Monday, April 04, 2005
Phishing keeps getting worse
There's yet another new wrinkle on the "phishing" scams that try to trick you into typing sensitive information into a rogue web site.
The first phishing scams ("phrauds"?) sent you email with a link to click and a scary message that said you needed to log in to your bank or eBay account right away. You could defend yourself by starting sensitive transactions yourself, from a bookmark or by typing the address.
More recently the crooks have been trying to reprogram your computer to send you to a different web address even if you type in the correct address. You could defend yourself, sort of, by running antivirus and antispyware software and practicing good hygiene to keep crooks from installing nasty software on your computer.
The current generation is really scary. The crooks are reportedly subverting the Internet's directory service that looks up how to reach a web site based on its name. It's as if someone reprogrammed the telephone network to send calls meant for one place to a different phone number. (Which has happened: see this amusing story).
I can't think of a really good way to protect yourself. You could try bookmarking or memorizing the actual address of your bank, which is a string of four numbers with periods in between them. But that's not a good idea because your bank might need to change addresses while keeping the same name.
There's a trick that I wish I had come up with. Enter a bogus password the first time you try to log in. The bad guys are trying to steal your real password, so they don't know what it is, so they can't tell it's bad and they have to let you in. Your bank will say no and ask you to try again. That trick will work until the bad guys start forwarding everything you type to your real bank.
You could also get used to reading the "certificates" that are supposed to identify the web site you're sending your credit card to. Next time you're in a "secure" session, right-click on the padlock icon at the bottom right of your browser window and just browse. Ignore most of the information you see, which won't make sense to you anyway. Look for the date the certificate was created, and the exact name to which it was issued. Be suspicious if it says something like "Freindly Bank" or "Payp@l". The ultimate check is too much work for normal people -- that would be making a note of the long string of letters and numbers called the "thumbprint" and getting suspicious if it ever changes.
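Those three certificate checks (has the thumbprint changed since last visit, is the issued-to name merely a lookalike of the real one, was the certificate created only days ago) are easy to automate. The script below is an added example, not code from the original post; the host name `bank.example`, the pin store, the dates and the `SAMPLE_DER` bytes are constructed stand-ins, and `fetch_certificate` is the only part that needs a network connection.

```python
"""Added example (not from the original post): automate the certificate checks
the post describes -- record a site's thumbprint and notice when it changes,
flag issued-to names that merely look like the expected one, and notice a
certificate that was created only days ago.  Host names, the pin store and
the sample bytes below are constructed for illustration."""
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER bytes of the certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def thumbprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER encoding, formatted like the 'thumbprint' a browser shows."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: dict, host: str, der_bytes: bytes) -> str:
    """Compare against the thumbprint recorded for this host; the first visit just records it."""
    fp = thumbprint(der_bytes)
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "first-seen"
    return "match" if known == fp else "changed"  # an unexpected change is the alarm


# Characters that a lookalike name swaps in for ordinary letters ("Payp@l").
CONFUSABLES = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "|": "l"})


def normalize_name(name: str) -> str:
    """Lower-case, fold confusable characters and drop spaces/punctuation."""
    return "".join(ch for ch in name.lower().translate(CONFUSABLES) if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment), so 'Freindly' is one edit from 'Friendly'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def name_verdict(issued_to: str, expected: str) -> str:
    """'ok' for the exact name you recorded, 'lookalike' for a near miss, else 'mismatch'."""
    if issued_to.casefold() == expected.casefold():
        return "ok"
    a, b = normalize_name(issued_to), normalize_name(expected)
    if a == b or edit_distance(a, b) <= 2:
        return "lookalike"
    return "mismatch"


def is_suspiciously_fresh(not_before: datetime, now: datetime, max_age_days: int = 7) -> bool:
    """A bank's certificate is rarely brand new; one minted days ago deserves a second look."""
    return now - not_before < timedelta(days=max_age_days)


def audit(pins, host, der_bytes, issued_to, expected_name, not_before, now=None, max_age_days=7):
    """Run all three checks and return the list of warnings (empty means nothing looked off)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if check_pin(pins, host, der_bytes) == "changed":
        findings.append(f"thumbprint for {host} changed: now {thumbprint(der_bytes)}")
    verdict = name_verdict(issued_to, expected_name)
    if verdict != "ok":
        findings.append(f"issued-to name {issued_to!r} is a {verdict} for {expected_name!r}")
    if is_suspiciously_fresh(not_before, now, max_age_days):
        findings.append(f"certificate for {host} was created less than {max_age_days} days ago")
    return findings


# Constructed stand-in for DER bytes; a real run would use fetch_certificate(host).
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"


def demo():
    """Two constructed visits: a clean first visit, then an impostor with a new
    certificate, a near-miss name and a days-old creation date."""
    pins = {}
    now = datetime(2005, 4, 4, tzinfo=timezone.utc)
    clean = audit(pins, "bank.example", SAMPLE_DER, "Friendly Bank", "Friendly Bank",
                  now - timedelta(days=400), now)
    impostor = audit(pins, "bank.example", SAMPLE_DER + b"!", "Freindly Bank", "Friendly Bank",
                     now - timedelta(days=1), now)
    return clean, impostor


if __name__ == "__main__":
    clean, impostor = demo()
    print("first visit:", clean or "nothing suspicious")
    for warning in impostor:
        print("WARNING:", warning)
```

The pin store is deliberately kept simple (a dict keyed by host name); the one design point worth copying is that a changed thumbprint is reported rather than silently overwritten, since the whole value of the check is noticing the change.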