technology.uaa.alaska.edu
TECHNOLOGY NEWS
 

Let's go Phishing?

Internet scams and hoaxes involving emails or viruses have been increasing at an alarming rate over the past few years. Identity thieves now have a new tool, called "phishing", to use against you.

Identity theft is a real threat that banks, corporations and our government are all taking very seriously. On July 15th, 2004, the Identity Theft Penalty Enhancement Act, H.R. 1731, was signed, increasing the punishments for people who are caught stealing someone else's identity. During the signing ceremony for this bill it was noted that in 2003 almost 10 million American identities were stolen, at a total cost of $50 billion to U.S. businesses. According to the Federal Trade Commission, the annual cost of identity theft for consumers is estimated to be $5 billion.

So, what is phishing? The website www.antiphishing.org in their February 2005 "Phishing Activity Trends Report" states:

"Phishing is a form of online identity theft that uses spoofed emails, fraudulent websites, and crimeware of various types to trick consumers into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince recipients to respond to them. As a result of these scams, an increasing number of consumers are suffering credit card fraud, identity theft, and financial loss."

The university community employs a system-wide spam filter in an attempt to reduce the number of fake emails reaching its users. This not only decreases the number of wasteful emails a person has to deal with, it also helps prevent phishing emails from reaching users. Because this system sits between the general internet and UAA's email servers, it works whether you know it is there or not. To access your spam filter settings for this system go to the website: aspam.uaa.alaska.edu

The Phishing Activity Trends Report goes on to state that the average monthly growth rate of phishing sites from July through February is 26%, and that from November 2004 to February 2005 Financial Services accounted for 74% to 86% of hijacked brands. Given these numbers, there is a high probability that your own bank has been targeted for a phishing scam.

For an example of phishing, consider this excerpt from a ComputerWorld article: "On Nov. 17, 2003, many eBay Inc. customers received e-mail notifications that their accounts had been compromised and were being restricted. In the message was a hyperlink to what appeared to be an eBay Web page where they could re-register. The top of the page looked just like eBay's home page and incorporated all the eBay internal links. To re-register, the customers were told, they had to provide credit card data, ATM personal identification numbers, Social Security number, date of birth and their mother's maiden name. The problem was, eBay hadn't sent the original e-mail, and the Web page didn't belong to eBay -- it was a prime example of phishing."

Pharming is a related threat: "Pharming attacks are similar to phishing identity theft attacks, but don't require a 'lure,' such as a Web link that victims must click on to be taken to the attack Website. In [one] attack, a rogue DNS server posed as the authoritative DNS server for the entire .com Web domain. Other DNS servers that were poisoned with this false information redirected all .com requests to the rogue server, which responded to all .com requests with one of two IP addresses. Web pages at those addresses displayed a search engine and an advertisement for a Web site, www.privacycash.com."

What this means is that anyone trying to go to any website ending with a ".com" was potentially vulnerable to being sent to a fake website.

What can you do to protect against it?

  The FTC, the nation’s consumer protection agency, suggests these tips to help you avoid getting hooked by a phishing scam:

    * If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don’t ask for this information via email. If you are concerned about your account, contact the organization in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address. In any case, don’t cut and paste the link in the message.

    * Don’t email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization’s Web site, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some phishers have forged security icons.

    * Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

    * Use anti-virus software and keep it up to date. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.

      A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It’s especially important to run a firewall if you have a broadband connection. Finally, your operating system (like Windows or Linux) may offer free software “patches” to close holes in the system that hackers or phishers could exploit.

UAA makes use of a system-wide firewall in an attempt to protect users from external attacks. However, this system does not make you invisible to the outside world, nor is it positioned to protect you from people already on the inside. Due to many of the unique needs and requirements of the UAA populace it would be detrimental to employ such a tactic. The good news is that Windows XP now includes a firewall built into the operating system to help protect you. It was included as a part of Service Pack 2, and while many people at UAA have already upgraded to Service Pack 2 we still find many who have not. For assistance in upgrading to Service Pack 2 call the UAA Call Center at 786-4646. Service Pack 2 is free and contains many fixes that will help protect you from viruses, worms and phishers.

    * Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.

    * Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov. If you believe you’ve been scammed, file your complaint at www.ftc.gov, and then visit the FTC’s Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit www.ftc.gov/spam to learn other ways to avoid email scams and deal with deceptive spam.

Another thing to watch for according to a ComputerWorld article:

"If the e-mail refers you to a Web site, look carefully at the URL. It's easy to disguise a link to a site. Beware of the @ symbol in a URL. Most browsers will ignore all characters preceding the @ symbol, so this Web address -- http://www.respectedcompany.com@thisisascam.com -- may look to the unsuspecting user like a page of Respected Company's site. But it actually takes visitors to thisisascam.com. The longer the URL, the easier it is to conceal the true destination address. Other ways to disguise URLs include substituting similar-looking characters, so that paypal.com could be (and has been) spoofed as paypaI.com or paypa1.com. Similarly, a zero can be substituted for the letter O within a URL."
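The two disguises described in the quote above can be checked mechanically. The following is an added example, not part of the original article or of the ComputerWorld piece: it extracts the host a link really points to and flags look-alike spellings of a known site. The list of known domains, the function names and the "last two labels" shortcut are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed list of sites the reader really uses (assumption for this example).
KNOWN_DOMAINS = {"paypal.com", "ebay.com", "respectedcompany.com"}

# Look-alike substitutions named in the article: I or 1 for l, and 0 for o.
# Host names are case-insensitive, so a capital "I" arrives here as "i".
_FOLD = str.maketrans({"i": "l", "1": "l", "0": "o"})


def skeleton(domain: str) -> str:
    """Fold confusable characters so look-alike names compare equal."""
    return domain.lower().translate(_FOLD)


def real_host(url: str) -> str:
    """Host the browser will contact: the part of the authority after any '@'."""
    return urlsplit(url).hostname or ""


def check_link(url: str) -> list[str]:
    """Return warnings for a link copied out of an e-mail (empty list = none)."""
    warnings = []
    host = real_host(url)
    netloc = urlsplit(url).netloc
    if "@" in netloc:
        decoy = netloc.rsplit("@", 1)[0]
        warnings.append(f"'{decoy}' before '@' is ignored; link goes to {host}")
    # Simplification: treat the last two labels as the registered domain.
    site = ".".join(host.split(".")[-2:])
    if site not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if skeleton(site) == skeleton(known):
                warnings.append(f"{site} is a look-alike of {known}")
    return warnings


if __name__ == "__main__":
    # Sample links built from the article's examples; the last one is constructed.
    for link in ("http://www.respectedcompany.com@thisisascam.com",
                 "http://www.paypaI.com/login",
                 "http://paypa1.com/",
                 "https://www.paypal.com/"):
        print(link, "->", check_link(link) or "no warnings")
```

The folding table covers only the substitutions the quote mentions; a fuller check would use a complete confusables list and a public-suffix list to find the registered domain.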

If you become a victim of phishing...

According to the Federal Trade Commission (www.consumer.gov/idtheft) if you are concerned that your identity has been stolen then you need to take a few steps. First, place a fraud alert on your credit file by contacting the fraud department of one of the three major credit bureaus:

Equifax - www.equifax.com

Experian - www.experian.com

Trans Union - www.transunion.com

Second, you should close the accounts you are concerned have been compromised. Third, make sure to contact the police to file a report, and get a copy so you have proof of the crime. Finally, remember to file your complaint with the FTC. A database is maintained for law enforcement agencies so that in the course of investigations they can connect all the dots and help stop identity thieves faster.

Much of this article was gathered from the Federal Trade Commission's website, http://www.ftc.gov, as well as http://www.antiphishing.org. Portions have been quoted from http://www.pcworld.com/resource/article/0,aid,120268,pg,1,RSS,RSS,00.asp and from http://www.computerworld.com/securitytopics/security/story/0,10801,89096,00.html



© Copyright 2005, University of Alaska Anchorage
3211 Providence Drive • Anchorage, Alaska • 99508
(907) 786-4646 or Toll Free (877) 633-3888
callcenter@uaa.alaska.edu