
Pharming and Phishing: A Real Threat to Law Firms

Given the ever increasing amount of junk mail, spam and other unsolicited e-mail that bombards us on a daily basis, it can be time consuming and frustrating to try and separate the small percentage of “legitimate” messages from the large piles of bogus ones.  In order to try and circumvent junk e-mail filters and other types of antispam software, spammers have become progressively more sophisticated and wily in the methods they use to get us to read their duplicitous communications.

While spammers try to persuade you into buying or investing in a solution, there are more dangerous attacks plaguing the online community.  These attacks are known as pharming and phishing.

Pharming is the act of redirecting users to fraudulent websites or proxy servers.  This is typically accomplished through DNS hijacking or poisoning and occurs surreptitiously since the site looks legitimate.  For instance, a person may believe they are entering information on their online banking or investment site when in actuality, they are providing sensitive data to someone who is pretending to be from the organization.

Phishing can be defined as “the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.”  The bait in this case is the e-mail message.  It is thrown out (delivered to your inbox) with the hope that while most will ignore the bait, some will be tempted into biting (responding).

In most cases that involve phishing, a bogus e-mail directs you to visit a website that closely mimics a legitimate site you frequently visit, for example, an online shopping, or financial services center.  You are then asked to provide and update personal information, such as passwords and credit card, social security and bank account numbers — information that the real organization already has.  The phony website then records and steals sensitive data.

Phishing and Instant Messenger
March 2005 marked a new level of sophistication for phishing attacks when Yahoo Instant Messenger became the target vehicle.  The attack begins when a user is sent a message, apparently from someone on his or her buddy list, directing the user to a website and prompting a sign-in.  The phishers then obtain the user name and password and use them to access and steal the personal information stored with the account.

Dissect a Phisher’s Communication
The following example shows a phishing attack designed to steal sensitive financial account data.  I’ve provided the actual text of the message, and I’ll point out that there are quite a few tell-tale signs that the e-mail is fraudulent.

We have recently noticed one or more attempts to log into your PayPal account from a foreign IP address and we have reasons to believe that your account may have been hijacked by a third party without your authorization.

If you recently accessed your account while traveling, the unusual login in attempts may have been initiated by you.  However, if you are the rightful holder of the account, click on the link below to log into your account within the above-mentioned period.

https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

If you choose to ignore our request, you leave us no choice but to temporaly suspend your account.

We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.

If you received this notice and you are not the authorized account holder, please be aware that it is in violation of PayPal policy to represent oneself as another PayPal user.  Such action may also be in violation of local, national, and/or international law.  PayPal is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft.  Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law.

Thanks for your patience and understanding as we work together to protect your account.

Sincerely,
PayPal Account Review Department
PayPal, an eBay Company

1.  Scare Tactics — The phisher tries to convince you that if you don’t respond as requested, something bad will happen.  In this case, someone is apparently attempting to log into your PayPal account without proper authorization.  These types of fear-based tactics are often successful on the very young, inexperienced computer user and the elderly.

2.  Misspelled Words and Grammar Errors — Grammatical errors and misspelled words should raise a red flag.  For example, temporarily is spelled incorrectly in the correspondence, and there are other misuses of grammar and spelling.  Often the phisherman’s native language is not English.  This is also a tactic used to get around certain spam filters that detect specific keywords as junk e-mail.

3.  Generic Name — Dear HR, Dear Info, Dear Invoices — these are all examples of the types of phishing e-mails that I receive on a regular basis because of my inclusion on certain distribution lists within the company.  In reality, phishers use any e-mail address they can get their hands on.  If the e-mail is not personally addressed, there is a good chance that it is fraudulent.  Even if the message is sent directly to you, it could still be the product of a phishing attack.  A general rule to live by — if someone is trying to obtain information from you and you question the legitimacy of the solicitation, look up the company telephone number and call them to verify that they have authorized the collection of the data.  Never give out your user name, password, mother’s maiden name or other information that can be used for identity theft.

Inspecting Headers
If a message is received from outside your organization, Internet header information is added and accessible.  I use Microsoft Outlook and Exchange Server and can access this information by opening the message, then from the View menu, choosing Options and examining the Internet Headers section.

E-Mail Headers, Real and Forged — Message headers are written in reverse order, so the last SMTP server to touch the message before its final destination is listed first.  In the example that follows, Microsoft Exchange attempts to match the connecting IP address to the SMTP server name that was announced (smtp.emaruha.com to the IP 211.133.134.177).  Since there was no match, the tag RDNS failed was added.  In fact, emaruha.com is a legitimate site (a Japanese restaurant), but it doesn’t match the cited SMTP server location and IP.

Sometimes secondary e-mail headers are added to try and make it through antispam measures.  Some signs of this include duplicate, identical IP addresses, and a string for the server name which includes an @ symbol which normal servers cannot resolve.

Received: from smtp.emaruha.com ([211.133.134.177] RDNS failed) by ourexchangeservername.payneconsulting.com with Microsoft SMTPSVC (6.0.3790.1830); Wed, 6 Apr 2005 03:48:27 -0700
Received: (from root@localhost) by smtp.emaruha.com (8.11.7/3.7W05032811) id j36Ao6A00988; Wed, 6 Apr 2005 19:50:06 +0900
Date: Wed, 6 Apr 2005 19:50:06 +0900
Message-Id: <200504061050.j36Ao6A00988@smtp.emaruha.com>
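As an added example (not part of the original article), the following Python script parses the Received headers quoted above, reproduced here as a constructed sample, and applies the checks the text describes: whether the connecting IP address has a reverse DNS entry matching the server name it claimed, whether a claimed server name contains an @ symbol, and whether the same IP address appears twice.  The offline lookup table is an assumption built for the sample so the script runs without network access; live_resolver shows the same check against real DNS with socket.gethostbyaddr.

```python
import email
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample: the headers quoted in the article, one header per line.
SAMPLE_HEADERS = """\
Received: from smtp.emaruha.com ([211.133.134.177] RDNS failed) by ourexchangeservername.payneconsulting.com with Microsoft SMTPSVC (6.0.3790.1830); Wed, 6 Apr 2005 03:48:27 -0700
Received: (from root@localhost) by smtp.emaruha.com (8.11.7/3.7W05032811) id j36Ao6A00988; Wed, 6 Apr 2005 19:50:06 +0900
Date: Wed, 6 Apr 2005 19:50:06 +0900
Message-Id: <200504061050.j36Ao6A00988@smtp.emaruha.com>
"""

# "from <claimed name> ([<ip>] ...)" at the start of a Received value; the
# parenthesised part is optional because some mail servers omit it.
FROM_RE = re.compile(
    r"^from\s+(?P<helo>[^\s()]+)"
    r"(?:\s*\([^)]*?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?[^)]*\))?",
    re.I,
)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s(;]+)", re.I)

Resolver = Callable[[str], Optional[str]]


def parse_received(raw_headers: str) -> List[Dict[str, Optional[str]]]:
    """One hop per Received header, in header order: hops[0] is the last
    server to handle the message, as the article notes."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        from_m = FROM_RE.match(value)
        by_m = BY_RE.search(value)
        hops.append({
            "helo": from_m.group("helo") if from_m else None,
            "ip": from_m.group("ip") if from_m else None,
            "by": by_m.group("by") if by_m else None,
        })
    return hops


def same_domain(a: Optional[str], b: Optional[str]) -> bool:
    """Compare the last two labels (e.g. emaruha.com) of two host names."""
    if not a or not b:
        return False
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def check_hops(hops: List[Dict[str, Optional[str]]], resolver: Resolver) -> List[str]:
    """Apply the article's header checks to each hop and return findings."""
    findings: List[str] = []
    seen: Dict[str, int] = {}
    for i, hop in enumerate(hops):
        helo, ip = hop["helo"], hop["ip"]
        if helo and "@" in helo:
            findings.append(f"hop {i}: '@' in claimed server name {helo!r}")
        if not ip:
            continue
        if ip in seen:
            findings.append(f"hop {i}: IP {ip} already appeared at hop {seen[ip]}")
        seen[ip] = i
        ptr = resolver(ip)
        if ptr is None:
            findings.append(f"hop {i}: no reverse DNS for {ip} (claimed {helo})")
        elif not same_domain(ptr, helo):
            findings.append(f"hop {i}: {ip} resolves to {ptr}, not {helo}")
    return findings


# Constructed lookup table standing in for DNS so the example runs offline.
# The article's header says RDNS failed for this address, so it maps to None.
OFFLINE_PTR: Dict[str, Optional[str]] = {"211.133.134.177": None}


def offline_resolver(ip: str) -> Optional[str]:
    return OFFLINE_PTR.get(ip)


def live_resolver(ip: str) -> Optional[str]:
    """Real reverse lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for line in check_hops(parse_received(SAMPLE_HEADERS), offline_resolver):
        print(line)
```

Run against the sample, the script reports only the missing reverse DNS for 211.133.134.177, which is the same condition Exchange flagged with RDNS failed; swap in live_resolver to repeat the check against real headers.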

Display Format — Since the attackers want you to think that the message is a legitimate communication from the forged sender, they often embed real logos into the message that make the correspondence appear more trustworthy.  In order to accomplish this, they must force the display format as HTML.  Most authentic e-mails offer a plain text version to allow mail user agent compatibility.

These are only two examples of information that is accessible in every externally originated e-mail message.

How Can You Protect Yourself?
There are varying levels of measures that you can take to protect yourself from phishing and pharming attacks — but it all begins with education.  Every member of your organization must be aware (and kept abreast) of recent news concerning the safeguarding of information.

Information Technology Response
DNS Lookup — IT Personnel can use nifty tools to perform a reverse lookup of IP and DNS information.  The site http://www.dnsstuff.com/ sniffs out real and fraudulent IP addresses and traces origins.  Type the IP address in the Reverse DNS Lookup box to locate information, or open an e-mail received from an external source, choose View, Options and copy the IP address from the Internet Header into the Reverse DNS Lookup utility.

Patch That Hole — Ensure that your browser security and virus definitions are current.  Microsoft regularly releases security patches for Windows and Internet Explorer.  For more information, click Start, All Programs, Windows Update or go to http://www.microsoft.com/security.

Education — Teach your users (all of them) to be suspicious of any e-mail or request for personal information.  Create and enforce a firm policy on the handling of e-mail and website data entry.  Keep updating and distributing information on a regular basis.  Focus on the following:

Overview of Phishing, Pharming and Importance for Firm Communication

How to Differentiate Secure Sites from Those That Are Not Secure — Secured websites are prefixed by “https.”  Never make online purchases from sites that are not secured.

When in Doubt, Don’t Click That Link — Embedded hyperlinks in e-mail messages can, when clicked, hijack you to a fraudulent site where personal information is requested, or deliver you to a legitimate site only after passing you through other sites designed to steal information (pharming) without your knowledge.  If you receive a message from a company requesting information, it’s a better idea to look up their telephone number and verify that the request is legitimate.
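As an added example (not part of the original article), the following Python script checks a message for the two signs discussed under Display Format and here: a message forced to HTML with no plain-text alternative, and an embedded hyperlink whose visible text names one site while its actual target is another site or is not https.  Both messages are constructed samples; example.com, example.net and example.org are placeholder hosts, and the mismatched link mirrors the pattern of the PayPal message quoted earlier.

```python
import email
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: HTML-only, visible link text names one site, href another.
SAMPLE_MESSAGE = """\
From: "Account Review" <review@example.com>
To: user@example.org
Subject: Unusual login attempt
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Info,</p>
<p>Click on the link below to log into your account:</p>
<a href="http://www.example.net/login">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
</body></html>
"""

# Constructed sample: plain-text alternative offered, link text matches its target.
CLEAN_MESSAGE = """\
From: "Newsletter" <news@example.com>
To: user@example.org
Subject: Monthly update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Read the update at https://www.example.com/update
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><a href="https://www.example.com/update">https://www.example.com/update</a></body></html>
--b1--
"""

# Visible link text that looks like a URL or host name (assumed heuristic).
URLISH_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]|$)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (a simplification, assumed here)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def host_in_text(text: str) -> str:
    m = URLISH_RE.match(text.strip())
    return m.group(1).lower() if m else ""


def analyze_message(raw: str) -> List[str]:
    """Return the display-format and link findings for one raw message."""
    msg = email.message_from_string(raw)
    findings: List[str] = []
    types = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    if "text/html" in types and "text/plain" not in types:
        findings.append("html-only: no text/plain alternative offered")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            target = urlparse(href)
            if target.scheme != "https":
                findings.append(f"link is not https: {href}")
            shown = host_in_text(text)
            if shown and registrable_domain(shown) != registrable_domain(target.hostname or ""):
                findings.append(f"link text shows {shown} but points to {target.hostname}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyze_message(raw) or ["no findings"])
```

The script reads the actual href rather than the text the reader sees, which is the point of the advice above: the visible text can name any site, but only the target decides where a click goes.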

Complain — You can report phishing and fraudulent e-mail attacks by forwarding the message to spam@uce.gov, reportphishing@antiphising.com and to the company being spoofed.  Complaints to the FBI and affiliated Internet Fraud Complaint Center can be filed at www.ifccfbi.gov.  The site contains a link to file an online complaint.

“Philing” Lawsuits
At a recent security conference that I attended, Bill Gates and Symantec CEO John Thompson spoke separately of initiatives that they would take to prevent the proliferation of phishing, pharming, spam and viruses.  Microsoft recently filed 117 “John Doe” lawsuits against phishing site operators in an effort to curtail phishing and identity theft.  The lawsuits were filed in federal court in Seattle.  Phishing and pharming are serious issues — fight their proliferation with knowledge.

About our author . . .

Donna Payne is president and founder of Payne Consulting Group, headquartered in Seattle.  She and the company have authored 11 books on Microsoft Office including the bestselling series:  Word for Law Firms.  Payne is a member of Microsoft Legal Advisory Council, the American Bar Association, the American Society of Journalists and Authors and the Project Management Institute.  She can be reached at donnapayne@payneconsulting.com.
