President's Corner: Buzz Words
by Bill James,
President OKCPCUG June 2004
There seems to be no end to the buzz words associated with the Internet. Last month I discovered 'malware'; this month I came across a new one, or at least it is new to me: phishing (pronounced like 'fishing'). What is phishing, you ask? Phishing is the use of spoofed e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, Social Security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.
You may not even be aware that you are on a bogus site. These sites look genuine, and you can see from the statistic above that they do victimize some folks. I use my computer for bill paying and other online services, so I am careful to make sure that I am on a real site. But I have received e-mails asking me to verify my account information, and these are the ones you should be concerned about. Here are some tips I found in Brian's Buzz on Windows (Brian Livingston, editor of Briansbuzz.com) on what to look for, and what could help you if you are unsure whether the site you are on is authentic. In this instance the reader's Hosts file had been compromised. The Hosts file is a component of the Windows operating system. It is a standard Windows file (it has no extension) that maps a name to the address of a remote computer, on the Internet or on a local network, as an alternative to looking the name up through a domain name server (DNS). Windows consults it before asking DNS, so an entry placed there silently overrides the real address. A detailed explanation can be found here: More info. But here is what you need to know if you are on a suspect site. The writer found to his horror that his Hosts file had been quietly corrupted in an attempt to phish for his password at a site called E-gold. This is an e-commerce service that, according to a Wired.com article, is a legitimate way for individuals to send each other payments in shares of gold bullion.
Please read this important cautionary tale:
"The article on hijacking the address bar really caught my interest, because I was the near-victim of such a thing just a couple of months ago. However, my experience was slightly different: The hijacker somehow altered my Hosts file to redirect requests for www.e-gold.com to a fake e-gold site at his own IP address.
"I never fall for the normal kinds of phishing e-mails. But this
scam was so smoothly executed that I actually had my password typed into the
password box at the fake site. All that was left was to click 'Log in.' But, a
few things made me uncomfortable enough to contact e-gold first, and I was
glad I did!
"The 'clues' I noticed were several. First of all, I was getting numerous
'page not found' errors while clicking around the fake site. Some pages were
there, some weren't. That seemed strange for a professionally run site.
"The fake site actually did have an SSL certificate — but I got an IE warning
that the name on the certificate did not match the name of the site. Another
red flag. And, when logging into e-gold, your account number is automatically
filled in for you, via a cookie. When I attempted to log into the fake site, I
had to fill in the account number myself.
"All very subtle 'weirdness,' however. And only because I am very
paranoid and very aware of scams did I hesitate — and only then,
at the very last second. I'm convinced that most 'normal' users would have
just clicked right through. 'Oh, e-gold is having a bit of a problem today—'
"I am still not sure how the culprits could have edited my Hosts file. I had
received an e-mail earlier that day, apparently from someone at a gold-related
message board I belong to, warning of a 'financial problem' with e-gold and
containing a link to a 'news article' on the subject. I was curious, so I
clicked the link. The 'article' did not seem convincing, so I wrote it off as
a crank e-mail, deleted the mail, and forgot all about the Web site. A few
hours later, however, when attempting to log into my e-gold account, the
weirdness began.
"So, unfortunately, I was not able to examine any code or see exactly how
altering my Hosts file was accomplished. But I am convinced that it was this
particular e-mail/Web site that did it.
"E-gold customer support told me immediately that it sounded like I was
accessing a fake site, and that I should check my Hosts file — and sure
enough, as soon as I looked, there it was.
"This exploit scared the dickens out of me — because it appears to me that, if
the Hosts file is altered without one's knowledge, then even the most secure
system and most paranoid person is susceptible to this. The address bar shows
'http://www.e-gold.com,' but you are actually accessing '255.255.255.255'
[some anonymous hacker site obscured by the dotted-decimal format].
"Are there any virus- or integrity-checkers that guard the Hosts file? I think
not.
"My solution was to make my Hosts file read-only. I also now have a shortcut on my desktop and check the Hosts file every time I am going to a financial site (PayPal, e-gold, etc.). But are normal users going to do this? Have you ever heard of an exploit of this type?"
But Brian Livingston states in his article, and I quote,
“that marking the Hosts file as read-only is not an effective way to prevent
this file from being hijacked by malware. Yes, this might prevent the current
version of the worm from writing to the file. But it's not difficult to develop
a worm that can remove the read-only flag, change the Hosts file, then mark the
file as read-only again so you wouldn't notice that the status had ever changed.
A better form of protection is to use a major antivirus program and configure it
to update its antivirus signatures automatically and as frequently as possible.”
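The Hosts file check the reader describes, and the integrity checking he asks about, worked through as an added example (this is not code from the column or from Brian's Buzz): a Python script that parses a Windows Hosts file, flags any entry that overrides a public hostname, and compares the file's hash against a known-good baseline, which still catches a change when malware clears and restores the read-only flag the way Livingston describes. The sample Hosts content, the watch-list of financial domains and the 203.0.113.5 address (a documentation-range placeholder standing in for the attacker's IP) are all constructed for this example.

```python
import hashlib
import ipaddress
from pathlib import Path

# Constructed sample of a Windows Hosts file after a hijack of the kind the
# reader describes. 203.0.113.5 is a documentation-range placeholder, not a
# real attacker address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.5     www.e-gold.com e-gold.com   # injected by malware
"""

# Location of the Hosts file on Windows NT-family systems.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Assumed watch-list: financial domains a home PC should never override.
WATCH_DOMAINS = {"www.e-gold.com", "e-gold.com", "www.paypal.com", "paypal.com"}

# Names that legitimately live in Hosts and point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(line_no, ip, [hostnames...])] for every non-comment entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, then whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; Windows ignores these too
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _is_local_address(ip_text):
    """True for loopback/unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an address at all, treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_suspicious(entries, watch_domains=WATCH_DOMAINS):
    """Flag entries that steer a public hostname somewhere other than loopback."""
    findings = []
    for line_no, ip, hosts in entries:
        for host in hosts:
            if host in watch_domains:
                findings.append((line_no, host, ip, "watched financial domain overridden"))
            elif not _is_local_address(ip) and host not in LOCAL_NAMES:
                findings.append((line_no, host, ip, "public name mapped to non-loopback address"))
    return findings


def fingerprint(text):
    """SHA-256 of the file content; record this from a known-clean copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit(text, baseline_hash=None):
    """Content checks plus a hash comparison that ignores the read-only flag."""
    report = {
        "findings": find_suspicious(parse_hosts(text)),
        "hash": fingerprint(text),
        "changed_since_baseline": None,
    }
    if baseline_hash is not None:
        report["changed_since_baseline"] = report["hash"] != baseline_hash
    return report


def audit_file(path=WINDOWS_HOSTS, baseline_hash=None):
    """Audit a Hosts file on disk (run on the Windows box being checked)."""
    return audit(Path(path).read_text(encoding="utf-8", errors="replace"), baseline_hash)


if __name__ == "__main__":
    clean_baseline = fingerprint("127.0.0.1 localhost\n")  # pretend clean copy
    result = audit(SAMPLE_HOSTS, clean_baseline)
    for line_no, host, ip, reason in result["findings"]:
        print(f"line {line_no}: {host} -> {ip} ({reason})")
    print("changed since baseline:", result["changed_since_baseline"])
```

To use it on a real machine, record fingerprint() of the Hosts file while it is known to be clean, then call audit_file(baseline_hash=...) before logging into a financial site; a changed hash is the signal even when the file still shows as read-only. Corporate PCs often carry legitimate intranet entries, so add those names to LOCAL_NAMES or an allow-list rather than treating every finding as an attack.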
You cannot be too careful. Again, keep current with your security patches from Microsoft and with up-to-date anti-virus definitions.

Bill James is President of the OKC PC Users Group. Bill
can be reached at
james@qns.com