
Security

November 23, 2009 12:40 PM PST

Microsoft warns of IE exploit code in the wild

by Elinor Mills

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code was posted to a security mailing list that allegedly can be used to take control of a computer when it visits a Web site hosting the code.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future," Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.

Anyone believed to have been affected can visit Microsoft's Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft's PC Safety Customer Service and Support number at 1-866-727-2338.

In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle (in other words, pre-Patch Tuesday) fix.

Originally posted at InSecurity Complex
November 23, 2009 12:29 PM PST

Chrome OS security: 'Sandboxing' and auto updates

by Elinor Mills

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and makes re-installing the operating system easier.

(Credit: Google)

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.
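The detect-at-next-boot idea described above, as an added illustration that is not Google's code or Chrome OS's actual verified-boot implementation: a vendor key signs a manifest of partition hashes at build time, and the device-side check at start-up first verifies the manifest's signature and then compares every partition against it. Partition names, contents and the Ed25519/SHA-256 choice are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Partition is a constructed stand-in for one on-disk image that verified boot
// covers (the article names the kernel, system memory and the partition table).
type Partition struct {
	Name string
	Data []byte
}

// SignedManifest holds the expected SHA-256 of every partition plus an Ed25519
// signature over the canonical encoding, so the list itself cannot be swapped out.
type SignedManifest struct {
	Digests   map[string]string // partition name -> hex SHA-256
	Signature []byte
}

// BootResult is what the device-side check reports at start-up.
type BootResult struct {
	ManifestTrusted bool     // false: manifest was not signed by the vendor key
	Tampered        []string // partitions whose content no longer matches
}

// NewVendorKey plays the role of the vendor (Google, in the article) signing key.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// canonical encodes the digest map deterministically (sorted by name) so that
// signer and verifier operate on exactly the same bytes.
func canonical(digests map[string]string) []byte {
	names := make([]string, 0, len(digests))
	for n := range digests {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, digests[n])
	}
	return []byte(b.String())
}

// SignImage runs at build time: hash each partition and sign the manifest.
func SignImage(priv ed25519.PrivateKey, parts []Partition) SignedManifest {
	digests := make(map[string]string, len(parts))
	for _, p := range parts {
		digests[p.Name] = digest(p.Data)
	}
	return SignedManifest{Digests: digests, Signature: ed25519.Sign(priv, canonical(digests))}
}

// VerifyBoot runs at start-up: first prove the manifest came from the vendor,
// then compare every partition on disk against it. A partition missing from
// disk, or present on disk but absent from the manifest, also counts as tampered.
func VerifyBoot(pub ed25519.PublicKey, m SignedManifest, parts []Partition) BootResult {
	if !ed25519.Verify(pub, canonical(m.Digests), m.Signature) {
		return BootResult{ManifestTrusted: false} // refuse to trust any of it
	}
	res := BootResult{ManifestTrusted: true}
	seen := make(map[string]bool, len(parts))
	for _, p := range parts {
		seen[p.Name] = true
		if want, ok := m.Digests[p.Name]; !ok || want != digest(p.Data) {
			res.Tampered = append(res.Tampered, p.Name)
		}
	}
	for name := range m.Digests {
		if !seen[name] {
			res.Tampered = append(res.Tampered, name)
		}
	}
	sort.Strings(res.Tampered)
	return res
}

// SampleImage returns constructed partition contents standing in for an install.
func SampleImage() []Partition {
	return []Partition{
		{Name: "kernel", Data: []byte("vmlinuz v1 (constructed)")},
		{Name: "system", Data: []byte("rootfs contents (constructed)")},
		{Name: "ptable", Data: []byte("GPT entries (constructed)")},
	}
}
```

A real implementation would anchor the vendor public key in read-only firmware and reinstall the flagged partitions, which is the "clean itself again" step the article describes.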

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.

All user data stored by the operating system, browser, and any plug-ins is encrypted, and users cannot access each other's data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Updated November 24 to clarify that Bluetooth is not being considered for authentication.

Originally posted at InSecurity Complex
November 23, 2009 4:00 AM PST

E-tailers snagged in marketing 'scam' blame customers

by Greg Sandoval

First, the good news for consumers: the U.S. government's investigation into how dozens of well-known online stores worked with controversial marketers to "deceive" customers out of $1.4 billion has prompted some retailers, including Continental Airlines, to sever ties with the marketers.

Mark Goldston, chairman and CEO of United Online, parent company of Classmates.com, which banked $70 million from marketing practices now under investigation by the Senate Commerce committee.

(Credit: United Online)

Now, the bad news: the marketers--Affinion, Vertrue, and Webloyalty--are still in business and judging from the responses of many of the retailers involved, such as Priceline, Classmates.com, FTD, Shutterfly, and Orbitz, it will be business as usual. They see nothing wrong with the marketing practices that millions of angry online shoppers and members of the U.S. Senate have called a "scam," "robbery" and "theft."

While the U.S. Senate Commerce committee produced a staggering amount of documentation during a hearing last week that appears to show consumers are misled into signing up for so-called loyalty programs, the retailers continue to suggest it's their customers who are at fault.

The controversy began last May, when the Commerce committee launched an investigation into the practices employed by Vertrue, Affinion, and Webloyalty. The committee's investigators found thousands of complaints going back years from people who said they discovered "mysterious charges" on their credit cards and struggled to discover how they got there.

The Senate's investigators said they learned that the retailers had made an unholy alliance with the marketers. Under most of the agreements between the marketing firms and retailers, an advertising page is presented to a shopper while they complete a transaction at the retailer's online store. Many shoppers say they entered their e-mail address and pushed a large "Yes" button on the ad because it appears to be a $10 cash-back offer or coupon. Many of those that complain say they thought they were being rewarded by the retailer for making a purchase.

Written in much smaller print within the ad are the full terms of the deal. A customer is notified there that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20.

Despite being blasted last week by members of the Commerce committee, most of the retailers involved haven't done much repenting.

Orbitz "does not pass on any personally identifiable customer information to third party vendors without their permission," the travel site said in a statement.

United Online, parent company of FTD and Classmates.com, a company that the government said banked $70 million via the three marketers, said: "We believe that our marketing practices provide clear disclosure. We do not transfer our customer's credit or debit card information to third parties without our customer's consent."

Priceline said the terms of the deal have "been clearly and fully explained."

It's all your fault
The inference is clear: The people complaining about this are the ones who screwed up. The terms of the deal were all in the ad so that means anyone who was charged the monthly fee either wanted it at the time or was negligent.

I can start by listing all the information that the government has found that shows that as many as 30 million consumers were unaware that they were signing up for the loyalty programs. But first, let's look at the obvious.

Webloyalty, Affinion and Vertrue all say they do their best to make it clear to consumers what they're signing up for. That's nonsense of course. If their claim was true, they would simply insert the following graph or something like it high up into their ads:

BY ENTERING YOUR CREDIT CARD NUMBER YOU ARE REGISTERING FOR MEMBERSHIP PROGRAM AND YOUR CREDIT CARD WILL BE CHARGED $12 PER MONTH FOR THIS SERVICE UNTIL YOU CANCEL YOUR MEMBERSHIP. ENTER CARD NUMBER HERE:________. EXPIRATION DATE HERE:________.

Voila. End of confusion.

This simple fact was presented in a Jan. 8, 2007, court filing that was part of a class-action lawsuit filed against Webloyalty, one of several suits filed against the three marketing companies over the years. In this case, the attorneys representing plaintiff Joe Kuefler sized up why they believed Webloyalty doesn't display its terms in this clear way or ask consumers to input their credit card information themselves.

"The answer is nefarious," the lawyers wrote. "If customers had to retype their credit card numbers, they would know that they were registering for a monthly fee-based service and defendants would not be able to get rich by fooling people into signing up."

Confusion breeds deception
Here's the next obvious fact that readers should know: burying important contractual information deep inside big blocks of text isn't new. Creating confusion around a purchasing experience and then obtaining a consumer's credit card information from someone other than the owner to make charges isn't novel. These ideas have been around in some form or another for decades and are outlawed in many parts of the brick-and-mortar world. These tactics won't fool everyone, but they will mislead enough consumers for the companies to profit.

In the court filing against Webloyalty, Kuefler's lawyers said that if they could get their hands on the company's internal documents they could prove Webloyalty knew that most "members" were duped into signing up. Well, the government did obtain documents.

According to the Senate Commerce committee's report, a Vertrue employee once wrote that "cancellation calls represent approximately 98 percent of call volume" to the company's customer service operations. One Webloyalty employee said in an e-mail that "90 percent of our members don't know anything about the membership."

Documents obtained by the government show Affinion estimated that the chances of obtaining money from a consumer would be four times higher if a retailer handed over a customer's credit-card information to the marketing firm than if the firm had to get it from the actual cardholder.

Prentiss Cox, a former assistant attorney general and now a Minnesota law professor, says that in his decade-long experience studying the marketing practices employed by Affinion, Vertrue and Webloyalty, it's clear to him that the share of members who voluntarily sign up for the loyalty programs run by those companies is less than 5 percent.

Since I began writing about this in July, I've seen a lot of reader feedback from people who don't believe they could ever be misled into signing up for the membership programs. But I've also read thousands of complaints, which can be found here, here, and here. Among those that have claimed to have been duped are lawyers, computer programmers, vice presidents, U.S. Army veterans, and journalists.

The government wrote that more than 35 million people have been enrolled in Affinion, Vertrue, and Webloyalty's clubs.

Cox says the marketing techniques used by Affinion, Webloyalty, and Vertrue work because shoppers have been conditioned to believe that on the Web they can't be charged without entering their credit card information. He notes the ads that Affinion, Vertrue and Webloyalty stick in the faces of consumers come late in the transaction process, when a consumer might think they need to click the "yes" button and enter their e-mail address to verify their identities. In addition, the ads "are sold as free offers," Cox said. This lowers a shopper's guard.

Another effective technique employed by the marketing companies is that they know many people will be embarrassed. Many consumers will hear that they entered their e-mail address and will assume they erred. Some won't make a stink because they don't want to admit that they don't check their bank statements well enough.

By saying, "we never release credit card information without the consumer's authorization," the marketing companies and their retail partners imply that the money their customers lost was caused by their own negligence.

Affinion, Vertrue, Webloyalty, and their retail partners are all profiting from their customers' shame, when it is they who should be ashamed.

Webloyalty illustrated for potential clients how much easier it is to generate "high revenue" from a consumer when the firm can get their credit card information from a retailer ('card on file') instead of the card owner. Members of a Senate committee have called such practices a 'scam.'

(Credit: U.S. Senate Commerce committee)
November 21, 2009 10:04 AM PST

McAfee warns about '12 Scams of Christmas'

by Larry Magid

Retailers aren't the only ones gearing up for the holiday season. Criminals are also out in force.

To highlight the increased crime during the holidays, security company McAfee has come up with the "12 Scams of Christmas" ranging from bogus electronic greeting cards that deliver malware instead of cheer to fake charities that steal your money and your identity.

It's especially important to be extra careful this time of year, says McAfee's David Marcus. "The bad guys know people are spending more time online, they're paying more bills online so [the criminals] stand a chance of being a bit more successful this time of year."

In a podcast interview (scroll down to listen), Marcus counted down the 12 scams of Christmas starting with:

  1. Charitable phishing scams: Marcus warns consumers to be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.

  2. Fake invoices from delivery services: During this period, scammers will send out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the U.S. Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.

  3. Social networking friend requests: Bad guys take advantage of this social time of year by sending out authentic looking friend requests via e-mail. Marcus recommends that you not click on those links but sign into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.

  4. Holiday e-cards: Be careful before clicking on a holiday e-card, especially if it's from a site you haven't heard of. This is a way to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know. If you're going to send an e-card, be sure you're dealing with a reputable service lest you risk infecting yourself and your friends.

  5. Fake "luxury" jewelry: If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money or merchandise that will probably never arrive (or be fake if it does). Some of these sites, according to McAfee, even display the logos of the Better Business Bureau.

  6. Practice safe holiday shopping: Make sure your wireless network is secure and be sure you're shopping on sites that are secure. Though it isn't an iron clad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page starts with https. The "s" stands for "secure."

  7. Christmas carol lyrics can be dangerous: Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.

  8. Job search related scams: With the unemployment rate at 10.2 percent, there are plenty of job seekers looking for work. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too. Marcus said that some "get rich quick" sites are all about money laundering, asking you to accept an inbound financial transfer and pay them.

  9. Auction site fraud: McAfee has observed a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with.

  10. Password stealing scams: Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.

  11. E-mail banking scams: A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's Web address manually if you need to access your account.

  12. Files for ransom: Hackers use malware to gain control of your computer and lock your data files. To access your own data you have to pay them ransom.

Bottom line--Don't let the eggnog and holiday cheer keep you from using your critical thinking skills when you go online during the holiday season. And, of course, make sure your operating system is updated and that you're using up-to-date security software.

Listen to Larry's interview with McAfee's David Marcus

Listen now: Download today's podcast

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
November 19, 2009 9:01 PM PST

Cisco launches iPhone security app

by Elinor Mills

Cisco is offering a free iPhone app that will allow people to get customized alerts on new security threats and other information for safe Web browsing.

The app, which will be available on Friday in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular Web sites are compromised, as well as links to podcasts and videos.

The Cisco SIO To Go iPhone app gets its information from the company's Security Intelligence Operations (SIO) system, which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world. The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.

The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.

"I can make it applicable to my needs and the security needs of my [enterprise] network," he said.

The Cisco SIO To Go iPhone app offers information about the safety of particular Web sites.

(Credit: Cisco)
Originally posted at InSecurity Complex
November 19, 2009 7:13 PM PST

Town to photograph every car that enters and leaves

by Chris Matyszczyk

Tiburon, Calif., is a twee little place. If you aren't familiar with the old-country colloquialism "twee," it means, well, something like "precious." Like one of those dogs Paris Hilton used to carry in her purse.

When one wanders through its little streets, just north of San Francisco, one gets the sense that a few of the residents, on seeing someone who appears not to be from around those parts, reach for their handkerchief and hand sanitizer.

How can one, therefore, be surprised that a meeting of the Tiburon Town Council voted on Wednesday by 4 to 0 to install cameras to photograph every single car that enters or leaves this little Disneyland?

The San Francisco Chronicle reported that this may be the first community in the country to have defended itself with cameras in such a way. The idea is to photograph the license plates of every car that treads Tiburon's hallowed roads and compare the information with the police's list of the stolen and nefarious.

Tiburon. Such a tranquil place.

(Credit: CC Stewart/Flickr)

The Tiburon police chief, Michael Cronin, told the Chronicle: "I think it makes the community safer."

There are certainly even more definitions of the word "safety" than of the word "twee." However, it is heartwarming that the Tiburon police--inspired, perhaps, by Google--promise that the information will be kept for only 30 days.

The strange thing is that Tiburon, a northern suburb of San Francisco, isn't exactly Oakland. It doesn't enjoy high crime figures. Indeed, some might say that the most criminal elements in the place are to be seen on the racks of its clothes stores.

The town is fortunate, however, in that it is on a peninsula, from which there are only two roads. So the total cost of putting up six cameras is estimated to be no more than $200,000, which works out at something near $20 per resident. (Tiburon residents enjoy, by the way, a median income somewhere above $125,000.)

I know there will be some who believe you can never have enough security cameras in this heinous and half-witted world. But perhaps some will worry that the police might make rather instinctive judgments about the provenance of certain cars and their intentions.

Others will wonder whether this decision might affect businesses in Tiburon. Still others will ponder whether the police might be willing to offer a Web site showing the movements of all its officers.

I merely wonder how many people, knowing they might have to go to Tiburon for a meal of organic Kobe beef, rosemary ice cream, and plenty of Stags Leap cabernet, will choose to remove their front license plates. You know, just to be on the safe side.

Originally posted at Technically Incorrect
Chris Matyszczyk is an award-winning creative director who advises major corporations on content creation and marketing. He brings an irreverent, sarcastic, and sometimes ironic voice to the tech world. He is a member of the CNET Blog Network and is not an employee of CNET.
November 18, 2009 11:41 AM PST

New Firefox 3.6 beta aims to cut crashes

by Stephen Shankland

Earlier in November, Firefox surpassed 25 percent usage share of Web browsers, according to Net Applications.

(Credit: Net Applications)

Mozilla released a third beta of Firefox 3.6 on Wednesday, adding stability and performance features, and said it hopes to lock down the code soon for its first release candidate.

The new beta, for Windows, Mac, and Linux, includes a component directory lockdown that makes it harder for other software to meddle with the open-source browser's state by preventing that software from sidling into the same folder as the browser's own components. The result should be fewer crashes, said Mozilla's Johnathan Nightingale in a blog post, and Firefox still is open to third-party extensions via its official add-on mechanism.

The change should improve security, too, added another Mozilla programmer, Vladimir Vukićević, who wrote in his own blog post that Mozilla is considering bringing the change to Firefox 3.5, too.

"Creating binary components to interface with the operating system or with other applications is fairly straightforward, though ultimately dangerous. Binary components have full access to the application and OS, and so can impact stability, security, and performance," Vukićević said.

Also in the latest beta of 3.6 is a feature that lets the browser run some Web-based JavaScript programs asynchronously, which is to say without being so picky about the order the scripts run. This can improve the speed that Web pages load, Mozilla said.

The biggest Firefox 3.6 feature most folks will notice is Personas, the reskinning add-on that's now being built in. More than 10 million Personas have been downloaded so far, Suneel Gupta and Myk Melez of the Personas team said Wednesday.

Mozilla is working to release a final version of Firefox 3.6 before the end of the year, and one sign the project is wrapping up is that the developers are locking down the features and changes that can be added into the release candidate 1. Code freeze for RC1 is scheduled for Wednesday but might be at risk, a Mozilla planning site said this week.

Firefox is steadily gaining in use. Last week, Web traffic monitoring firm Net Applications announced Firefox cleared 25 percent share of those using browsers worldwide--not dethroning Internet Explorer by any means but still winning over new users. Mozilla estimates there are more than 300 million Firefox users total, and this week said there are more than 300,000 testers using the Firefox 3.6 beta.

Google's Chrome, meanwhile, is appealing to some of the same browser enthusiasts who were Firefox's first users. One of its big selling points is speed, and Google is working on other ways to make the Web faster, too. Chrome gives it a vehicle to test such ideas out in the real world, a strategy that Apple, Opera, and Firefox have employed to advance the Web state of the art.

One Mozilla programmer, Alexander Limi, also revealed a speedup technology called Resource Package for Mozilla on Tuesday. His proposal calls for bundling many Web page elements into a single compressed file that can be retrieved in a single Web-page request. Browsers are limited in the number of such requests they can make in parallel, so consolidating the interactions can make pages load faster. The approach is backward compatible with existing browsers that don't support the feature, he added.

"If the feedback is good we're likely to try and get this implemented for Firefox 3.7," said Mozilla evangelist Christopher Blizzard in a blog post Tuesday.

Originally posted at Deep Tech
November 17, 2009 6:05 PM PST

Facebook adopts new privacy policy

by Steven Musil

Facebook on Tuesday announced that it has decided to adopt a revised privacy policy designed to be more accessible and easier to understand.

The social network had just completed a weeklong comment period for the new revision and, though "a lot of people participated," fewer than 7,000 members commented. According to Facebook's rules, this meant that a vote was unnecessary, Michael Richter, Facebook deputy general counsel, wrote in a company blog.

Overall, members supported the proposed changes, including the simplification of the language used to describe the policy and the document's new structure, Richter said.

The site also plans to add visual resources designed to make the document more accessible, such as a glossary of important terms and informational "learn more" videos. Facebook expects to post the revision in English, French, Italian, German, and Spanish soon.

The revision is the latest chapter in Facebook's privacy saga. In July, an investigation by Canada's privacy commissioner suggested that Facebook is unconcerned with members' privacy and called on it to do more. Commissioner Jennifer Stoddart expressed concern that while it's easy for members to deactivate their accounts, the process of actually deleting them is less clear. Facebook could therefore retain member data from deactivated accounts for an indefinite period of time, in violation of Canadian privacy law.

The social network went through a user backlash over the introduction of its News Feed in 2006, and a bigger one over the controversial Beacon advertising program in 2007. More recently, a revision to Facebook's terms of use prompted consumer advocacy blog The Consumerist to highlight language that it said meant that Facebook claimed ownership of user profile data and photos.

Originally posted at Digital Media
November 17, 2009 5:24 PM PST

T-Mobile UK says workers sold customer data

by Elinor Mills

Updated November 18 at 11:19 a.m. PST to clarify that the data was sold by workers at T-Mobile UK, which is operated separately from T-Mobile USA.

British Information Commissioner Christopher Graham says penalties aren't strong enough to deter the sale of private consumer data.

(Credit: BBC)

T-Mobile workers sold personal data on thousands of customers to third parties who then called the individuals as their wireless contracts were due to expire, a T-Mobile UK spokesman has confirmed.

T-Mobile notified England's Information Commission, the watchdog agency responsible for safeguarding consumer privacy, and said the activity was done "without our knowledge," according to the BBC.

Information Commissioner Christopher Graham told the news agency his office will prosecute the individuals responsible.

It's the latest black eye for the T-Mobile brand in recent months. (T-Mobile UK and T-Mobile USA are operated separately.)

Last month an outage on the T-Mobile USA network left Sidekick users unable to access the Web or their address books for several days.

And earlier this month T-Mobile's network in the U.S. suffered a major outage that left customers unable to send or receive text messages or access voice messages for part of a day. The outage was due to a software error in the back-end system that generated abnormal congestion on the network, the company said in a statement.

Originally posted at InSecurity Complex
November 17, 2009 4:00 AM PST

FAQ: Recognizing phishing e-mails

by Elinor Mills
  • 48 comments

If you have received an e-mail from the Internal Revenue Service or the Federal Deposit Insurance Corporation, chances are it was a phishing attempt. If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.

Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.

And anyone can be at risk. The wife of FBI Director Robert Mueller banned him from doing online banking after he came close to falling for a phishing attempt.

Here is some basic information that can help people avoid being tricked by phishing attacks.

What is phishing?
Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information. Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their "winnings" could be deposited into their accounts.

Phishers are also increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.

Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat window was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for additional information.

This phishing e-mail looks legitimate and even offers to provide tips on how to avoid fraud and spoof e-mails.

(Credit: Screenshot by Elinor Mills/CNETNews.)

What are other recent examples of phishing attacks?

  • A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"

  • E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus virus, which is designed to steal bank passwords and other information.

  • E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.

  • A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.

What are some tell-tale signs of a phishing attempt?
Many phishing attempts originate from outside the U.S., so they often contain misspellings and grammatical errors. Some have an urgent tone, and they seek sensitive information that legitimate companies don't typically ask for via e-mail.

What should I look for in an e-mail?
Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used "Alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from "Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S., so an address ending in ".uk" or something other than ".com" could indicate it's a phishing attempt.

The e-mail address may also be obscured. Hitting "reply all" may reveal the true e-mail address. You can also set your e-mail preferences to show "full header" to see the full e-mail address and other information. If you are at all unsure whether the e-mail is legitimate, go to the company's Web site to see the address listed.

Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing e-mails typically offer generic greetings, like "Dear PayPal customer."

Inspect the hyperlinks inside the body of the e-mail. Phishers typically put the company name in a subdomain, or add letters or numbers before it, and sometimes the words in the links are misspelled. For example, www.BankA.security.com would link to the 'BankA' section of the 'security' Web site, not to BankA's site. Often, it's difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address at the bottom of most Web browsers.

In addition, PayPal, Amazon, banks, and many other businesses use the SSL (Secure Sockets Layer) protocol, which is designed to ensure that customers are visiting the real site. That means https:// will be seen in the URL address bar instead of just http://, and usually there will be some other change in the address bar. For instance, PayPal displays a "P" and its name is highlighted in green at the front of the URL. The major browsers have antiphishing measures designed to detect malicious sites. Some phishers also try to hide the real Web address they are sending victims to by using URL shortening services.

If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.

Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.
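As an added illustration of the sender and link checks described above (example code, not from the article or from CNET), this Python script scans a constructed e-mail for the indicators the FAQ lists: a sender domain that is not the brand's, a generic greeting, links whose registrable domain differs from the brand's (the subdomain trick), shortened URLs, and brand links without https. The allow-list, the shortener list and the sample message are assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list of domains the brand really uses (PayPal, per the FAQ).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
# Well-known URL shorteners; a shortened link hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}

# Constructed sample e-mail for the demo; sender and links are made up.
SAMPLE_EMAIL = """From: Alerts@Paypal.co.uk
Subject: Verify your account now or it will be suspended
Dear PayPal customer,
Click http://www.paypal.security-check.example/login to Get Verified!
Details: http://bit.ly/xyz123
Help: https://www.paypal.com/help"""

def registrable_domain(host):
    """Last two labels, so www.BankA.security.com -> security.com.  Enough to
    expose the subdomain trick; production code should use the Public Suffix
    List (paypal.co.uk reduces to co.uk here, which is still not paypal.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(message):
    """Registrable domain of the From: address, or "" if none is found."""
    m = re.search(r"^From:.*?@([\w.-]+)", message, re.MULTILINE)
    return registrable_domain(m.group(1)) if m else ""

def analyze(message, brand="paypal"):
    """Return (item, reason) indicators that the message is not from brand."""
    allowed = BRAND_DOMAINS[brand]
    findings = []
    sender = sender_domain(message)
    if sender not in allowed:
        findings.append(("From", f"sender domain '{sender}' is not {brand}'s"))
    if re.search(r"^Dear \w+ customer", message, re.MULTILINE | re.IGNORECASE):
        findings.append(("greeting", "generic greeting instead of your name"))
    for url in re.findall(r"https?://[^\s<>\"']+", message):
        dom = registrable_domain(urlparse(url).hostname or "")
        if dom in SHORTENERS:
            findings.append((url, "shortened URL hides the destination"))
        elif dom not in allowed:
            findings.append((url, f"points to {dom}, not {brand}"))
        elif not url.lower().startswith("https://"):
            findings.append((url, "brand link without https"))
    return findings

if __name__ == "__main__":
    for item, reason in analyze(SAMPLE_EMAIL):
        print(f"{item}: {reason}")
```

The sample message trips four of the five checks; only the genuine https://www.paypal.com link passes, which is the point the FAQ makes about mousing over links before trusting them.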

How can phishing attacks be avoided?

  • Try to stay off spam lists. Don't post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of bobsmith@xyz.com, use bob.smith.az@xyz.com.

  • If an e-mail asking you to verify information looks reasonable, contact the company directly. Type the address of the company into the address bar rather than clicking on a link. Or call them, but don't use any phone number provided in the e-mail.

  • Don't give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.

  • Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.

  • Don't open e-mail attachments that you did not expect to receive. Don't open download links in IM. And don't enter personal information in a pop-up window or e-mail.

  • Make sure you are using a secure Web site when submitting financial and sensitive information.

  • Change passwords frequently. Don't use the same password on multiple sites.

  • Regularly log into online accounts to monitor the activity and check statements.

  • Use antivirus, antispam, and firewall software and keep your operating system and applications up-to-date.

(My colleague Larry Magid has more tips and a podcast interview with Symantec on avoiding phishing attacks.)

What can I do if I think I've been victimized by phishing?
The Anti-Phishing Working Group has a comprehensive site explaining exactly what steps people should take based on what type of information they have given out.

Where can I report phishing attempts?
You can forward suspected phishing e-mails to reportphishing@antiphishing.org and spam@uce.gov. Companies typically have an address to forward phishing examples to, such as "spoof@company.com." Always include the entire phishing e-mail. Complaints can be lodged with the Internet Crime Complaint Center at the FBI.

Here are additional resources.

http://apwg.org/consumer_recs.html

http://www.irs.gov/newsroom/article/0,,id=154848,00.html

http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

This phishing e-mail includes a sender e-mail address and link that are obviously not associated with Facebook.

(Credit: Screenshot by Elinor Mills/CNETNews.)
Originally posted at InSecurity Complex