Hack 37. Don't Get Reeled In by Phishers

Watch out the next time your bank, eBay, or PayPal sends you an email asking for account information; it might be a scammer on a "phishing" expedition that will send you to a web site to steal your account information. Here's what you can do to make sure you don't become the catch of the day.

Of all the obnoxious scams circulating on the Internet, the worst might be phishing attacks, in which you're sent a spoofed email that appears to be from a bank, eBay, PayPal, or other financial institution. Often, the email address appears to be a valid email address, and the email includes the institution's logo and looks exactly like any other email you might get from it. Many of the links in the email will lead to the real site as well.

The email tells you that you need to log into your account for some reason, perhaps to verify your personal information. Often, though, you're told you need to log in because the institution's fraud-detection team has found suspicious activity in your account and needs you to provide information about it.

These emails can be exceedingly convincing. For example, the email shown in Figure 4-14 looks real, but in fact, it isn't from PayPal. If you click the link at the bottom of the message, you'll be sent to a site that looks like PayPal.

Figure 4-14. A phishing email, made to look like a message from PayPal


The site shown in Figure 4-15 looks just like the regular PayPal site. With such fraudulent sites, the design and logo will be the same, and in some instances, even the URL will look authentic.

Figure 4-15. A spoofed version of the PayPal site


But the site is a fraud. When you log in, the phisher steals your username and password. Then he can empty the bank account associated with your PayPal account or use that information in identity theft to open up new accounts and take out new credit cards in your name.

How effective are phishing attacks? According to the antiphishing organization Anti-Phishing Working Group (http://www.antiphishing.org), up to five percent of people who get phishing emails are fooled into giving out their private information.

The problem is only getting worse. The Anti-Phishing Working Group says phishing expeditions are increasing at a rate of 50% per month. The research firm Gartner estimates that 57 million people in the U.S. have received a phishing email. And according to the Truste web site, $500 million was lost in 2003 alone due to phishing attacks.

It can be exceedingly difficult for law-enforcement officials to track down the source of phishing attacks. That's because often, the emails aren't sent directly by the scammers. Instead, the scammers use so-called zombie networks to send the phishing attacks. These networks are made up of hundreds or thousands of PCs whose unwitting owners have no idea their machines are being used in this manner: Trojans have been planted on them, and the Trojans are then used to send out the phishing email. The security firm Ciphertrust estimates that as few as five zombie networks are responsible for most of the phishing email on the Internet. The best way to keep your own PC from becoming a zombie is to keep your antivirus software up-to-date and to use a personal firewall. For details about how to use a firewall, see [Hack #77] and [Hack #78].


Increasingly, phishing attacks aren't conducted by lone individuals. Instead, they are tied to organized crime. In November 2004, for example, a suspected member of the Russian mob was arrested for allegedly participating in phishing fraud.

4.7.1. What You Can Do About It

Phishing attacks are scary stuff, but you don't have to be victimized. In fact, there are several things you can do to make sure you never get reeled in.

First, you can use a simple bit of JavaScript code to find out the real URL of the site you're visiting. Type the following JavaScript into your browser's address bar, and press Enter (type it rather than pasting it; many current browsers strip the javascript: prefix from pasted text as a safety measure):

javascript:alert("Actual URL address: " + location.protocol + "//" +  location.hostname + "/");

A small window will pop up in the middle of your browser, telling you the actual web site you're visiting, as shown in Figure 4-16. Examine the URL, and you'll see whether you're really visiting the site you think you're visiting. If the address in the window doesn't match what you see in your browser, get thee somewhere else, because it's a phishing attack. Keep in mind that this check exposes only a spoofed address bar: a phisher who has registered a lookalike hostname of his own will see that hostname reported faithfully, so read the name itself carefully too.

Figure 4-16. JavaScript proof of a fraudulent site


You can also use this JavaScript code, which will do the same thing as the previous code, but adds a little bit of extra information:

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" +  location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\n If the server names do not match, this may be a spoof.");

As shown in Figure 4-17, this pop-up window includes the real URL of the site you're visiting, as well as the URL displayed in the address bar.

Figure 4-17. More information from more JavaScript
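
The two javascript: one-liners above read location.hostname in a live browser. The following is an added example, not code from the book, that applies the same check to URL strings offline with the standard URL class (available in Node.js and every current browser) and then goes one step further than the book does: it compares the real hostname against the domain the page claims to be, so that lookalike hosts, bare IP addresses, and the user-name-before-@ trick are all flagged. The sample URLs, the 192.0.2.x addresses, and the "paypal.com" trusted domain are constructed for illustration.

```javascript
// Added example (not from the book): offline version of the book's
// "what is the real URL?" check, plus a comparison of the real hostname
// against the domain the page claims to be. All sample URLs below are
// constructed for illustration; 192.0.2.0/24 is a documentation range.

// Hostname the browser actually connects to, i.e. what location.hostname
// reports once the page has loaded. Returns null for non-absolute URLs.
function realHost(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when host is exactly trustedDomain or a subdomain of it. A naive
// "contains paypal.com" test would also accept paypal.com.evil.example.
function isUnder(host, trustedDomain) {
  trustedDomain = trustedDomain.toLowerCase();
  return host === trustedDomain || host.endsWith("." + trustedDomain);
}

// Classify a URL against the site the user believes they are on.
// Returns { host, verdict, reason } with verdict "ok", "spoof" or "unknown".
function checkUrl(urlString, trustedDomain) {
  const host = realHost(urlString);
  if (host === null) {
    return { host, verdict: "unknown", reason: "not an absolute URL" };
  }
  // http://www.paypal.com@192.0.2.10/ : everything before "@" is a user
  // name, so the real host is 192.0.2.10. Legitimate sites never do this.
  if (new URL(urlString).username !== "") {
    return { host, verdict: "spoof", reason: "URL carries a user name before @" };
  }
  // A bank does not send you to a raw IPv4 or bracketed IPv6 address.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    return { host, verdict: "spoof", reason: "host is an IP address" };
  }
  if (!isUnder(host, trustedDomain)) {
    return { host, verdict: "spoof", reason: "host is not under " + trustedDomain };
  }
  return { host, verdict: "ok", reason: "host is under " + trustedDomain };
}

// Constructed sample URLs, in the spirit of the spoofed site in Figure 4-15.
const SAMPLES = [
  "https://www.paypal.com/cgi-bin/webscr",
  "http://www.paypal.com@192.0.2.10/login",
  "http://www.paypal.com.account-verify.example/",
  "http://192.0.2.10/paypal/",
  "http://paypa1.com/",
  "not a url",
];

function runSamples(trustedDomain = "paypal.com") {
  return SAMPLES.map((u) => ({ url: u, ...checkUrl(u, trustedDomain) }));
}

// Usage: node spoofcheck.js
if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(r.verdict.padEnd(7) + " " + r.url + "\n        host=" + r.host + " (" + r.reason + ")");
  }
}
```

Only the first sample comes back "ok"; the others are exactly the shapes a phisher relies on, and the third one shows why the comparison has to be a suffix match on the registrable domain rather than a substring search.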


Of course, it's unlikely that you're going to memorize either piece of code and have it on hand every time you visit a web site you worry might be a spoof. So, there's a simpler solution. You can get a nifty, free add-in that will report to you on the real URL of the site you're visiting.

SpoofStick (http://www.corestreet.com/spoofstick) is a free add-in to both Internet Explorer and Firefox that detects phishing attacks. It installs as a toolbar in either browser, so you can turn it on and off when you want. When you're on a site and you're not sure whether the site is a spoof, turn on the SpoofStick toolbar by choosing View → Toolbars → SpoofStick in either browser. The SpoofStick toolbar will appear, as shown in Figure 4-18, displaying the site's real URL. If the site is a spoof, leave it as quickly as you can; you're about to be victimized by a phishing scam.

Figure 4-18. SpoofStick's evidence of a phishing scam


You can customize the size and color of the "You're On" message by clicking the Options button, choosing Configure SpoofStick, choosing the size (small, medium, or large) and color of the message, and clicking OK.

To turn off the toolbar, choose View → Toolbars → SpoofStick again.

EarthLink, a popular Internet Service Provider (ISP), also offers a free antiphishing toolbar, though it works only with Internet Explorer, not Firefox. Head to http://www.earthlink.net/home/tools and download and install the EarthLink Toolbar. Whenever you visit a site that might be fraudulent, you'll be redirected away from the phishing site and instead sent to the web page shown in Figure 4-19.

Figure 4-19. EarthLink Toolbar's ScamBlocker


If you want to live dangerously by visiting the site even after receiving this warning, click the button at the bottom of the page that reads "Continue to this potentially dangerous or fraudulent site." Even if you click, you won't be sent there unless you also turn off the toolbar's ScamBlocker feature (click the ScamBlocker button so that it turns red).

Even if you don't have the EarthLink Toolbar turned on, it will still stop you from visiting phishing sites.


Which toolbar should you use? I prefer SpoofStick. EarthLink's toolbar works by checking whether the site you're visiting is on its list of known spoof sites, and a new phishing site is not on any list the day it goes up. If you're one of the first potential victims, you'll be allowed through, but you'll think you're safe. SpoofStick simply shows you the real hostname, which works on the first day as well as the hundredth.

Of course, the paranoid among us might prefer to use both.

4.7.2. Hacking the Hack

The tools in this hack will go a long way toward making sure you're never the victim of a phishing scam. But you should also take these precautions as well:

  • Never respond to unsolicited mail from anyone purporting to be your credit card company, bank, eBay, or other financial institution; in other words, don't click any links in those emails. Most financial institutions have gotten savvy to phishing scams, so they won't send out emails with links to your log-on page. If you get a message that you think might be real, head to its web site on your own, not via an email link, or call your financial institution and speak with a representative.

  • Don't enter your Social Security number on any web site, unless a reputable financial institution requires it for you to open an account. Again, enter your Social Security number only if you go to the site yourself to open an account, not in response to an email message.

  • Don't fill out forms in email messages that ask for personal financial information or passwords. Again, the email can be forged.
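
The precautions above boil down to "don't click, look first." Here is an added example, not code from the book, of what looking first can mean: it pulls every link out of a saved HTML phishing message and flags links whose href does not point under the institution's real domain, or whose visible text shows one address while the href goes somewhere else (the lure the book describes at the bottom of the Figure 4-14 message). The sample message, the 203.0.113.7 address, the .example hostname, and the "paypal.com" trusted domain are all constructed for illustration.

```javascript
// Added example (not from the book): scan the HTML body of a suspect
// email for links that do not go where they appear to go. The message
// below is constructed; 203.0.113.0/24 and .example are reserved for
// documentation and resolve nowhere.

const SAMPLE_EMAIL_HTML = `
<p>Dear PayPal member,</p>
<p>Our fraud team has noticed unusual activity on your account. Please
<a href="http://www.paypal.com.secure-login.example/verify">log in to your account</a>
within 48 hours to confirm your details.</p>
<p>You can also visit <a href="http://203.0.113.7/pp/">https://www.paypal.com/</a> or
read our <a href="https://www.paypal.com/help">https://www.paypal.com/help</a> page.</p>
<p><a href="https://www.paypal.com/privacy">Privacy Policy</a></p>
`;

// Pull (href, visible text) pairs out of an HTML string. A regex is
// adequate for mail bodies like this one; it is not a general HTML parser.
function extractLinks(html) {
  const links = [];
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    // Strip any tags inside the anchor (e.g. <b>), keep the text.
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}

// Hostname a URL string really points at; null if it is not a URL at all.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact match or subdomain of the trusted domain (suffix match on the
// dotted boundary, so paypal.com.secure-login.example does not pass).
function isUnder(host, trustedDomain) {
  return host === trustedDomain || host.endsWith("." + trustedDomain);
}

// Flag a link when (a) its href host is not under the trusted domain, or
// (b) its text is itself a URL whose host differs from the href host.
// Returns an array of { href, text, reasons } for the flagged links only.
function suspiciousLinks(html, trustedDomain) {
  const flagged = [];
  for (const { href, text } of extractLinks(html)) {
    const hrefHost = hostOf(href);
    const textHost = hostOf(text); // non-null only when the text looks like a URL
    const reasons = [];
    if (hrefHost === null) {
      reasons.push("href is not a parseable URL");
    } else if (!isUnder(hrefHost, trustedDomain)) {
      reasons.push("href host " + hrefHost + " is not under " + trustedDomain);
    }
    if (textHost !== null && hrefHost !== null && textHost !== hrefHost) {
      reasons.push("text shows " + textHost + ", href goes to " + hrefHost);
    }
    if (reasons.length > 0) {
      flagged.push({ href, text, reasons });
    }
  }
  return flagged;
}

// Usage: node linkcheck.js
if (typeof require !== "undefined" && require.main === module) {
  for (const link of suspiciousLinks(SAMPLE_EMAIL_HTML, "paypal.com")) {
    console.log('"' + link.text + '" -> ' + link.href);
    for (const r of link.reasons) console.log("    " + r);
  }
}
```

Two of the four links in the sample are flagged: the "log in" lure, whose host merely begins with the bank's name, and the link whose text reads https://www.paypal.com/ while its href is a bare IP address. The two genuine links pass, which matters, because as the book notes most of the links in a phishing email really do lead to the real site.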

To help protect others and set the law-enforcement dogs on the phishers, forward the email to the Anti-Phishing Working Group at reportphishing@antiphishing.org, send a copy to the Federal Trade Commission at spam@uce.gov, and file a complaint with the FBI's Internet Fraud Complaint Center at http://www.ifccfbi.gov.

4.7.3. See Also

  • Microsoft has a useful Knowledge Base Article that explains how to protect yourself against spoofed sites. Go to http://support.microsoft.com/default.aspx?scid=kb;en-us;833786. For advice on what to do if you've been victimized by identity theft, go to the Federal Trade Commission's site about identity theft: http://www.consumer.gov/idtheft.



    Windows XP Hacks, Second Edition
    ISBN: 0596009186