Tech Team Newsletter - Volume 4 Issue 10

Tech Team: In the Trenches

November 2006 Volume 4 Issue 10

Table of Contents

"Phishing" – No Rods Required
By Starlyn J. First

"Phishing" and "pharming." Granted, the spellings are in "leetspeak" in which "ph" is commonly substituted for "f" (but that’s another article!). However, the phonetic meanings allude to sophisticated lures to "fish" or "farm" for financial information, passwords and anything else phishers can use for criminal activity. And, at its 10-year anniversary, when the first noted mention of phishing appeared on an AOL newsgroup page, it’s becoming an increasingly worrisome issue.

Whether a novice or a technically savvy end-user of computers and online activity, chances are extremely high you’ve received an e-mail or instant message written with the sole intent of scaring you into responding. Have you found yourself looking at such an e-mail and thinking, "Hmm, this looks important; I’d better see what it’s about" or "what if this is something I need to address; what will happen if I don’t?" That’s exactly what the phishers are hoping for. They are very good at masquerading as a trustworthy entity, and utilize social engineering techniques to get you to give up your passwords, credit card details and more. (Social engineering = ‘spoofed’ e-mails leading you to counterfeit Web sites.)

For instance, phishers have become so good at what they do that their success rate is very high for attacks on social networks such as MySpace, chat rooms, and the like. In the past, e-mails were indiscriminately sent in hopes of latching on to a certain service or bank’s customer base. Now, they can establish which bank potential phishes (that’s you!) have a relationship with, and utilize that info to send that spoofed e-mail you’ve most likely seen in your inbox. You’re now a targeted version of phishing, appropriately named "spear phishing." As a REALTOR®, there may be times you need to obtain personal information on a client. Just be aware that, once you tap into specific financial institutions and the like, you may then be a target.

So, how do you recognize the technical deceptions phishers design to fool you into thinking e-mails and links are legitimate? First, look for misspelled URLs, a common trick, or they can make the text for a link look like a valid URL, but it actually goes to the phisher’s site. Many Web browsers will give you the option, through a warning message, to continue to the site in question, or canceling. As a REALTOR, you don’t want to miss out on a sale’s opportunity or a potential client lead. Therefore, you may be tempted to open all e-mails and head to the linked site. Heed the warning, take a second look at that address bar or link, and go forth wisely.

Sometimes, an attacker can use a bank or service’s own scripting or photos (logos, etc.) directing you to sign in on the company’s Web page – and everything appears to be correct. But, the link to the Web site is designed to attack. This one is very difficult to spot except to the trained eye, so don’t beat yourself up if you find yourself there. This method recently was used against PayPal. If you’ve used PayPal in the past, you probably have seen this attempt. In fact, phishing has become very prevalent against PayPal as well as AOL. The latter has added a line throughout its site (and on instant messages), "AOL employees will never ask for your password or billing information." They also suggest it’s a good idea to change your password often to avoid phishing and spyware/crimeware activity.

Even phishing attempts against the IRS have been reported, created to obtain sensitive information from U.S. taxpayers! Nothing is sacred, and no one entity is exempt from these creative miscreants.

And, just when you think you’ve become educated enough to recognize phishing attempts, now there are messages that direct you to dial a phone number to inquire about a "problem" with your bank account. Prompts then tell you to enter your account number and PIN. Don’t be fooled. Contact the company in question to inquire about legitimate e-mails. Err on the side of safety. Don’t be phishes and, technically, your life will go swimmingly well.