Spammers and phishers are exploiting websites to create visitor profiles for targeted attacks.
Anti-spamming solutions provider Blue Security says “hostile profiling” is easily accomplished using two new types of attack: registration attacks and password reminder attacks.
These attacks exploit sites that employ e-mail addresses as user identifiers during the registration process or for password reminders, allowing attackers to know whether a certain address belongs to a customer of such sites.
By automatically attacking hundreds of websites, spammers and phishers can generate a detailed consumer profile from any e-mail address, including the owner's addresses, hobbies, political views, purchasing preferences and health information, and then use this information for targeted spamming and phishing attacks.
Blue Security has found that a large majority of websites, including eight of the top 10 websites in the US, are vulnerable to registration attacks and password reminder attacks.
Some websites are already taking measures to protect themselves against such assaults by requiring billing information with each registration or implementing other security solutions.
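One of the “other security solutions” is simply to stop the registration and password reminder responses from depending on whether the address is already a customer’s. The following added example (not Blue Security’s code; the account store, message texts and the in-memory outbox are constructed) shows each handler in its leaky form beside a uniform-response form, plus the check a defender can run against either:

```python
# Added example (not Blue Security's code): a password-reminder and a
# registration handler in their leaky form beside a uniform-response form.
# USERS, OUTBOX and the message texts are constructed for illustration.

USERS = {"alice@example.com": {"id": 1}}   # constructed account store
OUTBOX = []                                # constructed stand-in for a mail queue

def send_mail(to: str, text: str) -> None:
    """Record the mail instead of sending it; what is mailed never reaches the HTTP response."""
    OUTBOX.append((to, text))

def reminder_leaky(email: str) -> dict:
    """Vulnerable: status and body reveal whether the address is registered."""
    if email in USERS:
        send_mail(email, "Password reminder")
        return {"status": 200, "body": "A reminder has been e-mailed to you."}
    return {"status": 404, "body": "No account is registered for this address."}

def reminder_uniform(email: str) -> dict:
    """Hardened: the lookup only decides whether mail goes out; the response is fixed."""
    if email in USERS:
        send_mail(email, "Password reminder")
    return {"status": 200, "body": "If an account exists for this address, a reminder has been sent."}

def register_leaky(email: str) -> dict:
    """Vulnerable: a 'taken' error confirms the address belongs to a customer."""
    if email in USERS:
        return {"status": 409, "body": "An account already exists for this address."}
    send_mail(email, "Confirm your new account")
    return {"status": 200, "body": "Check your e-mail to confirm your account."}

def register_uniform(email: str) -> dict:
    """Hardened: both branches mail the address and return the same response;
    the mailbox owner learns the outcome, the requester does not."""
    if email in USERS:
        send_mail(email, "You already have an account; use the password reminder if needed")
    else:
        send_mail(email, "Confirm your new account")
    return {"status": 200, "body": "We have e-mailed this address with the next step."}

def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Defender's check: does the response differ between a registered and an unregistered address?"""
    return handler(known) != handler(unknown)
```

Identical responses are necessary but not sufficient: a lookup branch that takes measurably longer, or a rate limit that only triggers for known addresses, reopens the same channel.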
In addition, Blue Security has found that registration attacks and password reminder attacks allow the harvesting of user addresses from nine out of 10 major ISPs, web-based e-mail providers and most recent non-bank phishing targets.
Eran Reshef, Blue Security chief executive officer, said, “Hostile profiling is yet another example of how online criminals abuse the internet to attack innocent users.”