Email Attacks Put Other Types of Accounts in Jeopardy

    October 8, 2009
    Chris Crum

You’ve probably seen reports of big webmail phishing attacks over the past week. A spokesperson for Symantec’s Message Labs tells WebProNews, however, that most reports have glossed over a key point: other aspects of victims’ online lives are in jeopardy as well.

"The bad guys have more than just access to users’ email accounts," says the spokesperson. "They have access to a host of other online services the victims use."

Paul Wood, MessageLabs Intelligence Senior Analyst, says, "A user’s unique email address is often used to authenticate a number of web sites, including social networking sites and Instant Messaging on a public Instant Messaging (IM) network. If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID."

If a cybercriminal had the email account information and wanted to take over a related social networking account, all they would have to do is try the password reminder links from the login pages. They could then use the victim’s email to send spam, gain access to other personal information, and use the victim’s social networking account to spam social networks as well.

[Image: Facebook - Forgot Password]

MessageLabs says it has tracked a number of phishing attacks using Instant Messaging, in which bad guys collect real IM user account info and passwords, only to use them to send spam to everyone on the person’s buddy list. This is another possible result. "An invitation to view a funny video or embarrassing pictures by clicking on a link in an IM was the bait and the landing site would then ask the victim to log in with their IM user name and password," the spokesperson says. "For public IM networks, the user name is often the same as the web-based email account."

In other phishing-related news, the FBI has charged nearly 100 people in the United States and Egypt as part of "Operation Phish Phry," one of the largest cyber fraud phishing investigations ever. WebProNews has more details on that here.