The Better Business Bureau is targeted in a more sophisticated form of “phishing” scam. Find out more about this type of opportunity for identity theft and what you can do about it.
Want to know if the lawyer you’re considering has a good track record of honest representation? Who would you turn to? Other than personal referrals, you might want to check with the Better Business Bureau in your area.
On the other hand, do you need to make a complaint about a drywall contractor who left you, but not your walls, high and dry? The Better Business Bureau is the appropriate place to file a complaint that can save others this aggravation.
The Better Business Bureau has a long history of helping consumers. They’ve earned public trust and that is just why the Better Business Bureau is such an attractive bait for spear phishing scams.
What is spear phishing?
The term phishing was coined to describe e-mail scams where identity thieves were “fishing” for personal information like names, addresses, birthdates, social security numbers or account numbers. As opposed to the sport where one casts out bait to see what they can catch, spear fishing is a sport where a specific fish is targeted for spearing. E-mail spear phishing is a scam that sends out mass phishing e-mails that target a small group of people, such as corporate executives.
The first waves of phishing scams were “too good to be true” scams in which lucky you, of all people, had been chosen to help move money and would be rewarded with a great share. Then savvy identity thieves moved on to “too scary to ignore” scams: your bank, eBay or PayPal account has been compromised, so just enter your name and passwords here so we can protect you.
According to Art Manion, a top vulnerability analyst for CERT, an internet emergency response group based at Carnegie Mellon University, scammers’ tactics are improving. Manion says, “Today, the e-mail looks like it’s from my bank or my company, with better grammar, more believable stories, and better URLs.”
One of the latest scams used the Better Business Bureau to target corporate executives. The mass spear phishing e-mails arrive saying they are from an address @idtheft.bbbb.org or firstname.lastname@example.org or email@example.com, none of which are Better Business Bureau addresses or even legit e-mail addresses. There is a long list of these fake addresses that have been used. Even as the Better Business Bureau spear phishing scams were being reported, identity thieves simply continued e-mailing using different addresses.
The messages begin with a variation similar to this message:
“This is an automated email that confirms the registration of your complaint case number: [CASE NUMBER] filed by (your company) on (date) concerning Online Identity Theft. The Better Business Bureau does not resolve individual problems but your complaints help us to investigate fraud and can lead to law enforcement action.” This message is followed by clickable links, attachments and requests for information verification.
As with any suspicious e-mail (and remember how often they don’t look suspicious), do not open attachments, which can be infected with viruses, or click on any links, which can take you to unsafe web sites. Do not supply any information or even respond to the e-mail, because a response confirms whom they have reached.
What you can do:
*Copy the internet header and forward it to firstname.lastname@example.org, which will reach the Council of Better Business Bureaus, Inc.
*Don’t assume that “they already know about it so they don’t need to hear from me.” Addresses and messages constantly change so each one is important.
*Not only does reporting spear phishing scams stop current scams and protect others, reporting them also helps programmers improve security programs to prevent future spear phishing attacks.
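The header check described above can be scripted. The following is an added example, not part of the original article: it pulls the internet header block out of a raw message and compares each sender-related domain with the BBB's domain. It assumes genuine BBB mail uses bbb.org; the sample message, its addresses and all function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

BBB_DOMAIN = "bbb.org"  # assumption: the domain genuine BBB mail uses

# Constructed sample message; every address and host in it is made up.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net ([192.0.2.10]) by mx.victim.example;
 Tue, 01 Jan 2008 10:00:00 -0500
From: "Better Business Bureau" <complaints@idtheft.bbbb.org>
Reply-To: cases@example.com
To: ceo@victim.example
Subject: Complaint case number 12345

This is an automated email that confirms the registration of your complaint.
"""

def header_block(raw):
    """Everything before the first blank line: the part to copy when reporting."""
    return raw.replace("\r\n", "\n").split("\n\n", 1)[0]

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Compare a sender domain with BBB_DOMAIN."""
    if domain == BBB_DOMAIN or domain.endswith("." + BBB_DOMAIN):
        return "matches"  # From is still spoofable; a match alone proves nothing
    tail = ".".join(domain.split(".")[-2:])
    return "lookalike" if edit_distance(tail, BBB_DOMAIN) <= 1 else "unrelated"

def report(raw):
    """Map each sender-related header to (domain, verdict)."""
    msg = message_from_string(raw)
    out = {}
    for name in ("From", "Reply-To", "Return-Path"):
        if msg[name]:
            domain = parseaddr(msg[name])[1].rpartition("@")[2].lower()
            out[name] = (domain, classify(domain))
    return out

if __name__ == "__main__":
    for name, (domain, verdict) in report(RAW).items():
        print(f"{name:12} {domain:22} {verdict}")
```

A Reply-To or Return-Path domain that differs from the From domain, as in the sample, is itself worth noting when you report the message.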
Joe Stewart of SecureWorks has learned of a Chinese connection in both the IRS scams and the BBB scams. Stewart explains: “Typically when we see malware from China, it has one of two purposes – to either steal documents related to trade secrets of companies and military/government institutions, or to steal accounts from online role-playing games. This new scam doesn’t seem to fit into either category, so it may represent the emergence of a new kind of Chinese-based cybercrime. The question is then, just what do Chinese malware authors intend to do with the vast amount of data they’ve stolen from over a thousand U.S. corporate executives?”
Being a personal or corporate victim of spear phishing is no day at the beach. Spear phishing identity thieves are using attractive bait so beware of the hook and don’t get reeled in to participating in scams.