[IS&T Security-FYI] SFYI Newsletter, Recognizing Phishing

Monique Yeaton myeaton at MIT.EDU
Mon Nov 2 14:38:35 EST 2009


In this issue:

-------------------------------------
Recognizing Phishing Attacks
-------------------------------------

The Smart Response

There have been many reports and warnings about phishing attacks these  
days. This makes it difficult to keep track of all of them or to  
respond to each one appropriately. At MIT we put so much emphasis on  
not giving out password information in response to an email, that we  
can forget about all the other stuff we should not give out either,  
such as our social security number, medical information, credit card  
number, bank account number and date of birth.

Our common sense should tell us how to respond to "fishy" email  
requests. If you aren't sure who is on the receiving end of the  
information, or think the requester may not be legitimate, ignore them  
and delete them. You can feel safe in assuming that you will suffer no  
dire consequences (such as your email accounts or financial accounts  
being suspended) by doing so.

Through experience you may have learned how to recognize a fake email  
from a real one: spelling mistakes, grammatical errors, dire warnings  
given if you don't reply, a fake "from" email address, a link within  
the email that looks iffy, and promises of money.

Other Variations

Some phishing attacks are harder to recognize. Making users aware of  
these takes more than just a one-line warning such as "don't ever give  
out your password or personal information in an email."

These phishing attacks may seem harmless because they don't require  
you to provide anyone with information. All they ask is that you open  
the attachment they sent.

Recent examples came from Facebook and DHL. Many of us are on Facebook  
and at MIT we use DHL for shipping, so receiving an email from these  
sources seems plausible. Except that the messages aren't really coming  
from these places at all, and the attachment (often a .zip file) will  
do scary things to your computer.

Would you know better than to click on the attachment if you saw an  
email from Facebook with this message: "Because of measures taken to  
provide safety to our clients, your password has been changed. You can  
find your new password in attached document."?

See an example here: <http://blogs.zdnet.com/security/?p=4724>

Some of the messages seemingly coming from Facebook did not have an  
attachment, but had a link to click. See examples here:  
<http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html>

Or how about this one from DHL: "Dear Customer! The courier company  
was not able to deliver your parcel by your address. Cause: Error in  
shipping address. You may pick the parcel at our post office personaly  
(oops there's a spelling error)! Please attention! (broken English)  
The shipping label is attached to this e-mail. Print this label to get  
this package at our post office."

That second one has a few clues revealing a scam, such as the language  
and spelling. The use of exclamation points is also a clue. But some  
of the recipients may not be native English speakers themselves and may  
not catch these clues.

DHL's response: <http://www.dhl-usa.com/custserv/servicealert.asp?id=1>

What could happen if you clicked the .zip attachments? The .zip file  
contains an .exe file that connects to servers to download additional  
malicious files and joins the Bredolab botnet. Attackers now have full  
control of the PC and can send spam emails or steal information on the  
PC.

Lessons We Can Learn

1. File attachments can be dangerous.
Do not open a .zip file sent as an email attachment, and be skeptical  
of any business that sends an email with an attachment. (A Facebook  
spokesperson: "Facebook will never send you a new password as an  
attachment.")

Other file types that can be dangerous include .html, .pdf, and .exe.  
See a full list of them here:  
<http://webfreebies4u.blogspot.com/2009/06/dangerous-email-file-attachments-you.html>

MIT's email server automatically blocks many dangerous file attachments.
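To show what server-side attachment blocking of this kind involves, here is an added example (not MIT's filter, and not from the newsletter) that screens a message for the file types named above and also opens .zip attachments to look for an .exe inside, which is how the Facebook and DHL lures delivered their payload. The sample message, sender address and file names are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types the newsletter names as dangerous. Assumption: this filter is
# extension-based; a real gateway would also inspect the file contents.
DANGEROUS_EXTENSIONS = {".exe", ".html", ".pdf"}


def _ext(name):
    """Lower-case extension of a file name, or '' when it has none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def risky_attachments(raw_message):
    """Return a list of findings (strings) for attachments that should be blocked."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = _ext(name)
        if ext in DANGEROUS_EXTENSIONS:
            findings.append(f"{name}: blocked file type {ext}")
        elif ext == ".zip":
            # The campaigns described wrap an .exe in a .zip, so open the
            # archive and screen each member the same way.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if _ext(member) in DANGEROUS_EXTENSIONS:
                            findings.append(f"{name}: archive contains {member}")
            except zipfile.BadZipFile:
                # A corrupt or disguised archive is itself a reason to block.
                findings.append(f"{name}: unreadable archive")
    return findings


def build_sample_message():
    """Constructed lure: 'new password' text with a zip-wrapped .exe attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("new_password.exe", b"constructed placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"  # constructed sender
    msg["Subject"] = "Your password has been changed"
    msg.set_content("You can find your new password in attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="new_password.zip")
    return msg.as_bytes()
```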

2. Be skeptical of any emails you receive that you were not expecting.
If anything in an email seems at all off-kilter, you ought to be  
suspicious. For instance, why would Facebook send you a new password  
rather than allow you to change it yourself? And did you actually ship  
something using DHL recently?

3. Trust your spam filter.
If an email ended up in your spam/junk folder, you can assume it's  
really junk. About 8% of users who received the fake Facebook message  
pulled it out of their junk folder to open it. Set your filters up so  
that legitimate emails do not end up there by adding their senders to  
your good senders list.

4. Using a business computer for personal use might be dangerous.
Chances are, if you keep a computer solely for business use and do not  
visit web sites or receive emails for personal use on that computer,  
the computer has a better chance of not becoming infected with a  
virus, especially as more and more attacks target Facebook and other  
social networking sites. However, this will complicate matters for  
those who use social networking for work.

These latest attacks in the news:

<http://www.computerworld.com/s/article/9140058/Massive_bot_attack_spoofs_Facebook_password_messages>

<http://www.securitymanagement.com/news/two-new-fraudulent-e-mails-pose-facebook-and-federal-deposit-insurance-corporation-006378>

<http://www.computerworld.com.au/article/324082/symantec_threat_bulletin_-_28_october_2009>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security