Slashdot Mirror


"Phishing" Attacks to Increase

neutron_p writes "The number of people who succumb to identity thieves' "phishing" e-mails could go way up if immediate action isn't taken to preempt the next generation of attacks, according to an Indiana University School of Informatics researcher. "Phishing" e-mails appear to be sent by legitimate businesses, but are actually created and distributed by villains who are after your personal information. They describe some thieves' tricks. One kind of context-aware attack tricks eBay bidders into giving out identifying information by leading bidders to believe they've won an auction. In another kind of context-aware attack, a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information."

110 of 358 comments

  1. Moving right along by Lord Grey · · Score: 5, Interesting
    The article does not really say anything new. Of course phishing scams are on the rise: When they succeed, they succeed very well. It's just like spam that sells Body Part Enlargement Pills. Only a few victims need to fall for it before the perps fall in love with the whole idea.

    But off-topic, did anyone else notice the "Further Reading" section below the article?

    • The Elements of Style, Fourth Edition by Roger Angell
    • The Art of Innovation: Lessons in Creativity from IDEO, America's Leading Design Firm by Tom Peters
    • Reporting Technical Information by Thomas E. Pearsall
    • Optical Illusions: Lucent and the Crash of Telecom by Lisa Endlich
    • National Electrical Code 2002 Handbook
    The dead tree compilation of HOWTO: PHISH (except for maybe the last one). Ha!
    --
    // Beyond Here Lie Dragons
    1. Re:Moving right along by D_Gr8_BoB · · Score: 2, Insightful
      The article does not really say anything new

      No, it's all about a new class of "context aware" attacks which the author believes will have a much higher rate of success than the current ones (50% versus an estimated 3% now). You can disagree with the author's conclusions, but the article is at least talking about something I hadn't heard of before.

  2. first post? by Anubis350 · · Score: 3, Informative

    Wasn't there a recent article here about Google doing something about this? http://it.slashdot.org/article.pl?sid=04/10/18/0236201&tid=111&tid=217&tid=95&tid=1 As I understand it, Yahoo's signing technology, which hopefully will become a standard, will help stop such attacks. Google signing on to it helps push it quite a bit.

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
    1. Re:first post? by LiENUS · · Score: 2, Funny

      Except for one problem: Gmail is still by invitation only. Sure, they may be passing invitations out like crazy, but until they are open to Joe Schmoe just going to www.gmail.com and signing up... Gmail won't have a big enough impact.

  3. In Other News... by inkdesign · · Score: 5, Funny

    Number of Idiots On the Internet To Increase...

    1. Re:In Other News... by bananaape · · Score: 2, Funny

      Use "id-10-t" so as not to offend them in person.

  4. One nice new thing in Firefox by Anonymous Coward · · Score: 5, Insightful

    Was the addition of yellow highlighting for secure sites, and the domain in the status bar. It really makes picking up when you're on a secure site easier. In the past you had to really look for that little lock icon or whatever.

    Phishing is just conmen moving to the internet. They use similar tricks in the real world, just on a smaller audience. Here in the DC area there are several police imposters running around, some of them tricking people into withdrawing all the money from their bank (it's counterfeit!!!) and others actually using flashing lights to pull over people on the road.

    1. Re:One nice new thing in Firefox by I_Love_Pocky! · · Score: 5, Insightful

      It really makes picking up when you're on a secure site easier.

      I'm sorry, but just because the site uses SSL doesn't mean they are who you think they are.

    2. Re:One nice new thing in Firefox by GoofyBoy · · Score: 4, Insightful

      Firefox does make it nicer but I would still not rely solely on this for security.

      It's still easy to misread "www.capital-one.com" as the place where you do banking.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    3. Re:One nice new thing in Firefox by syntap · · Score: 5, Funny

      Yeah, but at least you are transmitting all your personal info to just that thief in a secure fashion, and it won't be picked up by other thieves.

    4. Re:One nice new thing in Firefox by tgd · · Score: 2, Informative

      If the URL in the bar says citibank.com, and it's yellow, and I didn't do some jackass thing like ignore the certificate name mismatch, it sure does mean that.

    5. Re:One nice new thing in Firefox by cmg · · Score: 5, Insightful

      One thing I just got onto my banking website about is that, in a new version, they switched to using components spread amongst 4 domain names.

      It's hard enough telling grandma that www.examplebank.com is different from www.example-bank.com for phishing scams. It's only harder when the banks themselves are spreading confusion.

    6. Re:One nice new thing in Firefox by lukewarmfusion · · Score: 4, Insightful

      Misleading domain names, username/host parameters in the URL, and certificates from not-so-trusted providers (or self-issued) are easy ways to trick a user into thinking they're at one site when they're at another.

      There was a Phishing test posted here on Slashdot a while back. One of the trickiest examples used a hostname/username/password in the URL. The regular user wouldn't know what that was - essentially, you're passing a username to the server along the lines of "www.hotmail.com" but the actual domain (which follows that username) is "www.youhavebeenowned.com".

      As another poster pointed out - citybank.com, citi-bank.com, citibanque.com, citibank.phishing.com, etc. are enough to trick a lot of people.

    7. Re:One nice new thing in Firefox by Uptown Joe · · Score: 2, Informative

      IE in XP SP2 does that too.

    8. Re:One nice new thing in Firefox by gad_zuki! · · Score: 4, Insightful

      What we need is a new TLD. Something like .bank which is only for financial sites. Only banks which can prove they are real, along with a 'no confusing names' policy, could go a long way to fighting fraud.

    9. Re:One nice new thing in Firefox by gcaseye6677 · · Score: 2, Insightful

      Bottom line is: a fool and his (or her) money are soon parted. It's harsh but it will always be true, no matter what new laws are passed. Scammers will always find a way to separate naive people from their money, legally or illegally.

    10. Re:One nice new thing in Firefox by GoofyBoy · · Score: 2, Insightful

      >It would be difficult for the crook to cover up his trails after buying a cert from a CA.

      Would it?

      Just use a stolen credit card or a credit card with fake ID and a fake address. All it needs is to be up for a few weeks. Done.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    11. Re:One nice new thing in Firefox by Simonetta · · Score: 4, Insightful

      Bottom line is: a fool and his (or her) money are soon parted

      I disagree. We aren't dealing with fools here, we're discussing people who have been ripped off.
      Crime victims are not fools because they have been defrauded by technologically-advanced shitpeople.

      If there are any 'fools' here it is us. For assuming that we could unleash cool advanced new technology like internet commerce onto the general public without our having built-in safeguards against the criminal element who would use this new technology to prey on people. People who trusted us and our technology.

      We should be the ones who take responsibility to ensure that the criminals who use our technology to steal and defraud are punished. We can't rely on the established law-enforcement authorities since they are far too busy dealing with all the 12-year-old file-sharers, pot smokers, and grandmas trying to board airplanes with plastic forks.

      We created the technology that created the problem. We can't deal with the problem by just calling people 'fools' as a result of their using the technology that we told them would improve their lives.

      Just once I'd like to see the sun come up in the West over the Golden Gate Bridge. Just once I'd like to read mature and ethical comments from Slashdot posters.

    12. Re:One nice new thing in Firefox by aaza · · Score: 2, Informative
      There was a Phishing test posted here on Slashdot a while back.

      Yep. story (IT subdomain removed to preserve eyes)

      test

      Enjoy.

      --
      In theory there is no difference between theory and practice.
      In practice, however, there is.
  5. Quick & Dirty Hack ... by johnhennessy · · Score: 5, Funny


    Give anyone who falls for one a Darwin award.

    --
    [ Monday is a terrible way to spend one seventh of your life. ]
  6. Humans... by Duncan3 · · Score: 4, Insightful

    Social engineering will always work, and will always be very easy, because users are stupid.

    Phishing is just technology-enabled social engineering.

    --
    - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    1. Re:Humans... by Anonymous Coward · · Score: 4, Interesting

      nahh I love these...

      I set up a website testing app full of profanity and point it at the "webform" these losers try and scam people with and fill their database.

      I let it run until it starts erroring out because it has been taken down.

    2. Re:Humans... by Pi_0's don't shower · · Score: 5, Interesting

      Seriously, doesn't the parent have a point here?

      I mean, there will be scam artists as long as people are uninformed enough to fall for a scam. Doesn't every single site that you give sensitive information to WARN you that they will never ask you for that information?

      I remember the first time I ever logged in to AOL, someone named "SS Rupert" IM-ed me telling me that my credit card number was lost in the last transmission and I needed to re-send it. This is immediately after the old AOL screen that says "We will never ask you for your password or credit card information". I laughed at his IM and asked him how many people fell for that? He told me that he just hung around the "newbie chat" or wherever it was that AOL dumped new users at the time and that he gets about 10 to 15 PER CENT of people to send him one or the other without even questioning him.

      I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

    3. Re:Humans... by stilwebm · · Score: 5, Insightful

      I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

      Most Slashdot readers are smart enough to avoid this type of scam, so it's easy to say "these scams don't affect me." The problem is, they do. Increased success of scams leads to increased fees and holdbacks for credit card transactions, increased retail prices, increased costs for investigations, increased costs for prevention and decreased productivity. These are all small hidden costs but they add up. Maximizing prevention has real economic benefits for everyone. Sympathizing with the criminals only hurts lawful consumers.

    4. Re:Humans... by White Roses · · Score: 4, Interesting
      Exactly.

      My parents call me if they get something like this. My sister calls me. Now, the calls have been getting fewer and fewer since I've been subtly educating them on how to recognize such things. Plus, I've always told them, even if it's me asking you for information in an e-mail, call the person who sent it first. Call Earthlink. Call your bank. Call me if it looks like it came from me. Remember that all of these people should already know the information they are supposedly requesting.

      As an aside, kudos to National City Mortgage. Someone published a phishing e-mail, and I got it. First time I looked at it, I said, yeah, phishing. When I looked at it again half an hour later, the banner, which was linked in the e-mail to NCM's website, had "DO NOT REPLY TO THIS E-MAIL! IT IS A SCAM ATEMPTING TO GAIN ACCOUNT NUMBER AND PASSWORD!" overlaid on it. Pretty slick way for NCM to get the word out to everyone who got the e-mail, and not startle people who didn't. Of course, the phishers had to be morons to do something like that.

      --
      Do not touch -Willie
    5. Re:Humans... by discord5 · · Score: 3, Insightful
      I mean, there will be scam artists as long as people are uninformed enough to fall for a scam.

      The Internet is in more than one way a mirror of real life society. As long as there are people naive enough to disclose personal information, or lend money to people who'll never give it back, there will be people who do these kinds of scams. The internet is not the place crooks are born, real life is. People seem to forget about that and mention the internet as the source of all evil.

      I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

      I don't really share that opinion. Yes, people are too trusting far too often, but that doesn't mean that they earn getting ripped off.

      The thing is that while now we may say "Oh, it's just some idiot who gave out his VISA number to a lot of scammers", who knows, maybe we'll be the fools of the generation of scammers to come. I'd rather not have someone say "People who are too dumb deserve to be scammed" then.

    6. Re:Humans... by Have Blue · · Score: 2, Insightful

      And social engineering is "just" lying or acting with intent to deceive. It's not fundamentally different just because it has a 1337er name.

    7. Re:Humans... by ednopantz · · Score: 3, Insightful

      You my friend are a hero.

      Better yet, program it to fill in plausible data and let the bastards spend all their time trying to use bogus user info.

      Or perhaps the solution is to send out a bunch of phishing emails and point them to a website that educates users: "You just gave your banking info to an unknown party. Had this been a real scam, you would be broke now."

    8. Re:Humans... by LordNimon · · Score: 5, Insightful
      So why not just eliminate the no-liability clauses in credit card agreements to reflect that if you (the cardholder, accountholder, whatever) give away information that leads to a loss, you are solely liable for that loss without limitation?

      That's unenforceable because it's impossible to prove that any particular illegal use of my credit card number was the (direct or indirect) result of my giving the number to the wrong person. Besides, that liability clause is a selling point for credit cards. No one would choose a card that held them liable for unauthorized charges.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    9. Re:Humans... by Too Much Noise · · Score: 2, Interesting

      And do you personally audit the security of every online vendor you buy from to see that they're all up-to-date with patches? What about unpatched vulnerabilities? Zero-day exploits? Or heck, even loaded ATMs, as the required tech gets better, smaller and harder to spot?

      Bottom line, if it were all under your control, then you might reasonably want to assume responsibility for it. But this is not the case - and all you need is for one of the points of failure to give in. Are you willing to risk it?

    10. Re:Humans... by scot4875 · · Score: 4, Insightful

      I almost completely agree that if you're dumb enough to fall for the scam, you deserve it.

      I almost completely agree that if you're not strong enough to defend yourself, you deserved to get your ass kicked by that big linebacker guy.

      We have this thing called a 'society' around us -- it works best if we HELP LOOK OUT FOR THOSE PEOPLE WHO HAVE TROUBLE LOOKING OUT FOR THEMSELVES.

      --Jeremy

      --
      Jesus was a liberal
    11. Re:Humans... by beacher · · Score: 2, Interesting

      "Increased success of scams leads to increased fees"

      Give Master Card or VISA a completed investigation with the suspect's names, a written confession, an itemized list of goods purchased with stolen credit cards, videotapes of the suspects and THEY STILL WON'T PROSECUTE. They don't give a flying fuck because they can write it off and then pass the screwing on to you the customer. My department almost re-wrote their evidence rules because they were almost categorized as "victimless crimes" (the cc company is the unwilling victim that never claimed their property) and the evidence was almost considered lost and found.

      I feel bad for anyone that has their identity stolen - happened to me and it took 3 years to straighten out, but I have *NO* sympathy whatsoever for any cc company (except AmEx, they were militant and have my respect). If they increased prosecution and put some of these people away instead of "trying to prevent" it, then they would get somewhere.

    12. Re:Humans... by udoschuermann · · Score: 3, Insightful

      Stupidity isn't the reason why social engineering succeeds, but rather it is rooted in the trust that we all must show towards each other in our daily life: you trust other drivers on the road, the train operator, the cook at the restaurant, and construction workers who built the house you live in, not to be targeting you. Social engineering abuses this trust.

      Most computer users have an appallingly crippled understanding of the technology they use to surf the web, write letters, and balance their checkbook. They perceive no need to understand it more, and more importantly have insufficient background to grasp all the ways that this technology can be used against them even if they had the chance to learn. That isn't stupidity, necessarily, but a fact of life. Social engineering will continue to work as long as there are people who are involved in something (anything) that has the potential for abuse. None of us can know all about everything and be constantly on guard about potential abuse. That's just life.

      Is there a solution as far as the internet is concerned? I really don't know, but it would have to lie in better interfaces, IMO. What if a browser were to perform a DNS lookup on all permutations of a URL (e.g. citybank, citibank, citi6ank, citi-bank, etc.) and show a warning if the URL seems suspect? Or show an analysis of a URL with multiple domain names, login name, and password in it.

      --
      --Udo.
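
The URL checks udoschuermann sketches above, together with the user@host and lookalike-domain tricks lukewarmfusion describes earlier in this thread, as an added Python example (not code from any poster): KNOWN_BRANDS is a constructed list, and registrable_domain is a last-two-labels stand-in for the public suffix list.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user has accounts at; the lookalike tests run
# against these, so a real deployment would build it from the user's own bookmarks.
KNOWN_BRANDS = {"citibank.com", "ebay.com", "paypal.com", "capitalone.com", "examplebank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (www.citibank.phishing.com -> phishing.com).
    Simplification: production code uses the public suffix list so that
    names such as bank.co.uk are split correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse_url(url: str) -> dict:
    """Return the host the browser would really connect to, its registrable
    domain, and a list of human-readable findings (empty means nothing odd)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []

    # Trick 1: http://www.hotmail.com@www.youhavebeenowned.com/ - everything before
    # '@' is a username handed to the server; the browser connects to the host after it.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' before '@' hides the real host {host}")

    if domain not in KNOWN_BRANDS:          # a known site needs no lookalike check
        label = domain.split(".")[0]         # "citi-bank" from "citi-bank.com"
        for brand in sorted(KNOWN_BRANDS):
            name = brand.split(".")[0]       # "citibank"
            # Trick 2: brand name used as a subdomain or label of an unrelated
            # domain (citibank.phishing.com, capitalone.bfi0.com).
            if name in host:
                findings.append(f"host mentions '{name}' but is registered under {domain}, not {brand}")
                continue
            # Trick 3: lookalike spelling (citybank, citi-bank, citi6ank, example-bank).
            # Short brand names get a tighter limit so that e.g. 'okay' is not flagged as 'ebay'.
            limit = 1 if len(name) < 6 else 2
            if edit_distance(label, name) <= limit:
                findings.append(f"'{domain}' looks like '{brand}' but is a different domain")
    return {"host": host, "domain": domain, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links built from the tricks discussed in the thread.
    for link in (
        "https://www.citibank.com/",
        "http://www.hotmail.com@www.youhavebeenowned.com/login",
        "http://www.citibank.phishing.com/",
        "http://www.citi-bank.com/",
        "http://www.capital-one.com/",
    ):
        print(link, "->", analyse_url(link)["findings"] or "ok")
```

Note that citibanque.com from the same list of examples is three edits away from citibank.com and slips under this limit, which is why a permutation list alone cannot be the whole answer.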
    13. Re:Humans... by Anonymous Coward · · Score: 2, Insightful
      Or perhaps the solution is to send out a bunch of phishing emails and point them to a website that educates users: "You just gave your banking info to an unknown party. Had this been a real scam, you would be broke now."

      Yeah, good luck explaining this to the cops when they come knocking on your door.

  7. USERS are the problem by drsmack1 · · Score: 5, Insightful

    Until the majority of the people out there have the critical thinking skills to deal with this sort of thing the problems will continue. The same people who are stupid enough to give out their info to someone who e-mails them are the ones buying shit from SPAM e-mails.

  8. In related news... by slavemowgli · · Score: 5, Informative

    In related news, Google has recently updated Gmail with an automatic detection of phishing attempts / spoofed emails; suspicious emails will be displayed with a warning:

    "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information. Learn more"

    Like spam detection, it's not perfect, of course, but I think it's a very good idea.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:In related news... by 1984 · · Score: 2, Interesting

      Let's hope nobody sues Google for providing a phishing-detection service which turns out to be less than 100% reliable, and thusly inappropriate to abdicate all personal responsibility to.

    2. Re:In related news... by Neon Spiral Injector · · Score: 2, Informative

      ClamAV also has been adding signatures that match common phishing mails.

  9. Jealous by I_Love_Pocky! · · Score: 4, Funny

    The author of the article is just jealous because I'm going to get millions from Nigeria, and he isn't!

  10. All starts with real SPAM by superpulpsicle · · Score: 4, Insightful

    For example

    1.) fleetbank sends out some email advertisement
    2.) hackers now have a model email to modify
    3.) hackers can just redirect some links and resend it to different users.

    So to fix this, real companies need to STOP sending out spam.

    1. Re:All starts with real SPAM by tardibear · · Score: 2, Funny

      Indeed! I have received two emails from my building society which include the phrase "A number of bogus e-mails are currently circulating in the UK encouraging customers to visit fraudulent websites where personal or Internet security details are requested. Halifax would never send e-mails that ask for confidential or personal security information and it is very important that you do not reply to these e-mails or click on any links within them."

      Sensible advice and policy, except that it's immediately followed by this LINK: Please read our security section for help and more information.

      Almost unbelievable!

  11. Re:Maybe this is a good sign by marika · · Score: 2, Insightful

    Maybe the scammers are just too technically challenged to hack and prefer using the good old social engineering.

    --
    This is totally insecure, but very convenient.
  12. Loved ones wanting bank info? by magarity · · Score: 4, Insightful

    for example, a friend or loved one - asking him or her to go to a Web site to update banking information

    OK, hands up, whose mother has a habit of wanting one to provide bank account info via some web site? I can see the duplicitous falling for the fake 'from your bank' emails, but from friends and loved ones???

    And some people want democracy to be MORE direct???

    1. Re:Loved ones wanting bank info? by nizo · · Score: 5, Funny
      It goes something like this:


      Dear son,

      Pleaze go to the link below to update yoor bank account infromation. I am not feeeling well these days and I want to make shure that you get yoor inheretence munny as quickly as possible. Thanks!

      Love,

      Mom

  13. Could be real... might not be by Anonymous Coward · · Score: 5, Interesting

    This is one from a friend I only know online, so take its truthfulness with a grain of salt. Out of a mix of curiosity and a bet/dare with a co-worker, he engineered to insert a small harmless fake phish into email, one distributed to members of staff around the organisation, which provides financial support for other government departments. It was a completely stupid one, with the email simply asking staff members to go to a site and re-confirm their credit information, and the site took down names/addresses/SS/credit card numbers etc. Out of more than a hundred employees, *ONE* person came to him as support to check what the email might be, and fifteen filled out their complete credit information.

    That was around 10% of people, adults who should know better, who simply gave up their personal information to nobody they knew, just because they were asked. My friend lost his bet, he thought it would be closer to 30%, but still... send out hundreds of thousands of phish scams and you're guaranteed a good haul.

  14. Somebody teach the legit companies... by Se7enLC · · Score: 5, Insightful

    How are we supposed to tell the difference between a legitimate email from a company and a phishing attempt when places like CapitalOne use skeezy companies like bfi0.com for sending email to their customers? A link that says "Click here to access your statement" that actually goes to http://capitalone.bfi0.com/T8RT044ABB6D98DEB357FB2EDD4A80 makes me feel safe inside.

    1. Re:Somebody teach the legit companies... by Scorchio · · Score: 5, Insightful

      This is a serious problem... I get emails from Bank of America, telling me how cool it is to pay my bills through their online service, and they provide links to the site. The link isn't simply to http://www.bankofamerica.com/, it's http://links.bankofamerica1.com:8082/Click?q=eXXXX, which redirects to the former. Is it really Bank of America, or is it a phisher who's registered the domain name with a '1' on the end? I'm fairly sure it's ok, but I'm sure they don't expect all customers to run whois enquiries on link addresses.

      The thing that scares me is that it could so easily be a more subtle phishing email. It doesn't follow the more obvious method of asking for people to login to verify their details. If it was a scam, this could easily fool even those of us who should know better - those of us who have just crawled out of bed and remembered the phone bill still needs paying. Clicking the link and logging in is so easy, and exactly what a phisher is waiting for.

    2. Re:Somebody teach the legit companies... by Rude Turnip · · Score: 2, Insightful

      Since we're venting on crazy domains from real businesses, my monthly NJ EZ-Pass email statement also provides a link to the effect of: ezpass.[some obscure domain].com. One of these days I'm worried that someone will send a phish message and I'll think it's the real thing. Thanks EZ Pass...you bastards!

    3. Re:Somebody teach the legit companies... by Wanker · · Score: 3, Insightful
      How are we supposed to tell the difference between a legitimate email from a company and a phishing attempt when places like CapitalOne use skeezy companies like bfi0.com for sending email to their customers?


      I realize your question was rhetorical-- there's no way to tell the difference between these "legitimate" off-domain links and phishing attacks based solely on the contents of the message.

      What you can do is to call the help number for the company (CapitalOne in the above example) and explain that you received a "suspicious" E-mail and want to verify that it's legitimate. If they get and pay for enough of these calls (sadly, this is unlikely) they might think twice about outsourcing their hosting to another domain.
  15. Re:Maybe this is a good sign by Trigun · · Score: 5, Interesting

    Do you kick down a door, or do you try the knob first?

    Also, there are various graduations of criminal, from petty thug to criminal mastermind. There are more thugs than masterminds (mostly because if there were tons of masterminds, all the cool costumes would be taken).

    Read it how you will. This is, I assume, much easier than hacking into the bank. Doesn't mean that you couldn't hack into the bank.

  16. easy algorithms for thwarting scams by mabu · · Score: 4, Interesting

    One easy way to address this situation would be to have a plugin or feature for most e-mail clients that would prominently display the general source of the message (i.e. "China", "Brazil", "DSL user in Texas", etc.) as a prominent part of the normally-viewable message headers.

    It is well known that most spam and phishing e-mails are coming from one of two sets of IP space: China and Korea and related "rogue IP space", and DSL-based zombie proxies. It would not be difficult to use a database or design an algorithm which could 'flag' e-mail messages as suspicious based on the comparison between the from header information and the SMTP relay.

    Users who then received messages could get a color-coded warning when they view the message, i.e.:

    "WARNING: This e-mail claims to be from the domain ebay.com but it originated from a system suspected of being located in China - use caution"

    Very simple, elegant and helpful solution. Which probably means it would never be adopted.

    1. Re:easy algorithms for thwarting scams by Kenja · · Score: 2, Insightful

      Why do you think this would work? It's the mail server that generates such mail header content. When the "server" is a compromised home box sitting on a DSL connection, why would the trojan/virus/what have you be honest about the origins of the email it generates?

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:easy algorithms for thwarting scams by orkysoft · · Score: 2, Informative

      Because your email server (i.e. the one on which your account is located) adds to the headers the location of the machine it got the mail from.

      So zombiexp43964.dsl.bigisp.com might send out an email claiming to be from paypal.com, but the email server at e.g. myrealbox.com adds to the headers of the message the fact that it came from zombiexp43964.dsl.bigisp.com.

      --

      I suffer from attention surplus disorder.
    3. Re:easy algorithms for thwarting scams by Kenja · · Score: 2, Informative

      And if email worked that way you'd have a point. The whole reason for all these server signing systems that Microsoft/Google/etc are starting to use is because in standard SMTP the server trusts the mail header and will not make corrections. In other words, your server has no way to confirm that the mail didn't come from the source it claims.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    4. Re:easy algorithms for thwarting scams by OmniVector · · Score: 2, Interesting

      Or how about just viewing your raw email?

      In Mail.app I see the email address: eBay@reply3.ebay.com

      But when I go and view the raw source I see it was actually delivered by:
      Received: from mail.wooms.net (unknown [212.124.39.178])

      A simple whois wooms.net tells me:
      Peter Brueggemann guardian@globe.de
      Wooms e.V.
      Hammer Strasse 37
      Muenster, NRW 48153
      DE
      +49 2512034762

      Somehow I doubt that's eBay.

      --
      - tristan
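
mabu's From-versus-relay warning and OmniVector's raw-header check, as an added Python example (not any poster's code). Following Kenja's objection, it trusts only the topmost Received header, the one your own receiving server wrote; the two sample messages, relay names and addresses are constructed, and registrable_domain is a last-two-labels stand-in for the public suffix list.

```python
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

# "from <helo-name> (<reverse-dns> [<ip>])" as written by Postfix/Sendmail-style MTAs.
# The parenthesised part is optional, and the reverse DNS may be the literal word "unknown".
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def registrable_domain(host: str) -> str:
    """Last two labels (reply3.ebay.com -> ebay.com); a real tool uses the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse_message(raw: str) -> dict:
    """Compare the From: domain with the relay that handed the message to *our* server."""
    msg = message_from_string(raw, policy=default_policy)
    _, addr = parseaddr(str(msg.get("From", "")))
    claimed = addr.rpartition("@")[2].lower()
    result = {"claimed_domain": claimed, "relay": None, "relay_ip": None, "warnings": []}

    received = [str(h) for h in msg.get_all("Received", [])]
    if not received:
        result["warnings"].append("no Received header at all; message was not delivered by any relay")
        return result
    # Only the topmost Received header was written by our own server. Every header
    # below it arrived with the message, and a zombie can forge those freely.
    m = RECEIVED_FROM.match(received[0].strip())
    if not m:
        result["warnings"].append("could not parse the topmost Received header")
        return result
    helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
    no_rdns = rdns is None or rdns.lower() == "unknown"
    relay = (helo if no_rdns else rdns).lower()   # prefer the verified reverse-DNS name
    result["relay"], result["relay_ip"] = relay, ip
    ip_text = ip or "address not recorded"

    if claimed and registrable_domain(relay) != registrable_domain(claimed):
        result["warnings"].append(
            f"WARNING: This e-mail claims to be from the domain {claimed} but it was handed "
            f"to your server by {relay} [{ip_text}] - use caution"
        )
    if no_rdns:
        result["warnings"].append(
            f"relay {ip_text} has no reverse DNS; '{helo}' is only the name it announced in HELO"
        )
    return result


# Constructed after the pattern in OmniVector's post: From: says eBay, the delivering relay
# is a stranger with no reverse DNS, and a second, forged Received line claims an eBay hop.
PHISH_MAIL = "\n".join([
    "Received: from mail.example-relay.net (unknown [192.0.2.10]) by mx.myrealbox.example "
    "(Postfix) with ESMTP id 4A1B2C; Mon, 25 Oct 2004 10:00:00 +0000",
    "Received: from smtp.ebay.com (smtp.ebay.com [203.0.113.7]) by mail.example-relay.net; "
    "Mon, 25 Oct 2004 09:59:00 +0000",
    "From: eBay <eBay@reply3.ebay.com>",
    "To: victim@myrealbox.example",
    "Subject: Congratulations, you have won the auction",
    "",
    "Please confirm your account details at the link below.",
    "",
])

# Constructed legitimate message: the relay's reverse DNS sits in the same domain as From:.
LEGIT_MAIL = "\n".join([
    "Received: from out1.examplebank.com (out1.examplebank.com [198.51.100.5]) by "
    "mx.myrealbox.example (Postfix) with ESMTP id 4A1B2D; Mon, 25 Oct 2004 10:05:00 +0000",
    "From: Example Bank <alerts@examplebank.com>",
    "To: victim@myrealbox.example",
    "Subject: Your statement is ready",
    "",
    "Log in at https://www.examplebank.com/ to view it.",
    "",
])

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        print(name, "->", analyse_message(raw)["warnings"] or "ok")
```

Mail a bank sends through an outsourced mailer, like the bfi0.com links in Se7enLC's post, trips the same warning, so it is a caution to show the user, not a verdict.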
  17. fixed link by Anubis350 · · Score: 2, Informative

    fixed link

    here

    oh, and btw, how the hell is my post offtopic???

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  18. "Mom" as a phisher by FunWithHeadlines · · Score: 4, Insightful
    "a potential victim might receive a message from a known person -- for example, a friend or loved one - asking him or her to go to a Web site to update banking information"

    Yeah, that's a likely scenario. Your dad or mom writing you all concerned that your bank information needs updating. Has anyone, anywhere, ever had that happen in real life? OK, never mind, I'm sure it has happened to someone, and for sure that person is reading this comment and will respond all indignantly. But you get the point. I cannot believe this approach would be accepted. This is not a typical, 'Hey, check this out' type of email from a relative. It's just a little too strange to work.

    Now I have been phished, usually by Citibank-looking emails asking me to click here and update my information. The fact that I don't have a Citibank account was my first clue. The fact that I read /. and know about phishing was my second clue. The fact that I know banks don't operate that way was my third clue. But they are professional-looking emails, until you look closely and find all the typos. But pretending the email comes from Mom?? The first thing I would do is call her up and ask what's going on. And then she could say, "You called, it worked!"

    Oh wait, this is a phishing expedition, not from bad guys, but from parents who want more phone calls from their children!

  19. Anti-Phishing Working Group by sharp-bang · · Score: 3, Informative

    You can read more about efforts to combat phishing here. Lots of purty charts and plenty of specific examples.

    --
    #!
  20. Public Awareness == Good by Solder+Fumes · · Score: 5, Interesting

    I was pleasantly surprised at a commercial I recently heard on the radio while driving. It was a public service announcement laying down the basics of phishing (they even said "spelled with a 'ph'") and what kinds of warning signs to look for. I hope to see more announcements of this type, as computers begin to affect almost 100% of the people in our society.

  21. 419 scams by donnyspi · · Score: 5, Interesting

    I use phishing techniques to get 419 scammers to give me their email password so I can shut them down. I usually direct them to a URL promising to contain a scanned image of my passport or whatever. The link usually goes to a log in screen for their particular email provider. This works great. I know they'll just get another email address, but this is a small thing I can do to disrupt them a little.

    1. Re:419 scams by donnyspi · · Score: 2, Interesting
      I do look in their boxes sometimes. Unfortunately the sucker count is moderately high. Their drafts folder is full of canned letters. Sometimes their Sent Items is full of sent scam emails. I thought most 419ers used programs to send out the initial bulk scam email.

      Check out http://www.419eater.com/ for other people's reverse scam and phishing successes.

    2. Re:419 scams by tekiegreg · · Score: 2, Interesting

      Heh, I'm a regular surfer of 419eater.com and even now am baiting a scammer, I actually wonder now if you were looking at faked responses in their inboxes from fellow 419 reverse scammers :-)

      --
      ...in bed
  22. always a bigger phish by Doc+Ruby · · Score: 2, Insightful

    Now that we're in the PTO War that will last the rest of our lives, is Congress cracking down on the phishers who depend on trademark violation to bait their hooks as hard as the RIAA is persecuting perceived violators of their copyrights?

    --
    make install -not war

  23. Once Virtual Scent Sensing is widely available... by slowhand · · Score: 5, Funny

    The same folks will fall for Pharting schemes.

    "It has come to our attention that your Scents information may have been compromised. In order to prevent you becoming victim to an incorrect Rose scent on a virtual bouquet, or an invalid Roast Turkey smell this Christmas you should log in and sniff at our server to verify your sniffers.
    Thank you!"

    Ewwww!

    --
    Busy aligning my non-linear thoughts.
  24. Econ class paid off after all... by trevdak · · Score: 4, Insightful

    An interesting thing about these scams is how game theory applies to them. If they don't send out any emails, of course they don't make any money. If they send out only a thousand or so per day, they'll probably succeed with one or two people, and make a decent amount of money. Additionally, they'll remain more anonymous and reduce the risk of word spreading about this scam. If EVERY scammer sends out millions of these emails, people will catch on quickly and profits will plummet. That's what they did now. Everyone jumped on the bandwagon and the scam bubble burst.

    I believe that the success of these scams will decline over time. Just like with the 409 scams, there will be a larger number of people who fall for it at the beginning, but then numbers will drop. Will it always be profitable for them? Most likely, yes, unless email verification becomes much more standard. Will they go away? No. Will they eventually find some new scheme that is even more clever? Without a doubt.

    I dunno what my point is. Someone agree with me.

  25. Got one of these a week ago... by RyoShin · · Score: 4, Informative

    I got a phishing e-mail (should it be called 'bate'?) a week or so ago, but there were two key things that let me know it was a scam (aside from general common sense):

    1) I don't have an account at the bank listed (Citibank, in this case.)

    2) The e-mail itself was a giant GIF. (It did have the 'fail-to-get-around-spamblocker' words in text at the bottom, though.)

    Instead of getting rid of phishing scams, we should get rid of low-common sense/stupid people on the net. Then we wouldn't have this problem. Or many others.

    A leader is only a leader when he has followers.

  26. Re:Huh? by Yolegoman · · Score: 5, Informative

    It's "Phishing", and the general idea behind it is to send someone an email saying something like "We, Citibank, need you to update your banking information due to a database crash." They then send you to a site that LOOKS legit, and you then enter your information or even just your username / password. The phishers then have your account information, and they are free to do whatever they please with it. As has been said, it's only because uneducated grandmas and fools actually do what the emails say that the Phishers keep sending their crap. - Yolego

  27. Counterattacks by Anonymous Coward · · Score: 2, Interesting

    Whenever I get a phishing email I click the link so that I get the real url (the emails usually use Javascript to make it look like you're going to a legitimate website). I try to load the base url to see if it's actually some person's website who's been hacked, and doesn't know that he's hosting phishing pages. But usually, it's someone who's probably hosting a site on a residential connection. A traceroute should tell you where. Then, I blast that site with as much traffic as I can. Because they're often on low bandwidth connections, I can often take them out myself. The apachebench tool is handy for this.

    These people are often located in countries where the law enforcement of these crimes may be lax or non-existent. Therefore, I believe that vigilante justice, along with consumer education, are some of the few things we can do to prevent people from getting ripped off.

    1. Re:Counterattacks by altjira · · Score: 2, Informative

      How fair is that? I check all my incoming phishing emails. One went to a tiny school district in Missouri. I thought some smart teenager had set it up, but then I noticed that all the collected info was sent to another site in Florida. I sent emails to the admins of both sites, and the Florida one wrote back in a couple of hours and said he had shut down the account. I don't know where it went after that (the email had originated in Romania), but I had succeeded in breaking one link in the chain, and alerted the Missouri webmaster that he had problems he needed to take care of, without crashing his system.

      I'm not a great net guru, but I try and do my part. I send all phishing emails to uce@ftc.gov and reportphishing@antiphishing.org and to the abuse addresses at the hosting IPs. I know it would be better if all the "stupid" users could be educated to spot these things themselves, but that just isn't going to happen. We who know better should be doing more to stop this instead of laughing at the gullible.

  28. Size of the problem by prostoalex · · Score: 3, Informative

    Americans lose $500 mln yearly to phishing.

    That's a large enough amount on a personal scale, especially if you've lost the savings that have been put up against a new house or new car.

    But on the large scale, banks won't care, the loss is $3-4 a person, you lose more per year on some dubious surcharges.

  29. its easy to call people stupid by OwlofCreamCheese · · Score: 4, Insightful

    It's so easy to blame the problem on being stupid. But people that grew up with only the 'real world' don't really have any reference to understand this by. I mean, I'd be dumb to fall for a trick where a dumpster across the street from me claims to be my bank. But you don't have to settle for that online, copies are easy. If a building across the street from me became a perfect copy of the bank I went to, I'd be like "hey, new branch, convenient"

    --
    -You're wasting your time. Alfador only likes me.
  30. Well, thats not gonna happen, but... by dthree · · Score: 4, Insightful

    Credit card companies, banks, paypal, and any site that deals with financial transactions that could be compromised by phishing scams need to establish a 1-point policy for client email: never link back to the site from the email. If every company did this, and users were instructed to always type the url in the browser to access their account, and made it clear that the company would never send an email with links to the site or account, eventually people would be able to tell the phishing from the real. I know it's not a perfect solution, but the convenience of "click here to access your account" emails is what fuels the phishing scams.

    OTOH, I have yet to personally get a phishing scam (and I get them every day) that purported to be from a company I actually do business with, with the exception of paypal. And all my credit cards are from big, national companies.

    --
    "I forgot my mantra."
  31. This problem is directly caused by by Omnifarious · · Score: 2, Interesting

    This problem is directly caused by the use of insecure human-readable names, and the use of IP addresses as identifiers. Both things don't work on the Internet. You need names that can be mathematically verified to be owned by the party you're communicating with. Names should be public keys.

  32. Re:Scams happen.. by Amiga+Lover · · Score: 2, Interesting

    Sad to say, but there are simply too many people out there that believe everything they read on the internet. Once the older generation passes on, I suspect this problem will go away, but until then scams like this and the old telephone ones will be a ripe place for ripoffs.

    It's not just the older ones, not all the time. Take a third year university student I know who came in all excited that he got an email from this guy in africa who needed to transport $20million out of the country... ...his third year uni student brain started ticking over, realised it might be a trap and he should proceed warily, and announced his plan was to give his bank details to the guy so he'd get the cash in his account and then skip out on the scammer.

    Never thinking for once that there just might not BE a $20million to start with. Sucked straight in. AFAIK he just couldn't be bothered going ahead or was warned off by someone else - he still seems to be financially stable :P.

  33. Multiple Phishing websites by smharr4 · · Score: 2, Interesting

    My firewall was subjected to the now-often seen ssh attacks.. but this one was different, there were thousands of attempts.

    When I pasted the originating IP address into Firefox, a web-based interface for sending phishing emails was shown, complete with default 'paypal' text filled in.

    When I followed the link in the 'paypal' email (another IP address) I discovered that not only did the site contain a 'paypal' site, but also an 'ebay' and 'Wells Fargo' site too.

    I took a mirror of the offending pages, and I'm about to do a write-up... but I thought I'd post a quick precis of what I found, considering the relevance of the story.

  34. Re: I would agree with you... but.. by bludstone · · Score: 5, Informative

    I've actually received one of these emails. It looked legit.

    Really legit.

    In fact, the only clue that it wasn't an official notice was the email came from ebay.(official sounding name).com

    That and they asked for my l/p, which I know not to give over email.

    Honestly, I can say that this goes beyond normal user stupidity. People are being scammed, and these are expert scams. Yeah, people need to apply more critical thinking skills to these things, but I think you are not giving the creators of these emails enough credit.

    I mean, they look _really_ official.

    --

    no .sig
  35. Re:Where did the test go? by stecoop · · Score: 3, Informative

    Here is the /. article and here is the test. I think those tests were bogus though because it didn't let you see the full source email.

  36. Where did this name come from? by tube013 · · Score: 2, Insightful

    Where did this term Phishing come from?

    Whenever I see it I think of the Band Phish who are now retired as a band. And weren't at all about attacks or fraud. Heck they probably hold a trademark on Phish, and should sue everyone for using it in this manner. This is a lot different than the spam and hormel thing. Spam ala hormel was bad ala mail spam. Phish ala the band isn't nearly as relatable to this "phishing" stuff.

    1. Re:Where did this name come from? by Reglar_Joe · · Score: 2, Insightful

      They may need to stand in line behind Hormel, who are *still* upset about Spam(tm).

  37. Behavioural change, not technology by Ced_Ex · · Score: 2, Insightful

    Phishing schemes and scams are based upon taking advantage of people's ignorance.

    Proper education is key to solving this problem. All the technology in the world isn't going to prevent someone from passing their info to some criminal.

    Think about this, this scam could have been conducted for a regular brick-and-mortar bank by having a scam artist walk door to door asking people to update their account information on a paper form. Of course no one will do this because we all know better than to just give our information to a stranger knocking on our door.

    The same applies to email. Once people realize this is not an acceptable method to update or pass information, then these scams fall out of favour.

    Education of the internet is a must for everyone that uses it. Sort of like financial management education when you get your first credit card, the same should be applied to those getting internet access.

    --
    Live forever, or die trying.
  38. The Arrogance of the Comments is Astounding. by OS24Ever · · Score: 4, Insightful

    So far I've read multiple 'stupid user' accounts. It amazes me that so many people are so arrogant because they see this type of stuff day in and day out that they'd expect every person out there to think of people this evil to come up to them with this type of attack.

    People genuinely trust folks, that's why they call it social engineering. You can walk just about anywhere with a clipboard and a pen and get access to just about anything in a standard business environment.

    Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted I've never once used them outside the context that they were given but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.

    Do I call those admins stupid? no, not really. Guess that is where I differ. I don't find the BOFH and similar things funny either though.

    --

    As a rock-in-roll Physicist once said, No matter where you go, there you are.

    1. Re:The Arrogance of the Comments is Astounding. by talexb · · Score: 2, Insightful
      Working for a vendor I've had many 'seasoned sysadmins' rattle off a password to me like it was nothing. Granted I've never once used them outside the context that they were given but the fact that some of them would affect the bottom line of the company with a few simple commands would not be the best thing.

      Poor planning on the SysAdmin's part -- they should have set up an 'expires really soon' guest account with sudo

      Handing out root access is an invitation to disaster. Or maybe people want to test that their DRP is up to snuff?

    2. Re:The Arrogance of the Comments is Astounding. by AK+Marc · · Score: 3, Interesting

      Poor planning on the SysAdmin's part -- they should have set up an 'expires really soon' guest account with sudo

      Doesn't help. I've done that. The contractor needs administrative access to the domain because the person that set up the web app was a moron and you couldn't do what you needed to without domain admin rights. So, he is on a 2 month contract. I set it to expire in 3 months. 3 months later, I get a call that the contractor can't get in. I ask when he will be done, another month. I set it to 3 months again. The next time (yes, the 2 month contractor was there over 12 months), I'm told to set it to never expire. I let them know that is a violation of security policy and I won't do it. A few minutes later, my boss orders me to do it.

      So, proper security policy was circumvented because schedules were not being met and someone was too impatient to wait a few minutes every 3 months (or warn me in advance they will be staying longer). I don't see how giving a time-unlimited password with full domain admin access to a non-employee was any fault of the sysadmin.

  39. Wiki sez... by Anonymous Coward · · Score: 2, Informative
  40. Re:I get countless dozens of these every week by meringuoid · · Score: 5, Insightful
    I've tracked a LOT of these ebay scams to Korea. Dubya was right, North Korea is a threat.

    It's not North Korea, it's South Korea. The place is full of ridiculously fat broadband connections, and the ISPs don't seem too bothered about what goes on on the networks. Since Koreans aren't any brighter than the rest of us, an awful lot of those broadband connections go to Windows machines which have been 0wnz0red since about 30 seconds after they were first switched on.

    And that's before we even consider the mail servers installed in every school in the country, which are wide-open mail relays out of the box. Aaarrrggghhh!

    South Korea would be paradise to be in - fat connection and nobody giving a filesystem check what you're doing with it - but the consequences for the rest of the world are becoming a nightmare.

    --
    Real Daleks don't climb stairs - they level the building.
  41. Gmail has started to do something similar by fizbin · · Score: 3, Informative

    Gmail now will mark suspicious email with a banner that says something to the effect of "This email does not appear to be from who it claims. Learn More...", with a link to information about phishing scams.

  42. This your smart enough? by seanvaandering · · Score: 3, Informative

    Well, if you think you are, then why not see if you're prone to phishing scams, or if it's a legitimate e-mail offer! Take the Mail Phishing Test

    Enjoy! ;)

  43. Free us from HTML messages by xethair · · Score: 3, Insightful

    Does anyone else think that the only real problem here is HTML email? It's good for nothing, wastes resources, and enables pretty much every kind of annoying spam, hidden redirect, tracking bug--it just keeps coming. Why do we have to build all these widgets to help users see that URLs aren't what they say they are, and such? Do we really want to wait for the spammers to start building javascript messages that alter the url after/when clicking, or whatever next becomes really annoying to people?

    Isn't this enough of a problem yet to get the asinine companies that forced HTML down our throats (I'm looking at you AOL, MS, etc) to reconsider? Make the common clients block/ignore the HTML by default and *never* send HTML messages, instead of the current tactic of trying to trick or force users to send as HTML (maybe with an additional text version, if we're lucky), to just drown out the people asking for plain text.

    Maybe I'm just bitter. It's always so difficult to watch stupid obvious mistakes blossom so thoroughly predictably. At least I can filter most all the spam by dumping HTML messages.

    1. Re:Free us from HTML messages by xethair · · Score: 2, Insightful

      Phishing attempts would be using plain text and referencing URLs that mimic and look MUCH like the URLs coming from citibank and ebay scams.

      No, they would use plain text including URLs which might look like--but are obviously NOT--URLs coming from the target company. Think about it--if you send a message asking citibank customers to come to www.citybank.com, you have not only given yourself away, but you have given a huge target for citibank to nail. You don't really think people will *click* on a numeric address when they only deal with their bank as citi.com? (And you do realize we could click on links way before HTML infected messaging, right? URLs are pretty obvious bits of text.)

      It's not even just that the HTML makes hiding and redirection too easy. The explicit and concrete nature of the plain text raises awareness. Of course there would still be phishing, but without the "CLICK HERE," it would be trapped at the comical Nigerian-scam level.

  44. Phish your own users by Wanker · · Score: 2, Interesting
    I use phishing techniques to get 419 scammers to give me their email password so i can shut them down

    I wonder if anyone has thought about using a similar method to audit their own user base for inexperienced users who might fall for E-mail scams. I.e. send a message from a bogus domain registered to "CompanyX Email Audits" requesting private data. Anyone who responds gets their account suspended until properly re-verified and a followup E-mail about how to avoid phishing attacks. :)

    It might upset a few customers, but my guess is those customers might be a security liability that the company could live without...
  45. So what? by Sycraft-fu · · Score: 2, Informative

    You do the intelligent (or lazy) thing: Go to their site and log in normally. If they want your attention, it'll prompt you. That's what I do if I get one that is legit. I just go log in as normal. If it's really legit, the site will then prompt me for what it wants. If not, no problem.

  46. Schwab contributes to Phishing by DarrinWest · · Score: 5, Interesting

    I very recently complained to Schwab IT about their online statement delivery. It comes in an email, contains an html doc that contains a java app that directly asks for my account and password info. I wrote them a letter saying how bad an idea that was, and that it encourages less sophisticated users to trust the sender too much.

    Their response indicated they didn't even understand what I was talking about. Should I have called it "Phishing"? I doubt it would have helped. How can a customer educate these people, and why should I have to? (Maybe someone in their IT dept reads slashdot :)

    Here is my letter:

    To Director of Technology,

    I am disappointed in the security offered by the transaction statement I receive each month. I am required to save an html file, which when opened presents me with an account/pin dialog.
    - I have no way of knowing where that information is going to be sent.
    - I cannot verify the originator of *any* email. How can I be sure that *this* email is definitely from schwab.com? (one b or two?) If the email is spoofed, the contents of the html document are suspect, putting my password etc at risk.
    - Since this arrived by email, I did not initiate the connection. It is generally a bad practice to give out personal information when one did not initiate the transaction (even in a phone call).
    - The process required by your system encourages less sophisticated users to develop poor security habits, such as responding to emails (of unknowable origins) with personal information.
    - I would feel *much* more secure if I initiated an https connection to a web address that *I* know is legitimate. It is significantly less likely an https connection mechanism would be exploited than a simple email message.

    Until something changes about this process, I have no alternative but to consider these emails SPAM, and am in fact getting no benefit out of receiving them.

    And their response...

    I appreciate your concerns regarding your request of electronic statements. In regards to your concerns, PostX technology sends an "HTML envelope" that contains the encrypted payload. This "HTML envelope" opens to present the user with a prompt for the users password. Once the password is entered the local javascript or java applet accepts the user password and decrypts the payload.

    Documents sent through the PostX platform are encrypted with highly secure, industry standard algorithms. Symmetric encryption defaults to ARC4 but AES encryption algorithm is available as well. End to end encryption between users or firms assures the highest levels of confidentiality for critical, sensitive or personal data on public networks. The password is hashed with 160 bit encryption (SHA1) with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt the payload. The encryption is very secure. The most vulnerable part of the process is the password itself.

    If you still have further concerns regarding the security of the contents that you have chosen to have delivered via email, then you may want to elect to cancel this request. You may do so by following these simple steps: ...blah blah...

    Sincerely, ...blah...

    1. Re:Schwab contributes to Phishing by Convergence · · Score: 3, Insightful

      The solution to this is a little white lie. When you receive those messages, report them to Schwab that you believe that they are fraudulent and attempting to obtain your account details.

      When they reply saying that 'these are legitimate emails', ask them how you are supposed to tell that they're legitimate. If they give a good answer, your problem is solved. If they are unable to give a good answer, hopefully they'll realize the point that you're trying to make.

      Lather rinse and repeat on any other vendor that sends emails that can be easily mistaken for phishing.

  47. Re: I would agree with you... but.. by harrkev · · Score: 2, Insightful

    Perhaps the best way to handle these is to get even.

    Write a script which will go to the site and fill in bogus name/account/credit card info. Let's slashdot the phishers!

    --
    "-1 Troll" is the apparently the same as "-1 I disagree with you."
  48. information = capital by wikinerd · · Score: 2, Interesting

    It is interesting how personal information became a form of capital in the modern age, and people want to have it.

    In the past, when we were paying with actual money in person and banks were not widespread, someone who knew our personal info could not hurt us much.

    When banks were invented and remote transfer of money became a reality, and especially after the introduction of credit cards, a person knowing your signature and personal details can destroy you.

    And now some people are trying to create a personal criminal empire by collecting information and especially personal information.

    In that sense personal info has value and people want to have it, so it's a form of capital.

    Perhaps this (the malicious collection of information) is the negative side of the transformation of the economy into a knowledge/information-driven model.

    It is sure that a solution must be found, otherwise people who have access to vast amounts of personal info and also have malicious intent might endanger the modern economy.

    Technological solutions can help, but I think the answer should be a cultural solution and especially education. i.e. netsurfers should be trained to not give away any personal information to anyone if they don't think about it very carefully. Giving away personal info in today's Internet is very much like giving away your money.

  49. Re:I get countless dozens of these every week by Anonymous Coward · · Score: 2, Funny
    fat connection and nobody giving a filesystem check what you're doing with it

    Is anyone else out there disturbed that /.'ers have moved to spelling out fsck instead of just writing fuck?

  50. Simple Guideline for Grandma by Boss+Sauce · · Score: 2, Insightful
    Folks who didn't grow up with computers and databases everywhere have learned *correctly* NOT to ignore notices from financial institutions-- people work hard for their $$$ and credit rating and reply promptly to notices because systems have always broken down.

    The lesson to learn is that when an account is online, you have to KEEP YOUR OWN LINKS. That way, (1) if you don't have an account with an institution, ignore the mail, or (2) if you do, use the front door you've used before.

    This guideline is all anybody needs to protect themselves from these scams.

  51. Identity Theft by Stiletto · · Score: 2, Interesting


    Identity theft is only a problem because we attach so much weight and importance to our individual histories. If we would stop screwing people over for life after things like bankruptcy, or when they fall ill, there wouldn't be a need to get other people's "clean" identities.

    As someone who can't even get health insurance because of some mysterious "red flag" in my past, I can see why someone could get desperate enough to try to become someone else! I can't even imagine a scenario where I couldn't open a checking account because I made a few mistakes as a young adult.

    Identity theft won't stop until this "you are your credit score" mentality goes away!

  52. a beginnings of a solution? by Phil246 · · Score: 2, Insightful

    Why don't banks just set up 'monitored' accounts and put a little bit of money in them, then follow the trail?
    Phisher thinks they've caught someone out, logs in and transfers money away (I'm guessing to a relay account unless they're REAL stupid), which relays on and on until it eventually gets somewhere the phisher can do something with it.
    The money (or goods they might buy with it online) has got to go somewhere, right? :)

  53. Paypal SUCKS by Jesus+IS+the+Devil · · Score: 3, Interesting

    I just got scammed out of a thousand dollars from a crook who used a stolen "verified" Paypal account to pay me. When I saw the payment to be legit I let the guy pick up the merchandise from my house.

    A few hours later the item was charged back by Paypal saying it was unauthorized.

    Have a question for you guys. What are my chances to find Paypal liable for the loss if I can't find this crook?

    Here's my take:

    One is that Paypal sees themselves as an escrow service. If such is the case they have the right to intervene and take back funds from transactions that are deemed illegitimate. However if so, then they also have an obligation to ensure that account charges are in fact legit. The only reason I accepted the payment was that it was from a "verified paypal user". Therefore Paypal is liable.

    The other argument would be that Paypal isn't an escrow service, but only a payment transfer service. If this is the case, once the money is in my account it belongs to me (like a cash exchange). They have no right to take it out of my account and put it back.

    --

    eTrade SUCKS
    1. Re:Paypal SUCKS by eBayDoug · · Score: 2, Interesting

      Don't waste your time. The last time I had a pickup paid by Paypal over $1000, I took a picture of the customer happily holding his item, next to his car with his license plate in view. If he charged back, at least I would be able to find the guy, as paypal still would do nothing for me with this type of delivery confirmation.

      --
      Learn About Outsourcing. http://www.pioutsource.com
  54. Bandwith is not that expensive anymore... by Thunderstruck · · Score: 2, Funny

    ... so can we actually type out "legitimate" instead of using "legit?" I mean, I realize we all miss the days of "I checked it out and its legit, Microsoft will send you a zillion dollars if you forward this email to 10 people..."

    If we don't use the word legit, it will serve as a spam flag.

    --
    Trying to use sarcasm in text-based forums does not work.
  55. Stop Blaming The Victims by esme · · Score: 3, Insightful

    I see a lot of people blaming stupid people for this. And stupidity, naivete, etc. are definitely part of it.

    But the fact is, some of the phishing emails look really good. I got one last week that was identical to a legit Citibank email, except that it went to http://citibankgroup.biz instead of https://citibank.com. Given all the weird URLs and bulk mailing companies banks use (and the fact that a lot of normal users view URLs to be voodoo), it's not surprising to me at all that people fall for this stuff.

    In the end, this is just a special case of spam. Verifying the sender using SPF or any of the other systems being adopted right now, will solve this problem. And disabling HTML email (among the worst design decisions ever made, IMHO), would also help a lot.

    -Esme

  56. Education is the key by jasoncc · · Score: 3, Insightful

    I'm going to state the obvious because I'm bored at work.... As the "People in the Know", it is our responsibility to inform our grandmothers, friends, co-workers, etc. of all the pitfalls of the online world. For each person close to us that we can warn, that's one more person who will learn the "easy" way. The rest will have to learn the "hard" way by getting burned. Eventually everyone will learn. Unfortunately, there will always be new and more creative scams. "Fool me once - shame on you! Fool me twice - shame on me!"

  57. That is useful for sure, HOWEVER... by WebCowboy · · Score: 3, Informative

    ...I just hope the font people have set in the status bar is legible enough to catch the trickier ones. Look at these three characters: "I" "l" "1". In some fonts they are identical (uppercase i, lowercase L and the number one).

    Paypal was one of the earliest business victims of phishing scams, which were successful because of the unfortunate last character in the name. The scammers registered paypai.com (shown in the url as paypaI.com) and paypa1.com (number one at the end) and set up convincing, secure sites to scam people.

    I applaud the Mozilla people for giving users the tools to help spot scams, but people still have to use their heads.

  58. Don't let your guard down! by mixy1plik · · Score: 4, Insightful
    On Friday, I received an email from "eBay" that my account was being suspended. This came just after:

    - I posted an item for sale
    - I realized I owed eBay about $40 in back listing fees

    It was just before I was going to get into bed, and I skimmed over the message as I usually do before deleting it. My usual thinking: "Sure", I thought, "I'll get back to it tomorrow and pay them." This time around, I clicked the link and got the "standard" eBay login screen. Being tired and lazy, at this point I didn't even glance at the URL. I entered my login and password for eBay, and as it was redirecting I glanced at the address bar, and in horror I saw "cgi2.eb4y.com" or something munged like that.

    In a panic, I immediately changed my eBay password, and all is once again well on my happy little computing planet. That being said, had I not caught that and gone straight to bed, who knows what I would've woken up to. The moral of the story is that you really have to be on your toes. The circumstances surrounding this dodged bullet really were a perfect setup for me: owed eBay money, just posted a new item for sale that day, fatigue...

    Common sense is the key!
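    Several posts in this thread (the citibankgroup.biz link in #55, paypai.com and paypa1.com in #57, cgi2.eb4y.com in #58) come down to the same defensive check: does the link's host actually belong to the brand it imitates, or is it a lookalike? The block below is an added example, not code from any poster or from Mozilla; the brand table, the tiny public-suffix stand-in and the confusable-character map are constructed for illustration.

```python
"""Flag lookalike link targets by comparing against known brand domains."""
from urllib.parse import urlparse

# Brand keyword -> its real registrable domain (constructed sample table).
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "citibank": "citibank.com"}

# Tiny stand-in for the Public Suffix List; real code should load the full list.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Characters that render like letters in many fonts (the I / l / 1 problem from
# the thread, plus a few other common swaps). Hand-picked subset; a production
# check would use the Unicode confusables table.
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l",   # paypa1.com, paypai.com (shown as paypaI.com)
    "0": "o",
    "4": "a",                        # cgi2.eb4y.com
    "3": "e", "5": "s", "$": "s",
})


def registrable_domain(host: str) -> str:
    """Return the part of the host name the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def skeleton(text: str) -> str:
    """Collapse confusable characters so homoglyph lookalikes compare equal."""
    return text.lower().translate(CONFUSABLES)


def classify_link(url: str, brands=BRANDS) -> str:
    """Classify a link target as 'legitimate', 'lookalike' or 'unknown'.

    Legitimate: the registrable domain is exactly a known brand domain.
    Lookalike: it is not, yet a brand name (after homoglyph folding) appears
    anywhere in the host, e.g. citibankgroup.biz or paypal.com.evil.example.
    """
    if "//" not in url:               # tolerate bare host names
        url = "http://" + url
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in brands.values():
        return "legitimate"
    folded_host = skeleton(host)
    if any(skeleton(brand) in folded_host for brand in brands):
        return "lookalike"
    return "unknown"
```

    The host skeleton is compared as a substring on purpose: this is a screening heuristic for mail filters or browser warnings, so it errs toward flagging, and anything marked "lookalike" still needs a human or a reputation lookup to confirm.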

  59. E-mail scam plays on US elections -BBC by scupper · · Score: 2, Informative

    E-mail scam plays on US elections
    By Alfred Hermida
    Published: 2004/10/05 08:50:43 GMT
    BBC News Online technology editor

    http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3714944.stm

    People are being warned about a scam e-mail which uses the US presidential poll to con them out of their money.

    A junk e-mail invites people to dial a premium rate number to express their support for President George W Bush or rival John Kerry.

    E-mail filtering firm BlackSpider estimates that almost a quarter of a million are being sent out every day.

    In the past, net fraudsters have tried to use the 9/11 attacks and the tragedy in Beslan to get money.

    900 number

    At first glance, the presidential election message appears to be legitimate, saying it was sent from a Lycos.com address.

    But BlackSpider Technologies said it had traced some of the e-mails to a server in the Czech Republic.

    The mail reads: "Fellow Citizen: The extremely jubilant crowds in Baghdad appeared to vindicate President George Bush's belief that the military action in Iraq was the right move.

    "But many questions still remain over the lack of hard evidence of Saddam's weapons of mass destruction. With these tough times before us, let us know."

    It goes on to ask readers if they support President Bush, prompting them to call a 900 premium rate number.

    It says votes will be sent to the Bush and Kerry campaigns.

    In an effort to convince people it is a genuine message, the e-mail says who commissioned the poll.

    The mail adds that the calls will cost $1.99, saying this is "a little price to pay for a better democracy".

    "This is a relatively new scam," said BlackSpider CEO, John Cheney.

    "The question is, are they breaking the law? In the UK they are, in the US they are not."

    Sending unsolicited messages to personal e-mail is barred in the UK. But in the US, people have to opt out of receiving these sorts of messages.

    Hotbed of scams

    BlackSpider estimates that 240,000 of the presidential scam e-mails are being sent out worldwide a day.

    The lack of any spelling mistakes and its resemblance to a genuine message means that it could slip through the spam filtering of home users.

    This latest scam reflects how the nature of spam is changing.

    In the past, spam was dominated by pornography. These days spam is a hotbed of financial scams, as well as a black market for fake pharmaceuticals and software.

    E-mail scams known as phishing have tried to trick customers into giving away confidential bank details.

    Other scams known as 419 try to part people from their cash by telling them they are in line for millions from a deposed African leader.

    The US presidential mail is just the latest trick used by spammers to part the unwary from their money.

    "No doubt we will be seeing some messages like this in the next general election in the UK," said Mr Cheney.

  60. The right advice by Anonymous Coward · · Score: 2, Informative

    There are no quick ways to explain to an 'average joe' how to check an email for legitimacy. The only hard and fast rule should be:

    Do not EVER enter personal financial or identification information on a website you reach by using a 'link' in an email.

    Instead open a new instance/tab/window of your web browser (It also helps to avoid using the browser most well known for its vulnerabilities, cough), and hand enter the original known address for the site belonging to the organization that you believe is contacting you. If you don't *KNOW* the correct address, call them and *ASK*. If they need information from you, they will confirm the requirement there.

    If you are not 100% certain of both the legitimacy of the request and your ability to tell, *CALL* the organization (IGNORE any suggestions given in the email not to call) and *ask* them if it is legitimate. (*NOT* using a phone number given in the email, use one you obtained when you established the relationship with the organization, or one you looked up yourself from a phonebook or directory assistance line)

    Obviously, if you don't *HAVE* an existing online relationship with the bank/company/etc that the email comes from, then assume it *IS* a fraud.

  61. Re:PostX is Phish-friendly? by cipher+chort · · Score: 2, Informative

    Actually there are several encrypted messaging companies that use this model as at least one of their options. There are two main reasons why this "push" method is used:

    1.) Because the user can access their statements even if they're not on-line (although the contents stay encrypted on their hard disk).

    2.) Because the financial institution chooses when they want to use their bandwidth to send the messages and doesn't receive random spikes that they would get if the user was "pulled" back to the site to view the content.

    Of the two, obviously #1 is the overwhelming reason.

    Several encrypted messaging providers also use a method that was patented by my employer (Tumbleweed Communications) that simply sends a notification message that allows the user to "pull" the data down from a secured webserver over an SSL connection. The user enters their credentials to the webserver (which can use a Single Sign-On system, or a variety of other methods) and at that point they may view the message and its contents.

    The draw-back of this method is that the user must be connected to view the information. If they download it to their desktop, it's not encrypted at rest on their machine. It also forces the provider to use more bandwidth and servers, but that's fairly trivial compared to other factors.

    The argument essentially boils down to convenience vs. security, and in the real world convenience wins every time end-users are involved. Financial institutions want to provide services that are easy to access and give their users the relevant account information in readily usable formats. Statements can be delivered electronically more cheaply than in paper via the mail, and most times customers actually prefer it.

    The other aspect which many people don't consider is that it's also very possible for rogue postal employees to hijack data in transit, or for someone to simply steal it from your mail box before you pick up your mail. Given that, electronic delivery is actually a security improvement over the traditional paper statement delivery.

    Also, it's worth noting that this entire method of encrypted delivery was invented because encrypted e-mail had such a poor adoption rate. Client support for S/MIME is excellent, but no one knows how to use it and organizations don't want to maintain the PKI that it takes to "do it right". Support for OpenPGP is much less ubiquitous and it's just as confusing to users. Add to that the fact that many users have a webmail account as their primary point of contact (Hotmail, Yahoo!, Gmail, etc) and none of those will support S/MIME or OpenPGP encryption (at least, not to my knowledge). You need a way to communicate with those folks.

    Medium-strength security that is easy-to-use is a whole lot better than near bullet-proof security that only a few percent of the population will tolerate learning and using.

    --
    Someone is WRONG on the Internet!
  62. Re:Maybe this is a good sign by gujo-odori · · Score: 2, Informative

    Usually, phishing also involves cracking a server somewhere. I'm in the email security business, so I feel almost as close as family to hundreds of wealthy but desperate Nigerians (who don't get to deliver much mail on the networks I protect) and loads of phishers (who don't get to deliver much more mail than the Nigerians).

    In almost all cases, the link in the phishing mail leads to a compromised host. Phishers (most of them, anyway) aren't dumb enough to put the phishing site on a host that's actually theirs. Usually, it's all too obvious that the rightful admin of the host in question is utterly clueless that he/she has been owned.

    You're dead right about the ROI, though. Stealing usable financial data off of a server is a lot harder than phishing. People report successfully filtered phishing mails to me as false positives every single day, and I always wonder if they sent it in before or after they gave away all of their financial info.