Cybersecurity Awareness Week (CSAW) will take place in Australia, and then in New Zealand, at the back end of May 2013. Sophos is an enthusiastic supporter of CSAW events around the world, because security is the shared responsibility of us all. CSAWs are a fantastic opportunity to review some of the security issues that we’re all so inured to that we barely think about them any more. Such as spam.
We’re all used to spam; most of us get quite a lot of it; some of us are awash in it.
But even if we see only the occasional unsolicited message, one thing seems certain: as a sales and marketing tactic, it’s not very convincing.
I mean to say, it’s bad enough getting into one of those call centre message loops that says something like, “Your call is important to us. So important, in fact, that we have stuck you in a call centre message loop that says, ‘Your call is important to us. So important, in fact, that we have stuck you in a call centre message loop. Please hold.’ Please hold.”
At least when you’re in a queue to get into a queue to get voice support, you can fall back on the thought that you initiated the communication for reasons of your own.
But when someone contacts you entirely for their benefit, out of the blue, and pitches you a concept that is peculiar at best, and outright alarming at worst…
…you really do find yourself thinking, “Why? WHY? What can the sender POSSIBLY hope to get out of this?”
Old-school spam still works
Sometimes, you can work out why.
For example, a few years ago, fellow Naked Security writer Graham Cluley decided it would be a laugh to count up his earnings from just one week’s worth of money-making spam that built up in his inbox while he was on vacation:
290,259,462 of your United States dollars, if you don’t mind!
The “why” in this case, as Graham pointed out in his well-worth-reading article, is because this sort of spammer will occasionally hook someone who is vulnerable, and who can’t tell the difference between a genuine windfall and a cold-hearted scam.
Such victims may then end up being bled for thousands of dollars, or even hundreds of thousands, in bogus administration fees, loans, travel expenses, bribes, protection money and more.
Phishing still works
The “why” is obvious in this example, too:
Here, the crooks want to try to defeat two-factor authentication (2FA).
(The RVN mentioned in the email stands for Random Verification Number, a one-time password used for sensitive transactions by the bank referred to in the email.)
Even if only a handful of people aren’t thinking clearly, and click through to dispute the bogus transaction, the criminals will be able to make money that would otherwise have been denied to them.
That’s because their victims will helpfully relay the RVNs that are there to make scamming harder.
Spam in a post-email world
But what about the dentistry example shown above?
That was comment spam, almost certainly generated by hand and submitted to Naked Security.
It really does link to an apparently-legitimate dentist with an apparently-legitimate site:
How could this ever work? Who would ever click through?
When the spammer reminded me that “there are some qualifications that might be handy when choosing a dentist,” I asked myself what things I might expect of a dentist I’d just picked off the internet.
A passing familiarity with the physiology of the jaw, mouth, gums and teeth, perhaps? Some sort of official sanction by an accredited medical licensing agency? No chronic dependency on the sort of habit-forming substances a dentist might have ready access to?
All of those, and this one, too: NOT HAVING A BUSINESS RELATIONSHIP WITH WEB FORUM SPAMMERS!
Keeping your own nose clean
So, as the antipodal Cybersecurity Awareness Weeks approach, keep in mind that cybersecurity isn’t just about avoiding the bad stuff that crooked online operators fling at you.
Make sure you don’t get into bed with electronic marketing companies that are involved in flinging unwanted or untrustworthy communications at other people.
That would make you into part of the problem.
If you don’t have experience in social media, forum participation and other post-email ways of engaging people online, it’s tempting to leave it to someone else, especially if they offer to let you pay on results.
That sounds like a no-risk deal, since if they do a worthless job, the job will be worthless, and you’ll pay nothing.
But by outsourcing their online activities to an overseas boiler-room, and planning to make up for modest performance with unrelenting volume, dodgy e-marketing outfits could end up costing you dearly, since it’s your reputation visibly on the line, not theirs.
So, if you do outsource your social media and similar online activities, keep an eye on what is being said in your stead.
Firstly, this will help you learn your way around the post-email online whirl; secondly, it will give you early warning if you’re being promoted unethically or unprofessionally online.
And if that happens, simply pull the plug: you’ll help yourself, and everyone else.