My 2/27/08 Missoulian column
In Montana, fishing involves luring trout with dry flies in the summer or jigging in winter with tackle and bait. On the Internet, phishers consider you to be the catch, and you might not recognize them for what they are.
Botnets and scammers send out spam messages 24/7, trying to bait recipients into opening an attached file that will install malware that runs invisibly on PCs.
But not all spam contains Trojan horses or spyware, or links to them; some appears to be genuine e-mail from your financial institution or an online store. These messages urge you to check your account or confirm your account information, playing on your fears by saying the account has been “accessed” by someone else and will be locked if you don’t take action. These e-mails are phishing scams, and the point is to get you to click on a link to an impostor Web site that will steal your information.
Every year, thousands of people get hooked and lose money and their personal information. According to the New York Times, “More than 3.5 million U.S. adults lost money to phishing scams and online identity theft in the 12-month period that ended in August (2007), a 57 percent increase over the previous year.”
“Social engineering” is the buzzword for the trick behind these high-tech confidence scams, an old craft in the new world of the Internet. It’s easier and takes less time for scammers to trick you into giving away your account information than it is to learn how to really hack a system.
If you click on a link in a phishing e-mail you are taken to a copy of the genuine site that has been downloaded and moved to another server – usually outside of legal jurisdiction – and changed for nefarious purposes. The nature of the Web makes it easy to copy a site and put it on another server in another country where the laws are lax. (There’s even a hacker kit that makes putting a phishing site together point-and-click easy.)
The fake Web site code is changed so any information entered doesn’t go to the bank but to the hackers. It’s bad enough if they get your account or credit card number, but some phish for enough information to steal your identity: your Social Security number, full name, date of birth, mother’s maiden name, etc. Some phishing sites also use security certificates, so they appear to be secure – with an “https” prefix on the URL and a padlock in the browser – but a certificate only proves that your connection to that server is encrypted and that whoever set it up controls that domain name. It says nothing about whether the domain is your bank’s, so the padlock means nothing if the entire site is fake.
One giveaway to a phishing site can be the Web address. Advanced phishers use tricks to hide fake URLs, so check the address carefully. The part that matters is the host name between “http://” or “https://” and the next slash, and the domain that counts is the end of it, read right to left. In the standard form – www.mybank.com – the bank’s name should be followed directly by a slash and preceded by nothing. If it is followed by more names (www.mybank.com.login-verify.example belongs to login-verify.example, not your bank), preceded by anything (an address like user@www.mybank.com actually goes to whatever follows the “@”), or replaced by a bare number such as 192.0.2.10, you should be suspicious.
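The checks above can be applied mechanically before you trust a link. The following is an added example, not code from the column, that splits a URL the way a browser does and reports each of the tricks described: a username before “@”, a bare IP address, internationalized (punycode) host labels that mimic Latin letters, and the bank’s name used as a subdomain, lookalike or path of some other domain. It assumes a hypothetical trusted domain, mybank.com, and uses only the Python standard library; splitting the registered domain as “the last two labels” is a deliberate simplification that is wrong for names under suffixes such as .co.uk.

```python
"""Heuristic checks for the URL tricks phishers use to hide a fake host.

Added example (not from the original column). It assumes a hypothetical
trusted bank domain, mybank.com, and uses only the Python standard library.
registered_domain() keeps only the last two labels, a simplification that
fails for ccSLDs such as .co.uk (a real tool would use the public-suffix list).
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "mybank.com"  # hypothetical bank domain, not a real bank


def registered_domain(host: str) -> str:
    """Return the last two labels of a host name, e.g. 'evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Return a list of warnings; an empty list means the host is the trusted domain."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = trusted.split(".")[0]  # "mybank"

    if not host:
        return ["no host name in URL (missing http:// or https://?)"]

    # Trick 1: "http://www.mybank.com@evil.example/" -- everything before '@'
    # is a username; the browser connects to the host after it.
    if parts.username is not None:
        warnings.append("text before '@' is a username; real host is %r" % host)

    # Trick 2: a bare IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is an IP address, not a domain name")
    except ValueError:
        pass

    # Trick 3: internationalized labels (punycode 'xn--' or raw non-ASCII)
    # can use foreign letters that look like Latin ones (homograph attack).
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized label in host (possible homograph)")

    # Trick 4: the bank's name placed in a subdomain, a lookalike domain,
    # or the path of a domain that is not the bank's:
    #   www.mybank.com.verify-login.example   mybank-secure.example   /mybank/login
    reg = registered_domain(host)
    if reg != trusted:
        if brand in host:
            warnings.append("%r appears in host but registered domain is %r" % (brand, reg))
        elif brand in parts.path.lower():
            warnings.append("%r only appears in the path; host is %r" % (brand, reg))
        else:
            warnings.append("host %r is not %s" % (host, trusted))

    # A certificate proves control of the domain you connected to, nothing more.
    if parts.scheme == "https" and warnings:
        warnings.append("https does not help: the certificate would be for %r" % reg)
    return warnings


if __name__ == "__main__":
    # Constructed sample links, the kind a phishing e-mail might carry.
    for link in [
        "https://www.mybank.com/login",
        "http://www.mybank.com@evil.example/login",
        "https://www.mybank.com.verify-account.example/secure",
        "http://192.0.2.10/mybank/login",
        "https://www.xn--mybnk-nwb.com/",
    ]:
        print(link, "->", analyze_url(link) or ["looks like the trusted domain"])
```

The function returns warnings rather than a yes/no verdict because a link can combine several tricks at once; an empty list means only that the registered domain matched, not that the page content is genuine.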
I like to investigate the phishing e-mails I get – don’t try this at home, kids – and if you know how, you can check the URL or the IP number of the phishing site (without downloading malware) with Whois, a phone book-like directory, and discover where the Internet provider is located.
Most IPs from phishing e-mails I have gotten have been from providers in Russia and South America. I’ve gotten a few that took me to a copy of part of the Internal Revenue Service’s Web site. The fake e-mail promised a refund on my taxes, and the phishing site had the IRS graphics and style copied exactly, but it had spelling and grammar mistakes, the IP was from South Korea and the Web site code revealed the hackers’ e-mail address there.
How do legitimate Web sites fight back? Most financial institutions and popular online sites – such as PayPal and eBay – by policy won’t send you an e-mail concerning your account with a link to their site. They may send an e-mail, but it will require that you go to a site you’ve already bookmarked, type the URL directly into your browser or call the company directly. If in doubt about the e-mail policies of your bank, check with it.
The safest way to go to your bank’s site is to type in the URL yourself, then bookmark the login page. Many bank sites have tried to mitigate phishing risks with features like personalized “site keys” (an image or phrase you chose that the real site shows you before asking for your password) and multiple captchas – images of squiggly letters and/or numbers that you must enter on the site – although captchas slow down automated login attempts rather than phishing, since a fake site can simply relay whatever you type. According to a security firm consulted in the New York Times article, many financial institutions are asleep at the wheel.
You need to protect yourself from being hooked, so use common sense and don’t click on e-mail links that ask you to check your account or verify your banking information – they are phishing for you.
Next week: Anti-phishing tools that help uncover scams.
More on last week’s subject: When you run Windows under a limited user account, you can set your anti-virus and Windows updates to run automatically in the administrative account while you use a lower-level account for day-to-day work. That way your system gets updated without you having to log back into the administrative account.