Rants, Raves and Revelations
By Harry {doc} Babad, November 2006
Internet Risks for You and Yours – Don’t Get Caught
For the last several months we at macCompanion have partially addressed Internet security for both the individual and corporations.
In the August issue of macC, I reviewed Steal This Computer Book 4.0 – What They Won’t Tell You About the Internet by Wallace Wang [No Starch Press (O’Reilly Press)]
In the October issue of macC, Ted Bade and I talked about The Internet: The Missing Manual: Taming the Jungles of the Internet by David Pogue and J.D. Biersdorfer [Pogue Press, O’Reilly].
This month, moving from individuals to corporations, I review Enemy at the Water Cooler — Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures by Brian T. Contos [Syngress Press, O’Reilly & Associates Inc.]
As I was checking to figure out which of Paul Taylor’s tips I would use in my column for November, I ran across the following article from Apple Barrel, Ridgecrest, CA, in Paul Taylor’s Hints and Tips.
It contains about as clear a set of guides and warnings as I have seen. It deserves stand-alone attention, so here it is.
My data has been stolen, but so far I’m safe. A federal government contractor’s employee lists were not as secure as they should have been. I did what was needed and am keeping my toes crossed, since I can’t type without my fingers. Yes, I’ve done the notification thing and now check every statement as soon as I receive it.
When the subject of Internet fraud becomes mainstream — meat for such magazines as Business Week [www.businessweek.com], Consumer Reports [www.consumerreports.org/main/home.jsp] and Time Magazine [www.time.com/time/archive/] — we should all tune in; I have and will.
§ § § § § § § § § § § § § § § § § §
Ignore The Bait
Reprinted with Paul Taylor’s and Apple Barrel Permission
Tracy Baker (a digital journalist) warns “Don’t Get Hooked By Phishing Scams” and offers some help to readers who may still be unsure about the dangers of the Internet.
You’ve become accustomed to deleting ridiculous Nigerian money scams and all those spam messages promising to help you lose 50 pounds in five days, but this message looks different: it has the eBay logo and uses the same fonts as eBay’s site. It contains links to eBay pages and is professionally written. It’s telling you your account has been associated with fraudulent activity and is about to be suspended unless you provide some personal details to prove that everything is on the up-and-up.
As official as an email like this appears, don’t take the bait! Millions of consumers rely on the Internet to shop, pay bills, and manage their financial accounts, and a new generation of scam artists is using a combination of social engineering and technological savvy to bilk unwary consumers out of their money or steal their identities. This practice is called phishing (“fishing” with the “ph” spelling borrowed from the old hacker term phreaking), and although the techniques used in this type of scam are timeless, the Internet has provided phishers with a vast ocean in which to cast their nets.
Phishing email messages differ in their specifics, but they all share a few common traits. First, they appear to come from a legitimate company, using the same graphics you’d expect to see at that company’s web site. Second, they try to create a sense of urgency, telling recipients that their accounts are about to be suspended or are otherwise experiencing major problems. Third, these messages contain forms to fill out or links to online forms where users are supposed to enter personal information, such as an account password or a credit card number. Once you enter the data in the form and click submit, it is sent to the scammer’s computer and he or she can use it to steal from you.
Phishing scam artists consistently come up with evermore-elaborate schemes to ply their illegal trade, but by following a few simple rules, you can play detective and catch them in the act instead of becoming their next victim.
Rule#1: Pay Attention To URLs
URLs (uniform resource locators) are the characters you type into your browser’s address bar in order to visit a particular site, and a favorite trick among phishing scammers is to make users think they are going to one URL when they are really visiting another URL.
URLs can tell you a lot about the site you are visiting. The URL for our web site, for example, is http://www.smartcomputing.com. The “.com” portion is the top-level domain (also called the domain extension), and it loosely indicates what type of site it is: “.com” is used mainly by commercial web sites, “.edu” by educational institutions and “.org” by nonprofit organizations. Treat this as only a weak signal, since anyone can register a name under “.com” or “.org.” Still, the companies most commonly targeted by phishing scammers use “.com” domains, so if a spam email links to a URL such as http://www.ebay.org or http://www.citibank.edu, it is most likely a site set up by a scam artist.
The most important part of the URL, as far as detecting a phishing site is concerned, is the domain name: the label immediately to the left of the top-level domain (“smartcomputing” in our example). All content at the Smart Computing web site is accessible via the “smartcomputing.com” domain name, so any additional text between “smartcomputing” and “.com” should raise a red flag.
For example, a web page located at http://www.smartcomputing.scammer.com would actually be located at the domain name “scammer.com,” and a page at http://www.ebay.customerservice.com would actually be located at the domain name “customerservice.com,” not at “ebay.com.”
Any text that appears to the left of the domain name is a subdomain associated with the main domain. That’s so important it bears repeating. Any text that appears to the left of the domain name is a subdomain associated with the main domain.
In the examples we just provided, “smartcomputing” would be a subdomain of “scammer.com” and “ebay” would be a subdomain of “customerservice.com.” Ignore subdomains and focus on the domain name when determining whether a link or URL is legitimate. Hyphens and symbols such as @ are also used to make a phishing URL look legitimate: in http://www.ebay.com@scammer.com/ everything before the @ is treated as a user name, and the browser actually connects to scammer.com, so watch for those, too.
Unfortunately, some scammers have also used browser flaws and scripted pop-up windows to draw a fake address bar (showing a legitimate-looking address that doesn’t arouse suspicion) over the real one, so other steps are necessary to fully protect yourself.
Rule #2: Watch The Padlock
All popular browsers display a padlock icon when you visit a secure site; the icon is generally in a lower corner of the browser window (newer browsers place it beside the address bar). When you visit a secure site, or the secure portion of a site after logging in, the padlock appears and the URL in the address bar begins with “https:” instead of the usual “http:”. Knowing this, if you ever see “https:” in the address bar but no padlock, the connection is not properly secured and you may well be on a phishing site, so don’t fill out anything or click any links. Be clear about what the padlock proves, though: only that the connection is encrypted to whoever holds a certificate for the domain shown in the address bar. A scammer can obtain a perfectly valid certificate for his own domain, so a padlock beside the wrong domain name is still a phish; check the domain name first (Rule #1). And because scam artists have also forged padlock images inside the page itself, be sure to follow the other rules we cover for maximum protection.
Rule #3: Type, Don’t Click
The Internet has conditioned us to click on hyperlinks to open new pages, but don’t let that habit get the better of you when a seemingly urgent email arrives. One of the main techniques phishing scammers use to lull users into a false sense of security is to put links in an email — links that look like they point to a legitimate company site when they actually point to a phishing site. This is called link masking, and it’s easy to spot and avoid if you know what to look for.
Some email applications enable users to hover a mouse pointer over a link to see a pop-up window displaying the actual link. For example, a scammer might send an email that has a “ http://www.paypal.com “ link, but when you place the mouse pointer over the link, the pop-up window reads “ http://www.paypal.phishsite.com .” Of course, you should avoid clicking that link.
Also, many phishing sites use a bare IP (Internet Protocol) address (such as 12.39.144.5) instead of a domain name, so if you hover the pointer over a link and see a string of numbers, the link probably points to a phishing site; legitimate companies do not ask customers to log in at a numeric address.
Instead of clicking links in emails, open your browser and type the company’s address yourself, using the domain name you already know or a bookmark you saved earlier, rather than copying the address out of the email, where a look-alike domain is easy to miss.
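Rules #1 and #3 can be mechanised. The Python below is an added example written for this column, not code from the Smart Computing article or from any mail client: it parses an email link the way a browser would, pulls out the host that will actually be contacted (so the “@” trick and any port number are handled), strips the scammer-chosen subdomains to get the registrable domain, flags bare IP addresses, and compares the host in the link’s visible text with the host in its real destination. The sample links and the tiny list of multi-label suffixes are constructed for illustration; a real checker would load the full Public Suffix List.

```python
"""Does an e-mail link really point at the brand it claims to?

Added example for this column (not code from the Smart Computing article).
The sample links and MULTI_LABEL_SUFFIXES are constructed for illustration;
a real checker should load the full Public Suffix List (publicsuffix.org).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed assumption: a few suffixes under which the registrable domain is
# three labels long (example.co.uk). The real list has thousands of entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def effective_host(url):
    """Return the host a browser would actually connect to (lower-cased), or
    None if the text has no scheme and host.  urlsplit() discards any userinfo,
    so "http://www.ebay.com@scammer.com/" yields "scammer.com", and a port
    such as ":8080" is dropped as well."""
    host = urlsplit(url.strip()).hostname
    return host.rstrip(".") if host else None


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address used in place of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Strip the subdomains (the part a scammer chooses freely) and keep the
    part that was actually registered, e.g. www.ebay.customerservice.com ->
    customerservice.com."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(href, link_text, expected_domain):
    """Return the red flags for one hyperlink (empty list means it looks fine).

    href            the link's real destination (what hovering reveals)
    link_text       the text the reader sees, e.g. "http://www.paypal.com"
    expected_domain the registrable domain of the brand the mail claims to
                    come from, e.g. "paypal.com"
    """
    flags = []
    host = effective_host(href)
    if host is None:
        return ["no http/https host in link: " + repr(href)]
    if "@" in urlsplit(href).netloc:
        flags.append("text before '@' is a user name; real host is " + host)
    if is_ip_literal(host):
        flags.append("host is a bare IP address: " + host)
        return flags
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        flags.append(f"registrable domain is {actual!r}, not {expected_domain!r}")
    # Link masking (Rule #3): visible text names one site, href goes elsewhere.
    shown = link_text.strip()
    if shown.lower().startswith("www."):
        shown = "http://" + shown          # bare "www.x.com" text in the mail
    shown_host = effective_host(shown)     # None for text like "click here"
    if shown_host and registrable_domain(shown_host) != actual:
        flags.append(f"link text shows {shown_host!r} but href goes to {host!r}")
    if urlsplit(href).scheme != "https":
        flags.append("not https: no padlock to expect (Rule #2)")
    return flags


if __name__ == "__main__":
    # Constructed sample links, modelled on the article's examples.
    samples = [
        ("https://signin.ebay.com/ws/eBayISAPI.dll", "https://signin.ebay.com/", "ebay.com"),
        ("http://www.paypal.phishsite.com/login", "http://www.paypal.com", "paypal.com"),
        ("http://www.ebay.com@scammer.com/", "www.ebay.com", "ebay.com"),
        ("http://12.39.144.5/login", "click here", "ebay.com"),
        ("http://www.ebay.org/", "eBay", "ebay.com"),
    ]
    for href, text, brand in samples:
        print(href, "->", check_link(href, text, brand) or ["OK"])
```

With only a handful of suffixes, registrable_domain() will mis-split names under suffixes it does not know (a .com.br host, for instance), which is exactly why production tools carry the whole Public Suffix List. Note also that the check is only as good as the expected_domain you supply: it has to come from what you already know about the company, not from the email.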
Rule #4: Notice Login Inconsistencies
Some scammers cover their tracks by sending victims on to the legitimate company site after collecting personal information. A common example is a phishing site that asks users to enter the username and password they would use to log in at the legitimate site, and then automatically forwards them to that site after capturing the login information. If you attempt to log in to a legitimate account after following a hyperlink in an email, and the web site rejects your login information even though you typed it correctly, it is likely you’ve just been scammed. Contact the legitimate company that the phishing scammer pretended to represent, let them know what happened, and change your password immediately, from a site you reached by typing its address, not by following the link again.
Rule #5: Protect Bank Account Data At All Costs
It’s bad when scammers gain access to your credit card accounts, but at least most of these accounts are protected to the point where victims are liable for a maximum of $50. Debit card and bank accounts often don’t have this level of protection (the cardholder’s liability can grow the longer the fraud goes unreported), so never divulge bank account information in response to an email.
[Doc’s note – Credit card companies such as Visa and MasterCard, but only through some banks, are affording customers the same protection on debit cards as on credit cards. They foresee federal legislation to match that which some states, such as California, are implementing.]
Rule #6: Keep Personal Information Personal
If you take nothing else away from this article, remember this: legitimate companies should never ask for personal information via email (and if they do, they’re not worth doing business with anyway). Never fill out a form contained in an email, and never blindly follow links embedded in emails, no matter how official they appear to be. Scammers rely on input from you to do their work, so by trusting your instincts and never responding to email messages that ask for personal information, you can help force these jerks to find real jobs and earn their own money.
Original written by Tracy Baker from Smart Computing, February 2005 • Vol.16, Issue 2
Also check out Phishing Scams Grow Teeth & You’re The Prey - This Is Personal by Tracy Baker http://www.computerpoweruser.com/Editorial/article.asp?article=articles/archive/c0606/34c06/34c06.asp&guid=
Apple Barrel, Ridgecrest, CA
Hints and Tips, June 2005
http://www1.iwvisp.com/croton/
§ § § § § § § § § § § § § § § § § §