Phishing

IRS Web site opens door to phishers

A new IRS Web site that allows taxpayers to check on the status of their refund checks could lead to users being phished.

The new "Where's my stimulus payment?" site asks taxpayers to enter in their Social Security number, and a few other trivial bits of information before informing the user of the amount of their refund, and the date it will be sent out.

While no doubt useful, this Web site sets a horrible example, and encourages dangerous behavior by users. Furthermore, in the hands of someone who knows the last four digits of a taxpayer'…

Can you trust the Wall Street Journal's domains?

Last week I wrote that skepticism may be the most important thing you bring with you when dealing with the Internet. A few days later in the Wall Street Journal, Walter Mossberg said basically the same thing - "...the most insidious Internet security problems today rely on human gullibility, not tricky software."

His article, How to Avoid Cons That Can Lead to Identity Theft, included this advice "Don't click on links to offers for free software or goods that you receive in an email, especially from a sender or company you've never heard of." …

The pillars of Defensive Computing

Previous postings on this blog, like any blog, have been narrowly focused. Sometimes it helps to look at the forest rather than the individual trees. To that end, I take a step back here for an overall cheat sheet to Defensive Computing.

Skepticism

Perhaps the most important aspect of Defensive Computing is something money can't buy, skepticism.

Obviously this applies to email messages, many of which are scams. A relatively new approach appeals to your patriotism - emails from people claiming to be soldiers stationed in Iraq who need help bringing money home. Yeah, sure. Skepticism is not only …

PayPal considers blocking browsers

PayPal is seriously considering blocking some browsers from accessing its site, according to a paper (PDF) available to shareholders.

Titled "A Practical Approach to Managing Phishing," the paper admits that there's no one silver bullet to prevent fraudsters from making money on the Internet. However, authors Michael Barrett, PayPal's chief information security officer, and Dan Levy, the company's senior director of risk management for Europe, say companies could and should start addressing five specific areas:

Prevent fraudulent e-mail from getting into users' in-boxes

Prevent phishing sites by shutting them down

Authenticate users so that stolen …

An introduction to vishing

This introduction to vishing is offered in the hope that being aware of it makes you less likely to fall for a vishing-based scam.

Vishing is short for voice phishing. Voice refers to the fact that the scam is perpetrated over the phone. Phishing is a scam designed to "criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity..." according to Wikipedia.

As people get less trusting (deservedly so) of email, the bad guys hope victims put more faith in phone numbers.

A recent article by Brian …

Google, PayPal introduce political-phishing defenses

In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.

While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.

In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.

The phishing problem is a particular threat to campaign sites, for a …

Drive-by pharming attack hits home

Whenever you type an address into an Internet browser, that address is instantly resolved into the site's numerical Internet address by a DNS server located somewhere in the world. On Tuesday, Symantec announced that online criminals have started to remotely redirect your home network router's DNS server so that whenever you type in a financial institution or other trusted site, your browser will instead be redirected to a bogus or phishing Web site.

The practice, called pharming, usually attacks the DNS servers directly, but this latest attack brings it all home (if you are using broadband connectivity). Fortunately, …

Scamming non-profit organizations leads to Google gripe

Warning of a new scam targeting non-profits comes from Alex Eckelberry of Sunbelt Software, the company behind the anti-Spyware program CounterSpy.

The scam starts out with an email message that seems to be from Barbara Moratek, Vice President, Director of Grant Programs at Ivete Foundation. The come-on in the body of the message is:

"Would you have additional information for prospective donors or volunteers other than what is on your website? Thank you in advance."

I've said before, you can never trust the FROM address of an email message. According to the email header from one of …

Phishers now leasing the Storm worm botnet

A number of phishing sites have cropped up within the last day using domains previously attributed to the Storm worm botnet. Last fall, Storm was used in a series of pump-and-dump stock spam blasts, including a unique MP3-based spam blast, but researchers at F-Secure don't think the original authors of Storm are necessarily trying something new. F-Secure said Tuesday that "October brought evidence of Storm variations using unique security keys. The unique keys...allow the botnet to be segmented allowing 'space for rent.'" They think phishers are leasing parts of the larger botnet.

F-Secure cites a Halifax …

More about OpenDNS, including adult site filtering

My previous posting was an introduction to both DNS and OpenDNS. Here, I offer a brief review of the features and services offered by OpenDNS.

First though, let's consider what happens when DNS breaks. As noted previously, the DNS system translates computer names into IP addresses. So if it breaks, it may seem that your Internet connection is broken when in fact, it's fully functional. That is, from your ISP's perspective everything can be working fine, all the lights on your modem and router* can be normal, but still, you can't get to any Web sites …