Ever have your email account hacked? Did it send spam to everyone on your mailing list, everyone you have ever communicated with through email? If you’ve simply recovered your account and changed your password, it might not be over…
Hackers will save the information gained from hacked accounts. They will possess data such as the user name you use for that email account, as well as your address book. With this information they can continue to plague your friends, family, and business contacts with ‘fake’ emails forged under your name utilizing different email addresses such as freemail accounts.
These types of spam emails are much more personable than just regular bulk marketing spam or obvious catphish and donation spam. They can be sent at just the right time to fool someone. For example, say you went on vacation and shortly after the spammers send messages to your address book with links to ‘pictures’. People who knew you were on vacation may not think twice to click the link, ultimately containing malware.
This can be especially unsettling when it comes to business contacts. We all know too well the sheer amount of fake invoices and fake product orders being sent daily. By sending that fake invoice or fake product order at just the right time to the right person, the result could be devastating.
At present, this method of spam is not too sophisticated. This may be because the amount of hacked email accounts and data is so numerous there is no time to analyze and create sophisticated targeted campaigns from the data of each one. For the time spent, it is likely more efficient to send bulk generic spam (e.g. fake pictures and fake invoices) to the respective address books.
This doesn’t mean high profile accounts are not sought after by hackers. CEO/manager information (such as names and employees) will be very valuable. However, this type of information is readily available. You can find the names of CEO’s and the email contacts of their staff within company websites. This brings us into the territory of attacks such as domain spoofing, name spoofing, and business email compromise (BEC) scams.
For an individual clicking the link of what appears to be their friend’s vacation pictures, the scale of damage is generally not too big. It is when a business gets compromised by this spam that monetary losses can get huge. As mentioned, a lot of business information is publicly available. Businesses need to be well aware that these types of email scams exists, and educate their workers as well as research the proper countermeasures required to defend against these attacks. There should always be policies in place for employees to properly identify important people (such as business partners and bosses) when they are communicating with them.