There’s more of your money to take; and the crooks are using more technology to take it.
eBay and PayPal phishing e-mails are becoming more and more prevalent. And now the dirty little crooks are no longer relying on e-mail alone to get you to cough up your dough. Some criminals have learned that we’re becoming more cautious about these e-mails – so they’re setting up fake call centers so that you phone in and give your personal information after you receive the e-mail.

Phishing schemes often start with misleading spam urging people to visit a fraudulent website designed to mimic a real business website (such as eBay or PayPal). Once unsuspecting people go to the site they’re asked to give personal information – or are loaded up with spyware, such as programs that track and log your keystrokes.
According to Symantec's latest Internet Security Threat Report, there were 7.92 million phishing attempts per day during the second half of 2005, compared with the 5.7 million attempts per day it reported for the first half of 2005. And the attacks are becoming sneakier and more sinister.
Criminals Increasingly Blend IT Threats is an interesting read from eWeek: “As businesses and home users have become increasingly savvy about traditional threats delivered via e-mail attachments, criminals are finding new ways to lure end users to consume their attacks, according to the report. Researchers specifically cited a growth in the number of threats that use spam e-mail messages or IMs to distribute links to Web sites where malware or spyware is secretly downloaded to end users' computers.”
One of the keys to identifying a phisher is looking at the URL that asks you to update your information. For example, rather than sending you to the real PayPal URL www.paypal.com, a phisher would have you go to a dummy site with a similar-looking URL (e.g. paypal.palpay.com, where “paypal” is just a subdomain of someone else’s domain). Now, one crook even used a URL hosted on PayPal's legitimate site that had been altered by cyber-criminals using a “so-called cross-site scripting attack.” Little bastards!
Here are some tips from MailFrontier (Top Ten Tips for Finding a Phish) to avoid being scammed:
- Know thyself: Know the online companies you deal with. When a suspect email arrives, remember: it could be fraud, it's definitely spam, and it is definitely not for you. Delete it.
- Subject matters: Consider the subject line of an email carefully. Citibank will never send you an email headed “_Citiibank_account_update ACT-N0W”. These messages may get through spam filters because they appear to come from a reputable source, but that doesn’t mean it’s really from Citibank.
- Learn the language: Understand how the companies you deal with want to interact with you. For example, banks usually want you to access your account through their website, not an email link. “Phishing” emails stand out because they don’t follow the rules.
- Browsing around: Practice safe browsing. Open a new browser window each time you log on to a web site that displays personal information. When you are done at that site, log out and close that browser window.
- Spelling counts: Be sure to read emails that say they are from companies you know. Sometimes a real email will have a spelling or grammatical error, but anything more than one error is suspicious.
- Mousing around: Scroll over the links in emails you receive and check them. In some email systems, you can scroll over the different links in an email and see the actual contents of the link. If the email says PayPal, but the link content says “www.paipall.com”, be careful. And note: URLs can be disguised—so don’t take a suspect link at face value.
- All form, no function: Never enter your personal or credit information into a form in an email. If you feel the email is legitimate, call the company or visit their web site and log in to provide the requested information.
- It’s personal: Expect good customer service. Unless your name is “eBay User” or “johndoe99”, most “phishing” emails are not personalized. If you receive a “Dear Customer” email, it may be time to move on.
- Make a statement: Read your statements – every one, every month to ensure your charges and debits are correct. Often information obtained through phishing is not used right away. Stay vigilant and report any suspicious activity immediately.
- Stay current: Use and maintain your email protection software for spam blocking, fraud blocking, and anti-virus. If you have any questions, there are many fine web sites which can provide the latest information on the latest virus, “phishing” attack, or on-line scam.