Cyberfraud - Don't Take the Pfishing Bait

by Ira Wilsker
Golden Triangle PC Club
From the February 2004 issue of the I/O Port Newsletter

You have probably received an email apparently from a business that you have dealt with, claiming that you need to access your account online to verify your personal information. You click on the link in the email, and you are taken to an authentic-looking website complete with logos, privacy and security statements, and other visual touches that make it look genuine. The address in the address bar of your browser shows the internet address (URL) of the familiar business, followed by some lengthy random-looking characters. To verify the authenticity of the page you click on its links, and they take you to the proper sites, so now you trust that this website is legitimate, and any fears you may have had are allayed. As instructed by the website, you enter your full name, account number, PIN number, mother's maiden name, social security number, and other personal information. After entering the data you click on the send button, and you are welcomed with a screen thanking you for your continued patronage of this business. Congratulations! You are now an identity theft victim, having taken the bait from what has recently become one of the most widely used methods of collecting personal information for criminal purposes, referred to as Pfishing or Phishing.

The terms Pfishing or Phishing were coined to indicate fishing, or looking, for information. The spellings with the prefixes PF or PH are the way some hackers modify the spelling of common words to signal their intended meanings. In recent weeks the incidence of using Phishing to steal identities for the purpose of illicitly obtaining money or goods has skyrocketed, combined with the blended threat of a computer virus or worm that sends out spam emails containing the bait from millions of infected computers.

One of the most prolific crops of current computer worms is Mimail (My Mail), which has now appeared in over 20 different versions, each containing some form of malicious payload. One endemic variety of Mimail which appeared around the New Year was an authentic-looking email from eBay's popular PayPal online payments service. PayPal has millions of registered users, so while many recipients of the Mimail worm-bearing spam will not have PayPal accounts, many others will. The From: line of the email says that it is from PayPal security or customer service, and carries an email address of customerservice@paypal.com, security@paypal.com or some similar valid-looking address. The email directs the recipient to click on a hyperlink that looks like a valid PayPal link, but in reality obscures the real destination. Clicking on the link performs at least two functions: it installs the worm on the computer while connecting to the authentic-looking website. The worm then hijacks the email address book (typically some version of Outlook or Outlook Express, though it can also search the hard drive for email addresses), and then, using its own built-in email program, uses the infected computer to spam all of the addresses in the address book with similar malicious emails. To compound the matter, since the infected spam emails can come from millions of sources, use variations of subject lines, and carry authentic-looking (but forged) From: lines, these dangerous emails often pass through many of the spam filters now commonly used. Some variations of the worm are polymorphic (many-changing), in which the payload code mutates slightly with each iteration, possibly making it difficult to detect even for recently updated antivirus software.
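The two deceptions described above (an address bar showing the familiar business's name followed by other characters, and a link whose visible text hides its real destination) come down to one question: which host does the browser actually connect to? The following checker is an added example, not code from the original article; PayPal's domain is real, but the decoy hosts and the 203.0.113.5 address are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links (not from the article): the trusted domain is real,
# the decoy hosts and the IP address are made up for illustration.
TRUSTED = "paypal.com"
SAMPLE_LINKS = [
    "https://www.paypal.com/cgi-bin/webscr",
    "http://www.paypal.com@203.0.113.5/verify/account",
    "http://www.paypal.com.secure-login.example/verify",
    "http://203.0.113.5/verify",
]


def effective_host(url: str) -> str:
    """Host a browser actually connects to: anything before '@' is user-info, not host."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True if host is `domain` or a subdomain of it (anchored on a label boundary)."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def classify(url: str, trusted_domain: str = TRUSTED) -> str:
    """Explain why a URL does or does not lead to the trusted site.

    'trusted'        the real host is the trusted domain or one of its subdomains
    'userinfo-decoy' the trusted name sits in the user-info part before '@';
                     the real host is whatever follows the '@'
    'lookalike'      the trusted name is embedded in a longer, unrelated hostname
    'other'          an unrelated host making no pretence of being the trusted site
    """
    parts = urlsplit(url)
    host = effective_host(url)
    if belongs_to(host, trusted_domain):
        return "trusted"
    if parts.username and trusted_domain in parts.username.lower():
        return "userinfo-decoy"
    if trusted_domain in host:
        return "lookalike"
    return "other"


def audit(links=SAMPLE_LINKS, trusted_domain=TRUSTED):
    """Return (url, real host, verdict) for each link."""
    return [(u, effective_host(u), classify(u, trusted_domain)) for u in links]


if __name__ == "__main__":
    for url, host, verdict in audit():
        print(f"{verdict:15} {host:40} {url}")
```

Only the first sample link is actually served by PayPal; the second connects to 203.0.113.5 even though the address begins with www.paypal.com, which is exactly the pattern the article warns about.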

Other versions of the Mimail worm spread in similar ways, but use slightly different messages and payloads, and appear to be from other institutions. One vicious version making the rounds appears to be from Citibank, claiming to be from "Citibank Security Department" or "Accounts Management". According to a press release from Citibank warning about this scam, these emails claim that Citibank is upgrading its servers and needs to verify customer information, or that "Accounts Management" is seeking credit card information so that customers might "maintain the Citibank experience." The real Citibank website at www.citibank.com has a link at the bottom of the page about e-mail fraud where it has information on over a dozen such scams directed at Citibank customers, as well as 800 numbers and email links to report such attempts.

During recent weeks, similar attempts have been made to gather financial information from the customers of many other companies. It is imperative for all computer users to be aware that reputable companies will never use such a technique to gather or verify your personal information. New varieties of the Mimail worm, as well as copycats, are appearing at an alarming rate, trying to bait a victim into disclosing his information, the victim being unaware until he finds that his bank account is empty, or his credit card has been charged to the limit. The personal information thus acquired can also be used in other forms of identity theft.

According to the cyber security company Kaspersky, and corroborated by some in the law enforcement community, these identity stealing websites are in Eastern Europe, mostly Russia, and are believed to have ties to organized crime in those countries.

NEVER give out ANY personal information in response to an email, PERIOD!

Tulsa Computer Society 2/01/2004
Don Singleton, President