
Commentary by Mark Wahl, CISA

Organizing principles for systems:
You are in a maze of twisty little accounts, all alike (2007/3/30)

Kim Cameron of Microsoft writes in "Name that scam" about someone who had received numerous emails indicating that somebody had impersonated them, creating support requests in their name at numerous sites.

One possibility is that this is a phishing attack. Presumably, the victim would trawl through the responses and, for each one describing an unwanted account or activity, contact the site and cancel. Some of the "click here to cancel" pages on these sites might ask the person canceling their account to provide one or more attributes of personal information about themselves or their account to prove their identity. Some of the emails in this set might, however, be fake, directing the victim to phishing sites that merely collect that information in order to misuse it later. Kim writes

"I asked the person who was the target of this attack how he knew for sure he had been speaking with people from QuickenLoans, for example. It seems they just seemed credible, and helpful, so he never questioned their claims or asked to call them back."

Another possibility is cramming, in which one or more of these sites will bill the user and forward the proceeds to the attacker.

Yet another possibility is that the attacker is trying to tweak the victim's relationship with these sites. Suppose there is a large set of sites on the Internet. The victim "Alice" has accounts at one or more of them, and signed up using her email address alice@example-x.com. The attacker contacts all the sites with some innocuous support request, pretending to be Alice but using the email address alice@example-y.com. Some sites ignore the request because Alice has no account there, some respond to alice@example-x.com, and some respond to alice@example-y.com. The attacker saves the list of sites that responded to alice@example-y.com. Later the attacker contacts those sites and claims to be Alice, who has lost her password. The email address alice@example-y.com matches the one used on an earlier support request, so the help desk helps the attacker change Alice's password.
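The following is an added illustration, not code from the original commentary: a small model of the help-desk policy this scenario exploits, with the weak behaviour (answer whoever wrote in, and accept "matches an earlier ticket" as proof of identity) beside the hardened one (correspond only with the address registered on the account). Site names, usernames and the third "bob" site are constructed for the example.

```python
from dataclasses import dataclass, field

ALICE_REAL = "alice@example-x.com"   # address Alice registered with
IMPOSTOR = "alice@example-y.com"     # address used by the attacker


@dataclass
class Site:
    accounts: dict           # username -> registered email address
    weak_policy: bool        # True: trust the address on the ticket; False: registered address only
    ticket_contacts: dict = field(default_factory=dict)  # username -> addresses seen on tickets

    def support_request(self, user, from_email):
        """Return the address the help desk replies to, or None if the request is ignored."""
        if user not in self.accounts:
            return None
        self.ticket_contacts.setdefault(user, set()).add(from_email)
        # A weak desk answers whoever wrote in; a hardened desk answers only the registered address.
        return from_email if self.weak_policy else self.accounts[user]

    def password_reset(self, user, from_email):
        """Return True if the desk would change the password for a requester at from_email."""
        if user not in self.accounts:
            return False
        if self.weak_policy:
            # "Matches an earlier support request" is accepted as proof of identity.
            return from_email in self.ticket_contacts.get(user, set())
        return from_email == self.accounts[user]


def run_scenario(weak_policy):
    """Replay the attack from the post; return how many sites would reset Alice's password
    for the impostor. Three constructed sites: Alice has an account at the first two only."""
    sites = [
        Site({"alice": ALICE_REAL}, weak_policy),
        Site({"alice": ALICE_REAL}, weak_policy),
        Site({"bob": "bob@example-z.com"}, weak_policy),
    ]
    # Step 1: innocuous request to every site from the impostor's address; keep the sites
    # whose reply came back to that address (the others ignored it or wrote to Alice).
    responsive = [s for s in sites if s.support_request("alice", IMPOSTOR) == IMPOSTOR]
    # Step 2: later, "I lost my password" to exactly those sites.
    return sum(s.password_reset("alice", IMPOSTOR) for s in responsive)
```

Under the hardened policy the impostor's first message is answered at alice@example-x.com, which both alerts Alice and leaves the attacker with no site to return to.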