Detailed Information

Browsing the internet means we are visiting a web site page by navigating to a specific address. We search on a keyword, enter an address or click on a link to a site address. The web page that we end up at – may look familiar - or at least professional and seems accurate and trustworthy.

BUT IS IT AN IMPOSTER?

• Are we entering the correct address of the site we want to visit or do business with?
• How do we know what we see or enter is accurate or legitimate?
• It may look like the real web site based on text and images, but is it the real McCoy or is it an impersonator?
• Can someone intercept information I send to a legit web site?

Microsoft reports that: In the past two years, the number of confirmed phishing sites has grown twenty-fold -- from 580 to 11,000 (source: Anti-Phishing Working Group, April 2006 report.)

Phishing in the NEWS:

New tool enables sophisticated phishing scams

Tool automatically creates dynamic phishing sites that pull in data from the target Web site, RSA says. 

By Joris Evers Staff Writer, CNET News.com   Published: January 10, 2007, Source

Security experts at RSA have come across a new tool that automatically creates sophisticated phishing sites, a sign that cybercrooks are getting increasingly professional. 

The tool, which RSA calls the "Universal Man-in-the-Middle Phishing Kit," is available on underground online marketplaces for about $1,000, Jens Hinrichsen, RSA's product marketing manager for fraud auction, said in an interview Wednesday. 

"Unlike other phishing kits which have been in existence for quite some time, this kit is unique because with a very simple user interface you can choose whatever site you'd like to spoof," Hinrichsen said. "The arms race continues; we on the security side have to continue to escalate resources and invest in technology." 

Phishing scams are a prevalent online threat that typically use fraudulent Web pages and spammed e-mail messages to trick people into giving up personal information such as user credentials or credit card data. 

Using the new kit, a fraudster only has to enter variables such as which site should be spoofed and where the fraudulent page will be hosted. The tool then produces a dynamic Web page in the PHP (hypertext preprocessor) scripting language. The fraudster hosts this page somewhere on the Web, typically on a compromised Web server or a free Web host, and lures people to it with spammed e-mail messages or other links. 

 
Shrewd phishers monitor the log-in process to validate that the data they capture is legitimate, Hinrichsen said. An incorrect username and password combination would be discarded. Also, the man-in-the-middle-style attack lets the miscreants continue to eavesdrop on the victim's interactions with the legitimate Web site, according to RSA. 

The most popular phishing targets are banks and online payment services such as PayPal. Auctioneer eBay is also a common target. Fraudsters run phishing scams to collect personal information that can be used for identity fraud. 

Phishing protection is becoming common. The latest versions of Firefox and Internet Explorer include phishing shields. Also, security firms such as Symantec and McAfee sell antiphishing software. 

Protection technologies typically rely on a list of known bad Web sites and display a warning when a user surfs to one of those. This means, however, that a brand-new fraudulent site won't be detected.

In general, people should be cautious when following links to any site that requires a log in. It is better to type in the address or use a bookmark. 

The Phishing Threat Today
A July 2005 study by the Ponemon Institute, a data privacy and business ethics research firm, shows 59 percent of consumers reported reducing online transactions as a result of phishing scams. 

A June 2005 survey by Gartner Inc. of 5,000 U.S. consumers reported that the number of phishing attack e-mail recipients grew by 28 percent.

"Phishing attacks are not subsiding, despite some industry theories that phishing is a fad that peaked in 2004. An estimated 2.42 million U.S. adults report losing money in phishing attacks," the Gartner study said. 

"According to these victims, total financial losses this past year amounted to nearly $929 million. Perhaps the biggest impact for businesses is a newfound and serious consumer distrust of e-mail." 

Beware of Phishing!
Be careful with emails that APPEAR to come from your own bank or other online businesses with which you have accounts. Go to their site directly and log in yourself rather than trust an unsolicited mail’s instructions and links. 

Accounts that were already compromised are being used to get further information from users. An email arrives with the user's credit card or ATM card number on it. The email asks that the PIN be updated on the website linked in the email. The solution is to call the bank and/or visit the bank in person. Call the company from a phone number published in the phone book rather than online from a website (who knows, it might be a pharmed site) to verify that the financial institution does, in fact, need the requested info. There are some things that shouldn't be done online. 

