Don't Be a Phish.
Phishing is a Con Game.
If you Play, Your Credit Card Information
or Ecommerce Login Will Belong to Thieves.
Give them Half an Hour
and they will Steal Everything.
A WARNING
"Phishing" is the name
for an increasingly common Internet confidence scam. This nasty
technique involves the use of Emails that appear to be from legitimate
companies, which ask either for login information or for credit
card information.
The thieves who send out these messages are
prepared to use any returned information immediately. Phishing
reportedly is also very successful, with as much as a 5% success
rate. This is a SERIOUS problem.
Note on Ecommerce: Ecommerce may just as well be called
"commerce"; it is that important. As with any technology,
there are concerns and problems. This message discusses problems
that could occur with any aspect of our financial life. An awareness
of possible problems does not reduce the value of these services,
nor make them less useful.
This knowledge should, however, make them safer
to use.
Major services are most often used as bait
by these criminals. These include Ebay, PayPal, and Earthlink,
but any service is vulnerable. Although initial Phishing emails
were crude, they have now become very sophisticated, and much
more dangerous. Confidence scams work on gaps in human psychology
which we are all subject to. On any given day, anyone can be
taken in by these scams; it is necessary to know that they exist
to protect against them.
Many of the criminals engaged in this activity
are from overseas, often from Eastern Europe. It remains to be
seen if the Internet will ever be able to protect users from
this type of abuse; currently there are only limited defenses.
We repeat: these criminals are not waiting around once they receive
access to your finances. They will act on this information immediately,
with no delay. Not all credit card companies offer protection
against this type of fraud, so victims may end up liable for
tens of thousands of dollars of fraudulent charges. Ebay vendors
have found their reputations can be stolen, and used for fake
auctions.
The web pages shown by these Phishing emails
are very professional, and cannot easily be told from the real
thing. The graphics may be exactly the same. The links may work,
connecting you to the real site. In addition, the URL shown in
the address bar at the top may also be correct!
A massive security flaw in Internet Explorer
(Microsoft calls it a "Feature") allows a web page
to change the URL in the address bar to whatever the programmer
wishes to show. The URL that Internet Explorer
shows can be different from that of the actual website. Don't
trust the URL the browser shows you in the Internet Explorer
Address bar! More information is in the theregister.co.uk article
listed under Additional Links below.
IN ADDITION: See the Anti-Phishing
Working Group Alert further down this page detailing a new
and sophisticated technique of creating a FAKE address bar using
Javascript code.
Please be VERY SUSPICIOUS of any email asking
for Login or Financial Information: "About to Expire",
"Please Login", "Account Expiration", etc.
are all types of come-ons that encourage users to give up important
information. If in doubt, call the company and talk to a Human.
Or connect manually (by typing the address yourself into the
Address Bar) to the company's web site. Do not let any outside
communication connect you to a site for entering financial information.
You are safer if you initiate the connection yourself. Remember
that a link on a web page or in an Email may connect to a totally
different site from the text shown for the link.
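An added example (not code from the original page) of the check this paragraph describes: compare a link's visible text with the host it really points to. The anchors are constructed sample data, and the "last two labels" domain rule is an assumption made for the example.

```javascript
// Added example, not code from the original page: flag links whose visible
// text looks like a web address but whose real destination is another site.
// Node.js; the anchors below are constructed data standing in for <a> elements.

// Parse a bare host ("www.ebay.com") or a full URL down to its hostname.
function hostOf(text) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
  try {
    return new URL(hasScheme ? text : "http://" + text).hostname.toLowerCase();
  } catch (e) {
    return null; // not something the URL parser accepts
  }
}

// A label "looks like an address" if it has no spaces and parses to a dotted host.
function looksLikeAddress(label) {
  if (label === "" || /\s/.test(label)) return false;
  const host = hostOf(label);
  return host !== null && host.includes(".");
}

// Rough registrable domain (last two labels); a production tool would use the
// Public Suffix List instead of this approximation.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Compare what the reader sees with where the link actually goes.
function checkLink(label, href) {
  const shownLabel = label.trim();
  const target = hostOf(href);
  if (target === null) {
    return { label, href, target, suspicious: true, reason: "href does not parse" };
  }
  const shown = looksLikeAddress(shownLabel) ? hostOf(shownLabel) : null;
  const spoofed = shown !== null && baseDomain(shown) !== baseDomain(target);
  return {
    label, href, target, suspicious: spoofed,
    reason: spoofed ? `text shows ${shown} but the link goes to ${target}` : "",
  };
}

// Constructed sample anchors: one spoofed, one honest.
const SAMPLE_ANCHORS = [
  { label: "https://www.ebay.com/signin", href: "http://203.0.113.10/ebay/login.htm" },
  { label: "www.paypal.com", href: "https://www.paypal.com/" },
];
function scanAnchors(anchors) { // returns only the anchors judged suspicious
  return anchors.map(a => checkLink(a.label, a.href)).filter(f => f.suspicious);
}
```

A label such as "Click here" is not an address, so this check says nothing about it; that is exactly the case where typing the address yourself is the only safe option.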
Some accounts expose more about you than you
may expect. Amazon's One-Click ordering can be turned into a
nightmare. PayPal and Microsoft's Passport systems often hold
credit card and bank account access that may put your finances
in jeopardy. Know your risks. Keep multiple passwords, with a
combination of letters and numbers. Change passwords on a regular
basis. Too many passwords? Start canceling accounts.
Vendors who collect credit cards over the Internet
can also have their security broken, potentially releasing hundreds
of thousands of credit card numbers to criminal organizations.
Such "innocents" as WNYC radio have had these records
stolen (the janitor did it), and used for identity theft.
Viruses and Spyware/Adware software have major
security considerations. A virus can "re-write" your
Internet connection to redirect all Amazon.com connections to
a fake site, or send all Ebay logins to a thief. Spyware and
Adware can hijack your browser. Anti-virus software is NOT
optional; it is required for admission to the Internet. We like
Computer Associates' eTrust Anti-Virus; McAfee's Anti-Virus can also work well. Automatic
updating is essential; we suggest setting your anti-virus software
to check for updates every 4 hours or so. AntiVirus will not
take out "commercial" Spyware or Adware; we are not
sure why this is so. Spyware/Adware can be cleaned by tools such
as the excellent freeware SpyBot Search & Destroy. Install
a copy today from:
http://www.safer-networking.org
Our Virus info page is at: http://www.softprose.com/information/antivirus/index.shtml
See our Spyware/Adware page at: http://www.softprose.com/information/antivirus/spyware.shtml
SpyBot can be set to run automatically every day with
this command:
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
/taskbarhide /autoupdate /autoimmunize /autocheck /autofix /autoclose
See the "Scheduled Tasks" Control Panel item to automate
this.
Although it
seems obvious, you should pay careful attention to bank statements,
check your account balance periodically, take any call from a
credit card company VERY seriously, and use a credit card that
limits your liability in case of fraud. (NOT all cards do so,
and some require reporting within 15 or 30 days, which is not always possible!)
A further word of advice: Don't give out credit card information
over the phone to a caller! If you must do this (to satisfy,
for example, an outstanding bill), call them BACK first.
Use a REAL Email Address for Ecommerce, which
you check often. This may give a vendor a chance to warn you
if there is a problem. If you don't want to trust a vendor with
your Email address, you should never trust them with your credit
card number.
Look for the lock: the padlock on the bottom
of your browser should be closed when doing any Ecommerce activity,
indicating a secure connection. If you don't see the closed padlock,
don't enter any financial information.
Don't accept unusual secure certificates for
Ecommerce. "Authorized" secure certificates are generally
safe, and are transparent: you will not see a warning message
about "accepting" a certificate if it is from a reputable
provider. (Verisign
and Thawte
are the two largest.) However, "home made" secure certificates
will also "close the lock", but there will first be
a warning message and you will need to "accept" the
certificate. Don't do Ecommerce with a site that offers a strange
certificate; there is something wrong! The $250 or so per year
the store spends to maintain a legitimate certificate is meaningless
to a real business, but a serious hurdle for a thief, along with
the other requirements to get a certificate from a legitimate
company.
We live in an increasingly complex and dangerous
world. There are many rewards from technology, but also problems.
The first step to protecting yourself from these problems is
knowing about them.
REPORTING Phishing Emails:
Criminal activity of any type should be reported.
There are two parties in particular that are interested in any
Phishing Emails:
First is the Federal Trade Commission (FTC), at uce@ftc.gov.
Next is the party who is being used as the bait in the con, such
as Earthlink, Ebay, or PayPal. Most companies respond to either
fraud@[Domain name], or abuse@[Domain name]. So for Earthlink,
send a copy to fraud@earthlink.net,
and for Ebay fraud@ebay.com.
The non-profit trade group at http://www.antiphishing.org also asks for
a copy of any Phishing scam, and maintains up-to-date information
and alerts. They ask that a copy of any Phishing emails (with
Header information) be sent to them at reportphishing@antiphishing.org.
IMPORTANT: Include the Internet Header information
in the Email, as this is critical for tracing the Email back
to the sender.
This is slightly technical:
Outlook Express (NOT Outlook): Open the message. Go
to File>Properties. Select the second tab at the top, Details.
You will see the Internet Headers field. Copy this information
to the clipboard (Select it and hit CTRL-C.) Close Properties.
Press the Forward button to create a Forwarded copy of the message.
Now paste (CTRL-V) this information into the top of this forwarded
Email. Enter the address where it is going, and hit "send".
Outlook (Not Outlook Express): Open the message. Go to
View>Options, and see the Internet Headers field. Copy this
information to the clipboard (Select it and hit CTRL-C.) Close
Options. Press the Forward button to create a Forwarded copy
of the message. Now paste (CTRL-V) this information into the
top of this forwarded Email. Enter the address where it is going,
and hit "send".
Eudora: Open the message. Press the "Blah,Blah,Blah"
icon button in the toolbar before right clicking on the message
and selecting "Forward". Enter the recipient's address
and hit Send.
Other Programs: Consult the Help file for your Email program
under "Headers" if the above information does not allow
you to forward Email with the Internet header information intact.
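As an added example (not from the original page) of why the Internet headers matter, the following Node.js code reads the Received: lines out of a forwarded message's headers and reports the hop trail back to the first server that accepted the message. The header text is constructed sample data with a spoofed From: line.

```javascript
// Added example, not code from the original page: pull the routing trail out of
// a message's Internet headers. Each mail server prepends its own Received: line,
// so the LAST Received: line is the first server that accepted the message.
// The header text below is constructed sample data.
const SAMPLE_HEADERS = [
  "Return-Path: <bounce@mail.example.net>",
  "Received: from mx.example.org (mx.example.org [192.0.2.25])",
  "\tby inbox.example.com with ESMTP id abc123;",
  "\tWed, 31 Mar 2004 10:15:02 -0500",
  "Received: from [198.51.100.7] (unknown [198.51.100.7])",
  "\tby mx.example.org with SMTP;",
  "\tWed, 31 Mar 2004 10:14:55 -0500",
  'From: "Account Services" <service@ebay.com>',
  "Subject: Your account is about to expire",
].join("\r\n");

// Join continuation lines (starting with space or tab) onto the header above them.
function unfoldHeaders(raw) {
  return raw.split(/\r?\n/).reduce((acc, line) => {
    if (/^[ \t]/.test(line) && acc.length) acc[acc.length - 1] += " " + line.trim();
    else if (line !== "") acc.push(line);
    return acc;
  }, []);
}

// All values of one header name, in order of appearance (case-insensitive).
function headerValues(raw, name) {
  const prefix = name.toLowerCase() + ":";
  return unfoldHeaders(raw)
    .filter(l => l.toLowerCase().startsWith(prefix))
    .map(l => l.slice(prefix.length).trim());
}

// First bracketed IPv4 address in a Received: line, or null if none.
function receivedIp(line) {
  const m = line.match(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/);
  return m ? m[1] : null;
}

// Hop list (top = last relay, bottom = first) plus the IP that handed the message
// to the first relay. Caveat: a sender can forge Received: lines below the ones
// added by servers you trust, so the bottom hop is a lead, not proof.
function traceRoute(raw) {
  const hops = headerValues(raw, "Received").map(receivedIp);
  return {
    hops,
    originIp: hops.length ? hops[hops.length - 1] : null,
    fromHeader: headerValues(raw, "From")[0] || null,
  };
}
```

This is the information a forwarded copy loses when the headers are left out, which is why the reporting addresses above ask for them.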
Special
Notice from the Anti-Phishing Working Group
APWG THREAT ADVISORY ALERT - New Phishing Attack
New Phishing Attack Replaces Web Browser Address Bar with Malicious
JavaScript Fake
http://www.antiphishing.org/phishing_archive/Citibank_3-31-04.htm
March 31, 2004
I. Description
-------------------------------------------------
A dangerous new type of phishing attack has been detected that
replaces the "Address" bar at the top of a Web browser
with a working fake, using JavaScript. This technique allows
the phisher to display a completely fraudulent Web address URL,
while taking the consumer to the phisher's spoofed site.
This sophisticated new attack
type does not make use of the MS Internet Explorer bug published
last November, but extends the same visual effect to multiple
browser platforms. It does so by automatically detecting the
consumer's browser, and applying a custom JavaScript that replaces
the look and feel of the Web address bar with an appropriately
designed working fake.
II. Analysis
-------------------------------------------------
A consumer receives a forged email that pretends to be from a
bank. The email claims that the recipient must verify their email
address, and includes a web link. When clicked, the user's browser
is opened, and they are taken to a Web page with an email verification
form. The web link is HTML and the displayed text appears to
link to the real bank's site.
However, the URL does not take
the user to the bank's website. Instead, it takes him to a fraudster's
site. The fraudulent site instantly detects the user's browser,
and runs custom JavaScript code that removes the real address
bar and replaces it with a fake address bar at the top of the
browser window. The copy is exact. It has the "Address"
field, it displays a URL web address that appears to be a secure
link to the real bank (e.g. "https://"), and it has
the "Go" button on the right hand side. In almost all
respects, the web address and web page appear to be real. You
can even type in the bank's web address directly into the fake
Address bar. This is a live piece of JavaScript code, not a
static fake Address bar image.
Even more dangerous, if you right
click the page in order to view the HTML source code, the source
code of the phishing Java applet is not displayed. The real
source code to the phishing Address bar can only be seen by using
the top menu of your browser to view the source code.
There are only one or two
clues that the web page is not valid:
* Despite the fact that the address bar shows HTTPS in the Address
bar, there is no SSL padlock present in the lower corner of the
browser
* When the user types a different
URL into this address bar, the browser title does not change
from the fake 'Welcome' message.
III. Implications
-------------------------------------------------
This is one of the most sophisticated phishing attacks that we
have yet detected, and has serious security implications for
consumers. Because the fake Address bar remains installed even
after you leave the phisher's site, there is a possibility that
a phisher could use this technique to secretly track every web
site that you visit. Or even worse, a phisher could potentially
employ a "man-in-the-middle" attack to see everything
that you send or receive through your Web browser until you close
it.
It appears that this phishing
email has been around in one form or another since February,
and it seems to be evolving, similar to the way virus writers
share and evolve code.
IV. Solutions
-------------------------------------------------
* Unless an email is digitally signed, don't click on links in
the email message
* (Other solutions tbd)
V. Credit
-------------------------------------------------
The Tumbleweed Communications Message Protection Lab (www.tumbleweed.com)
is credited with this discovery and analysis.
VI. Legal Notices
-------------------------------------------------
Copyright (c) 2004 Anti-Phishing Working Group
Permission is granted for the
redistribution of this alert electronically. It may not be edited
in any way without the express written consent of the Anti-Phishing
Working Group. If you wish to reprint the whole or any part of
this alert in any other medium other than electronically, please
email info@antiphishing.org for permission.
Additional Links:
The Federal Trade Commission (FTC) has information about Phishing,
with suggestions:
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
The FTC asks that suspected Phishing emails be forwarded to:
uce@ftc.gov
The Anti-Phishing Working Group (APWG) is a non-profit Trade
Group,
formed to fight Phishing scams:
http://www.antiphishing.org
(SoftProse Technology, Inc. is pleased
to be a participating
Member of the Anti-Phishing Working Group.)
Millersmiles.co.uk is a European website that has been on the front lines of the Phishing problem. They offer both Email and RSS warnings to (free) subscribers. See their current monthly RSS feed at the bottom of this page.
http://www.millersmiles.co.uk/identitytheft/spoof-email-and-spoof-web-page-library.htm
SpoofGuard is an "Open Source" Toolbar for Internet Explorer that will warn the user if they are entering a Phishing site. Includes an automatic update function, password protection, and an algorithm for evaluating potential new threats. Adding this tool to Internet Explorer may offer a high degree of protection from Phishing attacks. Free.
http://crypto.stanford.edu/SpoofGuard
Earthlink has also released an anti-Phishing toolbar. Although there has been quite a bit of publicity for this software, it remains under development and may not be adequate protection against all Phishing attacks without some significant improvements.
http://www.earthlink.net/earthlinktoolbar/download/
PassMark is a concept promoted by Bill Harris, a former CEO of both Intuit (Quicken, Quickbooks) and PayPal. It is a system designed to protect institutions from Phishing attacks, by establishing a unique "PassMark" image between the institution and a client that must be displayed on each web page to certify that it is truly from that institution. A PassMark option may start appearing on bank and financial institution sites.
http://www.passmarksecurity.com
Phony URLs: Information about Microsoft's security problem with Internet
Explorer and phony URLs in the Address bar may be found in this
article from theregister.co.uk:
http://www.theregister.co.uk/content/55/35253.html
Business Week has a good article on the Phishing problem:
http://www.businessweek.com/technology/content/oct2003/tc20031021_8711_tc047.htm
PC Magazine has a good
article at:
http://www.pcmag.com/article2/0,4149,1407048,00.asp