Newegg Password Reset Scam: A Harbinger of Threats to Come?
Posted on: 2010-08-26 15:43:54 By Adam Wosotowsky @ McAfee Labs Blog McAfee Labs has detected a new strain of spam in the wild that is not only a sophisticated forgery of a Newegg purchase receipt, but also appears to be abusing Newegg’s own password reset system to further the scam. The spammers are taking advantage of the password reset option on the Newegg website to generate an email to the victim announcing that a password reset is required. This ruse cannot be used to determine if an account exists because the Newegg site returns the same text if you request a password reset on an actual or nonexistent account. So directory harvesting does not appear to be the attackers’ goal. Newegg’s password reset option is not protected by any sort of CAPTCHA authentication, so this process is probably being scripted as part of the spam campaign. The password reset request does not actually reset the password unless the recipient clicks on the email that is sent. In all likelihood this scam is designed to make the recipient anxious by suggesting an unauthorized individual has attempted to access the account. Read more... |