Tuesday, January 29, 2008

Beware of Spoofing, Phishing and Link Altering


A growing rank of Internet crooks are now using new tricks called "phishing" and "spoofing" to steal your identity. Bogus e-mails that attempt to trick customers into giving out personal information are the hottest new scam on the Internet.

"Spoofing" or "phishing" frauds attempt to make internet users believe that they are receiving e-mail from a specific, trusted source, or that they are securely connected to a trusted web site, when that is not the case. Spoofing is generally used to convince individuals to divulge personal or financial information, which enables the perpetrators to commit credit card or bank fraud or other forms of identity theft.

In "email spoofing" the header of an e-mail appears to originate from someone or somewhere other than the actual source. Spam distributors often use email spoofing in an attempt to get their recipients to open the message and possibly even respond to their solicitations.

"IP spoofing" is a technique used to gain unauthorized access to computers. In this instance the unscrupulous intruder sends a message to a computer with an IP address indicating that the message is coming from a trusted source.

"Link alteration" involves altering the return internet address of a web page that's emailed to a consumer in order to redirect the recipient to a hacker's site rather than the legitimate site. This is accomplished by adding the hacker's IP address before the actual address in an e-mail which has a request going back to the original site.

If an individual unsuspectingly receives a spoofed e-mail and proceeds to "click here to update" account information, for example, and is redirected to a site that looks exactly like a commercial site such as eBay or PayPal, there is a good chance that the individual will follow through in submitting personal and/or credit information. And that's exactly what the hacker is counting on.

How to Protect Yourself
1. If you need to update your information online, use the same procedure you've used before, or open a new browser window and type in the website address of the legitimate company's page.
2. If a website's address is unfamiliar, it's probably not authentic. Only use the address that you've used before, or better yet, start at the normal homepage.
3. Most companies require you to log in to a secure site. Look for the lock at the bottom of your browser and "https" in front of the website address.
4. If you encounter an unsolicited e-mail that asks, either directly or through a web site, for personal financial or identity information, such as a Social Security number, passwords, or other identifiers, exercise extreme caution.
5. Take note of the header address on the web site. Most legitimate sites will have a relatively short internet address that usually depicts the business name followed by ".com," or possibly ".org." Spoof sites are more likely to have an excessively long string of characters in the header, with the legitimate business name somewhere in the string, or possibly not at all.
6. If you have any doubts about an e-mail or website, contact the legitimate company directly. Make a copy of the questionable web site's URL address, send it to the legitimate business and ask if the request is authentic.
7. Always report fraudulent or suspicious e-mail to your ISP.
8. Lastly, if you've been victimized, you should file a complaint with the FBI's Internet Crime Complaint Center at http://www.ic3.gov.
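
The address checks from tips 3 and 5, and the "link alteration" trick described earlier, can be automated for links copied out of an e-mail. The following is an added example, not part of the original post; `check_link`, `TRUSTED_DOMAINS` and `MAX_URL_LENGTH` are hypothetical names and values chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions: the sites the reader really uses, and a length cut-off.
TRUSTED_DOMAINS = {"ebay.com", "paypal.com"}
MAX_URL_LENGTH = 75

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _is_trusted(host):
    # Exact match or a true subdomain; "paypal.com.other.example" fails.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_link(url):
    """Return warnings for a link copied from an e-mail (empty list = none)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["address cannot be parsed"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the host")
    if _is_ip(host):
        warnings.append("host is a raw IP address")
    if not _is_trusted(host):
        for brand in sorted(d.split(".")[0] for d in TRUSTED_DOMAINS):
            if brand in url.lower():
                warnings.append(f"'{brand}' appears, but the host is {host}")
    if len(url) > MAX_URL_LENGTH:
        warnings.append("excessively long address")
    return warnings

if __name__ == "__main__":
    # Constructed samples; 192.0.2.10 and .example are reserved for documentation.
    for link in ("https://www.paypal.com/signin",
                 "http://www.ebay.com@192.0.2.10/update",
                 "https://paypal.com.account-update.example/login"):
        print(link, "->", check_link(link) or "no warnings")
```

An empty result only means none of these specific signs were found; typing the company's address yourself, as in tip 1, remains the safer route.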