Phishing attacks usually involve popular web sites and programs such as eBay, Amazon, AOL and major bank and credit card companies. Here are some samples.

Banking - the following email sample looks legit but is a SCAM:





AOL – here is an example in the News: Feds Nab Teen Who Scammed AOL Jul. 21, 2003 
WASHINGTON -- U.S. regulators said on Monday they had charged a 17-year-old boy with using "spam" e-mails and a fake AOL Web page to trick people out of their credit-card information and steal thousands of dollars. 

Officials at the Federal Trade Commission said they had agreed to settle their case against the teenager, who was not identified because of his age, after he agreed to pay back $3,500 he had stolen, and to submit to a lifetime ban on sending spam. 

It's the first enforcement action the FTC has taken against an Internet "phishing" scam -- the use of spam, or unwanted junk e-mail, to lure computer users to look-alike websites, where they are deceived into forking over personal financial data. 

"We're only beginning to discover the extent of these e-mails. They're only beginning to proliferate right now," FTC commissioner Mozelle Thompson told a news conference. 

In the case cited on Monday, the teenager's e-mails told recipients they needed to update their AOL billing information and instructed them to click on a hyperlink connected to the "AOL Billing Center." 

The link diverted people to a phony AOL website that contained the company's logo and links to real AOL Web pages, the FTC alleged. There, they were instructed to enter their credit-card numbers, along with their mothers' maiden names, billing addresses, social security numbers, bank routing numbers, credit limits, personal identification numbers and AOL screen names and passwords. 

A spokesman for AOL, a unit of media conglomerate AOL Time Warner, said the company welcomed the FTC's action. 

Spokesman Nicholas Graham said almost anyone can mimic any company's logo and graphics, and he advised Internet users to "beware and be vigilant." 

"We've always told our members that AOL will never ask them for their password or billing information. It's the golden rule of AOL," Graham said. 

The teenager used his newfound information to go on an online shopping spree, the government charged, and to log on to AOL in his victims' names and send more spam. He also recruited other people to take delivery of fraudulently obtained merchandise he had ordered



PC Magazine reports: On average, 28% of the test responses incorrectly identified fraudulent e-mail as legitimate.


eBay – here is a sample email threat:

This email appears to come from eBay but apparently is spoofed, pretending to be from eBay. Not difficult to do.

The top links within this email – when I hover my mouse cursor over them – go to some other web site than the ebay.com domain, to http://66.206.0.23  which is the actual server’s IP address. This throws up a BIG RED FLAG - so they appear suspect and I wouldn’t dare click on them. That web site could be a way to do me harm.

I used this Internet & Network investigation tools: http://www.dnsstuff.com/ and it identifies the URL behind the 2 links in the email as belonging not to eBay but “Cyber World Internet Services” out of Spokane, Washington.

Because I have not placed any bid recently on eBay, I am suspicious of this email anyway, and it would be safer for me to ignore it and log into eBay myself to check for any messages or bids made from my account to be sure nothing negative is happening in my account or bids. I did a check and there are no recent bid activities from me, so this email was NOT sent from eBay!

Is it “bugged?”

Whenever you view any html-based email, a tiny image, called a “web bug” could be present in the code. When the email is browsed, even though the tiny image may not be visible to you, the fact that you browse it can be audited on the server hosting that image file. The audit log can identify me via a possible cookie read on my hard disk from the server to tell the owner that I read his email. Now the owner knows my email address is valid and he can add me to his spam mail-list database. If you turn off tracking cookies either by a preventative shield in an anti-spyware program you have installed, or by going into your Internet Explorer and disabling cookies, this is prevented. But other web sites requiring cookies may now not work for you. A Catch-22.

Turn HTML preview and viewing off in your email program and only read emails in Rich Text or Plain Text to avoid this risk.

And avoid opening suspicious and unsolicited emails as best you can!

Note to eBay users:
If you receive an apparent email that discusses your eBay account, you may see if it is genuine by going to eBay web site, log into MY-EBAY and go to MY-MESSAGES. If the email is legit, the same message will also be found here. If the same eBay email is not in My Messages, it’s a fake. Please forward it to spoof@ebay.com.

