Don’t shake your head at the title like that. I haven’t forgotten how to spell nor is my spell checker having a bad day. And I am certainly not suggesting that I am now a world class chef.
The “phish” is not the water-living animal nor is it the rock band “Phish.” The phish is you, and odds are you have been the target of at least one “phishing” attempt. (The word “phishing” was coined by taking fishing and applying hacker-style spelling, e.g. “phreaking”). If you were caught, odds are you were fried.
Phishing refers to a specific sort of attack where criminals send out spam with forged headers (spoofed e-mails) to draw gullible people to fake Web sites where they enter sensitive information such as account numbers, user IDs and passwords. These data are then used for direct financial fraud or wider identity theft.
By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. Phishing is on the rise with the number of unique phish attacks doubling over the past summer.
Anatomy of a Phishing Spam
Let's take a look at a typical phishing message that came to my Yahoo account. This one isn't as elegant as some others I received and deleted, so bear with me.
Let’s take apart this message and see why it’s bogus:
Dear Citibank Member,
[Warning Sign #1 - This is a completely generic greeting. A company like Citibank would address me by name. And on top of it I don’t have an account. This doesn’t bother the criminals of course—they know non-account holders will simply delete the e-mail and it costs them nothing.]
This email was sent by the Citibank server to verify your email address.
[Flag #2 - Incorrect spelling and usage of email. While most of us may be sloppy about how we use it in our day-to-day e-mails, you can rest assured that a mass mailing from a multinational bank would have spelled it as e-mail—the correct usage.]
[Flag #3 - Why would Citibank tell me the message was sent by its server and not by its customer care or security department? Very strange.]
You must complete this process by clicking on the link below and entering in the small window your Citibank ATM-Debit Card number and PIN that you use on ATM.
[Multiple Flags - Syntax errors: entering what in the small window? Logic flaws: how does this help verify my e-mail address? (It is obviously working, or the mail would have bounced.) Grammar error: ‘you use on ATM’ is improper English. You should always look for peculiar wording and bad spelling and grammar. Admittedly, authentic messages may have these sorts of problems, but it’s rarer than in spam - especially spam written by non-native speakers of English. The truth is, a large portion of phishing spam is international in origin.]
This is done for your protection - because some of our members no longer have access to their email address and we must verify it.
To verify your email address and access your bank account, click on the link below:
[More Flags. Obviously this makes no sense. If members no longer have access to their e-mail and if this was sent to that same e-mail how can they be verifying it? Why would you want to access your bank account to verify your e-mail account?]
http://www.ýcţiýtibank.cţom/?vsgdDmUKkuXHwiUFUPsre2g55l46v0k11YKYWqrZ6lpeFuf3SaDU6u9wq
[Big Warning Flag: I right-clicked the link and selected Properties. (NEVER click on a URL from a strange or suspicious source without knowing exactly what it is - and its appearance is no guarantee of where it takes you.)]
Here is the actual URL of where the fake link went to:
http://www.google.com/url?q=http://www.google.com/url?q=http://www.google.com/url?q=%%348Tt%%350%%33a/%2Fbvkiy39fe.com*20836%%32E%%364A.%%352%%355%2f%%33F9v37c2av7z482kqVw7EM2Hew3k2v3k
As I suspected, the URL in the visible version of the message was just camouflage. Google is a legitimate website, but the phishing spam was exploiting a since-closed flaw in Google’s security and sending me to a bogus site far, far away. In either event it clearly isn’t a Citibank site, and if I had followed the instructions I would have gotten burned and likely lost a lot of money, if not been caught up in a more extreme case of identity theft.
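As an added illustration (not part of the original column), the Python script below does by hand what the Properties dialog revealed above: it follows the redirect parameters embedded in a link’s real href without contacting any server, percent-decodes the destination host, and reports look-alike characters in the host the message displays. The sample link pair is constructed to mirror the spam, not copied from it, and the hosts in it are placeholders.

```python
import unicodedata
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample, modelled on the message dissected above (these are
# not the addresses from the original spam). The text the reader sees uses
# a look-alike letter; the real href chains two open redirects and ends at
# an unrelated, percent-encoded host.
VISIBLE_TEXT = "http://www.ciţibank.com/verify"
REAL_HREF = ("http://www.google.com/url?q=http://www.google.com/url"
             "?q=http://%62vkiy39fe.example/%2Fcard.php?id=7")

def unwrap_redirects(url, param="q", max_hops=10):
    """Follow redirect parameters carried inside the URL itself (the old
    google.com/url?q=... style) without making any network request.
    Returns the final URL and the list of redirector hosts passed through."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        query = parse_qs(parts.query)          # parse_qs also percent-decodes
        if param not in query:
            break
        hops.append(parts.hostname)
        url = query[param][0]
    return url, hops

def suspicious_host_chars(host):
    """List characters in a host name that are not plain ASCII letters,
    digits, dots or hyphens, with their Unicode names, so a 'ţ' standing
    in for 't' is reported instead of silently displayed."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host
            if not (ch.isascii() and (ch.isalnum() or ch in ".-"))]

def analyse_link(visible_text, href):
    """Compare where a link claims to go with where it really goes."""
    shown_host = urlsplit(visible_text).hostname or ""
    final_url, hops = unwrap_redirects(href)
    final = urlsplit(final_url)
    real_host = unquote(final.hostname or "")   # decode any %xx left in the host
    return {
        "shown_host": shown_host,
        "real_host": real_host,
        "redirect_hops": hops,
        "odd_chars": suspicious_host_chars(shown_host),
        "host_mismatch": shown_host != real_host,
        "plain_http": final.scheme != "https",
    }

if __name__ == "__main__":
    for key, value in analyse_link(VISIBLE_TEXT, REAL_HREF).items():
        print(f"{key:14}: {value}")
```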
If you’d like to test your phishing spam detection skills, I encourage you to visit Mail Frontier’s Phishing IQ Test at http://survey.mailfrontier.com/survey/quiztest.html. It only takes a few minutes and will give you an idea of how well-developed your detection skills are.
Avoid Getting Hooked
So that’s the anatomy of a piece of phishing spam. I find them personally irritating because a great deal of industry effort has gone into making on-line banking, shopping and financial transactions secure. Phishing spam, in addition to being fraudulent, undermines confidence in this, thus reducing the effectiveness of this benefit.
To avoid getting hooked, filleted and burned, we have to go back to the basics. As I’ve said in previous articles on computer security, the first line of defense is you. [People - The Key to Anti-Virus Defenses]. While following the recommendations below won’t guarantee safety, they will certainly prevent you from joining the elite 5% of those who have fallen for the scam.
- Be suspicious of any e-mail with urgent requests for personal financial information. Phishers love to try and scare you to react without thinking.
- Don’t use the links in an e-mail to get to any web page. If you suspect the message might not be authentic, call the company on the telephone, or log onto the website directly by typing the Web address into your browser. (The links might be bogus, which is why you should not cut and paste them either.)
- Never fill out forms in e-mail messages that ask for personal financial information.
- You should only communicate numbers such as credit card numbers or account information by telephone or through a secure website. (To make sure you’re on a secure Web server, check the beginning of the Web address in your browser’s address bar - it should be “https://” rather than just “http://”.)
- Consider installing a Web browser tool bar to help protect you from known phishing fraud websites. EarthLink ScamBlocker is part of a free browser toolbar that alerts you before you visit a page that’s on Earthlink’s list of known fraudulent phisher Web sites. It’s free to all Internet users. Download at: http://www.earthlink.net/earthlinktoolbar
- Regularly log into your online accounts; don’t leave them for as long as a month without checking each.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers.
- Ensure that your browser is up-to-date and, in particular, that security patches are applied. People who use the Microsoft Internet Explorer browser should immediately go to the Microsoft Security home page (http://www.microsoft.com/security/) to download a special patch relating to certain phishing schemes.
- Use anti-virus software and keep it up to date. Some phishing e-mails contain software that can harm your computer or track your activities on the Internet without your knowledge. Others install programs called “key loggers” on your computer. These programs capture any information that you type, including credit card numbers, usernames and passwords, Social Security Numbers, etc., and send it out to the phisher.
- Install a firewall (see Firewalls and You). It’s especially important to run a firewall if you have a broadband connection.
Following this advice won’t guarantee you safety. But to be a safe consumer you have to take a proactive role in your own defense and think smart.
Hooked and Regretting It
What if you’ve already been hooked? Or realize that you might have been hooked? If you have been tricked, don’t try to imagine it will go away. Assume you will become a victim of credit card fraud, bank fraud, or identity theft. The following steps should help get you through the worst of it. (Note that some procedures will differ from country to country. Make sure you understand your local laws):
If you have given out your credit, debit or ATM card information:
- Report the theft of this information to the card issuer as quickly as possible.
- Many companies have toll-free numbers and 24-hour service to deal with such emergencies.
- Cancel your account and open a new one.
- Review your billing statements carefully after the loss. If they show any unauthorized charges, it’s best to send a letter to the card issuer describing each questionable charge.
If you have given out your bank account information:
- Report the theft of this information to the bank as quickly as possible.
- Cancel your account and open a new one.
If you have given out your eBay account:
- Contact eBay. They have a link for Hijacked Accounts.
- If someone is currently listing auctions on your account, you may also use the hotline options: Member Problems... Law Enforcement... Please Investigate a Current Listing for Possible Fraudulent Activity.
- Attempt to sign in and change your password.
- If you are able to, sign in, change your password and password hint immediately, and begin to undo any damage done by the hackers, such as removing any bogus auctions and contacting bidders and sellers.
- If you were unable to regain control of your own account, eBay will likely suspend it for a while until they complete their investigation.
If you have given out your personal identification information:
Identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. If you have given out this kind of information to a phisher, you should do the following:
- Report the theft to the three major credit reporting agencies, Experian, Equifax and TransUnion Corporation, and do the following:
  - Request that they place a fraud alert and a victim’s statement in your file.
  - Request a FREE copy of your credit report to check whether any accounts were opened without your consent.
  - Request that the agencies remove inquiries and/or fraudulent accounts stemming from the theft.
- Notify your bank(s) and ask them to flag your account and contact you regarding any unusual activity.
- If bank accounts were set up without your consent, close them.
- If your ATM card was stolen, get a new card, account number, and PIN.
- Contact your local police department to file a criminal report.
- Notify the Department of Motor Vehicles of your identity theft. You may need to contact other government agencies as well.
- Check to see whether an unauthorized license number has been issued in your name.
- Notify the passport office to be on the watch for anyone ordering a passport in your name.
- Document the names and phone numbers of everyone you speak to regarding the incident. Follow up your phone calls with letters. Keep copies of all correspondence.