Rating: NNNNN
Malevolent geniuses are trying to steal from you through the Internet. They’re devious little Lex Luthors planning theft and fraud on a massive scale, and their primary strategy is to go phishing. Phishing scams are official-looking but fake e-mails and Web sites designed to lure you into revealing personal financial information – or the keys to access that information, like a login name and password. They appear to come from a trusted source (your bank, PayPal, eBay, etc) and tend to use a logical call to action that is hard to resist.
Last June, during the two-week-long hemorrhaging of the Royal Bank’s national IT infrastructure due to some bad code and an even worse code-review process, a “Dear RBC Royal Bank Customer” e-mail started arriving in in-boxes. It looked like an official request asking for card numbers and passwords in order to verify customers’ standing due to “increased fraudulent activity.” If you didn’t follow through, said the e-mail, your “account will not be verified and your access to the account will be blocked.”
Clicking a link in the e-mail led to a slickly designed Web site (complete with RBC corporate branding) where you were asked to enter account information. It all appeared legitimate until a close look revealed the URL wasn’t quite right.
A properly skeptical and jaded 21st-century Internet user would obviously recognize this e-mail’s malodorous stench, but some people didn’t.
The Anti-Phishing Working Group (www.antiphishing.org) announced last week that it received 6,597 new, unique phishing e-mail messages in October. This was more than three times the number of reports received in August and shows a 45 per cent monthly growth in the variety of scams. When you factor in that each unique message is sent to millions of people, the quantity of phishing scam e-mail in circulation is staggering.
Just like ubiquitous Viagara, Cialis and penis-enlargement spam, these phishing scams wouldn’t exist if they weren’t profitable.
The message you need to hear is this: Do not trust your e-mail. If you receive an unsolicited e-mail request asking you to verify personal information by clicking a link, don’t do it. If you’re tempted, ask a friend to put on some boots and kick you in the genitals instead, as it will likely hurt less in the long run than being a victim of identity theft or financial fraud.
Be aware that phishing scam artists are increasing their level of sophistication. Some scams emerging in Brazil during the last few weeks are particularly frightening. These are next-generation phishing scams that take advantage of successful virus-writing techniques.
The cryptically-named JS/QHosts21 scam, a new type of “blended threat” (hybrid virus/phishing scam), takes advantage of security holes in Microsoft Windows to install a Trojan horse that changes your Hosts file, a component of Windows that your Web browser refers to when it looks for the IP address of a Web page URL you request.
By entering their own IP address into your hosts file and associating it with the domain name of a bank site, the phishers can transparently, to you, redirect your browser to their own Web site – made to look like the bank site – when you attempt to reach the real bank’s site. Then, when you try to log in, the phisher has your user name and password and you, as they might say in l33t-speak, have been 0wn3d (i.e., had).
Another of the Brazilian “blended threats” involves a Trojan horse that launches a “keylogger” that records every keystroke you make when you visit certain bank sites. This allows the evil people on the dark side of the Internet to get your login information when you visit a real bank site – while you remain oblivious to being a victim until your life and financial well-being are turned upside down.
Now that you’re being attacked from all sides by manipulative, intelligent people, protect yourself. Good security settings can prevent Microsoft’s security holes from being exploited, and a good, current version of a security program (like Norton AntiVirus or McAfee VirusScan) can easily filter out these e-mails from your in-box in the first place.
Also update your antivirus software, anti-spyware programs, e-mail filters and firewall programs. Regularly change your passwords and pressure your financial institutions to start issuing one-time-use passwords or other two-factor authentication methods (like a RSA-encryption key fob with a password that changes every 30 seconds). That way, if you are successfully phished, it won’t matter because one of the passwords will be useless.
The age of static user names and passwords is dead, and anyone who continues to depend on them will pay a heavy price.
tech@nowtoronto.com