Amazon.com - here is a Phishing email example:

Dear nofinerxxx@aol.com,

Greetings from Amazon Payments.

Your bank has contacted us regarding some attempts of charges from your credit card via the Amazon system. We have reasons to believe that you changed your registration information or that someone else has unauthorized access to your Amazon account Due to recent activity, including possible unauthorized listings placed on your account, we will require a second confirmation of your identity with us in order to allow us to investigate this matter further. Your account is not suspended, but if in 48 hours after you receive this message your account is not confirmed we reserve the right to suspend your Amazon registration. If you received this notice and you are not the authorized account holder, please be aware that it is in violation of Amazon policy to represent oneself as another Amazon user. Such action may also be in violation of local, national, and/or international law. Amazon is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft. Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the full extent of the law.

To confirm your identity with us click here:
hllp://www.amazon.com.sign-secure.cc/xxxxxxxx.php?exec/obidos/flex-sign-in/ref=gw_hp_si

After responding to the message, we ask that you allow at least 72 hours for the case to be investigated. Emailing us before that time will result in delays. We apologize in advance for any inconvenience this may cause you and we would like to thank you for your cooperation as we review this matter. 

Thank you for your interest in selling at Amazon.com.

Amazon.com Customer Service
http://www.amazon.com

This message and any files or documents attached may contain classified information. It is intended only for the individual or entity named and others authorized to receive it. If you are not the intended recipient or authorized to receive it, you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately then delete it from your system. Please also note that transmission cannot be guaranteed to be secure or error-free.


Note the odd hyperlink in the email above that they want you to click on. See the domain name includes “amazon.com” but careful examination shows that the URL is really going to a domain: amazon.com.sign-secure.cc and not just amazon.com

That is a WARNING – WARNING – WARNING!


Amazon.com provides Guidelines on Identifying Phishing or Spoofed E-mails Source Link 

From time to time, you might receive e-mails that look like they come from Amazon.com, but they are, in fact, falsified. Often these e-mails direct you to a Web site that looks similar to the Amazon.com Web site, where you might be asked to provide account information such as your e-mail address and password combination. Unfortunately, these false Web sites can steal your sensitive information; later, this information may be used to commit fraud. Below are some key points to look for in order to identify these e-mails: 

1. Know what Amazon.com won't ask for

Amazon.com will never ask you for the following information in an e-mail communication:

Your social security number or tax identification number 
Your credit card number, PIN number, or credit card security code (including "updates" to any of the above) 
Your mother's maiden name 
Your Amazon.com password 

2. Requests to verify or confirm your account information

Amazon.com will not ask you to verify or confirm your Amazon.com account information by clicking on a link from an e-mail. 

3. Grammatical or typographical errors

Be on the lookout for poor grammar or typographical errors. Some phishing e-mails are translated from other languages or are sent without being proofread, and as a result, contain bad grammar or typographical errors.

4. Check the return address

Is the e-mail from Amazon.com? While phishers often send forged e-mail to make it look like it came from Amazon.com, you can sometimes determine whether or not it's authentic by checking the return address. If the "from" line of the e-mail looks like "amazon-security@hotmail.com" or "amazon-fraud@msn.com," or contains the name of another Internet service provider, you can be sure it is a fraudulent e-mail. 

5. Check the Web site address

Genuine Amazon.com web sites are always hosted on the "amazon.com" domain--"http://www.amazon.com/. . . " (or "https://www.amazon.com/. . ."). Sometimes the link included in spoofed e-mails looks like a genuine Amazon.com address. You can check where it actually points to by hovering your mouse over the link--the actual Web site where it points to will be shown in the status bar at the bottom of your browser window or as a pop-up. 

We never use a web address such as "http://security-amazon.com/. . ." or an IP address (string of numbers) followed by directories such as "http://123.456.789.123/amazon.com/. . . ." 

Alternately, sometimes the spoofed e-mail is set up such that if you click anywhere on the text you are taken to the fraudulent Web site. Amazon.com will never send an e-mail that does this. If you accidentally click on such an e-mail and go to a spoofed Web site, do not enter any information and just close that browser window. 

