Archive for June, 2007

Please Update Your Info with Our Bank

Nope, I’m not a victim; but I have been receiving phishing emails asking me to update my account information “from” a bank with whom I have no relationship. I sent the emails on to the bank and they’ve confirmed that it’s a phishing scheme. Here, I offer a few tidbits from the email to give you an idea of how this stuff works.

In the past week I’ve received two emails directed toward the same bank. (I have obscured the bank identification in this post, as it’s irrelevant to the discussion). One has subject line “IMPORTANT Upgrade to New Security System” and the other says simply “Account Update.” Both emails appear to come from the bank, and both have “Reply-To” addresses that appear legitimate (that is, both reference <bank>.com). Both explain that the bank has instituted new security measures, and request that I update my information through their new, secure server. Then they provide a convenient link to do just that. The link looks like this:

http://www.bank.com/secure/update/ssl.cfm

Sounds good, right? It even looks secure, what with that “ssl” and the word “secure” in the URL. But the text you see is only the link’s label; looking “under the hood” (by examining the email’s “page source,” where the link’s real target is written), the link really goes here:

http://xylus.ca/labradale/images/.www/onlineservices.bank.com/auth/

Now, I’m not sure who xylus.ca and the various subdirectories are, but I’m pretty sure they’re NOT my bank.com. It could be a legitimate site that has been broken into and is hosting the phishing page without its owner’s knowledge (the odd path, with a hidden “.www” directory and a subdirectory named to look like onlineservices.bank.com, is typical of that), so I can’t even assert that xylus.ca is the bad guy. But the mismatch between the link you see and the place it actually takes you is certainly cause for concern.

The rest of the email even grabs images and page references from the real bank.com site, to make things look more legitimate. And they offer you a phone number and email address for verification.

What purpose does this serve the bad guys? By inserting their own site between you and the bank, they can either request information from you that you wouldn’t want others to know (account numbers, usernames, passwords), or, more disturbing, relay you on to the real bank and simply “watch” your interaction with it, obtaining the same information without your ever knowing it has leaked. Then THEY have your username, account information, passwords, etc., to use as they wish. I doubt they’re planning on making deposits to your account.
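The trick described above, a link whose visible text names the bank while its real target is somewhere else, is mechanical enough to check for automatically. The script below is an added example, not code from this blog or from the bank involved: it pulls every link out of an HTML email body and flags two things, visible text that names a different site than the href, and the bank’s domain appearing somewhere in the URL without being the host actually visited. The sample email is constructed for the example, using the two URLs quoted in the post plus one more common variant (the bank’s name placed before an “@”, which browsers treat as a username and ignore). The “registered domain” helper is a simplification that takes the last two labels of a host name; production code should use the Public Suffix List.

```python
"""Flag e-mail links whose visible text and real target disagree."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL; userinfo tricks like http://bank.com@evil/ resolve to 'evil'."""
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host name. Simplification: real code should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True if the visible link text reads like a URL or bare host name."""
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))


def suspicious_links(html, trusted_domain):
    """Return [(href, [reasons])] for every link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        href_domain = registered_domain(href_host)
        reasons = []
        # 1. The visible text names a site, but the link goes elsewhere.
        if looks_like_url(text):
            text_host = host_of(text if "://" in text else "http://" + text)
            if registered_domain(text_host) != href_domain:
                reasons.append(f"text shows {text_host} but link goes to {href_host}")
        # 2. The bank's name is in the URL but is not the domain actually visited.
        if trusted_domain in href.lower() and href_domain != trusted_domain:
            reasons.append(f"'{trusted_domain}' appears in the URL but the host is {href_host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample modelled on the e-mail described in the post; the first
# two URLs are the ones quoted there, the third link is a common variant.
SAMPLE_EMAIL = """
<p>Please update your information on our new secure server:</p>
<a href="http://xylus.ca/labradale/images/.www/onlineservices.bank.com/auth/">
  http://www.bank.com/secure/update/ssl.cfm</a>
<p>Questions? <a href="http://www.bank.com/contact">Contact us</a></p>
<p>Or sign in at <a href="http://www.bank.com@xylus.ca/login">www.bank.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "bank.com"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it reports the xylus.ca link and the “@” link, each for both reasons, and passes the genuine “Contact us” link. Note what the check does not do: it says nothing about a link whose text is plain words (“click here”) pointing at an unrelated host, so the advice in the post, to never trust an emailed link in the first place, still stands.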

This explains the experts’ advice that you NEVER click a link contained in an email. That is, assume any link in emails is suspect – especially if it concerns your finances, your accounts with anyone/anywhere, etc. CALL the bank or company ON THE PHONE. Use their published phone number, NOT the one provided in the email. Ask questions, and never assume an email is what it claims to be.

Caveat emailer.

Information Leakage

The following story was emailed to me. While I generally don’t publish stuff that’s been forwarded numerous times, this particular one teaches some valuable lessons to those who aren’t aware of how easy it is to inadvertently leak information online. The story came to me unattributed.

“After tossing her books on the sofa, she decided to grab a snack and get on-line . She logged on under her screen name ByAngel213. She checked her Buddy List and saw GoTo123 was on. She sent him an instant message:

ByAngel213:
Hi. I’m glad you are on! I thought someone was following me home today. It was really weird!

GoTo123:
LOL You watch too much TV. Why would someone be following you?
Don’t you live in a safe neighborhood?

ByAngel213:
Of course I do. LOL I guess it was my imagination cuz’ I didn’t see anybody when I looked out.

GoTo123:
Unless you gave your name out on-line. You haven’t done that have you?

ByAngel213:
Of course not. I’m not stupid you know.

GoTo123:
Did you have a softball game after school today?

ByAngel213:
Yes and we won!!

GoTo123:
That’s great! Who did you play?

ByAngel213:
We played the Hornets. LOL. Their uniforms are so gross! They look like bees. LOL

GoTo123:
What is your team called?

ByAngel213:
We are the Canton Cats. We have tiger paws on our uniforms. They are really cool.

GoTo123:
Did you pitch?

ByAngel213:
No I play second base. I got to go. My homework has to be done before my parents get home. I don’t want them mad at me. Bye!

GoTo123:
Catch you later. Bye

Meanwhile……GoTo123 went to the member menu and began to search for her profile. When it came up, he highlighted it and printed it out. He took out a pen and began to write down what he knew about Angel so far.

Her name: Shannon
Birthday: Jan. 3, 1985
Age: 13
State where she lived: North Carolina

Hobbies: softball, chorus, skating and going to the mall. Besides this information, he knew she lived in Canton because she had just told him. He knew she stayed by herself until 6:30 p.m. every afternoon until her parents came home from work. He knew she played softball on Thursday afternoons on the school team, and the team was named the Canton Cats. Her favorite number 7 was printed on her jersey. He knew she was in the eighth grade at the Canton Junior High School. She had told him all this in the conversations they had on-line. He had enough information to find her now.

Shannon didn’t tell her parents about the incident on the way home from the ballpark that day. She didn’t want them to make a scene and stop her from walking home from the softball games. Parents were always overreacting and hers were the worst. It made her wish she was not an only child. Maybe if she had brothers and sisters, her parents wouldn’t be so overprotective.

By Thursday, Shannon had forgotten about the footsteps following her.

Her game was in full swing when suddenly she felt someone staring at her. It was then that the memory came back. She glanced up from her second base position to see a man watching her closely.

He was leaning against the fence behind first base and he smiled when she looked at him. He didn’t look scary and she quickly dismissed the sudden fear she had felt.

After the game, he sat on a bleacher while she talked to the coach. She noticed his smile once again as she walked past him. He nodded and she smiled back. He noticed her name on the back of her shirt. He knew he had found her.

Quietly, he walked a safe distance behind her. It was only a few blocks to Shannon’s home, and once he saw where she lived he quickly returned to the park to get his car.

Now he had to wait. He decided to get a bite to eat until the time came to go to Shannon’s house. He drove to a fast food restaurant and sat there until time to make his move.

Shannon was in her room later that evening when she heard voices in the living room.

“Shannon, come here,” her father called. He sounded upset and she couldn’t imagine why. She went into the room to see the man from the ballpark sitting on the sofa.

“Sit down,” her father began, “this man has just told us a most interesting story about you.”

Shannon sat back. How could he tell her parents anything? She had never seen him before today!

“Do you know who I am, Shannon?” the man asked.

“No,” Shannon answered.

“I am a police officer and your online friend, GoTo123.”

Shannon was stunned. “That’s impossible! GoTo is a kid my age! He’s 14. And he lives in Michigan!”

The man smiled. “I know I told you all that, but it wasn’t true. You see, Shannon, there are people on-line who pretend to be kids; I was one of them. But while others do it to injure kids and hurt them, I belong to a group of parents who do it to protect kids from predators. I came here to find you to teach you how dangerous it is to talk to people on-line. You told me enough about yourself to make it easy for me to find you. You named the school you went to, the name of your ball team and the position you played. The number and name on your jersey just made finding you a breeze.”

Shannon was stunned. “You mean you don’t live in Michigan?”

He laughed. “No, I live in Raleigh. It made you feel safe to think I was so far away, didn’t it?”

She nodded.

“I had a friend whose daughter was like you. Only she wasn’t as lucky. The guy found her and murdered her while she was home alone. Kids are taught not to tell anyone when they are alone, yet they do it all the time on-line. The wrong people trick you into giving out information a little here and there on-line. Before you know it, you have told them enough for them to find you without even realizing you have done it. I hope you’ve learned a lesson from this and won’t do it again. Tell others about this so they will be safe too?”

“It’s a promise!”

<end of story>

Like Crosby, Stills, Nash and Young once sang: “Teach your children well.”

Home network security – one perspective

Daily Cup of Tech (one of my favorite blogs) recently posted an article about home network security and making your home (wireless) network less attractive to casual snoopers, responding to criticism received in a comment on a previous posting. The suggestions he provides aren’t designed to make your network hacker-proof, as he himself points out.

They do, however, help lower your network’s profile in a potential sea of available access points. The good advice he offers: disable SSID broadcast, use encryption, and employ the standard security measures available on your router (like changing the administrator password).

Experts will argue about whether one kind of encryption is superior to another, whether disabling SSID broadcast represents any measure of security at all, etc. On two points there is no real argument: WEP is broken (it can be cracked in minutes with freely available tools), so use WPA or, better, WPA2 with a long passphrase; and a hidden SSID only deters the most casual snoop, since the name is sent in the clear whenever a legitimate client connects. Still, the bottom line is that any measures you employ to improve your security are better than what you had before. It is, as they say, a step in the right direction. And it might just be enough to discourage a snoop… you never know.

Router vulnerability (potential)

A new attack approach, which its authors call “drive-by pharming,” was documented in February by researchers at Indiana University and Symantec, in which an Internet user need only visit a bad guy’s web site to become a potential victim of a variety of crimes, including possibly identity theft. The attack uses JavaScript in the web page to reach your router at its local address from inside your own network and, if the router still accepts its factory-default administrator password, change the router’s DNS settings. From then on, every time your computer asks “what is the address of my bank’s web site?”, the answer comes from a server the bad guys control, so they can send you to look-alike sites of their choosing and snoop on whatever you send. Once your router has been compromised, it is very difficult to detect the problem, since everything appears to work normally. The various antivirus, antispyware, etc. measures on your PC cannot detect this attack at present, and are unlikely to detect a compromised router in the future, because nothing on the PC itself has been changed.

The fix: MAKE SURE YOU HAVE CHANGED YOUR ROUTER’S ADMINISTRATOR PASSWORD FROM ITS FACTORY DEFAULT SETTING!! While you’re at it, be sure you’ve enabled encryption on your wireless.

Of course, you should also check the DNS settings in your router (usually on the WAN or “Internet” page of its administration screens) to be certain they are your ISP’s servers. If this doesn’t make sense to you, get a professional involved.

Technical reference: http://www.cs.indiana.edu/pub/techreports/TR641.pdf (checked 2/27/07)

Routers and ISPs

A certain DSL ISP (who shall remain nameless) recently was “helping” one of my customers. The customer had trouble getting a connection, so called the ISP’s tech support for help.

It seems the ISP’s tech support decided that the best course of action would be to reset the router to its factory settings, so they could set up auto-login to their system. This means any and all security settings I had in place for my customer went out the window. (I co-posted a note on router security and default admin passwords here.)

There was no attempt to reinstitute ANY security settings once the ISP had reestablished the customer’s connection.

This is very bad news, for several reasons:

1) wireless security measures were completely disabled;

2) any other measures I may have had in place were now gone; and,

3) the router’s admin password was set to factory default.

Another of my customers called their cable ISP provider with a problem, and that company’s tech support had the customer bypass the router to get things working again… and never had the customer reconnect the router. A day later I got the call that the wireless was down… only to discover that the router wasn’t even in the loop!

For the ISP to throw away all security settings and place the router in a vulnerable configuration simply to reestablish their service is certainly unacceptable – perhaps negligent. To disconnect the router and never reconnect is downright incompetent.

Unfortunately, first-level tech support at many ISPs is a relatively untrained person who is stepping through a checklist – and has no idea as to the ramifications of the changes (s)he is making to the customer’s equipment. Once the ISP’s problem is solved (i.e., the customer’s original complaint is fixed), the ISP hangs up with a “see ya’ later” with an unspoken “good luck!”

Moral of the story: have your customers contact you when they’ve dealt with their ISP, so you can clean up the mess that gets left behind.
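The three router posts above (lowering the network’s profile, checking the router’s DNS after a drive-by change, and cleaning up after an ISP reset) all come down to re-checking the same handful of settings. The script below is an added example, not code from this blog, from Daily Cup of Tech or from any router vendor: it audits a router configuration snapshot in a hypothetical key=value export format (real routers each have their own backup format, so the parsing step would need adapting) and reports which of those settings are wrong. The ISP resolver netblock is an assumption, filled here with documentation address space; replace it with the servers your ISP publishes. Both snapshots are constructed, one showing what a factory reset leaves behind, the other the re-hardened state.

```python
"""Audit a home-router configuration snapshot for the settings the posts
above say an ISP reset (or a drive-by change) is likely to undo."""
import ipaddress

# Factory-default admin passwords commonly shipped on consumer routers.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345"}

# ASSUMPTION: the netblock the ISP publishes for its resolvers. Documentation
# address space (TEST-NET-3) stands in for the real one here.
ISP_DNS_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_config(text):
    """Parse a hypothetical key=value router export into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of (severity, finding) tuples; an empty list means it passed."""
    findings = []

    # 1. Admin password: the one setting that makes drive-by pharming work.
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append(("high", "admin password is a factory default"))

    # 2. Wireless encryption: open and WEP are both unacceptable.
    sec = cfg.get("wifi_security", "none").lower()
    if sec in {"none", "open", ""}:
        findings.append(("high", "wireless encryption is disabled"))
    elif sec == "wep":
        findings.append(("high", "WEP is broken; switch to WPA2"))
    elif sec.startswith("wpa"):
        if len(cfg.get("wifi_passphrase", "")) < 12:
            findings.append(("medium", "WPA passphrase shorter than 12 characters"))
    else:
        findings.append(("medium", f"unrecognised wireless security mode '{sec}'"))

    # 3. SSID broadcast: hiding it is only nominal protection, hence low severity.
    if cfg.get("ssid_broadcast", "on").lower() == "on":
        findings.append(("low", "SSID broadcast is on"))

    # 4. Remote (WAN-side) administration should stay off.
    if cfg.get("remote_admin", "off").lower() == "on":
        findings.append(("high", "remote administration is enabled"))

    # 5. Upstream DNS: anything outside the ISP's netblocks is a pharming flag.
    for server in cfg.get("wan_dns", "").split(","):
        server = server.strip()
        if not server:
            continue
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append(("high", f"wan_dns '{server}' is not an IP address"))
            continue
        if not any(ip in block for block in ISP_DNS_BLOCKS):
            findings.append(("high", f"wan_dns {ip} is not one of the ISP's resolvers"))
    return findings


# Constructed snapshots, not taken from a real router.
AFTER_ISP_RESET = """
admin_password=admin
wifi_security=none
ssid_broadcast=on
remote_admin=off
wan_dns=198.51.100.53
"""

REHARDENED = """
admin_password=correct horse battery staple
wifi_security=wpa2-psk
wifi_passphrase=a-long-passphrase-nobody-guesses
ssid_broadcast=off
remote_admin=off
wan_dns=203.0.113.1, 203.0.113.2
"""

if __name__ == "__main__":
    for name, snapshot in (("after ISP reset", AFTER_ISP_RESET), ("re-hardened", REHARDENED)):
        print(f"{name}: {audit(parse_config(snapshot)) or 'OK'}")
```

The reset snapshot trips four findings (default password, no wireless encryption, SSID broadcast, and a DNS server that is not the ISP’s); the re-hardened one passes clean. One caveat: if the router’s DNS fields are blank because it takes resolvers from the ISP by DHCP, this check has nothing to examine, and you have to compare what the router’s status page shows against the ISP’s published servers by hand.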

Is this commonplace? Your comments are welcome!