Monday, February 07, 2005

Phishing is getting more tricky and insidious 

"Phishing" scams, you'll remember, are when someone sets up a fake web site pretending to be your bank or something else so they can trick you into typing in your banking password. Then they can use the password to loot your account.

Security people used to recommend, back in the good old days a few months ago, that you type in your bank's web address yourself or choose it from a bookmark. The crooks have already found a way around that precaution. If they can get one of their programs running on your computer they can reprogram your computer to intercept requests for the real bank's address and send them to the crook's web page instead. In other words, you can type the right address and your computer will go to the wrong one anyway.
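One place the "reprogramming" described above commonly happens is the local hosts file, which the operating system consults before asking DNS. The following added example (not from the original post) parses a hosts file and flags any watched domain that has been pointed at a non-loopback address; the file contents and the watched domain `examplebank.com` are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from any real machine).
# The last entry is what a pharming override of a bank's name would look like.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# constructed override added by malware
203.0.113.10   www.examplebank.com examplebank.com
"""

# Domains whose local overrides we want to be told about (constructed list).
WATCHED = {"examplebank.com"}


def parse_hosts(text):
    """Yield (line number, ip address, [hostnames]) for each usable hosts entry.

    Comments (everything after '#') and blank lines are skipped, and lines whose
    first field is not a valid IP address are ignored rather than guessed at.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((lineno, addr, fields[1:]))
    return entries


def find_overrides(text, watched):
    """Return hosts-file entries that map a watched domain (or a subdomain of it)
    to anything other than a loopback address."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if addr.is_loopback:
            continue  # 127.0.0.1 / ::1 entries are normal
        for name in names:
            name = name.lower().rstrip(".")
            if any(name == w or name.endswith("." + w) for w in watched):
                findings.append({"line": lineno, "name": name, "address": str(addr)})
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS, WATCHED):
        print(f"line {f['line']}: {f['name']} -> {f['address']}")
```

On a real machine you would read `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`) instead of the embedded sample. A clean hosts file normally contains only loopback entries, so a non-loopback mapping for a bank or payment site is worth investigating even if it is not on your watch list.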

Can you tell whether you've been sent to the wrong web site? Maybe, maybe not. There's an arms race going on between phishers and web browser developers where the browser developers program in new ways to show where you really are on the web, and the phishers invent new ways to trick the browser into displaying the wrong location.

Right now the crooks are ahead. There is a new and better version of an old trick where they'd put their crooked web site at a name subtly different from that of a real web site. For example, they'd replace the lowercase letter L in the real site's name with a numeral one, so they might put their password stealer at "chemica1bank.com" and try to trick you into clicking on a link to there. The new way is to use a feature of modern browsers that lets them display web site addresses from multiple human languages.

Some languages, it turns out, have letters that look like they're part of the English alphabet but really aren't. Here's a safe example. Take a look at these links, which are not Paypal. Hover over them, paste them into another program, or even follow them (they go to a page that says "meow"). If you follow the second link, see what happens when you click the padlock icon at the bottom right of your browser window.

The padlock icon is supposed to ensure that you're really talking to the website you think you're talking to. It doesn't help you against this scam: it sits there and solemnly says, in effect, "I've just used sophisticated mathematics to prove for sure that this web site isn't paypal but has a name that looks the same". Gee thanks.

(Skip this paragraph unless you're the type who likes to look under the hood of a car. There's still a way you can find out you're being scammed. Click on the padlock icon and look for something with a name like "view certificate" or "certificate details". It will show a name for the site you're looking at. The name will begin with "xn--" if there are non-English characters in the name. But that doesn't prove you're being scammed, because a legitimate Swiss bank or French eBay subsidiary might put non-English characters into their name.)
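The two tricks described above (a numeral one standing in for a lowercase L, and a letter from another alphabet standing in for a Latin one) can both be caught mechanically. The following added example, which is not part of the original post, does what the certificate viewer does behind the scenes: it converts each label of a hostname to the "xn--" form with Python's built-in `idna` codec, records which scripts the letters come from, and compares a crude look-alike "skeleton" of the name against a watch list. The confusables table and the watch list are small constructed samples, not a complete reference; a full list of confusable characters is much longer.

```python
import unicodedata

# Constructed, deliberately tiny table of look-alike characters.
# Maps a look-alike to the Latin letter it imitates.
CONFUSABLES = {
    "1": "l", "0": "o",                       # digits that pass for letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",  # Cyrillic р с х
}

# Constructed watch list of brand names we care about.
WATCHLIST = {"paypal.com", "chemicalbank.com"}


def script_of(ch):
    """Script of a letter, taken from the first word of its Unicode name
    ('LATIN', 'CYRILLIC', ...); None for digits, hyphens and dots."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def analyze_hostname(host):
    """Describe each label of a hostname: its ASCII (punycode) form, the scripts
    used, and whether it mixes scripts, which a legitimate name rarely does."""
    labels = host.rstrip(".").lower().split(".")
    report = {"host": host, "labels": []}
    for label in labels:
        scripts = {s for s in map(script_of, label) if s}
        try:
            ace = label.encode("idna").decode("ascii")  # 'xn--...' for non-ASCII
        except UnicodeError:
            ace = None
        report["labels"].append({
            "label": label,
            "ace": ace,
            "scripts": sorted(scripts),
            "is_idn": ace is not None and ace.startswith("xn--"),
            "mixed_script": len(scripts) > 1,
        })
    report["ace_host"] = ".".join(l["ace"] or l["label"] for l in report["labels"])
    # A single non-Latin script (e.g. an all-Cyrillic name) is legitimate;
    # mixing scripts inside one label is the classic homograph signature.
    report["suspicious"] = any(l["mixed_script"] for l in report["labels"])
    return report


def skeleton(host):
    """Replace each known look-alike with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def looks_like(host, watchlist=WATCHLIST):
    """Return the watch-list name this host imitates, or None if it is either
    a genuine watch-list name or does not resemble one."""
    if host.lower() in watchlist:
        return None
    sk = skeleton(host)
    return sk if sk in watchlist else None


if __name__ == "__main__":
    for h in ["paypal.com", "p\u0430ypal.com", "chemica1bank.com"]:
        r = analyze_hostname(h)
        print(h, "->", r["ace_host"], "| mixed script:", r["suspicious"],
              "| imitates:", looks_like(h))
```

Running it shows `pаypal.com` (Cyrillic а) becoming `xn--pypal-4ve.com`, the form the certificate viewer displays, while `chemica1bank.com` stays pure ASCII and is caught only by the skeleton comparison. Browsers later adopted similar mixed-script rules to decide when to show the punycode form instead of the Unicode one.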

Want a chuckle? There's only one web browser where this new scam doesn't work. It's Microsoft Internet Explorer. It's so far out of date it doesn't even have the feature this scam takes advantage of.

All these scams will work against Mac and Linux users too.


What can you do?
