GCN LAB IMPRESSIONS
'Hit man' phishing scam makes an offer you can refuse
Recently we have seen phishing scams that begin in the private sector make the jump to specifically target federal employees. In one case, attackers targeting Gmail accounts gained access to the accounts of U.S. government officials.
Phishing, in fact, is by far the most common means of attack in federal networks, so every fed should be aware of the latest trends in these areas in case the attacks are aimed again at the government.
To an attentive user, many phishing e-mails can be easy to spot — poor grammar, typos, dodgy e-mail addresses and absurd scenarios being some of the tip-offs — but some of them still get through anyway.
To hackers, government users are phish in a barrel
A new trend in phishing attacks — which actually is a revival of an old one — is turning violent. Targeted just at users in Australia so far, it’s a pretty scary delivery that comes as a text message.
The message supposedly is sent from a hit man who was contracted to kill the recipient. However, this hit man is supposedly looking to get a better deal than his employer offered, and is willing to let the victim off the hook for a mere $5,000.
The text of the message is: “Sum1 paid me to kill you. Get spared, 48hrs to pay $5000. If you inform the police or anybody, death is promised.”
A Yahoo address is given for the lucky mark to contact the hit man to negotiate for their life. Police in Australia believe this is the work of an organized crime ring. They have advised people to ignore the e-mails, but don’t know if anyone actually has paid the ransom.
Personally, having played the Hitman video game series (one of my favorite), I would be tempted to e-mail the would-be assassin and admonish him for breaking the code. How dare he contact a mark and offer a way out of a sealed contract. If I forwarded such an offer to his employer, it would be he who would be under the gun. No hit man should be that unprofessional. But I digress.
This may well be a local scam and never reaches the United States. But I think there is at least the possibility that this might be a trial run to see how profitable such a scam involving the threat of violence might be in terms of a fishing attack. Call it fishing with dynamite.
In 2007, for example, a similar scam made the rounds in the United States, this one from a supposed hit man who had been contracted for $50,000. The message promised to let the target off the hook for $80,000 and would show evidence that that hit was real for $20,000 (the real goal of the scam).
It’s conceivable that if the technique yields a lot of response, it could be modified in other ways, and re-targeted at feds, especially if the Chinese are behind this as they were with the other known federal attacks.
Think about an e-mail that supposedly came from a hit man, but instead of demanding money, it demanded access to a federal network, or sensitive passwords. What if it threatened a user’s kids or family? Sure, the vast majority of people would never fall for something like this, but past scams have proved that the unlikely can happen.
Let’s hope it doesn’t come to that, but be on your guard just in case.