According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.
The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.
Websense notes the similarities between the technique used in the latest phishing attack and the one used against the grain trading firm Scoular in June 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.
Game companies like Twitch have publicly said that swatting is dangerous, but that there is little else they can do to prevent the pranks. Tracking the culprits behind the pranks is difficult. While bomb scares and other hoaxes have been around for decades, making threats anonymously has never been so easy.

Swatters use text messages and online phone services like Skype to relay their threats, employing techniques to make themselves hard to trace. They obtain personal addresses for their victims through property records and other public databases, or by tricking businesses or customer service representatives at a victim's Internet provider into revealing the information.

Brandon Willson, a gamer known online as "Famed God," made up a murder to get police to go to an unsuspecting west suburban resident's home last year and ended up behind bars in Nevada awaiting extradition. As part of the investigation, police traveled to Las Vegas to help local police execute a search warrant at Willson's home. Computers seized there contained evidence of the swatting incident, as well as similar incidents across the country, prosecutors claim. Willson faces up to five years in prison if he is convicted on charges of computer tampering and one count each of intimidation, computer fraud, identity theft and disorderly conduct. His mother, Brenda Willson, says her son is innocent and does not smoke, drink or have tattoos. "He would never swat," she says.