Tuesday, April 27, 2010
Have We Lost The Ability To Think For Ourselves?
The other day I saw an ad for an e-book about some magical way to cancel traffic fines or to get them refunded (I'm not going to mention the name of the book, because it is a load of hogwash and I'm not going to give it any form of exposure except for illustrating my point). For starters, some lines on the website were poorly formatted with some strange HTML coding. Certain pieces of the text were aligned to print over other pieces of text, making some parts of the page totally illegible. This was caused by some funny div-statements used by the web designer. (This guy obviously did not know what he was doing). But it is not important to know what the web designer did wrong, it is more important to note that the seller of this e-book could not be trusted. Why? Because if he can't even format his website properly (or at least get someone to do it for him), how can you be certain that the owner won't steal your money and sell you a piece of junk looking like his website? But let's forget about the poorly designed website for a moment and focus on the product he was trying to sell.
This book will presumably help you to get your traffic fines cancelled or even refunded by exploiting flaws on parking and speeding tickets. The book is therefore aimed at traffic fines in general and not UNFAIR or INVALID traffic fines (as a matter of fact, the author makes no mention of the words UNFAIR or INVALID on his website). The site does not even contain a single encouragement to motorists to keep within the speeding limit, to put money in the parking meter or to drive safely within the bounds of the laws of the road. No, the sole purpose of this book is to get traffic fines cancelled or refunded, whether you committed an actual offence or not. Now think about this for a moment, why should you buy a book to exploit the loopholes of the law in order to save money in traffic fines, if you can save money by just sticking to the law? In other words you don't need to spend a single penny to save money, you just need to use your damn brain. This book is actually encouraging reckless driving and should be banned. If you really exceeded the speed limit for instance, why should you be able to get the traffic fine cancelled? You contravened a law and you should pay the fine (and don't give me that bull that loopholes in the law are there to be exploited). It is a whole different scenario if you were wrongfully accused of a traffic offence, but this is not what the book is about (or at least that is not the impression the site gave me). But the most disturbing fact is that there are people who will actually buy this book. Really, you got to be brain-dead to buy a piece of junk like this! And this is why I ask the humble question, have we lost the ability to think for ourselves?
Have you ever wondered why people accept so many things and question so very little? I believe this is often the result of a fast paced lifestyle, where there is no time to think about something, you need to make a decision immediately without contemplating. But can we blame our bad decisions on the pressures of modern day life? Any normal person possesses the ability to reason, but it seems as if more and more people are losing this ability by the day. Are we really losing the ability to think for ourselves, or are we deliberately suppressing our ability to reason? I always ask myself these questions when I analyse scam e-mails and fraudulent websites and most of the times I simply cannot understand how it is possible for a healthy mind to be swindled by obvious scams like these. And by obvious, I mean scams containing obvious and common signs of fraud and deceit.
I have to admit, not all scams are that obvious and it has to be mentioned that some of them are quite cleverly designed to look like the real thing. But the majority of scams contain telltale signs of deceit (whether it is a scam e-mail, a fraudulent website, an obscure ad in a magazine, a call from an unknown individual or a dishonest salesman). The main problem is, many people only accept the solution or promise presented by the scammer and never pay attention to the means by which the scammer attempts to solve the problem or deliver the promise. The driving force behind the success of almost any scam is money and greed. You need a combination of both to make a scam successful and a greedy victim walks a greater risk of stepping into the trap set by the scammer, without realising it. But greed is not the only factor, ignorance is another weakness exploited by scammers, to improve their chances of successfully swindling their victims.
How long will we be able to use ignorance as an excuse? There is so much information about the latest scams, freely available on the web. Financial institutions post warning messages and examples of scam e-mails on their websites and some companies even communicate directly with their clients about the latest tricks and gimmicks used by scammers. With all this information at our doorsteps and sometimes even in our laps, how can we use the lame excuse of "I didn't know"? Computer illiteracy is also a stumbling block for many people, but computers have become part of our everyday lives and fewer people are computer illiterate these days. But there will always be a technological gap among computer users, because not everyone eats, sleeps and drinks computers. There will always be advanced and novice computer users and the latter are often at risk of falling for scams, where they don't comprehend the mechanics exploited by the scammer. But this can easily be remedied through a little bit of education. Most online banks and shopping sites have detailed guides and tutorials on the risks and signs of phishing, identity theft and other forms of fraud. These guides are often very detailed, but quite simple and easy to understand, with graphical illustrations and examples, specifically targeted at novice users. But advanced computer users should read these guides as well, because the fact that you know everything about computers does not make you immune to all forms of online fraud.
With all this information at our disposal, how is it still possible for some scammers to swindle their victims? I believe people are not taking the time to familiarise themselves with the risks of online fraud. If you don't know how to use the address bar of your browser, or why the address bar turns green on certain sites or how to use your status bar to preview the address of a link, you are like a suicide bomber. It is like driving a car without the proper training, you are a danger to yourself and everyone around you. Like I mentioned earlier, the information published by banks and online shops, regarding the methods used by scammers to swindle their victims, is not that hard to understand (and for goodness sake if you don't understand these guides ask someone you trust to explain them to you). So if we have all the information about the techniques used by scammers and if they are easy to comprehend, why on earth do people still fall victim to these obvious scams? Simply because they don't read the information available to them. If your bank account was emptied by a bunch of crooks, because you clicked on a link in some e-mail about updating your personal details or something like that, then you are either living on a different planet or you haven't been paying attention to the warnings communicated by your bank. Where have you been in the last decade or so? These scams have been an active threat to the online community for several years now, so how is it possible that you haven't heard of these scams before? Honestly, people need to wake up and smell the coffee! Open your eyelids and pay attention to your surroundings! Start to THINK for yourself and stop depending on other people to do it for you!
Unethical marketers are able to convince some people to buy stuff they don't need, simply because some people are like zombies, allowing outside influences to manipulate their thoughts. Scammers follow the same tactics, they force the victim into believing everything they say in their scam e-mails or on their scam websites. The promise of millions of dollars, a valuable object or the threat of suspension of your bank account, is often so sudden (or promising), that people forget to think about the source of the e-mail or the means by which the scammer is communicating with them. The initial contact made by a scammer is a crucial point in the development of a scam. If you can't identify the scam early on, chances are that you won't realise you are being conned, until the damage is already done. The only way to identify these scams is to use common sense and a bit of scepticism. I'm not saying you need to be over-suspicious towards every e-mail and phone call you receive, but you need to look very critically at every form of communication, where you don't know the person on the other side. In other words, ask yourself the following common sense questions (where the answer to each question is obviously NO): Will the bank ask for my credit card number over the telephone? Will my bank send me an e-mail request to update my personal e-mails? Will an official from another country contact a total stranger, in connection with a multi-million dollar transaction? Will the Executive Director of the FBI use a free e-mail service to contact me about some scammers who MAY have contacted me in the past? Will a company like PayPal or Amazon make spelling and grammatical errors in their e-mails? If this is such a great business opportunity or such a revolutionary product, why haven't I heard about it before? Is it possible to make loads of money by simply distributing a chain letter received through the post? The list goes on and on...
You see, by asking a couple of critical questions you will soon be able to identify whether an e-mail, phone call or a letter in the post is a scam or not. It just needs a little bit of reasoning and common sense, there is no rocket science to it. But if you are too lazy to think for yourself, deliberately ignoring the warning signs of common fraud, then you deserve to be scammed!
About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, analysers of security software and raising awareness about internet fraud and malicious software
Saturday, August 02, 2008
Cyber Top Cops Goes Spammy (or rather SHPAMEE)
Today marks the launch of a new educational initiative called the SHPAMEE project. SHPAMEE is short for Spam, Hoaxes, Phishing and Malware E-mail Examples and replaces the current Hoaxes, Spams & Scams section of our website. The main goals of the new project will remain the same as the old one, but the SHPAMEE project features several new enhancements and improvements over the old project:
- Full headers of e-mail examples will now be published.
- Names (aliases) and contact details of perpetrators will no longer be removed from the examples, but will be published along with the examples.
- More emphasis will be placed on the techniques used by spammers to bypass spam filters and these techniques will be highlighted more prominently.
- E-mail examples will be categorised and grouped more effectively, combined with an integrated search feature, something that was missing from the previous project.
- An RSS feed will be updated each time when a new example is published. This will help users to stay up to date with the latest examples published on our site. The RSS feed will also be used as an alert service, where possible, to warn subscribers about the latest spam outbreaks (however the main purpose of this project remains education).
- E-mail examples will be discussed in greater detail.
Why replace the old project? A lot of work was done behind the scenes to simplify our job of publishing these e-mail examples. Too much time went into the preparation of the e-mail examples, so we had to find a way to publish the examples in a more efficient way. I'm still not completely satisfied with the current publishing model and I'm constantly working on improvements, but the new system saves us a lot of time and the time saved during publishing is used to investigate and discuss the examples in greater detail. The number of examples in the database might be disappointing at first, but we plan to add new examples on a regular basis. We could cut back on the time spent on investigating each spam example, to publish more examples in a shorter time frame, but we do not want to sacrifice the quality of our comments and the background information about each spam example. After all, this is what the project is all about, publishing interesting and valuable information about these examples to educate the Internet community. We still have a huge backlog of examples to publish, quite obviously, because there is never a shortage of spam examples to investigate.
But now a little more about the reasons behind the creation of this project.
There is still a huge problem among Internet users when it comes to the identification of spam. I get loads of requests from people who want me to take a look at some dodgy e-mail to confirm whether it is legitimate or not. Most of these dodgy e-mails are 419 scams and it is shocking to see that there are so many people who are still unaware of these scams, not even to speak of their inability to identify these e-mails as fraudulent. Many people might say: "That's easy for you to say, you work with these scams everyday, so it is easy for you to spot a scam when you see one". Perhaps so, but it is not rocket science to identify a 419 or phishing scam, you just need to use common sense and a little bit of scepticism. There are always certain elements in these e-mails that do not add up and the scammers make these mistakes over and over again.
Identifying a spam e-mail before opening it, is crucial, because spam is the cause of several problems like malware, fraud, distribution of illegal and harmful substances, porn, piracy, identity theft and even more spam (yes, one spam e-mail can be the igniting spark for a forest fire of spam). I mentioned earlier that we will use this project as an alert service where possible, but the main goal remains education. Why so much emphasis on education, isn't it more important to get the word out on new threats and outbreaks? Well, from my point of view I believe education plays a larger role in our defences against cyber crime.
My biggest problem with any alert service is the fact that many threats need to occur before one can take notice of them. There is always a delay between discovering a threat and alerting the public about it and a lot can happen during this time. Another drawback about an alert service is the fact that it can only reach the people who are subscribed to the service (unless you make use of mainstream media of course), so not everyone gets the message. Education on the other hand enables people to think for themselves and helps them to assess the situation on their own terms, based on their knowledge and previous experience. This means the threat is isolated more effectively and buys more time for the alert services to get the word out. So I'm not against an alert service, I simply believe that education will enable the community to adapt to new threats much quicker than a community relying on alert services alone to keep them safe. Your best weapon would therefore be a combination of education and alerts.
I guess a lot of people are wondering why we didn't publish the names and contact details of spammers and scammers along with the examples in the previous project. A spammer never distributes spam under his/her own name, so the spammer will use an alias and the originating e-mail address is often spoofed. So the details are basically useless and our focus was never on the people behind the spam, but more on the mechanics of the spam examples. It is more about the things that spammers do than the persons distributing the spam. However we realised that it would be an additional benefit for the community if we published these phony details along with the examples, especially with 419 scams. This means that you are not only educating people about the schemes of a 419 scammer, you are also alerting them about the aliases, e-mail addresses and telephone numbers used by these swindlers. So as you can see we are back at the ideal of combining education and alerts into a powerful weapon against cyber crime.
Through the SHPAMEE project and a series of educational articles in the weeks to come, I plan to educate the Internet community about the common flaws made by spammers. But what if the spammers start to pull up their socks and correct their mistakes? Spammers will always make mistakes and it is our goal to stay up to date with their latest tricks and gimmicks and communicate these deceptive techniques through the SHPAMEE project.
Wednesday, September 05, 2007
Choose Your E-mail Address Carefully
Did you know that it is important to choose the right name for your electronic mailbox? Very few people realise it and therefore expose themselves to things like identity theft, phishing and yes you guessed it, annoying spam.
What do you normally use as a login name or nickname when you register for an online service? Many people use a number or a keyword that is easy to remember and the easiest thing to remember is obviously your own name. However, your own name is the last thing you should use for any kind of login details and the same rule applies when you choose an e-mail address.
Why is it important for a spammer or phishing scammer to know your name? The main reason is authenticity. Let me explain with an example. If you have an account with PayPal and you receive an e-mail asking you to update your details, are you going to take the e-mail seriously if the e-mail starts with "Dear PayPal Customer"? Most people will say no, but what if your name is John Doe and the same e-mail starts with "Dear John Doe"? You can easily argue that anyone can send a PayPal look-alike e-mail starting with "Dear PayPal Customer", but not everyone knows my name, so chances are good that the latter version is probably from PayPal. I won't be too sure of that, especially if your e-mail address is john.doe@example.com. People often use a dot (.), a dash (-) or an underscore (_) as a separating character in their e-mail addresses and even a novice computer programmer will be able to extract the name and surname part from an e-mail address similar to the one given above.
An e-mail starting with your name draws your attention immediately, so you tend to read more carefully and in most cases, the whole e-mail. Most people will respond immediately if they hear someone calling their name. The same basic principle applies to e-mails starting with your name, or containing your name in the subject line. This is why it is so popular among e-mail marketers to use your name in the subject line, you immediately want to see what the e-mail is about, because the person addressed you personally, like a friend or familiar person would do. Spammers use the same technique so that recipients open their e-mails and read what's inside. They normally use the first part of your e-mail address as your name in the hope that it contains your real name.
What about jdoe@example.com or doej@example.com or jd@example.com? If everyone calls you John, then jdoe, doej or jd will have little effect on drawing your attention. If someone sends you an e-mail with a subject line reading "john.doe check this out" and another one sends you exactly the same e-mail, but changes the subject line to "jdoe check this out", which one will draw your attention the most? The first one of course and it will attract even more attention if the spamming software replaced the dot between your name and surname with a space, wouldn't it?
Ok, so let's come back to the example of the PayPal phishing e-mail. People are less suspicious when their real names are mentioned in the e-mail, but you will always be able to spot a scam if you choose an e-mail address that is not related to your name, surname or any of the nicknames your friends and family normally use. In other words, when you see someone using the first part of your e-mail address in the subject line, instead of your real name, you can know for sure that the e-mail is the work of a spammer and if the sender used it in the body of the e-mail, then it is obvious that the sender doesn't have a clue what your real name is. PayPal is supposed to know what your real name is, so if your e-mail address is jdoe@example.com, then they will never send you an e-mail starting with "Dear jdoe", only spammers will.
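The check described above can be written down as a small mail-side test. This is an added example, not code from Cyber Top Cops; the function names, the two sample messages and the sender address are constructed for illustration, and only plain-text, single-part messages are handled.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def local_part(address):
    """The part before the @, lower-cased: 'John.Doe@example.com' -> 'john.doe'."""
    return parseaddr(address or "")[1].split("@")[0].lower()


def name_guesses(address):
    """What a sender can derive from the address alone: 'john.doe' and 'john doe'."""
    local = local_part(address)
    words = [w for w in re.split(r"[._-]+", local) if w]
    return {local, " ".join(words)}


def address_reveals_name(address, real_name):
    """True if a word of the owner's real name appears in the local part."""
    words = re.split(r"[._-]+", local_part(address))
    return any(w in real_name.lower().split() for w in words if w)


def used_as_name(raw_message):
    """Where the message uses the local part of the To: address as if it were a name."""
    msg = message_from_string(raw_message)
    guesses = name_guesses(msg["To"])
    body_lines = [line for line in msg.get_payload().splitlines() if line.strip()]
    places = {"subject": msg["Subject"] or "",
              "greeting": body_lines[0] if body_lines else ""}
    return [place for place, text in places.items()
            if any(re.search(rf"\b{re.escape(g)}\b", text.lower()) for g in guesses)]


def verdict(raw_message, real_name):
    msg = message_from_string(raw_message)
    if not used_as_name(raw_message):
        return "no signal"
    if address_reveals_name(msg["To"], real_name):
        # 'Dear John Doe' proves nothing when the address itself says john.doe
        return "no signal: the address already gives the name away"
    return "sender took the name from the address"


# Constructed sample messages (not real mail).
TO_JDOE = """\
From: service@example.net
To: jdoe@example.com
Subject: jdoe check this out

Dear jdoe,
Please update your details.
"""

TO_JOHN_DOE = """\
From: service@example.net
To: john.doe@example.com
Subject: Account update

Dear John Doe,
Please update your details.
"""

if __name__ == "__main__":
    print(verdict(TO_JDOE, "John Doe"))
    print(verdict(TO_JOHN_DOE, "John Doe"))
```

The second message is the case the article warns about: with john.doe@example.com the greeting looks personal, yet everything in it could have been read off the address.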
What if my current e-mail address contains my name or surname? I know that it is a lot of work and a huge frustration to change from one e-mail address to another, a lot of people have to be informed and a lot of e-mail subscriptions have to be changed. If your current e-mail address contains your name or surname, consider changing it as soon as possible and rather choose a name that does not reveal any personal information. A telephone number written on a little piece of paper reveals nothing about the name or surname of the owner, your e-mail address should have the same effect on strangers.
About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software.
Monday, June 25, 2007
Pay Close Attention To The URL's In Your E-mails
More and more phishing scammers are starting to use clever eye-deceiving techniques with the URL's in phishing e-mails, making victims believe that the URL belongs to the real company portrayed in the fake e-mail. If you receive e-mails from your bank or other financial institutions, look twice before you click on any links.
I'm not talking about the anchor text of the link or the ten feet long look-alike URL's you normally find in conventional phishing e-mails, no I'm talking about the domain name, the one thing that clearly distinguishes a legitimate URL from a fake one. Online banks normally use simple URL's for their online banking services, making it easy to distinguish them from the long obscure URL's normally used by phishing scammers. But before we go into the details of the deceiving techniques used by phishing scammers, let me give you a brief explanation of how URL's work.
The Top-Level Domain and Sub-Domain
Let's say you are a client of Example Bank. The Example Bank website is called www.example.com. This is the top-level domain. They use the sub-domain www.secure.example.com for their online banking application ('secure' is a sub-domain of example.com, also owned and administered by Example Bank).
Secure Encrypted Connection
Secure encrypted connections always use the prefix https://. So the complete URL for Example Bank's online banking website will be https://www.secure.example.com. Any URL collecting sensitive information like credit card numbers, social security numbers, user names, passwords, etc. should start with the https:// prefix, if it doesn't, get away from it as far as possible.
Expanding The URL With Directories
Directories containing data and files are also stored on a domain. Let's say the login page for the online banking system is called 'loginpage.php' and is stored in the 'login' directory. The final URL, containing these elements, will look like this: https://www.secure.example.com/login/loginpage.php
Variations
Scammers try to fool users by using variations of well-known URL's. If we change our URL to https://www.secure.example.invalid.com/login/loginpage.php, then we are no longer referring to the online banking website of Example Bank, but the website invalid.com. The latter part of the URL between https:// and the first forward slash (/) is the crucial factor, determining whether the URL points to the right site or not.
Now you have a basic idea of how URL's are constructed and how phishing scammers manipulate them to fool the uninformed. Phishing scammers hide these manipulated URL's by displaying the valid URL in the anchor text (the text of a link). The anchor text is only a clickable object and can be anything under the sun. The underlying URL and not the anchor text itself, determines which website opens when the user clicks on the anchor text. Most browsers and e-mail clients allow the user to view the URL by hovering the mouse pointer over the link. The actual URL is then displayed in the status bar, the horizontal bar at the bottom of the application screen.
People have started to spot these manipulated URL's more easily and this technique is slowly losing its effectiveness. As a countermeasure to this problem, scammers started to register domains with different extensions. For instance, scammers may register a domain like example.org, example.info or example.co.uk to launch phishing attacks on clients of example.com. However this will not fool the informed and observant client.
It is in the nature of all cyber criminals to look for new and advanced ways of claiming victims. Phishing scammers are now focussing on registering top-level domains, spelled exactly as the real domain, except for one single letter (or maybe two). An example of such a domain was recently reported at CastleCops, where a Western Union domain was forged as VVesternunion.biz. Most screen fonts separate the two V's quite clearly, but with certain fonts you won't be able to tell the difference between VVestern and Western. Less than a day after the scam was reported at CastleCops, another phishing e-mail was reported at Cyber Top Cops, this time involving a forged Sterling Online Banking domain. The anchor text of each link in this e-mail was displayed as sterlingonlinebanking.com but the actual URL pointed to sterlingonlinebenking.com. This is quite a long domain, so one can easily fail to spot the small difference in spelling.
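The manual checks from the sections above (https prefix, anchor text versus real URL, the part of the host that actually decides the site, different extensions, one-letter misspellings) can be automated for the links in an HTML e-mail. This is an added example, not code from Cyber Top Cops; the sample e-mail, the trusted list with westernunion.com in it, the names of the warning signs and the two-letter threshold are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# extensions mentioned in the article (.com, .org, .info, .biz, .co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk"}


def split_host(host):
    """Split a host into (name, extension): 'www.secure.example.com' -> ('example', 'com')."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= n:
        return host.lower(), ""
    return labels[-n - 1], ".".join(labels[-n:])


def host_of(text):
    """Host of a URL, or of bare anchor text such as 'example.com/login'."""
    text = text.strip()
    if "://" not in text:
        text = "//" + text
    return (urlsplit(text).hostname or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, anchor, trusted):
    """Return the warning signs for one link; an empty list means none were found."""
    findings = []
    host = host_of(href)
    name, ext = split_host(host)
    if urlsplit(href).scheme != "https":
        findings.append("not_https")
    # Anchor text that shows a domain other than the one the link really opens.
    if "." in anchor and " " not in anchor and split_host(host_of(anchor)) != (name, ext):
        findings.append("anchor_mismatch")
    if f"{name}.{ext}" in trusted:
        return findings
    for t_name, t_ext in sorted(split_host(t) for t in trusted):
        if t_name in host.split(".") and name != t_name:
            sign = "trusted_name_in_subdomain"   # secure.example.invalid.com
        elif name == t_name:
            sign = "different_extension"         # example.org instead of example.com
        elif edit_distance(name.replace("vv", "w"), t_name) <= 2:
            sign = "lookalike"                   # benking for banking, VV for W
        else:
            continue
        if sign not in findings:
            findings.append(sign)
    return findings


class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []                          # (href, anchor text) pairs
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html, trusted):
    """Return (href, warning signs) for every link that shows at least one sign."""
    parser = LinkExtractor()
    parser.feed(html)
    checked = ((href, check_link(href, text, trusted)) for href, text in parser.links)
    return [(href, signs) for href, signs in checked if signs]


# Constructed sample e-mail body and trusted list, built from the article's examples.
TRUSTED = {"example.com", "sterlingonlinebanking.com", "westernunion.com"}
SAMPLE_HTML = """
<a href="http://www.sterlingonlinebenking.com/login">sterlingonlinebanking.com</a>
<a href="https://www.secure.example.invalid.com/login/loginpage.php">https://www.secure.example.com</a>
<a href="https://example.org/login">Log in</a>
<a href="https://www.secure.example.com/login/loginpage.php">https://www.secure.example.com</a>
"""
```

A production filter would replace `MULTI_LABEL_SUFFIXES` with the full Public Suffix List; short trusted names also need a stricter threshold than two letters to avoid false alarms.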
Several different phishing scams are often sent to a single recipient. It is easy to ignore these e-mails, because the same e-mails are delivered over and over again, they contain similar characteristics and no one really cares about e-mails from companies of which you are not even a client. But the game of phishing becomes a dangerous one if you receive a phishing e-mail representing a company, one of which you happen to be a client. Your chances of becoming a victim increase when the phishing scammer uses some of the eye-deceiving gimmicks discussed in the previous paragraph. It is therefore extremely important that you double check the URL's before clicking on them, especially if the e-mail appears to be from your bank or any other financial institution.
Most online banks request their clients to visit their home page and log into their account from there, their e-mails never include links pointing directly to the secure online banking server. Instead of adding links to their e-mails, some organizations instruct their clients to type the domain name directly into a browser, without even mentioning the domain name in the e-mail. But this only works with clients of well-known companies like PayPal and eBay.
As a general rule of thumb, banks never send e-mails to their clients requesting them to verify their details, to take part in online surveys, or informing them about suspicious activity discovered or restrictions placed on their account. Banks will not send you an important notice via e-mail and walk the risk of never reaching your inbox, something that happens very often with all the spam filters installed on our machines these days. You can be sure that your bank will require a personal visit from you, at one of their branches (or even head office in severe cases), whenever you need to resolve serious matters like account restrictions, suspicious activity on your account or fraud. A simple e-mail, a quick login and a click of a button will not do the job in the real world. Computers are way too gullible for that.
About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software. The details discussed in this article are put into practice through simulation 2 and 3 of their Online Threat Simulations.
Wednesday, March 28, 2007
Scammers With A Death Wish
Scammers come up with the craziest ideas these days. It is hard to believe that people still fall for the ridiculous e-mail scams in circulation all over the web. It is even harder to comprehend how scammers think they are going to swindle people into believing their devious lies and unbelievable stories. Unfortunately, online scams are a harsh reality. On the one side you have innocent, uninformed victims walking into the traps of merciless con artists and on the other side you have scammers following a "shoot in the dark with a shotgun" approach to claim as many victims as possible.
Online fraud is a serious matter, but you can't help laughing at the creative, yet ridiculous ideas of online scammers. Last month I received a link exchange request from someone running a password recovery website providing a password recovery service for people who lost their e-mail account password. The only problem is that they hack e-mail accounts without confirming the real owner of the e-mail account. The other absurdity is that you can normally contact your service provider when you lose your password and don't need a password recovery service if you are the real owner of the e-mail account. Sometimes I wonder whether cyber criminals have any brain cells between their ears or whether they are simply looking for attention. It is even more absurd, even hilarious, when they are trying to scam anti-fraud activists and cyber law enforcement agencies. I know that many of these scam e-mails are sent in bulk by spam bots and the spammers never really know who receives their junk e-mails, but some scammers make it just too easy for cyber law enforcement agencies to track them down.
It is not odd for one person to receive several phishing scams on a single day, each one pretending to come from a different bank or financial institution. The best of all is the fact that these phishing scams are carbon copies of each other, the only difference in each e-mail is the logo and trading name of the financial institution. Scammers discredit their fellow scammers by sending similar e-mails on the same day to the same recipient. If I receive a phishing scam from a bank, of which I'm not even a client, I will most definitely not respond to a similar e-mail, received on the same day, using exactly the same message, even if I am a client of this institution. If everyone starts to read their e-mails more carefully and in detail, you will soon see the ordinary e-mail user being able to identify a scam just by looking at the pattern, words, techniques, formatting and writing style used by many scammers.
One of the latest schemes used by 419 scammers is the Law Enforcement Agency scam. 419 scammers seem to be less successful with their usual e-mail scams, most probably because of what I mentioned in the previous paragraph. Lottery scams, company representative scams, scams involving war victims, cancer victims, plane crash victims, you name it, have flooded our mailboxes so much that we can smell these scams a mile away just by reading the subject line. Unfortunately you still get people who are unaware of these threats and 419 scammers usually claim victims among these people. The Law Enforcement Agency scam involves 419 scammers trying to swindle previous victims of these scams. The "agency" allegedly apprehended a group of fraudsters and recovered millions of "pounds sterling" stolen from innocent victims. (I wonder why they haven't recovered any dollars). These funds will then be disbursed to victims filing a claim with this "agency". Victims need to supply loads of personal details as well as the amount of money stolen from them. The scammers claim that the victim will not spend any money until the cheque (notice a cheque and not a secure electronic transfer) is issued to him/her. Just ask yourself, why the need to pay money to reclaim something that was lawfully yours? Do the scammers honestly believe that people will fall for a lousy scam like this? People desperate enough to get their stolen money back will most certainly walk into this trap and spend more money only to lose more money and scammers are bargaining on this. Luckily you get people who learn from their mistakes and will never make the same mistake twice, so the scammers can forget to scam vigilant people who already experienced the trauma of losing a lot of money to empty promises from a total stranger.
Scammers from Nigeria have tried to become partners of cyber security agencies in an attempt to infiltrate and destroy anti-fraud organisations from the inside. Online scammers have become nut cases, fanatics, digital suicide bombers and kamikazes, trying every trick in the book (and some stupid tricks of their own) to reach their idiotic goals. It is just sad that they continue to claim victims with their amateurish schemes. Perhaps these scams are so amateurish that people struggle to see through them. It is a case of horribly underestimating your enemy, the worst part being unable to identify your enemy, even worse, not even realising that you are dealing with an evil opposing force.
About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users about online scams and malicious software. Visit our Hoaxes, Spams and Scams Section and educate yourself with real life examples of online fraud.