The following message appeared in my Junk Mail box today. (These are only the first few lines… it looked complete and quite official)
Security Center Advisory!
PayPal is constantly working to ensure security by screening accounts daily in our system. We recently reviewed your account, and we need you to verify information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited or terminated. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?
Your account access has been limited for the following reason(s):
· February 27, 2008: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have placed limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.
Click Here to Remove Account Limitations (http://188.8.131.52/blocks/19483.paypal.com/webscr_cmd_login-run.php?%3c-*-%3ez%5b3,$0%20dAN%5b=iz%5b3|As0,d%3c-*-%3e)
It went on to include warnings about security, never sharing your password, protecting your account, and so on. It looks, on the surface, to have come from PayPal. Of course it also includes a convenient link to change you password, and will remind you again that for security reasons, you must enter your account name and existing password to proceed. Gotcha!
This is a relatively common scheme called phishing. A play on the word fishing, phishing schemes send out millions of e-mails that in almost every way look like they came from eBay, Paypal, or your financial institution. They show up in your e-mail with a warning that you need to stay safe, starting with changing your password immediately. Of course they include a convenient click-here link which takes you to the login page. You enter your credentials and you are done… literally. What you have done is given a bogus site your real credentials to the real financial institution, which they will use to take your money and ruin your good name.
Microsoft has gone to great lengths over the years to protect its users from these schemes, but because they are inexpensive and simple to operate they keep coming. Users who use the latest and greatest operating system and e-mail client from Microsoft and keep them properly patched are less at-risk than those who do not… as stated in the first line this e-mail showed up in my Junk Mail folder, and in order to even see the graphics (let alone click on a link) I had to proactively move the message to a safe location, and mark it as safe. That is because different components of my network – starting with my mail server but including Windows Vista (with Internet Explorer 8.0 and Microsoft Office Outlook 2007) are regularly patched with phishing definitions. These definitions do their best to keep up with the various cutting-edge methods of treachery used in these scams. However a user on an older, un-patched OS using an older mail client will not have the same security… and will usually not know it.
When you are unsure of an e-mail, the first rule is DO NOT click on anything. Do not even download the graphics if your mail client allows for that option. If you are absolutely convinced that your account has been compromised then rather than clicking within the message, open an Internet Explorer browser and type in the URL of your site manually. That is the surest way to know that you are where you belong.
Here are a couple of tips you can look for to be 100% sure that someone is trying to scam you:
- E-mail from any institution that you regularly do business with will end with their domain name, so PayPal will be from @paypal.com… never paypal@<anything else>.com
- Legitimate URLs (Universal Resource Locators) – or web addresses – follow simple rules; it is only what follows the domain name that can look like gibberish. The click-through link included in this message is designed to look like it comes from 19483.paypal.com… it is right there in bold; of course, this is hidden from you within the Link itself – you are meant to simply click on the words Remove Account Limitations which will open the Internet browser. So in the address bar of that Internet browser look at the address… the site name is what is found between the http:// and the first forward slash (/). So in the address above the site is located at 184.108.40.206… an IP address. No legitimate business in the world – certainly no reputable one – uses IP addresses in their sites in place of domain names.
Of course all of that is interesting technically, but from a social engineering point of view there are several telltale signs within the message that prove its illegitimacy:
- Neither my name nor my account is in the e-mail anywhere. Legitimate e-mail from proper sites will generally be addressed to me: Dear Mr. Garvis, and so on;
- In much the same way, legitimate e-mail will usually be signed by a person.
- According to the e-mail my account was compromised on February 27, 2008. If it was a legitimate threat it would not come ten months late.
- Financial sites do not limit access… they block it until you change your password.
In November I got a call from my bank informing me that my bank card might have been compromised, and asked me to go into the nearest bank at my convenience to have the card replaced. They cancelled the card on the spot of course, and they called me (slightly early on a Saturday morning if I recall) apologizing for the inconvenience. I found this a bit inconvenient, but quite secure. Had they sent me an e-mail I would have been immediately suspicious, and would have called anyways. Notice that this e-mail does not have a phone number to call.
Phishing is scary because of its prevalence and anonymity. Although it is a simple crime to avoid (imagine muggers asking you to click here before they stole your wallet!) it is also astoundingly easy to get caught… simply lower your guard for a minute and they have you. If you suspect that you have been targeted, you should contact the legitimate institution immediately; if you fall victim to a scheme then your first step is to contact your local law enforcement agency who will guide you… although because of the international nature of these crimes it might be years before you ever see progress – if ever.