Wherever there’s a fast buck to be made, there you’ll find phishing scams and internet fraudsters. Some enterprising souls evidently decided that phishing for the credit card details of ordinary people was insufficiently ambitious, so they turned their attention to the nascent carbon credits market:

The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded.

When workers entered their credentials into a bogus web page linked in the e-mail, the hackers were able to hi-jack the credentials to access the companies’ Trading Authority accounts and transfer their carbon credits to two other accounts controlled by the hackers.

[…]According to the BBC, it’s estimated the hackers stole 250,000 carbon credit permits from six companies worth more than $4 million. At least seven out of 2,000 German firms that were targeted in the phishing scam fell for it. One of these unidentified firms reportedly lost $2.1 million in credits in the fraud.

Now, in no way do I condone this sort of criminal activity… but I can’t help but feel that any organisation dealing with big-money transactions that doesn’t train its employees in decent email security procedures in this day and age is only getting what it deserves. Phishing is essentially a mediated version of the social engineering hack, and that’s an old enough phenomenon that you’d think any organisation with a lot to lose would take a little more care over it… I wonder if we’ll ever learn, or if we’re hardwired to fall for confidence tricks and bluff deceptions in perpetuity? [image by foto43]