Archive for the ‘Email’ Category

PC World magazine put together a short tutorial on recognizing eleven common email scams. Each page includes an actual example, most culled from recent messages being sent out by the notorious Storm Warn gang, a group of hackers based out of Germany who not only run the scams themselves, but also sell their hacker toolkits to others.

Some of the scams seem pretty obvious (like number 10, the IRS scam) but others are very sophisticated in their tactics such as number 9 where the hacker is impersonating an indignant eBay customer accusing you of not responding to his question or number 11 where the hacker took the time to personalize the attack based on the victim’s alumni listing.

Number 5, the NFL stat-tracking software, is particularly effective because the webpage is so professionally done. And there really are some good free software programs out there. (Well, not completely free since they’re ad-supported but for an avid fan a few ads might not be too much to pay.) The problem is that there are a few very dangerous landmines hidden among the legitimate tools. Short of completely rewriting the code yourself, there is no way to tell the safe ones from the scams.

Never download "free" software unless you are completely sure of the reliability of the source and never load any software onto your work computer yourself. Always call your IT department.

If you have your own datacenter and have a dedicated IT staff that runs your own email system, you can skip this week’s Tip. If you use webmail (such as Gmail, Hotmail or Yahoo mail) or if you use an email service (such as XO Communications or AppRiver), you are using hosted mail (that is, someone other than your own IT people has a copy of your email on their servers and manages your email for you) and you may need to think about how to keep your emails safe between your computer and the host.

Hosted mail can be a very useful service. It lets individuals and small companies buy top-quality email services without needing a full data center and 24 hour support staff. (Personal webmail accounts can also be useful for keeping personal and professional messages separate. See the 27 Jan 2007 Tip for more.)

However, hosted email adds a layer of complexity to your security arrangements. When your email system is completely in-house, you can trust your perimeter defenses to protect messages from one employee to another even if the message itself is not encrypted. When you use hosted email, the message leaves your perimeter before it gets back to your co-worker. Since standard email is not encrypted, that message could be intercepted and read by basically anyone while it is outside your perimeter.

The same applies when emailing outsiders. More and more companies are implementing secure email in order to protect messages with confidential content. Many of those systems use Transport Layer Security (TLS) which scrambles the message while it’s moving from the sender’s email system to the recipient’s email server but does not protect the message between the recipient’s email server and his/her desktop. That leg is a responsibility of the recipient.

While it is dangerous to generalize from just a few examples, all the email services that I’ve talked to have some way to secure that last mile from their email server to your desktop. XO Communications, for example, has detailed instructions on their webpage explaining the settings and port numbers that you have to set up on each desktop in order to connect to them securely. AppRiver has instructions for how to use the capabilities built into MS Outlook to protect the connection.

Unfortunately, the connection for the users of webmail is harder to make secure. Gmail claims on their website that encryption is available but a number of requests for help on their discussion groups have gone unanswered. Yahoo has yet to return our request for information.

If you can set up that last mile securely, you need to do so. If you can’t, be very sure that you do not use email to send or receive any confidential information such as SSNs or driver’s license numbers.
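One way to enforce the "last mile" protection discussed above from the desktop side, as an added example that is not from the original post or from any of the providers it names: a small mail-client helper that only talks to the hosted server over a verified TLS connection and refuses to fall back to plaintext. The host name, port numbers and credentials are assumptions, not settings from the post.

```python
import imaplib
import ssl

IMAPS_PORT = 993   # implicit TLS from the first byte
IMAP_PORT = 143    # plaintext by default; STARTTLS may be offered


def secure_context() -> ssl.SSLContext:
    """A context that verifies the server's certificate and host name.

    A self-signed or mismatched certificate means the "secure" hop could be
    anyone between your desktop and the host, so verification stays on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject unverifiable servers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def connection_plan(port: int) -> str:
    """Decide how the last mile must be protected for a given port."""
    if port == IMAPS_PORT:
        return "implicit-tls"
    if port == IMAP_PORT:
        return "starttls-required"
    raise ValueError(f"port {port}: no known way to protect this connection")


def open_mailbox(host: str, port: int, user: str, password: str) -> imaplib.IMAP4:
    """Connect to a hosted IMAP server, never sending credentials in the clear."""
    ctx = secure_context()
    if connection_plan(port) == "implicit-tls":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port)
        # Upgrade the channel before logging in; if the server does not
        # offer STARTTLS, stop rather than fall back to plaintext.
        if "STARTTLS" not in conn.capabilities:
            conn.logout()
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS")
        conn.starttls(ssl_context=ctx)
    conn.login(user, password)
    return conn


if __name__ == "__main__":
    # Assumed host and credentials; replace with your provider's published settings.
    box = open_mailbox("mail.hosted-provider.example", IMAPS_PORT, "you", "secret")
    print(box.select("INBOX"))
```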

Have you ever replied to an email message only to realize too late that you just sent your reply to the entire department? Or worse, to the entire company? Reply to All should be used only when you are sure that every recipient on the list really wants and needs to read your reply.

Unfortunately, accidentally hitting Reply to All is an easy mistake to make.

If you are the sender of the original message, you can make life easier and safer for your readers if you use the bcc: field instead of the To: field in the email header. Bcc: stands for "blind carbon copy." Every user will receive the message but the recipient will see only his or her own name in the bcc: field. If a user accidentally hits the Reply to All button, the reply message will only be sent to the original sender.

As a matter of etiquette, you should disclose the distribution list to your readers in the body of the message. This avoids any appearance of attempting to hide the distribution. A common convention is to use small italicized text in the first line with the text "sent bcc: to MidwestDivision".

At some point, all of us have received a "helpful" message from a co-worker or family member warning us about the latest internet virus. Unfortunately, the overwhelming majority of these messages are hoaxes – scare alerts started by malicious people and then passed on by well-intentioned users who think they are helping by spreading the warning. The message itself is the virus, and it depends on your goodwill (and gullibility) to spread.

Do not forward hoax messages. Some hoax messages carry malicious instructions about how to delete certain "corrupt" files – files that actually are not only safe but even necessary to your computer. In others, the hacker offers a convenient link or tool to "check your computer and remove the virus" or "improve your performance". Instead of downloading an anti-virus tool, you’re actually loading the malicious software itself.

Even "innocent" messages with no direct malware attached have caused the e-mail systems at some companies to collapse when hundreds of users forwarded a false alert to everybody in their address book.

If you receive an alarm email about a virus from anyone except your own IT department, just delete it, especially if the message includes any "special" instructions. (The instruction to run your own anti-virus program is probably safe but I’d never trust someone else to tell me to load a piece of software.)

If you suspect that the message might be legitimate, forward it to your IT department and let them determine if a wider announcement is appropriate. You can also check at f-secure.com for a good list of known virus alarm hoaxes.

Phishing is an increasing and serious problem. Luckily, consumers and even some tools are getting better at identifying and deleting them. Unluckily, many legitimate messages get thrown away because they look too much like phishing messages. TRUSTe and Ernst & Young recently published a white paper on "How Not to Look Like a Phish". Here are a few thoughts that can help you keep your messages from looking too much like a phish:

  • Don’t request personal information from customers via a hyperlink in an email. If you need information (such as an updated address), tell the customer to go to your company’s website and log in. Don’t provide a "convenient" link.
  • Personalize the email whenever possible. This proves that you know your customer’s name. For example, use "Dear John" instead of "Dear Sir".
  • Don’t get your customers in the habit of linking through someone else to get to you. For example, if you are going to provide a link in the email, it should look like www.yourdomain.com, not www.somebodyelse.com?redirect=www.yourdomain.com. Never use the IP address in the link. http://208.109.181.210 will still take you to rossander.org but readers can’t be expected to know that or to recognize when the address has been tampered with.
  • Be very cautious about using "click here" links. You may think they read better but customers should rightly be suspicious of any attempt to obscure the destination of a link. Written-out addresses are better.
  • Use simple and intuitive domain names and directory paths. The longer the address line, the more likely it is for something to be spoofed and the harder it will be for your customers to recognize the falsification.
  • Proofread and spell-check all your communications. While more phishers are improving their English, many users still rightly assume that a grammar or spelling mistake is evidence of a possible phish by someone whose native language is not English.
  • Avoid messages with an urgent, threatening or time-sensitive tone. (I had an example in here but it made this message look too much like a phish and got blocked. Don’t say anything about passwords and account cancellation.)
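The link guidelines in the list above can be checked mechanically before a customer mailing goes out. The following lint pass is an added example, not part of the TRUSTe/Ernst & Young paper or the original post; the sender domain, the documentation-range IP address and the sample message are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

OWN_DOMAIN = "yourdomain.example"  # assumed: the domain customers should see

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs from the <a> tags of a message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Mail bodies often carry bare "www.example.com/..." links; add a scheme.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def lint_links(html):
    """Return one finding per link habit the list above warns against."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        try:
            ipaddress.ip_address(host)       # raises ValueError for a name
            findings.append(f"IP address instead of a name: {href}")
        except ValueError:
            if host != OWN_DOMAIN and not host.endswith("." + OWN_DOMAIN):
                findings.append(f"link passes through another domain: {href}")
        if "click here" in text.lower():
            findings.append(f"'click here' hides the destination: {href}")
        elif " " not in text and "." in text and _host(text) != host:
            findings.append(f"visible address {text!r} does not match {href}")
    return findings

SAMPLE = (  # constructed outgoing message, not a real one
    '<p>Please <a href="http://192.0.2.10/login">click here</a> or visit '
    '<a href="http://www.somebodyelse.example/?to=www.yourdomain.example">www.yourdomain.example</a>. '
    'Your account page is <a href="https://www.yourdomain.example/account">www.yourdomain.example/account</a>.</p>')
```

Running `lint_links(SAMPLE)` flags the IP-address link, the "click here" text, the link that passes through another domain and the written-out address that does not match its real destination; the last link is clean.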

For the full report, go to truste.org.