Summertime Phishing Phun

By David Shamah The Jerusalem Post, Friday, August 5, 2005

Summertime, and the living is easy, or so the old saying goes. July and August give you an opportunity to do the outside stuff you don't have an opportunity to do the rest of the year.

Like phishing. Yep, that's the life - throw out a line with some tasty bait on it and see what the sea throws back. There are plenty of fish out there, and sooner or later one is going to take you up on your kindly offer and bite - and all you have to do is real the sucker in!

Wait a minute - there's something fishy here; shouldn't I have used the word "fishing?" Well, no, actually. You seem there are fish - and there are phish. And unfortunately for you, the phishers try to do to us exactly as we do to the denizens of the deep.

No doubt you have been treated to an e-mail from some financial institution you have never even heard of, urging you to contact them immediately with your personal details (account number, credit card number, etc.). Citibank, Paypal, and something called SunTrust (must be a bank) seem to think I am in great danger of being a victim of fraud in my account - so in order to put my account on a list of "protected" accounts, I need to prove my identity by submitting my personal details.

Now, you and I have been around the computer block long enough to know that this is just some scam; it's hard to believe that anyone responds to this kind of thing. In fact, what I've just described is a classic "phishing" fleece, where trusting souls submit their information willingly to some crook at the other end of the Web, allowing them access to bank accounts, credit cards, and other personal information.

Phishing is big - it accounts for as many as 3% of all e-mail messages, according to a study this month by an IBM partner. MessageLabs, an e-mail security company, said it collected 9,139,704 phishing e-mails in May, a 226 percent jump from April, topping the previous record of 7,724,659 phishing e-mails in April. The idea, I suppose, is that sooner or later someone is going to fall for the scam - and since the e-mail process is more or less automated, it's not like it's extra work for the phishers to blanket the world with their messages.

But make no mistake - many more people are phish-aware than they used to be, and the scam is much less effective than it was in its early days. Which means two things; one, that the scammers who perpetrate these things are looking for "the next big thing" in on-line fraud, and two, they are likely to become even more aggressive about getting what they want. And as scamming software gets more sophisticated, the chances that they will be able to reach into your computer and steal what you refuse to give them voluntarily becomes ever higher.

How about this for a scenario: You get an e-mail announcing a sweepstakes, free MP3 download, or on-ling game that looks interesting. Seems innocent enough, and you are not asked for personal details - only to click on a link on the site in order to access the goodie. Unbeknownst to you, however, by clicking on that link, you have just downloaded a trojan horse program that lies in wait until it sees you surf to a secure (https://) Web site - and then goes into action, enabling a keylogger that records the name of the site, your name, password, and, maybe if its really lucky, your credit card number!

Sounds preposterous - but it has already happened! Just a year ago, customers of banking Web sites were targeted with just such a trojan horse- which enabled a keystroke logger to get at customers personal data. Users clicked on a seemingly innocent gif graphic, and there it was. The program was able to get through undetected because the form it took was unfamiliar to anti-virus programs - and of course, because of yet another security hole in Windows (since patched) that let the thing through in the first place.

It seem, in fact, that there's always a security hole of some sort out there that needs patching. XP users who have installed service pack 2 might have things a bit better, but given Microsoft's track record, you can be sure there are other undiscovered holes that will need plugging; if you're still using Windows 2000 or 98, you're as vulnerable as ever, if not more so, since hackers are upgrading the force of their anti-social software in order to compete with the stricter regimen in XP. And if the newest trend involves clicking icons, games, and other until now innocent Web activity - well, the rest of us are going to have to redefine for ourselves what "safe surfing" means.

But forget about viruses - "they" don't need tricks to get information out of the greedy. What if you could buy a big screen TV for half price? Some people would be suspicious of such a deal, but others would swallow the story they say on the Web site offering this (company went bust, inventory must be cleared out, etc.). All you have to do is submit your credit card - into the hands of the scammer who is counting on your greed to build his card collection!

With computers, as with many other areas of life, it's best to avoid trouble than to fix it afterwards - which means that the best strategy it to avoid Web sites and locations that are known to be problematic, either because they are run by the sort of characters whose company you would not care to keep, or because their sites have been involved in nasty activity in the past. If you could somehow know which sites are going to possibly infect your system with some bug that steals data, you'd be sure to stay away from them, and feel much more confident about the safety of your Internet activity - wouldn't you?

Luckily for us, someone thought of a solution to this dilemma - and they're giving it away for free! FraudEliminator will warn you if you are stepping into dangerous territory - and even prevent you from surfing to the worst offending sites, that are known to steal information!

FraudEliminator (which comes in a basic, free version and an advanced pay version) works like a plug-in toolbar for Internet Explorer or Mozilla Firefox. You can set FraudEliminator to alert you to different levels of danger, the most basic being that the site you are viewing is a dangerous one - at which point FraudEliminator will display a pop-up box preventing you from even looking at the site. You can also use it to block popups on suspicious, or even all sites. FraudEliminator will even warn you if it detects telltale signs of suspicion - like if a site's URL consists of its IP address (what, they couldn't shell out five bucks for a domain name that would, incidentally, require that they supply a name or address?) or alert you if the site you're checking out is located on a server in a country with a less than full commitment to preventing Internet fraud. It's the Internet equivalent of profiling, I suppose.

How does FraudEliminator know if a site is bad? Well, there's a dedicated staff that puts information into the program's database - and then there's the efforts of users, who are invited to report fraud. The FraudEliminator checks it out, and if your suspicions are correct, the site you've reported gets into the FraudEliminator Hall of Shame.

If that's the free version, imagine what you get when you spend $20 on the professional edition of FraudEliminator! Well, basically you get some more in depth data (like Whois information) and more frequent database updates - but the free version of this program is plenty useful. Forget all those prevention programs that can only fix things up after it's too late - FraudEliminator will make sure you don't get in trouble in the first place!

Download FraudEliminator for free from http://www.fraudeliminator.com. For all Windows 98 and better systems.

ds@newzgeek.com