5. If an e-mail looks suspicious, go directly to the Amazon.com Web site

When in doubt, do not click the link included in an e-mail. Just go directly to www.amazon.com and click "Your Account" in the top right menu to view recent purchases, or review your account information. If you cannot access your account, or if you see anything suspicious, let us know right away.

6. Do not "unsubscribe"

Never follow any instructions contained in a forged e-mail that claim to provide a method for "unsubscribing." Many spammers use these "unsubscribe" processes to create a list of valid, working e-mail addresses.

7. Protect your account information

If you did click through from a spoofed or suspicious e-mail and you entered your Amazon.com account information you should immediately update your Amazon.com password. You can do this through Your Account by choosing the option to "Change your name, e-mail address, or password" found under Account Settings.

Please be assured that if someone has been able to look at your account, they are not able to see your full credit card information. However, orders can be sent from your account using your credit card so please contact us immediately if you notice any orders that you do not recognize. 

However, if you did submit your credit card number to the site linked to from the forged e-mail message, we advise that you take steps to protect your information. You may wish to contact your credit card company, for example, to notify them of this matter. Finally, you should delete that credit card from your Amazon.com account to prevent anyone from improperly regaining access to your account. To do so, click "Edit or delete a credit card" under Payment Settings in Your Account.

How To Report Phishing E-mails or Request Account Assistance

If you have received an e-mail you know is a forgery, or if you think you have been a victim of a phishing attack and you are concerned about your Amazon.com account, please let us know right away.

The Evil Twin - Wireless Phishing Threats 
The “Evil Twin” is essentially a wireless version of a phishing scam—users think they're connecting to a genuine hot spot for their wireless laptop but are actually connecting to a malicious server, which can then extract information such as bank details. The attack can be carried out by anyone with the right equipment in the vicinity of a legitimate base station, according to Dr. Phil Nobles, wireless Internet and cybercrime expert at the U.K.'s Cranfield University. "The [malicious base station] jams the connection to a legitimate base station by sending a stronger signal within close proximity to the wireless client, thereby turning itself into an 'Evil Twin,'" Nobles said in a statement. Users are invited to connect via a fake log-in prompt, he said.

Be careful to which wireless access point you connect to when traveling or at a café!

Instant Message Phishing attacks

Instant messaging is increasingly a target of phishers, as the latest attacks show. Most recently, in early March, Yahoo Inc. confirmed, came under attack through Yahoo Messenger, its IM service. In the attack, users receive an IM message that often appears to be coming from a buddy-list contact. The IM attempts to lull users into clicking on a URL, which then takes them to a spoofed Yahoo page requesting login information for their Yahoo accounts, according to an analysis by Akonix Systems Inc. 

Be wary of any hyperlink within an instant message. The message may seem to be from your friend but their account can become hijacked – so do not trust any hyperlink within an instant message for your safety!

You know, if I had younger children using a computer with internet access, I would have to set up strong guidelines or even not allow instant messaging and possibly email use. Think how easy it is for someone to send an attractive link to a child via instant message or email or a link on a web page. The child clicks on it and the exploit is launched and infects the family computer - especially if the child's account has admin permissions!

Microsoft’s upcoming IE 7 to have new, built-in anti-phishing capabilities:
In the beta, these are available only on Windows XP SP2. When the Phishing Filter is enabled:
1) the browser checks against a locally stored list
2) and a Microsoft server whenever accessing a suspect Web site to see if the site is on a known-phisher list
3) the Phishing Filter also looks for characteristics typical of phishing sites.
If the site is on a list, a warning pops up on the browser bar alerting the user not to provide information to the site. If the site is not on a list but is deemed suspect, the pop-up warning tells the user that the site demonstrates phishing characteristics.


Take your time…pay attention to where you browse to!

Just as you would be careful where you drive your car to in a big city – avoiding the risky, seedy side street – use extreme care where you browse to on the internet. 

Clicks are quick! “OOPS” May Be Too Late!



