Social engineering as applied to the ordinary home computer user

February 18, 2005 - Part II

This site is cunningly constructed to look like the real Smith Barney Web site. Even the address in the browser's address bar matches the real location. How is this done? A vulnerability in browser software lets pranksters create Web sites whose names contain non-Latin characters that the browser's address bar displays as English-alphabet letters. Hackers can even counterfeit the padlock icon at the bottom of a browser's status bar (example from another phishing scheme):

[Image: phishing 2]

Another way to recognize phishing is that the e-mails or Web sites may be written in broken English. Large, reputable companies use proper English in their communications. Be suspicious if you find many errors.

Your next steps

So what do you need to do? Don't click anything in phishing e-mails or on phishing Web sites; recognize phishing e-mails and delete them from your inbox at once; and report the phishing attempt to the company that the rogue mail or site was impersonating. You can also go to the Anti-Phishing Working Group's site and report the incident there, as well as read more about recent phishing attacks and ways to resist them. There is also the Identity Theft site maintained by the Federal Trade Commission, where you can report an incident or find further information about ID theft.

To recognize a phishing scam, you should know the following:

  • No legitimate, well-run organization will ever ask you to enter your account or password information in a form accompanying the soliciting e-mail. If you receive an e-mail requesting sensitive information from a company or organization you deal with, contact that company by phone or e-mail before giving out any details. But use contact information that is publicly available from a respected online or offline source.

  • Verify the links contained in incoming e-mails, as they are often spoofed to impersonate the locations of well-respected companies. For example, if you see a link to, say, https://chaseonline.chase.com/chaseonline/logon/sso_logon.jsp?fromLoc=ALL&LOB=COLLogon, type this address into the browser manually, see where it takes you, and compare that location with the one you would have been taken to had you clicked the scammer's link.

So there's one simple guideline you need to adhere to: if you're contacted to provide important information, you should verify that the recipient is a legitimate entity.
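The two checks above (a link whose visible text names one site while its target is another, and an address made of non-Latin look-alike characters) can be done mechanically on an HTML e-mail body. The following is an added example, not code from this article or from PC Flank; the e-mail body, the documentation hosts example.com and 203.0.113.5, and the Cyrillic look-alike are all constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

def script_of(ch):
    # Script family from the Unicode name ("CYRILLIC SMALL LETTER A" -> "CYRILLIC").
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0] if ch.isalpha() else "COMMON"

def host_is_suspicious(host):
    # Empty host, mixed scripts (Latin + Cyrillic, say) or any non-ASCII host at all.
    return not host or len({script_of(c) for c in host} - {"COMMON"}) > 1 or not host.isascii()

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML e-mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    # Returns [(href, reason)] for links matching either trick described above.
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, reasons = urlparse(href).hostname or "", []
        if host_is_suspicious(real):
            reasons.append("non-Latin or mixed-script hostname")
        # Visible text that is itself a URL: compare the host it shows with the
        # host the link really goes to (plain words such as "Help" are skipped).
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if ("://" in text or text.startswith("www.")) and shown and shown != real:
            reasons.append(f"text shows {shown} but link goes to {real}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings

# Constructed sample body: link 1 hides an IP behind a real-looking URL, link 2 swaps a Cyrillic "а" (U+0430) into "example".
SAMPLE_EMAIL = (
    '<p>Please visit <a href="http://203.0.113.5/login">https://login.example.com/</a>'
    ' to confirm your details, or use <a href="http://ex\u0430mple.com/">our secure site</a>.'
    ' Questions? See <a href="https://login.example.com/">Help</a>.</p>'
)
```

Running check_links(SAMPLE_EMAIL) flags the first two links and leaves the third, whose text and target agree, alone.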

Phishing is not the only thing that can harm the individual computer user; excessive trust in information included in a message can do so too. Recently, I have seen many virus-containing e-mails with a report at the end of the e-mail that looks like this:

----------------------------------------------------
Email is clean
Antivirus Scanner Report:
No viruses found.
----------------------------------------------------

Here, a simple trick is being played: the perpetrator gets you to click and open the attachment by making you believe it is harmless and important. The author tries to persuade you that the e-mail has been checked by an antivirus scanner and is free of viruses, which is a lie.

The cases provided in this brief article relate to social engineering as it applies to general home computer users, whereas in the corporate world, the scope and reach of social engineering are significantly larger. Folks at large companies need to ask their IT staff for further recommendations on how to resist the threats of social engineering.

Summary

To summarize all of the above, you shouldn't trust all the correspondence you receive, even if some messages are coming from your friends. You should always check e-mails for viruses, try to install an antispam program that blocks junk and most unsolicited bulk mail, and never trust a message that asks for financial or other substantial data before explicitly verifying its source.

© 2006 PC Flank Ltd. All rights reserved.