Archive for the ‘Phishing’ Category

Earn millions! Help a damsel in distress! Win the lottery! Work at home! Whoops, I overpaid – please send back the overpayment!

These are just a few of the scams out there. The average adult American receives 4½ emails, phone calls or pieces of mail per week attempting one of these scams. Thirty percent say they receive 10 or more a week and 18% admit that they or a family member have fallen for one of them.

The National Consumers League (NCL) recently launched a website fakechecks.org to help educate consumers about check-fraud scams like these. The website includes a “fraud test” and some great videos that show exactly how these six scams work and how to recognize them when they come in. Take a few minutes at home to see how many of these you would fall for. And remember, this is what these scammers do for a living. Some of them are very good at building a rapport and sounding trustworthy. They play on our inherent trust and desire to be helpful and courteous.

Remember also that in a check fraud scheme, the victim is responsible for the lost money and any overdraft or returned check fees. The fraudster ought to be responsible but given the odds of catching him/her, that is dangerous wishful thinking. The bank has no responsibility if you fall victim to check fraud like the ones above.

If you are a victim who recently wired money to fraudsters, report the incident immediately to the security department of the business that handled the wire transfer. If the payment hasn’t been processed yet, they might be able to get your money back. If it’s an older scam, report it at fakechecks.org.

Phishing is an increasing and serious problem. Luckily, consumers and even some tools are getting better at identifying and deleting phishing messages. Unluckily, many legitimate messages get thrown away because they look too much like phishing messages. TRUSTe and Ernst & Young recently published a white paper on "How Not to Look Like a Phish". Here are a few thoughts that can help you keep your messages from looking too much like a phish:

  • Don’t request personal information from customers via a hyperlink in an email. If you need information (such as an updated address), tell the customer to go to your company’s website and log in. Don’t provide a "convenient" link.
  • Personalize the email whenever possible. This proves that you know your customer’s name. For example, use "Dear John" instead of "Dear Sir".
  • Don’t get your customers in the habit of linking through someone else to get to you. For example, if you are going to provide a link in the email, it should look like www.yourdomain.com, not www.somebodyelse.com?redirect=www.yourdomain.com. Never use the IP address in the link. http://208.109.181.210 will still take you to rossander.org but readers can’t be expected to know that or to recognize when the address has been tampered with.
  • Be very cautious about using "click here" links. You may think they read better but customers should rightly be suspicious of any attempt to obscure the destination of a link. Written-out addresses are better.
  • Use simple and intuitive domain names and directory paths. The longer the address line, the more likely it is for something to be spoofed and the harder it will be for your customers to recognize the falsification.
  • Proofread and spell-check all your communications. While more phishers are improving their English, many users still rightly assume that a grammar or spelling mistake is evidence of a possible phish by someone whose native language is not English.
  • Avoid messages with an urgent, threatening or time-sensitive tone. (I had an example in here but it made this message look too much like a phish and got blocked. Don’t say anything about passwords and account cancellation.)

For the full report, go to truste.org.

How good are you at identifying a phishing con? Do you delete the message or do you take the bait? How often can you get hooked?

Carnegie Mellon’s Usable Privacy and Security Lab (CUPS) has developed a game to teach people how to identify several common clues that a message is a phish. The game takes about 10 minutes to play and is suitable for all ages. You will play PHIL, a "young fish living in Interweb Bay" as your father teaches you how to find food (legitimate links) and avoid dangers (fraudulent links).

The game focuses on how to dissect the URL in the phishing message in order to sort out the scams from the good messages. According to the researcher who developed the game, users improved their accuracy in spotting fake sites from 69% before playing the game to 87% after.

Phishing works by tricking you into following a link and volunteering the confidential information to a scammer. Phishers will attack both your personal and work accounts. Phishers have recently been very effective at mimicking trusted sites such as the Better Business Bureau. The only way to protect yourself is to be alert to the scam. There are plenty of other scams out there but this game hits some of the most common tactics.

The game can be found at cups.cs.cmu.edu/antiphishing_phil/quiz/.

Last week, Westfield’s top executives were targeted with a very specific phishing email alleging to be from the Better Business Bureau. As you can see below, this phish uses the BBB’s official logo and colors and follows the format and structure of a legitimate message. When the victim clicks on the "convenient" link in the message, it installs a trojan downloader onto the computer. The downloader then starts loading up the computer with keyloggers, back doors and other spyware. If not caught in time, the hacker will have complete control of the computers of the top executives of the company.

This was not a wide-spread spam attack. The phishers knew exactly who in the company would normally receive these kinds of complaints. They knew the correct names and email addresses of their targeted victims. They also spoofed the return address so the email appears to have come from someone at bbb.com – a registered alternate to their main address, bbb.org. This was a well-crafted phish.

Nevertheless, there are a few clues that this was a phish.

  1. Float your mouse over the bold blue link in the message BUT DO NOT CLICK THE LINK. Look in the gray bar at bottom left of your computer screen and you should see the link’s destination. In this case, the link goes to http://document-repository.com/redirect.htm?... The BBB’s real website is bbb.org. While there are sometimes legitimate reasons for an organization to use an alternate internet domain, it is more often illegitimate. If you see a mismatch, be very suspicious.
  2. The case number in the subject line does not match the case number in the body of the message. The odds are that the “case number” in the subject line is a code used by the hacker to see which messages were successful and which were blocked.
  3. The date of the complaint is 14 May 2007 but the message was sent in late August. Even the BBB isn’t that slow.

If you are an executive or work in close support to an executive, recognize that you are a special target. Hackers know that you have exactly the kind of access and permissions that they most want to target. They believe that you don’t have a lot of time to stay current on technological threats. And they know exactly who you are – with all the automated databases and executive listings, there is no anonymity. Hackers (or anyone else) can buy listings with your name, title and email address. See here for an example. And yes, this company requires you to sign a written statement promising to abide by the CAN-SPAM law but the kind of person who will steal credit card numbers, fraudulently register internet domains and send out a phish is probably willing to forge a signature on their form.

Always be suspicious of any unsolicited email asking you for information or to follow a link. Double-check the link before clicking it and never disable your anti-virus and anti-spyware protections.

Update:
The image at the bottom of the article worked perfectly when I sent it out in an email newsletter. Unfortunately, when I archived it into this blog, the site’s software doesn’t seem to handle the image mapping properly and the widget I used to make the phish’s links appear to work is failing. Until I can figure out how to get it fixed, please ignore some of the wording above. But remember that floating your mouse over a link is a good way to tell where it’s really pointing.

I still remember the first time someone sent me an electronic greeting card. It was kind of hokey but it really brightened up my day. Sending one back was convenient, fun and best of all, free. Unfortunately, someone has recently launched an aggressive campaign that combines the worst aspects of spam and malicious software and is exploiting the popularity of e-cards. The hacker is using pre-packaged software to spam millions of messages across the internet that read with some variation of "You have received an ecard from" a school mate, a colleague or a family member.

If you open the message, you’ll see a standard text-only message describing the e-card and offering you a link to a website where you can download your e-card. The messages claim to be from any of several legitimate ecard websites but in the versions that I’ve seen, the link is a raw IP address (such as http://12.345.67.89), not a domain name (www.example.com). Other versions may get more sophisticated and cover the IP address with a fraudulent domain. The IP addresses trace back to hundreds of different owners. My suspicion is that these are individual machines which have been hijacked as part of someone’s botnet.
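The link clues from the "How Not to Look Like a Phish" list, the BBB phish dissection and the e-card messages above (a raw IP address instead of a domain, a link that redirects through somebody else’s site, a domain that does not match the organisation’s, and "click here" text or a displayed URL that hides the real destination) can be checked mechanically. The Python below is an added example, not code from this blog or from NCL, TRUSTe or CUPS; the sample HTML is constructed, the function names are mine, and 192.0.2.10 is a documentation address standing in for the raw-IP links the e-card post describes.

```python
"""Inspect hyperlinks in an HTML message for the phishing clues the posts
describe: raw IP addresses, redirect-through-someone-else links, domains
that do not match the sender's, and anchor text that hides the target."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Anchor text that tells the reader nothing about where the link goes.
VAGUE_TEXT = {"click here", "here", "click", "login", "log in", "this link"}

# Constructed sample messages (not taken from the original posts).
SAMPLE_NEWSLETTER = """
<p>Please update your address at
<a href="http://www.yourdomain.com/account">www.yourdomain.com/account</a>.
Or <a href="http://www.somebodyelse.com/?redirect=www.yourdomain.com">www.yourdomain.com</a>.
<a href="http://192.0.2.10/login">Click here</a> to log in.</p>
"""
SAMPLE_BBB_PHISH = (
    '<a href="http://document-repository.com/redirect.htm?id=1">'
    "http://www.bbb.org/complaint</a>"
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for .com/.org examples;
    suffixes such as co.uk need a real public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_of(value):
    """Hostname of a URL, tolerating values with no scheme ('www.x.com/y')."""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def inspect_link(href, text, expected_domain):
    """Return the list of clue strings that make this link look like a phish."""
    clues = []
    host = _host_of(href)
    try:
        ipaddress.ip_address(host)  # raw IP literal instead of a domain name
        clues.append("ip_literal")
    except ValueError:
        if host and registrable_domain(host) != expected_domain:
            clues.append("domain_mismatch:" + host)
    # A query parameter holding another host is a redirect through someone else.
    for values in parse_qs(urlsplit(href).query).values():
        for value in values:
            target = _host_of(value)
            if "." in target and target != host:
                clues.append("redirect_to:" + target)
    if text.lower() in VAGUE_TEXT:
        clues.append("vague_text")
    elif "." in text and " " not in text:
        # The visible text is itself a URL or domain; it must agree with the href.
        if registrable_domain(_host_of(text)) != registrable_domain(host):
            clues.append("text_href_mismatch")
    return clues


def inspect_message(html, expected_domain):
    """Map every href in the message to its list of clues ([] means clean)."""
    return {href: inspect_link(href, text, expected_domain)
            for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, clues in inspect_message(SAMPLE_NEWSLETTER, "yourdomain.com").items():
        print(href, "->", clues or "ok")
    print(inspect_message(SAMPLE_BBB_PHISH, "bbb.org"))
```

Hovering over a link and reading the status bar is the manual version of `_host_of`: both look at the real destination rather than the text. The two-label `registrable_domain` is deliberately simple; a production filter would use the public-suffix list so that `bbb.org.example.com` and `example.co.uk` are judged correctly.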

Opening the email won’t do anything immediately bad to your computer (other than waste your time) but following one of the links is another story. Do not under any circumstances follow these links. Merely opening the page will trigger the download of a particularly nasty computer trojan horse which will then attempt to download even more malicious software onto your machine.

If your anti-virus program is up-to-date and running, it should catch and stop this trojan. However, if you get any kind of alert or think that you might have triggered one of these downloaders, you should run a full virus scan on your system. Call your IT department for instructions. Never open a message from an unrecognized sender and never open an attachment or follow a link in a message that you were not expecting.

Note: If you think the email card might be legitimate, you can check by opening a browser and typing the address of the greeting card company (for example, www.hallmark.com or www.bluemountain.com) and follow the instructions on the site to ‘pick up an e-card’. This will usually involve entering the email address of the sender and a confirmation number from the email. If the message was legit, it will show up on the website. As long as you type in the address yourself (rather than following a possibly faked link) and you’re going to a major company that you trust, it should be safe to check.