About those tricky POPUPS:

You should never provide information to an unsolicited caller on your telephone – even if they claim to be the Bank, the government or a survey taker. Likewise, never follow instructions in an unsolicited or suspicious email. Never answer to affirm an unsolicited software installation pop-up window or supply your personal data or email address in any unnecessary form on the Internet. Remain anonymous if you can and don’t deal with strangers.

Some web sites and Spyware on your computer can cause popups asking you to respond. 

Never execute unsolicited pop ups. Example:

Example Pop Up above – is it real or a HOAX? Don’t trust it!

Whenever one of those "uninvited" Pop up Ad Windows appear when you browse the Internet, NEVER click on the “Yes,” “No” or "decline button."

Close the popup window by clicking on the "X" in the upper right corner.

If there's no "X" in sight (a common tactic), hit ALT-F4 to close the window. And if that doesn't work, hit CTRL-ALT-DEL to bring up the Windows task manager and end your Internet Explorer session. Never click anywhere inside a popup ad window! Unfortunately, it is too much of a risk these days. Clicking within the window of an evildoer’s window can start a process installing a virus or worse. You may think you are following one instruction but actually activate another. Print this out and place next to the computer monitor!

Just Click The “X” or Alt/F4 !!!

Helpful Tools protecting you against bad web sites:

1. Netcraft – anti-phishing toolbar; FREE tool A new, free browser plug-in from English Internet services firm Netcraft Ltd. - fights phishing attacks and helps users investigate sites they visit. It is available for Internet Explorer on Windows 2000/XP and the Mozilla Firefox browsers. In a test run by eWeek, all but one phishing link they visited was interrupted by a popup from the tool bar (example of popup is below) and used the built-in menu link to report the one site that the tool bar didn't block.

Once installed, the tool bar exists as an Explorer Bar, much like the Google tool bar, and coexisted well with other Explorer bars in their tests. Once install, the toolbar looks like this in your browser:



Netcraft tracks phishing sites in its database and uses that data to block sites when users visit them. The company also uses some heuristic techniques to block practices often used by phishers to deceive users, such as including '<script>' tags in a URL and other known attacks. Even when the tool bar misses a phishing site, or some other type of Web-based fraud, the information in the tool bar could provide valuable clues about the legitimacy of the site. Download Netcraft Toolbar – free, 3mb file download. After installation using your admin account, you may have to play you’re your browser view/toolbar and Netcraft Options setting to get your Netcraft and other toolbars to co-exist properly at the top of your browser. If your computer is subject to a corporate security policy, note that you have to be a member of 'Power Users' or 'Administrators' to install the Internet Explorer version of the toolbar in that login account. While the Firefox version can be installed by any user, you may need to add the Netcraft Toolbar web site to the list of Allowed Sites in order to install it in Firefox.

2. SiteAdvisor – bad web site indicator; FREE tool now owned by McAffee. Test a Web Site for Safety before you visit it by using SiteAdvisor SiteAdvisor warns you before you interact with dangerous Web sites. Traditional security products focus on trying to clean up problems after they occur.

With SiteAdvisor:
1. You can enter the domain name into their web site database search feature first - to check out if it is safe visit your desired web site!

2. You may install their plug-in to get their tool built-into your browser:
http://www.siteadvisor.com/download/ie.html for Internet Explorer
http://www.siteadvisor.com/download/ff_preinstall.html for Firefox or other browser

How It Works:

They built a system of automated testers which continually patrol the Web to browse sites, download files, and enter information on sign-up forms. They document all these results and supplement them with feedback from users, comments from Web site owners, and analysis from our their own staff. To warn users that they are visiting an untrustworthy Web site, SiteAdvisor places a red X in the bottom corner of the browser. A yellow exclamation mark means that users should be cautious because tests have revealed some issues with the site, and a green checkmark means that the site is trustworthy. SiteAdvisor believes that Web surfers unwittingly make more than 1 billion visits to untrustworthy "red" sites every month. The company's database doesn't include data on every Internet site, but it covers sites that account for about 95 percent of all Web traffic, SiteAdvisor said.

