Ann Arbor Area Business Monthly
Small Business and the Internet

Phishing Trip

January 2009

By Mike Gould

No, we're not talking about following a jam band around. Phishing is the nefarious practice of spamming folks in hopes of convincing them to go to a camouflaged web site. Once there, users are up against phishers posting fake sign-in forms in order to gain access to the user's credit card numbers, passwords, and identities in general. I haven't covered this in a while, and since it's a brand-new year filled with challenges, perils, and, dare I say it, hope, it seems like a good idea to review some basic computer security as it pertains to small business and the Internet. (Wow. I finally got to work the name of this column into the content. Brand new year indeed.)

Bait and Switch
The term phishing originally described on-line bank fraud; that term has expanded as the Internet has. A recent article in TidBITS (an email newsletter I read avidly every week, URL below) sums things up nicely:

"The definition of phishing … expanded to include essentially any fraudulent Web site that tries to collect your private information - from banks to online games."

The way this usually works is that you receive a seemingly legitimate email from your bank, your credit card company, or some other entity you do business with. The message is something like: "We have discovered a problem with your account, and you need to go to our ever-so-trustworthy web site to straighten it out. Signed, your faithful financial business partner."

You click on the conveniently included URL, which looks like: yourbank.com/fixcredit.html. Your browser opens up to a window that looks exactly like that of your bank, where you see a message that informs you that due to a break-in attempt/computer crash/act of God, you need to confirm your account's contact information. So you fill out your account number, social security number, and password and hit the submit button, confident you are in good hands.
You moron.

Bungle in the Jungle
Well, not you, personally. As any reader of this column knows by now, no legitimate entity will ever ask you for this sort of thing via email. I'm hoping that my completely clued-in and hip readers will share this information with any morons they may know. After all, once these people have had their identities stolen, along with all their money, credit, and retirement funds, they will come crawling to you for help, and you just don't have the resources or time to deal with such problems.

The main thing to watch out for here is going to a web page from a URL embedded in an email. If you shop at Amazon.com, you can be assured you are on the right page by looking at the address in your address bar: amazon.com = OK. But if you end up at fixpassword.amazon.com, you have a problem.

The Internet is a poorly-policed jungle and phishing is sort of like one of those pits with the stakes at the bottom, covered up with normal-looking undergrowth. Or maybe a loop of rope under a mat that yanks you upside-down into a treetop, and all your money falls out of your pocket. If only you hadn't stepped up to that sign that said "Stand here while we fix your password".

Hope for Dopes
The people (Microsoft, Mozilla, Apple, et al.) who make your browsers (Internet Explorer, Firefox, Safari, etc.) and email products (Outlook, Thunderbird, Apple Mail, etc.) are starting to realize their place in this scenario, and write some basic protection into their products.

There are several ways that browsers and email programs can warn you when you are attempting to go to a bad site. One technique often used by phishers is to disguise the destination URL you are clicking on: the email says to click on yourbank.com, but when you mouse over the link, it reveals that instead of going to yourbank.com, you are going to blahblah/yourbank/. This means you are going to the blahblah phishing pond, where they have a folder named yourbank set up with lures, bait, and chum. Revealing the real address on mouse-over is a safety measure hopefully built into your email program; and if you do click on the bait address, your browser should warn you that your destination doesn't match the link text you clicked to get there.
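The two checks described above (reading the address bar to confirm you are on the site you think you are on, and comparing a link's visible text with where it really points) are mechanical enough to write down. The following is an added example, not code from the column or from any mail or browser product it mentions. It assumes a tiny constructed stand-in for the public-suffix list (MULTI_LABEL_SUFFIXES), and the sample HTML email, the hostnames yourbank.com, help.yourbank.com, blahblah.example and evil.example are constructed placeholders. Note that a host under the real registered name (a subdomain of amazon.com, say) can only be set up by that name's owner, which is why the check compares the registered domain rather than the whole hostname, and why look-alikes such as amazon.com.evil.example, evil.example/amazon.com/ and amazon.com@evil.example all fail it.

```python
"""Link-checking helpers: does a URL really lead to the site it claims to?

Added example, not from the column. Domain names below are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org); a real checker would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname its owner actually registered.

    fixpassword.amazon.com -> amazon.com ; amazon.com.evil.example -> evil.example
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_host(url: str) -> str:
    """Hostname a browser would actually connect to for a link.

    urlsplit() already discards any 'user@' prefix, so the classic
    'amazon.com@evil.example' trick resolves to evil.example here.
    """
    if "://" not in url:
        url = "http://" + url  # bare 'yourbank.com/fixcredit.html' style links
    return (urlsplit(url).hostname or "").lower()


def leads_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or a subdomain of it."""
    host = url_host(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that names a site, e.g. "yourbank.com" or "https://www.x.com/y".
LOOKS_LIKE_HOST = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def mismatched_links(html_body: str) -> list:
    """Return (shown_text, real_host) for links whose visible text names a
    different registered domain than the href really points at."""
    collector = _LinkCollector()
    collector.feed(html_body)
    found = []
    for href, text in collector.links:
        match = LOOKS_LIKE_HOST.search(text)
        if not match:
            continue  # "click here" style links carry no claim to compare
        shown = registrable_domain(url_host(match.group(0)))
        real = registrable_domain(url_host(href))
        if shown != real:
            found.append((text, url_host(href)))
    return found


# Constructed sample of the kind of message described in the column.
SAMPLE_EMAIL = """<html><body>
<p>We have discovered a problem with your account. Please visit
<a href="http://blahblah.example/yourbank/">yourbank.com</a> to straighten it out.</p>
<p>Questions? See <a href="https://help.yourbank.com/contact">help.yourbank.com</a>.</p>
<p>Or <a href="http://evil.example/login">click here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_EMAIL):
        print(f"link text says {shown!r} but really goes to {real!r}")
```

Running the module flags only the first link of the sample: the visible text says yourbank.com while the href goes to blahblah.example. The help.yourbank.com link passes because it lives under the same registered name, and the "click here" link is skipped because its text makes no claim about a destination; a mail client that wanted to be strict would surface such links for a mouse-over rather than silently accept them.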

Another basic protection is the development of blacklists of known fraudulent sites and ISPs. When you click on such a site from Google, for instance, a warning will pop up alerting you to your dubious destination. You can still click through to it, but Google has done its best to warn you off. Internet Explorer and Firefox have this feature built in as well. Safari, Apple's browser, finally added this with their update to 3.2 (using Google's blacklist), and any Safari users out there would be well-advised to update.

The problem with the blacklist approach is that phishers are constantly starting up new phish ponds, and the folks who maintain the blacklists are always scrambling to keep up.

Security Checks and Balances
Another security effort is the use of digital certificates. When going to most secure sites, you will notice that instead of the URL beginning with http://, it starts with https://. The "s" stands for secure, and it means the owner of the website has applied for and received a digital certificate that your browser recognizes as a statement of legitimacy. You will also see an icon of a padlock somewhere on the page. The problem here is that such certificates are easy to come by, and as a phisher can obtain one, this is no longer a guarantee of identity. A beefed-up version of this is now available, called an Extended Validation certificate, but it has issues as well.

But how effective are these measures? Well, kinda. All the above can be defeated in one way or another, and phishers are constantly developing new kinds of malware. The weakest link is the hand on the mouse; make something moron-proof and someone will make a better moron. At this point, I suspect that most of the real dummies out there have lost everything including their Internet connections to Nigerian scammers and are no longer muddying up the gene pool of web surfers (to mix several moist metaphors).

So be careful out there. If asked for a password and account on a web page (such as when buying from Amazon), make sure you are on the page you think you are.

More info:
TidBITS: http://db.tidbits.com/article/9862

Mike Gould is a mouse wrangler for the U of M, runs the MondoDyne Web Works/Macintosh Consulting/Digital Photography mega-mall, is a member of Factotem.com, and welcomes comments addressed to mgould@mondodyne.com.
