This is from a PC World newsletter subscription; it affects anyone and everyone using e-mail, so I posted it here rather than in the Computer Talk forum.
Booming Web Scam: Phishing
by Steve Bass, PC World
If it's not spyware we have to worry about, it's phishing (no, not "pishing"). Phishing is when scammers send e-mails cleverly disguised as coming from a real company--but are actually from someone trying to snarf up credit card numbers or passwords. The word is a metaphor for fishing, with the scammer offering you authentic-looking bait and hoping you'll bite. Unfortunately, too many of you grab the hook.
As a buddy said to me recently, it's a scammer's paradise out there.
It Almost Happened to Me
Don't feel bad if you fell for a phishing scam. They're on the increase; see "Phishing Attacks Skyrocket":
http://www.pcworld.com/news/article/0,aid,116007,tk,sbx,00.asp
I got a brilliant e-mail from a PayPal phisher the day before I started writing this newsletter. Unlike most of the poorly written, typo-laden, bizarrely formatted phishing e-mails I get, this one looked so real that it almost fooled me. In fact, part of the message--"We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party"--kinda made sense. Take a look at the e-mail I received:
http://ftp.pcworld.com/pub/screencams/paypal%20e-mail.txt
For the sake of research, I broke one of my cardinal rules and clicked on the link in the e-mail. This isn't something I encourage you to do: I had special protection (more on that in "Protect Yourself Against Phishers," below).
But first, I want to show you how phishing is done so you'll have a better sense of why you never want to click a link in a suspicious-looking e-mail.
Pull Back the Curtain
When I clicked on the link that appeared in the e-mail, I was brought to a site that appeared to be PayPal, but wasn't. Instead, it was the scammer's site designed to look like PayPal. (The site was closed at press time.)
The Java coding on the fake site, and in the message I received, is really good (says my Java expert, David Jung). Basically, the person behind the message copied a PayPal screen to get all the right links and the appearance, and then added the fields that capture your user ID and password.
Feeling Curious?
Some of you may be interested in seeing the guts of a phishing message. If you view the source code, you'll see the mysterious workings of an HTML coder. Here's how: In Eudora, right-click on the message, choose View Source; in Outlook Express, right-click on Message and choose Properties, click the Details tab, click Message Source, and click the maximize button on the right hand corner of the message; in Outlook, open the message, right-click anywhere in the message, and choose View Source.
If you viewed the source code, what you'd see in my e-mail--and on the fake PayPal page--is where the phisher actually took me when I clicked on the link. Here's the long-winded, disguised URL:
HREF="https://%32%31%31%2E%74%6D"
(Comment from GW: I truncated the above URL since it made this column extraordinarily wide!)
It was easy to translate the bogus URL in the source code: I just copied and pasted it into Karen's URL Discombobulator, a free utility with a great name that reminds me of something out of a Woody Allen flick. Here's what I got:
http://ftp.pcworld.com/pub/screencams/Discombobulator.jpg
Remember: This phishing site isn't around anymore, so the info that the Discombobulator gives you isn't very useful now. But if you want to try the program on code in suspicious e-mail you receive, you can grab a copy here:
http://snipurl.com/Discombobulator
BTW, if you're interested in Java coding, you'll like this: The phisher used "OnMouseOver" to fake you out--and they've used it well. In some e-mail programs, when you open the phishing message and scroll your cursor over the bogus link, this code makes a yellow tool tip appear that shows the PayPal URL, creating the warm illusion that clicking on the link will lead you to a safe page.
Dig This: I've been so caught up in figuring out the Crimson Room, I almost didn't get this newsletter in on time. It's a really, really difficult puzzle, a Flash game that I doubt even the brightest of you will get through in short order. So go kill a little time. (One clue that's not cheating: Use the Tab key to find out where to click.) BTW, it took me over 2 hours, on and off, but I finally got to the end. In two weeks I'll provide a page with clues--and spoilers. Here's the puzzle:
http://snipurl.com/crimson_room
Protect Yourself Against Phishers
I've found two free tools you can download, both easy to install and use. The browser extensions help you detect spoofed Web sites by showing you the actual site that you're on. For instance, when I clicked the link in my phishing e-mail, the resulting screen looked like PayPal--but the tools showed me that I was actually at 211.28.155.210, and PayPal would never show you a raw IP address when you're logging in. That's very cool.
The first tool is EarthLink's ScamBlocker, which the ISP makes available for free to everyone, not just its members. ScamBlocker is available on an Internet Explorer-compatible toolbar that includes a Google search engine and a very effective pop-up blocker. The one downside is that the EarthLink Toolbar is larger (from top to bottom) than the other IE toolbars I use. There's a complete review in "EarthLink Readies Anti-Phishing Tool":
http://www.pcworld.com/news/article/0,aid,115652,tk,sbx,00.asp
You can download the EarthLink Toolbar with ScamBlocker from PC World:
http://www.pcworld.com/downloads/file_description/0,fid,23276,tk,sbx,00.asp
The other tool is SpoofStick. This is nice and simple, and works just like the EarthLink Toolbar but without its other features. One nice touch: The height of the toolbar is adjustable. BTW, the author, a forthright guy, says on his Web site, "it's not a comprehensive solution, but it's a good start." There are versions for IE and for Mozilla's Firefox. [With thanks to PC Mechanic's Daron L. Olesch-Williams for telling me about SpoofStick.] We have a copy for you here:
http://www.pcworld.com/downloads/file_description/0,fid,23319,tk,sbx,00.asp
Good Book: You may be surprised that I still read books. One I'm recommending is "There Must Be A Pony In Here Somewhere" (Crown Publishing Group, 2003, 800/733-3000), Kara Swisher's 300-page saga of AOL. I got a kick out of how Swisher talks about AOL's early years (I can't imagine how the company ever got off the ground), unravels the AOL Time Warner merger (what a fiasco), and provides insight into where AOL will end up in the next few years. (The title refers to the punch line of an old joke; and no, I'm not going to give it away. Read it on page 3.) About $17 or under $10 used on Amazon.com:
http://www.amazon.com
Bass's Cardinal Phishing Rules
I have two simple rules:
1. Be paranoid. I suspect any message asking for info such as credit card numbers, passwords, sexual proclivities--anything of consequence.
2. Play it safe. Don't click on a link in a suspicious e-mail. Instead, open your browser and head for the page by typing the link in yourself (for instance, http://www.paypal.com). My sense (and my experience) tells me that if, say, your credit card's expiration date needs an update, the official site will notify you as you log on.
I also encourage you to look at the Anti-Phishing Working Group's site:
http://www.antiphishing.org/
There's valuable info, including specific advice on how to steer clear of phishing expeditions:
http://www.antiphishing.org/consumer_recs.htm
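As an added example (not code from the column, from Steve Bass, or from Karen's utility), here is a small Python script that does by hand what the Discombobulator and the SpoofStick/ScamBlocker toolbars do: it percent-decodes a link's real HREF, pulls out the host, flags a raw IP address, and compares that host with the domain shown in the link text and in the OnMouseOver tool tip. The sample anchor, the 192.0.2.10 address (a documentation address, not the one from the real e-mail) and all function names are constructed for this example.

```python
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: an HTML anchor of the kind the column describes.
# The visible text and the onmouseover tool tip both show paypal.com, while
# the real href is a percent-encoded URL pointing at a raw IP address.
# 192.0.2.10 is an RFC 5737 documentation address chosen for this example.
SAMPLE_ANCHOR = (
    '<a href="https://%31%39%32%2E%30%2E%32%2E%31%30/cgi-bin/webscr?cmd=_login-run"'
    ' onmouseover="window.status=\'https://www.paypal.com/\'; return true;">'
    'https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>'
)

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
TEXT_RE = re.compile(r">([^<]*)</a>", re.IGNORECASE)
STATUS_RE = re.compile(r"window\.status\s*=\s*'([^']*)'", re.IGNORECASE)


def discombobulate(url: str) -> str:
    """Undo percent-encoding, repeatedly, so the real host becomes readable."""
    previous = None
    while previous != url:
        previous, url = url, unquote(url)
    return url


def real_host(url: str) -> str:
    """Return the host part of a decoded URL, minus any 'user@' prefix or port."""
    # Strip HTML entity encoding first (&#46; and friends), then percent-encoding.
    decoded = discombobulate(html.unescape(url))
    netloc = urlsplit(decoded).netloc
    # Anything before a '@' is a user name, not the host, so drop it.
    return netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def is_raw_ip(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def inspect_anchor(anchor_html: str) -> dict:
    """Compare where a link claims to go with where it really goes."""
    href = HREF_RE.search(anchor_html)
    text = TEXT_RE.search(anchor_html)
    status = STATUS_RE.search(anchor_html)
    target = real_host(href.group(1)) if href else ""
    shown_text = text.group(1).strip() if text else ""
    shown = real_host(shown_text) if "://" in shown_text else ""
    tooltip = real_host(status.group(1)) if status else ""
    warnings = []
    if is_raw_ip(target):
        warnings.append("link goes to a raw IP address: " + target)
    if shown and shown != target:
        warnings.append(f"link text shows {shown} but the target is {target}")
    if tooltip and tooltip != target:
        warnings.append(f"onmouseover tool tip shows {tooltip} but the target is {target}")
    return {"target": target, "shown": shown, "tooltip": tooltip, "warnings": warnings}


if __name__ == "__main__":
    for line in inspect_anchor(SAMPLE_ANCHOR)["warnings"]:
        print("WARNING:", line)
```

Running it on the sample anchor prints three warnings: the decoded target is a raw IP address, and both the link text and the tool tip name a different domain than the one the link actually goes to. Paste any anchor from a message's View Source into `inspect_anchor` to get the same comparison.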
Phishing...Web scammers abound, beware
Thanks GW!!!
GW, I can't get very far on the puzzle, I will probably have a stroke before 2 weeks. lol Can't wait for your clues!!!
You truly amaze me, girlfriend....what a lot of info. Thanks.
Today I got 2 Mailer Daemons saying my e-mail (I never sent) had errors and didn't go through. Pages of addresses I never heard of. Can someone use my e-mail address to send spam? Even when I'm not on-line?
Frankay, they're not actually using your address to send that to you. It's another coding trick, either trying to get your info or giving you a virus.
There are some viruses that can break into your email account and send emails from you to other people...but I think that's an older virus, and probably not what you're talking about.
I would say don't click on an email that says delivery failure or "Re:" in the subject if you've never sent the email it's referring to. It's sometimes hard to tell...but I say better safe.
Many spammers use software to send to every conceivable combination of letters at a given ISP (as in blah@isp.com, blah2@isp.com, etc.). Many of those spam messages come back to them as undeliverable, but it costs them nothing, and the more they try the greater their return is.
I have an option to bounce back to sender....is that a good idea or not?
Frankay
Most likely, someone who has your email in their address book has the netsky virus. There is nothing you can do about it unless you contact everyone that has your email address and tell them to check their computers for the virus.
This message was edited Jun 5, 2004 8:12 AM
Earthling, not really. On the off chance that your program's bounce message is easily recognizable as being faked, that will just tell the spammer they've reached a live account.
This is great info, gardenwife. I got an email from paypal today, telling me to beware that I might be getting spoof emails from someone saying they are paypal but aren't actually them, and they said not to ever give out your password or user name in any email, but to go to the actual paypal web site and do so there. I've been sent spoof emails by people claiming to be ebay before. Of course I didn't do anything but delete them. I contacted ebay to let them know of the spoof or spam I had received. I noticed you're replying to my post on the computer forum about the virus (spyware). I did download that spyware program, and am still having trouble getting rid of the spyware. Go figure. Didn't mean to drag that over here though. You really know your p's and q's on computers, don't you?
kathy
I'm back again. There were only 2 or 3 windows that popped up at the beginning when I first connected to the internet; I was able to ex out of them, and have been on line for about 20 min, and no other windows have come up. I'd say that was quite an improvement since the beginning, so I know I'm getting somewhere, just not quite there yet. Still running scans though. Do I need to reboot every time I run a scan?
kathy
Oh jeez, that last message was supposed to go on the computer forum post. I'm so sorry, disregard it, I'm bringing it over there. Ha! I thought I was on that forum and just posted again. See, this spyware stuff is making me crazy.
kathy
Today we got an email to verify our ebay info. Our account was going to be suspended because someone was trying to hijack it. I started to fill it out and then decided, nah, this isn't kosher. Sent it to ebay and soon got a response that it was a fake, trying to get our info. I got suspicious because we just did get a hijack 2-3 mos. ago and ebay immediately suspended our account, then notified us. Not the other way around. Also noticed spelling mistakes in the email. Whew! Glad I didn't fill it in!!!!!
Sometimes, if your e-mail program has a status bar in the bottom, you can hover over a link and see in the status bar that it is actually going somewhere other than the link which appears; often you'll see an IP address, just a series of numbers like 56.456.42.2 and the rest of a URL after it. That, especially, clues one in that things are not as they appear.
thanks, good idea, Kim!