They're Phishing Your Identity Online

In this e-report you will:

  • Learn about phishing
  • Find out how you can become a victim of phishing
  • Learn how to recognize a phishing e-mail
  • Learn how not to become a victim
  • Learn how to protect yourself from the phishers
  • Get resources for your education
  • Learn what to do if you've been a victim of an Identity Theft

Dear friend,

On Thanksgiving day my computer got hit by the worst virus ever. For three full days I tried to
remove the virus, but without any luck. Finally I had to give my computer to a technician to
reformat the hard drive and try to save as many files as possible.

The most amazing thing was that there was obviously nothing wrong with the computer.
Because I have a little bit of technical knowledge, I was able to spot the hacker controlling
my web browser.

Later, when I did research about this, I learned that I was a victim of "phishing." Hence, I
dedicated my time to dig up all the available resources to help you learn so you don't become
a victim. Or, if you've already been a victim of phishing, this report will help your recovery.

You can read the article I wrote about my awful experience with it by clicking on the link
below. It will open in a new window.

They're Phishing Your Identity Online

Learn about phishing

What is phishing?

Definition: Phishing is a term coined by hackers. It's a method used by hackers to obtain
your personal information for purposes of identity theft by using fraudulent e-mail messages
that appear to come from legitimate businesses. These e-mails are designed to fool you into
revealing your personal data such as account numbers, passwords, credit card numbers,
Social Security numbers and such.

Identity theft is the name of the game. Whose identity you might ask? YOURS.

In 1998, U.S. Congress passed the Identity Theft and Assumption Deterrence Act, which
made identity theft a federal crime subject to as many as 15 years in prison.

But it looks like the hackers are either not informed of it or they simply ignore it because
they've discovered ways to hide their own identity.

They mask their identities by using a wide array of computer servers, opening and closing their
operations quickly and working mostly outside the United States. All of this makes it more
difficult for U.S. law enforcement to catch up with them.

So identity theft continues to flourish despite the fact that it's a federal crime. And one
increasingly popular way of capturing personal data is phishing.

Phishing has gotten out of control, especially on the Internet. Message Labs, a security
company (http://www.messagelabs.com), reported that they intercepted more than 18
million phishing emails during the course of 2004, a trend that Message Labs expects to
continue in 2005.

"Email security attacks remain unabated in their persistence and ferocity," said Mark Sunner,
chief technology officer at MessageLabs.

Graham Cluley, senior technology consultant for Sophos (http://www.sophos.com), has
reported: "We are increasingly seeing organized criminals writing Trojan horses to monitor the
activity of innocent computer users. They wait for them to visit a legitimate banking Web site
before stealing their essential login information."

Several reports indicated that 5%, and even up to 20% of the "phished" individuals fall victim
to this scam.

Will you be the next victim or will you be prepared to protect yourself from it?

It is a relatively new phenomenon in the world of Internet scams and most anti-spam filters and
messaging security solutions are ineffective at stopping them.

Another reason is that phishing attacks are growing quite sophisticated and
difficult to detect, even for the most technical people.

Secunia (http://secunia.com), a vulnerability research company, has posted details of a
dangerous Internet Explorer (IE) flaw that allows phishers to spoof websites more
realistically than ever before.

The vulnerability is caused by a cross-site scripting vulnerability in the DHTML Edit ActiveX
control.

Thomas Kristensen, chief technology officer for Secunia, said: "That is huge. When you
cross-site script a website, the user can’t see that anything unusual is happening. The URL looks like
it's a legitimate site and if you go to the SSL padlock, it will show a certificate for the site even
though it is controlled by malicious scripting."

While you think you're looking at a legitimate and a secure website, the malicious scripting
can control what is seen in the browser window. This is exactly what happened to me. You
can read about it in my article.

People still don't realize the significant impact of cross-site scripting. I've experienced it first
hand - unfortunately. This is the vulnerability that phishers and scammers have been looking
for.

Many people are getting on the Internet on a daily basis while some people are even using the
web browser for the first time. As a result, some people are going to continue to be fooled
into giving up their personal financial information in response to a phishing email or on
a phishing website.

Will you be one of the victims?

Message Labs reported that the perpetrators of phishing attacks have developed new methods
to increase their chances of stealing your personal information.

They said that recently phishing e-mails have been designed to capture online banking details
automatically when you open the email, rather than when you click on URL links within
the message. Phishers have also attempted to recruit unsuspecting users into becoming
middlemen for money laundering operations.

Your online identity is becoming more valuable as more and more day-to-day activities
take place on the Web: online banking, shopping online, doing business online, making
travel arrangements and such. Anyone who can steal your online identity will do so with
the intention of becoming you in order to carry out all kinds of fraudulent activities in
your name.

You may find out when a bill arrives in the mail for a credit card that you never
ordered. Or when a collection agency calls you about the unpaid balance of a
purchase you never made from a company you've never heard of.

Well, somebody did it in your name, without your permission and pretending it was you.

How can you become a victim of phishing?

The most dangerous of all is the vulnerability of your web browser.

Secunia Research has reported that the vulnerability, which affects most browsers, can be
exploited by a malicious website to "hi-jack" a named browser window, regardless of which
website is the true "owner" of the window. Please visit their website to get more information on
this issue: http://secunia.com

Depending on the level of the security settings of your web browser, malicious people can
conduct cross-site scripting attacks. They can execute script code in your browser session
in the context of an arbitrary site.

To explain this in less technical words, while doing your research online, you could visit a
malicious website that contains this malicious code in its HTML. And because of your web
browser vulnerability, all you need to do is visit the website. Yes. That's all it takes.

Once you click on this malicious website, the malicious script is downloaded to your hard
drive almost instantly through the ActiveX control zone in your web browser. That
malicious script then takes control of your browser and dictates your Internet activity. Again, I
fell victim to it and you can read about it in my article.


Another, and the most common, way to become a victim of phishing is through your e-mail.

The hacker will send you e-mails that claim to come from legitimate businesses that
you might have an account with -- banks such as Citibank; online organizations such as
eBay and PayPal; Internet service providers such as AOL, MSN, Yahoo and EarthLink;
online retailers such as Best Buy; and you name it.

Let me show you what these e-mails look like. I've had a free Yahoo e-mail for about 3 years
now. That e-mail address has been harvested by what seems like the whole world. Very
rarely would I get an e-mail from a person that I know. Most of it is viruses and unwanted
promotions.


Here's what the phishing e-mails look like.

[Screenshots: phishing e-mails in the Yahoo e-mail Bulk folder]

Usually phishing messages demand that you update your account data, which
can include credit card numbers, bank account numbers and such. The hacker then steals
that information and uses it to purchase goods or transfer funds out of your bank account.

But that's not always the case. As you can see above from my Yahoo e-mail Bulk Folder,
they'll say anything in the subject line to get your attention so you can open the e-mail or
download the attachment.

Also, they'll say anything in the e-mail, once you've opened it, to get you to go to their
bogus website so they can either download a malicious script on your hard drive or get you to
give them your information.

If the e-mail is in HTML format, they'll say anything in the subject line to get you to open the
e-mail so that the malicious script contained in the e-mail then downloads itself to your hard
drive.

Some of the most dangerous new attacks even involve employees being sent phishing
e-mails that appear to come from their employers.

So the e-mail can come from anybody - or the hacker will pretend to be anybody that you
may be related to or have dealings with in order to get you to open the e-mail.

Federal Trade Commission Chairman Timothy Muris has reported: "Phishing is a two time
scam. Phishers first steal a company's identity and then use it to victimize consumers by stealing
their credit identities."

Some of the e-mails may look quite real, featuring corporate logos and formats similar to the
ones used by the company that supposedly sent the e-mail.

Here are two examples from the e-mails above. One of them is claiming to be the Microsoft
Corporation that has included an attachment of the Current Network Security Patch, and the
other one is claiming to be PayPal asking me to update my account.

The reason I feel comfortable opening these e-mails is because after my bad experience that I
talk about in my article, I've installed 4 types of security software on my computer.

I'll talk about the ways to protect yourself toward the bottom of this report.


Phishing E-mails:

[Screenshots: the e-mail claiming to be from Microsoft and the e-mail claiming to be from PayPal]

How do you recognize a phishing e-mail?

A rule of thumb would be to make it a habit to always look at your browser window's
status bar before clicking on any kind of link. It will show you the destination URL without
you having to click on it. That way you'll know if the destination of the link is really what the
link says it is or instead it's aiming at a different planet in the universe.

Make sure you locate your status bar in your browser. In the Internet Explorer browser window,
the status bar is on the bottom.

Here's what the status bar showed for the "pretended" PayPal e-mail shown above when I
placed the pointer over the link that I was told to click on.

[Screenshot: the link I was told to click on to update my account, and, in the status bar, the
true destination of the link, presumably the hacker's website]

And here's the result I got when I scanned the attachment claiming to be a security patch sent
by Microsoft.

[Screenshot: scan result for the attachment]

If you cannot locate your browser window's status bar for one reason or another, place the
pointer over the link and click on the right mouse button. A small window will pop up.
Look for the option called "Properties." Click on "Properties" with the left mouse button.

The Properties window will show up giving you the true URL destination of the link.

[Screenshot: the Properties window]

Another way to recognize a phishing e-mail would be to look at the From: and To: fields of the
e-mail. A legitimate e-mail would be signed by the sender. It will either have the name of the
sender or the company that the e-mail has been sent by.

That is not the case with the e-mail above claiming to have been sent by Microsoft.

From: "MS Corporation Public Bulletin" <zvpispmpjhdgt@mpii.microsoft.com>
To: "Commercial Customer" <customer_kzgvuxf@mpii.microsoft.com>

Well, how did it end up in my Bulk folder when my e-mail address is not
customer_kzgvuxf@mpii.microsoft.com?

But sometimes this could be misleading. Don't solely depend on it. The hackers can
sometimes do a really good job of making it look like a legitimate e-mail.

In any case, once you become well informed and spend a day or so to read through the
resources I'm providing you with throughout this report, you'll be able to spot a phishing e-mail
without any problems.

Nevertheless, let's look at ways to avoid biting the hook.

How can you avoid the hook?

1. E-mail is not a 100% secure and reliable way of communication. Unless you're
absolutely confident and you have confirmed with the sender of the e-mail, never send
your personal information, such as ID, password, account number, credit card number,
Social Security number and such, by e-mail.

It doesn't matter who's asking you for it. The experienced hacker would do one hack of a job to
pretend to be someone that you have dealings with in order to steal your identity.


2. Keep in mind that legitimate companies don't operate this way. If you get an e-mail telling
you to update your account, always go to the company's website by manually typing the
web address in the address bar of your browser and log into your account from there instead
of from the link provided in the e-mail.

A hacker can easily make the link www.paypal.com look like www.paypaI.com. Instead of the
lowercase letter "L," I used the uppercase letter "i." When you copy and paste the red address
in the address bar of your browser with "Times New Roman" font, it will look like this:
www.paypaI.com.

But with the HTML code in your e-mail, they can link or redirect www.paypaI.com
(www.paypaI.com) to any of their phishing websites made to look exactly like the PayPal site
and make you think that you're really looking at the real PayPal website.


3. Never download any attachment or any kind of file from any website without first running it
through your antivirus software, even if the e-mail was sent by your loved one. The virus can
e-mail itself to anyone in the Address folder of the sender. So, while you may think your
loved one sent you an e-mail with an attachment, in reality, he or she never did.


4. You might be the best prey for the hacker if you have a poorly configured e-mail
program and no antivirus software. I'm talking about the e-mail programs that open the
e-mails without you physically clicking on them. You know, the ones with a split window. All
you need to do is scroll down through your e-mails with the up-down arrow keys on your
keyboard and you can see the content of the e-mail in the bottom window.

Some phishing e-mails contain malicious scripting meant to run automatically when you open
the e-mail. With your split window e-mail program and no antivirus software, you leave your
doors wide open for the phishers.

If you don't know how to reconfigure your e-mail program so it doesn't open the e-mails itself,
make sure you have the most updated antivirus software active at all times. Also, make sure
your e-mail software isn't doing anything crazy with attachments, like downloading them
automatically.

As a rule of thumb, don't open any e-mails that you know for sure are phishing e-mails.
Simply delete them.


5. Keep a close eye on your online and banking accounts regularly. Check in with your eBay,
PayPal and other such accounts periodically. And try to change your passwords on a regular
basis.


6. Be suspicious of any email urging you to give them your personal financial information.
Also, phishers usually include exciting (but false) statements in the subject of the e-mail as
well as the message, to get you to react immediately. That's because the phishers change
servers constantly so they don't get caught.

Chances are that if you don't respond to the phishing e-mail the same day, the server may not
be found any more even if you click on the fake link the day after. So if you're not sure about a
certain e-mail, just wait for a few days before clicking on the links provided in the e-mail.
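
The two checks described above, comparing the address a link displays with its true destination and
spotting a lookalike such as www.paypaI.com, can be automated for an HTML e-mail. The following
Python code is an added example, not part of the original report; the sample e-mail body, the
trusted-domain list and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: body of an HTML e-mail with three links.
SAMPLE_HTML = """
<p>Please update your account:</p>
<a href="http://203.0.113.7/update/">https://www.paypal.com/cgi-bin/login</a>
<a href="http://www.paypaI.com/">www.paypaI.com</a>
<a href="https://www.paypal.com/">PayPal home</a>
"""
TRUSTED = ["paypal.com"]  # assumption: domains the reader really deals with

# Characters that pass for one another in many fonts (capital I vs. lowercase L).
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.cur_href = None
        self.cur_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href = dict(attrs).get("href") or ""
            self.cur_text = []

    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.links.append((self.cur_href, "".join(self.cur_text).strip()))
            self.cur_href = None


def host_of(url):
    """Host part of a URL or bare domain, letter case kept as displayed."""
    if "://" not in url:
        url = "//" + url
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def is_lookalike(host, trusted_domain):
    """True if host is not the trusted domain but reads like it on screen."""
    if under(host.lower(), trusted_domain):
        return False
    skeleton = host.translate(CONFUSABLE).lower()
    return under(skeleton, trusted_domain.translate(CONFUSABLE).lower())


def audit_links(html, trusted):
    """Return (text, href, flags) per link; flags: 'mismatch', 'lookalike'."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        actual = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else ""
        flags = []
        if shown and shown.lower() != actual.lower():
            flags.append("mismatch")  # the status bar would show another host
        if any(is_lookalike(h, d) for h in (shown, actual) if h for d in trusted):
            flags.append("lookalike")
        report.append((text, href, flags))
    return report


if __name__ == "__main__":
    for text, href, flags in audit_links(SAMPLE_HTML, TRUSTED):
        print(f"{text!r} -> {href} {flags or 'ok'}")
```

The first sample link is flagged as a mismatch, the second as a lookalike, and the third passes.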

How can you protect yourself?

1. In regards to the vulnerability of your web browser, please visit Secunia at
http://secunia.com. They provide a solution for each browser. Just key in the browser name in
the search box located at the top right corner.

Here's the link for the Internet Explorer:
http://secunia.com/advisories/13482/

Secunia also provides a test that you can perform to check the vulnerability of your web
browser. Here's the link for the test of your Internet Explorer browser:
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/

Also, always check the website of the company providing the web browser you're using. They
will always have the latest patches for the potential problems that your browser may have.

Here's the link for the Internet Explorer:
http://www.microsoft.com/security/default.mspx

But please, don't fall for the "phishing" e-mail with the current security patch. Microsoft, and all
the other companies in that regard, don't send out software patches by e-mail, just like
financial companies don't send out e-mails with fake links for you to follow.


2. Secure your computer with a firewall at minimum. If you're surfing the Internet without
fully updated antivirus software or without a firewall, it's just a matter of days before you
become a victim of some kind of a virus.

Unfortunately, that is the reality.

After my bad experience with the phishing e-mail, I've installed a firewall in addition to the
Norton Antivirus software from http://www.symantec.com/index.htm, and in addition to the
deep registry scanner and Antispyware software from http://www.pctools.com.

So as a good general policy that will help keep your computer free of harmful viruses and
spyware, keep your antivirus and antispyware software up to date and active. Even if a
malicious script gets in your hard drive, you already have the protection to fight it.

When you do the math, the fee for keeping your antivirus software updated regularly
would be almost nothing compared to the damage that a virus may cause you.

About a week before I wrote this report, as I was doing my research on a particular key phrase
for another report, I did happen to click on a website which contained a malicious script in its
HTML.

A window from my Norton Antivirus popped up almost immediately with a notification that a
malicious PHP script was downloaded on my hard drive. Of course, the antivirus software
deleted it instantly.

Ever since I've installed the firewall, hackers who have somehow harvested my IP address
made quite a few attempts to download a Trojan Horse on my computer through one of the
ports. But my firewall notified me in all the instances that it stopped the Trojan Horse from
infecting my hard drive.

Report phishing e-mails

Forward copies of phishing e-mails you receive to reportphishing@antiphishing.com and
spam@uce.gov with the content of the e-mails intact so they can examine their source.

Also, forward the phishing e-mails to the company that the hacker is claiming to be so the
company is aware of this clown ruining their image.

If you have time, you might want to notify the Internet Fraud Complaint Center of the FBI by
filing a complaint on their website: www.ifccfbi.gov

Resources for your education on phishing

The Word Spy - explanation of words and phrases that even dictionaries don't have.
http://www.wordspy.com/words/phishing.asp

Mail Frontier - Phishing IQ Test - Take this test and see if you're ready to protect yourself
from phishing or you need more learning.
http://survey.mailfrontier.com/survey/quiztest.html

Federal Trade Commission - How Not to Get Hooked by a ‘Phishing’ Scam.
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
http://www.ftc.gov/opa/2003/07/phishing.htm

Anti-Phishing Working Group (APWG) - Committed to wiping out Internet scams and fraud.
http://www.antiphishing.org/

Microsoft - Phishing scams: 5 ways to help protect your identity
http://www.microsoft.com/athome/security/email/phishing.mspx

BBB Online - Beware of Phishing
http://www.bbbonline.org/idtheft/phishing_cond.asp
http://www.bbbonline.org/idtheft/phishing.asp

Network World Fusion - Excellent e-report on phishing - make sure you read all three
pages.
http://www.nwfusion.com/research/2004/0531phishing.html
http://www.nwfusion.com/research/2004/0531phishing.html?page=2
http://www.nwfusion.com/research/2004/0531phishing.html?page=3
More articles on phishing ==> http://www.nwfusion.com/news/2004/1210phishwebs.html

F-Secure - Another excellent e-report on phishing.
http://www.f-secure.com/2004/

Article by Jim Edwards - Excellent article on phishing.
http://ogdteam.com/jim-edwards

Also, all of the other resources mentioned throughout this report.

If you've been a victim of an Identity Theft

Identity theft occurs when identity thieves steal your personal financial information so they can
make fraudulent charges in your name or withdraw money from your accounts without your
knowledge or permission. If you have given out this kind of information to a phisher, act
immediately to minimize the damage to your personal funds and financial accounts, as well as
your reputation.

The following information is for USA residents only. But if you live outside the U.S., all you
need to do is inform the corresponding agencies and companies in your country.

1. Contact the Federal Trade Commission (FTC) to report the situation
  • Online
  • By telephone, toll-free at 1-877-ID THEFT (877-438-4338) or TDD at 202-326-2502.
  • By mail to: Consumer Response Center, FTC, 600 Pennsylvania Avenue, N.W.,
    Washington, DC 20580.

2. You may also need to contact other agencies for other types of identity theft:
  • Your local post office if you suspect that an identity thief has submitted a
    change-of-address form with the Post Office to redirect your mail, or has used the mail
    to commit frauds involving your identity;
  • The Social Security Administration if you suspect that your Social Security number is
    being fraudulently used (call 800-269-0271 to report the fraud);
  • The Internal Revenue Service if you suspect the improper use of identification
    information in connection with tax violations (call 1-800-829-0433 to report the
    violations);
  • Contact your local police department to file a criminal report;
  • Notify your local Department of Motor Vehicles to watch out for anyone ordering a
    license in your name;
  • Notify the passport office to watch out for anyone ordering a passport in your name;
  • Notify your bank(s) and creditor(s) and ask them to flag your account(s) and contact
    you regarding any unusual activity;

3. Notify the fraud units of the three principal credit reporting companies:

  • To order a copy of your credit report, call (800) 685-1111 or write to P.O. Box
    740241, Atlanta, GA 30374-0241.
  • To report fraud, call (800) 525-6285 or write to P.O. Box 740250, Atlanta, GA
    30374-0250.

  • To order a copy of your credit report, call (888) EXPERIAN or write to P.O. Box
    2104, Allen TX 75013.
  • To report fraud, call (888) EXPERIAN or (888) 397-3742, fax to (800) 301-7196, or
    write to P.O. Box 1017, Allen, TX 75013.

  • To order a copy of your credit report, call (800) 888-4213 or write to P.O. Box
    390, Springfield, PA 19064.
  • To report fraud, call (800) 680-7289 or write to P.O. Box 6790, Fullerton, CA
    92634.

4. If you notice in your credit reports that bank accounts and/or credit cards were set up
without your consent:
  • Contact all creditors with whom your name or identifying data have been fraudulently
    used, notify them of the identity theft and close the accounts.
  • Contact all financial institutions where you have accounts that an identity thief has
    taken over or that have been created in your name but without your knowledge. You
    may need to cancel those accounts, place stop-payment orders on any outstanding
    checks that may not have cleared, and change your Automated Teller Machine (ATM)
    card, account, and Personal Identification Number (PIN).
  • Contact the major check verification companies if you have had checks stolen or bank
    accounts set up by an identity thief.
  • CheckRite -- (800) 766-2748
  • ChexSystems -- (800) 428-9623 (closed checking accounts)
  • CrossCheck -- (800) 552-1900
  • Equifax -- (800) 437-5120
  • National Processing Co. (NPC) -- (800) 526-5380
  • SCAN -- (800) 262-7771
  • TeleCheck -- (800) 710-9898

For more information on Identity Theft, check some of the following resources:

http://www.usdoj.gov/criminal/fraud/idtheft.html
http://www.usdoj.gov/criminal/fraud/idquiz.html
http://www.usps.com/postalinspectors/id_intro.htm
http://www.consumer.gov/idtheft/
http://www.ic3.gov
http://www.newyork.bbb.org/identitytheft/index.html
http://www.privacyrights.org/identity.htm
http://www.ftc.gov/opa/2003/09/idtheft.htm
http://www.bbbonline.org/idtheft/protect.asp
http://www.bbbonline.org/idtheft/stolenID.asp
http://www.identity-theft-help.us/identity-theft-prevention.htm
http://www.identitytheft.org
http://www.privacyrights.org/fs/fs17a.htm
This e-report prepared by
Steve Dimeck
© 2005-2006 www.OGDTeam.com. All Rights Reserved
Our Global Destination Inc, P.O. Box 180448, Utica, MI 48318-0448, USA