 


The Verse - Volume 7


Tech Tips – Stay away from the phish

In the world of computers, phishing (pronounced "fishing"), short for password harvesting fishing, is the luring of sensitive information, such as passwords and other personal information, from a victim by pretending to be someone trustworthy with a real need for such information. It is a form of social engineering attack.

The term was coined in the mid-1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim handed over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.

Today, online criminals put phishing to more directly profitable uses. Popular targets are users of online banking services and of auction sites such as eBay. Phishers usually work by sending out spam e-mail to large numbers of potential victims. These messages direct the recipient to a Web page that appears to belong to their online bank, for instance, but in fact captures their account information for the phisher's use.

Typically, a phishing email will appear to come from a trustworthy company and contain a subject and message intended to alarm the recipient into taking action. A common approach is to tell the recipient that their account has been de-activated due to a problem and inform them that they must take action to re-activate their account. The user is provided with a convenient link in the same email that takes the email recipient to a fake webpage appearing to be that of a trustworthy company. Once at that page, the user enters her personal information which is then captured by the fraudster.

Checking the URL in the address bar of the browser may not be sufficient, as in some browsers that can be faked as well. However, the file properties feature of several popular browsers may disclose the real URL of the fake webpage.

If you are contacted about an account needing to be "verified," you should contact the company directly, or type in the address for their webpage.

Be especially concerned about an address containing the "@" symbol, for example http://www.google.com@members.tripod.com/. Such an address attempts to connect to the server "members.tripod.com" as a user named "www.google.com". The connection will very likely succeed even if that user does not exist, and the first part of the link may look legitimate. The same is true for misspelled URLs or subdomains, for example http://www.yourfavbankdomain.com.spamdomain.net.
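As an added illustration (not part of the original newsletter), the Python sketch below reports which server a link really points to and flags the two tricks described above. The function name `inspect_link` and its `expected_domain` parameter are assumptions made for this example; the sample URLs are the ones quoted in the paragraph above.

```python
from urllib.parse import urlsplit


def inspect_link(url, expected_domain):
    """Return (real_host, findings) for a link that claims to lead to expected_domain."""
    parts = urlsplit(url)
    # The hostname is what the browser actually connects to.
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    findings = []

    # Anything before "@" in the address is a user name, not the server.
    if parts.username is not None:
        findings.append(
            f"'{parts.username}' before '@' is only a user name; server is {host}"
        )

    # A genuine link is the expected domain itself or one of its subdomains.
    on_expected = host == expected or host.endswith("." + expected)
    if not on_expected:
        findings.append(f"server {host} is not under {expected}")
        # The trusted name appears, but only as leading labels of another domain.
        if host.startswith(expected + ".") or ("." + expected + ".") in host:
            findings.append(f"{expected} is used as a subdomain prefix of {host}")
    return host, findings


# Sample links: the first two are quoted in the article, the third is constructed.
SAMPLES = [
    ("http://www.google.com@members.tripod.com/", "google.com"),
    ("http://www.yourfavbankdomain.com.spamdomain.net", "yourfavbankdomain.com"),
    ("https://www.yourfavbankdomain.com/login", "yourfavbankdomain.com"),
]

if __name__ == "__main__":
    for link, claimed in SAMPLES:
        real_host, problems = inspect_link(link, claimed)
        status = "SUSPICIOUS" if problems else "ok"
        print(f"{status:10} {link} -> {real_host}")
        for problem in problems:
            print(f"           - {problem}")
```

The check compares the server name against a domain you already trust, so it catches look-alike prefixes but not misspelled domains that you have not listed.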

In a recent case before the Federal Trade Commission (FTC), a 17-year-old male sent out messages purporting to be from America Online that said there had been a billing problem with recipients' AOL accounts. The perpetrator's e-mail used AOL logos and contained legitimate links. If recipients clicked on the "AOL Billing Center" link, however, they were taken to a spoofed AOL Web page that asked for personal information, including credit card numbers, personal identification numbers (PINs), social security numbers, banking numbers, and passwords.

The FTC warns users to be suspicious of any official-looking e-mail message that asks for updates on personal or financial information and urges recipients to go directly to the Web site of the company to find out whether the request is legitimate. If you suspect you have been phished, forward the e-mail to uce@ftc.gov or call the FTC help line, 1-877-FTC-HELP.



Versent "The Purple Guys" | 520 West Pennway Street, Suite 300, Kansas City, MO 64108 | 816.221.3900 | 877.221.3900 | Fax: 816.227.3910 | Email Us

"Any enterprise is built by wise planning, becomes strong through common sense and profits wonderfully by keeping abreast of the facts" – Proverbs 24: 3-4




© 2001-2008 Versent Group, LLC. All Rights Reserved. | Site design by INFUSION