PLAXO and other "social engineering" on the Internet
From October 4th, 2004 newsletter

Late last week one of the employees at a customer of mine received what appeared to be a legitimate request from someone he has previously corresponded with via e-mail, to confirm and/or change his contact information which this person was now storing on a service called PLAXO.
This newsletter is aimed at preventing anything like this happening
again if possible, and will deal with not only this particular
(seemingly legitimate) company, but others both legitimate and not.
The employee confirmed the information and, without understanding the
consequences, signed up for the service himself, on the company's
computer workstation that he was using at the time.
I discovered what had been done because I happened to be in the customer's office when one of their customers (who is also a customer and friend of mine) called to find out what "this e-mail from PLAXO is all about." As I said to the offending employee, "that's exactly what you should have done - call the person who e-mailed you to find out if it was legitimate - or called me - and above all, don't sign up for any service from a company computer!"
The problem is that in signing up, he, without really understanding what was going on, allowed the service (PLAXO) to download the complete list of contacts in his Outlook Express Address Book (several thousand addresses) and started a process that some of you on this list will now be familiar with - that of PLAXO sending out a similar "confirmation" e-mail to each and every one on the list.
Although the PLAXO business seems to be legitimate (they sell a better version of their free service and that's how they make their money it appears) one of my business associates categorizes it as "a social engineering virus" - a feeling I concur with. The link in the e-mail goes to a page where just about everything links to the download page for their software and only a very insignificant link goes to anything that tells what is happening.
The first thing to know is that, as far as I can tell, using the "Add/Remove Program Properties" tool (Control Panel) you can remove the PLAXO program and toolbar from Outlook Express (and presumably Outlook). I've done so with the employee's machine and will be scouting through it to see what it has done - and will report back to you when I'm finished.
The second thing is - the downloaded addresses can be deleted too - by deleting the account.
The account at PLAXO has also been deleted. If you inadvertently signed up too and wish to do this, the URL is: https://www.plaxo.com/signin?r=/delete_account
On the good side, their (PLAXO's) publicly stated policies are in part:
* Your information will NOT be used to send you spam or any other unsolicited commercial e-mail.
* Your information will NOT be used to maintain a spam mail listing.
* Your information will NOT be shared, sold, or distributed to any third parties (unless required by law).
Of course, here in BC we know about the potential for the abuse of our information by US companies via the Patriot Act, as that is a subject of contention, with the BC government trying to outsource the data center for Medical Services to a US-based company.
The whole policy may be seen at: http://blog.plaxo.com/archives/000022.html

NOTE: we do not endorse this product/service - this is only a link for information purposes and we strongly suggest you view it from a "sanitized" web browser (i.e. one that has no identification information in it such as your name or e-mail address).
Enough of PLAXO for now - we'll keep you updated if more information comes to light.