
admin on March 4th, 2009

I took note of a local article this week that referenced phishing as “fishing”. I figure it was a spell checker that caught it, but still it made me wonder if average folks still don’t understand what “phishing” is.

The FTC and other US government agencies sponsor and operate the website OnGuardOnline.gov which “provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.”

On phishing, they provide some great educational information and tips - explaining phishing as:

Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims.

For a more comprehensive break down, check Wikipedia.

Better yet, here is Phishing Explained in Three Minutes by CommonCraft:

UPDATE: I learned of one more great tutorial on phishing scams by PayPal through an email they sent today - totally worth checking out!

Surely you’ve seen these messages. I had a great example land in my inbox this week, so I thought I’d quickly demo it here.

First, you can see it in my “Deleted” folder after I did some routine purging of email in my Return Path account. A few things to point out: sorted by “Sender”, you can see I have a bunch of legitimate Facebook notices, from the bona fide Facebook corporation.

But I also have this additional notice from the “Facebook Upgrade Center”. It looks totally legit alongside the other Facebook messages in my inbox. Note the From: address is info@facebook.com. This is called spoofing, and it is an inherent problem with email on the Internet: SMTP does nothing to check that the address in the From: header belongs to whoever actually sent the message, so a scammer can type any sender they like. It is the reason that add-on “email authentication” protocols such as SPF and DKIM exist. SPF lets a domain publish which mail servers are allowed to send using its return address, and DKIM lets the sender sign the message so the receiving ISP can verify which domain it really came from; together they give legitimate senders, like the bona fide Facebook, a way for ISPs to validate the addresses that spammers like to forge. One caveat: authentication proves who sent the mail, not that the sender is trustworthy, so a phisher who registers a look-alike domain can authenticate it perfectly well. Email authentication is its own topic and there are tons of resources, but I’ll tackle that in a later post. For the most part just realize that legitimate senders are using it to help ISPs identify them as the good guys and not scammers.

So, the From: line is spoofed, and most studies of how consumers triage email show that users decide between spam and mail they want by assessing the From: line first and the Subject: line second. In this case both are believable as legitimate.

It is always good to be suspicious, and one way to protect yourself is to scrutinize the website links in email. In this message, you can see the URL of the included link starts out with “http://login.facebook...”, so at a glance it seems fine, but it continues with “...default.videomessageid-vrblqkto9.sessionnewid83.com”.

The most important part of a web link, for working out who actually operates the site, is the domain, and the way to read it is from right to left. Start at the Top Level Domain (.com, .net, .org or whatever is in the link) and work leftward: the label just before the TLD is the name someone registered, and everything further left is a subdomain that the registrant can set to anything at all, including “login.facebook”. Read that way, the link above lands on sessionnewid83.com, which Facebook almost certainly does not operate. Throwaway domains like this are often the product of “domain tasting”: registrars allowed a short “add grace period” (five days at the time) during which a newly registered name could be dropped for a full refund, so identity thieves would register names cheaply, use them for spam and phishing during the grace period, and then get their money back. So not only do they abuse the domain but they don’t even pay for it! Registrars are being pushed to fix this problem; friend John Levine has posted details on that here.
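To make the two checks above concrete, here is a small added example (my own code, not from the original post or from any mail provider) that does what a careful reader does by hand: it takes the domain from the spoofable From: address, pulls every link out of the body, reads each link’s hostname right to left down to the registered domain, and flags links whose registered domain does not match the sender’s. The sample message is constructed for this demo (the hostname is modelled on the link shown above, with the abbreviated middle made up), and the tiny suffix table stands in for the real Public Suffix List, which a production checker should load instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message modelled on the Facebook phish described in the post.
# Headers and body are made up for this demo; the first link is the suspicious one.
SAMPLE_EMAIL = """\
From: Facebook Upgrade Center <info@facebook.com>
To: victim@example.com
Subject: You have 1 new video message
Content-Type: text/plain

A friend sent you a video message. View it here:
http://login.facebook.default.videomessageid-vrblqkto9.sessionnewid83.com/view
Manage notifications: http://www.facebook.com/settings
"""

# Assumption: a stand-in for the Public Suffix List (publicsuffix.org). A real
# checker loads the full list; this subset is enough to show multi-label suffixes.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host):
    """Walk the hostname right to left and return the name a registrar actually
    sold: the public suffix plus one more label (e.g. 'sessionnewid83.com').
    Everything left of that is a subdomain the registrant controls."""
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return host  # raw IP address: nothing was registered, flag it as itself
    labels = host.split(".")
    # Try the longest candidate suffix first so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # a bare suffix is not a registrable domain
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_hosts(body):
    """Return (url, hostname) for every http(s) URL in the body.
    urlsplit() handles the 'user@host' trick: http://www.facebook.com@evil.com
    has the hostname evil.com, not facebook.com."""
    found = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            found.append((url, host))
    return found


def suspicious_links(raw_email):
    """Flag links whose registered domain differs from the From: address's domain.
    Returns a list of (url, registrable_domain_of_link)."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2]) if "@" in sender else None
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    flagged = []
    for url, host in link_hosts(body):
        link_domain = registrable_domain(host)
        if link_domain != sender_domain:
            flagged.append((url, link_domain))
    return flagged


if __name__ == "__main__":
    for url, domain in suspicious_links(SAMPLE_EMAIL):
        print(f"suspicious: {url}\n  registered domain is {domain}, not the sender's")
```

On the sample message the facebook.com settings link passes and the sessionnewid83.com link is flagged. Note that because From: is spoofable, a match only tells you the link is consistent with the claimed sender; the check is a cheap first filter, not proof of legitimacy.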

Okay, now the thing is, it is best not to click these links at all. The landing page can carry rogue code that tries to infect your computer the moment it loads, before you have typed a single thing. But if you don’t notice these small details, or aren’t paying attention, you click, and that’s why phishing works!

The good news is that, today, the major browsers, including Firefox and Internet Explorer, all have built-in phishing filters that check the address you click against a list of reported phishing sites. In my case, with Firefox, I click the link and here is what I get:

Phew! Thanks, Firefox! I’ve known about phishing filters in browsers for a while, but this was the first time I’ve seen a phishing filter trigger live for me on a click. You can read more about these browsers’ phishing filter capabilities here:

Internet Explorer Phishing Filter
Firefox Phishing and Malware Protection

So, always scrutinize your email, pay attention to links, and make sure you are upgraded and protected with the latest browser technology. It is just too easy to be a bad guy these days, but the good guys continue to fight back.
