Tackling the Lure: Working with Email Providers to Stop Phishing and Malware
Part of IID’s Takedown Taekwondo Series
Over the last few months, we’ve addressed in this blog different types of phishing and malware sites, how cyber criminals manage to get them online, and some of the steps IID takes to get them taken down quickly. Now let’s switch gears and talk about how cyber criminals get their victims to connect to these bad Internet locations. In order to make money off of their fraud, they need visitors to those sites, and they primarily lure them there with email spam messages.
Spam Can Be Crime-Ridden
We all know what email spam is. If you have an email account, you’ve gotten spam—and probably lots of it! Spam can be more than just annoying; it is often criminal in nature. Spammers may send out mass emails to addresses they have purchased from legitimate sources, or from sources that acquired those addresses by compromising companies’ databases and stealing their customer contacts.
Once they have a list of would-be victims to send their spam messages to, criminals can lure recipients to fall victim to all types of online fraud. A common type of spam invites recipients to click on a link in the body of an email, typically after warning of some sort of catastrophe that could result if they don’t. For example, an email may warn recipients that their bank accounts have been suspended and direct potential victims to click a link to reset their accounts. Once victims click the links in those emails, they may be taken to a phishing page that looks like their bank’s login page. The criminal in control of that lookalike phishing site collects the login credentials and the victims are none the wiser until their accounts are accessed and potentially emptied.
Other spam messages actually contain the phishing form within the body of the message, and victims are encouraged to enter sensitive information like login credentials, just as they would into a form on a phishing webpage. When victims submit credentials through the email form, their credentials are sent to a designated email address controlled by the criminal. That email address may be the same one the criminal used to send the email, or it may be another email address altogether. Whichever the case, the email address that receives the now-compromised credentials is subject to IID’s efforts to shut it down for its role in the criminal activity.
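The in-body phishing form described above leaves a recognizable trace in the message: an HTML form whose action is a mailto: address and which asks for a password. The following is an added example, not IID’s tooling, that scans a constructed sample message for exactly that pattern and returns the collection mailbox an abuse report would cite (all addresses and domains in it are made up):

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not a real lure): an HTML body whose form sends the
# victim's credentials to a mailbox through a mailto: form action.
SAMPLE_EML = """\
From: alerts@example-bank.invalid
Subject: Account suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been suspended. Confirm your login to restore access.</p>
<form action="mailto:collector@example.invalid" method="post" enctype="text/plain">
  <input name="user"> <input name="pass" type="password">
</form>
</body></html>
"""

class FormScanner(HTMLParser):
    """Records each <form> action and whether the form asks for a password."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": (a.get("action") or "").strip(), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_credential_forms(raw_message):
    """Return the mailto: recipients of in-body forms that collect a password."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        for form in scanner.forms:
            if form["action"].lower().startswith("mailto:") and form["password"]:
                hits.append(form["action"][len("mailto:"):].split("?")[0])
    return hits
```

Forms that post to a web URL are deliberately not flagged here; those lead to the phishing pages covered in earlier posts and call for a different takedown path.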
Further variations of email-based fraud include scams that ask victims to voluntarily send their personal information to a given email address, generally under some false pretense. Potential victims may be asked to send resumes for job offer scams or banking information for lottery or advance-fee fraud scams. Each of these scam types solicits sensitive personal information to be sent to an email address controlled by the criminal fraudster. In these cases—as with phishing lures and all types of spam—seeking to eliminate the spam messages themselves may prove to be a fool’s errand. Spam is ubiquitous and once the messages hit inboxes, they’re a threat.
Cutting the Collection of Information
In order to protect Internet users and organizations being impersonated from becoming victims of these crime-ridden spam emails, IID works with Email Service Providers (ESPs) and domain registrars. We coordinate with them to shut down or block the email addresses the criminals use to receive the requested information from victims. Criminals create these email addresses in several ways: they abuse free email services like Hotmail or Gmail; they might register a fraud domain that can serve as a legitimate-looking domain for their supposed job offers, lottery scams or the like; and in rare cases they take over legitimate email accounts. Email accounts on fraud domains might be accompanied by a fake website set up on that domain, or there may be nothing on the domain at all.
To shut down email addresses set up on fraud domains, IID follows the same path we take for any fraud domain: we contact the registrar that sold the domain to the criminal. The difference when pursuing the shutdown of an email address is that there may be no discernible fraud on any website using the domain, so the registrar must be told explicitly that the goal is to kill the email address, whether by suspending the domain outright or by disabling email services on it. Without that direction, the domain itself may not appear to be engaged in fraudulent activity. To shut down accounts that abuse free email services, we contact those services directly and alert them that an account is violating their Terms of Service, which generally prohibit criminal activity.
Providing the registrar or ESP with evidence of the fraud—a sample of the spam luring victims to send personal information to the email address in question, for instance—should get the job done. However, ESPs are rightfully hesitant to suspend accounts without good evidence. That’s because a legitimate user’s account may be taken over by a criminal for use in an email scam and ESPs want to avoid unwittingly cutting off a law-abiding user’s email account. When the evidence points to fraud, however, ESPs work to protect Internet users at large, just as their ISP, webhost and registrar counterparts do.
Phishing lures are very commonly sent as spam email messages, but that’s not the only way cyber criminals seek to con their potential victims. Next time, we’ll take a look at how criminals use social media to disseminate links to their fraud sites, as well as how social media platforms themselves are victimized by phishing and malware—and what IID does to keep them safe. Stay tuned for more Takedown Taekwondo!