What happens when spam, that most annoying Internet hazard, is soaked liberally in the twisted Internet culture of hacking and identity theft? You get a pastime called “phishing.” Unfortunately, phishing has nothing to do with a relaxing afternoon on a lake, although it does involve bait and getting reeled in.
Phishing is an Internet attack in which victims are tricked into giving away personal information like usernames and PINs. Phishing is a new Internet scam compared to older threats like viruses and spam, but it’s on the rise. The Anti-Phishing Working Group (antiphishing.org) reports that the number of active phishing websites increases nearly every month, from 161 in October 2004 to almost 1,000 in January 2005. The same organization states that about 5 percent of phishing recipients are duped into giving away privileged information.
Hook, Line, and Sinker
Here’s what phishing looks like from the recipient’s viewpoint. You receive an e-mail message from your bank or a major commercial website like eBay or PayPal. The e-mail message claims something is wrong, something alarming but plausible, like a problem verifying your account information. Some phishing attacks offer something enticing, like a rebate or cash prize.
Your heart rate is elevated slightly, but you don’t panic. After all, mix-ups happen — like when your credit card was inexplicably rejected on Amazon.com. However, the sender has been kind enough to give you a way to clear the whole thing up. Simply click on a link and you’ll be taken to the website where the purported mistake can be corrected (or the prize claimed).
When you click on the link, you’re taken to the website, which looks the way it always does. Because your account is flagged, you have to provide a few extra pieces of information, but that’s okay, because in a few minutes everything will be taken care of, right?
Wrong (as you probably guessed). You’ve been phished, and you just gave your PIN, password, or SSN to someone who knows exactly what to do with it. Here’s what it looks like from the phisher’s perspective. That urgent warning about your account is just phish bait, a fabrication that looks fairly realistic, like a latex worm. The format of the e-mail message is stolen from a legitimate source; the phisher has made every effort at authenticity. When the victim clicks the link, he or she is taken to what looks like the real website, from the graphics to the website address. However, the website is more fakery. When personal information is entered, the hook is set, and the victim could be on the line for a long time.
Spotting Phish Bait
Fortunately, knowing how phishing works helps potential victims avoid a life-changing brush with identity theft. However, to the untrained eye some phishing attacks can look really authentic. How can you know if something is phish bait? Here are some tell-tale signs to look for before you even think about clicking anything.
Start at the top: phishing e-mail headers are faked. The “From:” field may say “PayPal Fraud Department,” but if you look at the complete headers of the e-mail message (most e-mail programs allow you to do so), you will see that it came from somewhere completely different. The “Received:” headers, which each mail server along the way adds as it handles the message, often offer the most incriminating evidence that the message came from someplace other than where it claims.
Next, phishing e-mail is seldom personalized. So, instead of a salutation like “Dear Phil Jones,” the e-mail will begin “Dear eBay user,” or “Dear cardholder.” When phishing e-mail does employ a personalized greeting, it will often be a little off-kilter. For instance, if your credit card company is addressing you by your informal e-mail handle, something is wrong. The lack of a personalized salutation is often the first sign of trouble, so always pay attention to this.
Phish bait usually has an urgent tone, requiring immediate action on the victim’s part. The phish bait may claim you have only 24 hours to fix your account or claim your prize. An e-mail message with an urgent claim about a problem with your account is possible, but you should always think before you click.
Perhaps the best way to sniff out phishing is to independently verify the claims made about your account. Instead of clicking through the links provided in the e-mail message, open a new browser window and enter the URL of the website in question. Or, call the company on the phone. In other words, go in through the “front door” and access your account. If there is a real problem, you will be notified. On the other hand, if all is well in your account, the e-mail message is exposed as fake.
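The three tell-tale signs above (a sender domain that never appears in the Received: chain, an impersonal salutation, and deadline language) can be checked mechanically before anyone clicks. The script below is an added example written for this article, not code from the original or from any vendor it mentions. It parses two constructed messages (every domain and address is a documentation placeholder) and scores each one; the greeting and urgency word lists are illustrative assumptions, not a complete filter.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Two constructed messages (not real mail); all domains and addresses
# are documentation placeholders. The first imitates the phish bait the
# article describes, the second a routine notice from the same bank.
SAMPLE_PHISH = """\
Received: from open-relay.example.net (open-relay.example.net [198.51.100.77])
    by mx.victim-isp.example (Postfix) with ESMTP id 7F2A1
    for <phil@victim-isp.example>; Mon, 10 Jan 2005 09:12:31 -0500
From: "Example Bank Fraud Department" <fraud@example-bank.com>
To: phil@victim-isp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain

Dear cardholder,

We could not verify your account information. You must confirm your
details within 24 hours or your account will be suspended.
"""

SAMPLE_LEGIT = """\
Received: from mail.example-bank.com (mail.example-bank.com [203.0.113.5])
    by mx.victim-isp.example (Postfix) with ESMTP id 9C4B2
    for <phil@victim-isp.example>; Mon, 10 Jan 2005 10:02:11 -0500
From: "Example Bank" <statements@example-bank.com>
To: phil@victim-isp.example
Subject: Your January statement is ready
Content-Type: text/plain

Dear Phil Jones,

Your January statement is available. Sign in the way you normally do
to view it. No action is required.
"""

# Illustrative word lists (assumptions for this example, not a full filter).
GENERIC_GREETING = re.compile(
    r"dear\s+(?:customer|cardholder|member|user|client|valued|"
    r"\w+\s+(?:user|customer|member|cardholder))\b")
URGENCY = [re.compile(p) for p in (
    r"\bwithin\s+\d+\s+hours?\b", r"\burgent\b", r"\bimmediately\b",
    r"\bsuspend(?:ed|sion)?\b", r"\bverify your account\b")]
HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^\s()\[\]]*)\s*\[([\d.]+)\])?")


def received_hops(msg):
    """Return (announced_name, recorded_name, recorded_ip) per Received:
    header, newest hop first. The announced name is whatever the sending
    host claimed; the name and address in parentheses were written by the
    receiving server and are the trustworthy part."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP.match(" ".join(str(raw).split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1).lower(), (m.group(2) or "").lower(),
                         m.group(3) or ""))
    return hops


def analyze(raw_message):
    """Score a message against the article's three tell-tale signs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    hops = received_hops(msg)
    names = [n for hop in hops for n in hop[:2] if n]
    # Sign 1: the From: domain never appears in the Received: chain.
    header_mismatch = bool(sender_domain) and not any(
        n == sender_domain or n.endswith("." + sender_domain) for n in names)
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part is not None else ""
    else:
        body = msg.get_content()
    first_line = next((l.strip() for l in body.splitlines() if l.strip()), "")
    # Sign 2: impersonal salutation such as "Dear cardholder".
    generic_greeting = GENERIC_GREETING.match(first_line.lower()) is not None
    # Sign 3: deadline or threat language in the subject or body.
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    urgent_tone = any(p.search(text) for p in URGENCY)
    return {
        "header_mismatch": header_mismatch,
        "generic_greeting": generic_greeting,
        "urgent_tone": urgent_tone,
        "origin_ip": hops[-1][2] if hops else "",  # earliest hop = origin
        "score": sum((header_mismatch, generic_greeting, urgent_tone)),
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

A real mail filter would weight these signs rather than count them, and would treat the address in square brackets (recorded by the receiving server) as the only part of a Received: line the sender cannot forge; the announced host name is chosen by whoever connected.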
More Phakery
A starving hacker can’t be expected to survive on phishing alone, which is where pharming comes in. Similar to phishing, pharming has a nasty little twist called “malware.” Malware is a small piece of software, similar to a virus, that gets surreptitiously installed on a victim’s computer through e-mail or unprotected web browsing. Malware runs in the background, waiting for the victim to browse to certain websites, especially large e-commerce sites.
When the victim enters the URL of the selected site, he or she is transparently redirected to a fake pharming site, which looks and behaves almost exactly like the real site. When the victim enters a username, password, or other sensitive information at the pharming site, the information is transmitted to identity thieves.
To keep from getting pharmed, pay attention to details. For instance, large e-commerce sites and online banking sites have “https,” instead of just “http,” in the URL, signifying that your connection to the site is encrypted and that the server has presented a certificate for that site. Also, check to see that all parts of the website (like search or help tools) are working properly. If you suspect that you are being redirected to a phony site, use another computer to access the site and independently verify reported problems with your account.
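The redirect described above can be checked for on the victim’s own machine. The script below is an added example, not code from the original article. It assumes that the malware performs the redirect by adding entries to the local hosts file, one common mechanism that the article does not name; it reads a constructed hosts file (the 198.51.100.x address is a documentation range standing in for a pharming server), reports any watched site pinned to a non-loopback address, and applies the “look for https” rule to a URL. The watched-domain list is a placeholder assumption.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed hosts-file content, not taken from any real machine.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.example-bank.com   # placeholder pharming entry
198.51.100.23   example-bank.com
192.168.1.10    printer.lan
"""

# Sites the user expects to reach through DNS, never through a local
# hosts entry (placeholder list; a real check would hold the banks and
# shops the user actually visits).
WATCHED_DOMAINS = ("example-bank.com", "shop.example")


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_host_entries(text, watched=WATCHED_DOMAINS):
    """Return entries that pin a watched domain to anything other than a
    loopback address, which is what a hosts-file redirect looks like."""
    hits = []
    for addr_text, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            hits.append((addr_text, name))  # unparsable address: flag it too
            continue
        if not addr.is_loopback:
            hits.append((addr_text, name))
    return hits


def is_secure_url(url):
    """The article's 'look for https' check: True only for an https URL
    that names a host."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


if __name__ == "__main__":
    for addr, name in suspicious_host_entries(SAMPLE_HOSTS):
        print(f"hosts file sends {name} to {addr}")
    for url in ("https://www.example-bank.com/login",
                "http://www.example-bank.com/login"):
        print(url, "secure" if is_secure_url(url) else "NOT https")
```

On a real machine the text would be read from /etc/hosts (or the Windows equivalent) rather than embedded, and a hit means the name should be resolved from a different, trusted computer before any account details are typed in.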
More Dos and Don’ts
There is never a good reason to use an e-mail message to access an online account, so get in the habit of avoiding it, even if you know an e-mail message or link is legitimate. Verify all e-mail claims externally before giving away any important information.
Always be familiar with the procedures of your e-commerce sites and online retailers. For example, PayPal’s website and e-mail messages are replete with reminders that PayPal never asks you for personal information in e-mail. The more familiar you are with your online banks or e-commerce sites, the better your chances of seeing through scams.
It takes a few extra minutes, but always consider reporting phishing attacks. The best way to report phishing attacks is to notify the company involved. Some websites have a standard “abuse” or “spoof” e-mail address for reporting fraud (e.g., reports about fake PayPal e-mail can be sent to spoof@paypal.com). Search the security or privacy sections of the website for details.
Some phishing and pharming attacks can be screened out altogether with adequate virus and spam protection. Because phishing e-mail messages have faked headers and come from open relays, they are usually fairly easy for spam filters to snag. And because the malware used in pharming is virus-like, it can be detected by virus protection.
As with most Internet threats, overlapping and complementary layers of protection are the best defense. User education, operating system updates, virus coverage, spyware protection, spam filtering, password security, a strong firewall, and overall server security should be used in concert to protect against Internet threats. If you’re not sure what your security picture looks like, contact Iodynamics for a security assessment.