Request for proof reading
I've been working on an Antivirus Primer for my website and I just put a version of it up now. I was wondering if you could take a look at it when you have a free moment and let me know if you see any glaring errors, omissions, or suggestions.
Thanks!
Darkcyte Antivirus Primer
Phishing Primer For Hylander
I just wrote this one up for my company:
Phishing
(fish´ing) (n.) The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information. For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay’s site to update their account information. By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.
Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,” the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.
(Webopedia)
Here's an example of an e-mail phishing for private information (I just received this e-mail)
X-Apparently-To: user@yahoo.com via 206.190.39.75; Mon, 11 Oct 2004 02:57:07 -0700
X-YahooFilteredBulk: 221.167.113.207
X-Originating-IP: [221.167.113.207]
Return-Path: <moon_canada_online_service.p@citibank.com>
Received: from 221.167.113.207 (221.167.113.207) by mta397.mail.scd.yahoo.com with SMTP; Mon, 11 Oct 2004 02:57:07 -0700
Date: Mon, 11 Oct 2004 09:42:21 +0000
From: "Citibank" <Moon_Canada_online_service.p@citibank.com>
To: user@yahoo.com
Subject: Citibank e-mail v erification - user@yahoo.com
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Content-Length: 1333
Dear Citi่bank Member,
Thi่s emailฺ was sฺent by tฺhe Citi่banฺk server to verify your e-mฺaiฺ่l addrฺess. You must complete thi่s procฺess ฺbฺy cli่cking
on the ฺlink below ฺand entering in the ฺsฺmall window your Citibankฺ ATM/Debiฺ่t Card numbeฺr and PIN that youฺ use on ATM.
Thisฺ i่s done for yoฺur protection - because some of our members no lonฺger ฺhave access to theฺir emฺail addresses and
we must veri่fy itฺ.
To verify yฺour e-mai่l addrฺess and access your bank account, cli่ck on the link ฺbelow:
((Link was here. I removed it for this e-mail))
Okay, a couple of things to look for: First off, there's no way that Citibank is going to ever, ever ask for this sort of information via an e-mail. In fact, Citibank will never ask for your PIN, via letter, phone call or e-mail; it just won't happen. (More info on Citibank here: http://www.citibank.com/domain/spoof/learn.htm) Next, take a look at the header information in the e-mail. Notice the originating IP address? Well, let's take a minute and run a 'WHOIS' on that IP address via a great, free tool called SamSpade (http://www.samspade.org)
Server Used: [ whois.krnic.net ]
221.167.113.207 = [ ]
(www.nic.or.kr) Whois
query: 221.167.113.207
ENGLISH
KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The followings are information of the organization that is using the IPv4 address.
IPv4 Address : 221.167.113.0-221.167.113.255
Network Name : KORNET-INFRA000001
Connect ISP Name : KORNET
Connect Date : 20031129
Registration Date : 20031208
[ Organization Information ]
Organization ID : ORG1600
Org Name : Korea Telecom
State : GYUNGGI
Address : 206 Jungja-dong Bundang-gu Sungnam city Gyunggi-do Korea 463-711
Zip Code : 463-711
[ Admin Contact Information]
Name : IP Administrator
Org Name : Korea Telecom
State : GYUNGGI
Address : 206 Jungja-dong Bundang-gu Sungnam city Gyunggi-do Korea 463-711
Zip Code : 463-711
Phone : 82-2-3674-5708
Fax : 82-2-747-8701
E-Mail : ip@ns.kornet.net
Hmm. The IP belongs to a public Korean ISP. Now why exactly would Citibank be sending me a letter via an ISP rather than their own servers? For example if I send a message to my yahoo account from work, then back-track the IP Address, it comes up with ChevronTexaco.
Server Used: [ whois.arin.net ]
136.171.122.10 = [ ctsmtpho1.chevrontexaco.com ]
OrgName: Chevron Oil Field Research Company
OrgID: COFR
Address: 6001 Bollinger Canyon Road
City: San Ramon
StateProv: CA
PostalCode: 94583-2324
Country: US
NetRange: 136.171.0.0 - 136.171.255.255
CIDR: 136.171.0.0/16
NetName: CHEVRONLH
NetHandle: NET-136-171-0-0-1
Parent: NET-136-0-0-0-0
NetType: Direct Assignment
NameServer: BOCFG3.CHEVRONTEXACO.COM
NameServer: BOCFG4.CHEVRONTEXACO.COM
NameServer: CHVPKFG1.CHEVRONTEXACO.COM
NameServer: CHVPKFG2.CHEVRONTEXACO.COM
Comment:
RegDate: 1989-09-05
Updated: 2003-04-07
TechHandle: BB1786-ARIN
TechName: Beach Bob
TechPhone: 1-925-842-3626
TechEmail: hostmaster@chevrontexaco.com
So, a couple of bits of information:
1. Understand what phishing is. Explain it to your friends and families. Our parents and grandparents or those that are not internet savvy are more susceptible to this practice. Be sure that they know to never respond to any e-mail that asks for personal information.
2. When in doubt… delete it. If it sounds legit, looks legit, but there's just something strange about the e-mail, just delete it. Trust me, if it's important enough the requester will contact you directly. You can also contact the company that is requesting the information to verify the authenticity of the e-mail. You can also run a WHOIS to track it back. Spammers and Phishers can mask a lot of information, but the originating IP is hard to remove from the header information. You can turn on header views in both Yahoo and Hotmail. In Outlook, you can display header information by opening the e-mail, click on 'VIEW', 'OPTIONS'.
3. Report it. If you want to go the extra step then notify your ISP of the offending message. Notify the company that is being misrepresented. Hey, you can even notify the FBI at http://www1.ifccfbi.gov/index.asp.
4. A good practice is to have multiple e-mail accounts. One account that you only give to family and friends, one account for business and one account for internet usage. That way when you are asked for an e-mail address on an internet form or website, you'll enter your 3rd account information. It makes it easier to sort through your e-mail and to quickly verify who's sharing your e-mail account information without your consent. And of course, never respond to any spam or e-mail coming from someone that you don't know. This does nothing more than verify that you check your account.
5. Don't click on the 'REMOVE me' option in e-mails. A new virus is being spread by redirecting the URL to a website that launches a malicious JavaScript exploit when you view the page (http://www.theregister.co.uk/2004/09...t-out_exploit/). By providing an opt-out option on their e-mails, spammers are following the new CAN-SPAM laws, but at the same time they are exploiting the law by coaxing you to a website.
For more Information:
Anti-Phishing Working Group
http://www.antiphishing.org/
Federal Trade Commission Consumer Alert
http://www.ftc.gov/bcp/conline/pubs/...ishingalrt.htm
U.S. Computer Emergency Readiness Team (CERT)
http://www.us-cert.gov/cas/tips/ST04-014.html
Microsoft Security
http://www.microsoft.com/athome/secu.../phishing.mspx
Feel free to modify and use this one as well.
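The steps the primer above walks through by hand (find the originating IP in the headers, compare it with who the From: line claims to be, read past the odd characters in the body) can be scripted. The following is an added example, not part of the original post and not the author's own code. It reuses the headers of the Citibank message quoted above (with the webmail artefacts dropped) as one constructed sample, and a second constructed sample modelled on the ChevronTexaco hop the post traces; the internal chevrontexaco.com hop and the From: address in that sample are invented, as is the `trusted_suffix="yahoo.com"` assumption that the recipient's mailbox is at Yahoo. Reading the Thai combining marks in the body as a keyword-filter evasion trick is also an assumption. The WHOIS lookup itself stays manual; the script only tells you which IP to look up.

```python
"""Triage a suspected phishing e-mail: who it claims to be from, which IP to WHOIS, what it asks for.
Added example, not part of the original post; the WHOIS lookup itself stays manual."""
import email
import email.utils
import re
import unicodedata
from email import policy

# Constructed sample 1: headers of the Citibank message quoted in the post (webmail artefacts
# dropped) plus a shortened copy of its body, Thai marks (U+0E48, U+0E3A) reproduced as posted.
PHISH = (
    "X-Originating-IP: [221.167.113.207]\n"
    "Return-Path: <moon_canada_online_service.p@citibank.com>\n"
    "Received: from 221.167.113.207 (221.167.113.207) by mta397.mail.scd.yahoo.com"
    " with SMTP; Mon, 11 Oct 2004 02:57:07 -0700\n"
    'From: "Citibank" <Moon_Canada_online_service.p@citibank.com>\n'
    "To: user@yahoo.com\nSubject: Citibank e-mail v erification - user@yahoo.com\n\n"
    "Dear Citi\u0e48bank Member,\n"
    "Thi\u0e48s email\u0e3a was s\u0e3aent by t\u0e3ahe Citi\u0e48ban\u0e3ak server to verify"
    " your e-m\u0e3aai\u0e3a\u0e48l addr\u0e3aess.\n"
    "Enter your Citibank\u0e3a ATM/Debi\u0e3a\u0e48t Card numbe\u0e3ar and PIN that you\u0e3a use on ATM.\n"
)
# Constructed sample 2: mail from a corporate network, modelled on the ChevronTexaco hop the post
# traces; the internal hop and the From: address are invented for the example.
LEGIT = (
    "Return-Path: <user@chevrontexaco.com>\n"
    "Received: from ctsmtpho1.chevrontexaco.com (ctsmtpho1.chevrontexaco.com [136.171.122.10])"
    " by mta397.mail.scd.yahoo.com with SMTP; Mon, 11 Oct 2004 08:00:00 -0700\n"
    "Received: from pc.chevrontexaco.com (pc.chevrontexaco.com [136.171.1.20])"
    " by ctsmtpho1.chevrontexaco.com with ESMTP; Mon, 11 Oct 2004 07:59:58 -0700\n"
    "From: user@chevrontexaco.com\nTo: user@yahoo.com\nSubject: note to self\n\n"
    "Sending myself a message from work to look at the headers.\n"
)
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the sending host announced (HELO/EHLO)
    r"(?:\s*\((?P<seen>[^)]*)\))?"   # what the receiving MTA actually saw: rDNS and/or [ip]
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
KEYWORDS = ("pin", "atm", "debit card", "card number", "password", "social security")

def received_hops(msg):
    """Received: lines newest-first, as they appear: every MTA prepends its own."""
    hops = []
    for m in (RECEIVED_RE.search(str(h)) for h in msg.get_all("Received", [])):
        if m:
            seen = m.group("seen") or ""
            ips = IPV4_RE.findall(seen) or IPV4_RE.findall(m.group("helo"))
            hops.append({"helo": m.group("helo"), "seen": seen, "by": m.group("by"),
                         "ip": ips[0] if ips else None})
    return hops

def handoff_hop(msg, trusted_suffix):
    """The Received: line the recipient's own provider wrote when it accepted the mail from outside.
    Lines below it were written on the sender's side and can be forged; this one is trustworthy."""
    for hop in received_hops(msg):
        if (hop["by"].lower().endswith(trusted_suffix)
                and trusted_suffix not in (hop["helo"] + " " + hop["seen"]).lower()):
            return hop
    return None

def deobfuscate(text):
    """Drop combining marks and non-Latin letters so 'Debi\u0e3a\u0e48t' reads 'Debit' again."""
    return "".join(ch for ch in unicodedata.normalize("NFKD", text)
                   if not unicodedata.category(ch).startswith("M")
                   and (ch.isascii() or not ch.isalpha()))

def stuffed_marks(text):
    """Count marks glued onto an ASCII letter. English text has no reason to contain any; the
    example reads them (an assumption) as an attempt to dodge keyword filters."""
    return sum(1 for prev, ch in zip(text, text[1:])
               if prev.isascii() and prev.isalpha() and unicodedata.category(ch).startswith("M"))

def triage(raw, trusted_suffix="yahoo.com"):
    """Return the claimed domain, the IP to WHOIS and a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    findings = []
    hop = handoff_hop(msg, trusted_suffix)
    if hop:
        # A bank's own MTA announces a hostname under the bank's domain, not a bare IP.
        if (IPV4_RE.fullmatch(hop["helo"])
                or domain not in (hop["helo"] + " " + hop["seen"]).lower()):
            findings.append(f"From: claims {domain} but the host that handed the mail to "
                            f"{hop['by']} identified itself as '{hop['helo']}'")
    body = str(msg.get_payload())
    asked = [k for k in KEYWORDS if k in deobfuscate(body).lower()]
    if asked:
        findings.append("body asks for " + ", ".join(asked))
    if stuffed_marks(body):
        findings.append(f"{stuffed_marks(body)} combining marks inserted into words")
    # X-Originating-IP if the provider added one (Yahoo did), else the hand-off hop's IP.
    xo = IPV4_RE.search(str(msg.get("X-Originating-IP", "")))
    ip = xo.group(0) if xo else (hop["ip"] if hop else None)
    return {"claimed_domain": domain, "originating_ip": ip, "findings": findings}

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        r = triage(raw)
        print(label, r["claimed_domain"], "WHOIS", r["originating_ip"], r["findings"])
```

Run it and feed the printed `originating_ip` to SamSpade or a command-line `whois`; the Citibank sample yields 221.167.113.207 (the Korea Telecom block in the post) and the corporate sample yields 136.171.122.10 (the ChevronTexaco gateway). The reason the script only trusts the hop written by your own provider is the same reason the post gives for trusting the originating IP: a sender can type any Received: lines it likes into a message before it leaves, but it cannot rewrite the line your provider adds when it takes the connection.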