New Targeted E-mail Attack Hits Business Execs
Erik Larkin writes "The same scammers who have been sending out the faked but highly convincing BBB and IRS e-mails are now targeting named victims with a new variety of e-mail that looks like a business invoice. Our editor-in-chief was sent one here at PC World."
I think it would be wise for companies to switch to using something like GPG and keep keys safe. The sooner this happens the sooner scammers will have a more difficult job with this style of social engineering.
Why UNIX?
In nature, the successful predator always goes after the weak and the lame first.
Where I work we had to implement draconian measures concerning attachments and files because the execs kept clicking "run anyway" even though the antivirus software warned them it could be an infected file. They honestly thought they knew more than the AV software.
Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047
At the risk of sounding a little jaded and anti-establishment (which would surely make me an outcast on this site, haha):
I think maybe this is a good thing. I think the scammers have been, to this point, largely targeting the gullible. Old people, drug abusers, the socially awkward. The problem with that is those sections of our society are, I would guess, significantly underrepresented in the political process.
If the friends and contributors of our ruling elite class start getting tagged, perhaps we will see some Internet legislation that is focused on taking out the really vile scum, instead of just the low grade malefactors that infringe copyright for personal use. Copyright legislation is going gangbusters because the people Congress talks to believe it is good. If those same people start to feel the bite of scammers, maybe they'll get serious about finding these assholes and putting them away.
Stop-Prism.org: Opt Out of Surveillance
I've seen all sorts of people here comment that email is getting too risky for businesses to use. From where I stand, that's not the real problem. The problem that's at the center of both the malware and spam problems is that it's become very hard to quickly determine the credentials of a person sending you information. In the case of email, the solution to the malware problem is simple: strip all HTML tags and attachments off as the mail is received. There is no way to get malware from an email without active content. (HTML, Attachments, etc.)
When you make email safe, you then have the real problem distilled to its essence: How do internet users safely receive files over the internet? And the answer to that is authentication, but then credentials become tradeable items, and you have malware going after credentials.
The problem is not with email, it's with the whole internet's permissiveness. Every solution you put in place gets knocked to its core problem that there's no easy way to definitively say what person you're interacting with at the time. And this will be a tough sell; we're used to an anonymous internet. To solve the problem of internet crime once and for all, I predict that we will have to give up our ability to become entirely anonymous. There will be bumps in the road, but once everything that lands on your computer can be attributed to a real person, your email and internet will be as safe and sane as your US-Mail. Maybe even safer, because it will be easier to exclude content from people with bad reputations.
Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.
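The stripping step proposed in the comment above, sketched as an added example (not code from the thread or from any poster): a Python filter that rebuilds each message as plain text, dropping attachments and HTML markup at receipt. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class TextOnly(HTMLParser):  # keeps visible text; skips <script>/<style> bodies
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in ("script", "style")
    def handle_endtag(self, tag):
        self.skip -= tag in ("script", "style") and self.skip > 0
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

def html_to_text(html):
    parser = TextOnly()
    parser.feed(html)
    parser.close()  # flush text buffered after the last tag
    return " ".join(" ".join(parser.out).split())

def sanitize(raw):
    """Return (text-only EmailMessage, descriptions of removed parts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    plain, html, dropped = [], [], []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        ctype = part.get_content_type()
        named = part.is_attachment() or part.get_filename()
        if ctype == "text/plain" and not named:
            plain.append(part.get_content())
        elif ctype == "text/html" and not named:
            html.append(html_to_text(part.get_content()))
        else:  # attachments, inline images, any other non-text part
            dropped.append(f"{ctype}:{part.get_filename()}")
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name]:
            clean[name] = msg[name]
    clean.set_content("\n\n".join(plain or html) or "[no text content]")
    return clean, dropped

def build_sample():
    """Constructed sample: HTML-only body plus an executable attachment."""
    m = EmailMessage()
    m["From"], m["Subject"] = "billing@example.com", "Invoice 1001"
    m.set_content("<script>x()</script><p>Please <a href='http://example.com/pay'>"
                  "review</a> the invoice.</p>", subtype="html")
    m.add_attachment(b"MZ", "application", "octet-stream", filename="invoice.exe")
    return m.as_bytes()
```

The `href` targets are discarded along with the tags, so the cleaned message carries only the anchor text. When a message has both a plain-text and an HTML alternative, the plain-text part is used and the HTML is ignored.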