What the plug-in tool looks like:

With Google, MSN, and Yahoo search pages, SiteAdvisor actually superimposes its ratings icons on top of items in the search results, making it easy for users to see when they may be on the verge of linking to a dubious Web site - so you know what you may be getting yourself into before you decide to go there. For instance, a quick Yahoo! search for vegetarian recipes turned up these results:

Here is another sample snapshot of a rating on some game sites, from the SiteAdvisor web site database:

SiteAdvisor in the News:

SiteAdvisor Finds Billions of Unsafe Web Visits 
By Ryan Naraine March 3, 2006  Source Link

An Internet security startup with roots at MIT (Massachusetts Institute of Technology) has slapped a red "X" warning label on approximately 5 percent of all Web traffic and warned that there are one billion monthly visits to Web pages that aren't safe for surfing. 

With an ambitious mission to use automated crawlers to test every Web site on the Internet, http://www.siteadvisor.com  officially rolled out a free trial version of a browser plug-in that places a "safe," "caution" or "warning" label whenever a user visits a Web site. 

The idea is to use the color-coded (red, yellow or green) system to mark every Web site and to help Web surfers determine if a site's content includes spyware, spam, viruses, browser-based exploits or online scams. 

A green checkmark is appended to sites tested by SiteAdvisor and cleared as having no significant problems. However, if a Web site tries to change the user's browser defaults or send a lot of "non-spammy" e-mail, the service will take a use a yellow exclamation mark to caution users. 

Web sites found hosting drive-by exploits, bundling adware/spyware with downloads or hammering inboxes with spam get the dreaded red warning "X." 

The browser plug-in, which is available for Internet Explorer and Firefox users, has been in beta testing for three months and, according to data collected over that period, "red" warning ratings were put on for sites representing more than 5 percent of Web traffic. 

About 2 percent of all Web traffic was given the "yellow" caution rating. 

As expected, many popular Web categories have a much higher percentage of red and yellow sites, said Tom Pinckney, co-founder and VP of Engineering at SiteAdvisor. 

For example, on the first page of Google search results for "screensavers," 10 of the 18 sites shown have "red" ratings. 

Ben Edelman, a respected anti-spyware activist who is serving as an advisor to the Boston-based start-up, said the company ratings are based on actual tests of executables hosted on destination sites. 

In an interview with eWEEK, Edelman said SiteAdvisor uses an automated crawler that surfs billions of Web sites monthly to look for executable downloads. 

When an executable is found, it is automatically downloaded onto a virtual machine and installed. The proprietary technology is able to click installation prompts and agree to EULAs (end-user licensing agreements). 

Once a file is installed on the virtual machine, the SiteAdvisor technology looks for all new files created, including changes to the file system and registry. 

A packet sniffer tracks network monitoring to figure out if a piece of adware/spyware/malware is sending traffic from the machine. 

"We put up the rating based on what we find on those sites," Edelman said, stressing that the technology also signs up for e-mail newsletters to track spam that may be sent from that domain. 

It will also monitor the process of unsubscribing to warn end-users if a Web site is making it tough to opt out of a mailing list. 

In addition to the results from the automated crawler, Edelman said feedback from user comments from Web site owners and analysis from SiteAdvisor staff will help determine the ratings. 

In addition to the color-coded ratings on the browser plug-in and on the display of Google, Yahoo, MSN or other search engine results, SiteAdvisor host a Site Report page that documents the results of every test on every Web site. 

Edelman said new sites are tested daily and previously tested sites are re-tested often. Since its launch, the service has tested Web sites representing more than 95 percent of Web traffic and signed up for e-mail subscriptions from more than 1.3 million registration forms. 

More than 475,000 downloads have been analyzed for adware, spyware and viruses. 

What you should do - SUMMARY:

1. Be suspicious of and do not respond to unsolicited emails
2. Turn off HTML viewing in your email program
3. Take your time and understand where you surf on the internet and pay attention to what site you actually go to
4. Close suspicious popups using the X or Alt/F4
5. Be wary to which wireless access point you connect to when traveling or at a café!
6. Avoid clicking on any hyperlinks in instant messages or emails. Go to the web site directly instead of trusting the supposed link presented to you.
7. Install the Netcraft anti-phishing toolbar into your browser
8. Use the free SiteAdvisor bad web site database lookup and install their free plug-in into your browser

http://www.siteadvisor.com

http://www.antiphishing.org/