Help Protect Yourself from Online Crime
Published: November 8, 2004
By Sandi Hardmeier, MVP

Over the past few years, online banking and other Web-based financial services have exploded in popularity. As our lives have become more hectic, the convenience and simplicity of online transactions have released us from standing in line and saved us much valuable time.
It was inevitable that the dishonest among us would notice our increasing use of the Internet and look for an opportunity to swindle and scam. The modern day 'rip-off merchant' uses social engineering to trick unsuspecting people into voluntarily giving away sensitive personal information such as credit card numbers, Social Security numbers, Personal Identification Numbers (PINs), and passwords with an ultimate goal of credit card or other monetary fraud, and identity theft. They may also use HTML e-mail and security vulnerabilities to download malicious software, such as Trojan Horses, onto victim computers.
In this column I will illustrate a few of the tricks that criminals use to try and convince us to trust them, reveal some of the ways that they hide their real identities, and provide information about how to help protect yourself from their harmful effects.
What is Phishing?
Phishing: creating a replica of an existing Web page in an attempt to fool a visitor into providing personal, financial, or password information.
The criminals responsible for phishing will send e-mail that claims to be from a legitimate business or government organization. The 'from' address will sometimes look legitimate but will often be fake.
The e-mail message may display pictures downloaded directly from the spoofed company's real Web site. If the company being imitated has sent e-mail in the past (for example, advertisements) the fraudsters will copy the format of the e-mail right down to the tiniest detail.
When a victim clicks on a false link in the e-mail message they are taken to a Web site that is an exact copy of a real business site. If there is more than one link in the message, several may go to a real business site, but the URL to be used to capture the victim's personal information will go to the fake site.
Below are some examples of what phish e-mail messages look like.

When we compare the URL in the message body of the e-mail (1) to the URL in the status bar (2) we can see that they are different.

Phish e-mail messages can look legitimate because they often use images or logos from the Web sites of the business they are pretending to be.
Tip: Check hyperlinks carefully
NEVER click on a link in a possible phishing e-mail message. Always type the URL of the company into your Web browser's address bar. Rest your mouse cursor on a hyperlink and look at the status bar to see where a hyperlink really goes.
Phishers sometimes use HTML forms sent via e-mail.

The fake form is used to collect sensitive data.
There were no false hyperlinks and all graphics were the real thing. Again, the Microsoft Outlook Express message window's status bar saved the day, revealing the real address behind the 'Security Center' button.
Sometimes phishers make a URL very long to try and hide their trickery. Here is an example:

Mousing over the link reveals a long URL in the status bar.
In the above example, the real, much longer URL was hidden and looked like this:

The danger here is that versions of Internet Explorer that don't have the latest security patches will ignore everything before the '@' character, and attempt to connect to the IP address at the end of the URL (which is not a Woodgrove Bank IP address). Also, because the URL is so long, the hapless victim cannot see the phisher's target URL in the Outlook Express status bar. Another danger is that not only is the target site hidden in the Outlook Express status bar, Internet Explorer may also display only www.woodgrove.com in its Address bar, when in fact it is connected to a phishing site.
There is another phishing technique that uses JavaScript to overlay a picture on to your browser's address bar thereby hiding where you have actually been sent. Sometimes the exploit does not work, as can be seen from the example reproduced below. We can plainly see the overlay picture — in the wrong place!

A phishing exploit that didn't work. The real Web address is exposed.
This technique does not work on systems running Microsoft Windows XP Service Pack 2 (SP2) because the Service Pack prevents hiding of the address bar. Below is a screen shot of an exploit demonstration page visited using Service Pack 2:

Windows XP Service Pack 2 helps prevent the phishing overlay technique from working.
Here is the same page, visited using Microsoft Windows Millennium Edition and Microsoft Internet Explorer version 5.50.4134.0100:

