
By Michael Brown
If you’ve ever received an e-mail from PayPal, eBay, or a financial institution in which the sender asks you to log onto a website to confirm your online user ID and password, you’ve witnessed the handiwork of an Internet con artist.
These types of fraudulent e-mails are classified as “phishing” schemes, because crooks chum the waters with millions of pieces of spam, hoping a few fish will swallow the bait. The problem occurs when you click what you assume to be a legitimate link in the e-mail. Sure, it says “www.ebay.com,” but the HTML code within the message masks the true destination: a criminal website hosted who-knows-where with the sole purpose of stealing your identity.
Pharming exploits often go hand-in-glove with phishing schemes, but the former can be much more difficult to identify—and thus far more effective. One of the most sinister pharming techniques exploits the vulnerability of the Internet’s domain name system (DNS). The DNS translates web and e-mail addresses into a unique IP address. If a hacker manages to “poison” a DNS directory—altering it so that a familiar URL becomes associated with a string of numbers pointing to a fraudulent website—he can funnel thousands of unwitting victims into his clutches, even though the victims typed the correct URL into their browser.
Trojans are yet another insidious threat that can make pharming easier for hackers. The Banker trojan, for example, accomplishes the same goal as DNS poisoning by rewriting your PC’s local host file. Because your web browser checks your local host file first—and the data in the local host file overrides the information contained in the DNS servers—a thief can direct you to a fake website and snatch your bank login, and you might not even know it until it’s too late.
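The hosts-file override described above can be audited from the defender's side. The following added example (not from the article) parses hosts-file text and flags any entry that pins a real-looking name, or one of an assumed watch list of banking and auction sites, to a non-loopback address; the sample file contents are constructed.

```python
import ipaddress

# Assumed watch list of sites a user cares about; not from the article.
WATCHED = {"www.paypal.com", "www.ebay.com", "online.examplebank.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def suspicious_hosts_entries(text, watched=WATCHED):
    """Return (ip, name, reason) for entries that bypass DNS for a watched
    or external-looking name by pinning it to a non-loopback address."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            continue  # ordinary localhost-style entries are fine
        if name in watched:
            hits.append((ip, name, "watched site"))
        elif name != "localhost" and "." in name:
            hits.append((ip, name, "external name"))
    return hits


# Constructed sample hosts file: two normal lines and one hijacking line.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.7 www.paypal.com www.ebay.com   # points a bank and an auction site elsewhere
"""

if __name__ == "__main__":
    for ip, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip} ({reason})")
```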
Be it phishing or pharming, the intent is to trick you into revealing your login ID and password, or to install spyware on your PC that’s capable of stealing even more sensitive information. But you’re not defenseless. The key is to practice safe surfing and to remain ever vigilant.
TIP 1: DON'T ASK, DON'T TELL: Here’s one absolutely simple way to protect yourself from phishing schemes: Never, ever, ever respond to an e-mail query from a financial institution, auction site, or anyone else asking you to confirm your identity on a website. Legitimate organizations will never ask for this information via e-mail, so you should never reveal it.
TIP 2: KNOW YOUR SOURCE: If you’re not a customer of the financial institution or other company that’s pinging you for information, immediately delete the e-mail. Hackers cast a wide net in the hope of catching a few victims.
TIP 3: RESIST THE URGE: Never click the hyperlinks contained in an e-mail, even if the correspondence looks perfectly legit; for that matter, even if the correspondence is legit. It’s a habit you need to get into, because masking the URLs embedded in HTML code is child’s play for a hacker or other malcontent. Type the URL into your browser, instead, and then bookmark the site for future reference.
TIP 4: FAKE LEFT: One way to reduce the chances of being taken in by a fraudulent website is to first provide a password you know to be false. If the site accepts the bogus password, you know there’s something amiss.
TIP 5: USE PROTECTION: Malcontents exploit browser vulnerabilities and use viruses to get your data. Keep your web browser and your antivirus software’s virus definitions up to date at all times. Most virus software has an auto-update feature for this purpose. If you’re using Firefox, you can configure it to check for updates either automatically or on demand: Click Tools, then Options, and then choose Advanced and scroll down to Software Update. To update Internet Explorer, click Tools, then Windows Update, and follow the directions on Microsoft’s Windows Update website.
IF YOU GET HOOKED: As with all other criminal activities, phishing and pharming schemes will likely be around as long as there are Internet users to victimize. Fortunately, it’s relatively easy to keep yourself out of harm’s way. And if you’re ever defrauded by a scam artist, you can minimize the damage by acting quickly.
If you suspect you might have inadvertently given away your login and password to a service or financial institution, contact the company quickly and inform them you were the victim of fraud—and change that password anywhere else you might have used it (although you shouldn’t be using the same password in more than one place anyway).
If you’ve surrendered personal information—credit-card info or your Social Security number, for example—ask the three major credit bureaus (Equifax, Experian, and Trans Union) to place fraud alerts on your credit file. Close any accounts you know or suspect have been tampered with. Report the incident to your local police department, complete with an ID Theft Affidavit, and file a complaint with the Federal Trade Commission. The FTC maintains a database of identity-theft cases—Consumer Sentinel—that law-enforcement agencies in the U.S., Canada, and Australia use in their investigations.
If phishing and pharming schemes can’t be eliminated, we can at least make things more difficult and costly for the cretins who orchestrate them.