CopsAlive was on the wrong side of a phishing trip two weeks ago when we were hacked by a phishing scheme that used our server to host a false web page for a well known bank. It is believed that the hackers were trying to collect personal information from customers of that bank and used our domain to hide their scheme. Then yesterday we were hacked by a group that makes a game of taking over sites and leaving nasty messages in place of the actual site. We’ve learned a few things from all this, albeit the hard way. Let us share some tips with you.
We mention this here because if any of our fellow cops are operating, or thinking of starting, an internet business, there are lots of things to think about. We wondered if we were targeted just because we were police officers and the hackers were just being bold, or if we were randomly selected, like so many victims are, just because they found a weakness in our security.
Either way, we still encourage cops to consider starting their own business; doing business online can be easy to manage and easily worked around anyone’s schedule.
Phishing is a technique where criminals use emails or webpages they have created to “fish” for passwords, PIN numbers, Social Security numbers and any other personal info they can get from unsuspecting people who think they are dealing with a reputable organization or website. This information is then used as part of an identity theft crime that is usually done completely online by international criminals working outside the borders of the victim’s country.
We believe that an ounce of prevention is worth a pound of cure so here are some things we have learned from this experience.
1. As a business, never take security lightly and always keep a close eye on what is happening within your business. In the online world that means watching for unexplained spikes in your stats and traffic, or changes in the appearance or contents of your site.
2. As an individual, never give any personal information to an unsolicited source, whether that is a person, phone call, email or link to a website. You can easily look up the true phone number, email address or website URL without being suckered by a “pfalse” one.
3. Finally, lots of these phishing sites look real and try to mask the security measures you might be looking for so take some time right now to learn more about a problem that is growing exponentially.
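For the first tip, here is an added example (not code from the original post) of one way to notice a change in a site's contents before a visitor does: a script that records a SHA-256 hash of every file under the web root and reports anything added, removed or modified since that baseline. The directory, file names and the simulated "compromise" (a hidden directory holding a fake login page, plus a defaced index) are constructed inside the script so it runs offline; in practice you would take the baseline from a known-good copy, keep it off the server, and run the comparison on a schedule.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed example: baseline and re-check the contents of a web root so that a
# page planted by an intruder (or a defaced index page) shows up as a diff.


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(web_root: Path) -> dict:
    """Map every file under web_root (path relative to the root) to its SHA-256."""
    manifest = {}
    for path in sorted(web_root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(web_root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(name for name in baseline.keys() & current.keys()
                      if baseline[name] != current[name])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a planted page and a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>CopsAlive</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: black; }")
        # The baseline would normally be written to a file kept off the web server.
        saved_baseline = json.dumps(build_manifest(root))
        # Simulated compromise: a hidden directory with a fake login page, and a defaced index.
        (root / ".cache").mkdir()
        (root / ".cache" / "login.html").write_text("<form>fake bank login</form>")
        (root / "index.html").write_text("<h1>defaced</h1>")
        return compare_manifests(json.loads(saved_baseline), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything in the "added" list that you did not upload yourself, and anything in "modified" that you did not edit, is worth looking at immediately; a hidden directory full of bank logos is exactly the kind of thing this catches.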
We don’t pretend to be experts so here are some resources you might consider or just “Google” search the terms you want to learn about. We recommend reading the Google Security Blog which has some great advice and here are some of their suggestions dealing with phishing:
“Be careful about responding to emails that ask you for sensitive information. You should be wary of clicking on links in emails or responding to emails that are asking for things like account numbers, user names and passwords, or other personal information such as social security numbers. Most legitimate businesses will never ask for this information via email. Google doesn’t.
Go to the site yourself, rather than clicking on links in suspicious emails. If you receive a communication asking for sensitive information but think it could be legitimate, open a new browser window and go to the organization’s website as you normally would (for instance, by using a bookmark or by typing out the address of the organization’s website). This will improve the chances that you’re dealing with the organization’s website rather than with a phisher’s website, and if there’s actually something you need to do, there will usually be a notification on the site. Also, if you’re not sure about a request you’ve received, don’t be afraid to contact the organization directly to ask. It takes just a few minutes to go to the organization’s website, find an email address or phone number for customer support, and reach out to confirm whether the request is legitimate.
If you’re on a site that’s asking you to enter sensitive information, check for signs of anything suspicious. If you’re on a site that’s asking for sensitive information — no matter how you got there — check for the signs that it’s really the official website for the organization. For example, check the URL to make sure the page is actually part of the organization’s website, and not a fraudulent page on a different domain (such as mybankk.com or g00gle.com.) If you’re on a page that should be secured (like one asking you to enter in your credit card information) look for “https” at the beginning of the URL and the padlock icon in the browser. (In Firefox and Internet Explorer 6, the padlock appears in the bottom right-hand corner, while in Internet Explorer 7 the padlock appears on the right-hand side of the address bar.) These signs aren’t infallible, but they’re a good place to start.
Be wary of the “fabulous offers” and “fantastic prizes” that you’ll sometimes come across on the web. If something seems too good to be true, it probably is, and it could be a phisher trying to steal your information. Whenever you come across an offer online that requires you to share personal or other sensitive information to take advantage of it, be sure to ask lots of questions and check the site asking for your information for signs of anything suspicious.
Use a browser that has a phishing filter. The latest versions of most browsers — including Firefox, Internet Explorer, and Opera — include phishing filters that can help you spot potential phishing attacks.”
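To make the URL check in that advice concrete, here is an added example (not from Google's post or from the original article) that classifies the domain of a URL against a short, constructed list of trusted domains. It flags a one-character typo like mybankk.com, a digit-for-letter swap like g00gle.com, and a trusted name reused as a subdomain of somebody else's domain, and it records whether the page uses https. The trusted list, the homoglyph table and the two-label "registrable domain" rule are my assumptions; real suffixes such as co.uk would need the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed list of the domains the user genuinely logs in to.
TRUSTED_DOMAINS = ("google.com", "mybank.com")

# Digits that are swapped in for similar-looking letters (g00gle -> google).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos like mybankk.com."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (char_a != char_b)))
        previous = current
    return previous[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Assumption: a two-label suffix model,
    which is wrong for suffixes like co.uk (use the Public Suffix List for those)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """('trusted', domain), ('lookalike', trusted domain it imitates) or ('unknown', domain)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)
    # Undo digit-for-letter swaps, then compare the name part against each trusted name.
    name = registrable_domain(host.translate(HOMOGLYPHS)).split(".")[0]
    for candidate in sorted(trusted):
        trusted_name = candidate.split(".")[0]
        if (name == trusted_name                           # g00gle.com after the swap
                or edit_distance(name, trusted_name) <= 1  # mybankk.com
                or trusted_name in host):                  # mybank.com.evil.net
            return ("lookalike", candidate)
    return ("unknown", domain)


def review(url: str) -> dict:
    """Combine the two signs the quoted advice mentions: the right domain, and https."""
    verdict, domain = classify(url)
    return {"verdict": verdict, "domain": domain,
            "https": urlsplit(url).scheme == "https"}


if __name__ == "__main__":
    for sample in ("https://www.mybank.com/login", "http://mybankk.com/login",
                   "http://g00gle.com/", "https://mybank.com.evil.net/"):
        print(sample, review(sample))
```

The substring test (`trusted_name in host`) errs on the side of flagging, so a legitimate but unrelated domain that happens to contain a trusted name will come back as "lookalike"; that is the right default for a check whose job is to make you stop and look, and a browser's phishing filter works from far larger lists in the same spirit.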
They mention Mozilla Firefox which is our browser of choice and we recommend that you learn more about the security features of Firefox.
The Mozilla site tells you: “Shop and do business safely on the Internet. Firefox gets a fresh update of web forgery sites 48 times in a day, so if you try to visit a fraudulent site that’s pretending to be a site you trust (like your bank), a browser message—big as life—will stop you.”
Firefox has a direct pop-up feature, whereas I believe that MS Internet Explorer 7 requires that you opt in for its phishing pop-up, so if you are using Explorer you need to look into this further.
I found this on the Microsoft website: “This filter warns you about and helps to protect you against potential or known fraudulent websites, and blocks the sites if appropriate. This opt-in filter is updated several times per hour using the latest security information from Microsoft and several industry partners.”
If you trust Wikipedia here are some interesting stats: “It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.[42] In 2007 phishing attacks escalated. 3.6 million adults lost US $ 3.2 billion in the 12 months ending in August 2007.[43] In the United Kingdom losses from web banking fraud—mostly from phishing—almost doubled to £23.2m in 2005, from £12.2m in 2004,[44] while 1 in 20 computer users claimed to have lost out to phishing in 2005.[45]”
For general information about protecting your computer and network check out the identity theft expert John Sileo’s Identity Blog, specifically the “Identity Theft Prevention Tool Box”.
You might also check out the site “How Stuff Works” to learn more about how phishing works.
For information about what to do if identity theft happens to you, visit Privacy Rights for some excellent resources.
The Anti-Phishing Working Group (APWG) is an organization of law enforcement and associated security professionals working together, and can be an excellent resource.
Finally, for the cop in all of us, there are two excellent research sources in the area of identity theft and phishing. Check out the resources offered by the APWG and the US Federal Trade Commission.
Good luck and I hope you don’t get “hooked” like we did!
Sources:
http://googleblog.blogspot.com/2008/04/how-to-avoid-getting-hooked.html
http://www.mozilla.com/en-US/firefox/features/#security
http://en.wikipedia.org/wiki/Phishing
http://www.thinklikeaspy.com/identity-theft-resources.php#top
http://computer.howstuffworks.com/phishing.htm
http://www.antiphishing.org/consumer_recs.html
http://www.privacyrights.org/fs/fs17a.htm
http://www.antiphishing.org/resources.html#sponsors
http://www.ftc.gov/bcp/edu/microsites/idtheft/