[TECnewhw] beware of "social engineering" attacks

Trevor Cordes trevor at tecnopolis.ca
Wed Oct 15 16:45:28 CDT 2003

A rash of new attacks is occurring that exploit human error and habits.
You should be aware of them, how to spot them, and how to react to them.

The most common form of attack is an email that looks like it legitimately
comes from some company you deal with (like ebay, paypal, a bank or credit
card company).  The email will usually say something like "you need to
update your info", "your account needs confirmation", or "your password is
going to expire".  They will either ask for your details in the email
itself or give you a link to a web page that asks for them.  If you give
them your details, they then have control over your accounts and can do
malicious things like steal your money or ruin your ebay reputation.

Even if an email looks legitimate (with pictures and all), it probably
isn't.  Ebay, paypal and banks almost never email you and would almost
certainly never ask for your passwords or account numbers in an email.
The latest trick is to make the link look like it goes to the legitimate
site (say paypal.com) while the URL behind the link actually takes you to
some hacker site.  They are preying on the lack of technical
understanding and sophistication of the average computer user.

The only way to be sure you are on the correct web site for a company is
to check the URL in the address bar.  The following should provide an
adequate test:

1. Any place that a bank or paypal will ask for a password or personal
information will have a URL that starts with "https://".  If that "s"
isn't there, then you are not safe!  Ebay, unfortunately, doesn't use an
"s" when asking for your password, so they are an exception to this rule.

2. Check the host (aka: domain, website) name in the URL.  It should be
complete and accurate.  Watch for letter-substitution tricks like
swapping a zero (0) for the letter O or a 1 for an l, etc.  Train yourself
to spot the difference between www.paypa1.com and www.paypal.com, or
WWW.BM0.COM and WWW.BMO.COM.  Can you spot the difference?  The 1st
domain given in each example is bogus.

3. Make sure the host (aka: domain, website) name ends with a slash
("/").  "https://paypal.com/" is ok -- "https://paypal.com.cn/" is not.

4. To be absolutely sure, you should double-click on the little
padlock icon at the bottom right corner of the window and check who
it says the certificate is "issued to"; then, in the Details tab, click
on Subject and make sure the location information looks correct.  Doing
this can be a real pain, but it's a good idea to do it at least once
in a while, especially for a site you linked to from somewhere else
(like another web page or email).
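The checks above (https scheme, exact host name, digit-for-letter look-alikes,
and a domain that ends right where the slash begins) and the "link text says
paypal.com but the href goes elsewhere" trick from earlier can all be done
mechanically.  The following is an added example written for this post, not
code from the original message; the sample email body, the placeholder IP
192.0.2.10 and the function names are constructed for illustration.

```python
"""Check links the way the four steps above describe, plus the text-vs-href
mismatch.  Added example; nothing here is from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Step 2: digits that phishers swap for look-alike letters (the post's examples).
LOOKALIKES = str.maketrans({"0": "o", "1": "l"})


def registrable_domain(host: str) -> str:
    """'www.paypal.com' -> 'paypal.com'.  Simplification: takes the last two
    labels, so multi-label public suffixes such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> list[str]:
    """Return the problems found with a URL against the domain the user expects.
    An empty list means steps 1 to 3 of the post all pass."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":                       # step 1: the "s" is missing
        problems.append("step 1: not https")
    if not host:
        problems.append("step 2: no host name")
        return problems
    expected = expected_domain.lower()
    domain = registrable_domain(host)
    if domain != expected:
        if domain.translate(LOOKALIKES) == expected.translate(LOOKALIKES):
            # step 2: paypa1.com, bm0.com and friends
            problems.append(f"step 2: look-alike domain {domain!r} (digits swapped for letters)")
        elif host.startswith(expected + "."):
            # step 3: paypal.com.cn -- the real domain is whatever follows
            problems.append(f"step 3: {expected!r} is only a prefix of {host!r}")
        else:
            problems.append(f"step 2: host {host!r} is not {expected!r}")
    return problems


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return (shown_text, real_host) for links whose visible text names one
    host while the href actually points at another."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    found = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue  # plain words like "Click here" name no host to compare
        shown = text if "://" in text else "https://" + text
        shown_host = (urlsplit(shown).hostname or "").lower()
        real_host = (urlsplit(href).hostname or "").lower()
        if shown_host and real_host and shown_host != real_host:
            found.append((text, real_host))
    return found


# Constructed sample: one deceptive link, one honest link.
SAMPLE_EMAIL = """<p>Your account needs confirmation. Please log in at
<a href="http://192.0.2.10/login">https://www.paypal.com/</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>"""

if __name__ == "__main__":
    for url, expected in [("https://www.paypal.com/", "paypal.com"),
                          ("http://www.paypa1.com/", "paypal.com"),
                          ("https://paypal.com.cn/", "paypal.com"),
                          ("HTTPS://WWW.BM0.COM/", "bmo.com")]:
        print(url, "->", check_url(url, expected) or "ok")
    print("mismatched links:", mismatched_links(SAMPLE_EMAIL))
```

Run as a script it prints a verdict per URL and lists the link whose text
claims paypal.com while the href goes to the placeholder address.  The
domain-suffix test is deliberately naive (two labels) so the logic of step 3
stays visible; a real checker would use a public-suffix list.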

Once you are sure of a site's authenticity you should bookmark its
login page (or whatever page you are allowed to bookmark) and then use
that bookmark (i.e. "favorite" in IE) to reach that site in the future.

If you think something may be bogus, email me a sample (optional), then
just delete it.  Even if you think an email is legit, don't use the
links they provide in the email.  Instead type the correct domain name
yourself into IE or use a verified bookmark you have previously made.

Sure, all this is a pain, but the reality is that there are lots of
people trying to rip you off by getting your passwords and info, and
none of the normal protection programs, like Windows Updates or Norton
AntiVirus, can possibly protect you from shooting yourself in the foot.

Be diligent, be wary and be skeptical.  Then you will be OK.