The fake Web address lies over the real one.
Tip: Update to Windows XP Service Pack 2 and install all Internet Explorer critical updates.
Types of messages to look out for
Phishers use very plausible excuses in their e-mail to convince people to go to their Web site and input financially sensitive information. The e-mail will use various approaches, including:
• Security or server updates, maintenance upgrades, online banking problems
• Billing information requests or billing issues
• Official or urgent notices
• Account updates, e-mail or account verification requests
• Consumer alerts, customer warnings
• Your account has been, or may be, suspended or needs to be reactivated
• Problems with your account, errors found
• Suspicious transactions, fraud investigation, unusual activity
• Someone sent you money, payment acknowledgments, order confirmations, lottery wins, jackpot wins, competition wins
• Requests for assistance with fund transfers (the infamous 'Nigerian' scam)
• Offers of advice on how to protect yourself from fraudulent transactions, identity theft solutions
The Risk of Viruses
Always use an up-to-date antivirus program, and a firewall, for maximum protection from viruses and hackers. Some spam or phishing e-mail may try to download a virus on to your computer. I have received many spam e-mail messages that tried to download and install other malicious software.
Tip: If you receive a phishing e-mail message, don't go to the criminal's Web site even if you know it is false and you have no intention of providing personal information. Not only do some phish e-mail messages attempt to install a Trojan horse onto a victim's computer, there have also been phisher Web sites that attempt to do the same thing.
Some antivirus programs are smart enough to detect an attempted phish by scanning for URLs that attempt to take advantage of known security vulnerabilities, or URLs for known phish Web sites. The screen shot below shows the PhishBank.BL trojan being detected.

Some antivirus programs will detect phishing e-mail.
Protect Yourself
Get helpful plug-ins
Not all antivirus products are the same - some may not detect phish URLs, and in any event, antivirus software is only as good as its latest update. Happily, there are plug-ins available that will help you reduce the risk of being fooled by phishers.
My favorite tools are the 'Spoofstick' toolbar and 'SpamBlocker' (which is a feature of a free toolbar provided by EarthLink).
Spoofstick and EarthLink's SpamBlocker work differently. Spoofstick simply shows you where you really are, and is especially useful against address bar overlays and long URLs that hide their true address. SpamBlocker redirects your browser away from known scam sites to a warning page and must be updated regularly. It is only effective against known and reported phish sites.

The Spoofstick shows you the real Web address.

SpamBlocker redirects your browser away from known scam sites.
Update to Windows XP Service Pack 2 with enhanced Outlook Express
The latest version of Outlook Express makes it much easier to protect yourself from dangerous scripts, and to hide from spammers and phishers. The picture below shows the Outlook Express security tab, and the settings that can help prevent spammers from discovering if their e-mail has been opened. These settings will help provide protection from hostile scripts and stop viruses from using Outlook Express to send spam e-mail without your knowledge.

Use these settings on the Outlook Express Security Tab to hide from spammers and phishers.
Get the latest updates
Get the Windows XP Service Pack 2 update and install all Internet Explorer critical updates to help protect against fake URLs.
If you do not have access to Service Pack 2, there are some ways you can protect yourself from the exploit.
• Compare the address bar URL to the address in the status bar.
• Look for the secure site lock in the status bar.
• Type the site's URL into your browser address bar. Do not click on hyperlinks in e-mail.
• If a page is using the exploit, you will not be able to click in the address bar.
Make sure it's secure
Always check the security status of a Web site before submitting financially sensitive information. Check the browser's status bar for a closed 'lock' icon. This indicates that the information you are providing will be encrypted during transmission, to help keep it secure.

Look for the lock icon.
Tip: What does TRUSTED mean?
The 'trust' granted by a browser is not the same as the 'trust' granted by a person.
The 'lock' icon simply shows you that the address (the 'domain') of the site you are visiting matches the security certificate for the site. In other words, a browser's 'trust' is based on electronic paperwork, not reputation or behavior.
The 'lock' is no guarantee that the 'domain' is run by a 'good guy.'
The Last Word
The best protection from fraud is knowledge. Many of the major banks and financial institutions, and others who have been affected by phishing have information on their Web sites about their e-mail policy or advice on how to detect fraudulent e-mail that target their customers. If you receive a possible hoax e-mail message, report it to the business or government organization being spoofed. They will want to take immediate steps to protect you and their other customers. Remember that legitimate online businesses should never ask you for sensitive personal information such as passwords, bank account or credit card numbers, PINs, or Social Security numbers via e-mail. If you accidentally supply financially sensitive information to a suspicious site, contact the spoofed company immediately for advice and instructions.
Use the Windows Automatic Update service to install all critical updates relevant to your system. Install and regularly update an antivirus program. Use a firewall. Most importantly, be alert. Responsible companies will not request sensitive personal information by e-mail.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.