Forget the rich benefactor, the next e-mail scam you should watch out for is from your “friends.”
A man almost parted with £2,200(RM15,400) when a friend pleaded for his help after being allegedly mugged in London. Fortunately, the man noticed that something was amiss and contacted his friend to verify the claim only to find out that he was still in Malaysia.
The incident, which was reported in an English daily in Sabah last week, is a new form of e-mail spoofing, said an information security expert.
Chia Wing Fei, security response team manager at F-Secure Asia Pacific said such e-mail scams are more dangerous as they are rarely picked up by security software.
Furthermore, the recipients are more likely to believe such things because it comes from someone they personally know.
And because such e-mail messages go undetected by an Internet service provider’s spam filters or antivirus products, the frequency of such incidents cannot be properly ascertained, Chia said.
“These attacks are also sent in extremely low volumes – sometimes only a single copy is sent – which makes it difficult for traditional spam filters to catch them,” he added.
Chia explained that such e-mail messages are sent from out-going mail servers that have not been properly configured, creating an opportunity for third parties to send e-mail through it.
They also change the “received-from,” “reply-to” and “return-path” fields to show a legitimate looking e-mail address and point of origin.
Chia also said that these types of attacks cannot be categorised as phishing as the sender usually does not ask for financial details and there are no links to a phishing site.
“Phishing is all about tricking the user into giving out his or her user names, passwords, bank account and credit card details, and recipients are asked to confirm the details by clicking a link that leads to a phishing site,” he said.
To pull something off like this new e-mail scam, Chia said perpetrators carry out proper intelligence work on both the nominated sender and recipient.
He said the information could have been harvested from anywhere.
“It could be from a stolen notebook computer, a blog or even a profile on social networking sites,” he said.
Although it is rare, Chia said the e-mail could also contain malicious attachments that aim to gather confidential information from personal computers.
Like the scam, an e-mail for these targeted attacks are not sent in huge volumes in order to fool firewalls.
“It also looks like a legitimate e-mail but the malicious attachment executes malware that gathers confidential information for the sender,” he said.
Chia added that computer users need to be more cautious about this type of e-mail messages and make sure to verify any of their friends’ pleas for help.
In addition, users should also be careful of people requesting to be added into their social networking site profiles.
“People shouldn’t simply accept friend requests and even if they know the person, they should always verify their details. Sometimes it might be someone impersonating a friend,” Chia warned.