Website flaws let spammers, phishers build profiles
Spammers and phishers are using new kinds of attacks to build wide-ranging profiles of online users -- everything from their political views to their sexual preference -- a security firm said Monday.
Blue Security, which has offices in the US and Israel, laid out details of what it's calling "registration attacks" and "password reminder attacks" in a report released Monday. Together, these attacks are used, said Blue Security's chief executive Eran Reshef, to conduct hostile profiling of Internet users.
In a registration attack, a spammer tries to register large numbers of Email addresses -- using automated scripts somewhat similar to those used in directory harvest attacks -- with a variety of Websites. Because sites typically return errors on addresses already in use -- Reshef said his research showed a majority of sites do this -- spammers and phishers can determine not only which addresses are valid, but match an address with a Website.
"It's one thing to have an address," said Reshef in explaining why spammers go to this trouble. "But with all this additional information, that address is much more valuable. If you want to promote, say Viagra, it's better for the spammer if he can identify those more likely to purchase the product."
By matching addresses with sites, spammers can compile a surprisingly in-depth profile, said Reshef. If an address is registered with a dating service geared toward seniors 55 and older, for instance, the spammer can assume the owner of the address is in that age group. Ditto for a site that caters to gays and lesbians. Or a site for an NBA team.
Basic marketing, in other words, said Reshef: know your customer.
"They end up with a profile rather than just an Email address," Reshef went on. Not only does that make the address more valuable to the spammer, but it also makes the list more valuable when the spammer sells it to others.
A password reminder attack is similar, but exploits the habit most Websites have of telling users whether an address is registered when someone requests a password reminder for it. If the address has been registered, the spammer is usually told that the password has been sent, which validates the address just as effectively as a registration error does.
"With phishing, hostile profiling gets more interesting," said Reshef. "If a phisher knows that an Email address is registered with, say, a major online e-tailer, then he can assume you make purchases at that site using a credit card. If he sends a phishing Email posing as coming from that e-tailer, it's more likely that you'll respond, since you do buy there.
"These scammers are taking an Email address they already know and running it through hundreds of sites" to build these profiles, said Reshef.
Even Internet service providers are inadvertently helping out spammers and phishers, added Reshef. Using registration attack tactics, scammers can leverage ISP tools that help users find available addresses. TechWeb was quickly able to verify, for instance, that numerous Yahoo Email addresses were already taken and in use.
According to Reshef, nine out of ten major Email providers and ISPs leak such information.
Few sites use the simple techniques that can stymie such attacks. eBay seems to be one of them. When TechWeb tried the password reminder technique at eBay, and used the bogus address "email@example.com," eBay responded with "eBay just sent your User ID to firstname.lastname@example.org. Check your Email to get your User ID." The response gave no indication of whether the address was in use on the site or not.
"We believe these kinds of attacks are currently in use," said Reshef. "Some high profile sites are taking measures against them, but no one does that to solve something only theoretical, especially when it degrades the user experience."
eBay's method, in fact, could be seen in that light, since it doesn't give any feedback to users who might, for instance, have mistyped their address.
While some site categories are invulnerable to such hostile profiling -- banks, Blue Security discovered, don't use Email addresses as user IDs, preventing both registration and password attacks -- most others are. In fact, the majority of recent non-bank phishing targets leak their customers' Email addresses to these attacks.
"All sites have to do, is stop using Email addresses as user IDs," said Reshef. "Or they could include a CAPTCHA, a graphical challenge that machines can't figure out. That would solve 99 percent of the problem."
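The registration and password reminder attacks described above, and the uniform-response fix eBay uses, come down to one thing: an endpoint that answers differently for a registered address than for an unknown one is an oracle, and an attacker who already holds one account at the site can calibrate against it. The following is an added example, not code from the article or from Blue Security's report. It simulates three constructed sites (names, categories and user lists are invented) with leaky and uniform endpoints, runs a short list of addresses through them the way the article describes, and builds the resulting profile. The differential probe generalizes the attack slightly: instead of matching on any particular error string, it compares each response with the response for a throwaway address that cannot be registered, so it works against any site whose wording differs.

```python
"""Simulated hostile profiling via registration / password-reminder oracles.

Added example. All sites, addresses and messages below are constructed;
nothing here talks to a real service.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Address the attacker has registered at every site for calibration (constructed).
ATTACKER_ADDRESS = "probe@attacker.invalid"


@dataclass
class Site:
    """Stand-in for a site's registration and password-reminder endpoints."""
    name: str
    category: str          # what membership reveals about the address owner
    users: Set[str]        # registered addresses (constructed sample data)
    leaky: bool = True     # True: responses disclose whether an address is registered

    def register(self, address: str) -> str:
        if self.leaky and address in self.users:
            return "That email address is already in use."
        # Hardened behaviour: same answer either way; the confirmation mail
        # (sent out of band to the real owner) carries the real information.
        return "Check your email to finish registration."

    def password_reminder(self, address: str) -> str:
        if self.leaky:
            if address in self.users:
                return f"Your password has been sent to {address}."
            return "No account is registered with that address."
        # eBay-style uniform reply: identical for known and unknown addresses.
        return "If that address is registered, a reminder has been sent."


def canary_address() -> str:
    """Random address under a reserved TLD: guaranteed not registered anywhere."""
    return f"{secrets.token_hex(8)}@nonexistent.invalid"


def normalize(response: str, address: str) -> str:
    """Blank out the echoed address so only the response *shape* is compared."""
    return response.replace(address, "<address>")


def enumerate_site(site: Site, addresses: List[str],
                   endpoint: str = "password_reminder") -> Optional[Set[str]]:
    """Return the subset of `addresses` registered at `site`.

    Returns None when the endpoint answers identically for a known-registered
    address (the attacker's own) and a known-absent one, i.e. no oracle exists.
    """
    call = getattr(site, endpoint)
    site.users.add(ATTACKER_ADDRESS)          # attacker's calibration account
    absent = canary_address()
    present_shape = normalize(call(ATTACKER_ADDRESS), ATTACKER_ADDRESS)
    absent_shape = normalize(call(absent), absent)
    if present_shape == absent_shape:
        return None                           # uniform responses: nothing to learn
    return {a for a in addresses if normalize(call(a), a) != absent_shape}


def build_profile(sites: List[Site], addresses: List[str]) -> Dict[str, Set[str]]:
    """Run every address through every site and collect the site categories
    in which it turned out to be registered: the 'hostile profile'."""
    profile: Dict[str, Set[str]] = {a: set() for a in addresses}
    for site in sites:
        hits = enumerate_site(site, addresses)
        if hits is None:
            continue
        for address in hits:
            profile[address].add(site.category)
    return profile


# Constructed sample data: two leaky sites and one that answers uniformly.
SITES = [
    Site("seniors-dating", "dating, 55+", {"alice@example.org", "carol@example.net"}),
    Site("hoops-fans", "NBA team fan site", {"bob@example.org"}),
    Site("bigstore", "online retailer",
         {"alice@example.org", "bob@example.org"}, leaky=False),
]
TARGETS = ["alice@example.org", "bob@example.org", "dave@example.com"]

if __name__ == "__main__":
    for address, categories in build_profile(SITES, TARGETS).items():
        print(f"{address}: {sorted(categories) or 'nothing learned'}")
```

Running it shows the two leaky sites giving up membership (alice is tagged as a 55+ dating member, bob as an NBA fan), while the uniform "bigstore" contributes nothing even though both are registered there. Two caveats a practitioner would add to Reshef's prescription: the uniform message must also be uniform in timing and status code (a reminder handler that skips the mail-sending step for unknown addresses can be distinguished by latency), and a CAPTCHA or rate limit slows the bulk run but does not close the oracle for a targeted address.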
The report, which is available on Blue Security's Website as a PDF file, also includes ways users can determine whether a specific site is vulnerable to registration or password reminder attacks.