Today in my email, I received a notice from Ebay Security that my account had been suspended because of suspicious activity. In order to reactivate my account, I had to click on the Ebay Security link in the email, and reenter my personal data.

The link took me to an Ebay website that looked authentic, and asked me to enter my username and password. After entering that information, I was asked to enter a lot of personal information, including full name, address, telephone, email address used for the PayPal electronic payments system, PayPal password, social security number, mother’s maiden name, driver’s license number and state, date of birth, credit or debit card number and security code, checking account number, PIN, bank name, and bank routing number.



Since the site looks authentic, and in my unpatched version of Internet Explorer the URL (internet address) in the address bar says "http://www.ebay.com/security", it must really be authentic, so there is no risk in entering the information.
Unfortunately, this is but one of the thousands of different "Phishing" attempts currently circulating around the internet, with 750 to 1000 new scams appearing every week (source: www.antiphishing.org). It is not unusual for millions of copies of each of these frauds to be emailed. If I had fallen for this trick and entered all of my personal data, I would likely have ended up as one of the millions of victims of identity theft, with my bank account emptied, my credit card charged to its limit, items purchased in my name on Ebay and charged to my PayPal account, and a host of other nasty things happening to me. According to a recent report by the Federal Trade Commission, about 12% of the victims of identity theft last year, or over one million people, fell victim to this type of fraud. Phishing is a form of "human engineering" in which a startling email causes the victim to enter his own information so that the crook can capitalize on it.
In today's Ebay email above, be assured that it did not come from Ebay, even though the reply address appeared to be a legitimate Ebay address and the URL in the email also appeared authentic. Fortunately, I knew better, and did not fall for this scam. I mostly use Firefox for my browser, and it showed the real URL as an IP address (a series of numbers such as 213.213.192.44), rather than an unpatched Internet Explorer which would have shown the spoofed address of Ebay. Some time ago Microsoft released an Internet Explorer patch to show the real address, rather than the spoofed URL, but many users have never installed that patch. I did run a quick forensic analysis on the email and found that it did not come from Ebay in California, but instead it came from Africa, probably Nigeria, a country rampant as a home for many of these scams. Other countries commonly hosting phishing scams are Korea, Pakistan, China, Russia, and other countries in the mid-east, as well as several eastern European countries. It is likely that any money lost to such scams will never be recovered. In 2002, according to the FTC, over $47 billion was lost to identity theft of all types in the United States.
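The comparison Firefox made visible in the paragraph above, between the address a link displays and the address it really points to, can be automated on the raw message. The following is an added example, not part of the original article; the sample email is constructed (it reuses the example IP address quoted above), and the names `LinkCollector` and `suspicious_links` are hypothetical.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, not the real email. 213.213.192.44 is the
# example IP address quoted in the article.
SAMPLE_EMAIL = """\
From: eBay Security <security@ebay.com>
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="http://213.213.192.44/security">http://www.ebay.com/security</a></p>
<p><a href="http://www.ebay.com/help">Help pages</a></p></body></html>
"""

IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # IPv4 dotted-quad hosts only

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(raw_email):
    """Return (href, shown_text, reasons) for links that mislead the reader."""
    parser = LinkCollector()
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = ["destination is a bare IP address"] if IP_RE.fullmatch(host) else []
        # Exact host comparison; a production check would compare registrable domains.
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != host:
            reasons.append("shown as %s, goes to %s" % (shown.group(1).lower(), host))
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Calling `suspicious_links(SAMPLE_EMAIL)` flags only the first link, for both reasons; the help link, whose text names no host, is left alone.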

Phishing attacks typically arrive in an email appearing to be from a financial service company, retailer, popular internet site, or some other source of mass appeal. The "Anti-Phishing Working Group" (antiphishing.org), Trend Micro (www.trendmicro.com), and other security related websites are now compiling information on phishing attacks in order to warn users about the threats.
Some of the more widespread recent attacks were: Wells Fargo Bank, Debit Card Theft; Washington Mutual Bank; CharterOne Bank, "Restore Your Account Access"; Regions Bank, "Please Verify Your E-Mail Address"; Bank of the West; Earthlink, "Important Information Regarding Your Account"; Yahoo, "Your Bank Card Linking To @yahoo.com"; Washington Mutual, "WARNING: CONFIRM YOUR ONLINE BANKING RECORDS"; MSN, "Members Support"; Visa, "Notice from Visa" and "Enroll your card with verified by Visa program"; AOL, "Verify your account"; and many others. Other recent attacks targeted PayPal users, BestBuy credit card holders, E-Gold and E-Bullion online payment services, and other such institutions.
Another similar form of identity theft is not dependent on clicking on an email link, but accomplished by means of a spyware program of the key logging type that captures keystrokes, such as account numbers and passwords, and sends that information to persons unknown. Antivirus software and firewalls may not stop this form of attack, but most good anti-spyware products will detect and kill key loggers.
One of the newest types of this scam does not use email links or key loggers, but may be much more nefarious. A new type of attack, "DNS Poisoning", actually attacks the DNS, or "Domain Name Server", that converts the typed name, such as the bank name, to the IP address used by internet servers. If the DNS is poisoned, typing the legitimate name of the bank, for example, will connect to the fraud site rather than the legitimate website. That is scary because the user will likely never know that this happened until it is too late.
BE ADVISED that financial service companies, retailers, and other legitimate companies will never ask for personal information via an email. When in doubt, contact the company directly by its 800 number (NOT an 800 number listed in the scam email), and inquire about the email.