11/2/09

Important Email Habits, Security, Tools and Tips

Forwarding Emails: Do Your Homework!

Every day I see email forwarded by someone trying to warn me of some new threat or share some “interesting news”. Unfortunately, most of these forwarded emails are false. In most cases the forwarding is harmless, and the only drawback is extra junk in your inbox and floating around the Internet.

In other cases, these emails themselves are a threat. Some emails will inform you of a “threat” and give you steps to take to “fix” your computer or “remove” the threat. Following the “advice” in these emails can cause problems in some cases.


Please do NOT forward these types of emails or follow the instructions in them without first doing your homework.

Do a search on the “information” you received. Below are a few good links to sites with information on hoaxes, myths and real threats. There are many sites that will help you find the truth about the emails you get; I like these ones.

TruthOrFiction.com

This site lists emails and topics and gives you “Truth” or “Fiction” information from their research. It can be quite amusing to just browse some of the information they have.

This site is well organized so you can select topics or just do a simple search.

http://www.truthorfiction.com/

F-Secure

F-Secure is a European-based international computer security company. The information and tools available are very useful for your security.

Hoax Search:

http://www.f-secure.com/hoaxes/

“Phishing”

What is “Phishing”? It is like fishing in the sense that criminals send out mass emails as “bait”, hoping someone bites. The bait is an e-mail falsely claiming to come from a legitimate organization, such as a bank, credit card company, online payment service, or any service, company or website they think people will trust. Its purpose is to trick people into giving up private information that can be used for identity theft, theft from your bank or online account, etc. The e-mail directs the unsuspecting person to visit a Web site where they are asked to update personal information, such as user names, passwords, credit card information, and bank account numbers, which the legitimate organization already has. This Web site, however, is spoofed and was set up only to steal information.

Link manipulation/spoofing

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of sub-domains are common tricks used by phishers. Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the spoofed site.

Website forgery/spoofing

Some phishing scams use JavaScript to alter the address bar to make it seem legitimate. This is done by placing a picture of the legitimate company’s URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

In another method of phishing that is quite popular, an attacker uses a trusted website's own scripts against the victim. These types of attacks (cross-site scripting) are particularly nasty, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. This attack is very hard to spot, because it is the link to the website that is crafted to carry out the attack.

Damage caused by phishing

The damage ranges from loss of access to email and other online accounts to loss of money, investments, etc. Phishing is becoming more popular because of the number of unsuspecting people who are easily tricked into divulging information to phishers. The collected information includes credit card numbers, social security numbers, and mothers' maiden names. It is also possible that identity thieves can add more information to what they have gained through phishing simply by accessing public records. Once this information is acquired, the phishers may use a person's details to create fake accounts in a victim's name, ruin a victim's credit, or even prevent victims from accessing their own accounts. As you can surmise, the result can be a destroyed life. That is why it is extremely important that everyone learns to recognize phishing and avoid being caught.

Recognizing Phishing and Testing Your Phishing IQ

To help people learn more about phishing and improve their ability to recognize it, there are sites with information and tests you can take.

http://www.microsoft.com/athome/security/email/phishing.mspx

http://www.sonicwall.com/phishing/

The best advice is to learn to recognize phishing and spoofing. Please check and use the sites above. The next best is to use a browser and email program that help you to recognize phishing and spoofing. Browsers and email programs are adding some protection. I recommend using Firefox for your browser and installing an anti-phishing and anti-spoofing add-on. Once you have installed Firefox, go to Tools, Add-ons, hit “Get Extensions” and search for the add-ons you want. Use Thunderbird for your email. Both are free and both are more secure than the Microsoft products. Get them here:

http://www.mozilla.com/en-US/products/?flang=en-US

Finally: Read Your Messages in Plain Text

Most e-mails written in HTML (Hypertext Markup Language: the authoring software language used on the Internet) are harmless. However, others contain malicious code. It is safer to set your e-mail program to only show messages in plain text format (often in the options or settings section of the software). This will prevent malicious code from running.
