From Spam Daily News
Hostile Profiling
Posted on
May 23, 2005
Blue Security details how fraudsters are exploiting Web sites to create visitor profiles for phishing attacks.
The company has found that "Hostile Profiling" is easily accomplished using two new types of attacks: registration attacks and password reminder attacks.
These attacks exploit sites that use e-mail addresses as user identifiers during registration or password reminders, allowing attackers to learn whether a given address belongs to a customer of such a site.
By automatically attacking hundreds of Web sites, spammers and scammers can generate a detailed consumer profile from any e-mail address, including the owner's place of residence, hobbies, political views, purchasing preferences and health information, and then use this information for targeted spamming and phishing attacks.
Blue Security has found that a large majority of Web sites, including eight of the top 10 Web sites in the United States, are vulnerable to registration attacks and password reminder attacks. Some Web sites are already taking measures to protect themselves against such assaults by requiring billing information with each registration or asking the user to solve a graphical challenge.
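The leak described above comes down to a site answering differently for a registered address than for an unknown one. The following is an added illustration, not code from Blue Security or from any site named in the article: a constructed in-memory user store, a password reminder and a registration handler in the leaky form, the same two handlers returning a uniform response, and a self-check a site operator can run to confirm that the visible response no longer depends on whether the address is registered. All names (REGISTERED, Outbox, reminder_leaky, reminder_uniform, register_leaky, register_uniform, is_distinguishable) and the sample addresses are assumptions made for this example.

```python
"""Account-existence leaks in password reminder and registration flows.

Constructed demo: the user store and addresses below are sample data,
not real accounts. Each handler returns (http_status, message) and
records any e-mail it would send in an Outbox.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample user store (assumption for this example).
REGISTERED = {"alice@example.org", "bob@example.org"}

Response = Tuple[int, str]


@dataclass
class Outbox:
    """Stand-in for the mail system: collects addresses that would be mailed."""
    sent: List[str] = field(default_factory=list)


def reminder_leaky(email: str, outbox: Outbox) -> Response:
    """Vulnerable form: status and wording reveal whether the address is
    registered, so one request per address enumerates the customer list."""
    if email in REGISTERED:
        outbox.sent.append(email)
        return 200, "A password reminder has been sent to " + email
    return 404, "No account is registered for " + email


def reminder_uniform(email: str, outbox: Outbox) -> Response:
    """Hardened form: the same status and message for every input. The
    reminder is still only dispatched when the account actually exists."""
    if email in REGISTERED:
        outbox.sent.append(email)
    return 200, "If an account exists for that address, a reminder has been sent."


def register_leaky(email: str, outbox: Outbox) -> Response:
    """Vulnerable form: rejecting duplicates in the response confirms that
    the address already belongs to a customer."""
    if email in REGISTERED:
        return 409, "That e-mail address is already in use"
    outbox.sent.append(email)  # confirmation link for the new account
    return 200, "Check your inbox for a confirmation link"


def register_uniform(email: str, outbox: Outbox) -> Response:
    """Hardened form: always acknowledge with the same text. An existing
    account owner is told by e-mail that someone tried to re-register, a new
    address gets a confirmation link; the browser cannot tell which."""
    outbox.sent.append(email)
    return 200, "Check your inbox for a confirmation link"


def is_distinguishable(handler: Callable[[str, Outbox], Response],
                       known: str, unknown: str) -> bool:
    """Operator self-check: True if the visible response differs between a
    registered and an unregistered address (i.e. the handler leaks)."""
    return handler(known, Outbox()) != handler(unknown, Outbox())


if __name__ == "__main__":
    for name, handler in [("reminder_leaky", reminder_leaky),
                          ("reminder_uniform", reminder_uniform),
                          ("register_leaky", register_leaky),
                          ("register_uniform", register_uniform)]:
        leak = is_distinguishable(handler, "alice@example.org", "nobody@example.org")
        print(f"{name:18s} leaks account existence: {leak}")
```

The self-check only covers what the response body and status reveal; a site that takes noticeably longer to answer for a registered address (for example because it waits for the mail to be queued) leaks the same bit through timing, so the dispatch step should be made asynchronous or padded to a constant duration. The uniform handlers also do nothing about volume: the article's "hundreds of Web sites" attack is automated, and per-address and per-source rate limits, or the graphical challenge the article mentions, are what make bulk probing expensive.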
In addition, Blue Security has found that by using registration and password reminder attacks, user addresses can be harvested from nine out of 10 major ISPs, Web-based e-mail providers and the majority of recent non-bank phishing targets. These attacks also can be used to retrieve a Web site's entire customer list, exposing users to well-targeted phishing attacks.
Eran Reshef, CEO of Blue Security, said, "Hostile Profiling is yet another example of how online criminals abuse the Internet to attack innocent users. Obviously, existing technology is unable to provide adequate protection from the cunning new methods devised by spammers and fraudsters almost every day. There is a need for a viable solution to spam, a solution that will not just block but eliminate spam and that will allow consumers and enterprises alike to reclaim their Internet experience."
SOURCE: Blue Security