This is part 2 in a series on Internet Safety.
How You Get Owned, Part 2
In Part 1 of this series, I told you that the Internet, for all its glory and cat photos, is a very creepy place full of creeps. I also told you that if you don't want to get "owned", meaning, if you don't want someone taking control of your stuff, you should use strong passwords. That's among the very least you can do to protect yourself. But having a strong password sometimes isn't enough - sometimes you just need to be aware of your surroundings.
Phishing has been a media buzzword for quite some time now. Phishing doesn't refer to the Birkenstock-wearing jam band; rather, it refers to an attempt by an attacker to steal your information by pretending that they're a trustworthy source.
Example: Your "Bank"
The most common one is a message from someone claiming to be your bank, your credit card company, or anyone else with a reason to want your money, looking something like this:
Dear Valued Member of BigBancorp,
We received word that your account might be hacked.
To resolve this, please log into http://bigbancorp-owned.com/v/verify/login.shtml
Thank you kindly,
BigBancorp Security Department
What's wrong with that?
Right away I can tell a few things wrong with this. For one, I don't bank with BigBancorp - but maybe millions of people do. If the attacker sends this out to a million people and just .01% are suckered into giving their info, now this attacker has 100 accounts to work with.
- None of my personal info is in that e-mail
Check any legitimate e-mail you've gotten and you'll notice that most financial institutions will usually at least say, "ACCOUNT ENDING IN XXXX".
Here, there is no specific account information about me from "BigBancorp". That's because attackers don't have that info about me at this stage, but they will try to make it look as believable as possible to dupe me into giving them the keys to the castle.
- The link to their login page is using HTTP instead of HTTPS.
This is one that still slips in unnoticed.
'https' encrypts the connection between you and the server that you're performing a transaction on, so your passwords and your information are generally pretty safe while going over that type of connection.
When a site uses the standard "http" prefix on its URL, every bit of information flowing from your computer over the wire to its destination is sent in open plaintext for the world to see.
"What does that mean?" you might ask. It means if I were capturing traffic on your network while you put your password in on a site that used 'http' instead of 'https', I could analyze your traffic afterwards and read your password in plaintext from one of the packets that got sent.
Scary, right? That complex password we talked about last time won't mean jack if you're just willing to give it up to me that easily.
For giggles, check your bank's website. If their login page is not using https, consider banking elsewhere.
- Phishing is when an attacker sends you something to make you think they're really your bank, or Chase, Amazon.com, (insert any other retailer, credit card organization, etc.)
- Phishing can lead to an attacker getting your username and password combinations for whatever site they're pretending to be
- Phishing can also send you to a site where malware will be installed on your computer without you knowing anything about it
- People get owned by phishing scams EVERY DAY.
The good news? In many cases your web browser knows what a phishing site looks like, so it will try to save you from yourself. But your browser can't do all of your thinking for you -- you need to be smart, and be aware of what you're doing online.
Links can very easily be forged. Just because it LOOKS legit, doesn't necessarily mean it IS legit. Hover your mouse over the link and check out the bottom left of your browser. It should give you the TRUE link location.
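To make the "hover and read the TRUE link" habit concrete, here is a small checker I've added for this post (it is not code from the original series). It takes the text a link displays, the real href the browser would show on hover, and the domain you actually trust, and returns the red flags discussed above: a plain http link, a URL shortener, link text that points somewhere other than the real destination, and a lookalike host that merely contains the bank's name. The domains and sample links in it are constructed.

```javascript
// Added example: flag the phishing red flags discussed above for a single link.
// All domain names and links here are constructed for illustration.

const SHORTENERS = new Set(["bit.ly", "tinyurl.com", "t.co", "goo.gl"]);

// Pull a bare hostname out of link text such as "bigbancorp.com" or
// "http://bigbancorp.com/login"; returns null when the text contains no hostname.
function hostFromText(text) {
  const m = text.match(/(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// True when host is the trusted domain or a subdomain of it (login.bigbancorp.com).
function belongsTo(host, trusted) {
  return host === trusted || host.endsWith("." + trusted);
}

// Returns a list of warning strings; an empty list means nothing looked off.
function checkLink(displayText, href, trustedDomain) {
  const warnings = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return ["href is not a valid absolute URL"];
  }
  const host = url.hostname.toLowerCase();

  if (url.protocol !== "https:") {
    warnings.push("link uses " + url.protocol.replace(":", "") + " instead of https");
  }
  if (SHORTENERS.has(host)) {
    warnings.push("link goes through a URL shortener (" + host + "); real destination hidden");
  }
  const shown = hostFromText(displayText);
  if (shown && !belongsTo(host, shown)) {
    warnings.push("link text shows " + shown + " but actually goes to " + host);
  }
  // bigbancorp-owned.com or bigbancorp.com.evil.example contain the brand name
  // but are not bigbancorp.com: a lookalike, not the real thing.
  const brand = trustedDomain.split(".")[0];
  if (!belongsTo(host, trustedDomain) && host.includes(brand)) {
    warnings.push("host " + host + " imitates " + trustedDomain + " but is a different domain");
  }
  return warnings;
}

// The link from the sample e-mail above: plain http and a lookalike domain.
console.log(checkLink("http://bigbancorp-owned.com/v/verify/login.shtml",
                      "http://bigbancorp-owned.com/v/verify/login.shtml", "bigbancorp.com"));
```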
What can I do about it?
Yes folks, you too can avoid being a statistic for phishing scams!
- Don't click on links from people you don't know, especially shortened links from places like 'bit.ly' or 'tinyurl'.
- If you think an e-mail from your bank/merchant is fishy - well, it probably is. Check with them directly - never be afraid to ask.
- Always check for https when you're sending passwords, credit card info, financial info, or anything else that's sensitive.
- Keep your browser, and your operating system up-to-date with security patches.
- BE SMART. Use your best judgment, and common sense.
Stay tuned for Part 3 of "How You Get Owned" - as always, questions, comments and suggestions are welcome! Thanks for reading.