Monday, September 24, 2007

PC Security DIY Part I: Malware - The Most Wanted Cyber Criminal

By Coenraad De Beer

More or less 3 weeks ago, several anti-scammer websites fell victim to DDoS (Distributed Denial of Service) attacks by the Storm botnet. The comments made on blogs and news sites about these attacks made it clear once again that cyber security experts are well aware of the dangers of malware infections, which are the backbone of any botnet, as well as the impact these infections have on the online industry. The fact that security experts realise these problems is all good and well, but it does not really help address the problem. Normal computer users need to understand the implications of malware infections as well, but more importantly, they have to carry the consequences of their actions if they refuse to take appropriate preventative measures against malware.

Before we start, I would like to explain a couple of terms to users not familiar with DDoS attacks and botnets. A botnet is a network of software robots controlled remotely by crackers. A software robot in this specific case is a compromised computer, infected with specific malware types like Trojan horses and worms. A compromised computer is also called a "zombie computer". A botnet is therefore a collection of compromised or "zombie" computers. I am not going into the details of a DDoS attack, but a Denial of Service attack basically happens when a botnet sends thousands, even millions, of communication requests to a web server. This results in a bottleneck of incoming traffic, causing the server to crash, or making it so slow that it cannot serve the website to normal visitors anymore. An attack from a big botnet will therefore have a much larger impact on a web server than an attack from a smaller botnet. Okay, now that we have the jargon out of the way, let's delve deeper into the impact of malware infections on the Internet as a whole, but also for the individual Internet user.

The Internet is often referred to as the information superhighway. Of course the Internet as we know it today is much more than just an information superhighway; the Internet has become a digital world where many offline tasks can be done online as well. You can work, play, recruit, date, shop, chat, watch TV, listen to the radio and do many other things online. But for the sake of this article I will stick to the term information superhighway, because the rules of the road fit perfectly with what I want to illustrate. According to Wikipedia, it is estimated that up to one quarter of all personal computers connected to the Internet are part of a botnet. This estimate is not that hard to believe; I will even go so far as to say that this figure may be bigger than a quarter of the Internet's population, especially if you take into account the rate at which malware infections spread through the Internet. Ignorance plays a big role in malware infections, but don't leave negligence out of the equation. If it only stopped at ignorance and negligence, large and influential companies are able to address the problem, but they are unwilling to sacrifice profit for the safety of other Internet users.

Internet Service Providers are in pole position to address the increasing threat of malware infections, the one thing that's making botnets grow larger and larger by the day. Unfortunately they are only interested in making money instead of providing a safe and quality service to their loyal and honest customers. No, they would rather keep the clients distributing malware, sending out spam or taking part in Denial of Service attacks, because it means loss of revenue for them if they decide to suspend the services or terminate the accounts of these clients. Most ISPs will state in their Terms of Service that they do not tolerate this kind of behaviour, but it is only done to make them look great on paper; they seldom enforce these terms. John Masters, anti-spam activist and a dedicated supporter of Cyber Top Cops, sent me an e-mail the other day, suggesting that we should roll out penalties against people who use unprotected computers connected to the Internet. Although I realise the difficulty of getting something like this into place, I personally think it is a great idea and I wholeheartedly agree, but before we start to punish the user, start with the ISP for not taking action against the user.

It makes a lot of sense to fine people who use unprotected computers on the Internet. This is why I referred to the information superhighway earlier in this article. The Internet can be compared to a real highway, where several road safety rules apply. Driving on a highway with a vehicle that's not roadworthy does not only put your own safety at risk, but also the safety of other road users. If a traffic officer pulls you off the road and finds that your vehicle is not roadworthy, you will most probably receive a fine (unless you bribe the traffic officer). If you continue to drive like this you may end up with a suspended driver's licence. The same principle applies to computer security. If you use an unprotected computer on the Internet you're not only putting your own safety at risk, but the safety of other Internet users as well. If your ISP becomes aware of the fact that you're connecting to the Internet without appropriate, up-to-date anti-malware software installed on your computer, you are supposed to be fined for putting the safety of all other Internet users at risk. They should suspend your services if you continue to connect to the Internet with an unprotected computer.

Your computer may be distributing malware, sending out spam, phishing e-mails and advance fee fraud scams. Your computer may even be used in Denial of Service attacks. So you end up becoming an accomplice in Internet crime. You unknowingly become a spammer, a scammer or a malware distributor. By using an unprotected computer you contribute to cyber crime instead of fighting it. That's not all, the malware may be monitoring your keystrokes, capturing everything you type, stealing passwords, e-mail addresses, account numbers, social security numbers, credit card numbers, names, telephone numbers, physical addresses... can you see where I'm going with this? These programs are able to compile a complete profile about yourself, this information is then transmitted back to the operator of the malware, who may use it to commit fraud in your name, in other words steal your identity. The perpetrator may even clean out your bank account, open credit cards or take out loans in your name and guess who is going to receive the bills at the end of the month, you!

What are the practical implications of implementing a penalty system for reckless Internet users? First of all, the ISP needs to have solid evidence, proving that the guilty party was really using an unprotected computer. Secondly, if the user had anti-malware software installed on his/her computer, the ISP needs to prove that the software was outdated. Finally, if the user had up to date anti-malware software installed, the ISP needs to prove that the software was not appropriate for preventing malware infections. This means that anti-malware software needs to comply with certain safety standards before they can be accepted as approved anti-malware solutions. This will effectively force all anti-malware developers to put their software through specific tests, conducted by a computer security standards authority. This will also cause anti-malware application prices to rise, which may pull the plug on the development of free anti-malware solutions, unless the developers certify these free applications as well. The ISP should use special software to check whether these approved anti-malware applications are installed on the client's computer. The software should send out several warnings to the clients who do not comply with these standards, giving them a reasonable amount of time to attend to the problems and providing detailed instructions on how to resolve them. Access to the Internet should only be terminated if the user fails to respond to these warnings.

Many people might ask, how should I update my anti-malware application if my Internet access is terminated? Your Internet access should only be terminated if you fail to respond to the warning notifications sent to you. If you end up with a terminated Internet access account, it means you ignored the notifications and you should have thought about the implications of your actions before you decided to ignore them. Others may claim that they are computer illiterate and cannot install software or keep it up to date. Most anti-malware applications update themselves and it does not take a rocket scientist to install them. With most of these installations you simply need to click on the "Next" button until you see a "Finish" button. If you can surf the Internet, then I'm sure you know how to click a button. I understand that not every Internet user is a computer expert, so if you find it difficult to install software, join an online forum like BleepingComputer.com, GeeksToGo.com or TechGuy.org and ask for assistance. It is extremely important to secure your computer before it gets infected with malware.

I just painted a pretty grim picture, didn't I? There is the burden placed on Internet Service Providers to check up on clients, to prove that clients are using unprotected computers, to penalise those who disobey the rules and to close down the accounts of regular offenders. Then there is the problem of high anti-malware prices and no more free anti-malware solutions for the people who cannot afford expensive anti-malware protection. But this is where the Internet is heading if we do not take action now. Online fraud is causing consumers to lose confidence in Internet shopping. Phishing scams are making users afraid of signing up for Internet banking services. People are wary of online payment and trading services like PayPal and eBay, no matter how safe they claim to be. Spammers are stealing bandwidth and the Internet user has to cough up for the costs. Expensive hardware and software is needed to fend off Denial of Service attacks. Malware is at the root of all these problems. It is the biggest contributor to cyber crime and eliminating malware is like removing a species from the food chain. This will be a big blow to spam and bot networks, resulting in less spam and fewer phishing scams, fewer Denial of Service attacks and fewer stolen identities, passwords and credit card numbers. All the money saved through proper prevention of malware, including malware related problems like spam and Denial of Service attacks, can be utilised to build better protection against malware and assist companies to continue the development of free anti-malware solutions for home users.

So what is the bottom line? Internet Service Providers need to take responsibility for their networks. Customers are paying for Internet access, free from spam and malware attacks. It is the responsibility of the ISP to keep spam and malware infections within acceptable limits. Proper legislation needs to be put into place and governments need to take action against ISPs if they allow these threats to rise beyond acceptable limits. How do ISPs keep these threats within acceptable limits? Listen to the complaints sent through to your abuse departments, stop ignoring them, terminate the services of regular offenders and publish these actions for everyone to see. Make examples of those who do not want to listen and soon enough you will have people sticking to the rules. People will continue to do what they want if they know there is no punishment for their wrongdoing.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, providers of free malware removal assistance and helpful Internet security tips for the novice user. In the next instalment of the PC Security DIY article series, we will look at the foundation of Internet Security, using a secure browser and e-mail client and getting into safe browsing and e-mail reading habits.

Wednesday, September 05, 2007

Choose Your E-mail Address Carefully

By Coenraad De Beer

Did you know that it is important to choose the right name for your electronic mailbox? Very few people realise it and therefore expose themselves to things like identity theft, phishing and yes you guessed it, annoying spam.

What do you normally use as a login name or nickname when you register for an online service? Many people use a number or a keyword that is easy to remember and the easiest thing to remember is obviously your own name. However, your own name is the last thing you should use for any kind of login details and the same rule applies when you choose an e-mail address.

Why is it important for a spammer or phishing scammer to know your name? The main reason is authenticity. Let me explain with an example. If you have an account with PayPal and you receive an e-mail asking you to update your details, are you going to take the e-mail seriously if the e-mail starts with "Dear PayPal Customer"? Most people will say no, but what if your name is John Doe and the same e-mail starts with "Dear John Doe"? You can easily argue that anyone can send a PayPal look-alike e-mail starting with "Dear PayPal Customer", but not everyone knows my name, so chances are good that the latter version is probably from PayPal. I wouldn't be too sure of that, especially if your e-mail address is john.doe@example.com. People often use a dot (.), a dash (-) or an underscore (_) as a separating character in their e-mail addresses, and even a novice computer programmer will be able to extract the name and surname part from an e-mail address similar to the one given above.

An e-mail starting with your name draws your attention immediately, so you tend to read more carefully and in most cases, the whole e-mail. Most people will respond immediately if they hear someone calling their name. The same basic principle applies to e-mails starting with your name, or containing your name in the subject line. This is why it is so popular among e-mail marketers to use your name in the subject line, you immediately want to see what the e-mail is about, because the person addressed you personally, like a friend or familiar person would do. Spammers use the same technique so that recipients open their e-mails and read what's inside. They normally use the first part of your e-mail address as your name in the hope that it contains your real name.

What about jdoe@example.com or doej@example.com or jd@example.com? If everyone calls you John, then jdoe, doej or jd will have little effect on drawing your attention. If someone sends you an e-mail with a subject line reading "john.doe check this out" and another one sends you exactly the same e-mail, but changes the subject line to "jdoe check this out", which one will draw your attention the most? The first one, of course, and it will attract even more attention if the spamming software replaced the dot between your name and surname with a space, wouldn't it?

OK, so let's come back to the example of the PayPal phishing e-mail. People are less suspicious when their real names are mentioned in the e-mail, but you will always be able to spot a scam if you choose an e-mail address that is not related to your name, surname or any of the nicknames your friends and family normally use. In other words, when you see someone using the first part of your e-mail address in the subject line, instead of your real name, you can know for sure that the e-mail is the work of a spammer, and if the sender used it in the body of the e-mail, then it is obvious that the sender doesn't have a clue what your real name is. PayPal is supposed to know what your real name is, so if your e-mail address is jdoe@example.com, then they will never send you an e-mail starting with "Dear jdoe"; only spammers will.

What if my current e-mail address contains my name or surname? I know that it is a lot of work and a huge frustration to change from one e-mail address to another, a lot of people have to be informed and a lot of e-mail subscriptions have to be changed. If your current e-mail address contains your name or surname, consider changing it as soon as possible and rather choose a name that does not reveal any personal information. A telephone number written on a little piece of paper reveals nothing about the name or surname of the owner, your e-mail address should have the same effect on strangers.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software.

Monday, August 20, 2007

Fighting Spam - Is It A Losing Battle?

By Coenraad De Beer

A loyal reporter of spam asked me the other day whether we are fighting a losing battle against spam. He goes out of his way to report several spam e-mails every day, not the normal routine of spotting a spam e-mail and forwarding it; no, this guy did his homework before he went out on a crusade to battle spam. Because I know what hard work it is to take action against spam, I can understand why he asked this question. After a hard day of fighting spam, you come to the conclusion that all your attempts are in vain. Abuse departments never reply to your reports and the volumes of spam hitting your mailbox seem to magically increase as you report more spam. So you are left with only one unanswered question: are we fighting a losing battle?

In June this year, Neo from WebProWorld started a very interesting discussion on spam. Although his post mainly revolved around forum spam, he did touch on a very topical issue. Spam is not limited to one medium; spam is a much bigger problem than most people realise. We have to deal with forum spam, search engine spam, e-mail form spam, guest book spam (for those who still use guest books on their websites), article spam (yes, article syndication can also turn into annoying spam), IRC spam, blog spam, comment spam, ebook spam, affiliate network spam, mobile phone spam, and of course the infamous unsolicited junk e-mails. I am sure I missed a couple, but I think you get the picture: spam has infiltrated almost every digital form of communication. No wonder people become pessimistic about fighting spam.

Some interesting reasoning came to light during this discussion on WebProWorld. One thing that sticks out its head in every discussion about spam is the apathetic approach towards spam. The attitude of "spam has always been a problem and will always be, live with it, accept the problem, you cannot change it, nor can you fix it". There is no merit in any of these statements, so let's take a closer look at them and I will show you why. "Spam has always been a problem". Really? Spam started to become a problem when people discovered its marketing potential. Spam wasn't a problem in the early days of the Web; we allowed it to become a problem by accepting the problem. Yes, people got punished back then, but the spam volumes increased so much that it became impossible to punish every single spammer. Companies seem to be more concerned about treating the symptoms (with spam filters) than attacking the root of the problem. The right statement would be: "Spam has always been allowed to be a problem."

"Spam will always be a problem". Do we know for certain? Spam may eventually cause the collapse of the e-mail communication system, and how does something remain a problem if the infrastructure is gone? If you believe that spam will always be a problem, then you obviously believe that whatever replaces e-mail will also fall victim to spam. Probably, but the creators of a new communication infrastructure will be complete idiots if they allow history to repeat itself. Spam has become a problem because of crippling legislation and in certain cases a total lack of legislation. How can we battle spam if legislation allows spammers to spam you until you tell them to stop? It's like allowing murderers to kill you until you tell them to stop. Can you see how ridiculous our current spam legislation is? Spam will always be a problem, as long as we allow useless laws to regulate it.

"Live with it, accept the problem, you cannot change spam, nor can you fix it". People change, they adapt to their environment. Our kids are growing up with spam, so it will have a far smaller effect on them than it had on us. Those of us who grew up with commercials and ads displayed during our favourite TV shows have developed a kind of blindness to these ads. Our children will also develop spam blindness over time; they will not respond to spam as easily as we do. It is a matter of education and removing the ignorance. Spam only works because people continue to respond to it. According to an article by Michael Specter, "Damn Spam - The losing war on junk e-mail", spammers usually need to send a million e-mails to get fifteen positive responses; for the average direct-mail campaign, the response rate is three thousand per million. With a response rate as low as that you can easily see where spam could be heading if we can limit the response rate to zero. There will be no sense in sending spam anymore. People need to realise what is counted as a response and what they can do to limit accidental responses. Yes, simply opening the e-mail already counts as a response in many cases.

Should we accept spam, should we live with it? Well, you can easily ask, should we accept serious crimes like murder, rape and armed robbery? Just think what would happen if we had the same attitude towards these wrongdoings, crimes forbidden by civil law. What is civil law? It is actually common sense. We know it is wrong to steal money from someone else, but we are willing to live with a system where it is acceptable for other people to waste our money. That is exactly what spam is. Conventional advertising demands an investment from the advertiser, making it an unattractive medium for cheap unsolicited bulk advertising. However, in the case of spam, the consumer ends up paying for the advertising. Some spammers do not even pay a penny for sending these batches of spam; they have bot networks doing the work for them. These bot networks consist of consumer PCs infected with malware. The one consumer (the sender) unknowingly pays to send the spam and the other consumer (the recipient) unknowingly pays to receive the spam. So the consumer coughs up on both sides of the channel.

Brad Taylor, Gmail anti-spam engineer, sees the battle against spam as a war. One side eventually gets tired, and anti-spam authorities cannot allow themselves to get tired in this struggle against spam. Sometimes the spammers get tired of trying to fool the spam filters and eventually give up, but only for a short space of time. During this rest period they regroup to find a loophole in the filtering system. Once they discover a way around it, they start spamming again. Stock market spam is a classic example of this roller coaster ride. Stock market spam was quiet for some time and suddenly it started popping up like weeds via PDF attachments. Spammers will always try to circumvent the system. Does this mean we should give up trying to beat them at their own game? Absolutely not; spammers annoy us with their unsolicited junk, so if we have means at our disposal to annoy them too, why not use them? The war against spam is far from over, the battle against spam is far from lost, I say bring it on.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about the importance of reporting spam.

Monday, June 25, 2007

Pay Close Attention To The URLs In Your E-mails

By Coenraad De Beer

More and more phishing scammers are starting to use clever eye-deceiving techniques with the URLs in phishing e-mails, making victims believe that the URL belongs to the real company portrayed in the fake e-mail. If you receive e-mails from your bank or other financial institutions, look twice before you click on any links.

I'm not talking about the anchor text of the link or the ten feet long look-alike URLs you normally find in conventional phishing e-mails; no, I'm talking about the domain name, the one thing that clearly distinguishes a legitimate URL from a fake one. Online banks normally use simple URLs for their online banking services, making it easy to distinguish them from the long obscure URLs normally used by phishing scammers. But before we go into the details of the deceiving techniques used by phishing scammers, let me give you a brief explanation of how URLs work.

The Top-Level Domain and Sub-Domain
Let's say you are a client of Example Bank. The Example Bank website is called www.example.com. This is the top-level domain. They use the sub-domain www.secure.example.com for their online banking application ('secure' is a sub-domain of example.com, also owned and administered by Example Bank).

Secure Encrypted Connection
Secure encrypted connections always use the prefix https://. So the complete URL for Example Bank's online banking website will be https://www.secure.example.com. Any URL collecting sensitive information like credit card numbers, social security numbers, user names, passwords, etc. should start with the https:// prefix, if it doesn't, get away from it as far as possible.

Expanding The URL With Directories
Directories containing data and files are also stored on a domain. Let's say the login page for the online banking system is called 'loginpage.php' and is stored in the 'login' directory. The final URL, containing these elements, will look like this: https://www.secure.example.com/login/loginpage.php

Variations
Scammers try to fool users by using variations of well-known URLs. If we change our URL to https://www.secure.example.invalid.com/login/loginpage.php, then we are no longer referring to the online banking website of Example Bank, but the website invalid.com. The part of the URL between https:// and the first forward slash (/) is the crucial factor, determining whether the URL points to the right site or not.

Now you have a basic idea of how URLs are constructed and how phishing scammers manipulate them to fool the uninformed. Phishing scammers hide these manipulated URLs by displaying the valid URL in the anchor text (the text of a link). The anchor text is only a clickable object and can be anything under the sun. The underlying URL, and not the anchor text itself, determines which website opens when the user clicks on the anchor text. Most browsers and e-mail clients allow the user to view the URL by hovering the mouse pointer over the link. The actual URL is then displayed in the status bar, the horizontal bar at the bottom of the application screen.

People have started to spot these manipulated URLs more easily and this technique is slowly losing its effectiveness. As a countermeasure to this problem, scammers started to register domains with different extensions. For instance, scammers may register a domain like example.org, example.info or example.co.uk to launch phishing attacks on clients of example.com. However, this will not fool the informed and observant client.

It is in the nature of all cyber criminals to look for new and advanced ways of claiming victims. Phishing scammers are now focussing on registering top-level domains, spelled exactly as the real domain, except for one single letter (or maybe two). An example of such a domain was recently reported at CastleCops, where a Western Union domain was forged as VVesternunion.biz. Most screen fonts separate the two V's quite clearly, but with certain fonts you won't be able to tell the difference between VVestern and Western. Less than a day after the scam was reported at CastleCops, another phishing e-mail was reported at Cyber Top Cops, this time involving a forged Sterling Online Banking domain. The anchor text of each link in this e-mail was displayed as sterlingonlinebanking.com but the actual URL pointed to sterlingonlinebenking.com. This is quite a long domain, so one can easily fail to spot the small difference in spelling.
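The checks described from the "Variations" section down to the look-alike domains above can be automated on the recipient's side. The following Python script is an added example, not code from the original article or from Cyber Top Cops: it pulls the host out of each link, compares the part that actually matters (the registrable domain) against the bank's real domain, and reports the three tricks the article describes (a real-looking sub-domain on someone else's site, the same name under another extension, and a near-miss spelling such as "VV" for "W"). It uses the article's own example.com and the quoted sterlingonlinebanking.com; it assumes that westernunion.com is the legitimate Western Union domain, that the public suffix is a single label unless told otherwise (no Public Suffix List is consulted), and the sample e-mail body at the end is constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Registrable domain of the bank from the article's example (assumed value).
REGISTRABLE_DOMAIN = "example.com"


def registrable_domain(host, suffix_labels=1):
    """Return the last suffix_labels+1 labels of the host, e.g. 'example.com'.

    Assumption: the public suffix has one label (.com, .org, .biz). For a
    two-label suffix such as .co.uk pass suffix_labels=2. A real deployment
    would consult the Public Suffix List instead of this shortcut.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def normalise_lookalikes(label):
    """Collapse the confusable sequence named in the article ('vv' looks like 'w').

    This is deliberately only the case discussed above, not a full homoglyph table.
    """
    return label.replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: how many single-letter edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, legit_domain=REGISTRABLE_DOMAIN, suffix_labels=1):
    """Classify a URL against the expected registrable domain.

    Returns 'ok', 'no-https', 'subdomain-trick', 'other-tld', 'lookalike'
    or 'unrelated'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unrelated"
    site = registrable_domain(host, suffix_labels)
    if site == legit_domain:
        # Right site; the article also insists on https:// for login pages.
        return "ok" if parts.scheme == "https" else "no-https"
    legit_name, legit_tld = legit_domain.split(".", 1)
    name, tld = site.split(".", 1) if "." in site else (site, "")
    if name == legit_name and tld != legit_tld:
        return "other-tld"            # example.org, example.info, example.co.uk
    if f".{legit_name}." in f".{host}.":
        return "subdomain-trick"      # www.secure.example.invalid.com
    if edit_distance(normalise_lookalikes(name), legit_name) <= 2:
        return "lookalike"            # vvesternunion.biz, sterlingonlinebenking.com
    return "unrelated"


# Minimal anchor extractor for the constructed HTML e-mail below.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def audit_email_links(html, legit_domain=REGISTRABLE_DOMAIN):
    """Return (anchor_text, href, verdict) per link. A verdict gets the suffix
    '+misleading-anchor' when the visible text names the real domain but the
    underlying href goes elsewhere, the exact trick the article warns about."""
    results = []
    for href, text in ANCHOR_RE.findall(html):
        verdict = classify_link(href, legit_domain)
        text_clean = re.sub(r"<[^>]+>", "", text).strip()
        if verdict != "ok" and legit_domain in text_clean.lower():
            verdict += "+misleading-anchor"
        results.append((text_clean, href, verdict))
    return results


# Constructed sample e-mail body (not a real message) mixing the tricks above.
SAMPLE_EMAIL = """
<p>Dear customer, please visit
<a href="https://www.secure.example.invalid.com/login/loginpage.php">https://www.secure.example.com/login</a>
to verify your details.</p>
<p>Or go to <a href="https://www.example.org/login">Example Bank</a>.</p>
<p>Account page: <a href="https://www.secure.example.com/login/loginpage.php">our site</a></p>
"""

if __name__ == "__main__":
    for text, href, verdict in audit_email_links(SAMPLE_EMAIL):
        print(f"{verdict:35} {href}  (shown as: {text})")
```

Only the host between the scheme and the first slash is judged, exactly as the article says; the path and the anchor text are ignored for the verdict and the anchor text is used solely to flag the mismatch. The edit-distance threshold of two letters matches the "one single letter (or maybe two)" the article describes and would need tuning for very short domain names, where two edits can turn one legitimate name into another.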

Several different phishing scams are often sent to a single recipient. It is easy to ignore these e-mails, because the same e-mails are delivered over and over again, they contain similar characteristics and no one really cares about e-mails from companies of which you are not even a client. But the game of phishing becomes a dangerous one if you receive a phishing e-mail representing a company of which you happen to be a client. Your chances of becoming a victim increase when the phishing scammer uses some of the eye-deceiving gimmicks discussed in the previous paragraph. It is therefore extremely important that you double check the URLs before clicking on them, especially if the e-mail appears to be from your bank or any other financial institution.

Most online banks request their clients to visit their home page and log into their account from there, their e-mails never include links pointing directly to the secure online banking server. Instead of adding links to their e-mails, some organizations instruct their clients to type the domain name directly into a browser, without even mentioning the domain name in the e-mail. But this only works with clients of well-known companies like PayPal and eBay.

As a general rule of thumb, banks never send e-mails to their clients requesting them to verify their details, to take part in online surveys, or informing them about suspicious activity discovered or restrictions placed on their account. Banks will not send you an important notice via e-mail and run the risk of it never reaching your inbox, something that happens very often with all the spam filters installed on our machines these days. You can be sure that your bank will require a personal visit from you, at one of their branches (or even head office in severe cases), whenever you need to resolve serious matters like account restrictions, suspicious activity on your account or fraud. A simple e-mail, a quick login and a click of a button will not do the job in the real world. Computers are way too gullible for that.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software. The details discussed in this article are put into practice through simulation 2 and 3 of their Online Threat Simulations.

Monday, June 18, 2007

Security Flaw Announcements - The Wrong Way Of Doing The Right Thing

By Coenraad De Beer

The latest security flaws in the world of software are always popular topics for online discussions, newsletters and articles. Discovering the latest security flaw in a popular application is still the most favourite pastime for many freelance journalists and technical gurus. The problem does not lie in the disclosure of the flaws as such, the problem lies in the approach towards the disclosure as well as the timing of the disclosure.

Security flaw announcements have grown into a very popular electronic sport. It is a constant race against time to become the first one to announce the latest flaws found in the most famous software applications. Rival users of similar products are often in competition with each other to prove which application is the most secure. It is often a case of throwing mud at each other, instead of taking the safety of other users into consideration.

Do non-technical users sign up for technical newsletters, do they read technical blogs or do they take part in technical discussions? Many of them don't; in most cases it is only technical people discussing these matters and reading the technical newsletters. Most people are only interested in using the software and do not care about taking part in a forum discussion about the latest security flaw in the software. This is the point I'm trying to make: if your goal is the safety of other users, who do you want to save when your forum post or article never reaches the audience who needs the information the most? Even if you reach the right people, what's the use of announcing a flaw if you can't provide a safe and solid solution to the problem? What do you want people to do when a severe virus is raging on the Web, a virus for which there is no fix at that specific time? Do you think everyone will suddenly stop using the Internet because of your useless information? You are only giving the flaw unnecessary publicity, exposing each user of the software to even greater exploits.

The animated cursor flaw of Internet Explorer is a good example where there was no solid solution to the problem when it became a known threat. At least most people suggested that Internet Explorer users switch to Firefox, but every coin has two sides. The flaws of Internet Explorer proved once again that there is ample reason to switch to a safer alternative like Firefox, but we all know how reluctant most Internet users are to switch to a new browser. Yet again, if people do not want to listen to good advice, let them burn their fingers. Unfortunately this flaw resulted in debates about which browser has the most flaws; it's like arguing about whose car is the fastest if there is no road to drive it on. Switching to a safer browser will not disinfect a PC already infected with a virus. After all, what's the use of having the safest browser in the world if you can't even get it to run on an infected PC?

Software developers should provide proper channels through which users can report flaws and, more importantly, companies should act promptly on these reports. It is because of the poor response from major companies that people start to seek alternative methods, out of frustration with their hear-no-evil, see-no-evil approach. A while ago I discovered a severe flaw in a very popular free anti-virus application, but the only channel through which I could discuss problems surrounding the free version was their online forum. This means you seldom talk to the actual developers or employees of the company, only forum moderators and members. I understand and I have experienced these frustrations: if there is no one you can talk to about a serious problem surrounding their software, who on earth do you turn to?

There is a huge difference between the announcement of a security flaw and the announcement of a patch to fix a flaw. If you can't provide a proper workaround for the problem, if you are unable to tell someone who can do something about it, keep it to yourself. Announcing security flaws without contributing to the solution is like someone announcing the release of poisonous gas into the air and instead of handing out gasmasks, he suggests that everyone hold their breath until the gas is gone.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software.