Remember the old phishing emails that started with “Dear User”? Well, those days have passed, and scammers have gotten to know you better. And where’s the best place to do that – Facebook? Yes, of course, but that’s not the only source of information.
During 2010, thousands of businesses, like McDonald’s last year and RecruitIreland only 2 days ago, had their customer data stolen. Scammers are extracting data from those poorly secured databases and combining it with information collected from a number of social network sites, resulting in very sophisticated phishing attempts.
Here’s an example: last year, a man received an email from his bank (or so he thought) asking him to change his password to improve security. What was scary was the content of the email: “to update your account ending with xxxx4467”. How on Earth did they get his account number? Simple! If you have access to a database that stores client credit card numbers, you can easily match the credit card issuer, the card type, and so on, without having to see the card. You only have to look at the first 8 digits, sort the numbers by issuer, then build a personalized message with the issuer’s logo and link that to a fake website. Voila, you’re all set to go spear phishing!
I’m not talking about a database that’s stolen from a bank (which is probably very secure). I’m talking about that little purchase that was made through a small business website. The business is probably very legit and honest, but also poorly protected.
So if you ever receive an email that appears to be from your bank and urges you to act on something, please contact the bank directly to question or confirm the message content, either by phone or by going to its website. If you choose the online option, do not use or click the URL included in the email: enter the URL manually. And don’t trust your eyes! Fake URLs can be hidden within a legit look-alike URL.
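The look-alike URL tricks mentioned above can be checked mechanically. This Python example is added here and is not from the original post; `mybank.example`, the sample e-mail and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "mybank.example"  # assumption: placeholder for the bank's real domain
# Constructed sample e-mail body; hosts use reserved test names and addresses.
SAMPLE_EMAIL = """
<a href="https://www.mybank.example/login">Log in</a>
<a href="http://mybank.example.secure-update.test/">https://www.mybank.example/</a>
<a href="https://mybank.example@203.0.113.7/login">Update password</a>"""

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, read at </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def split_host(url):
    """Return (netloc, lower-cased hostname); ('', '') if unparsable."""
    try:
        parts = urlsplit(url)
        return parts.netloc, (parts.hostname or "").lower()
    except ValueError:
        return "", ""

def check_link(href, text, trusted=TRUSTED):
    """Return the reasons a link is suspicious (empty list: none found)."""
    netloc, host = split_host(href)
    # Visible text that itself looks like a URL must name the same host.
    shown = split_host(text if "://" in text else "//" + text)[1]
    checks = [
        ("@" in netloc, "text before '@' is not the host"),
        (not host.isascii() or "xn--" in host, "non-ASCII or punycode host"),
        (host != trusted and not host.endswith("." + trusted),
         "host is outside the trusted domain"),
        (" " not in text and "." in text and shown != host,
         "visible text names a different host"),
    ]
    return [msg for hit, msg in checks if hit]

def scan_email(html, trusted=TRUSTED):
    collector = LinkCollector()
    collector.feed(html)
    return [(h, check_link(h, t, trusted)) for h, t in collector.links]
```

Calling `scan_email(SAMPLE_EMAIL)` returns each link with its list of findings; only the first link in the sample comes back clean.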
As of today, we can add the Government of Canada to the list of hacked databases! Hey hackers, can you erase my tax info? Seriously, who’s next? Do truly secure environments/databases exist?