Recently, a lesser-known form of identity theft called "Contact Scraping" has come to the fore. The practice is similar to phishing: it deceives victims into voluntarily giving their email user name and password to the scammers.
On the surface this seems absurd: why would anyone do such a thing? Because Google, Yahoo and thousands of others allow people to use their existing email accounts and their passwords to log into a number of legitimate, unrelated sites. As a result, people are now accustomed to entering their email address and that same email account's password into non-email login forms.
This fraud, like phishing, relies on social engineering: the use of suggestion and the exploitation of cognitive biases to bamboozle users into surrendering sensitive information by presenting what appear to be legitimate circumstances that require seemingly logical actions on the part of the user. Phishing is the most common example of this, but many other variants, such as mere confidence trickery, share this aspect.
In the Contact Scraping scheme, the scammers log into the victim's email account and download its contact list, which is then used for various undesirable purposes.
Unforgivably, a number of otherwise "clean" sites (the New York Times cites 'tagged.com' and 'mylife.com') are doing this. In Contact Scraping, the sites usually do exist and have at least some more or less legitimate functions. In the least dangerous cases, the sites have clauses in their "terms of service" allowing them to do this, and do nothing more dangerous than spam all of your contacts, using your name, with invitations to join the site.
On a much more urgent note, the scammers have access to an email account that can be used to send spam or fraudulent messages. In these days of cheap storage, a typical account can have years of back messages archived, emails which may contain even more damaging information.
The Vistua Groupware Email is as susceptible to this problem as any other web-based email system.
So what to do? As with any other form of social engineering fraud, the key is to pay attention. Carefully analyze the source, watch for spelling errors and the like, and never enter pre-existing credentials except at very well known sites.
News & Notes is a journal of The Vistua Network Administration and the factuality of this content is guaranteed. From time to time, this content may contain normative statements or set policy.