PHISHING TIPS

Phishing is an attempt at stealing login information from an unwary user of another website, perhaps eBay or a bank. Although it would be nice to think you could trace these people, the reality is it isn't going to happen - the emails are not from "them", they're sent from someone else's PC that they have managed to break into. All you can do is be aware of what is happening and learn to dodge the pitfalls.

The people behind these frauds are getting very good at "social engineering", and will use a variety of ways to try to get you to reveal personal information:




NEVER click a link in an email for a website that has your bank account details
ALWAYS type in the correct website address yourself in your web browser



The strongest protection against attempts like this is, in my experience, to buy your own domain name (i.e. your own website address) - I use www.123-reg.co.uk (link below) for mine, and tell it to redirect all email sent to that domain to my normal email address. Buying a domain name like this need be nothing more complicated than "owning" the name - you don't need to buy hosting packages or put a website online, and it will cost you about £6.25 for two years.



I "personalise" the email addresses I give out to any company, so Paypal might get paypal@domain.com, ebay would get ebay@domain.com etc.

If you receive anything purporting to be from Paypal sent to anything other than the "personalised" email address you gave them, you know it's a SCAM.

The next method in your arsenal should be to DITCH OUTLOOK EXPRESS and use a different email program - one which shows you the true contents of the email rather than something that looks like a webpage. Webpages can hide a multitude of sins, which usually involve telling you the link you are clicking goes to one website when it actually takes you somewhere entirely different.

An example of this might be (without the proper html codes):

What you see in the email:      http://www.paypal.com
What the html actually says:    [A HREF="http://www.stealmymoneyplease.com"]http://www.paypal.com[/A]

What you see is a link to Paypal, but in reality it takes you to a scam site.

There are a few subtle variations on this, such as one that displays an "image map" stolen from the official site, but redirects you to the fake site.
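To show how a mail client or filter can catch both of these tricks, here is an added Python example (not from the original page) that pulls every link out of an html email and reports the ones where the visible URL text, or a borrowed image, belongs to a different host than the real link target. The sample email and the stealmymoneyplease.example host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the example above: the visible text names
# one site, the href goes to another (hosts are made up).
SAMPLE_EMAIL = """
<p>Please confirm your account at
<a href="http://www.stealmymoneyplease.example/login">http://www.paypal.com</a></p>
<p>Or click <a href="http://www.stealmymoneyplease.example/login"><img
src="http://www.paypal.com/images/logo.gif" alt="PayPal"></a></p>
"""

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

class LinkAuditor(HTMLParser):
    """Collect href, visible text and image hosts for every <a> in the mail."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur = {"href": a.get("href") or "", "text": "", "imgs": []}
        elif tag == "img" and self._cur is not None:
            self._cur["imgs"].append(host_of(a.get("src") or ""))
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def deceptive_links(html):
    """Return (what is shown, host it really goes to) for each link whose
    visible URL text or borrowed image comes from a different host than the href."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    hits = []
    for link in p.links:
        real, shown = host_of(link["href"]), link["text"].strip()
        if "://" in shown and host_of(shown) != real:
            hits.append((shown, real))          # link text lies about its target
        for img_host in link["imgs"]:
            if img_host and img_host != real:
                hits.append(("image from " + img_host, real))  # stolen logo trick
    return hits
```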



More examples follow, which at first glance may look legitimate - these are SCAM SITES
** DO NOT ENTER ANY DETAILS ON THEM ! **

This will take you to a "hacked" Paypal site - the dodgy website forces your web browser to open the *real* Paypal page in a new window. What you don't realise is the dodgy site is recording everything you enter, allowing them to steal the account and your money.

http://200.213.250.176:81/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/index.html


...and a phony Bank of Scotland email asking you to update your details - the first part of the web address looks real, but read the rest of it very carefully: you will actually be taken to a website called maxinder.info, which has set up a "sub-domain" spoofing the Bank of Scotland address.

http://www.bankofscotland.co.uk.systemupgrade.maxinder.info/customers.ibc
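An added Python example (not part of the original page) that does the "read the rest of the address carefully" check in code: it works out which domain really owns the host of both scam URLs above, notes when the "host" is nothing but a bare IP address on an unusual port, and flags a bank or PayPal name that has been planted in a subdomain or in the path. The brand list and the cut-down public-suffix list are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Cut-down list of multi-label public suffixes; a real tool would use the
# full Public Suffix List (assumption made for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}
# Brand domains a scam might try to borrow (constructed list).
BRANDS = ("paypal.com", "bankofscotland.co.uk", "ebay.co.uk")

def registrable_domain(host):
    """The part of a hostname its owner actually registered: the last two
    labels, or three when the last two form a suffix such as co.uk.
    Everything to the left is a subdomain the owner can set to anything."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def analyse_url(url):
    """Report who really controls a URL's host and whether a brand name has
    been planted in the subdomain or the path to make it look legitimate."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    report = {"host": host, "owner": None, "bare_ip": False,
              "odd_port": u.port not in (None, 80, 443), "borrowed": []}
    try:
        ipaddress.ip_address(host)
        report["bare_ip"] = True          # no name at all, just an address
    except ValueError:
        report["owner"] = registrable_domain(host)
    for brand in BRANDS:
        # brand appears as whole labels inside the host but does not own it
        if f".{brand}." in f".{host}." and report["owner"] != brand:
            report["borrowed"].append(f"{brand} in subdomain")
        if brand in u.path.lower():
            report["borrowed"].append(f"{brand} in path")
    return report
```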


I'm waiting for confirmation on this, but it may turn out to be one of the "best" scams of its type... it's an eBay scam and the email will say it contains your username to prove it's legitimate, but what it appears to be doing is taking advantage of a bug in Internet Explorer and your email program to "wave" at the real eBay site - the real eBay site recognises you if you have asked it to remember your login details, and that allows the email to "snatch" your username to display in the email - clever, huh!

It might be a nuisance telling sites never to remember who you are, but you'll be a LOT safer.


EMAIL SAFETY

I use an email program called TheBat! from http://www.ritlabs.com - it makes a good replacement for Outlook (commonly known as LookOut amongst "real" computer nerds!) - it's not free, but it's very good, and for me to part with money for something, it has to be!

TheBat! offers html (webpage style) or text display options which you can swap between quickly and easily by clicking on a "tab" below the message, but you may find it doesn't show you pretty html emails any more the way LookOut did - and for a very good reason - your email program shouldn't be going off to the internet on its own.

It will display the information sent in the email, but nothing more - it will not take itself off to the internet to download images or other content from some unknown source, because doing so confirms to the sender that your email address is live and worth spamming.

One common "message" from fraudsters who would like to take advantage of the flaws in html email is to write the email so that it says "get yourself a capable email program" if you're not looking at the scam (webpage) version - nice of them to let you know you're doing something right!


MORE SOCIAL ENGINEERING

A recent and more disturbing variation on the "social engineering" theme is where they set up automated phone message services, where you might, for instance, be asked if you have satellite TV - you respond, and the call ends. A few weeks later, you'll get a call from someone claiming to be from the satellite TV company telling you your regular payment didn't go through as normal, and you're about to be cut off unless you make a payment there and then. This is a scam, remember, so when you hand over alternative payment details they rob you.

There are others nicknamed "Nigerian scams" or "419 scams", where you will be asked to pretend you're someone you've never heard of in order to get millions of pounds out of a bank account. These normally work by offering you a large percentage / sum of money, and you are asked to pay certain "fees" along the way. Some of these scams have ended up with the greedy "recipient" being kidnapped and murdered - and I'm not joking!

New variations turn up on a regular basis, and often try to use recent events such as the Asian tsunami or terrorist bombings somewhere - even to the extent of using real victims' names.


UNDERSTANDING EMAIL HEADERS

Email is unfortunately easy to "spoof" - i.e. to make it appear to come from somewhere other than its true origin. As I said at the top of the page, these emails are not sent by the people committing the fraud themselves - they're using someone else's PC that they've broken into to send this stuff out - and most of the time, the fraud websites they take you to are also using stolen space on someone else's website.

To show you how email works, I'll include a couple of "headers" (the parts that say who it's from and who it's to) below, then try to explain what you need to be aware of. Unfortunately, most of the information that would help stop spam is "thrown away" when it arrives at your internet provider - it's delivered in an "envelope" which is discarded; your ISP reads the "To:" address, and then pigeonholes the email in your mailbox ready for collection.

X-Apparently-To: oldemailaddress@btinternet.com via 217.146.188.8; Sat, 19 Aug 2006 01:41:49 +0000
X-YahooFilteredBulk: 193.138.205.47
X-Originating-IP: [193.138.205.47]
Authentication-Results: mta832.mail.ukl.yahoo.com from=nationwide.co.uk; domainkeys=neutral (no sig)
Received: from 193.138.205.47 (EHLO srv2.p4u) (193.138.205.47) by mta832.mail.ukl.yahoo.com with SMTP; Sat, 19 Aug 2006 01:41:49 +0000
Received: from apache by srv2.p4u with local (Exim 4.50) id 1GEFrK-00066p-U6 for oldemailaddress@btinternet.com; Sat, 19 Aug 2006 03:42:46 +0200
To: oldemailaddress@btinternet.com
Subject: Important ! Update Your Account®
From: Nationwide Bank®
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Sat, 19 Aug 2006 03:42:46 +0200
X-Antivirus: avast! (VPS 0633-4, 18/08/2006), Inbound message
X-Antivirus-Status: Clean

To make this easier to read, the only line you need to look at to find out the origin is the first "Received:" line (the one beginning "Received: from 193.138.205.47") - and in some circumstances the second "Received:" line - pretty much everything else can be created by the spammer and cannot be relied on.

You work "backwards" from the end of the line - email for btinternet.com is now handled by yahoo.com, which is our starting point, as we know that is legitimate. What we're looking for is the first IP address before the "trusted" information, as that is almost always the true source. In some circumstances you may see more "trusted" ISP information, in which case you move on to the second "Received:" line, and so on, until you see one that isn't related to your ISP.
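The same backwards walk through the "Received:" chain, as an added Python example (not from the original page): it is fed the two "Received:" lines from the Nationwide headers above, plus a constructed variant with an extra internal hop at a made-up ISP (example-isp.net), and returns the first outside IP address that a trusted server accepted the mail from.

```python
import re

# The two "Received:" lines from the Nationwide example above. Headers are
# newest-first: the top line was added last, by your own ISP's server.
NATIONWIDE = """\
Received: from 193.138.205.47 (EHLO srv2.p4u) (193.138.205.47) by mta832.mail.ukl.yahoo.com with SMTP; Sat, 19 Aug 2006 01:41:49 +0000
Received: from apache by srv2.p4u with local (Exim 4.50) id 1GEFrK-00066p-U6 for oldemailaddress@btinternet.com; Sat, 19 Aug 2006 03:42:46 +0200
From: Nationwide Bank
"""
# Constructed variant with an extra internal hop at a made-up ISP, to show
# the "move on to the second Received: line" case.
TWO_HOP = """\
Received: from mta1.example-isp.net (mta1.example-isp.net [10.0.0.5]) by mailstore.example-isp.net; Sat, 19 Aug 2006 01:42:00 +0000
Received: from 84.16.240.221 (EHLO pointech.medyabim.com) (84.16.240.221) by mta1.example-isp.net with SMTP; Sat, 19 Aug 2006 01:41:49 +0000
Received: from apache by pointech.medyabim.com with local (Exim 4.60)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"^Received:\s*from\s+(\S+)(.*?)\s+by\s+([^\s;]+)", re.I | re.S)

def received_lines(raw):
    """Unfold continuation lines and return the Received: headers, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [ln for ln in unfolded.splitlines() if ln.lower().startswith("received:")]

def is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)

def origin_ip(raw, trusted):
    """Walk the chain top-down. Hops where both sides belong to your ISP are
    skipped; the first hop a trusted server accepted from an outsider gives
    the true source IP. Everything below that was written by the sender's
    machine and can be forged, so we stop there."""
    for line in received_lines(raw):
        m = HOP.match(line)
        if not m:
            continue
        sender, extra, receiver = m.groups()
        if not is_trusted(receiver, trusted):
            break                        # past the ISP's own servers
        if is_trusted(sender, trusted):
            continue                     # internal hop, keep going
        ip = IPV4.search(sender + extra)
        return ip.group(1) if ip else None
    return None
```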

In this instance, we want to find out where 193.138.205.47 is - because you know a bank in your country won't be sending email to you from another country like Korea / Brazil / China (unless you live in those countries). To do this, we use a "whois" server...

If you go to www.samspade.org you can enter the IP address in a nice friendly "Do Stuff" box and it will tell you all you need to know. It doesn't work right all the time, but hey, what does :-}

An alternative site for checking the IP address (there are many, though) is www.geektools.com - it's a similar setup, but geektools also wants you to confirm you're not abusing the system automatically by getting you to enter a "code" that it displays. Geektools also has a free downloadable IP address checker / whois program under "tools", which can be handy if you find yourself doing this on a regular basis - again, it's not infallible, but it's pretty good! If you have a choice of who to use for checking (such as in the downloadable version), "whois.ripe.net" is usually pretty good if the "automatic" option fails.

In this instance, the email was sent from a machine connected to this ISP's network:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '193.138.204.0 - 193.138.207.255'
inetnum: 193.138.204.0 - 193.138.207.255
netname: KDIS
descr: KDIS Network
country: NL
org: ORG-KDIS1-RIPE
admin-c: RB3347-RIPE
tech-c: RB3347-RIPE
status: ASSIGNED PI
remarks: For abuse complaints contact abuse@kdis.nl
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: OPENPEERING-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: OPENPEERING-MNT
mnt-domains: OPENPEERING-MNT
source: RIPE # Filtered
organisation: ORG-KDIS1-RIPE
org-name: KDIS
org-type: NON-REGISTRY
address: Haddingestraat 18
address: 9711 KD Groningen
address: The Netherlands
phone: +31 (0)50 3142029
fax-no: +31 (0)847 110011
e-mail: noc@kdis.nl
org: ORG-OPB1-RIPE
admin-c: RB3347-RIPE
tech-c: RB3347-RIPE
mnt-ref: OPENPEERING-MNT
mnt-by: OPENPEERING-MNT
source: RIPE # Filtered
person: Rolf Berkenbosch
address: KDIS
address: Haddingestraat 18
address: 9711 KD Groningen
address: The Netherlands
phone: +31 50 3142029
e-mail: info@kdis.nl
nic-hdl: RB3347-RIPE
mnt-by: OPENPEERING-MNT
source: RIPE # Filtered

- which, if you hadn't guessed, is definitely NOT "Nationwide Bank", as it tried to fool you into believing in the "From:" and "Subject:" lines.

You can have a play with this next one yourselves :-)

X-Apparently-To: oldemailaddress@btinternet.com via 217.146.188.92; Sat, 19 Aug 2006 00:32:10 +0000
X-YahooFilteredBulk: 84.16.240.221
X-Originating-IP: [84.16.240.221]
Authentication-Results: mta834.mail.ukl.yahoo.com from=online.lloydstsb.co.uk; domainkeys=neutral (no sig)
Received: from 84.16.240.221 (EHLO pointech.medyabim.com) (84.16.240.221) by mta834.mail.ukl.yahoo.com with SMTP; Sat, 19 Aug 2006 00:32:10 +0000
Received: from apache by pointech.medyabim.com with local (Exim 4.60) (envelope-from ) id 1GEDnH-0002ad-JJ for oldemailaddress@btinternet.com; Sat, 19 Aug 2006 02:30:27 +0300
To: oldemailaddress@btinternet.com
Subject: Upgrade Your Online Banmng Access.
From: Llyods TSB Bank
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Sat, 19 Aug 2006 02:30:27 +0300
X-Antivirus: avast! (VPS 0633-4, 18/08/2006), Inbound message
X-Antivirus-Status: Clean