Posts tagged as:

security

FlyFishing

When I was twelve the word phishing didn’t exist. Back when AOL was charging by the hour for internet access, hacked AOL accounts were a dime a dozen. You could go into just about any chat room on AOL and the odds were good that you would later get an IM or an email purporting to be from AOL Security or Site Support requiring you to respond with your login and password. The success rate of this tactic was mind boggling, AOL actually started sending emails and IM’s stating they would never, ever, never request you send your password. People still fell for the ploy like a wounded gazelle to the lion.

Phishing is essentially the process of trying to gather protected information like account numbers, usernames, and passwords by pretending to be someone/something you trust and would actually provide that information to.

A typical phishing scam will begin with an email request to a large group of people who may or may not have account with the target company. The email will usually go something like this:

Dear Awesome Reader,

We here at SuburbanDollar Bank value your safety and security, we recently had a security breach at our corporate office in Idaho Falls, ID and your account information may have been compromised. We are currently monitoring your accounts to ensure no fraud occurs but we highly  recommend you login to your account today and verify the listed charges are your own.

Sincerely,

Kyle

SuburbanDollar.com

The bold/underlined items above would relate to a site that looked like it was the real site. Maybe it was SuburbanDollar.biz, or SuburbanDollarSecurity.com. Either way it would seem natural to you to login to the site. There would be zero difference in the appearance and the function of the site you end up on. When you login you will even be redirected to the correct site so you can access your account as normal. What happens is the site you initially login to was not a real site for the bank and a hacker just logged your username and password so they can go back later and clean your accounts out.

It is phishing because they are throwing thousands of lines in the water hoping a couple of little phish bite. You could get an email for Bank of America even though you have never had an account with them. The hacker doesn’t care because odds are a good chunk of them are going to have an account with Bank of America.

Spear Phishing

Spear phishing is a form of phishing that scares me considerably more than random messages sent to billions of people.  Regular spear fishing is where you chase down a fish, you see the fish, you know the fish, then you shoot the fish at point blank range. In the internet form spear phishing the attacker studies his target to learn what they do, who they are. They then create a plausible reason for the target to provide information they would otherwise never give out over the internet. The amount of information available about people on the internet is astounding, you could even generate an email like this:

Dear Mr Baker,

I am a good friend of Dave Ross who I understand you met on your travels here in New Zealand. He told me you and your family are currently having problems obtaining work visa’s. I work for Wallabe Wallets in Auckland and I think we could work something out where I could possibly sponsor a work visa for you. I also have a good friend who is a dean of students at a private school here who may be able to assist your wife, Courtney, in getting a teaching position. I know it is an odd request but I really would like to help out you and your family. If you could send me a photo copy of your, and your wife’s passports I could get started on the necessary paperwork.

Sincerly,

Foster A.F. Beer

You may recognize some of the facts from the above message, they all came from Baker’s travel posts on Man Vs. Debt. I know Baker probably wouldn’t fall for something like this but you can see how including facts and making the message personal can make it more plausible.

The majority of average Phishing e-mails are written by some money grubbing Russian Hacker who doesn’t speak very good English. Tell tale signs of a fake e-mail are typos. A big bank has so many loopholes to jump through before sending out a mass mailing that they aren’t going to have typos like I have in my posts. Hey it is just me. Spear Phishing on the other hand is targeted and precise. The people creating these messages are much more sophisticated and these scams will not be so easy to spot.

Tips for Not Getting Hooked

  1. Never click on a link in an email. Never click a link in an email, it could be bad and you didn’t catch it. Bookmark all of your financial related websites and only access those sites via the bookmarks or by directly typing in the website address. This way you avoid the potential of falling prey to those click through e-mails.
  2. Watch for typos. Like I said previously, most mass produced phishing emails are going to have typos, things you wouldn’t normally expect. If you see something like this immediately delete/discard the message. If you truly suspect it is a phishing scam, especially for your bank or other financial institution you should report it to that bank. They will log it and verify it is a fake and notify their other users.
  3. Never click on a link in an email. Even when your friends send you that forwarded message about the hot chick running on the beach with the big, you know, toes.. Don’t click it. It could be what you expect or it could be a virus, trojan or some other nefarious site.
  4. Think before you act. If you really sit and think about the request someone is making of you, regardless of the facts they use, is it normal. Would you really ever email a complete stranger a copy of your passports? He did say he knew my buddy Dave, but why don’t I call him up and meet him person. The old adage holds up here, if it seems to good to be true, it probably is.
  5. Never click on a link in an email. I know that poor dead horse is getting beaten something fierce. You don’t want to see that video anyway, don’t click on the link.
  6. Web Browser. I mentioned browser choice yesterday when I covered protecting your money. Modern browsers are starting to work to protect you and weed out some of these phishing sites. Make sure your browser is up to date.

