Protecting Yourself On the Web – Phishing Scams
I often encounter people who need me to help them fix their computers. Usually, it’s some kind of spyware or virus they got from a malicious website or from spam/phishing scams in their email. I typically just clean up their computers, drop Spybot on the computer, and tell the person to be careful with what they click and to be aware of who is sending them stuff. Sometimes, I’ll go into greater detail if the person is willing to learn and wants to do something to stay safe online. Now, I’m going to post what I suggest people do to stay safe, and hope that word spreads to more people. It’ll also make my job easier, as I can just point people to my blog for details. I will be writing a series of blogs covering various topics such as phishing scams, lottery/inheritance scams, spyware/virus emails and instant messages, and anything else I can think of that might be something to avoid on the web. The first blog I’m writing is on phishing scams: how to not fall for them and how to defend against future scams.
Phishing Scams – Think back to all of the emails you get about your Paypal account or your online bank account credentials being compromised. You probably don’t even use your Paypal account all that often and think that it’s probably not possible, but that email looks legit and you get curious. It has everything a real email from Paypal would, complete with official logos, images, and a link to a website that looks just like the Paypal login page, except for one major piece of damning evidence. When you’re on that Paypal login page, look at the address bar. Does it say ‘https://www.paypal.com/’, or is it an IP address that looks like ‘http://xxx.xxx.xxx.xxx/’ (the x’s represent the numbers that make up the IP address)? Paypal would never send their users to an IP address instead of the domain name. It will ALWAYS be Paypal.com (unless they change their name).
So, what happens when you login through this spoof page? Well, when you hit submit, your email address and password are sent to a database that someone has set up for the purpose of collecting people’s credentials. Once you’ve hit submit, they’ve got your information almost instantly, and will use your account as they see fit. Sometimes, scammers will tell you that you need to pay them to get your account back. This concept works the same for the bank scams, and really anything else that would involve your finances online.
Another way that these scammers will attempt to get your credentials is by simply asking you. Of course they won’t reveal their true identity, and will pose as an administrator of some type with the company, telling you that your account has been breached and they need your login information to verify ownership, or to get into your account to do something to block the alleged unauthorized user from getting to anything else in your account. If you’re not too computer and internet savvy, you might be prone to this attempt, but you need to remember that companies like Paypal and other financial institutions will NEVER ask you for your username and password. Also, their reasoning for wanting your password doesn’t quite make sense, does it? What can they do with your account that you can’t already do? If someone is suspected of hijacking your account, first off, you can log in to your account to see if your password has been changed. If it hasn’t, you can simply change it and that’ll be the end of that.
Defending Against Phishing – How do you protect yourself from these scams, you say? Here are some steps you can take to make sure your account isn’t compromised.
1) When you get an email saying you need to login to your paypal or bank account due to a security issue, take a close look at the email. Make sure everything looks legitimate, including who sent the email and whether it comes directly from someone @paypal.com or your bank’s .com site. There are ways that people can spoof their email address to appear legitimate, though, so we move on to step 2 of defending against this scam.
2) Mouse over the link they provide in the email and wait a second. Your browser or email client will display the true link in one way or another. When your mouse is sitting over the link, you can look at the status bar at the bottom of your browser or email client. In the status bar, you’ll see a website address. If it’s not showing a real domain name and showing an IP address instead, DO NOT CLICK IT! These two tricks will save you tons of time and trouble and will allow you to move on to the next steps of defense – blocking.
3) If you want to make sure that you (or anyone else on your computer) don’t get hit by the same scam sites, you can block the actual scam sites. To do this, you’ll need to right click on the malicious and illegitimate link provided to you and click Copy (Mac users will have to do something different, I don’t know what it is because I don’t use a Mac). Next, you’ll want to open your browser and add the site to a blocked sites/restricted sites list. Below are the steps to block sites in Internet Explorer and Mozilla Firefox – other browsers I don’t know, so you’ll have to poke around to find the equivalent areas.
Internet Explorer – Click on Tools, then Internet Options. At the top of the Internet Options dialog box, click on the Security tab and you’ll see a white box with some different icons in it. Click on the Restricted Sites icon; below that box is a button that says Sites, so click that. In the “Add this website to the zone” box, right click and paste the link you copied earlier. Instead of blocking that full address, we’re going to block the root of the address so that nothing from that address can get through. Edit out everything after ‘http://xxx.xxx.xxx.xxx/’ or ‘http://www.domainname.com’. Click the Add button and the site is now blocked.
Mozilla Firefox 3.0 – A neat feature that Mozilla Firefox 3.0 has is a site labeling feature. In the address bar, you’ll notice that there’s an icon to the left of your address. These icons are color coded according to their safety, based on the digital certificates that are used to validate the legitimacy of a site. Unfortunately, anyone can get a digital certificate signed to make their sites appear more legitimate. Firefox will automatically block any known threats, and present you with a red page warning you about the site. You won’t have to worry about that site getting you, because Firefox blocked it for you. Let’s say you clicked the link anyway – you can click on the icon next to the address and view some information on the site. If you click the More Information button, a new little window will pop up with all kinds of information gathered on the site. There’s all kinds of helpful information there to let you know if the site is legitimate, and what kind of measures they take in making sure your information isn’t compromised (encryption). If you click the Permissions tab, you can block the site from loading pictures, keeping cookies, and opening pop-up windows. Doing this will pretty much block the site from loading anything malicious onto your PC. It won’t block the site completely, but Mozilla is pretty good at blocking out known forged/spoof sites.
Also, you’ll want to check for some kind of verification image from a digital certificate company such as VeriSign. The image will look like
And if you check in the status bar, you’ll see a link to something such as ‘https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/User/popup/SecurityKeyVIP-outside’, and when you click that, a window will pop up offering you a little more information. Always make sure that the link showing up in the status bar is pointing to the actual domain name, and not something else like an IP address. Also, you always need to make sure it is a legitimate company providing the security. You can find out by simply going to their site, or doing a little search on them to find out if they’re legit or not.
4) Now that you’ve blocked the sites in your browser, it’s time to get rid of those emails. Nearly all email providers have a way of blocking spam/junk mail. Take full advantage of this feature and report/block all junk/spam so that you won’t receive as much. One thing you need to keep in mind is that spam email will never be completely blocked from your email. Things slip through all the time, and it’s practically impossible right now to block them all out.
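As an added illustration (example code, not part of Bobby’s post), here is a small Python check that does steps 1 to 3 on a constructed sample email: it compares the sender’s domain with the sites you actually use, flags links whose real target is an IP address rather than a domain name, and trims each bad link to its root, the value you would add to the Restricted Sites list. The TRUSTED set, the sample message and the simplified link extractor are assumptions made for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Domains the reader really holds accounts with (assumed list, maintained by the user).
TRUSTED = {"paypal.com"}

# Simplified link extractor: (href, visible text) pairs from an HTML mail body.
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_ip_literal(host):
    """Step 2: an 'http://xxx.xxx.xxx.xxx/' style host instead of a real domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def owner_domain(host):
    """Crude owner domain: last two labels, e.g. 'www.paypal.com' -> 'paypal.com'."""
    return ".".join(host.lower().split(".")[-2:])

def site_root(url):
    """Step 3: keep only the root of the address, the value to add to Restricted Sites."""
    p = urlparse(url)
    return f"{p.scheme}://{p.hostname}/"

def check_email(sender, html):
    """Return (kind, detail) findings; an empty list means nothing looked wrong."""
    findings = []
    if owner_domain(sender.rsplit("@", 1)[-1]) not in TRUSTED:
        findings.append(("sender", sender))              # step 1: not from @paypal.com
    for href, text in LINK_RE.findall(html):
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            findings.append(("ip-link", site_root(href)))       # step 2: IP address, do not click
        elif owner_domain(host) not in TRUSTED:
            findings.append(("foreign-link", site_root(href)))  # a real domain, but not one you use
        shown = urlparse(text.strip()).hostname
        if shown and owner_domain(shown) != owner_domain(host):
            findings.append(("text-mismatch", href))     # link text shows one address, points elsewhere
    return findings

# Constructed sample (not a real message): the text shows paypal.com, the real link is an IP address.
SAMPLE = check_email("security@account-verify.example",
    '<p>Please verify now: <a href="http://192.0.2.10/login">https://www.paypal.com/</a></p>')
```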
Apply these concepts and practices to everything online. Phishing doesn’t only occur in your email with your paypal or bank accounts. People will attempt to get your social networking logins, your email credentials, and basically anything else they think is of value to them. Always remember that these sites will never ever ask you for your username and password. It’s an unethical practice, and a security breach in itself.
Stay safe on the web!
-Bobby