Friends, Colleagues, Clients:
I'm writing to alert you to a growing problem that I feel is serious enough that
you should take immediate steps to protect yourself and those you care about.
Many of you already know that the internet is rife with fraud and nasty tricks.
The scam I want to describe has been around for a while, but has thus far never
been done this well.
Today I received an email purporting to be from Wells Fargo, my bank. The email
was in HTML format, meaning that when opened it looks like a web page with links
you can click on, graphics, etc. This is a common format for commercial email,
but it also permits a multitude of bad things to happen.
In this specific case, the web page looked *exactly* like the Wells Fargo Bank
login page. In fact, the scammers had created their HTML so it called the same
graphics that Wells Fargo uses on their web pages. Not just the same graphics:
the scammers had even gone so far as to call the graphics directly from Wells
Fargo's own servers!
The net effect of the email is that it looked exactly as a genuine Wells Fargo
Bank email would have looked, had they sent it to me. The page wanted me to log
in to receive a notice of "changes in their policy", a not-unexpected sort of
message for Wells Fargo to be sending out. The frightening part is that had I
logged in, I would have given my user name (by default at Wells Fargo this is
your Social Security number) and my password. This would have given the
scammers complete access to my accounts, including the ability to transfer money
from my account to any other account in the world.
Traditionally there are clues that these email scams are fakes: sometimes
there are spelling errors, mail headers are incorrect or graphics don't work
correctly. In this case the mail appeared to be completely genuine in almost
every aspect!
To help you protect yourself, I'd like to list a few things you can pay
attention to that will help keep you safe.
1. Know that email can be faked. The From: header in a mail message can be
faked, making a message appear genuine. You may not see a clue that indicates a
message is a likely fake, so keep in mind that it is possible to make a very
convincing fake and be suspicious of what you find in your mailbox.
2. HTML mail carries with it the potential to do a variety of nasty things. Be
more suspicious of HTML mail than regular text mail. HTML mail is a text message
that includes code that your email program interprets as commands to load
graphics from machines located elsewhere on the internet. Essentially, your
computer goes to a web page and renders it in your email window instead of a
browser window.
3. Consider turning off HTML mail in your mail program. Even opening an HTML
message has the potential to expose you in ways you might not want, and turning
off this feature stops your machine from having conversations with servers you
might not want it talking to.
A typical SPAMmer trick is to include a "web bug" in a message. A web bug is a
usually invisible graphic that your mail program is told to request from a
server elsewhere on the internet. Since you don't even see the graphic, you
have no idea that it has been requested. What has happened behind the scenes is
that the SPAMmer has sent mail to hundreds of thousands of email addresses,
completely unaware of which ones are valid and which ones are not. Your opening
of the message triggered a request from your machine for a graphic unique to
your address. By requesting it, your machine has now confirmed that your email
address is valid, that you opened the message and it has also told the SPAMmer's
server what IP address your machine is located at.
At the most basic level, you've told a SPAMmer that your email address works, so
you're going to get more SPAM. At the worst, you may have communicated your
interest in a new mortgage, told the SPAMmer where to find you or even given
away a critical password.
4. Don't follow any link in an email pertaining to your money; it's just not
worth the risk. If you bank online or have access to your bank accounts online,
take the time to type the address of your financial institution into your
browser or create a bookmark. One of the longest-running and most damaging
scams around is one in which people are sent messages that seem to come from
either PayPal or E-Bay and attempt to get you to log in. The experience most
people have is that something goes wrong and the login fails. It fails
because their login information wasn't sent to E-Bay or PayPal; it went to a
scammer's server, and it will be used to commit fraud on the account as soon as
possible.
5. Learn to read email headers. Okay, so they're basically Greek, but email
headers are intended to show everything about how an email got to your email
box, from the originating person's email address and mail program, through the
servers that handled the mail on its way to you. Headers can be faked, but very
few SPAMmers and scammers do a convincing job when falsifying the information.
Most of the time there are still clues that a message is a fake.
6. Be very careful with your typing. Scammers often buy domains that are
common misspellings of legitimate businesses on the internet, then either put up
their own content or try to fake the content of the legitimate site.
7. Use a junk mail filter. At least this can help reduce the incredible load
of scams and SPAM. I get an average of 650 messages a day and my junk mail
filter removes about 98% of the junk.
8. When in doubt, use the telephone. Seriously, if you receive mail from a
financial institution, the government or anything else that seems important but
raises some concern then pick up the phone and call to verify the mail.
9. Unsolicited attachments should go straight into your trash. If you don't
know the sender or you didn't ask for the file then it's most likely a virus,
worm or something else that you don't want on your system. If you're using a PC
make certain that you do not permit auto-launching of email attachments.
10. Be smart about password usage. Because we don't want to be bothered with
the hassle of dealing with lots of passwords, we choose to use the same one over
and over again. If you use the same password for your bank, credit card
company, and also for happyfisherman.com then you're trusting happyfisherman.com
to not employ any unscrupulous characters and to run a tight ship with their
servers. After all, if happyfisherman.com gets hacked then your name, address
(they sent your lures somewhere, right?), credit card number and the password
for your account are all exposed. Consider using a variety of levels for your
passwords depending on the level of security needed for the item you're
protecting. Mac OS X's Keychain feature can keep much of your password and site
information for you, and there are a number of really good password managers out
there.
Don't use real words or names for passwords; the simplest password cracker can
guess your password in minutes unless you choose something difficult, and that
includes foreign languages. Choose passwords that make no sense in any language
and can't be guessed. To further obfuscate, change letters and numbers around.
For instance, you might select or create a phrase that means something to you:
"Kind Of Blue Is The Greatest Album Of All Time" might become k0bitga0at. It's
simple enough for you to remember and you can be pretty certain it's not going
to be guessed.
You should develop a healthy mistrust. Remember that scammers are assuming that
they'll find someone too dumb or trusting to protect themselves; don't be that
person.
I hope this helps to educate and protect you and make you a little more aware
and careful out there. The internet can be great, but there are some really
awful things that can go wrong. If you want to discuss any of this further, or
need help implementing anything I've talked about, please don't hesitate to let
me know.
Feel free to forward this to anyone you think would benefit, but please be sure
to leave my contact information intact in case someone has questions.
Best wishes,
Ben
--
Benjamin G. Levy
Solutions Consulting
2723 Canfield Avenue, Los Angeles, CA 90034
benlevy@rockinbeat.com
iChat AV: blevy@mac.com
Apple Certified Technical Coordinator
Apple Consultants Network Advisory Council Member
Message initiated on 3/19/04