Sunday, October 19, 2014

Job Board Analysis


I've been working on a blog post relating to the barter of personal information; most of it is unsurprising really, but the flagrant disrespect for personal identity seems to be widespread.

An economy of scale where your information is bought and sold is inevitable - whether it's your personally identifiable information, the email address you used to sign up to a newsletter or the details you forgot to remove from public access on a social networking site.

This isn't the place for that full post but an offshoot of that research unveiled something that may be of use to others. This year I started using a new sequence of mechanisms designed to trace the flow of information whilst I use the job boards - they're an essential business tool because as a contractor / freelancer it's the easiest way to find clients.

However these sites often require registration and up front disclosure of details - meaning you're essentially putting your details in the hands of a 3rd party. Most of the sites automatically create an account for you the minute you apply for a role, and - despite best efforts from your side - automatically subscribe you to 3rd party offers, newsletters, etc, etc.

Once you've applied for a job you have to log in, uncheck the relevant spam mailer and distribution options and hit the apply button. That, in my view, is unacceptable as it essentially puts you on the spam lists before you get a chance to opt out. Most job sites are guilty of it - most notably JobServe and TechnoJobs.

So you've now applied for a job but at least two organisations have your details - the job website data owners and the recruitment agency. That assumes that your details haven't already gone to a 3rd party for re-use too.

TL;DR

Of the three distinct phishing attempts made in October, all of them used PII which indicates it was skimmed from CwJobs applications or profiles. Had it all come from only one of the accounts I'd have guessed that it came from compromised data at Harvey Nash, but the other permutations disproved this.

All three phishing attempts came from CwJobs email addresses which have only been used on that site, which means that either the recruiters or CwJobs - or both - aren't protecting personally identifiable information correctly.

Looking at it objectively it's more likely that the spammers are creating recruiter accounts on these boards and simply harvesting the details, capturing new job seeker update feeds, or acquiring the data more directly. Either way I've stopped using CwJobs altogether.

We cannot guarantee that other job boards aren't already compromised, but hopefully the dragnet will either help the ICO take the case forward or provide an incentive to the site owners to review their validation procedures.
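The address-tagging "dragnet" described above can be automated. The following is an added example (not the author's own tooling) that assumes one unique placeholder address per application, recorded against the board and the recruiter that received it; the registry, party names and mail headers are all constructed for illustration.

```python
import email
from email.utils import getaddresses

# Constructed registry (placeholder addresses): canary address -> every party given it.
# One fresh address per application, so each maps to the board plus the recruiter.
CANARIES = {
    "cw-app1@example.net": {"CwJobs", "Harvey Nash"},
    "cw-app2@example.net": {"CwJobs", "Recruiter X"},
    "cw-app3@example.net": {"CwJobs", "Recruiter Y"},
    "js-app1@example.net": {"JobServe", "Recruiter X"},
}

def canaries_in(raw_message: str) -> set[str]:
    """Canary addresses the message was delivered to (To, Cc, Delivered-To headers)."""
    msg = email.message_from_string(raw_message)
    values = []
    for header in ("To", "Cc", "Delivered-To"):
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr.lower() in CANARIES}

def common_source(addresses: set[str]) -> set[str]:
    """Parties that were given every hit address: only they could have leaked all of them."""
    holders = [CANARIES[a] for a in addresses]
    return set.intersection(*holders) if holders else set()

def attribute(messages: list[str]) -> tuple[set[str], set[str]]:
    """Pool the canaries hit across a batch of phishing mail and narrow down the source."""
    hits = set().union(*(canaries_in(m) for m in messages))
    return hits, common_source(hits)

# Constructed headers standing in for the three October phishing mails.
PHISH = [
    "From: barrister@example.org\nTo: cw-app1@example.net\nSubject: Next of kin\n\nbody",
    "From: barrister@example.org\nTo: <cw-app2@example.net>\nSubject: Proposition\n\nbody",
    "From: barrister@example.org\nDelivered-To: cw-app3@example.net\nSubject: Re\n\nbody",
]

if __name__ == "__main__":
    hits, source = attribute(PHISH)
    # With all three hits sharing only CwJobs, the board is the common factor;
    # a single hit would leave CwJobs and Harvey Nash equally plausible.
    print(sorted(hits), sorted(source))
```

The intersection is what rules Harvey Nash in or out: one hit leaves two candidates, three hits on different recruiters leave only the board.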

I've sent a copy of the blog post to the listed email address of the lawyer named in the spam, as well as to the spammer's "personal" email address, to invite them to respond.

Phishing Explained

You really don't need to read this section if you're already aware; it's aimed more at people who have less experience with the web and email. I'm not writing this to show off any knowledge but because I'm tired of answering the same questions from friends and relatives. Now I can just give them a URL to read.

So...

The aim of phishing is to get you to give up some personal details in order to access your account and get some money - or better, get you to give them money directly and save them the extra leg work. It's not about anything else.

I've got a dead relative in Malaysia and I should contact the Malaysian barrister using his Russian personal email address. Obviously if you want to check the address then having a poke around for the office on street view will show you where they are.

Of course it turns out this particular legal firm actually exists and uses a different gmail account, but that's just paperwork.

Now if by this point you still think this is a potentially viable email with genuine offers, you need to re-read the last few paragraphs carefully. Make sure you follow the links in this post (not in your spam / phishing email) and think about it. Any email that asks you for personally identifiable information - full name, date of birth, mother's maiden name, shoe size, etc. - just delete it. If it's a bona fide conversation they'll send you a letter or call you to make contact first. Don't give out any details over email to anyone you don't actually know.

I've included the entire email text in case anyone out there is searching for the same problem, and can get an indexed response based on content.

Key and questionable details highlighted... Even if it were a legitimate scenario, the person is asking you to commit fraud with them (really they'll ask you for an initial fee for bank set-up and you'll never hear from them again).

Oh and it really isn't Lee Li Yen (a practising lawyer in Malaysia).

No. 16-1, Jalan Solaris 3,
Solaris Mont Kiara, 50480,
Kuala Lumpur, Wilayah
Persekutuan, 50480, Malaysia.

Dear <my name>,

My name is Ms. Li Yen Lee, a legal practitioner with LI YEN & CO in No. 16-1, Jalan Solaris 3, Solaris Mont Kiara, 50480, Kuala Lumpur, Wilayah Persekutuan, 50480, Malaysia

I saw your contact and profile and decided that you could cooperate with me in this proposition.

I have a client by Name Mr. Jabari <my surname>, who was deceased in November, 2009, in Kuala Lumpur, Malaysia. I am contacting you because you have the same surname as my deceased client and I felt that you could help me in the distribution of funding that were left in my deceased client's bank account. This funding is closed to be declared un-serviceable by the bank as there were no indicated next of kin or next of beneficiary of the funding in the bank account.

The total amount of cash in the bank account of my deceased client is US$ 12.5 Million (Say, Twelve Million, Five Hundred Thousand United States dollars Only) The bank had issued to me a notification to contact the next of kin of my deceased client for either to re-activate the bank account or to make claim of beneficiary, of the funding in the bank account, with a month surcharge of 6% to be deducted as an Escrow safe keeping fee of the bank account, so as to avoid the indefinite closure of the bank account. My proposition to you is to seek your consent, and to present your kind self as the next-of-kin and beneficiary of my deceased client, since you have the same last name with him.

This means that the proceeds of his bank account would be paid to you as his next of kin or the legitimate beneficiary. When the proceeds in his bank account are paid to you, we would share the proceeds on a mutually agreed-upon percentage of 55% to me and 45% to your kind self. All the legal documents to back up your claim as my client's next-of-kin would be provided by the court. The most important thing I would need is your honest co-operation in this proposition. This would be done under a legitimate arrangement that would protect you from any breach of the law.

If this business proposition offends your moral and ethical values, feel free to back out. Please contact me at once if you are interested, reply through my Personal email (barristerliyenlee@yandex.com)

Regards,

Bar. Li Yen Lee.
Advocate.