Phishing for Your Money

FlyFishing

When I was twelve the word phishing didn’t exist. Back when AOL was charging by the hour for internet access, hacked AOL accounts were a dime a dozen. You could go into just about any chat room on AOL and the odds were good that you would later get an IM or an email purporting to be from AOL Security or Site Support requiring you to respond with your login and password. The success rate of this tactic was mind-boggling; AOL actually started sending emails and IMs stating they would never, ever, never request that you send your password. People still fell for the ploy like a wounded gazelle to the lion.

Phishing is essentially the process of trying to gather protected information like account numbers, usernames, and passwords by pretending to be someone/something you trust and would actually provide that information to.

A typical phishing scam will begin with an email request to a large group of people who may or may not have an account with the target company. The email will usually go something like this:

Dear Awesome Reader,

We here at SuburbanDollar Bank value your safety and security. We recently had a security breach at our corporate office in Idaho Falls, ID and your account information may have been compromised. We are currently monitoring your accounts to ensure no fraud occurs, but we highly recommend you login to your account today and verify the listed charges are your own.

Sincerely,

Kyle

SuburbanDollar.com

The bold/underlined (linked) items in an email like the one above would point to a site that looked like the real one. Maybe it was SuburbanDollar.biz, or SuburbanDollarSecurity.com. Either way it would seem natural to you to log in to the site. There would be zero difference in the appearance and the function of the site you end up on. When you log in you will even be redirected to the correct site so you can access your account as normal. What happened is that the site you initially logged in to was not the bank’s real site, and a hacker just logged your username and password so they can come back later and clean your accounts out.

It is phishing because they are throwing thousands of lines in the water hoping a couple of little phish bite. You could get an email for Bank of America even though you have never had an account with them. The hacker doesn’t care because odds are a good chunk of them are going to have an account with Bank of America.

Spear Phishing

Spear phishing is a form of phishing that scares me considerably more than random messages sent to billions of people. Regular spear fishing is where you chase down a fish: you see the fish, you know the fish, then you shoot the fish at point blank range. In the internet form, spear phishing, the attacker studies his target to learn what they do and who they are. They then create a plausible reason for the target to provide information they would otherwise never give out over the internet. The amount of information available about people on the internet is astounding; you could even generate an email like this:

Dear Mr Baker,

I am a good friend of Dave Ross who I understand you met on your travels here in New Zealand. He told me you and your family are currently having problems obtaining work visas. I work for Wallabe Wallets in Auckland and I think we could work something out where I could possibly sponsor a work visa for you. I also have a good friend who is a dean of students at a private school here who may be able to assist your wife, Courtney, in getting a teaching position. I know it is an odd request but I really would like to help out you and your family. If you could send me a photocopy of your and your wife’s passports I could get started on the necessary paperwork.

Sincerely,

Foster A.F. Beer

You may recognize some of the facts from the above message; they all came from Baker’s travel posts on Man Vs. Debt. I know Baker probably wouldn’t fall for something like this, but you can see how including facts and making the message personal can make it more plausible.

The majority of average phishing e-mails are written by some money-grubbing Russian hacker who doesn’t speak very good English. Telltale signs of a fake e-mail are typos. A big bank has so many hoops to jump through before sending out a mass mailing that they aren’t going to have typos like I have in my posts. Hey, it is just me. Spear phishing, on the other hand, is targeted and precise. The people creating these messages are much more sophisticated and these scams will not be so easy to spot.

Tips for Not Getting Hooked

  1. Never click on a link in an email. Never click a link in an email; it could be malicious and you might not catch it. Bookmark all of your finance-related websites and only access those sites via the bookmarks or by directly typing in the website address. This way you avoid the potential of falling prey to those click-through e-mails.
  2. Watch for typos. Like I said previously, most mass-produced phishing emails are going to have typos, things you wouldn’t normally expect. If you see something like this, immediately delete/discard the message. If you truly suspect it is a phishing scam, especially one for your bank or other financial institution, you should report it to that bank. They will log it, verify it is a fake, and notify their other users.
  3. Never click on a link in an email. Even when your friends send you that forwarded message about the hot chick running on the beach with the big, you know, toes.. Don’t click it. It could be what you expect or it could be a virus, trojan or some other nefarious site.
  4. Think before you act. If you really sit and think about the request someone is making of you, regardless of the facts they use, is it normal? Would you really ever email a complete stranger a copy of your passports? He did say he knew my buddy Dave, but why don’t I call him up and meet him in person? The old adage holds up here: if it seems too good to be true, it probably is.
  5. Never click on a link in an email. I know that poor dead horse is getting beaten something fierce. You don’t want to see that video anyway; don’t click on the link.
  6. Web browser. I mentioned browser choice yesterday when I covered protecting your money. Modern browsers are starting to work to protect you and weed out some of these phishing sites. Make sure your browser is up to date.
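The post’s two defensive ideas, lookalike domains such as SuburbanDollar.biz or SuburbanDollarSecurity.com standing in for the real site, and bookmarks as the only way you reach your bank, can be turned into a small checker. The following Python script is an added example, not code from the original post: it treats a constructed list of bookmarked domains as an allowlist, pulls every link out of a constructed sample email, and labels each one as known, unknown, or one of several lookalike patterns (same name with a different top-level domain, the bank’s name embedded in a longer name, the real domain buried in a subdomain, or a one- or two-character typosquat). The domain list, the email text and every link in it are made up for this example; the registrable-domain helper is deliberately naive and does not know multi-label suffixes like co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist standing in for the bookmarks the post recommends:
# the only domains this reader ever logs in to for banking.
BOOKMARKED_DOMAINS = {"suburbandollar.com", "bankofamerica.com"}

# Constructed sample email body; every link in it is made up for this example.
SAMPLE_EMAIL = """Dear Awesome Reader,
We recently had a security breach. Please login today at https://www.suburbandollar.com/login
or use our secure verification page http://SuburbanDollar.biz/login to confirm your charges.
Our security team: http://suburbandollarsecurity.com/verify
Account portal: http://suburbandollar.com.account-verify.example/
Quick link: https://suburbandol1ar.com/
More info: http://example.org/
"""

URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a hostname ('www.example.com' -> 'example.com').

    Deliberately naive: it does not know multi-label public suffixes such as
    'co.uk'; real tooling should consult the Public Suffix List instead.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance between two strings, used to catch short typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, bookmarked=BOOKMARKED_DOMAINS):
    """Compare one link's host against the bookmarked domains and name what it looks like."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in bookmarked:
        return "known"
    label = domain.split(".")[0]
    for known in sorted(bookmarked):
        known_label = known.split(".")[0]
        # suburbandollar.com.account-verify.example: the real name buried in a subdomain
        if known in host:
            return "lookalike (brand in subdomain)"
        # SuburbanDollar.biz: same name, different top-level domain
        if label == known_label:
            return "lookalike (different TLD)"
        # SuburbanDollarSecurity.com: the bank's name embedded in a longer one
        if known_label in label:
            return "lookalike (brand embedded)"
        # suburbandol1ar.com: a character or two swapped
        if levenshtein(label, known_label) <= 2:
            return "lookalike (typosquat)"
    return "unknown"


def scan_email(body, bookmarked=BOOKMARKED_DOMAINS):
    """Return a (url, verdict) pair for every http(s) link found in an email body."""
    return [(url, classify_link(url, bookmarked)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:32} {url}")
```

Anything other than "known" is a link you should not follow; open your bookmark instead, exactly as tip 1 says. The "unknown" verdict is deliberately not a pass: a link that merely fails to resemble your bank is still an unbookmarked site asking for a login.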

Times have changed since the AOL days and scams are becoming more and more prevalent; recent news reports are talking about how thousands of Hotmail accounts, as well as Gmail, Yahoo, and AOL accounts, were compromised and their credentials posted on the internet after falling prey to a phishing scam (SeattlePI). Not only is phishing dirty and mean, it is illegal.

Just recently the FBI cracked down on a phishing group during operation “Phish Fry”; they arrested 33 in the US, and 20 people are still at large. Don’t think you are safe in other countries either: 47 people were arrested as part of the same operation in Egypt (Washington Post).

Now swim free, little fishes, and watch out for the people who want to steal your money, your identity, and your life.

Photo: (rengber)

2 comments

1 Mrs. Micah October 8, 2009 at 9:42 am

It’s funny, I learned about phishing and spoofing through Neopets when I was 14ish. It was really abominable stuff–people would send neo-mails pretending to be from the Neopets team, set up fake login pages that looked exactly like Neopets login pages and redirect their Neopets stores to them so it looked like you’d logged out and had to log back in before buying.

What was so wrong about these was that it was almost entirely kids playing. I know it wasn’t “real” money, but stealing from kids is low. I suppose some of the people were doing it were other kids/teens, but I know a few were adults.

On the other hand, Neopets taught its users a lot about this with no real-world consequences. The site now uses a login procedure similar to ING Direct’s, with a special picture & phrase (pic and name of your “pet”) after you enter your username so you know it’s them. They’d send out warnings, kids talked about it in the forums, and you’d run into examples. So it was a good learning experience.

2 kenyantykoon October 9, 2009 at 6:52 am

I got it - never click a link in an e-mail 🙂
