May 5, 2005 — (WEB HOST INDUSTRY REVIEW) — Established in 2003, The Anti-Phishing Working Group (apwg.org) is an industry association focused on the elimination of identity theft and fraud developing as a result of the growing phishing and email spoofing problems. The APWG provides a forum for the discussion of phishing issues and testing of potential solutions. Archives of phishing scams and other valuable information and resources are available through the organization’s Web site.
The link given above doesn’t appear to be the correct one, or at least not ready yet, but the APWG does have a website at http://www.antiphishing.org
It has some good resources for checking for known Phishing Scams as well as an address where you can report suspect phishing emails.
For those of you who still don’t know what ‘Phishing’ is all about, the above site will have more information, but here is my basic interpretation of it.
A scammer will copy the code from a sites webpage and change it to include some maliscous code that will ask you to enter some personal information. This usually takes the form of asking you for your ATM card number and the password, or your paypal log in ID and password. To most web savvy people this should seem quite wrong, but to those less familiar with online shopping or banking, the fact that the spoofed site exactly mimics the real site makes it more believable to them.
After you have entered your personal information, the spoof site will forward you to the real site and in theory you shouldn’t notice anything different. (Apart from perhaps a sudden dwindling of funds from your account!!!).
A simple rule to avoid becoming the victim of phishing, is there will NEVER be a case where someone will ask you for passwords or pin numbers or anything else of that nature. Not even your credit card company are aware of your PIN. Those little envelopes that are printed when sealed have never been seen by anyone, other than yourself on the day that you opened it. With passwords, this might not be the case, since in theory the bank could retrieve those, but still, they would never ever ask you for your password, EVER.
I often get annoyed with the sites that are the subject of a phishing attempt, because they often make it easier to achieve. Most of the paypal phishing attempts that I have seen, are HTML based emails, (that is to say that they look like a web page rather than just plain text). All of the images in the emails are actually linked from PayPals own sites. And when you click on the email and are taken to the phishing site itself, it too has been built with code robbed off the genuine paypal site and modified. But again, the images and stylesheets are again linked back to the original content on paypals own sites. So even if you did have a quick glance at the HTML code, you would see mostly legitimate paypal links. Phishers will often obfuscate the links to the code that grabs your personal data, so you might not even notice it. This adds to the air of authenticity of the scam.
Another simple example, is somewhere on this page I have posted an image. If you liked that image, you could display it on your site, but rather than download it, store it on your web server, and then link to it on your machine, why don’t you just use a link to the one already on my site. It saves your bandwidth?
Most if not all websites can switch off this feature (called hot linking) and that prevents people from using content on your site. True, they would just download it and have it on their site, but then it would be more obvious when looking at the scamming sites source code.
It might also be the case that the legitimate websites are using their access logs to trace back referrals. When your computer requests a webpage, your details are sent to the web server, so it knows who you are, where you are from, where you came from, what search word you used if any to get there, what search engine you used, etc etc. In theory, sites could examine their web logs and see if there is a spike in referrals for say the “paypal’ logo from a site not within their network.
But other than that, I see no reason why sites should not disable hot linking.
Either way, I repeat what I have said above. No one, repeat, no one will ever ask you for access information whether it be credit cards, ATM cards, account passwords and usernames. Your account will never be suspended if you don’t supply something. What is certain, and what most people are not aware of, is that if you do submit your details to a phishing site, it is you, the consumer who is responsible for the loss of funds. By giving out your personal data, you have broken the terms and conditions set my almost all institutions. Legally, you would not have a leg to stand on by blaming the legal site. (I would like to see this tested in a court though, by using my example above where the legal site is helping the phishing attempt by providing them a helping hand and supplying them the content required to make it look legit!).
For my next rant, I’ll talk about those damn pesky Lottery Scams. For goodness sake, you don’t ever ever get something for nothing, but people will always reply to them when they think they are going to get something… When will we learn…