Chapter 4 : Phishing & Identity Theft

Who hasn’t received an email directing them to visit a familiar website where they are being asked to update their personal information? The website needs you to verify or update your passwords, credit card numbers, social security number, or even your bank account number. You recognize the business name as one that you’ve conducted business with in the past.

So, you click on the convenient “take me there” link and proceed to provide all the information they have requested. Unfortunately, you find out much later that the website is bogus. It was created with the sole intent to steal your personal information.

You, my friend, have just been “phished”.

Phishing (pronounced as “fishing”) is defined as the act of sending an email to a recipient falsely claiming to have an established, legitimate business. The intent of the phisher is to scam the recipient into surrendering their private information, and ultimately steal your identity.

It is not at easy as you think to spot an email phishing for information. At first glance, the email may look like it is from a legitimate company. The "From" field of the e-mail may have the .com address of the company mentioned in the e-mail. The clickable link even appears to take you to the company's website, when in fact, it is a fake website built to replicate the legitimate site.

Many of these people are professional criminals. They have spent a lot of time in creating emails that look authentic. Users need to review all emails requesting personal information carefully. When reviewing your email remember that the "From Field" can be easily changed by the sender. While it may look like it is coming from a .com you do business with, looks can be deceiving.

Also keep in mind that the phisher will go all out in trying to make their email look as legitimate as possible. They will even copy logos or images from the official site to use in their emails. Finally, they like to include a clickable link that the recipient can follow to conveniently update their information.

A great way to check the legitimacy of the link is to point at the link with your mouse. Then, look in the bottom left hand screen of your computer. The actual website address to which you are being directed will show up for you to view. It is a very quick and easy way to check if you are being directed to a legitimate site.

Follow the golden rule: never, ever, click the links within the text of the e-mail, and always delete the e-mail immediately. Once you have deleted the e-mail, empty the trash box in your e-mail accounts as well. If you are truly concerned that you are missing an important notice regarding one of your accounts, then type the full URL address of the website into your browser. At least then you can be confident that you are, in fact, being directed to the true and legitimate website.

The Advancement of the Keyloggers

A keylogger is a program that runs in your computer’s background secretly recording all your keystrokes. Once your keystrokes are logged, they are hidden away for later retrieval by the attacker. The attacker then carefully reviews the information in hopes of finding passwords or other information that would prove useful to them.

For example, a keylogger can easily obtain confidential emails and reveal them to any interested outside party willing to pay for the information.

Keyloggers can be either software or hardware based.

Software-based keyloggers are easy to distribute and infect, but at the same time are more easily detectable.

Hardware-based keyloggers are more complex and harder to detect. For all that you know, your keyboard could have a keylogger chip attached and anything being typed is recorded into a flash memory sitting inside your keyboard. Keyloggers have become one of the most powerful applications used for gathering information in a world where encrypted traffic is becoming more and more common.

As keyloggers become more advanced, the ability to detect them becomes more difficult. They can violate a user’s privacy for months, or even years, without being noticed.  During that time frame, a keylogger can collect a lot of information about the user it is monitoring. A keylogger can potential obtain not only passwords and log-in names, but credit card numbers, bank account details, contacts, interests, web browsing habits, and much more. All this collected information can be used to steal user’s personal documents, money, or even their identity.

A keylogger might be as simple as an .exe and a .dll that is placed in a computer and activated upon boot up via an entry in the registry. Or, the more sophisticated keyloggers, such as the Perfect Keylogger or ProBot Activity Monitor have developed a full line of nasty abilities including:

  • Undetectable in the process list and invisible in operation
  • A kernel keylogger driver that captures keystrokes even when the user is logged off
  • A remote deployment wizard
  • The ability to create text snapshots of active applications
  • The ability to capture http post data (including log-ins/passwords)
  • The ability to timestamp record workstation usage
  • HTML and text log file export
  • Automatic e-mail log file delivery

All keyloggers are NOT used for illegal purposes. A variety of other uses have surfaced. Keyloggers have been used to monitor web sites visited as a means of parental control over children. They have been actively used to prevent child pornography and avoid children coming in contact with dangerous elements on the web.

What are Intrusion Detection Systems?

Intrusion Detection System (IDS) are a necessary part of any strategy for enterprise security. What are Intrusion Detection systems? CERIAS, The Center for Education and Research in Information Assurance and Security, defines it this way:

"The purpose of an intrusion detection system (or IDS) is to detect unauthorized access or misuse of a computer system. Intrusion detection systems are kind of like burglar alarms for computers. They sound alarms and sometimes even take corrective action when an intruder or abuser is detected.

Many different intrusion detection systems have been developed but the detection schemes generally fall into one of two categories, anomaly detection or misuse detection.

