
News Blog

Read all 'phishing' posts in News Blog
July 8, 2008 11:03 AM PDT

Gmail now blocking fake eBay, PayPal e-mails

by Elinor Mills
  • 15 comments

Google on Tuesday said it is now using an e-mail authentication technology to keep phishers from luring Gmail users to fake eBay and PayPal Web pages in order to steal usernames and passwords.

The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.

Last October, Yahoo announced that it was protecting Yahoo Mail users with eBay and PayPal accounts from phishing attempts using the same technology.

The DomainKeys technology is covered by a patent assigned to Yahoo. The company released it under a dual-license scheme that allows companies to use it royalty-free under the GNU General Public License (GPL 2.0), which enabled the Internet Engineering Task Force to approve it as a proposed Internet standard.

June 30, 2008 4:23 PM PDT

Google Calendar now the target of phishers

by Elinor Mills
  • 1 comment

Updated Tuesday at 9:10 a.m. with Google comment.

A few months ago, spam came to Google Calendar. Now phishing has arrived.

Intrepid Google watcher Philipp Lenssen wrote late last week about being the target of a phishing attempt via Google Calendar.

He received an e-mail to his Gmail account with a reference to a legitimate event from his calendar. The sender was listed as "customer care," and it asked him to verify his account by supplying his username and password.

"We are having congestions (sic) due to the anonymous registration of Gmail accounts, so we are shutting down some Gmail accounts, and your account was among those to be deleted. We are sending you this email to so that you can verify and let us know if you still want to use this account," the e-mail said, complete with grammatical and spelling mistakes that can tip people off to phishing attempts.

On May 28, a Google Talk Guide addressed the issue in a Google Groups thread, urging users to click the "Report Phishing" link if they receive suspicious e-mails and not to click on links within the e-mails or open attachments.

Late on Monday, a Google representative e-mailed this statement: "Spam is an issue for all Internet users, and we work very hard to fight it. Using Google Calendar, or any Google product, to send spam is a violation of our product policies. We are actively identifying Calendar accounts that send spam and disabling them."

Google has more information on how to protect against e-mail fraud on its Official Google Blog Web site.

Philipp Lenssen of Google Blogoscope writes about how phishers targeted him via Google Calendar. This is a screenshot of the e-mail he received.

(Credit: Blogoscoped)

May 27, 2008 8:57 AM PDT

Yahoo sues over lottery phishing scam

by Stephen Shankland
  • 7 comments

Yahoo has filed suit against unnamed "lottery spammers" who tried to fool people into thinking that they won a prize from Yahoo so they'd share passwords, credit card numbers, or other sensitive information.

The Internet company on Tuesday said it filed the suit in the U.S. District Court for the Southern District of New York, citing the Federal Trademark Act, the Can-Spam Act, and related state laws.

"The unauthorized use of Yahoo's trademarks is misleading, fraudulent, and has actually confused, misled, and deceived the public," Joe Siino, Yahoo's senior vice president for global intellectual property and business strategy, said in a statement.

According to Barracuda Networks, 90 percent to 95 percent of e-mail sent in 2007 was spam. Phishing, one activity associated with spam, involves sending e-mail masquerading as authentic messages designed to fool users into parting with personal information.

May 24, 2008 6:15 PM PDT

'Phomance' doesn't warm developer's heart

by Leslie Katz
  • 2 comments

Phomance might sound like some hip new description of a romantic phone conversation, but Symantec's senior information developer says there's nothing sexy about it.

Phomance, writes Ben Nahorney, is actually the foreboding cross-section between phishing and online dating--and he should know, as he recently received a suspicious e-mail from a hot Russian nurse who seemed unusually interested in corresponding despite the paltry details in his online dating profile.


Why, out of the multitude of members on the site, had this woman decided to contact me? Did I seem open-minded, having stated that my ideal partner would have "Any" hair/eye/body type? Was I mysterious due to my lack of a picture? Was it that we had "All of the above" in common when it came to the hobbies section? Obviously my skeleton of a personal ad was picked from the site for other purposes.

Little did that most-likely apocryphal Slavic beauty know who she was dealing with when she contacted Nahorney. He immediately saw the telltale signs of a con and went about investigating his potential suitor (who, he noted from her photo, was "I'll wire her money just to take care of her sick puppy" gorgeous).

The Wall Street Journal pointed us to Nahorney's quite funny blog about the occurrence, which is both a darn good read and a darn good cautionary tale (consumer tips included) about what can happen when scammers slowly win open-hearted victims' trust and then attempt to start bilking them.

May 8, 2008 8:00 AM PDT

IRS Web site opens door to phishers

by Chris Soghoian
  • 1 comment

A new IRS Web site that allows taxpayers to check on the status of their refund checks could lead to users being phished.

The new "Where's my stimulus payment?" site asks taxpayers to enter their Social Security number and a few other trivial bits of information, then tells them the amount of their refund and the date it will be sent out.

While no doubt useful, this Web site sets a horrible example, and encourages dangerous behavior by users. Furthermore, in the hands of someone who knows the last four digits of a taxpayer's Social Security number, it could be used as an oracle (by submitting multiple requests) to determine the full SSN of a taxpayer.

Screenshot of the IRS Stimulus Website

(Credit: Christopher Soghoian)

The IRS is frequently mimicked by phishers. The agency even goes so far as to offer advice on its site, debunking many common phishing attacks. Furthermore, the agency has shut down more than 1,600 phishing sites claiming to be the IRS in the past few years.

From a security education perspective, it is a really bad idea to have such a form on the official IRS Web site. The IRS should not be training users (via positive reinforcement) to enter their full Social Security numbers into Web sites. It is bad enough that credit cards and banks require us to do so when signing up. The IRS has an existing relationship with every tax-paying citizen. It does not need to use our SSN to authenticate us, and could use one of many other bits of information.

Secondly, the URL, http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC, is simply horrible. The vast majority of users will have no idea whether this is a legitimate Web site or not. Why could they not select something a bit more readable, such as "www.irs.gov/stimulus"?

At the very least, the IRS should authenticate users with additional information (such as the amount of federal taxes paid in 2008). It already does this for users who wish to e-file. This would at least stop the site from being used as an oracle to confirm or guess someone else's SSN.
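The oracle described two paragraphs up and the knowledge-based check proposed here as the fix, side by side, as an added example that is neither the author's nor the IRS's code; the taxpayer records, field names and five-attempt lockout are constructed for illustration:

```python
"""Refund-status lookup: the oracle-prone design beside a hardened one.

Added example. The record store, field names and lockout threshold are
constructed for illustration; none of it is the IRS system's code or data.
"""
from collections import defaultdict
from typing import Optional

# Constructed sample taxpayer records keyed by full SSN.
RECORDS = {
    "123-45-6789": {"status": "single", "tax_paid_2008": 4210, "refund": 600},
    "987-65-4321": {"status": "joint", "tax_paid_2008": 9900, "refund": 1200},
}


def lookup_naive(ssn: str, filing_status: str) -> Optional[dict]:
    """SSN plus a trivially guessable field, with no attempt limit.

    A right SSN and a wrong one produce different answers and nothing stops
    repeated requests, so someone holding the last four digits can use the
    endpoint as an oracle for the remaining ones (the weakness the post describes).
    """
    rec = RECORDS.get(ssn)
    if rec is not None and rec["status"] == filing_status:
        return {"refund": rec["refund"]}
    return None


class HardenedLookup:
    """Knowledge-based check plus a per-suffix attempt counter.

    - A second fact only the taxpayer should know (tax paid, as the post
      proposes) must also match, so a correct SSN alone reveals nothing.
    - Every failure is counted against the SSN's last four digits, the part an
      oracle attack holds constant; after MAX_FAILURES that suffix is refused
      until a reset, and a refusal looks exactly like an ordinary miss.
    """

    MAX_FAILURES = 5  # constructed threshold

    def __init__(self) -> None:
        self._failures = defaultdict(int)

    def lookup(self, ssn: str, filing_status: str, tax_paid_2008: int) -> Optional[dict]:
        suffix = ssn[-4:]
        if self._failures[suffix] >= self.MAX_FAILURES:
            return None  # locked out; indistinguishable from a miss
        rec = RECORDS.get(ssn)
        matched = (
            rec is not None
            and rec["status"] == filing_status
            and rec["tax_paid_2008"] == tax_paid_2008
        )
        if not matched:
            self._failures[suffix] += 1
            return None
        return {"refund": rec["refund"]}

    def failures_for(self, suffix: str) -> int:
        return self._failures[suffix]

    def reset(self, suffix: str) -> None:
        """Support-desk unlock once the taxpayer is verified out of band.
        The lockout also lets a hostile party inconvenience a real taxpayer,
        which is why a reset path has to exist."""
        self._failures[suffix] = 0
```

Against the naive version, a correct SSN with a guessable filing status is enough to get an answer, and nothing slows repetition; against the hardened one, five misses sharing a suffix silence even the correct credentials until reset.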

To see why this is such a bad idea--look at the image below of a phishing scam claiming to be an IRS refund Web site. Now look at the image above, the IRS's new refund status site. Can we really expect most users to tell the difference?

Phishing site targeting the IRS

(Credit: Laughing Squid / Flickr)

Originally posted at Surveillance State

April 29, 2008 12:15 PM PDT

Google issues warning about phishing e-mails

by Elinor Mills
  • 3 comments

Google is warning people about the dangers of phishing e-mails that ask for sensitive information and appear to come from a legitimate trusted source, like your bank, but are really scams to steal your data.

You would think that with all the publicity phishing attacks have had over the years there wouldn't need to be a public education campaign. But so many people still get lured by these spam e-mails every day that the warning is merited.

"Millions of people have gotten 'urgent' e-mails asking them to take immediate action to prevent some impending disaster. 'Our bank has a new security system. Update your information now or you won't be able to access your account,' or 'We couldn't verify your information; click here to update your account,'" Ian Fette of Google's Security Team wrote in a posting on Tuesday on the Official Google Blog. The post, titled "How to avoid getting hooked," is one in a series on online security.

"People who click on the links in these e-mails may see a Web page that looks like a legitimate site they've visited before. Because the page looks familiar, these people enter their username, password, or other private information on the site," Fette writes. "What they've actually done is given an unknown third party all the information needed to hijack their account, steal their money, or open up new lines of credit in their name. They just fell for a phishing attack."

According to the posting, here are some things to remember:

  • Be wary of responding to e-mails or clicking on links that ask for information, particularly because legitimate businesses don't ask for that type of data via e-mail.
  • Type the purported organization's Web address into a browser rather than clicking on the link.
  • If you are already on the site, double-check that the URL looks legitimate.
  • Be wary of promises of "fantastic prizes" and other too-good-to-be-true offers.
  • Use an updated browser with a phishing filter.

April 15, 2008 1:26 PM PDT

Beware the 'whaling' e-mail that includes your company info

by Elinor Mills

You get an e-mail not only addressed to you, but it includes your company name and phone number and appears to come from the U.S. District Court.

It looks like a subpoena to appear in court on a civil case and it instructs you to download the document from a Web site.

What should you do?

Whatever you do, don't click on the hyperlink to the Web site, warns Web security services firm MX Logic. It's probably a malicious Web site that will download malicious software, such as a keystroke logger, to your machine.

The social engineering attack is similar to others, including phishing e-mails that purport to come from the Internal Revenue Service. But this attack goes a step further by including your company phone number, which makes it seem even more legitimate.

If you're an executive, chances are you're the intended victim of a so-called whaling attack. While phishing attacks are aimed at anyone with an e-mail address, whaling attacks target big fish at companies where knowing a top executive's password opens a back door to sensitive insider information.

Remember, courts communicate via regular mail, not e-mail. In addition to some spelling errors in a sample whaling e-mail making the rounds this week, MX Logic found that the link went to a top-level domain other than ".gov", which had been registered a few days earlier to someone in the U.K.

A new phishing e-mail targeting CEOs looks like a subpoena and includes a company name and number. This shows the top part of the e-mail.

(Credit: MX Logic)

March 21, 2008 12:01 AM PDT

Block spam, phishing attempts in Outlook

by Dennis O'Reilly
  • 1 comment

The battle for your in-box shows no signs of waning.

Despite the efforts of software companies large and small, spammers and phishers continue to find and exploit weaknesses in junk-mail filters at the server and client levels. After years of foil and parry between these two forces, you would think that Microsoft Outlook, the most widely used e-mail program in the world, would be a paragon of in-box defenses.

Then again, this is Microsoft we're talking about, a company not noted for being the paragon of anything more than profitability.

A few years back, Service Pack 2 for Office 2003 added phishing filters for Outlook that move suspicious messages to your Junk E-mail folder automatically and turn off links in the messages. Outlook 2007 was released about a year-and-a-half later with only a few new junk-mail defenses. In fact, the Junk E-mail Options screens of the two versions are nearly identical.

Microsoft Outlook 2003 Junk E-mail Options dialog box

The junk e-mail options in Outlook 2003 don't offer many options.

(Credit: Microsoft)

Microsoft Outlook 2007 Junk E-mail Options dialog box

The only difference between the Junk E-mail Options in Outlook 2007 and its predecessor is the bottom two options.

(Credit: Microsoft)

In the past, I have created a series of Outlook rules to stem the flow of junk to my in-box. The process is straightforward though somewhat time-consuming: Click Tools > Rules and Alerts > New Rule, and step through the Rules Wizard. You can also right-click a message you want to base the rule on and choose Create Rule, and then either make your selections, or click Advanced Options to open the Rules Wizard.

If you find yourself spending an inordinate amount of time dealing with junk e-mail, your best solution is a third-party spam and phishing filter. There are lots of free versions available for download, but the freebies either require too much work on your part to make them effective, or they work with only a single mail account, place text ads on your outgoing messages, or come up short in some other way.

Your best bet may be to bite the bullet and pay for a commercial junk-mail filter. My favorite is one that has been around for a long time: Cloudmark Desktop, which comes in versions for Outlook and Outlook Express, as well as for Mozilla Thunderbird. The program is available for a 15-day free trial. A one-year subscription for two PCs costs $40 (multiple licenses and volume discounts are available).

Cloudmark adds a toolbar to Outlook that lets you scan a folder for junk with a couple of clicks. It places spam and phishing attempts in a Spam folder and lets you block and unblock mail from specific senders. The program works quickly: It scanned a folder with more than 2,000 messages in just a couple of minutes, and I didn't notice any slowdown when I sent and received mail.

Cloudmark Desktop toolbar for Microsoft Outlook

The Cloudmark Desktop junk-mail filter adds a toolbar to Outlook that lets you scan a folder for spam, and block or unblock specific senders.

(Credit: Cloudmark)

You get more control over how junk mail is treated via the program's Options menus, which let you scan for junk selectively rather than automatically, and change the location of your junk-mail folder. You can choose to delete the junk immediately, after a week, or after a month. Your Outlook contacts can be added to your trusted list with a single click, and you can see how many messages have been checked, how many were identified as spam automatically, and how many spam and phishing messages you've blocked.

Cloudmark Desktop for Microsoft Outlook options dialog box

Cloudmark Desktop's options let you change the folder your junk mail is stored in, and decide when to delete the junk.

(Credit: Cloudmark)

When you're ready to get serious about locking spammers and phishers out of your Outlook in-box, Cloudmark is ready to do the heavy lifting.

Monday: simple ways to speed up Windows shutdowns.

Originally posted at Workers' Edge

Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.

January 31, 2008 7:03 AM PST

Google, PayPal introduce political-phishing defenses

by Chris Soghoian
  • 1 comment

In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.

While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.

Google Checkout for Political Contributions

(Credit: Google)

In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.

The phishing problem is a particular threat to campaign sites, for a number of reasons:

  • The various campaigns use completely inconsistent naming schemes for their domains. Users have no way of knowing if they should go to Hillaryclinton.com or Hillary.com, Rudygiuliani.com or Joinrudy2008.com.
  • Politicians were nice enough to exempt themselves from antispam laws. An online store cannot send out unsolicited e-mail and ask you to buy their products, but politicians can send out hundreds of thousands of e-mails asking people to donate money.
  • While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails, the campaigns all encourage this dangerous behavior. At the end of e-mail messages describing the threat posed by the opposite party, potential donors are asked to click and donate.
  • Campaign contributions don't result in the sale of a physical good. If a phisher pretends to be Amazon.com and tricks a user into entering his or her credit card number, there is a good chance that the victim will figure it out when his or her book never shows up. However, once a donor has given money using a legitimate campaign Web site, the only thing they will ever receive is a thank-you e-mail, which can easily be spoofed by a phisher.

In our research paper, we suggested that Google and PayPal begin to offer online-campaign contribution systems. The two companies have already spent millions of dollars in establishing trusted brands--enough that millions of users entrust the firms with their credit card details and other personal information, both have Web site names that users can remember, and the two companies have well-staffed security teams that can respond in real time to phishing threats.

A couple weeks ago, PayPal launched its "PayPal Kit for Non-Profits" product. Similarly, Google recently announced a form of Google Checkout specifically designed for political campaigns.

I'm not going to claim credit for inspiring these product deployments, as I'm sure that the legal complexities in designing a campaign contribution system are significant enough that the firms were working on the products long before my colleagues and I published our paper. However, it is nice to see that we successfully predicted the future.

Both sites pitch their products as ways for campaigns to increase the amount of money that is donated and to increase the number of people who will give. The massive security benefits to donors and to the campaigns (in terms of the reputation damage a phishing attack would cause) are glossed over.

The introduction of these products is a great first step. However, the millions of people who donate to campaign sites are not yet safe from phishing attacks.

First, the campaigns need to all ditch their own home-brew payment-processing solutions and switch to the exclusive use of either Google, PayPal, or both.

Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.

Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.

With millions of dollars per week being raised online for the presidential campaigns, this is an area that is ripe for fraud and evil activity. While the phishers have thus far not targeted campaign sites, it is surely a matter of time before they do. However, if the campaigns are smart, and start taking advantage of the tools made available to them by trusted online-payment sites, they can do much to reduce the risk that phishers pose to the online-donation process.

It remains to be seen if the campaigns will actually be wise enough to embrace Google, PayPal, and others--or if they will allow their reputations and the confidence of online users to be trashed due to an inability to see future threats.

Disclosure: I interned with Google's security team in 2006 and have received $5,000 of fellowship money from Google and the Hispanic College Fund in both 2007 and 2008.

Originally posted at Surveillance State

January 9, 2008 12:07 PM PST

Phishers now leasing the Storm worm botnet

by Robert Vamosi
  • 1 comment

A number of phishing sites have cropped up within the last day using domains previously attributed to the Storm worm botnet. Last fall, Storm was used in a series of pump-and-dump stock spam blasts, including a unique MP3-based spam blast, but researchers at F-Secure don't think the original authors of Storm are necessarily trying something new. F-Secure said Tuesday that "October brought evidence of Storm variations using unique security keys. The unique keys...allow the botnet to be segmented allowing 'space for rent.'" They think phishers are leasing parts of the larger botnet.

F-Secure cites a Halifax bank as one of the phishing targets, while Trend Micro identifies the Royal Bank of Scotland as another. What connects these sites are the server domains hosting the pages. Trend Micro said Tuesday it detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities."

The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will celebrate its first anniversary next week, on or around January 19.

Originally posted at Defense in Depth