6. Avoiding Phishing Scams
Phishing refers to creating a replica of an existing web page to fool a user into submitting personal, financial, or password data. The term comes from the fact that Internet scammers are using increasingly sophisticated lures as they “fish” for users’ financial information and password data. The most common ploy is to copy the web page code from a major site—such as AOL or eBay—and use it to set up a replica page that appears to be part of the company’s site. (This is why another name for phishing is spoofing.) Phishers send out a fake email with a link to this page, which solicits the user’s credit card data or password. When a recipient submits the form, it sends the data to the scammer and leaves the user on an actual page from the company’s site so that he doesn’t suspect a thing.

A phishing page looks identical to a legitimate page from the company because the phisher has simply copied the underlying source code from the original page. However, no spoof page can be a perfect replica of the original. Here are five things to look for:
The URL in the address bar— A legitimate page will have the correct domain—such as aol.com or ebay.com—whereas a spoofed page will have only something similar—such as aol.whatever.com or blah.com/ebay.

Note
The URL in the address bar is usually the easiest way to tell whether a site is trustworthy. For this reason, Internet Explorer 8 makes it impossible to hide the address bar in almost all browser windows, even simple pop-ups.

The URLs associated with page links— Most links on the page probably point to legitimate pages on the original site. However, some links might point to pages on the phisher’s site.

The form-submittal address— Almost all spoof pages contain a form into which you’re supposed to type whatever sensitive data the phisher seeks from you. Select View, Source, and look at the value of the <form> tag’s action attribute—the form submits your data to this address. Clearly, if the form is not sending your data to the legitimate domain, you’re dealing with a phisher.

Text or images that aren’t associated with the trustworthy site— Many phishing sites are housed on free web hosting services. However, many of these services place an advertisement on each page, so look for an ad or other content from the hosting provider.

Internet Explorer’s lock icon in the status bar and Security Report area— A legitimate site would transmit sensitive financial data only using a secure HTTPS connection, which Internet Explorer indicates by placing a lock icon in the status bar and in the address bar’s new Security Report area. If you don’t see the lock icon on a page that asks for financial data, the page is almost certainly a spoof.
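The five checks above can be applied mechanically to a saved copy of a page. The Python script below is an added example, not code from the book or from Internet Explorer: it parses a constructed look-alike sign-in page, compares the address-bar domain, the form’s action target, and every link and image source against the domain you expect (aol.com here), and flags a page that is not served over HTTPS. The two-label “registrable domain” approximation, the sample URLs and the sample page are assumptions made for the example.

```python
# Added example: apply the five phishing checks to a saved HTML page.
# Not code from the book or from Internet Explorer; the sample page is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PageScanner(HTMLParser):
    """Collect form actions, link targets and embedded content sources."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.link_hrefs = []
        self.embedded_srcs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "a" and a.get("href"):
            self.link_hrefs.append(a["href"])
        elif tag in ("img", "iframe", "script") and a.get("src"):
            self.embedded_srcs.append(a["src"])


def registrable_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list,
    so co.uk-style suffixes are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_page(page_url, html, expected_domain):
    """Return the telltale signs found; an empty list means none fired."""
    findings = []
    page = urlparse(page_url)
    page_host = page.hostname or ""

    # 1. Address bar: a look-alike such as aol.whatever.com is not aol.com.
    if registrable_domain(page_host) != expected_domain:
        findings.append(f"address-bar domain {page_host!r} is not {expected_domain}")

    # 5. Sensitive data should only be requested over HTTPS.
    if page.scheme != "https":
        findings.append("page is not served over HTTPS")

    scanner = PageScanner()
    scanner.feed(html)

    # 3. The form's action attribute is where the typed data really goes.
    for action in scanner.form_actions:
        target = urlparse(urljoin(page_url, action))
        host = target.hostname or ""
        if registrable_domain(host) != expected_domain:
            findings.append(f"form submits to {host!r}")
        elif target.scheme != "https":
            findings.append(f"form submits over {target.scheme}, not https")

    # 2. Links that leave the legitimate domain.
    for href in scanner.link_hrefs:
        host = urlparse(urljoin(page_url, href)).hostname
        if host and registrable_domain(host) != expected_domain:
            findings.append(f"link points off-site to {host!r}")

    # 4. Content (ads, images) pulled in from another provider.
    for src in scanner.embedded_srcs:
        host = urlparse(urljoin(page_url, src)).hostname
        if host and registrable_domain(host) != expected_domain:
            findings.append(f"third-party content loaded from {host!r}")

    return findings


# Constructed look-alike page; the URL pattern is the one the text warns about.
SAMPLE_URL = "http://aol.whatever.com/signin"
SAMPLE_HTML = """<html><body>
<img src="http://ads.freehost-example.net/banner.gif">
<a href="https://www.aol.com/help">Help</a>
<form method="post" action="http://aol.whatever.com/collect.php">
  <input name="user"><input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
</body></html>"""

if __name__ == "__main__":
    for finding in check_page(SAMPLE_URL, SAMPLE_HTML, "aol.com"):
        print("WARNING:", finding)
```

Run against the constructed page it reports four findings (wrong address-bar domain, no HTTPS, form posting to the look-alike host, and an image from a hosting provider); a page on https://www.aol.com with a relative form action produces none. The link to the real aol.com help page is deliberately left unflagged, since, as the text notes, most links on a spoof page do point at the original site.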
If you watch for these things, you’ll probably never be fooled into giving up sensitive data to a phisher. However, it’s often not as easy as it sounds. For example, some phishers employ easily overlooked domain-spoofing tricks such as replacing the lowercase letter L with the number 1, or the uppercase letter O with the number 0. Still, phishing sites don’t fool most experienced users, so this isn’t a big problem for them.
Novice users, on the other hand, need all the help they can get. They tend to assume that if everything they see on the Web looks legitimate and trustworthy, it probably is. And even if they’re aware that scam sites exist, they don’t know how to check for telltale phishing signs. To help these users, Internet Explorer 8 comes with a tool called the SmartScreen Filter. This filter alerts you to potential phishing scams by doing two things each time you visit a site:

Analyzes the site content to look for known phishing techniques (that is, to see whether the site is phishy). The most common of these is a check for domain spoofing. This common scam also goes by the names homograph spoofing and the lookalike attack. Internet Explorer 8 also supports Internationalized Domain Names (IDN), which refers to domain names written in languages other than English, and it checks for IDN spoofing (domain name ambiguities in the user’s chosen browser language).

Checks a global database of known phishing sites to see whether it lists the site. This database is maintained by a network of providers, such as Cyota, Inc., Internet Identity, and MarkMonitor, as well as by reports from users who find phishing sites while surfing. According to Microsoft, this “URL reputation service” updates several times an hour with new data.
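The L-to-1 and O-to-0 substitutions described earlier, and the domain-spoofing, homograph and IDN checks that SmartScreen performs, can both be approximated in a few lines. The Python below is an added example, not SmartScreen’s code or the book’s: it decodes punycode (xn--) labels back to Unicode, reduces a domain to a “skeleton” in which easily confused characters are folded together so that look-alikes collide with the domain they imitate, and reports any label that mixes writing systems. The confusable table is a small constructed subset of the Unicode confusables data, and the trusted-domain list is an assumption for the demonstration.

```python
# Added example: detect look-alike (homograph) domains and mixed-script IDN
# labels. Not SmartScreen's code; the confusable table is a constructed subset
# of the Unicode confusables list, not the whole of it.
import unicodedata

# Characters easily mistaken for a Latin letter (assumed subset).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic c y x i
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",                 # Greek omicron alpha rho
}
# Letter pairs that blur into a single glyph at small sizes.
PAIRS = {"rn": "m", "vv": "w"}


def decode_idn(domain):
    """Turn punycode labels (xn--...) back into Unicode so they can be inspected."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Reduce a domain to what it looks like, so look-alikes collide."""
    text = unicodedata.normalize("NFKC", decode_idn(domain)).lower()
    for pair, single in PAIRS.items():
        text = text.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts_in(label):
    """Writing systems used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(domain):
    """Labels that mix scripts: the classic IDN homograph pattern."""
    return [lab for lab in decode_idn(domain).split(".") if len(scripts_in(lab)) > 1]


def looks_like(candidate, trusted_domains):
    """Return the trusted domain this candidate imitates, or None when it is
    either genuinely that domain or not similar to any of them."""
    cand_skel = skeleton(candidate)
    cand_real = decode_idn(candidate)
    for trusted in trusted_domains:
        if cand_skel == skeleton(trusted) and cand_real != trusted.lower():
            return trusted
    return None


if __name__ == "__main__":
    trusted = ["paypal.com", "ebay.com", "aol.com"]  # assumed allow-list
    for domain in ["paypa1.com", "p\u0430ypal.com", "paypal.com", "ebay.whatever.com"]:
        print(f"{domain}: imitates={looks_like(domain, trusted)} "
              f"mixed-script={mixed_script_labels(domain)}")
```

The skeleton comparison catches paypa1.com and G00gle.com-style digit swaps as well as a Cyrillic “а” dropped into an otherwise Latin name, whether it arrives as Unicode or already encoded as an xn-- label; the mixed-script check is independent of any allow-list and fires on the Cyrillic example alone. Note that the hostname trick aol.whatever.com from earlier in the text is not a homograph at all and is left to the address-bar domain check.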
Here’s how the SmartScreen Filter works:

If you visit a site that Internet Explorer knows is a phishing scam, it changes the background color of the address bar to red and displays an Unsafe Website message in the Security Report area, as shown in Figure 7. It also blocks navigation to the site by displaying a separate page telling you that the site is a known phishing scam. A link is provided to navigate to the site, if you so choose.

Note
The Security Report area is another Internet Explorer security innovation. Clicking whatever text or icon appears in this area produces a report on the security of the site. For example, if you navigate to a secure site, you see the lock icon in this area. Click the lock to see a report that shows the site’s digital certificate information.

If you visit a site that Internet Explorer thinks is a potential phishing scam, it changes the background color of the address bar to yellow and displays a Suspicious Website message in the Security Report area.
7. Sharing a Computer Securely

If you’re the only person who uses your computer, you don’t have to worry all that much about the security of your user profile—that is, your files and Windows settings. However, if you share your computer with other people, either at home or at the office, you need to set up some kind of security to ensure that each user has his “own” Windows and can’t mess with anyone else’s (either purposely or accidentally). Here’s a list of security precautions to set up when sharing your computer:

Create an account for each user— All those who use the computer, even if they use it only occasionally, should have their own user account. (If a user needs to access the computer rarely, or only once, activate the Guest account and let him use that. You should disable the Guest account after the user finishes his session.)

Note
To activate the Guest account in Windows 7 or Vista, select Start, Control Panel, Add or Remove User Accounts, and enter your UAC credentials. In the Manage Accounts window, click Guest, and then click Turn On. To activate the Guest account in Windows XP, select Start, Control Panel, User Accounts. In the User Accounts window, click Guest, and then click Turn On the Guest Account.

Remove unused accounts— If you have accounts set up for users who no longer require access to the computer, you should delete those accounts.

Limit the number of administrators— Members of the Administrators group can do anything in Windows 7 or Vista simply by clicking Continue in the User Account Control dialog box. These powerful accounts should be kept to a minimum. Ideally, your system should have just one (besides the built-in Administrator account).

Rename the Administrator account— Renaming the Administrator account ensures that no other user can be certain of the name of the computer’s top-level user.

Put all other accounts in the Users (Standard users) group— Users can perform almost all their everyday chores with the permissions and rights assigned to the Users group, so that’s the group you should use for all other accounts.

Use strong passwords on all accounts— Supply each account with a strong password so that no user can access another’s account by logging on with a blank or simple password.

Set up each account with a screensaver, and be sure the screensaver resumes to the Welcome screen— To do this, right-click the desktop, click Personalize (in Windows 7 or Vista) or Properties (in XP), and then click Screen Saver. Choose an item in the Screen Saver list, and then activate the On Resume, Display Welcome Screen check box.

Lock your computer— When you leave your desk for any length of time, be sure to lock your computer; either select Start, Lock in Windows 7 or Vista, or press Windows Logo+L in Windows 7, Vista, or XP. This displays the Welcome screen; no one else can use your computer without entering your password.
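Once the accounts are set up as the list describes, it is worth checking periodically that nothing has drifted. The Python script below is an added example, not code from the book or from Windows: it parses the text printed by net user, net localgroup Administrators and net user <name> (sample output is embedded, constructed in the layout those commands use, so it runs anywhere; on a Windows machine it runs the commands live) and reports a built-in Administrator account still using its default name, a Guest account that is turned on, more than one administrator besides the built-in one, and accounts that do not require a password. Because net prints names rather than SIDs, the built-in account is recognised only by its name; that is an assumption of the example, as are the sample account names.

```python
# Added example: audit a shared Windows PC against the precautions above by
# parsing what 'net user', 'net localgroup Administrators' and 'net user <name>'
# print. Not code from the book or from Windows; sample output is constructed.
import platform
import re
import subprocess

def _body_lines(text):
    """Non-empty lines between the dashed rule and the 'command completed' footer."""
    body, started = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            started = True
        elif line.startswith("The command completed"):
            break
        elif started and line.strip():
            body.append(line)
    return body

def parse_net_user_list(text):
    """Account names from 'net user' (several names per row)."""
    return [name for line in _body_lines(text) for name in line.split()]

def parse_localgroup_members(text):
    """Member names from 'net localgroup <group>' (one per row, may contain spaces)."""
    return [line.strip() for line in _body_lines(text)]

def parse_account_detail(text):
    """Field/value pairs from 'net user <name>', e.g. 'Account active' -> 'Yes'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit(accounts, admins, details):
    """Apply the sharing precautions; returns findings (empty list = clean).
    'net' shows names, not SIDs, so the built-in Administrator is assumed to be
    the account literally named 'Administrator' until it has been renamed."""
    findings = []
    if "Administrator" in accounts:
        findings.append("built-in Administrator account still has its default name")
    if details.get("Guest", {}).get("Account active") == "Yes":
        findings.append("Guest account is turned on; turn it off once the visitor is done")
    other_admins = [a for a in admins if a != "Administrator"]
    if len(other_admins) > 1:
        findings.append("more than one administrator besides the built-in account: "
                        + ", ".join(other_admins))
    for name, info in details.items():
        if info.get("Password required") == "No":
            findings.append(f"account {name!r} can log on without a password")
    return findings

def run_net(*args):
    """Run a 'net' command on Windows and return its text output (live use)."""
    return subprocess.run(["net", *args], capture_output=True, text=True).stdout

# Constructed sample output in the layout the 'net' commands use.
NET_USER = """
User accounts for \\\\HOMEPC

-------------------------------------------------------------------------------
Administrator            Guest                    Karen
Paul
The command completed successfully.
"""
NET_LOCALGROUP_ADMINS = """Alias name     Administrators
Members
-------------------------------------------------------------------------------
Administrator
Karen
Paul
The command completed successfully.
"""
NET_USER_GUEST = """User name                    Guest
Full Name
Account active               Yes
Password required            No
The command completed successfully.
"""
NET_USER_PAUL = """User name                    Paul
Account active               Yes
Password required            Yes
The command completed successfully.
"""

if __name__ == "__main__":
    if platform.system() == "Windows":
        accounts = parse_net_user_list(run_net("user"))
        admins = parse_localgroup_members(run_net("localgroup", "Administrators"))
        details = {n: parse_account_detail(run_net("user", n)) for n in accounts}
    else:
        accounts = parse_net_user_list(NET_USER)
        admins = parse_localgroup_members(NET_LOCALGROUP_ADMINS)
        details = {"Guest": parse_account_detail(NET_USER_GUEST),
                   "Paul": parse_account_detail(NET_USER_PAUL)}
    for finding in audit(accounts, admins, details):
        print("FINDING:", finding)
```

On the constructed sample the audit reports four findings: the Administrator account has not been renamed, Guest is turned on, Karen and Paul are both administrators, and Guest can log on without a password. The parsers are deliberately tolerant of the blank lines and header text that the net commands print, and a field with no value (such as an empty Full Name) is simply skipped.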