Monday, June 25, 2007

Pay Close Attention To The URL's In Your E-mails

By Coenraad De Beer

More and more phishing scammers are starting to use clever eye-deceiving techniques with the URLs in phishing e-mails, making victims believe that the URL belongs to the real company portrayed in the fake e-mail. If you receive e-mails from your bank or other financial institutions, look twice before you click on any links.

I'm not talking about the anchor text of the link or the ten-feet-long look-alike URLs you normally find in conventional phishing e-mails; no, I'm talking about the domain name, the one thing that clearly distinguishes a legitimate URL from a fake one. Online banks normally use simple URLs for their online banking services, making it easy to distinguish them from the long, obscure URLs normally used by phishing scammers. But before we go into the details of the deceiving techniques used by phishing scammers, let me give you a brief explanation of how URLs work.

The Top-Level Domain and Sub-Domain
Let's say you are a client of Example Bank. The Example Bank website is called www.example.com. This is the top-level domain. They use the sub-domain www.secure.example.com for their online banking application ('secure' is a sub-domain of example.com, also owned and administered by Example Bank).

Secure Encrypted Connection
Secure encrypted connections always use the prefix https://. So the complete URL for Example Bank's online banking website will be https://www.secure.example.com. Any URL collecting sensitive information like credit card numbers, social security numbers, user names, passwords, etc. should start with the https:// prefix; if it doesn't, get away from it as far as possible.

Expanding The URL With Directories
Directories containing data and files are also stored on a domain. Let's say the login page for the online banking system is called 'loginpage.php' and is stored in the 'login' directory. The final URL, containing these elements, will look like this: https://www.secure.example.com/login/loginpage.php

Variations
Scammers try to fool users by using variations of well-known URLs. If we change our URL to https://www.secure.example.invalid.com/login/loginpage.php, then we are no longer referring to the online banking website of Example Bank, but to the website invalid.com. The part of the URL between https:// and the first forward slash (/) is the crucial factor determining whether the URL points to the right site or not.

Now you have a basic idea of how URLs are constructed and how phishing scammers manipulate them to fool the uninformed. Phishing scammers hide these manipulated URLs by displaying the valid URL in the anchor text (the text of a link). The anchor text is only a clickable object and can be anything under the sun. The underlying URL, and not the anchor text itself, determines which website opens when the user clicks on the anchor text. Most browsers and e-mail clients allow the user to view the URL by hovering the mouse pointer over the link. The actual URL is then displayed in the status bar, the horizontal bar at the bottom of the application screen.

People have started to spot these manipulated URLs more easily and this technique is slowly losing its effectiveness. As a countermeasure to this problem, scammers started to register domains with different extensions. For instance, scammers may register a domain like example.org, example.info or example.co.uk to launch phishing attacks on clients of example.com. However, this will not fool the informed and observant client.

It is in the nature of all cyber criminals to look for new and advanced ways of claiming victims. Phishing scammers are now focussing on registering top-level domains spelled exactly like the real domain, except for one single letter (or maybe two). An example of such a domain was recently reported at CastleCops, where a Western Union domain was forged as VVesternunion.biz. Most screen fonts separate the two V's quite clearly, but with certain fonts you won't be able to tell the difference between VVestern and Western. Less than a day after the scam was reported at CastleCops, another phishing e-mail was reported at Cyber Top Cops, this time involving a forged Sterling Online Banking domain. The anchor text of each link in this e-mail was displayed as sterlingonlinebanking.com, but the actual URL pointed to sterlingonlinebenking.com. This is quite a long domain, so one can easily fail to spot the small difference in spelling.
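As an added illustration (my own Python, not code from the article or from Cyber Top Cops), here is a link checker that applies the rules described above: it reduces the underlying URL to the part between https:// and the first forward slash, compares that with whatever domain the anchor text shows, and flags domains that differ from a trusted bank domain only by their extension or by one or two letters (including VV standing in for W). The trusted-domain list, the short public-suffix set, the confusable-glyph pairs and the two-letter threshold are all assumptions chosen for the example; the sample links are constructed to mirror the cases in the article.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; a real checker would use
# the full Public Suffix List instead (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Glyph pairs that render alike in some screen fonts (assumed list).
CONFUSABLE_PAIRS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

# Anchor text that itself looks like a URL or a bare domain name.
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(url: str) -> str:
    """Reduce a URL to the part that decides who owns the site: the host
    between the scheme and the first '/', stripped of its sub-domains."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])   # e.g. example.co.uk
    return ".".join(labels[-2:])       # e.g. example.com


def split_name(domain: str):
    """'example.co.uk' -> ('example', 'co.uk')."""
    name, _, suffix = domain.partition(".")
    return name, suffix


def normalise(name: str) -> str:
    """Collapse look-alike glyph pairs so 'vvestern' compares equal to 'western'."""
    for fake, real in CONFUSABLE_PAIRS:
        name = name.replace(fake, real)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(anchor_text: str, href: str, trusted_domains) -> list:
    """Return the reasons an e-mail link deserves a second look.
    An empty list means the link uses https and lands on a trusted domain."""
    warnings = []
    target = registrable_domain(href)

    if urlsplit(href).scheme.lower() != "https":
        warnings.append("link is not https")

    # The anchor text can say anything; only the underlying URL counts.
    shown_text = anchor_text.strip()
    if LOOKS_LIKE_URL.fullmatch(shown_text):
        shown = registrable_domain(shown_text)
        if shown != target:
            warnings.append(f"anchor text shows {shown} but link goes to {target}")

    if target in trusted_domains:
        return warnings

    warnings.append(f"{target} is not a trusted domain")
    t_name, _ = split_name(target)
    for trusted in trusted_domains:
        name, _ = split_name(trusted)
        if t_name == name:
            warnings.append(f"same name as {trusted} under a different extension")
        elif normalise(t_name) == normalise(name) or edit_distance(t_name, name) <= 2:
            warnings.append(f"look-alike of {trusted}")
    return warnings


if __name__ == "__main__":
    # Constructed links modelled on the cases in the article.
    trusted = {"example.com", "westernunion.com", "sterlingonlinebanking.com"}
    samples = [
        ("https://www.secure.example.com", "https://www.secure.example.com/login/loginpage.php"),
        ("https://www.secure.example.com/login/loginpage.php",
         "https://www.secure.example.invalid.com/login/loginpage.php"),
        ("example.co.uk", "https://example.co.uk/"),
        ("Western Union", "http://VVesternunion.biz/verify"),
        ("sterlingonlinebanking.com", "https://sterlingonlinebenking.com/login"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for w in assess_link(text, href, trusted) or ["looks fine"]:
            print("   ", w)
```

The two-letter threshold is deliberately loose because it is only ever compared against the short list of domains you actually bank with; applied to arbitrary domains it would produce false alarms. The check is a prompt to look twice, which is what the article asks of the reader, not a verdict.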

Several different phishing scams are often sent to a single recipient. It is easy to ignore these e-mails, because the same e-mails are delivered over and over again, they contain similar characteristics, and no one really cares about e-mails from companies of which they are not even a client. But the game of phishing becomes a dangerous one if you receive a phishing e-mail representing a company of which you happen to be a client. Your chances of becoming a victim increase when the phishing scammer uses some of the eye-deceiving gimmicks discussed in the previous paragraph. It is therefore extremely important that you double-check the URLs before clicking on them, especially if the e-mail appears to be from your bank or any other financial institution.

Most online banks ask their clients to visit their home page and log into their account from there; their e-mails never include links pointing directly to the secure online banking server. Instead of adding links to their e-mails, some organizations instruct their clients to type the domain name directly into a browser, without even mentioning the domain name in the e-mail. But this only works with clients of well-known companies like PayPal and eBay.

As a general rule of thumb, banks never send e-mails to their clients requesting them to verify their details, to take part in online surveys, or informing them about suspicious activity discovered or restrictions placed on their account. Banks will not send you an important notice via e-mail and run the risk of it never reaching your inbox, something that happens very often with all the spam filters installed on our machines these days. You can be sure that your bank will require a personal visit from you, at one of their branches (or even head office in severe cases), whenever you need to resolve serious matters like account restrictions, suspicious activity on your account or fraud. A simple e-mail, a quick login and a click of a button will not do the job in the real world. Computers are way too gullible for that.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software. The details discussed in this article are put into practice through simulation 2 and 3 of their Online Threat Simulations.

Monday, June 18, 2007

Security Flaw Announcements - The Wrong Way Of Doing The Right Thing

By Coenraad De Beer

The latest security flaws in the world of software are always popular topics for online discussions, newsletters and articles. Discovering the latest security flaw in a popular application is still a favourite pastime for many freelance journalists and technical gurus. The problem does not lie in the disclosure of the flaws as such; the problem lies in the approach towards the disclosure as well as the timing of the disclosure.

Security flaw announcements have grown into a very popular electronic sport. It is a constant race against time to become the first one to announce the latest flaws found in the most famous software applications. Rival users of similar products are often in competition with each other to prove which application is the most secure. It is often a case of throwing mud at each other, instead of taking the safety of other users into consideration.

Do non-technical users sign up for technical newsletters, do they read technical blogs or do they take part in technical discussions? Many of them don't; in most cases it is only technical people discussing these matters and reading the technical newsletters. Most people are only interested in using the software and do not care about taking part in a forum discussion about the latest security flaw in the software. This is the point I'm trying to make: if your goal is the safety of other users, who do you want to save when your forum post or article never reaches the audience who needs the information the most? Even if you reach the right people, what's the use of announcing a flaw if you can't provide a safe and solid solution to the problem? What do you want people to do when a severe virus is raging on the Web, a virus for which there is no fix at that specific time? Do you think everyone will suddenly stop using the Internet because of your useless information? You are only giving the flaw unnecessary publicity, exposing each user of the software to even greater exploits.

The animated cursor flaw of Internet Explorer is a good example where there was no solid solution to the problem when it became a known threat. At least most people suggested that Internet Explorer users switch to Firefox, but every coin has two sides. The flaws of Internet Explorer proved once again that there is ample reason to switch to a safer alternative like Firefox, but we all know how reluctant most Internet users are to switch to a new browser. Yet again, if people do not want to listen to good advice, let them burn their fingers. Unfortunately this flaw resulted in debates about which browser has the most flaws; it's like arguing about whose car is the fastest if there is no road to drive it on. Switching to a safer browser will not disinfect a PC already infected with a virus. After all, what's the use of having the safest browser in the world if you can't even get it to run on an infected PC?

Software developers should provide proper channels through which users can report flaws and, more importantly, companies should act promptly on these reports. It is because of the poor response from major companies that people start to seek alternative methods, out of frustration with their hear-no-evil, see-no-evil approach. A while ago I discovered a severe flaw in a very popular free anti-virus application, but the only channel through which I could discuss problems surrounding the free version was their online forum. This means you seldom talk to the actual developers or employees of the company, only forum moderators and members. I understand and I have experienced these frustrations; if there is no one you can talk to about a serious problem surrounding their software, who on earth do you turn to?

There is a huge difference between the announcement of a security flaw and the announcement of a patch to fix a flaw. If you can't provide a proper workaround for the problem, if you are unable to tell someone who can do something about it, keep it to yourself. Announcing security flaws without contributing to the solution is like someone announcing the release of poisonous gas into the air and instead of handing out gasmasks, he suggests that everyone hold their breath until the gas is gone.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software.

Monday, June 04, 2007

Adult Related Content - Fuel For Spyware And Spam

Yes, our weekly article is back on track. Due to time constraints and a huge workload, I was unable to write articles for the blog the last couple of months. Things are slowly getting back to normal and hopefully I will be able to fill our regular timeslot each week with a brand new article about cyber crime.

Before we get to this week's article, just a little interesting background information. The article was initially titled "Hardcore Porn - Fuel For Spyware And Spam". According to EzineArticles, this is in violation of Section 2-a of their Editorial Guidelines, more specifically "Website/Author/Brand Names are not Allowed in Your Title". My idea behind the words "Hardcore Porn" was to emphasise the hardcore facts that we are stuck with the most explicit and disgusting material shoved down our throats (and the throats of our children) everyday. I had to change the title to get it approved on EzineArticles, hence I stuck to the same title here.

Do you think Hardcore Porn is a brand name? Generally speaking, isn't this exactly the reason why we are stuck with this junk in our mailboxes? A brand being protected instead of our freedom to use the Internet without being plagued by psychopaths and sex maniacs. What do you think? Please post your comments.

Article written by Coenraad De Beer

People can't thank you enough when you have helped them to get rid of spyware from their computer. But this gratefulness soon changes to disgruntlement when you tell them they need to stay away from their favourite porn websites, 3D sex games, sexy desktop mates and screen savers if they do not want to fall victim to another spyware attack. For these people it is too much to sacrifice, but what they don't realise or don't want to accept is that all these things are not worth the damage they may cause.

Porn is not good for the human psyche; it becomes an addiction just like any other addictive substance. Whether you believe porn is immoral or not is beside the point; it remains a fact, and it is no good for your computer either. But let's forget about the adults for a while and think about our children. In homes where not everyone has his or her own computer, there is a family computer, used by each member of the family. If mom or dad surfs porn websites, do you think it will remain for the eyes of mom and dad only? Unfortunately no. It is not only mom or dad who gets hooked on porn; the family computer gets hooked as well, hooked by spyware. These websites make sure you come back for more by constantly throwing offensive pop-up advertisements in your face while browsing the Web, or simply while working on your computer while being connected to the Internet. The spyware does not know and does not care who is in front of the computer screen; it is only the ad that counts.

A while ago I worked with a HijackThis log from someone struggling with annoying website redirects and Google warning him about being infected with spyware. I replied with the disinfection instructions, but also warned him about the adult-related software that caused the infections. I never received any response from him; he was probably not prepared to get rid of his virtual desktop girlfriend. I guess he must love her very much to be willing to sacrifice his own online security, privacy and the freedom to browse without being redirected to websites he does not want to visit. Not my idea of an ideal relationship. The best of all is that this person also had Parental Control Software installed on his computer. This is either a naughty teenager bypassing the content filters installed by his parents, or even worse, a father who believes the content filters will prevent his children from being exposed to the filthy software installed on the computer. Parental content filters and control software are designed for Internet adult content filtering, like offensive images, websites, e-mails and text, not spyware or adult-related software already installed and allowed to run on your computer. Using parental monitoring software (which does not block content) may help you monitor the activities of your children online, but it does not prevent them from being exposed to adult content in the first place. Anyway, what does it help to monitor your children if you can't set them a better example yourself?

With all the free e-mail services available today, everyone with Internet access has their own e-mail account, even your children. Some spyware programs are also e-mail address harvesters. When a child uses the same computer a parent or older family member uses for browsing porn sites, chances are good that this poor child will fall victim to endless offensive, disgusting and explicit adult-related e-mails. Everyone who uses the infected computer is at risk. If the spyware is a keylogger, the e-mail address is stolen the moment you type your e-mail address into a web form; this can be the page where you log into your e-mail account or when you sign up for a newsletter or web service. The most common method used by spyware is the extraction of e-mail addresses from the e-mail accounts set up with e-mail clients like MS Outlook, Outlook Express or Thunderbird. The spyware may even pull all the addresses from your address book and you may end up becoming a distributor of spam without even knowing it. I don't think your friends and family will be chuffed if they receive porn spam because of your inability to control yourself. If you continue to browse porn websites with the same computer used by your children for e-mail and other Internet activities, don't be surprised if they suddenly ask you out of the blue about Viagra or genital enlargement patches.

When your e-mail address lands on a spammer's list, you are in a catch-22 situation. It is futile to try and get your e-mail address removed from this list. By the time you succeed in getting your e-mail address removed, which is in any case unlikely to happen, your e-mail address will have been distributed among many other spammers. Once a spammer has your e-mail address, it is an open channel for him to send you absolutely anything under the sun, and no spammer is ethical; they don't mind how many children they pollute with porn spam, as long as someone reads their e-mails, they are happy.

Porn and spam have two things in common: they waste bandwidth and they are the same thing over and over again. Many people believe that porn is only innocent mischievousness. Whenever you encounter cyber crime, porn and adult-related content is often involved. In a recent article by Scambusters.org (http://www.scambusters.org/fakeantivirus.html) it was mentioned that adult sites are special favourites for causing trojan infections, taking control over your computer once you visit the website. I find it hard to believe that something that's responsible for things like trojan horses, identity theft, spam and many other cyber crimes can be innocent.

Taking action against the injustice committed against our children, committed against the people who don't want this junk shoved down their throats, is really hard with poor legislation and so many people supporting the sites responsible for it. Many people browse porn websites without realising the dangers they pose (no pun intended). Of course many people don't care about these dangers, even if they know about them. It is just like any other addiction; people smoking crack don't care about the negative effects it has on their health. Next time you have to convince someone about the harmful effects of porn, tell them about the dangers of visiting these sites. Educating people about the dangers of web porn and porn spam is the best way to battle an ever-increasing problem in cyber space.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software.