
A shorter, edited version of this article originally appeared in NOW Magazine's November 25, 2004 issue. It can be accessed at www.nowtoronto.com/issues/2004-11-25/goods_next.php
Phishing Evolves in a Scary Way

Malevolent geniuses are trying to steal from us through the Internet. They're devious little Lex Luthors planning theft and fraud on a massive scale, and their primary strategy is to go Phishing.

Phishing scams have been around for years. They're official-looking but fake e-mails and websites designed to lure you into revealing personal financial information or the keys to access that information (a login name and password). They appear to come from a trusted source (your bank, PayPal, eBay, etc.) and tend to use a logical call-to-action that is hard to resist.

In June, during the two-week-long hemorrhaging of RBC's national IT infrastructure due to some bad code and an even worse code-review process, a "Dear RBC Royal Bank Customer" e-mail started arriving in in-boxes. It looked like an official request asking for card numbers & passwords in order to verify customers' standing due to "increased fraudulent activity." If people didn't follow through, said the e-mail, their "account will not be verified and your access to the account will be blocked."

When a person clicked a link in the e-mail, they were directed to a slickly-designed website (complete with RBC corporate branding) where they were asked to enter their account information. It all appeared legitimate until a close look revealed the URL wasn't quite right.

A properly-skeptical, jaded and distrusting 21st century Internet user would obviously recognize this e-mail as stinking like dog feces in Parkdale on an August afternoon, but some people didn't. Instead, they ended up among the rapidly-growing number of phishing scam victims who should have known better than to trust their e-mail.

The Anti-Phishing Working Group announced last week that they received 6,597 new, unique phishing email messages in October. This was more than three times the number of reports received in August (2,158) and shows a 45% monthly growth in the variety of scams. When you factor in that each unique message is sent to millions of people, the quantity of phishing scam e-mail in circulation is staggering.

Just like the ubiquitous Viagra, Cialis and penis-enlargement product spam, these phishing scams wouldn't exist if they weren't profitable.

The message you need to hear clearly and bluntly is: DO NOT TRUST YOUR E-MAIL! If you receive an unsolicited e-mail request asking you to verify personal information by clicking a link, don't do it. If you're tempted, ask a friend to put on some boots and kick you in the genitals instead as it will likely hurt less in the long run than being a victim of identity theft or financial fraud.

Being aware of phishing scams is becoming more important lately due to their increasing level of sophistication. This isn't just in respect to their timing and manipulative nature, but also to their technical virulence.

Some scams emerging in Brazil during the last few weeks are particularly frightening.

The cryptically-named JS/QHosts21 scam is a "blended threat" (hybrid virus/phishing scam) that was discovered by antivirus vendor Sophos PLC. It arrives in an HTML e-mail that takes advantage of security holes in Microsoft Windows to install a Trojan horse that changes your Hosts file (a plain-text file that Windows checks before asking DNS whenever your web browser needs the IP address for the hostname in a URL you request).

By entering their own IP address into your Hosts file and associating it with the domain name of a bank site, the phishers can transparently (to you) redirect your web browser to their own website (made to look like the bank site) when you attempt to reach the real bank site. Then, when you try to log in, the phisher has your username and password and you, as the l33t-speakers might say, have been own3d.
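The redirection described above leaves a concrete footprint: a bank hostname pinned to a non-local IP address in the Hosts file. As an added illustration (this is not code from the article or from Sophos), the following Python check parses a Hosts file and flags any watched domain that is mapped to anything other than loopback. The file contents, the `example-bank.com` domain names and the 203.0.113.45 address are constructed placeholders; the `HOSTS_PATH` is the standard Windows location.

```python
import ipaddress
import os

# Constructed sample of a tampered Windows Hosts file (illustration only).
# The two bank entries at the bottom are what a JS/QHosts21-style Trojan
# would add so the browser never asks DNS for the real bank address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# lines below are the constructed Trojan additions
203.0.113.45    online.example-bank.com
203.0.113.45    www.example-bank.com   example-bank.com
"""

# Hypothetical list of domains the user actually banks or pays with.
WATCHED_DOMAINS = ["example-bank.com", "example-pay.com"]

# Standard Windows Hosts file location (Unix systems use /etc/hosts).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip, hostname) pairs from Hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, ignore it
        for host in fields[1:]:               # one IP may carry many names
            yield ip, host.lower()


def is_watched(hostname, watched):
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip_string)] for watched domains pinned to a
    non-local address. A legitimate Hosts file has no reason to carry a
    public bank site at all, so anything but loopback is a redirection."""
    hits = []
    for ip, host in parse_hosts(text):
        if not is_watched(host, watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.append((host, str(ip)))
    return hits


def audit_system_hosts(path=HOSTS_PATH, watched=WATCHED_DOMAINS):
    """Read the live Hosts file (if present) and report hijacked entries."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked(fh.read(), watched)


if __name__ == "__main__":
    for host, ip in find_hijacked(SAMPLE_HOSTS):
        print(f"HIJACKED: {host} is pinned to {ip}")
    for host, ip in audit_system_hosts():
        print(f"LIVE SYSTEM: {host} is pinned to {ip}")
```

Run against the constructed sample it reports all three bank names; a clean file yields nothing. A scheduled run of `audit_system_hosts` (or simply hashing the file and alerting when the hash changes) catches this class of Trojan after the fact even when the antivirus missed the e-mail.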

Another of the Brazilian "blended threats" involves a Trojan horse that launches a keylogger which records every keystroke you make on your keyboard when you visit certain bank sites. This allows the evil people who live on the dark side of the Internet to get your log-in information when you visit a real bank site while you remain oblivious to being a victim until your life and financial well-being turn upside-down.

These are next-generation phishing scams that take advantage of successful virus-writing techniques. While good security settings would prevent Microsoft's undocumented software features (security holes) from being exploited and a good, current version of a security program (like Norton Antivirus or McAfee VirusScan) would easily filter out these e-mails from your in-box in the first place, this assumes that you aren't a security-unconscious nincompoop.

Now that you're being attacked from all sides by smart people who are trying to either manipulate you or your machine into giving up all your secrets, protect yourself. This doesn't just mean being aware of potential scams as well as installing and updating anti-virus software, anti-spyware programs, e-mail filters, and firewall programs. It also means regularly changing your passwords and pressuring your financial institutions to start issuing one-time-use passwords or other two-factor authentication methods (like an RSA key fob with a password that changes every thirty seconds). That way, if you are successfully phished, it won't matter because the password the phisher captured will already be useless.

The age of static usernames and passwords is dead and anyone who continues to depend on them will pay a heavy price.