Phishing for Dollars
September 29, 2006
Summary
Learn how to spot a phishing expedition - many people don't realize just how easy it is to get hooked.
By Linda McCarthy
Architect, Office of the CTO
Introduction
In May 2006, 14-year-old Takumi of Nagoya, Japan, became the first Japanese minor charged with the Internet crime of phishing. Takumi tricked users into divulging personal information by creating a website that he disguised as a popular Internet gaming site. Using this ploy, Takumi stole the identities of 94 people. He even tried to blackmail teenage girls from whom he’d stolen personal information into sending him naked photos as well.

Obviously Takumi wasn’t the brightest fisherman in the sea. He was also far from the first teen to fall prey to his own bait. A U.S. teen with more of a penchant for cash than photos was caught on his own phishing line in July 2003. Seventeen-year-old Michael used spam emails and a fake AOL web page to trick people out of credit card information that he used to steal thousands of dollars. While his plan was incredibly ill-advised, Michael himself was incredibly lucky when prosecutors agreed to a return of the stolen funds instead of serious jail time. Today, it’s very unlikely a deal that generous would be accepted. Since 2003, we’ve learned just how devastating and costly Internet crime can be.
Given the antics of Takumi and Michael, you’re probably wondering what an experienced adult criminal could do! You’ll be surprised. This article discusses phishing scams in detail and provides a pretty good overview of what the professional criminals can do. More importantly, it tells you how to spot a phishing expedition - you may not know just how easy it is to get hooked.
What is Phishing?
As I said earlier, phishing (pronounced “fishing”) is just what it sounds like—con artists fishing for information. In computer terms, a phishing attack generally begins with a spoofed email, one whose sender address is forged so that it appears to come from a company you know and trust and possibly already do business with. The email claims there’s a problem with your account, warns of potentially fraudulent use or charges, or simply asks you to verify your information to help them protect you. That’s actually a nice bit of social engineering—the con artist offering to protect you from security risks.

Here is a good example of a well-known phishing attempt, the PayPal scam:
Dear PayPal Customer,
We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you will now be taken through a series of identity verification pages.
Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause. Please confirm your account ownership by entering the information in one of the sections below.
Please Visit https://www.paypal.com/cgi-bin/webscr?cmd=_login-run and take a moment to confirm your account. To avoid service interruption we require that you confirm your account as soon as possible. Your account will be updated in our system and you may continue using PayPal services without any interruptions.
If you fail to update your account, it will be flagged with restricted status.
Thank you,
The Paypal Staff
Thanks for using PayPal!
-------------------------------------------------------
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at https://www.paypal.com/cgi-bin/webscr?cmd=_login-run Protect yourself against fraudulent websites by checking the URL/Address bar every time you log in.
If you’ve used the Internet to buy anything at auction, you’re no doubt familiar with PayPal. PayPal is the online service that most people use to pay for items that they purchase on sites such as eBay. While it’s not technically a bank, PayPal functions very much like one, allowing you to transfer money easily to any other PayPal user by simply sending an email message. Those transfers are possible because when you (or your parents) set up your PayPal account, that account was linked to an actual bank account or to a credit card.
Online shoppers like PayPal because it feels safer than handing out credit card numbers to perfect strangers. So what’s the problem? In recent years, PayPal has also become a major target for hackers and phishers. And it’s not alone. While we’ve talked about denial-of-service (DoS) attacks and worms aimed at taking out commercial websites, the biggest problem to hit most of the big online players—PayPal, eBay, Amazon, etc.—in recent years really hasn’t been security issues on their sites. The biggest problem has been phishers scamming financial details from their customers.
If you’ve used PayPal to purchase an auction item, you’ve probably already been hit by this scam. Even if you don’t have a PayPal account, you’ve probably been hit by this scam. That’s because phishers are a lot like spammers. They go for quantity, not quality. Since PayPal has over 78 million users operating in 56 countries, chances are that a good percentage of email addresses that phishers spam are going to actually be PayPal customers. Do they bother to check? No. This may also explain why your parents may have gotten requests to “update information” for credit cards they don’t actually hold. Phishers, like spammers, are just playing the numbers. If even a small percentage of consumers take the bait, they clean up.
You’ll notice that our sample PayPal scam email asks you to visit a specific web page, https://www.paypal.com/cgi-bin/webscr?cmd=_login-run. This is a common component of any phishing attempt, the embedded link. At some point, the phishing emails all ask you to click the link provided to log into your account and update or verify your account information. The problem, of course, is that the link doesn’t take you to your actual account. In an HTML email the text you can read and the address the link actually opens are two separate things: the visible text can spell out the genuine PayPal address, as it does above, while the underlying link points at a server the con artist controls. Instead of your account, it routes you to a fake screen—often a series of fake screens—that have the same look and feel as the actual company’s site.
If you follow the link, anything that you type from that point forward is sent directly to the con artist responsible for the phishing attempt. If you enter a user name and password, you’re giving that con artist everything he needs to impersonate you on that site. When the phishing target is a bank or bank-like account such as PayPal, you’re giving the criminal all the details he needs to literally empty your accounts. If you enter credit card information, you should expect some unexpected charges to follow shortly. You may even be providing all the data that the crook needs to successfully steal your identity. If that happens, new charges on your accounts may be the least of your worries. A savvy thief could open countless NEW charge cards in your name, littering your credit report with unpaid accounts that could destroy your financial history almost before you’ve had a chance to even acquire one.
Keep in mind that email isn’t the only method used for phishing. The basic phishing scam actually predates computers by many decades. The big change here is that computers make it easier for the con artists to hide. Because emails are often created using spoofed addresses and fake routing information, they are difficult to trace.
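The two tells just described, a link whose visible text and real destination disagree (the embedded link in the sample above) and sender headers that have been spoofed, can both be checked mechanically on a raw message. The Python below is an added example written for this page; it is not code from the book or its author. Both messages it inspects are constructed for the example: every hostname, address and URL in them is invented (the `.example` domains are placeholders), and the `registrable_domain` helper is a deliberate two-label simplification of what a real filter would do with a public suffix list.

```python
"""Added example (not from the article): flag two phishing tells in a raw
e-mail -- a link whose visible text names the real site while its href
goes elsewhere, and From/Return-Path/Received headers that disagree.
Both messages below are constructed; every host, address and URL is made up."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample, not a real capture.
PHISH_EMAIL = """\
Return-Path: <bounce@mail-update-center.example>
Received: from mx.mail-update-center.example ([203.0.113.7])
    by inbound.mail.example.net with SMTP; Fri, 29 Sep 2006 10:12:00 +0000
From: "PayPal" <service@paypal.com>
Subject: Please confirm your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear PayPal Customer,</p><p>Please Visit
<a href="http://paypal.com.account-verify.mail-update-center.example/cgi-bin/webscr?cmd=_login-run">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
and take a moment to confirm your account.</p></body></html>
"""

# Constructed legitimate-looking sample: link text and href agree, headers agree.
LEGIT_EMAIL = """\
Return-Path: <bounces@paypal.com>
Received: from mx1.paypal.com ([198.51.100.9])
    by inbound.mail.example.net with SMTP; Fri, 29 Sep 2006 10:15:00 +0000
From: "PayPal" <service@paypal.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>See your history at
<a href="https://www.paypal.com/">https://www.paypal.com/</a>.</p></body></html>
"""

def registrable_domain(host):
    """Last two labels ('www.paypal.com' -> 'paypal.com'); crude on purpose."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def looks_like_url(text):
    """True when the anchor text itself reads as an address a user would trust."""
    t = text.strip().lower()
    return " " not in t and ("://" in t or t.startswith("www."))

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Links whose visible text is a URL on one site but whose href lands elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # 'click here' style text makes no claim about the destination
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            bad.append((text, href))
    return bad

def sender_inconsistencies(msg):
    """Return-Path and Received 'from' hosts whose domain differs from From:."""
    from_dom = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    rp_dom = registrable_domain(parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2])
    issues = [("Return-Path", rp_dom)] if rp_dom and rp_dom != from_dom else []
    for received in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", str(received))
        if m and registrable_domain(m.group(1)) != from_dom:
            issues.append(("Received", registrable_domain(m.group(1))))
    return from_dom, issues

def analyze(raw):
    """Parse a raw message and return both kinds of findings."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom, issues = sender_inconsistencies(msg)
    return {"from_domain": from_dom, "sender_issues": issues,
            "bad_links": mismatched_links(msg.get_content())}
```

`analyze(PHISH_EMAIL)` reports that the Return-Path and the handing-off host in Received both belong to mail-update-center.example while From: claims paypal.com, and that the one anchor whose text reads www.paypal.com really points at mail-update-center.example; `analyze(LEGIT_EMAIL)` reports nothing. A production filter does the same comparisons with a proper public suffix list rather than the two-label shortcut used here.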
This article was excerpted from Linda McCarthy’s new book called Own Your Space: Keep Yourself and Your Stuff Safe Online.