It's not my fault, you bastards!


Disclaimer
 
In case you did not know this from before, I am making sure now that you are aware that this blog is completely mine and mine alone. In other words, I say what I want, to whoever I want, however I want, whenever I want. I am entitled to my own opinions as you are to yours. If you don't like what you read, then please go away and never bother to come back. You were not forced or coerced into coming here and most definitely, you are not obligated to stay. So leave, if you think you should. No if's, no and's, no but's, no exceptions.



Wednesday, January 19, 2005

 
More on phishing scams via email

I read on the internet in a tech forum that phishing emails are up, way up over past years, over 4 times as many this year over last year. So, a word of warning is in order...

After my last blog entry, in which I discussed email scams and spam, I thought you might want some details on how phishing works. It works because of HTML (HyperText Markup Language), the language web pages are written in. In HTML, there is a thing called an "anchor" tag. All tags use angle brackets, but I will use square brackets here so your browser will not interpret what I type as a valid clickable link or as valid HTML tags; I don't want your browser to get confused. Here is an example of an HTML tag: [B] and [/B]. These turn BOLD print on and then off on the page. [P] and [/P] denote the start and end of a paragraph. Here is an example of a paragraph with bold text:

[P]This is a [B]NEW[/B] paragraph.[/P]

It would look something like this when displayed by your browser:

This is a NEW paragraph.

Note the word NEW is in boldface type. If you examine the source code from this page, you just might see the same code as I just put up above with angle brackets instead of the square brackets I used. OK, so this leads me to the anchor tag in HTML. The anchor tag looks like this:

[A href=http://www dot xyz dot com]click here![/A]

I substituted the dots in the address with the word "dot" so that, again, it would not be interpreted by your browser as a valid link. When the page is displayed by your browser, you will only see "click here!", but it points to the domain xyz dot com. Imagine if I used "citibank" instead of the text "click here!". You would see an apparently clickable link to citibank, but in reality it would point to xyz dot com. Now, if at xyz dot com there was an index.html file with a faked citibank page, you would be fooled into thinking you were really at citibank when in fact you were at xyz. Now, if they put up a page asking you to enter your account information and your password and/or PIN number, can you see what they could do to you with that information? How would the real citibank know it WASN'T you who logged into the account you have? They (the phishers) would have the account number and your password and/or PIN number to access the account! So, here is what to look for, one way a phisher can redirect your click to them rather than the place you think it is going to:

[A href=http://123 dot 123 dot 123 dot 123]www dot citibank dot com[/A]

Note again, I replaced the actual dot with the word to avoid confusion by your browser. The IP address is also fake. There may be a 123 dot 123 dot 123 dot 123 out there and it may be a valid address, which is why I substitute the words for the actual period characters used in a real address on the web. The actual numbers of the IP address can be almost anything. The key is that there will be numbers, not a valid citibank web address.

Somewhere in the body of the email you received will be an anchor tag similar to the one I made up above. You can ONLY see this if you examine the source code for the email. If you display the email or preview the email, you would only see the text they want you to see, not the actual href pointed to in the anchor tag. If you clicked on this link, you would go to the href, not what was displayed. If at this place they then faked the real site and asked you to log in, you might do it and provide information which would allow them to log in as you at the real site and do some very bad things.

Moral: do NOT click on any link in any email purporting to be from your bank or credit card company. Examine the source code for the email. Your browser has that feature; find it if you don't know how to get there. Turn off any preview feature. Your browser can do this: turn off preview and find where you can examine the source code of a message. Never preview or open an email purporting to be from your bank or credit card company.

There is another threat out there, an executable which is disguised as an attachment. An executable as an attachment will be EXECUTED when you open the email or if you PREVIEW the email. Executable attachments can have an extension of EXE, BAT, COM, SCR, and others. Sometimes, it will appear that it is a TXT file, but then they add many spaces to put the dot EXE extension off the screen so it isn't apparent what the actual extension is. Microsoft allows spaces in a file name, and also dots, so if I made a file name such as this:

notes.txt________________________________________________________.exe

(Many spaces after dot txt and before dot exe. I used underscore characters. Imagine the underscores are space characters in this example.) You might think this is a text file when really it is an executable program. There may be enough spaces to place the dot exe off the screen to the right. If you opened or previewed this email, this executable would run (this is a built-in function of your browser, thank Microsoft for this "feature") and whatever the EXE was designed to do would happen: install spyware, reformat your hard disks, whatever payload the EXE file carried. Maybe nothing. But can you take the chance?
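A mail filter can check for this disguise by looking at the last extension instead of the first one. This is an added example, not code from the original post; inspect_attachment is a hypothetical name, the decoy list beyond "txt" and the three-space padding threshold are assumptions, and the sample file names in the test are constructed.

```python
import re

# Executable extensions named in the post; it notes there are others.
EXECUTABLE = {"exe", "bat", "com", "scr"}
# Harmless-looking extensions shown first; "txt" is the post's example,
# the rest are assumptions added for illustration.
DECOY = {"txt", "doc", "pdf", "jpg"}

def inspect_attachment(filename):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    reasons = []
    # Only the text after the LAST dot decides how Windows treats the file.
    stem, dot, ext = filename.strip().rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE:
        return reasons
    reasons.append(f"real extension is executable: .{ext.lower()}")
    # A second, harmless-looking extension sitting before the real one.
    _, inner_dot, inner = stem.rstrip().rpartition(".")
    if inner_dot and inner.lower() in DECOY:
        reasons.append(f"decoy extension before the real one: .{inner.lower()}")
    # Padding meant to push the real extension off the right edge of the screen.
    if re.search(r"\s{3,}", stem):
        reasons.append("run of whitespace hides the real extension")
    return reasons
```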

Take a lesson here, do NOT preview email, do NOT display email automatically. Examine the source code for the email and look for these spam phishing links which point to somewhere else. Most are IP addresses, sometimes they are hijacked domains, ALL are potentially dangerous. Do NOT click on a link which purports to be from your bank or credit card company. You have a telephone number to call for your bank or credit card company which is found on your statements you get via the mail, USE IT, and verify the email over the telephone. Your bank or credit card company will NEVER use email to verify information, ever. Call them and maybe it might be for real, but if so, the phone call will verify you are talking with the right people, not phishing expeditions trying to rip you off.

As they used to say on a program called "Hill Street Blues",

"Let's be careful out there."


