Tuesday, October 30, 2007

The FTC Fraud Department didn't really send you that phishmail

Phishing attempts spoofing (impersonating) government agencies aren't anything new. Here again, the FTC (Federal Trade Commission) is being used as a badge of authority to trick people into downloading something that is likely to steal their personal and financial details.

From the FTC press release about this most recent occurrence:

A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments.

The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations.
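The press release describes the three places this mail lies about its origin: the displayed sender, the Return-Path, and the Reply-To. A mail client only shows the first of these, which is why the spoof works. The script below is an added example for this post (not the FTC's or this blog's code) that reads a raw message and flags the mismatches a reader would otherwise never see: Reply-To or Return-Path on a different domain from the From address, a last relay that does not mention the sender's domain, and an attachment with an executable extension hiding behind a document-looking name. The sample message is constructed for illustration; only the displayed address frauddep@ftc.gov comes from the press release, and every other header value, host name and file name is an assumption.

```python
"""Header-consistency check for a suspected spoofed mail.

Added example, not code from the FTC or from this blog.  SAMPLE_MAIL is
a constructed message: only the displayed From address appears in the
press release; every other value below is assumed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

SAMPLE_MAIL = """\
Return-Path: <bounce@mail.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.com with ESMTP; Tue, 30 Oct 2007 09:12:00 -0400
From: "FTC Fraud Department" <frauddep@ftc.gov>
Reply-To: fraud-reply@example.org
To: victim@example.com
Subject: Complaint filed against you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A complaint has been filed with the FTC. See the attached document.
--b1
Content-Type: application/octet-stream; name="complaint.pdf.exe"
Content-Disposition: attachment; filename="complaint.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Extensions Windows will execute on double-click (assumed list, extend as needed).
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. The addresses a reply or a bounce would actually go to.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} != From domain {from_dom}")

    # 2. The first Received header is the hop that handed the mail to us.
    #    A real FTC mail would normally name an ftc.gov relay there.
    received = msg.get_all("Received") or []
    if received and from_dom and from_dom not in str(received[0]):
        findings.append(f"last relay does not mention From domain {from_dom}")

    # 3. Attachments whose real extension is executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment: {name}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_MAIL):
        print("!", line)
```

The Return-Path and Received checks are heuristics, not proof: mail sent on an organization's behalf by a third-party bulk sender legitimately trips both, so treat a hit as a reason to look closer, not as a verdict. The attachment check is the one that matters most for this campaign, since the payload only runs if the recipient opens it.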

The virus contains a keylogger, which logs information keyed into a computer and sends it back (electronically) to the phishermen (bad guys). This is a common method of stealing people's financial and personal information, which then is used to steal money.

The press release calls the payload a virus. Two other terms commonly used for this kind of software, and for the way a keylogger gets planted on a system, are malware and crimeware.

Keylogging software is sold legally, often marketed as a way to monitor your family or your employees. Law enforcement and people committing more sophisticated forms of espionage have also been known to use it.

If you are interested in seeing how many people are marketing keyloggers, click here.

Phishing might sound technical, but it almost always relies on a psychological technique known as social engineering (trickery) to accomplish its purpose. In this case, the lure to open the attachment is fear; in a lot of other cases, it's an offer that's too good to be true.

The FTC refers people who want to learn more about phishing to http://www.onguardonline.gov/.

Another place that has a lot of information about phishing is the Anti-Phishing Working Group.

Traditionally, the Phishermen relied on tricking people into giving up the information they were after. More and more, keyloggers are being used to steal that information automatically.

Other posts where I've written about keyloggers can be seen here.

I've been getting a lot of queries on this site about another government agency (the IRS), which has also been spoofed frequently by the Phishermen. The last update on this was on September 19th, but my guess is that these are still circulating out there, also.

Full FTC press release on this matter, here.

Here is an interesting CNet blog post about FTC Chairman Deborah Platt Majoras stating publicly that phishing is driving her insane. This was taken from a comment she made about a month ago at the first National Cybersecurity Awareness Summit.


(Deborah Platt Majoras courtesy of the FTC site)
