The Mac Security Blog

Security & Privacy

An Interesting New Phishing Technique: Text Only E-mail

Posted on by

We found an interesting phishing e-mail in our Spam mailbox this morning. (It got spam-filtered thanks to Intego Personal Antispam.) Unlike the usual phishing e-mails, there were no links in this one. In fact, if it were not from the suspicious reply-to address, and the poor English, it could almost be believable. Here’s what it said:

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent
automatically by the computer.
If you are receiving this message it means that your email address has
been queued for deactivation; this was as a result of a continuous error
script (code:505)received from this email address. To resolve this problem
you must reset your email address. In order to reset this email address,
you must reply to this e-mail by providing us the following Information
for confirmation.

Current Email User Name : {                    }
Current Email Password : {                      }
Re-confirm Password: {                         }

Note: Providing a wrong information or ignoring this message will resolve
to the deactivation of This Email Address.

You will continue to receive this warning message periodically till your
email address is been reset or deactivated.resolve

It is a simple technique for harvesting e-mail account info – user names and passwords – and we have the feeling that this might actually work. After all, many users are worried about entering their credit card numbers on-line, but may not be hesitant about sending an e-mail account password by e-mail.

Well, let’s get down to it: do not ever send any confidential information by e-mail! Never! The simple reason for this is that e-mail goes through many servers, and can be intercepted at any location along its route. Even if you wanted to send a password or other confidential information to, say, your spouse, don’t use e-mail. Unless you have some sort of encryption, all that information is sent in clear text, readable by anyone who hacks a server and sniffs data.

In this particular case, you should know that no network administrator will ask for your password by e-mail. They would call you, or, if it were for a business e-mail address, probably stop by your desk. In addition, there’s no reason to ask for a password to resolve any kind of incident with an e-mail account.

Just remember: phishing can come in many forms. Never send any confidential information by e-mail. Period.

Comments are closed.