Anomaly detectors look for behavior that deviates from normal system use. Misuse detectors look for behavior that matches a known attack scenario. A great deal of time and effort has been invested in intrusion detection, and this list provides links to many sites that discuss some of these efforts"

(http://www.cerias.purdue.edu/about/history/coast_resources/intrusion_detection/)

There is a sub-category of intrusion detection systems called network intrusion detection systems (NIDS). These systems monitors packets on the network wire and looks for suspicious activity. Network intrusion detection systems can monitor many computers at a time over a network, while other intrusion detection systems may monitor only one.

Who is Breaking Into Your System?

One common misconception of software hackers is that it is usually people outside your network who break into your systems and cause mayhem. The reality, especially for corporate workers, is that insiders can and usually do cause the majority of security breaches. Insiders often impersonate people with more privileges then themselves to gain access to sensitive information.

How Do Intruders Break into Your System?

The simplest and easiest way to break in is to let someone have physical access to a system. Despite the best of efforts, it is often impossible to stop someone once they have physical access to a machine.

Also, if someone has an account on a system already, at a low permission level, another way to break in is to use tricks of the trade to be granted higher-level privileges through holes in your system. Finally, there are many ways to gain access to systems even if one is working remotely. Remote intrusion techniques have become harder and more complex to fight.

How Does One Stop Intrusions?

There are several Freeware/shareware Intrusion Detection Systems as well as commercial intrusion detection systems.

Open Source Intrusion Detection Systems

Below are a few of the open source intrusion detection systems:

  • AIDE (http://sourceforge.net/projects/aide) - Self-described as "AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. There are other free replacements available so why build a new one? All the other replacements do not achieve the level of Tripwire. And I wanted a program that would exceed the limitations of Tripwire."
  • File System Saint (http://sourceforge.net/projects/fss) - Self-described as, "File System Saint is a lightweight host-based intrusion detection system with primary focus on speed and ease of use."
  • Snort (www.snort.org) - Self-described as "Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry."

Commercial Intrusion Detection Systems

If you are looking for Commercial Intrusion Detection Systems, here are a few of these as well:

  • Tripwire : http://www.tripwire.com
  • Touch Technology Inc (POLYCENTER Security Intrusion Detector) : http://www.ttinet.com
  • Internet Security Systems (Real Secure Server Sensor) : http://www.iss.net
  • eEye Digital Security (SecureIIS Web Server Protection) : http://www.eeye.com

Surfing the Web Anonymously – Questions to Ask

When you surf the web it is possible to learn information about you even when you don't want to advertise who you are. This is true even if your system contains no virus or malware software.

Specifically information that is easily available online includes your IP address, your country (and often more location information based on IP address), what computer system you are on, what browser you use, your browser history, and other information. It gets worse.

People can get your computer's name and even find out your name if your machine supports programs like finger or identd. Also, cookies can track your habits as you move from machine to machine.

How do people get this basic information about you?

When you visit another web site, information about you can be retrieved. Basically, information is intercepted and used by others to track your Internet activities.

How do you stop this from happening?

First of all, it is possible to serf the web anonymously and thereby stop leaving a trail for others to find. Note that this is not fool-proof, but it makes it much harder for people to know who you are. There are products called anonymous proxy servers that help protect you. The anonymous proxy server replaces your Internet address for its own. This has the effect of hiding your IP address and making it much harder for people to track you.

How do I get an anonymous proxy server?

There are many vendors who sell anonymous proxy servers. There are also free proxy servers available to you. Two such products are ShadowSurf and Guardster. Guardster (http://www.guardster.com/) offers various services for anonymous and secure access to the web, some paid as well as a free service. ShadowSurf (http://www.shadowsurf.com/) ShadowSurf provides anonymous surfing at their site for free. Go to it and you will find a box to enter a URL that you want no one to track. There are many others, but here are two that are frequently used.

Another interesting product, given the recent news about the Google search engine filtering its findings for the Chinese government, is Anonymizer (http://www.anonymizer.com). This company, among others, recently (Feb 1st, 2006) pressed that it "is developing a new anti-censorship solution that will enable Chinese citizens to safely access the entire Internet filter-free" (http://www.anonymizer.com/consumer/media/press_releases/02012006.html).

Does an anonymous proxy server make you 100% safe?

No. Still, you are much better off if you use such technology.

What other things should I be concerned about when trying to keep my private information private?

Three other items come to mind when trying to keep your information private. First, you can use an encrypted connection to hide your surfing. This article does not go into detail on this, but search the web and you will find a lot of information on this. Secondly, delete cookies after each session. Third, you can configure your browser to remove JavaScript, Java, and active content. This actually leads to limitations, so you need to think about the cost/benefit of this course of action.

Join us on Facebook