Botnet operators intent on duping Internet users out of their savings have proved adept at social engineering, taking advantage of breaking news events and direct marketing — as well as audio and video files and PDF attachments — to lure people into downloading a variety of malware and visiting spoofed Web sites aimed at capturing personally identifiable information. The government’s economic stimulus tax rebate program is giving them another excellent opportunity.
U.S. taxpayers need to be concerned about spam, phishing and fraud as the IRS continues issuing nearly 130 million economic stimulus tax rebates worth an estimated US$150 billion, according to Randy Abrams, ESET’s director of technical education. TechNewsWorld had the opportunity to discuss with Abrams the nature and extent of this online security threat, as well as steps Internet users can take to guard against becoming victims.
TechNewsWorld: Please describe the nature and extent of threats foreseen or actually perpetrated related to the government’s economic stimulus rebate program.
These are typical phishing attacks with the exception that they target the stimulus check. … The victim is promised a quicker check and quicker receipt through direct deposit, or advised that they need to provide information to get their money. There is either a link to a Web site or, in some cases, an attachment with malicious code. Some have been maliciously crafted PDF files that will install malware on the victim’s computer.
Unless a person has already established an e-mail communication with the IRS, they should delete all e-mails from the IRS, as the IRS didn’t send it.
As for extent, it is hard to tell. We know that millions of the phishing e-mails are spammed out by botnets. I’m not sure how well the banks can tell when an account has been compromised due to an IRS phish versus another phishing attack. …
I think it is an error to concentrate on the stimulus rebate checks at the expense of the broader range of IRS phishes. We are still seeing generic phishes in addition to the stimulus check ones. I expect that only the exact same people who would fall for a generic IRS phish will fall for the stimulus check phish.
TNW: How bad could this get in terms of number of victims and monetary losses?
You do know that 97 percent of statistics are made up on the spot. (Laughs) I think this has the exact same potential as any IRS phishing scam. I don’t know of anyone who has an accurate count of the number of victims, as it can be difficult to ascertain what phishing attack — IRS or other — was used to gain access to the victim’s bank account.
I recently spoke to a victim who thought he [might] have followed a link in an e-mail that he shouldn’t have, but he didn’t remember what the e-mail was for. Since the dollar losses are related to the amount of money and/or credit the victims have in their accounts and credit lines, it would take a financial profile of the victims to know how bad it could get. I could pull a number out of thin air, but it would only be as good as one you could as well.
Once the bank account information is harvested, it is essentially divested from the source of the attack. It is possible, in some cases, to find the information on an upload server and thereby link it to the attack, but only the banks would know which account numbers had been successfully attacked and how much the attack cost.
TNW: What recommendations can you offer people to authenticate notice and collection of their stimulus rebates?
Ignore any e-mail or phone call about a tax stimulus rebate check. It’s bogus. It’s that simple. The e-mails and phone calls are all 100 percent bogus. Immediately delete such e-mails and never open attachments. If the e-mail says it came from the IRS, it didn’t.
TNW: How good are — or aren’t — PC and network security software systems at countering such threats?
Fundamentally, this is a social problem, and technology is not a solution for social problems. At best, security products can help mitigate by preventing malicious attachments from executing and by identifying fraudulent Web sites. Users of Web browsers that are not the current version, such as [Internet Explorer 6], will benefit from newer antiphishing technologies in the browsers.
TNW: What are ESET and other security providers doing to thwart these particular threats?
Users of ESET NOD32 will benefit from protection against malicious attachments and identification of some phishing sites. Nobody identifies 100 percent of all phishing sites, but we can reduce the risk by blocking a significant portion of the phishing sites.
Users of ESET Smart Security also benefit from the antispam technology, which also will file many of these attacks as the spam that they are.