Tuesday, May 17, 2011

Yahoo email gets an "F" in security

In analyzing the sources of various phishing attempts and outright fraud attacks, one service shows up again and again as a vehicle for mischief: Yahoo email. I've previously posted on messages from my dead friend Jeff Menz. Somebody got into his Yahoo mail account and tried repeatedly to sell me pharmaceuticals. Subsequent complaints to the FBI were ignored. And while the pharmacy botnet was taken down (see my post Jeff Menz may now rest in peace), Yahoo is still a fertile field for criminal activity. Just yesterday, I got the following message from an acquaintance of mine who promotes bicycle races:
Hope you get this on time, I made a trip to Edinburgh, Scotland and had my bag stolen from me with my passport and personal effects therein. The embassy is willing to help by letting me fly without my passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately for me, I can't have access to funds, I've made contact with my bank but they need more time to come up with a new one. I was thinking of asking you to lend me some quick funds that I can give back as soon as I get in. I really need to be on the next available flight.

I can forward you details on how you can get the funds to me.

I await your response....
Naturally I deleted his name. No use embarrassing him. The Yahoo email address was just one of his, so I sent the following note to another of his accounts:
Somebody from [account deleted for privacy]@yahoo.com sent this. Hoping it's a scam, I'm not biting. But if you get back to the US and want to give me a call, I'd be glad to apologize in person if this is on the level. In the meantime, I suggest you call your family members and have them bail you out.
Within half an hour, he responded:
Spammed.  Thanks.  Working on it.

Granted, this is a fairly low-tech and shop-worn scam, and pales in comparison to the malefactors who used Amazon cloud services to bring down Sony's PSN network (which I still think is an inside job by recently-fired SOE employees who wanted to misdirect the investigation by planting the word "Anonymous" in the infecting code). But similarly strange emails and telephone calls could soon be coming your way courtesy of gaping Android security holes or even not-so-proud owners of Cisco phones.

Which is too bad, as it is not my nature to deny help to people who need it. Heck, I even give money to panhandlers on the street, trusting that they're doing their best with what they have available to them. I've even started a war against charities who pay their management team big salaries and who funnel very little of their donors' contributions to the cause for which it is being raised. If you want to be entertained, check out my work-in-progress website:  www.ZeroOverheadCharities.com.

I prefer to live in a world based upon trust. One way to bring about such a world would be to have misconduct yield substantial and instantaneous consequences. For companies involved in charity scams, public humiliation and social ostracism might be the answer. In the world of cyber crime, I contend that licensed and bonded cyber privateers are one answer. If you have a better solution, let me know. We're surely getting bupkis out of the politicians (see today's New York Times story).
