Many people are fooled by phishing spam. Even more people don’t know what the hell I’m talking about when I say that. Let’s start from the beginning…
Long ago, spam was just a luncheon meat popular with frugal moms, not so popular with their offspring. Then some clown decided to start sending out email messages that pretended to be from someone’s friends in order to get them to buy a product or click on a link that would gain money for the sender of the message. Well, as with all bad ideas, some other idiots noticed that the original clowns seemed to be getting rich using this marketing method, that it cost virtually nothing to implement, and that the law didn’t seem to be able to deal with them effectively, and they adopted the idea for direct fraud and larceny. Malware could be delivered in this manner: malware that is intent on stealing from your bank account, poaching your credit card numbers, grabbing your personal information and stealing your identity so that large loans can be taken out in your name and never repaid, traffic offences can be committed and attributed to you, and illicit behavior can be blamed on you instead of the actual perpetrator.
Phishing spam was almost totally focused on banks in the early days, imitating bank password change notifications and other standard communications to get the recipients to share their online passwords and personal verification questions with the senders, who could then drain the recipients’ accounts. Now a change has occurred, as the banks have become able to identify, react to, take down and otherwise deal with the problems these messages have posed. The focus is now on recognized consumer brands: everyday products and services that appeal to a wide audience.
Anyway, CA (Computer Associates) has a good article showing how these guys have progressed from simple text-based messages, to messages with logos, to full-on, authentic-looking marketing emails that connect the unsuspecting recipient to a website, compromised or fraudulent, that delivers the payload. In this case, the payload appears to be Fake-AV, a type of phony anti-virus product designed to get the recipient to “buy” their fake product. So you spend $50 on a fake product. Big deal, right? Unh-unh. You lose fifty bucks for sure, but you have also given a definite miscreant your credit card number, allowed them to check if it is valid, and sent them off on a shopping spree!