Beware of Spoofing and Phishing

March 2005

I’ve been falsely accused! I received this e-mail from a colleague: “Even YOU get caught sometimes in the virus web! But don't worry, I didn't open it, because you just aren't a ‘hi’ kind of person, and neither am I. This does drive me crazy, though! I've already deleted it.”

The nerve! Accusing me of sending a virus. Well, I supposed it could be possible, but it seemed unlikely. So I checked the particular virus that she had received: W32/Netsky.d@MM. According to the authoritative information online, this virus doesn’t affect Macintoshes. And I use a Mac. Couldn’t have been me.

I didn’t get caught up in the “virus web” after all. I sent an e-mail back saying, “The nerve of you, accusing me of sending you a virus. Even YOU can be duped by heinous jerks . . . ”

No, I didn’t say that. I graciously thanked her for alerting me. And I explained about a practice called “spoofing.” Viruses or worms typically not only send themselves to every e-mail address in the address book of someone whose computer is infected, but also will often use one of those addresses to appear as the sender.

And why do virus writers do this? Probably to conceal whose computer the virus is coming from in order to make it harder to trace the problem.

Lesson #1: Don’t assume that the sender of an e-mail is the one listed in the “From” field.

There is a virus going around now that not only uses spoofing but also the content of an e-mail that you’ve sent someone. Let’s say Joe gets this virus on his computer. It replies to every e-mail message in his Inbox, and includes itself in the reply. You get the reply from Joe in response to an e-mail you’ve sent him, and when you see the familiar subject line, etc., you naturally assume it’s legitimate.

Another insidious spoof is when you receive an e-mail that appears to be from your system administrator. One such instance involved an e-mail that asked users to change their password to a new password provided in the message. Of course, the scoundrels behind the ruse were simply trying to break into people’s accounts.

Spammers also use spoofing, as you’ve surely noticed. You’ve likely received spam that actually has your own address as the sender. Because my e-mail address is so very available on the Internet, lots of spam goes out in my name. Once I received scores of bounced messages from Asia because a spammer had used my e-mail address to send thousands of messages. And those that went to accounts that weren’t valid ended up bouncing back to my e-mail.

Which brings us to the topic of “phishing.” No it doesn’t, but I couldn’t think of a transition. Let’s talk about phishing.

Phishing is similar to spoofing and seems to be getting worse by the day. Here’s the scam: you receive a very official-looking e-mail from eBay or PayPal or your bank saying that there’s a problem with your account and asking you to click on a link to verify your information. Someone I know received such a message and entered in every last bit of personal data: credit card number, Social Security Number, mother’s maiden name, password — everything.

The problem is that the e-mail isn’t originating from one of these companies but is coming from a thief wanting to steal your personal information. I get a number of these every day.

Lesson #2: Whenever you get an e-mail message saying there’s a problem with your account or your account needs to be updated, DON’T click on the link in the e-mail. It will take you to a phony site. Simply go to eBay or PayPal or your bank and log in the way you ordinarily would. If there’s a problem with your account, you will be notified at that point.
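As an added illustration of Lessons #1 and #2 (example code written for this page, not from the original column), here is a small Python check that compares where a message’s links actually point against the sender’s domain, and also flags a message that lists your own address as its sender. The sample message, addresses and hosts are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the "problem with your account" e-mail
# described above. All addresses and hosts are made-up placeholders.
SAMPLE_PHISH = """\
From: PayPal Service <service@paypal.example>
To: jim@karpen.example
Subject: Problem with your account
Content-Type: text/html

<p>Please <a href="http://paypal.example.account-verify.invalid/login">click here</a>
to update your information.</p>
<p>Questions? Visit <a href="https://www.paypal.example/help">our help page</a>.</p>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def address_of(header):
    """Return the bare, lower-cased address from a header like 'Name <user@host>'."""
    return parseaddr(str(header or ""))[1].lower()


def link_hosts(html):
    """Return the hosts the message's links really point to (Lesson #2)."""
    hosts = [urlparse(h).hostname for h in HREF_RE.findall(html)]
    return [h.lower() for h in hosts if h]


def check_message(raw):
    """Turn the two lessons into mechanical checks and report the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender, recipient = address_of(msg["From"]), address_of(msg["To"])
    from_domain = sender.rpartition("@")[2]
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    # A link is "ours" only if its host is the sender's domain or a subdomain of it.
    foreign = [h for h in link_hosts(html)
               if not (h == from_domain or h.endswith("." + from_domain))]
    return {
        "from_domain": from_domain,
        "foreign_link_hosts": foreign,          # Lesson #2: phony destinations
        "self_addressed": bool(sender) and sender == recipient,  # Lesson #1
    }
```

A message with any `foreign_link_hosts` is exactly the case Lesson #2 describes: the visible text says one company, the link goes somewhere else.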

I hope I haven’t scared you. It’s a dangerous Net out there. But I think that we’re all starting to develop a natural sense of wariness that will serve us well, as with my colleague who immediately recognized that I’m “not a ‘hi’ kind of person.”

One of the best resources for keeping on top of this is Scambusters.com. They also have a weekly e-mail newsletter that alerts you to the latest scams.

OK, now you know all about spoofing. Don’t be accusing me of sending you a virus.

© 2005 by Jim Karpen, Ph.D

E-mail Jim Karpen