From:         Patrick Douglas Crispen 
Subject:      Tourbus - 27 June 04 - Social Engineering: Part Two

TODAY'S TOURBUS TOPIC: SOCIAL ENGINEERING: PART TWO

The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
Copyright © Bob Rankin and Patrick Crispen - All rights reserved

Howdy, y'all, and greetings once again from deep behind the orange curtain in beautiful Irvine, California, separated by over 1,500 miles of the open Pacific from the nearest continent.

TOURBUS is made possible by the kind support of our sponsors. Please take a moment to visit today's sponsors and thank them for keeping our little bus of Internet happiness on the road week after week.

On with the show...

Social Engineering: Part Two
Audience: Everyone

In my last post [see http://tinyurl.com/ypwzb if you missed it] we talked about something called "social engineering," a nasty scam our friends at Wikipedia define as

the practice of conning people into revealing sensitive data on a computer system, often on the Internet.

[Source: http://tinyurl.com/32coe ]

Why is social engineering important to you and me? Well, no matter how strong your firewall is, no matter how often you update your antivirus program, if a computer cracker can trick you into giving him your password or credit card number, all your time-consuming and expensive computer security precautions will be for naught.

One of the newest forms of social engineering is called either "password phishing" or simply "phishing." In a phishing attack, a criminal pretends to work for a company you trust -- usually your Internet service provider or financial institution -- and frantically contacts you via email or instant message to tell you that your account information is out of date or that there has been some fraudulent activity on your account. The criminal directs you to click on a hyperlink that takes you to what looks like a real corporate website where you are asked to verify your account information.

Of course, the website you are pointed to may LOOK like PayPal's or eBay's or Citibank's [or any other company's for that matter], but it isn't. It's actually a fake website set up on a server the criminal has broken into or rented under a false name. And when you "verify" your account information, all you are doing is giving the criminal your username ... and password ... and social security number ... and mother's maiden name ... and sometimes even credit card number and expiration date.

But surely most Internet users are smart enough not to fall victim to a scam like this, right? WRONG! [And stop calling me Shirley!] According to a report from Gartner which was reprinted at Silicon.com, in the past year

more than 30 million [Americans] are sure they have been suckered in by a phishing email and of those a worrying two million went on to divulge sensitive information such as credit card numbers.

[Source: http://tinyurl.com/2rsge ]

Pretty scary numbers, aren't they?

How can you protect yourself from phishing scams? Well, there are some software solutions and even some websites you can check out, and we'll talk about those in a few minutes. But first, let me climb up on my soapbox.

During my perpetual college years at the University of Alabama, there were many times that I was so broke that I couldn't pay my bills. [GASP! A college student with ... NO MONEY?! Say it isn't so!] Did my many creditors send me polite emails reminding me that there was a "slight problem" with my account balances? NO! My creditors bloody well flooded my postal mailbox with angry snail mail letters and they also flooded my telephone line with angry calls at all hours of the day and night demanding payment. For a while there it got so bad that I seriously considered entering into the federal deadbeat student relocation program.

Fortunately, my days of academic-induced poverty are behind me. But let my experience as a former deadbeat serve as a lesson to you. Do you HONESTLY think that if ANY company in the world *REALLY* had a problem with your account, especially a problem where you could end up owing that company lots and lots of money, that the company would ONLY contact you via email ... once?!

NO! They'd send you squillions of snail mail announcements, flood your telephone line with calls, and send a big guy with hairy knuckles to your front door to "discuss your situation."

So, how can you protect yourself from phishing schemes? Well, you can start by following these three rules:

1. If you have an account with a company, don't trust ANYTHING you read in account-related email from that company. If there REALLY is a problem with your account, the company will contact you via snail mail [a.k.a. postal mail hand delivered by your postal carrier.]

2. NEVER click on a hyperlink in an email from a company with whom you have an account, regardless of how legitimate the email or hyperlink might appear. If you need to visit the company's website, close your email program, ignore everything you read in that email [including any web page addresses you may have seen], open your web browser, and manually key in the regular web page address for the company's *homepage*. Then login to your account with that company like you normally would. If there is a problem with your account, the company's website will tell you once you login.

3. If you need to personally contact a company with whom you have an account, the ONLY contact information you should trust is the information on your monthly, paper statement or on the back of your credit card. Assume that any contact information in a business email only points to a criminal wanting to steal your personal information.
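Rule 2 exists because the text you see in an email link and the place it actually takes you are two different things. As an added illustration (this is not code from the Tourbus column, from SpoofStick, or from any vendor), here is a short Python script that pulls every link out of an HTML message body and reports the tricks phishers rely on: a raw IP address instead of a company name, the "user@host" trick where the part before the @ is decoration, visible text that names one site while the link goes to another, and a trusted brand name buried as a subdomain of somewhere else. The message body, the list of "trusted" domains, and the domain-reduction rule (last two labels, which ignores the real public suffix list) are all assumptions made up for this example.

```python
"""Flag hyperlinks in an HTML email whose real destination does not match
what the reader is shown. Added example; not the column's or any vendor's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for illustration: domains the reader actually holds accounts with.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com", "citibank.com"}

# Finds a domain-looking token in the visible link text, with or without http://.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude reduction to the last two labels: 'www.paypal.com' -> 'paypal.com'.
    Assumption: fine for .com-style names; real code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def link_warnings(href, visible):
    """Return the reasons one link looks like a phishing lure (empty list = none found)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return ["non-web scheme: " + parts.scheme]
    if parts.username is not None:
        reasons.append("user@host trick: the browser really goes to " + host)
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a company name")
    shown = DOMAIN_RE.search(visible)
    if shown:
        shown_host = shown.group(1).lower()
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append("shown as %s but goes to %s" % (shown_host, host))
    for brand in TRUSTED_DOMAINS:
        if brand in host and registered_domain(host) != brand:
            reasons.append("%s used as a subdomain of %s" % (brand, registered_domain(host)))
    return reasons


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for every link that raised a warning."""
    collector = _AnchorCollector()
    collector.feed(html)
    found = []
    for href, visible in collector.links:
        reasons = link_warnings(href, visible)
        if reasons:
            found.append((href, visible, reasons))
    return found


# Constructed sample message: two lures and one genuine link.
SAMPLE_EMAIL = """
<p>Dear valued customer,</p>
<p>Unusual activity was detected. Please
<a href="http://www.paypal.com.account-verify.example/login">click here</a>
to verify your account, or visit
<a href="http://203.0.113.5/pp/">https://www.paypal.com/</a> directly.</p>
<p>Our site: <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
"""

if __name__ == "__main__":
    for href, visible, reasons in suspicious_links(SAMPLE_EMAIL):
        print("%-50s shown as %r" % (href, visible))
        for reason in reasons:
            print("    - " + reason)
```

Run against the constructed message, the first two links are reported and the third is not. The check is deliberately pessimistic: a legitimate marketing email that routes clicks through a tracking domain will also be flagged, which is exactly the behaviour Rule 2 wants, since the safe action in both cases is the same: close the email and type the company's homepage address yourself.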

Practice these three rules and you'll be well on your way to being safe. You might also want to pop in to

http://www.antiphishing.org/

from time to time. This site is constantly updated and lists the latest phishing schemes at

http://www.antiphishing.org/phishing_archive.html

What should you do if you think you've fallen prey to a phishing scheme? Just hop on over to

http://www.antiphishing.org/consumer_recs2.html

for a list of things you should do and law enforcement agencies you need to contact.

As far as software solutions to the phishing problem, I've heard a couple of people recommend a free browser plug-in called SpoofStick at

http://www.corestreet.com/spoofstick/

SpoofStick works with both Internet Explorer and Mozilla on a PC [sorry Mac users] and it helps you detect spoofed web sites. I'm kind of hesitant to add yet another bar to my web browser, but don't let my hesitation stop you.

I hope this helps! Stay safe out there.


That's it for today. Have a safe and happy week, and we'll talk again soon.

           .~~~.  ))
 (\__/)  .'     )  ))       Patrick Douglas Crispen
 /o o  \/     .~
{o_,    \    {              crispen@netsquirrel.com
  / ,  , )    \            http://www.netsquirrel.com/ 
  `~  -' \    } ))    AOL Instant Messenger: Squirrel2K
 _(    (   )_.'
---..{____}                  Warning: squirrels.
