Wednesday, June 11, 2008


The next step in phishing

I’ve recently seen a new angle[1] on phishing — the practice of sending deceptive email messages to try to snag personal information such as account numbers and passwords. Usually, the phishers try to hit your bank account, credit cards, or online payment system, hoping to get direct access to your money. But last week I got a message that tried to get access to an airline frequent-flier account:

Subject: AAdvantage Survey Program

Greetings from

Welcome to the American Airlines AAdvantage(R) program, the first and largest loyalty program in the world! We are proud to inform you that today June. 26 /2008 launch a new reward program. Please log in to your American Airlines account and take the 5 questions survey. For your effort you will be rewarded with $50

Your 50 dollars bonus code is AA-001NXX-2008NX22. Please log in to your account and follow the steps.

Thank you very much for your help and your patient and hope you will enjoy the American Airlines reward program in the future

American Airlines Reward Department
Please do not reply to this auto-answer message

The clues are the errors in grammar and the missing punctuation (and, um, the fact that it’s not “today, June. 26 /2008” yet). The actual link behind the text points to a web server in Russia.
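That last clue, where the link goes versus what the link says, is the one worth automating. As an added example (not part of the original post), the script below pulls every link out of an HTML message body and flags it when the target is a bare IP address, when the target host is outside the domain the mail claims to come from, or when the visible text names one host while the href goes to another. The sample HTML and its link targets are constructed for this example (the IP is from the TEST-NET-3 documentation range); the real target of the message above is not reproduced here, and the expected domain is an assumption.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body, in the style of the message quoted above.
# The link targets are invented for this example (203.0.113.0/24 is the
# TEST-NET-3 documentation range); they are not the real target of the
# original message.
SAMPLE_HTML = """
<p>Please log in to your <a href="http://203.0.113.7/aa/login">American Airlines
account</a> and take the 5 questions survey.</p>
<p>Terms: <a href="https://www.aa.com/aadvantage">www.aa.com/aadvantage</a></p>
<p>Or go to <a href="http://www.aa.com.203-0-113-7.example/">https://www.aa.com</a></p>
"""

# Assumption for this example: the domain the mail claims to come from.
EXPECTED_DOMAINS = {"aa.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def extract_links(html_body):
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    return parser.links


def _hostname(url_or_text):
    """Hostname of a URL; also accepts bare 'www.example.com/path' text."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    try:
        return (urlparse(url_or_text).hostname or "").lower()
    except ValueError:
        return ""


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_warnings(href, text, expected_domains=EXPECTED_DOMAINS):
    """Reasons a link is suspicious; an empty list means nothing was flagged."""
    host = _hostname(href)
    warnings = []
    if _is_ip(host):
        warnings.append(f"link goes to a bare IP address {host}")
    if not any(_in_domain(host, d) for d in expected_domains):
        warnings.append(f"link host {host!r} is outside {sorted(expected_domains)}")
    # If the visible text itself looks like a URL or hostname, it must agree
    # with where the link really goes.
    shown = _hostname(text)
    if "." in shown and " " not in shown and shown != host:
        warnings.append(f"text shows {shown!r} but link goes to {host!r}")
    return warnings


def suspicious_links(html_body, expected_domains=EXPECTED_DOMAINS):
    """Return [(href, text, warnings)] for every flagged link in the body."""
    flagged = []
    for href, text in extract_links(html_body):
        warnings = link_warnings(href, text, expected_domains)
        if warnings:
            flagged.append((href, text, warnings))
    return flagged


if __name__ == "__main__":
    for href, text, warnings in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for w in warnings:
            print("   ", w)
```

Run against the sample, the first link is flagged for going to a bare IP outside the expected domain, the third for showing one host in its text while pointing somewhere else, and the second (text and href agree, host under the expected domain) passes. The same two checks are what you do by hand when you hover over a link before clicking it.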

Of course, if they can get at my AAdvantage account, they could cash in my miles. They could also buy tickets with my credit card if I’ve saved my card information in my account (I haven’t). And, of course, if they get any password, they can try using it in other places too. That’s all good reason for me to remind you to use proper passwords on these sorts of accounts, to keep them secret, and not to use the same password for all of them (limit your exposure, so that if one is compromised it doesn’t give access to the others).

It’s also a good reminder to keep your hand on your wallet. The bad guys will try to break into anything, from your bank account to your email and Facebook accounts. Watch out.

[1] Get it? Angle, fish, phishing.... Yeah, OK.
