TELECOM Digest OnLine - Sorted: New Twist on 'Phishing' Scam - 'Pharming'


New Twist on 'Phishing' Scam - 'Pharming'


Lisa Minter (lisa_minter2001@yahoo.com)
Thu, 5 May 2005 12:42:06 -0400

http://www.csmonitor.com/2005/0505/p13s01-stin.html

by Gregory M. Lamb Staff writer of The Christian Science Monitor

"The pharmers are coming! The pharmers are coming!" Hang warning
lanterns all over the Internet: It's under attack by a new scam.

For two years users have been hearing about "phishing," the sending of
bogus e-mails -- allegedly from a bank or other online business -- by
criminals who hope to hook the unwary. Those who bite by clicking on a
hyperlink in the e-mail are shipped off to a phony but authentic-
looking website and asked to enter sensitive information. If they type
in their passwords or account numbers, thieves have that data.

Now phishers have been joined by "pharmers," who have made the ruse
more sophisticated by planting a seed of malicious software in the
user's own computer -- or poisoning servers that direct traffic on the
Internet. The result: Even if you type in the correct address of a
website, the software can send you to a bogus one.

"It's a rapidly growing threat, and one we've been seeing a lot more
discussion about" among Internet security experts and people in the
banking industry, says Lance Cottrell, founder and president of
Anonymizer Inc. in San Diego, an Internet privacy and security firm.
Phishing attacks "rely on some gullibility of and participation by the
victims," Mr. Cottrell says, since they must be persuaded to click on a
link within the e-mail. But not clicking on such links "is no
protection against a pharming attack."

Here's how the scam works. The thieves rely on the fact that the word
address you use, such as www.my-bank.com, is connected to a distinct
numerical address, like a browser to the right website. Pharming
replaces the number with a fraudulent one, sending you to a criminal
site instead of the real one.

Besides keeping antivirus and antispyware programming up to date on
their PC, users have few other ways to defend themselves from pharming.

But any website that is conducting financial transactions should be
able to maintain a secure website, Internet security experts say. The
corner of the browser should display a padlock symbol, and the address
in the address bar should begin with "https," not simply "http."

Are you being scammed?

To determine if you're at the real site, click on the lock symbol and
make sure it displays the address you are expecting to be at, says
Mikko Hyppoenen, chief research officer of F-Secure, an Internet
security company in Helsinki, Finland.

But another kind of pharming, sometimes called "domain spoofing,"
"domain poisoning," or "cache poisoning," attacks the servers that
route traffic around the Internet. These so-called domain name system
(DNS) servers also link the word address to its underlying numerical
address.

To corrupt a DNS "takes significantly more expertise, more access"
than attacking PCs, says Peter Cassidy, secretary-general of the
Anti-Phishing Working Group, which has offices in Cambridge, Mass.,
and Menlo Park, Calif. That's why thieves first will try to get into
individual computers.

"They're the low-hanging fruit," he says. But "they'll try anything
that works." Some servers are hard to crack, he says, but others don't
keep their defenses up-to-date.

Unlike the traditional landline telephone system, which was built from
the outset to be a commercial enterprise, the Internet was designed to
make sharing of information between scholars and researchers fast and
easy, not for secure financial transactions.

"It was built in a laboratory by guys who knew each other and married
each other's sisters," Mr. Cassidy says. Now new layers of security
continually must be added, as criminals probe for weak points.

Spreading fraud

The Anti-Phishing Working Group reports that the number of new
phishing messages rose by an average 38 percent per month in the last
six months of 2004.

And pharming was one of the top five Internet scams in March 2005,
says a recent report from the National Cyber-Forensics & Training
Alliance, a nonprofit arm of the Direct Marketing Association.
Internet fraud in general, which includes phishing and pharming, cost
merchants $2.6 billion in 2004, $700 million more than in 2003,
according to CyberSource Corp., which processes Internet financial
transactions.

While Cassidy has seen some disturbing pharming attack reports from
Britain, "we haven't seen it taking over the universe," he says. "We
have seen significant attacks, but not rapid proliferation, partly
because it does take a little more expertise."

One pharming technique is to flood the DNS server with messages to
trick it into saving false information that will send users to a phony
website, Cottrell says. "Then in many cases [the criminals] try to
bounce you back to the real bank's website, so that you're not aware
that anything has happened."

Phishers and pharmers set up their fake websites for only a few days or
even a few hours, then move on before they can be found out.

Cottrell's company, Anonymizer, runs all its clients' Internet traffic
through its own secure DNS servers, which he says can protect clients
from pharming.

Keyboard trouble:

But even if crooks can't get at your PC or the DNS server, they can
always hope that you just can't spell.

Early last week, F-Secure discovered that a malicious website had been
set up at www.googkle.com, just one keystroke away from the famous
www.google.com site. Users who accidentally went to the site using the
popular Internet Explorer browser immediately were inundated with
spyware, adware, and other malicious software that tried to secretly
load itself onto their PCs.

By the end of last week, the site had disappeared. But Mr. Hyppoenen
still warns people not to try to visit it out of curiosity. "These
things sometimes pop up again," he says.

The technique isn't new. Similar attack sites have been created just a
slip of the finger away from sites such as CNN.com, AOL.com, and
MSN.com, Hyppoenen says.

The people behind the malicious sites can be anywhere from South Korea
to Brazil to Russia. The PC operating the site could be "somebody's
grandmother's computer in Canada" being remotely controlled without
her knowledge, he adds.

Gone 'phishing':

"Phishing" means sending out official-looking e-mails to tempt users
to visit a bogus website and type in personal or financial data. Here
are key points from a March report:

* Since July 2004, the number of websites linked to the scam rose an
average 28 percent a month.

* The United States hosted a third of the phishing sites -- more than
any other nation -- followed by China (12 percent) and South Korea (9
percent).

* Financial services are the most frequent target, with 4 of 5 phishers
appropriating the brand of a bank or some other financial institution.

* Such sites only last an average 5.8 days before they're taken down.

* A new version of the scam -- "pharming" -- plants malicious software on
PCs to direct users to bogus sites.

Source: Anti-Phishing Working Group

Copyright 2005 The Christian Science Monitor.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. Read the Christian Science Monitor on line here each
day also: http://telecom-digest.org/td-extra/nytimes.html (then scan
the far right column).

*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, The Christian Science Publishing Society.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
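
The "Keyboard trouble" part of the article above describes lookalike sites a single keystroke away from a well-known name (www.googkle.com versus www.google.com). The sketch below is an added example, not part of the original post or the article: a defender's check that flags observed hostnames one edit away from names on a protected list. The protected names are taken from the article; the observed list, including the my-bank.com variants, is constructed sample input and says nothing about any real site.

```python
"""Flag hostnames that are one keystroke away from a protected domain."""

# Protected names come from the article; OBSERVED is constructed sample input.
PROTECTED = ["google.com", "cnn.com", "aol.com", "msn.com", "my-bank.com"]
OBSERVED = ["www.googkle.com", "www.google.com", "my-bnak.com",
            "WWW.MY-BANK.COM.", "my-banc.com", "www.example.org"]


def normalize(host):
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def one_keystroke_apart(a, b):
    """True if a differs from b by exactly one insertion, deletion,
    substitution or swap of two neighbouring characters."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0  # length of the common prefix
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        if a[i + 1:] == b[i + 1:]:          # one wrong key
            return True
        return (i + 1 < len(a) and a[i] == b[i + 1] and a[i + 1] == b[i]
                and a[i + 2:] == b[i + 2:])  # two keys hit in the wrong order
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return short[i:] == long_[i + 1:]        # one extra or one missing key


def find_lookalikes(observed, protected=PROTECTED):
    """Return sorted (observed_host, protected_domain) pairs to review."""
    hits = set()
    for raw in observed:
        host = normalize(raw)
        if host in protected:
            continue  # exact match: the name itself is the expected one
        for good in protected:
            if one_keystroke_apart(host, good):
                hits.add((host, good))
    return sorted(hits)


if __name__ == "__main__":
    for host, good in find_lookalikes(OBSERVED):
        print(f"review: {host} resembles {good}")
```

A match only says the name is close to a protected one; it is a prompt for review, since unrelated legitimate sites can also sit one character apart.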

Date: Thu, 5 May 2005 12:44:10 -0400
From: Lisa Minter <lisa_minter2001@yahoo.com>
Newsgroups: comp.dcom.telecom
Subject: Who Gets to See the E-mail of the Deceased?
Message-ID: <telecom24.198.2@telecom-digest.org>
Organization: TELECOM Digest
X-Telecom-Digest: Volume 24, Issue 198, Message 2 of 18

http://www.csmonitor.com/2005/0502/p12s02-usju.html

by Susan Llewelyn Leach Staff writer of The Christian Science Monitor

It's an old story with a heartbreaking twist. A young marine is
killed in the line of duty in Iraq and his parents, in their sorrow,
request all his belongings, including his correspondence -- in this
case, his e-mail.

The Internet company refuses to give out the marine's password, saying
that would violate its privacy rules. The parents go to court, causing
a storm of discussion on the Net and in the media.

This small episode involving Yahoo! and the parents of US marine Justin
Ellsworth raises new and tricky questions about the nature of e-mail.
Should it be treated as paper correspondence or as something new? And
how much access should relatives have to a record of the thoughts of a
loved one who has passed away, especially ones that can be as
extensive, intimate, -- and even embarrassing -- as in e-mail?

In this case, the probate judge ordered Yahoo! to hand over the
contents of the account. Yahoo obeyed the judge's instruction.

Many bloggers, of course, were horrified.

"We thought we had absolute privacy and now we have learned that after
our death, a family member could possibly wrangle access to [our]
personal space," one blogger lamented on drudge.com.

"If the soldier had wanted his family to read his e-mail, then he would
have CC'd or BCC'd them," another wrote.

Yet many legal experts say Yahoo! acted correctly. It denied the
family's informal request and only yielded under court order. "I would
hope that the Yahoo! position here would become a trade practice -- that
e-mail would only be released if a judge approved it," says Gerald
Ferrera, executive director of the Cyberlaw Center at Bentley College
in Waltham, Mass.

For Yahoo!'s part, the company says it still stands behind its
commitment to treat each user's e-mail as private and
confidential. "We are pleased that the court has issued an order
resolving this matter ... and allowing Yahoo! to continue upholding
our privacy commitment to our users," says Yahoo! spokeswoman Mary
Osako.

But from a legal point of view, e-mail's status is not clear cut. Even
the experts can't agree. One law professor describes it as "a property
interest," but not intellectual property. Another lecturer on law says
absolutely it is intellectual property and is covered by copyright
laws.

What makes these legal distinctions more critical is the growing volume
of e-mail -- and with it rising privacy issues. Free e-mail accounts --
some with storage capacities up to 250 MB -- allow people to pile up
digital photos, documents, and volumes of correspondence without a
second's thought. Few people are thinking through the ramifications,
says Alan Chappell, a privacy and data-collection consultant.

For instance, "You might have a situation where someone is carrying on
an affair and doesn't want his family to know about it if he should
die," says Henry Perritt, dean of Chicago-Kent College of Law at the
Illinois Institute of Technology. Or a confidential exchange of
e-mails might never be meant for a third party's eyes.

The legal solution, Professor Perritt says, is to write a will and
bequeath the e-mail to a trustee who is instructed to destroy
it. "That would leave no doubt in the service provider's mind about
what's supposed to happen," he says, "and it would keep it away from
your family."

But that takes considerable forethought.

Most people leave their privacy in the hands of e-mail providers,
rarely reading through the terms of service and privacy policy before
clicking the "I agree" box. Yahoo! states that its accounts are
nontransferable and that "rights to the Yahoo! I.D. and contents
within the account terminate upon death." Destroying the data once the
contract ends simplifies life for Internet service providers (ISPs),
says Mr. Chappell.

That gatekeeper role of ISPs and the amount of responsibility they
should have in retaining information are among the constant
battlegrounds in Internet law, says John Palfrey, executive director
of the Berkman Center for Internet and Society at Harvard Law
School. For reasons of cost, ISPs are reluctant to keep data
indefinitely and then turn it over at a moment's notice, says
Mr. Palfrey.

Another area of contention in cyberlaw is whether contracts override
other rights such as copyright law, Palfrey adds. The tension here is
between a strict legal construction of the contract, he says, "versus
an equity or fairness analysis which would say, 'We've put a lot of
our personhood and identity into the information we're putting online
and it doesn't much matter what this contract says.' "

"In e-mail," he says, "your identity is wrapped up in it in a way that
your identity is not wrapped up in your car or some other tangible
object."

Copyright 2005 The Christian Science Monitor.

For a free sample copy of the print edition of the Monitor:
http://www.csmonitor.com/aboutus/sample_issue.html

