Advisory on 'Identity Theft' attacks
Thu 17 of May, 2012 15:23 PDT
The following advisory was drafted by PICISOC members for circulation to computer users in order to raise awareness about 'phishing'-style online fraud schemes.
Identity Theft
Identity theft on the Internet is when someone steals your virtual identity to access your information online. That can be done in order to access your mail, your social networks, or your bank account. There are several ways to steal your information; some of these methods are phishing, taking over your computer, and social engineering.
The Australian Federal Police has a site explaining various Internet scams, with links to sites with more information. In another report, it is estimated that AUD 1 million was lost in 2003 in Australia due to Internet fraud, and that AUD 30 million would be lost in 2008 if nothing was done.
The Consumer Fraud Reporting organisation of the USA reports that nearly USD 200 million was lost in 2006 in the USA. It indicates that the most common vector for these frauds is e-mail.
Phishing
In addition to looking out for viruses and other dangerous software which arrive via email attachments, computer users in the Pacific Region need to beware of an increasingly common method of identity theft known as 'phishing'.
What is Phishing?
Here is how the Anti-phishing Working Group defines phishing:
"Phishing attacks use 'spoofed' (i.e. faked) e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them."
A typical scenario starts when someone receives an email, apparently from a reputable source like a bank or online shopping site, asking them to visit a website. The website is designed to look just like the company's official site, but is located on a computer controlled by criminals. Typically the site states that something has happened involving the person's money or personal information, and asks them to confirm it. If this person doesn't realise that they are not on the true website, they might submit sensitive information such as their password, bank account or credit card number. Criminals can then get access to this person's money and steal it.
In the above example, the e-mail seems genuine and the From address uses Westpac's normal domain, but if you look at the link carefully, you will see that the address displayed in the e-mail is not where the link will actually take you. That web site will look strangely like the genuine web page, and may even be protected by a security certificate, but you will be on someone else's site. Note also that loading the images in an e-mail can give away that you have opened it, after which you may be contacted more often...
You can find some recent examples of phishing attacks on the anti-phishing website:
http://www.antiphishing.org/
Here are a couple more links concerning recent phishing activity:
Ciphertrust Online Statistics Page
Ciphertrust Downloadable PDF
The following story reminds us that although phishing is still in its infancy on the Internet, it's becoming more and more sophisticated all the time:
Phishers develop sophisticated lure
Who is Vulnerable to Phishing Attacks?
Anyone who has an Email account is at risk, but those who also have bank accounts and credit cards are at an even greater risk, because they have information that others would like to steal.
Your bank will never ask you for your password or account details by Email. Typically they will never even ask you to update those details via Email. Be very suspicious of any email that asks for your passwords or asks you to update financial details via the web.
How do I Protect Myself From a Phishing Attack?
The Internet is no different from any other place in the world. These same tricks have been played before by people using telephones, fax machines and even showing up at your door. The only thing new is that the Internet allows these fraudsters to reach more people more easily.
The best defence in every case is common sense. If you don't recognise the person requesting the information, find a way to independently verify their identity first. If someone offers you free credit or a prize, be suspicious. As the saying goes, there's no such thing as a free lunch.
Everybody who works in computer security knows never to send or request sensitive information via email. Email is not like a letter sealed inside an envelope. It's more like a postcard - because it's transmitted in plain text, anyone with access to the network can read it.
Therefore, banks, credit companies, online shopping sites and other services that provide financial services over the Internet will never use email to ask for your personal information. Nor do they ever announce security or software changes except through trusted pathways. These include their own websites and in some cases the software that they run.
Links in phishing emails are often not encrypted. This means that the link will start with 'http://' rather than 'https://' (the 's' stands for 'secure'). Often these fake links point to a web address that is an IP number rather than a name.
Here is an example of a link that is almost certainly fake:
http://66.96.239.101/
And here is one that is more likely to be legitimate:
https://www.commbank.com.au/
When you move your mouse over a link, the address is usually displayed in the bottom left hand corner of your window. Make a habit of checking the address *every* time before you click. And please, read the address carefully. Some recent attacks used a tiny mis-spelling of a domain name to fool people into thinking they are on the right website.
Can you spot which of the following addresses is the right one?
http://www.g00gle.com/ http://www.google.com/
The first address uses zeroes instead of the letter 'o' to spell 'google'. Now imagine if I had written the address in capital letters:
http://WWW.G00GLE.COM/ http://WWW.GOOGLE.COM/
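The link checks described above (an unencrypted http link, a bare IP address as host, a digit-for-letter look-alike domain, and the earlier point that the address shown in an e-mail may differ from the real target) collected into one small Python function. This is an added example, not part of the PICISOC advisory; the trusted-domain list and the set of swapped characters are constructed assumptions, and the suffix matching is deliberately simple.

```python
import ipaddress
from urllib.parse import urlparse

# Domains the reader actually trusts: a constructed assumption, replace with your own bank's.
TRUSTED_DOMAINS = {"commbank.com.au", "westpac.com.au", "google.com"}

# Digits phishers swap for letters, as in the g00gle address above (0->o, 1->l, 3->e, 5->s).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def trusted_match(host):
    """Return the trusted domain that host belongs to, or None."""
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_link(href, display_text=None):
    """Return a list of warnings for one link; an empty list means no indicator fired."""
    warnings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()  # urlparse already lower-cases the host
    if parsed.scheme != "https":
        warnings.append("link is not encrypted (scheme is %r, not https)" % parsed.scheme)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a name")
    except ValueError:
        pass  # not an IP literal
    if host and trusted_match(host) is None:
        # Undo digit-for-letter swaps; if the result is a trusted domain, this is a look-alike.
        target = trusted_match(host.translate(LOOKALIKES))
        if target:
            warnings.append("host %r is a look-alike of trusted %r" % (host, target))
    if display_text:
        shown = display_text.strip()
        if "://" not in shown:
            shown = "http://" + shown  # e-mail shows 'www.bank.com' as plain text, no scheme
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            warnings.append("displayed address %r differs from real target %r" % (shown_host, host))
    return warnings


if __name__ == "__main__":
    for link in ("http://66.96.239.101/", "https://www.commbank.com.au/", "http://WWW.G00GLE.COM/"):
        print(link, check_link(link) or "no indicators")
```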
If you are at all suspicious about a message you've received, have someone else look at it. If you believe that someone is trying a phishing attack on you, report it to your systems administrator, or to your Internet provider.
Where Can I Learn More About Protecting Myself From Phishing?
The United States Federal Trade Commission (FTC) has a useful guide on their website:
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
Computer Attack
Gone are the old days when people would attack your computer just for the fun of it. There is a whole underground economy which wants access to your computer for monetary gain. They will try to access your computer via several means:
- Exploit a known vulnerability - keep your software up to date.
- Trojan: trick you into executing an application (usually sent via e-mail as an attachment, or by clicking on a link in the e-mail) - think before you click on anything, ensure that it is what you requested, and even so, a nice slide presentation sent by your friends may contain harmful code!
- Lead you to a website that will encourage you to download a file and run it - go only to reputable sites, and download only what you need.
This will not upgrade your Microsoft software; go to the Microsoft site instead and get your updates from there.
It is all about taking control
What is new in these attacks is that the people do not want to harm your computer, but to take control of it. Everything will appear to be working normally, even your anti-virus; however a remote person will have control of your computer. Some people have millions of computers under their control and sell the use of these computers to other miscreants. One simple piece of software that will be installed on your computer is a key logger. It will record everything you type, including your logins and passwords. Unknown to you, you will have given access to many of your secure resources (online bank account, professional e-mail and servers, ...). You may be liable for the misuse of some systems because your login has been used. Read the fine print!
It is usually very difficult to get rid of these Trojans and root kits. Your anti-virus is usually ineffective in removing them. It may be effective in stopping the infection, but once you are infected it will be disabled in such a way that you will not notice. Sometimes the only solution is to reformat and re-install everything. There are some professional solutions, and you should seek professional help if you suspect anything.
How to detect an attack
You may notice unusual Internet activity from your computer; sometimes your ISP will contact you and inform you that your computer has been compromised. Take this information seriously!
Running a firewall may protect you against attack, but it can also control which applications have access to the Internet. You may see some unknown application accessing the Internet. Learn which applications are running on your computer. Any unknown application is suspect.
Another protection method is to use McAfee SiteAdvisor, a plugin for numerous browsers that will indicate to you whether a web site is safe or not. They run some tests on the website and also collect information about its security, for instance whether it is involved in spam or fraud, or contains files with viruses and trojans. However this may not be enough, as miscreants try to take over well known sites in order to attack your computer via your web browser, as was discovered in this attack on the Sydney Opera web site.
How to protect your customers
More and more business is happening online, be it hotel reservations or online banking. Depending on what there is to steal, you need to protect your customers. A few don'ts:
- Do not leave credit card details insecure on your website. Always send this information via encrypted methods. Do not store this information on the same computer used to collect it.
- Do not allow keyloggers to collect your customers' logins. Most online banks in the Pacific Islands have a simple login mechanism. It is child's play for a key logger.
- Do not leave your customers uninformed of unusual activity. Keep track of who is logging in and when, and alert the customer of unusual activity: last login from a different place, last transaction out of the ordinary, e-mail for items ordered, ...
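One way to implement the "alert the customer of unusual activity" item above, as an added example rather than the advisory's own code: keep a per-customer record of the places a login has come from, and raise a louder alert when a never-seen place appears within a day of the previous login. The login records and the 24-hour threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login records (customer, time, place) for two customers; not real data.
LOGINS = [
    ("alice", "2008-08-01 09:12", "Suva"),
    ("alice", "2008-08-02 09:05", "Suva"),
    ("alice", "2008-08-02 23:48", "Kyiv"),   # never seen before, hours after the usual login
    ("bob",   "2008-08-01 14:00", "Apia"),
    ("bob",   "2008-08-03 14:30", "Apia"),
]

# Assumption: a new place less than a day after the previous login is flagged as urgent.
RAPID_HOURS = 24


def unusual_logins(records):
    """Return one alert per login from a place the customer has never logged in from.
    The first login of each customer only sets the baseline and never alerts."""
    places = defaultdict(set)   # customer -> every place seen so far
    last_seen = {}              # customer -> (datetime, place) of the previous login
    alerts = []
    for customer, when, place in sorted(records, key=lambda r: r[1]):
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M")
        if places[customer] and place not in places[customer]:
            prev_ts, prev_place = last_seen[customer]
            gap = (ts - prev_ts).total_seconds() / 3600
            level = "URGENT" if gap < RAPID_HOURS else "notice"
            alerts.append("%s %s: login from %s at %s, %.1f h after login from %s"
                          % (level, customer, place, when, gap, prev_place))
        places[customer].add(place)
        last_seen[customer] = (ts, place)
    return alerts


if __name__ == "__main__":
    for line in unusual_logins(LOGINS):
        print(line)
```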
Social Engineering
What is it?
Social engineering is the art of gaining people's trust so that they reveal information. Phishing is one of the techniques: you receive an e-mail that seems genuine and you feel compelled to respond to it. It could also take the form of a phone call from your bank that needs to identify you by your secure code before revealing important information, or a call from your ICT department that needs your login to be able to install a new antivirus on your computer.
In general, any information that is linked to you and gives you access to services should not be communicated to any third person, even to the entity that gave you this information. The major security risk a company faces is its own employees, because they have knowledge of procedures and systems. You would not give your credit card number and PIN code to your bank: if they are your bank, they have it already. If it is an employee of the bank, either he has privileges to access this information, or he is not authorised for good reasons.
Another case of social engineering is to get you to perform certain actions: shut down computers and services, forward money to another account. Some e-mails invite you to work from home for little effort, where your job will mainly be to forward money you receive, in effect laundering it. Ensure that any action you take is legal; even if you are duped, you will still be liable for your actions.
Here is an example of such a work-from-home e-mail. Look at the links, and at how 'remove me' is spelled to avoid detection by anti-spam engines.
franck I'm making a special offer for new members only! "Rated the #1 New 'Work at Home' Job Opportunity for 2008" Visit: http://shmyl.com/dgqqson YOU CAN MAKE $200 - $1000+ A DAY How you can help us? Spread The Word! Shirley B. Jackson 40 Henry Moss Court Parham SA 5501 ------ Cannot attend please "remo! ve me" send it to d0.n0t.reply.this.letter@gmail.com Shirley B. Jackson www.collegefund.org
Apply the cooling period
Never rush into doing things; take a breath on the phone, or before answering an e-mail. Speak to a friend about what you have received. Do another activity for 5 minutes and re-read the e-mail. If someone rushes you into giving information on the phone, do not! Take their contact details to call back, and check via the phone book or the Internet that these contact details correspond to what is publicly advertised. Call back, or respond to the person, via the public and published phone numbers or e-mails. This will ensure the person is really calling from the organisation he claims to belong to.
Another tip is to pick a few unique sentences from the e-mail and do an Internet search. You are not likely to be the first one to receive this type of e-mail, so it will show up quickly on the Internet with some advice. In doubt, seek assistance from an ICT specialist.
Report to your bank, report to the police
It is important to report Internet fraud where there has been loss of money, or actual identity theft, to your bank or to the Police. If the fraud happened on your bank account, report it to your bank; they will advise you what to do and very often pay you back this money. Reporting also serves to establish the extent of the problem in each country so that appropriate measures can be taken. By knowing the cases, better protection can be implemented.
Conclusion
Thank you for taking the time to carefully read this message. Awareness is the best weapon we can use to fight these kinds of fraud.
Contributors to this page: Franck and dmcgarry.
Page last modified on Thursday 14 of August, 2008 18:09:40 PDT by Franck