Friends, Colleagues, Clients:

I'm writing to alert you to a growing problem that I feel is serious enough that you should take immediate steps to protect yourself and those you care about.

Many of you already know that the internet is rife with fraud and nasty tricks.  The scam I want to describe has been around for a while, but has thus far never been done this well.

Today I received an email purporting to be from Wells Fargo, my bank. The email was in HTML format, meaning that when opened it looks like a web page with links you can click on, graphics, etc.  This is a common format for commercial email, but it also permits a multitude of bad things to happen.

In this specific case, the web page looked *exactly* like the Wells Fargo Bank login page.  In fact, the scammers had created their HTML so it called the same graphics that Wells Fargo uses on their web pages, not just the same graphics, the scammers had even gone so far as to call the graphics directly from Wells Fargo's own servers!

The net effect of the email is that it looked exactly as a genuine Wells Fargo Bank email would have looked, had they sent it to me. The page wanted me to log in to receive a notice of "changes in their policy", a not-unexpected sort of message for Wells Fargo to be sending out.  The frightening part is that had I logged in, I would have given my user name (by default at Wells Fargo this is your Social Security number) and my password.  This would have given the scammers complete access to my accounts, including the ability to transfer money from my account to any other account in the world.

Traditionally there are usually clues that these email scams are fakes; sometimes there are spelling errors, mail headers are incorrect or graphics don't work correctly.  In this case the mail appeared to be completely genuine in almost every aspect!

To help you protect yourself, I'd like to list a few things you can pay attention to that will help keep you safe.

1.  Know that email can be faked.  The From: header in a mail message can be faked, making a message appear genuine.  You may not see a clue that indicates a message is a likely fake, so keep in mind that it is possible to make a very convincing fake and be suspicious of what you find in your mailbox.

2.  HTML mail carries with it the potential to do a variety of nasty things.  Be more suspicious of HTML mail than regular text mail. HTML mail is a text message that includes code that your email program interprets as commands to load graphics from machines located elsewhere on the internet.  Essentially, your computer goes to a web page and renders it in your email window instead of a browser window.

3.  Consider turning off HTML mail in your mail program.  Even opening an HTML message has the potential to expose you in ways you might not want, and turning off this feature stops your machine from having conversations with servers you might not want it talking to.

A typical SPAMmer trick is to include a "web bug" in a message.  A web bug is a usually invisible graphic that your mail program is told to request from a server elsewhere on the internet.  Since you don't even see the graphic, you have no idea that it has been requested. What has happened behind the scenes is that the SPAMmer has sent mail to hundreds of thousands of email addresses, completely unaware of which ones are valid and which ones are not.  Your opening of the message triggered a request from your machine for a graphic unique to your address.  By requesting it, your machine has now confirmed that your email address is valid, that you opened the message and it has also told the SPAMmer's server what IP address your machine is located at.

At the most basic level, you've told a SPAMmer that your email address works, so you're going to get more SPAM.  At the worst, you may have communicated your interest in a new mortgage, told the SPAMmer where to find you or even given away a critical password.

4.  Don't follow any link in an email pertaining to your money, it's just not worth the risk.  If you bank online or have access to your bank accounts online, take the time to type the address of your financial institution into your browser or create a bookmark.  One of the longest-running and most damaging scams around is one in which people are sent messages that seem to come from either PayPal or E-Bay and attempt to get you to login.  The experience most people have is that something goes wrong and the login fails.  The link fails because their login information wasn't sent to E-Bay or PayPal, it went to a scammer's server and it will be used to commit fraud on the account as soon as possible.

5.  Learn to read email headers.  Okay, so they're basically Greek, but email headers are intended to show everything about how an email got to your email box, from the originating person's email address and mail program, through the servers that handled the mail on its way to you.  Headers can be faked, but very few SPAMmers and scammers do a convincing job when falsifying the information.  Most of the time there are still clues that a message is a fake.

6.  Be very careful with your typing.  Scammers often buy domains that are common misspellings of legitimate businesses on the internet, then either put up their own content or try to fake the content of the legitimate site.

7.  Use a junk mail filter.  At least this can help reduce the incredible load of scams and SPAM.  I get an average of 650 messages a day and my junk mail filter removes about 98% of the junk.

8.  When in doubt, use the telephone.  Seriously, if you receive mail from a financial institution, the government or anything else that seems important but raises some concern then pick up the phone and call to verify the mail.

9.  Unsolicited attachments should go straight into your trash.  If you don't know the sender or you didn't ask for the file then it's most likely a virus, worm or something else that you don't want on your system.  If you're using a PC make certain that you do not permit auto-launching of email attachments.

10.  Be smart about password usage.  Because we don't want to be bothered with the hassle of dealing with lots of passwords, we choose to use the same one over and over again.  If you use the same password for your bank, credit card company, and also for happyfisherman.com then you're trusting happyfisherman.com to not employ any unscrupulous characters and to run a tight ship with their servers.  After all, if happyfisherman.com gets hacked then your name, address (they sent your lures somewhere, right?), credit card number and the password for your account are all exposed.  Consider using a variety of levels for your passwords depending on the level of security needed for the item you're protecting.  Mac OS X's Keychain feature can keep much of password and site information for you, and there are a number of really good password managers out there.

Don't use real words or names for passwords, the simplest password cracker can guess your password in minutes unless you choose something difficult, and that includes foreign languages.  Choose passwords that make no sense in any language and can't be guessed. To further obfuscate, change letters and numbers around.  For instance, you might select or create a phrase that means something to you:  "Kind Of Blue Is The Greatest Album Of All Time" might become k0bitga0at.  It's simple enough for you to remember and you can be pretty certain it's not going to be guessed.

You should develop a healthy mistrust.  Remember that scammers are assuming that they'll find someone too dumb or trusting to protect themselves; don't be that person.

I hope this helps to educate and protect you and make you a little more aware and careful out there.  The internet can be great, but there are some really awful things that can go wrong.  If you want to discuss any of this further, or need help implementing anything I've talked about, please don't hesitate to let me know.

Feel free to forward this to anyone you think would benefit, but please be sure to leave my contact information intact in case someone has questions.

Best wishes,

Ben

--
Benjamin G. Levy
Solutions Consulting
2723 Canfield Avenue, Los Angeles, CA  90034
benlevy@rockinbeat.com/iChat AV: blevy@mac.com
Apple Certified Technical Coordinator
Apple Consultants Network Advisory Council Member

Message initiated on 3/19/04