"Phishing" continues to be one of the most fraudulent activities happening on the Internet. A lot of people are still not aware of phishing and, more alarming, a non-trivial number of people are being caught off guard by it and providing their personal and finananical information to perpetrators of fraud . According to the Anti-Phishing Working Group, there are nearly 1,000 web sites which use "social engineering and technical subterfuge" to steal consumers’ personal identity data and financial account credentials. I have shared some examples of phishing attacks I have seen personally (see the PKI category of patrickWeb). Basically, phishing attacks are emails which "spoof" the identity of eBay, Citibank, or other legitimate organizations; i.e. . they make the email look as though it had come from the legitimate organization. In the earlier days of phishing attacks, you could see telltale signs such as misspellings or grammatical errors. However, the phishers are getting more sophisticated — and perhaps using spell checkers and grammar checkers.
This week I received an attack that looked and sounded quite legitimate. The following is the email I received, what actions I took, and what I learned about validating such emails.
Recently, our Account Review Team identified some unusual activity in your account.
In accordance with eBay User Agreement and to ensure that your account has not been compromised, access to your account has been limited.
Your account access will remain limited until this alert has been resolved.
Protecting the security of your eBay account is our primary concern, and we apologize for any inconvenience this may cause.
In order to secure your account and quickly restore full access, we may require some specific information from you. To restore your account to its regular status, you must complete the following steps:
1. Verify your primary e-mail address by clicking the verification link
2. Confirm your identity by completing the account verification process
Once you have updated your account records, your eBay session will not be interrupted and will continue as normal.
To verify your eBay records click on the following link (I left out the link).
(Depending on your e-mail provide you may need to copy and paste this
link in your browser)
We encourage you to log in and restore full access as soon as possible.
Should access to your account remain limited for an extended period of
time, it may result in further limitations on the use of your account
or may result in eventual account closure.
Thank you for your prompt attention to this matter. Please understand
that this is a security measure meant to help protect you and your
account.
We apologize for any inconvenience.
Sincerely,
eBay Account Review Department
The link was very long as many are today and it started with https://signin.ebay.com which certainly looks legitimate. In fact when I clicked on it, I was taken to an eBay login page. The s after http means that the server it is connecting to is a secure server which in turn means that information exchanged between your PC and the server are encrypted. This is a good thing and more and more web sites are taking advantage of it. (One of the security features in the new Opera 8 browser is that it will allow you to actually see the security certificate of the server and see who issued it). (See the Opera 8 review for more on this). I examined the certificate and sure enough it was legitimate — it was in fact the eBay server. The catch is that if I had provided my login information I would then have been diverted to a different server — not belonging to eBay — which would then ask for my various personal and financial information.
The obvious question is how do you know if an email such as the one I received is legitimate or not? The simple answer is that if you have no reason to believe that anything has changed with your account, then ignore the email. Delete it. If your curiosity gets the best of you, in the case of eBay, forward the email to [email protected] and ask if what you received was legitimate. That is what I did. Here is eBay’s reply…
Hello,
Thank you for writing to eBay regarding the email you received.
Emails such as this, commonly referred to as "spoof" or "phished"
messages, are sent in an attempt to collect sensitive personal or financial information from the recipients.
The email you reported was not sent by eBay. We have reported this email to the appropriate authorities.
In the future, be very cautious of any email that asks you to submit information such as your credit card number or your email password. If you are ever concerned about an email you receive from eBay, open a new Web browser, type www.ebay.com into your browser address field, and click on the "site map" link located at the top the page to access the eBay page you need.
If you have any doubt about whether an email message is from eBay, please forward it immediately to [email protected]. Do not respond to it or click any of the links. Do not remove the original subject line or change the email in any way when you forward it to us.
If you have already entered sensitive financial information or your password into a and all of your online accounts. We have developed an eBay Help page with valuable information regarding the steps you should take to protect yourself.
http://pages.ebay.com/help/tp/isgw-account-theft-reporting.html
To review eBay’s new tutorial about Spoof Emails, please see the following Web page:
http://pages.ebay.com/help/account/recognizing-spoof.html
To help you better protect yourself from fake eBay and PayPal Web sites, we have developed a feature for the eBay Toolbar called "Account Guard."
Account Guard includes an indicator of when you are on an eBay or PayPal Web site or a known spoof (or "phishing") site, buttons to report fake eBay Web sites, and a password notification feature that warns you when you may be entering your eBay password on an unverified site.
To learn more about the eBay Toolbar with Account Guard go to www.ebay.com, click on "Downloads" at the bottom of the page, and then click on the "eBay Toolbar" link.
Once again, thank you for alerting us to the spoof email you received.
Your efforts help keep eBay a safe and fair place to trade.
Regards,
Ande
eBay SafeHarbor
Investigations Team
As you can see, eBay takes phishing very seriously. I am confident they are doing everything they can to find the phishers, shut down their activities, and pursue prosecution. How does a phisher develop a url that leads to capturing your personal information? I am not sure precisely how it was done but increasingly, I expect that User JavaScript and Greasemonkey scripts will become a tool for them. Scripting is an extremely powerful capability which allows you to add, remove, fix, or totally redesign web sites that you visit. For example, you could modify your favorite news page to also show you local weather or to include an interactive game. You could enable a visit to Amazon to look for an item you want to buy and also have prices from eBay appear on the Amazon page. There is no end to what can be done. Needless to say, some will find ways to use this power to do malicious things such as phishing. I am optimistic that we will see many useful scripts introduced that will enhance our browsing experience and make things easier and more personalized. At the same time we all have to careful and skeptical with regard to emails that we receive.
The ultimate solution to phishing and other security and privacy issues is authentication. Simply put, to have a way to establish that we are who we say we are and to enable us to know that the sender of an email or software download, etc. is who they say they are. The technology to do this is available. It takes will and leadership by the major banks, insurance companies, healthcare organizations along with cooperation and leadership by governments. There is much more on this in the PKI category and the Public Policy category here at patrickWeb.
- ‘Spoof Emails’ tutorial at eBay
- More about scripting at Opera
- patrickWeb stories about PKI
- patrickWeb stories about Public Policy
