http://strom.com/awards/351.html
Most of us know by now not to give out our passwords, ATM PINs, or other secret information when requested by e-mail. But an increasing number of people are giving out that information, even those of us who should know better. What makes this doubly annoying is that the scam is an old one, and it has nothing to do with technology per se.
The technique is called phishing, and some very clever crooks use it. Here’s how it works. You put together a bunch of HTML-formatted e-mail messages asking people to reconfirm their account information. The messages look like the real McCoy, complete with corporate logos, and come from what at first glance looks like a legitimate e-mail address. The two scams that I got recently were from sites that used the eBay and Citibank logos. Both asked me to “verify my personal information” by clicking on a link in the message that took me to the phony site.
Many people have fallen for this scam, including retired police officers and others who have plenty of experience with the criminal mind. It is amazingly easy to pull off: all you need is a dollar and a dream and some good HTML coding skills to lift the appropriate logos from the true corporate sites. Buy a list of a few million e-mail addresses and you are ready to sit back and watch those passwords roll in; soon you will have hundreds of IDs to harvest.
The Federal Trade Commission has issued a warning, but until now it hasn’t received much airplay. Several newspapers and Web sites have also covered the topic, including many in the U.K., where phishing seems to be picking up.
In addition to the FTC page, here’s an anti-phishing site that has some useful information and links:
The term has actually been in use since the mid-1990s, but lately either the scam artists are getting better at their HTML coding or the intended marks are running better e-mail clients that support more HTML-formatted messages, or perhaps a little of both. E-mail protection vendor Brightmail reports seeing plenty of phishing and brand-spoofing scams, which accounted for 27% of all e-mails it filtered in October. The company, which also sells an anti-fraud screening service as part of its overall product line for preventing spam and virus attacks, maintains a "decoy network" of over 2 million e-mail IDs to attract fraudulent e-mails. It doesn’t help matters that people are very comfortable ordering stuff over the Internet and sending their credit card numbers around cyberspace.
There really isn’t a simple cure, however. E-mail filtering products can try to screen out these messages, but that isn’t all that easy, as the con artists change addresses at the drop of a hat. ISPs can shut down the IP addresses the crooks use to collect the personal data and host the phony sites that draw in the marks, but again that stays a few steps behind the bad guys. What it really comes down to is that you and I have to be more vigilant about responding to the come-on message.
I almost fell for the Citibank phish this past summer. But then I wondered why Citibank would be sending a message to my outside e-mail address at CMP, when it has a perfectly good and secure means of sending me messages using the Citibank online banking system. Of course, when I examined the message more carefully I could see that the link went to some external site that had nothing to do with Citibank. What annoyed me more than anything was that it took the bank several months before they posted a warning notice (using their own system, of course) to me and their other customers.
The crooks are getting cleverer. Some of the phony site URLs are very, very close misspellings of the actual site addresses, and easy to miss with a quick scan of the domain name.
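The two checks this column describes, looking at where a link really goes and watching for near-misspellings of a real domain name, as an added example in Python (not code from the column or from any vendor it mentions): it parses the anchors in an HTML message, compares the address shown in the link text with the link's real host, and flags hosts that name a known brand but are not that brand's real domain, marking the close misspellings separately. The brand list, the 0.8 similarity threshold and the sample message are constructed for the example.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allow-list: brands the column mentions and their real domains.
KNOWN_DOMAINS = {"ebay": "ebay.com", "citibank": "citibank.com"}
# Constructed sample message; the hosts in it are made up for the example.
SAMPLE = """<a href="http://www.cit1bank.com/verify">Citibank Online Banking</a>
<a href="http://192.0.2.10/ebay/">www.ebay.com</a>
<a href="http://www.ebay.com/help">eBay Help</a>"""

class LinkCollector(HTMLParser):
    # Collect (href, visible anchor text) pairs from an HTML message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude "example.com" from "www.sub.example.com"; no public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registered_domain(host)
        # Check 1: the anchor text shows an address, but the link goes elsewhere.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", shown) and registered_domain(shown) != dom:
            findings.append((href, "text shows %s but link goes to %s" % (shown, host)))
            continue
        # Check 2: a brand is named but the host is not its real domain; a high ratio means a near-misspelling.
        for brand, real in KNOWN_DOMAINS.items():
            if (brand in text.lower() or brand in host) and dom != real:
                close = difflib.SequenceMatcher(None, dom, real).ratio() >= 0.8
                findings.append((href, ("lookalike of " if close else "not ") + real))
                break
    return findings
```

Running `suspicious_links(SAMPLE)` flags the first two links and leaves the genuine eBay link alone.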
The moral of the story is never give out your password to anyone at any time. Have a healthy bit of skepticism when you go through your inbox, and don’t immediately respond when you get one of these messages.
Editor's Note: A number of you are accessing e-mail via wireless means. If you are interested in wireless security, developing wireless apps, or just familiarizing yourself with this area, check out www.mobilizedsoftware.com. There’s a column on security written by my editor Jennifer Bosavage as well as numerous articles on development and design.
Entire contents copyright 2003 by David Strom, Inc.
David Strom, dstrom@cmp.com, +1 (516) 562-7151
Port Washington NY 11050
Web Informant is a registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress
If you'd like to subscribe (issues are sent via email), please send an email to: mailto:Informant-request@avolio.com?body=subscribe.