FTC Warns of Bogus E-mail “Complaint”

November 1, 2007

The Federal Trade Commission this week warned businesses to be wary of “a bogus e-mail,” ostensibly from the government agency, that links and has an attachment that will download a virus enabling “key logger” technology.

Keylogging software enables an identity thief to potentially grab the victim’s passwords and account numbers, the FTC’s Oct. 29 release stated.

A similar technology was used in an August attack on job search site Monster.com. The thieves used an intricate mix of technological techniques—including phishing e-mails, Trojan horses and more—to raid the web site’s resume database and access users’ sensitive data before sending them an e-mail installing “ransomware” on their computers. (Ransomware is malicious software that encrypts the data on the computers it infects and demands payment for its decryption).

In the FTC e-mail case, the message contained the agency’s seal, and warned the recipient “a complaint has been filed against you and the company you’re affiliated with,” SC Magazine reported. The spoof e-mail was rigged to look as if it came from “frauddep@ftc.gov” but the e-mail’s true origin was hidden. Some readers might at least have noticed many grammatical errors, misspellings and incorrect syntax in the e-mail—a common indicator marking an e-mail as suspicious.

“When you get something from the FTC, you’re not going to see things written by people who are obviously not native English speakers,” Dave Marcus, security researcher and communications manager for McAfee Avert Labs, told SCMagazineUS.com.

Social engineering cons recipients

Yet social engineering tactics in which identity thieves construct e-mail messages imitating legitimate organizations to build false credibility, and appear to appeal to the recipient personally, are being employed more regularly now in order to con victims into opening message attachments.

The FTC warned against clicking on the bogus e-mail’s links or opening the attachment. “Once you open the attachment, that’s when the virus is launched and that’s when they can start stealing your identifying information,” David Torok, a director in the FTC’s Bureau of Consumer Protection, told SCMagazineUS.com.

The spam e-mail’s reach was “pretty virulent and widespread,” Torok told SCMagazineUS.com. “We’ve received calls from some companies where every person in the company has received a copy.”

Anyone who had already opened the e-mail’s attachment was encouraged to run an anti-virus program.

Recipients were encouraged to forward the e-mail to spam@uce.gov and then delete it. E-mails sent to that address are kept in the FTC’s spam database to assist with investigations.

Protect yourself online

The United States Computer Emergency Readiness Team’s Cyber Security Tip on “Avoiding Social Engineering and Phishing Attacks” offers this advice:

• “Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.”
• “Be suspicious of unsolicited phone calls, visits, or e-mail messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.”
• “Do not reveal personal or financial information in e-mail, and do not respond to e-mail solicitations for this information. This includes following links sent in e-mail.”
• “Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).”

More information about bogus e-mails, phishing, and virus protection is also available at www.OnGuardOnline.gov.

Our September newsletter had an in-depth article on the Monster.com data breach. Find out more.