"Social engineering" on the Internet
From October 2004 Newsletter
I received two e-mails today at my own account which are similar in content but radically different in nature, and I'll use them to illustrate the nature of "PHISHING": using what appears to be legitimate information to lure you into giving away real information that can be used to hurt you (or others).
The first came from PayPal, and was legitimate. Here is the text:
--------------- e-mail from PayPal -------------
>Dear Richard Pitt,
>
>Your credit card ending in 9003 will expire soon.
>
>To avoid any interruption to your service, please update your
>credit card expiration date by following the steps below. If you do not
>update your credit card expiration date
>
>- You will no longer be able to fund payments with this card
>
>To update your credit card expiration date:
>
>1. Log in to your PayPal account
>2. Go to the Profile subtab
>3. Click on the 'Credit Cards' link in the Financial Information column
>4. Choose the radio button next to the credit card you would like to
>update and click 'Edit'
>5. Enter your credit card verification number
>6. Enter the new credit card expiration date
>7. Click 'Save'
>
>
>Thank you for using PayPal!
>The PayPal Team
>
>
>----------------------------------------------------------------
> PROTECT YOUR PASSWORD
>
> NEVER give your password to anyone and ONLY log in at
>https://www.paypal.com/. Protect yourself against fraudulent websites by
>opening a new web browser (e.g. Internet Explorer or Netscape) and typing
>in the PayPal URL every time you log in to your account.
>
>---------------------------------------------------------
>
>Please do not reply to this e-mail. Mail sent to this address cannot be
>answered. For assistance, log in to your PayPal account and choose the
>"Help" link in the header of any page.
>
>PayPal Email ID PP031
------------------------------ end of Paypal e-mail ---------
The second was allegedly from CitiBank - and is absolutely NOT legitimate!!!
----------------- Start of bogus Citibank e-mail -----------
Dear Customer:
Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately.
This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information.
This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension.
Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand.
Please use our secure counter server to indicate that you have signed on, please click the link bellow:
http://192.168.1.1/citifi/ (I've obfuscated this - it won't work - richard)
!! Note that we have no particular indications that your details have been compromised in any way.
Thank you for your prompt attention to this matter and thank you for using Citibank(R)
Regards,
Citibank(R) Card Department
(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC. Citibank and Arc Design is a registered service mark of Citicorp.
---------------------- end of bogus Citibank e-mail ---------
NOTE: I have changed the IP address in the link - it will not work.
The first thing to note is that the PayPal mail addressed me by name, something that PHishers don't typically do because they don't know my name, only my e-mail address.
The second thing to note is that the PayPal mail included a small portion of something else they know about me - the last 4 digits of the credit card I used when I signed up with them - useless to anyone, but an easily verified (by me) authentication item to let me know they know me.
The Citibank e-mail, aside from having some questionable English in it, didn't provide anything like this, but it certainly could have if it were legitimate (the last few digits of the account number or some similar info, for instance; this would be especially valid if I had more than one account with them, since how else would I know which account they meant?).
The third thing to note is that the Paypal e-mail didn't include any direct links to themselves. They know that you already know how to get to them.
The Citibank e-mail not only provided a direct link to their alleged site; in my copy (since I use something other than a Microsoft product to view mail) it showed up as an IP address, not a typical URL. In other e-mail programs it is possible that the URL you see is not what really underlies the viewable link: it can be obfuscated through the use of non-printing characters and other chicanery, so that even if it looks like a "real" Citibank link you would in fact go somewhere completely different. Your web browser and e-mail program can LIE to you!
Paypal knows this and so they don't play the game. You have to figure out where to go to do what they want, and enter the URL yourself, guaranteeing that your browser will go where you think it will - their page.
The URL in the Citibank e-mail would probably have gone to a page that would look exactly like what you think it should look like - the PHishers would have copied the look and feel graphics exactly from the correct page (or a similar one) on the real site. Fortunately, the page seems to have been taken down now - but likely not before some unsuspecting people have entered their account name and password into the PHishers' site and potentially lost it all.
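The mismatch described above, where the link you see and the link you actually follow differ, can be checked mechanically by comparing each anchor's visible text with its real href and flagging targets that are bare IP addresses. This is an added example, not code from the newsletter; the HTML e-mail body is constructed, 192.0.2.10 is a placeholder address, and the hostname comparison is a heuristic that generalizes the single case in the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not the newsletter's actual message): the first
# link's visible text claims a bank domain while its real href is a bare IP
# address (192.0.2.10 is a documentation-range placeholder).
SAMPLE_HTML = """<p>Please sign on immediately:
<a href="http://192.0.2.10/citifi/">https://www.citibank.com/</a></p>
<p>Or log in at <a href="https://www.paypal.com/">PayPal</a>.</p>"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":                       # start of an anchor: remember its real target
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:           # text the reader actually sees for the link
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(href, [reasons])] for anchors whose real target looks deceptive."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = (urlparse(href).hostname or "").lower()
        if IPV4_RE.match(host):
            reasons.append("real target is a bare IP address, not a bank domain")
        shown = URL_RE.search(text)          # does the visible text itself look like a URL?
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if shown_host and shown_host != host:
                reasons.append(f"visible text names {shown_host} but href goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_HTML)` reports only the first link, with both reasons; the PayPal link, whose visible text is not a URL and whose host is a real domain, is not flagged.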
So... to cap it all off:
1 - don't just do what some e-mail suggests you do - check via other means: send a separate e-mail, not a "reply", to the person and ask if they really meant to send the first one - or phone them. A phone call across the world is at most a dollar or two, and the cost of losing your computer and data is measured in hundreds or thousands of dollars.
2 - be suspicious of anything that urges you to do something quickly (as the bogus Citibank e-mail does) and that does not suggest some means other than a supplied URL to do what they want you to do.
3 - understand that any financial institution dealing with you via the Internet knows 1 and 2 above, and they know that PHishers are out there trying to abuse you.
They will not send anything to you via E-mail (or phone you, or send you snail-mail) asking you to provide information about your accounts or passwords - they already know all this!!!
If they do anything, they'll send you a new password or tell you to visit their branch or call their number (which they'll tell you to get from your Yellow Pages or from your last statement - not from their e-mail) or go to the usual URL you use to access your account - which you already know and should be entering each time into a fresh web browser window whenever you want to go there.
If you do receive an e-mail, call your institution yourself. If they call you, ask which location the person is calling from and tell them you'll call them back via the main number, then do so (don't ask them for the main number).
When you do, note that it is entirely legitimate for them to ask you to identify yourself by providing something that they know about you but (hopefully) others don't. We'll get into whether your mother's maiden name is such an item of information in another newsletter.
The bottom line is - be suspicious of anything that wants to know anything about you - whether it is e-mail or phone call or fill-in forms from snail-mail or the local supermarket's "Win a Trip" sweepstakes contest.
Be safe, check it out before you sign up or sign in.