Orcmid's Lair
2004-05-29

And the little phish have bigger phish to bite them

ACM News Service: Gone Phishing - Web Scam Takes Dangerous Turn. This blurb points out that phishing is becoming increasingly aggressive, and the installation of keystroke loggers and similar programs is becoming increasingly stealthy. You need to be a Wall Street Journal subscriber to see the full article.

I caught a fraudulent MSN Billing e-mail in my Outlook Express this past week. The message from Billing@Мsn.com was recognized as spam by MSN Hotmail (!) and it was placed in my "Bulk Mail" quarantine. (You will recognize another tip-off if you look at that e-mail address while telling your browser to try different language character sets. That's harder to do in Outlook Express.) I noticed the message when I reviewed the folder for false positives a few days later. I'm not going to describe all of the tip-offs by which the scam was obvious and the e-mail was recognized as fraudulent, but I caution people to avoid anything that suggests they fax credit-card account information to an 800-number. Besides the MSN Hotmail segregation into "Bulk Mail," I also had Norton Antivirus and Outlook Express watching out for dangerous attachments. OE suppressed the HTML attachment that might have gone beyond inviting me to do something stupid manually, as the plaintext version of the message did.

I managed to report this incident to MSN, although it was a chore to find a contact point -- I finally gave up searching on-line and used a known contact at Microsoft. As in many aspects of life, it sometimes comes down to knowing someone (or at least knowing their name and, in this case, their blog page). It is my experience that web sites and web-commerce organizations rarely provide a recognizable way for users and customers to notify the company that there is a security or fraud matter that they need to know about.
Microsoft, in providing comprehensive technical security support, has a page for notifying them of a security vulnerability that is discovered about a Microsoft product or service, but MSN doesn't, nor do the MSN links provided on the Microsoft vulnerability-notification page. This experience reminds me of Bruce Schneier's discussion of agendas in Chapter 3 of Beyond Fear. It is clear to me that, while the MSNs, Yahoos, and Googles and eCommerce services of the world are after my eyeballs and clicks, they don't want me to be worrying my pretty little head over security incidents about them. They are not operating from a "security and anti-fraud is a matter of visible vigilance for us and we welcome your shared concern for our mutual, safe participation in the Internet community" stance. So there is not much a Boy Scout can provide as a cyber-civics contribution. I now have more than enough reported incidents to qualify for the merit badge, though.

My benchmark for how to handle fraud and security issues is at amazon.com, which has reasonably transparent operation and is aggressive about learning of imposters and squashing them. Who do you nominate for best-of-breed in welcoming feedback on security and fraud incidents that you notice?

I haven't used my MSN account as my e-mail address for several (at least 6) years since spam became a problem. Someone (perhaps many someones) mined the MSN membership list and it drowned out my ordinary use of that address. The spam and klez.h from address books that still have that address keep on coming. I retain the address for Passport and MSN Messenger usage, and it is the name of my back-up dial-up account that, at one time, I could use to roam in Japan and Italy (via the UK). Sometimes, some long-lost-sight-of acquaintance tracks me down by that address. I have no intention of abandoning that account and e-mail, but it is becoming less and less useful as time goes on. I can no longer use its secure SMTP provisions to send mail while I am on another service, using another identity that I want people to remember and reply to. These privacy/security-oriented interventions have been more inconvenient than effective since spammers find a way and I have to play nice in a game that just makes me work too hard.
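The character-set tip-off mentioned above (the "М" in Billing@Мsn.com is a Cyrillic letter, not a Latin "M") can be checked mechanically rather than by eye. The following is an added example, not code from the original post: it takes a From: header, splits the address into local part and domain, and reports which Unicode scripts each part uses, so a mixed-script or non-ASCII sender stands out in plain text even in a client that won't let you switch character sets. The sample headers are constructed for the demonstration, and the lookalike table is a small hand-picked subset of Cyrillic letters, not a complete confusables list.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample From: headers for this example (not real mail).
# The second one puts CYRILLIC CAPITAL LETTER EM (U+041C) where a Latin "M"
# belongs, the same trick as the Billing@Мsn.com address described in the post.
SAMPLE_HEADERS = {
    "legit": "MSN Billing <Billing@msn.com>",
    "spoof": "MSN Billing <Billing@\u041csn.com>",
}

# Hand-picked subset of Cyrillic letters that render like Latin ones
# (assumption: enough for this demonstration, not a complete confusables table).
LOOKALIKES = {
    "\u041c": "M", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0410": "A",
    "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
}


def script_of(ch):
    """Coarse script label taken from the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def analyze_sender(header_value):
    """Split a From: header into local part and domain and report script mixing.

    Returns a dict with per-part script sets, the non-ASCII characters found
    (with code point and Unicode name), and an overall 'suspicious' verdict.
    """
    _display, addr = parseaddr(header_value)
    local, _, domain = addr.rpartition("@")
    report = {"address": addr}
    for part_name, part in (("local", local), ("domain", domain)):
        scripts = {script_of(c) for c in part if c.isalpha()}
        non_ascii = [
            (c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for c in part if not c.isascii()
        ]
        report[part_name] = {
            "scripts": sorted(scripts),
            "non_ascii": non_ascii,
            "mixed_script": len(scripts) > 1,
        }
    # Letters from two scripts in one part, or any non-ASCII character at all
    # in an address that claims to be a plain-ASCII brand, is worth a closer look.
    report["suspicious"] = any(
        report[p]["mixed_script"] or report[p]["non_ascii"] for p in ("local", "domain")
    )
    return report


def as_seen_by_reader(addr):
    """What the reader perceives: lookalikes folded to their Latin twins."""
    return "".join(LOOKALIKES.get(c, c) for c in addr)


def as_ascii_skeleton(addr):
    """Plain-text view with every non-ASCII character replaced by '?', so the spoof shows."""
    return "".join(c if c.isascii() else "?" for c in addr)


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        r = analyze_sender(header)
        print(f"{label}: {r['address']!r}")
        print(f"  looks like    : {as_seen_by_reader(r['address'])}")
        print(f"  skeleton      : {as_ascii_skeleton(r['address'])}")
        print(f"  domain scripts: {r['domain']['scripts']}  non-ASCII: {r['domain']['non_ascii']}")
        print(f"  suspicious    : {r['suspicious']}")
```

Run as a script it prints both samples; the spoofed one shows "Billing@Msn.com" in the lookalike view and "Billing@?sn.com" in the skeleton view, which is the same contrast the browser character-set trick exposes. The script-name heuristic is deliberately coarse: it flags any address whose letters come from more than one script, so genuinely international addresses will also be reported, which is the right bias for a quarantine-review check.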
Comments:
It occurred to me that most users of MSN Hotmail do not read their mail via Outlook Express. I am one of those who prefers to work through mail offline, and who does not find browser-accessed mail either convenient or appealing. And once-upon-a-time I could make POP3 access to MSN mail via Outlook (from the 97-level beta to 2000). Nowadays, access via Outlook Express is my best, and most-secure way to retrieve from MSN Hotmail.
For those who see their Hotmail messages in a browser, the scam may have fewer visible tip-offs. Either way, the greatest resistance to this sort of attack is to avoid surrendering to social engineering -- anything that asks you to do something that you cannot verify independently. I repeat, independently. Trust nothing provided in the message itself.