Times have changed since the AOL days and scams are becoming more and more prevalent, recent news reports are talking about how thousands of Hotmail accounts as well as Gmail, Yahoo, and AOL accounts were compromised and their credentials posted on the internet after falling prey to a phishing scam (SeattlePI). Not only is phishing dirty and mean, it is illegal.

Just recently the FBI cracked down on a phishing group during operation “Phish Fry” and they arrested 33 in the US, 20 people are still at large. Don’t think you are safe in other countries either, 47 people were arrested as part of the same operation in Egypt (Washington Post).

Now swim free little fishes and watch out the people who want to steal your money, your identity, and your life.

Photo: (rengber)

{ Comments on this entry are closed }

Many people don’t know but this is National Cyber Security Awareness Month. As I have said in the past computer security is part of my job, it is my other passion if you will. I have talked about security in the past, but there is always more to share.

Our computers are becoming the centers of our financial universe. We automate everything, login to our accounts frequently, and monitor it all from single central place. Whether you use Mint, Yodlee, Quicken, or Budget Pulse the easiest way to your accounts and your money is through your computer.

This is a war and you are way behind, this my second post on security. Between the two of them you are well on your way to rocking out in relative safety.

Computer Management

You computer is like your car, or your home. Every now and then a problem will pop up that you didn’t know about before. The same thing happens with your PC or laptop. When problems come up that made it through debugging they need to be fixed. These problems can be minor, or the can be major security holes.

People actually get paid to do nothing but bang on software to find the holes, then develop a way to exploit that hole to take administrative control of your computer. For those of you who huff an puff everytime Microsoft releases a patch. I ask you to take an unpatched Windows XP machine and put on the internet unprotected. The firestorm that will ensue will be amazing. When a patch comes out, patch your machine. No reason to wait, you can’t possibly be doing anything that important.

Antivirus

This is one of my sticking points, antivirus is an extreme necessity, it is also an extreme pain in my, ahem. The problem with antivirus is it is resource intensive, most paid or free antivirus systems have an active scanning component which is resident in memory all the time. For the most part you are just going to have to suck this up. There is no way around it and you want to be sure you are running something for those instances where you click the wrong link. Through all my griping about it, it is worth it for the casual browser, it isn’t going to stop an determined attacker but will protect your from wild virus’.

Browser Choice

The browser you use to access the internet has a lot to do with your susceptibility to compromise and infection. Microsoft has the majority share of the browser market with IE. Because of this most hackers target vulnerabilities specific to IE. Just by switching to a browser like Chrome, Firefox or Safari you are cutting out a chunk of the browser attacks that are out there. I love Chrome because of its minimal interface and speed. I use it for accessing sites I know and frequent often. Random browsing always occurs in Firefox.

I use FireFox for random browsing because of one thing, and one thing only. No Script. No Script is a Firefox plugin which essentially blocks all scripts from running on a site unless I explicitly tell them they can. This will help to prevent zero day attacks that haven’t been patched. If you prevent them from running the code they can’t take control of your computer.

OS Choice

Most people don’t consider security as part of their OS choice, they only look at convenience. It is so much easier to just keep doing what you have always been doing then trying to change to something different. Typically Windows users don’t jump ship to Mac and vice versa. Even less utilized, but considerably more economical, is Linux.

The OS you operate is a big factor in your susceptibility to attack. The majority of computer exploits are for the Windows operating system, this isn’t to say the others don’t’ have their problems but why would anyone focus on something that has such a small market share.

So get out and get crackalacking on securing your PC and look for one more Cyber Security related post tomorrow.

{ Comments on this entry are closed }