
Monday, July 29, 2013

Protecting yourself from the phisher

Not a day goes by when you don't receive an odd email, tweet, or Facebook update from a friend or acquaintance imploring you to click a link to see a funny cat video or learn about a hot stock tip. Unless you have a very unusual set of friends, it is unlikely that these are legitimate messages. How does this happen? How can you protect yourself from becoming a victim and becoming a source of spam messages for your friends?


How does the bad guy hack my account?

Perhaps he blindly guessed your password. Historically, many people have had very weak passwords, but most services impose some strength checks on passwords these days. Or perhaps the service you were using was hacked and your password was released. If that was the case, you have either read about it in the news, or your service was required to notify you.

Be careful to not get hooked!
It is more likely that you were phished. The bad guy tricked you into clicking on a link that you thought was legitimate but in fact led to a site or software owned by the bad guy. This is primarily a social attack. The email or tweet appears to be from your friend or your bank. Either the message was spoofed (not really sent by the bank or friend), or your friend has already been hacked, and the attacker is using a legitimate account to send you a message.

In the past 5 years, phishing attacks have escalated to more directed attacks called spear phishing. A basic phishing attack is not directed at all. The attacker gets a bunch of email addresses and sends a generic message about a Bank of America account with no knowledge of whether the target has a Bank of America account or not. With spear phishing, the attacker knows something about you, so the message will be more personalized and believable. If the attacker knows you just applied for a loan with Citibank, he can send a message about your loan application, and you will be far more likely to open that link.

What happens when I click on a bad link?

It is possible that the item you are tricked into clicking on is an executable or an infected Word or PDF file. Perhaps it appears that your friend has sent you an MS Word document with the secrets of great riches. By opening that document, you are giving the bad guy the ability to execute code on your machine. That means he can install programs to use your machine later (e.g. to send spam to others) or to gather information from your machine (e.g. tracking your keystrokes to find other passwords and account numbers).

So never open documents, zip files, or executables sent to you when you are not expecting them. Legitimate companies do not send attachments. Most friends are not going to send you attachments either unless you are actively collaborating on something.

The link may just be to another web site. That can harm you in a couple of ways. The page may include some malicious JavaScript. JavaScript is limited in what it can do, but it can grab session tracking cookies and potentially take over an active session you have with your bank or credit card company. When accessing sensitive sites like your bank, you want to limit access within the same browser to other sites.

In the classic phishing attack, the link will take you to a web page that looks like the real login page for your bank. So you enter your username and password. The bad guy stores that away, logs in for you, and redirects you to the real bank site. Now the bad guy has your username and password to log in to your account at his convenience. In the case of social media sites, the bad guy may log in as you to propagate the attack to your friends.

While having the bad guy get access to your Facebook or Twitter account may be embarrassing, it could be worse. Many people use the same password everywhere, and the bad guy knows that. He will be trying more interesting services like banks and credit card sites with the social media login information.

How do I protect myself?

Always be cautious when clicking on links from emails, tweets and Facebook. Most email, Twitter, Facebook, etc. clients will show the actual link as a pop-up or at the bottom of the page. Many messages are now formatted to show user-friendly names for links. So while the email says "Bank of America Login", the link may well be http://hackmenow.com instead of http://www.bankofamerica.com.
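The "friendly name versus actual link" mismatch described above can be checked mechanically. The following is an added example (not code from the original post) that pulls each link out of a constructed sample email, compares the site named in the visible text, or the brand it mentions, against the host the `href` really points to, and reports the mismatches. The sample email text, the `BRANDS` list and the regex-based HTML extraction are assumptions made for the example; a mail client would use a real HTML parser and the Public Suffix List.

```javascript
// Added example: flag links whose visible text suggests one site while the
// href points somewhere else. Sample data below is constructed.

// Pull (href, visible text) pairs out of a simple HTML fragment.
// A regex is enough for the constructed sample; real code would use a DOM parser.
function extractLinks(html) {
  const links = [];
  const re = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
  let m;
  while ((m = re.exec(html)) !== null) {
    // Strip any nested tags so only the text the reader sees remains.
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}

// Crude registrable domain: the last two labels. Fine for sample data;
// production code would consult the Public Suffix List.
function baseDomain(host) {
  return host.toLowerCase().split(".").filter(Boolean).slice(-2).join(".");
}

// If the visible text looks like a URL or a bare domain, return the host it names.
function hostFromText(text) {
  const m = text.match(/(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#]|$)/i);
  return m ? m[1] : null;
}

// Brands the user actually has a relationship with (assumed list for the example).
const BRANDS = [{ name: "Bank of America", domain: "bankofamerica.com" }];

// Returns one finding per suspicious link. A link is suspicious when the
// visible text names a domain that differs from the href's domain, or when the
// text mentions a known brand but the href does not go to that brand's domain.
function findSuspiciousLinks(html, brands) {
  const findings = [];
  for (const { href, text } of extractLinks(html)) {
    let hrefHost;
    try {
      hrefHost = new URL(href).hostname;
    } catch {
      findings.push({ href, text, reason: "unparseable href" });
      continue;
    }
    const textHost = hostFromText(text);
    if (textHost && baseDomain(textHost) !== baseDomain(hrefHost)) {
      findings.push({ href, text, reason: `text names ${textHost}, link goes to ${hrefHost}` });
      continue;
    }
    const brand = brands.find((b) => text.toLowerCase().includes(b.name.toLowerCase()));
    if (brand && baseDomain(hrefHost) !== brand.domain) {
      findings.push({ href, text, reason: `mentions ${brand.name}, link goes to ${hrefHost}` });
    }
  }
  return findings;
}

// Constructed sample message: one brand-name lure, one honest link, one
// link whose visible URL does not match its destination.
const SAMPLE_EMAIL = `
<p>Please verify your account:</p>
<a href="http://hackmenow.com/login">Bank of America Login</a><br>
<a href="http://www.bankofamerica.com/">www.bankofamerica.com</a><br>
<a href="http://evil.example/x">http://www.bankofamerica.com/secure</a>
`;

for (const f of findSuspiciousLinks(SAMPLE_EMAIL, BRANDS)) {
  console.log(`SUSPICIOUS: "${f.text}" -> ${f.href} (${f.reason})`);
}
```

Run with `node` and the two lures are reported while the honest link is not. The brand list is the important input: a mismatch is only meaningful relative to the companies you actually deal with, which is the same question the next paragraph asks you to put to yourself.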

The Wombat Security Technologies group from Carnegie Mellon University has a game called Anti-Phishing Phil which trains you to identify untrustworthy links. Check out the demo version.

Be skeptical about whether an attractive email is legitimate. Do you have a relationship with the company in question? If Bank of America sends you an email saying they owe you $10,000, it is probably not legitimate, particularly if you don't have an account with Bank of America. Or your Aunt Matilda is probably not going to be sending you links with opportunities to get rich via a hot stock tip.

Do not share passwords between services. At the very least, do not share passwords between services that have less critical information (e.g. Facebook) and those that have critical information (e.g., your bank). Getting hacked on Facebook is embarrassing. Getting hacked on your bank site can be bad for your financial future.

I clicked on an unsavory link. What should I do now?

The attacks are getting better and more sophisticated. It is likely that at some point you will be tricked into entering your Facebook account information first thing in the morning. What do you do now?

If you downloaded and opened or executed a file (e.g. a pdf, exe, doc, or zip file), run a deep virus scan on your computer. If the scan doesn't reveal anything, don't be too relieved. If it is a new attack, it may not yet be characterized by the scanners. You may want to take your computer to a local computer service company to perform a deeper analysis. Do the scan even if you are running an Apple device. While Windows devices have the bad reputation, Apple devices are also vulnerable to attack, particularly if you execute the program for the attacker.

If you entered your password into a bogus site, change your password now. If you use the same password on other sites, change your passwords there as well. Don't wait for folks to tell you that you are sending odd emails. Do it now!

If your friends start reporting getting odd emails or tweets from you, assume you have been hacked and didn't realize it. Change your passwords for the service sending the odd messages and for any other services that share that password.

Good luck out there! A little vigilance will keep you safe in your Internet travels.