Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Internet Attackers on Phishing Expeditions

    By
    Larry Seltzer
    -
    December 1, 2003
    Share
    Facebook
    Twitter
    Linkedin

      As I said in my 2004 Outlook column, our e-mail accounts are now filled with some recent advances in the field of “phishing.” If you havent been paying attention, the term refers to a particular type of Internet scam in which a user is tricked into giving up personal information, like bank account information.

      According to Wordspy, the term phishing comes from the fact that attackers are “fishing” for data. Why “ph”? Wordspy says something about using sophisticated techniques. If thats where it comes from, its a pretty lame etymology. According to an FTC advisory on the problem, the technique is also known as “carding.” The FTC alert has some good guidelines for non-technical consumers.

      /zimages/4/28571.gifCheck out eWEEK Labs Tech Outlook 2004: A Look Ahead at Security for more views on the future of security.

      In the past, phishing attacks usually appeared as e-mail from some legitimate company; Citibank and PayPal are frequent targets, for example. The e-mail usually says something to the effect that the company is reverifying account information and needs you to re-enter it. The e-mail will either have a link to a similarly fraudulent Web site or perhaps an HTML form directly in it.

      Plenty of people fall for these e-mails, even though its not hard for a more-sophisticated user to see right through them. I found it easy to tell that the Citibank e-mail about my account was phony since Im not a Citibank customer. However, many people who receive such e-mails must assume that some mistake was made and chalk it up to mega-corporate incompetence.

      Ive received many such messages myself, and in almost every case by the time Ive received the e-mail, the corresponding Web site is already down. Thats because the big companies that are targeted by these attacks are pretty good at contacting (threatening) the hosts of the offending pages and persuading them take the page down.

      At the same time, there are a few things you can look at for guidance if you suspect youre being phished. The first thing to look for is if the message asks you to send personal information directly in e-mail. This is a really bad idea, although its not actually proof that the requestor is a scammer.

      I once had a hosting account at Hostway and contacted technical support. The support person actually asked me in e-mail for my username and password. That was the moment that I decided to take my hosting business elsewhere.

      If the message doesnt come from an address at the company it supposedly represents, thats also suspicious, but not dispositive. Sometimes real companies will hire third parties to send out bulk mailings for them. There are good ways and bad ways to handle this of course, but it means you have to dig a little deeper.

      Next: How to pick out the phish.

      Page Two

      If youre resourceful enough to look at the source code of an HTML message (the command can be found under the View menu in your browser), look at the links in the message itself. (These may be in a regular A HREF tag, or handled by JavaScript in an onclick handler, or perhaps in a FORM ACTION clause.)

      If the domain in the link is not clearly for the right company, treat the message as suspicious. If the domain uses HTTP obfuscation tricks like decimal IP addresses, hex characters or an @ symbol (which redirects the domain to the last one in the URL), then its almost certainly a scammer.

      For example, the URL http://3479379682 is the equivalent of www.2600.org. For a technical explanation of some of this, see the How to Obscure Any URL page at PCHelp.

      Now, Id like to be able to tell you that you can just click on links to see where they go, but this isnt a great idea. Its possible for a Web page to contain malicious code that can attack a weakness in Internet Explorer, and you wont know where you are going until you get there.

      Of course you can mitigate this risk considerably by keeping your browser up to date and running personal firewall software, but you cant eliminate the risk. If the link in an e-mail is at all suspicious, try to prescreen the link before following it.

      The Mimail worm, the latest major phishing attack, took a giant step forward in sophistication by blending its phishing attack with a mail worm application. The “link” in the Mimail e-mail was actually an executable that asked the viewer for personal and credit card information in an official-looking interface, with the added capability of being able to spread itself through the usual worm-spreading techniques.

      Mimail strikes me as a real wave of the future. Its a classic example of the threat “blending” that malware experts have spoken of for years. Luckily, since its an executable attachment, its easily blocked with any relatively modern version of Outlook or Outlook Express and probably by any antivirus program.

      I have received a few Mimails myself. The messages came from Do_Not_Reply@paypal.com, showing that the senders are clever enough to try to look legit. The subject line contained the red flag of spam: random characters after a long string of blanks. In this case it read: “IMPORTANT onxoamaa”. The attachment was named www.paypal.com.pif. If Outlook hadnt blocked the attachment, my antivirus software probably would have.

      Many anti-spam vendors are jumping on the antiphishing bandwagon. Brightmails Anti-Fraud service leverages the companys significant amount of e-mail filtering to uncover fraudulent uses of identities in e-mail. It looks for such uses, notifies the company named as the source of the message and then filters against the fraudulent use.

      We can expect other antispam companies to enter this business. Still, large companies such as Brightmail, especially ones that filter both business and Internet service-provider mail, will have a big advantage because of the reach of their coverage.

      Phishing is one of those sad developments in the Internet that make anyone turn paranoid. I recently received an e-mail apparently from E-ZPass, a system for using transponders on cars to automate the collection of tolls, which is particularly handy here in the Northeast U.S. The message, like others before it, notified me that my monthly statement was available and provided a link for it.

      In the past that these messages came from an address at Chase.com (as in Chase, the bank). In this case though, the message came from postmaster@ezpass.acsonline.com and its link was to https://63.87.171.246/index.asp?rid=1234567 (Ive changed the last number in the URL). Because the URL is an IP address, its not possible to verify that the certificate at the address is valid or matches the site.

      I went to some effort to verify this one, because even if it was completely valid it betrayed some atrociously bad practices on the part of E-ZPass or its contractors. Calling up E-ZPass wasnt a practical option; as a customer, I know that the least call involves waiting a minimum of 30 minutes on hold. But I did confirm that the ACSonline address is probably legit, since E-ZPass appears to hold the registration rights for Ezpass.com. However, it appears that the company is just sloppy about handling identity and site security—no surprise to people of New Jersey.

      The real lesson of this E-ZPass debacle is that its not always easy to distinguish frauds from sloppy, but legitimate business e-mails.

      This is a really bad situation, since most people are in no position to evaluate the many possibilities and doing so would take more time than most people are willing to spend. This is why mass-phishing will be the hot threat of 2004.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      More from Larry Seltzer

      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×