
Scam E-mails Are Full of Traps

Goodbye, Cash -- And More …

Online scams are not only becoming more sophisticated -- they're becoming increasingly sinister, too, as scammers steal not just your money but your very identity.
A few weeks ago I talked about the dangers of "phishing" e-mails (Look Out! It's a Scam) that fool you into thinking that they are from your bank or from a transaction-oriented Web site like eBay Inc., then lure you to a Web site where they get you to give away your private data, such as passwords and log-on profiles. I wish I could say that things have improved since I wrote that. Sadly they haven't.

The Anti-Phishing Working Group, an industry body set up a few months ago, reported 176 new unique phishing attacks in January, a 52% increase over December. In the time it's taken me to write this column I've received nine phishing e-mails, all of them good enough to keep me guessing about whether they're legit or not.

And now there's something new to worry about: viruses that take a short-cut through this process by insinuating their way into your computer, then recording all your keystrokes when you type in passwords to access Web sites such as your Internet bank account. So far, there are not too many of these viruses -- or more accurately, Trojans -- but expect to see more of them: Asian and Australian banks seem to be a particularly popular target.

These Trojans work like this: You receive an e-mail that could appear to be anything, from a letter suggesting you have received some Valentine e-greetings to one from a mysterious "friend" who tells you your name has been mentioned in a police investigation. Whatever the method, the e-mail will then persuade you to visit a Web site, which looks harmless but will in fact quietly load the Trojan virus into your computer. The software will then wait until you try to access your bank account, then swipe your passwords and mail them to someone, possibly in Russia, which is where security experts suspect many of these Trojans originate. The Anti-Phishing Working Group saw only one of these attacks in December. In January there were five. No figures are available for this month, but it shows no sign of getting better. "Unequivocally, it's going to get worse," says Doreen Pooler, antifraud product manager for MailFrontier, a California-based security company. "The combination of the monetary incentive is now coupled with the power-rush thrill associated with hacking."

Take, for example, U.S.-based student Aman Gupta, who received an e-mail the day after Valentine's Day informing him he had been sent an e-card by someone at 123greetings.com. (An e-card is the on-line equivalent of a greeting card; the recipient will usually receive it via e-mail containing a link to a Web page where he or she can view the all-singing, all-dancing greetings.) Mr. Gupta writes on his Web site: "The e-mail looked a little bit suspicious … However, being the lonely geek I am, I clicked on the link hoping that I had a secret admirer who had e-mailed me a card for Valentines Day …"

Mr. Gupta was lucky: He wasn't using Microsoft's Internet Explorer browser. If he had been, a whole lot of sleazy things would have gone on with his computer, all of them designed to log whatever he typed into his computer when he accessed certain Web sites. These Web sites are mostly banks, including ones in Hong Kong, Japan, Malaysia, Spain, Thailand, the Netherlands, Italy, Ireland, the U.S., Britain, Singapore, Australia and France. The Trojan will capture the relevant keystrokes -- passwords, etc. -- and then e-mail them to a Web site somewhere.

Mr. Gupta's tale reveals how complex and tricky these Trojans are. Phishing e-mails are becoming more and more sophisticated, both in terms of how they try to trick you into doing what they want -- what's called social engineering -- and in what they do once you've fallen for them. No longer are phishing e-mails just pretending to be from your bank or on-line payment company, PayPal. Some recent Australian e-mails appeared to be from a friend informing the recipient that their name had been mentioned in a police investigation. Clever: Who wouldn't want to find out more, by clicking on the Web site conveniently given in the e-mail?

But what are the people behind these scams after, exactly? A few weeks back the answer would have been simple: Your money. That's not good news, of course, but at least there's a limit to what they can take, and, chances are, your bank will make sure you see your money again. But more recent phishing scams have gone further: A very believable e-mail that purports to come from PayPal -- recently purchased by the Internet's largest auction house eBay -- tries to get you to hand over not only your name and account details but your entire identity, including your address, credit-card details, Social Security Number, ATM card PIN, your mother's maiden name, your date of birth and driver's license number.

As Daniel McNamara, an Australian who has tracked most of the main phishing scams, says: "This goes beyond the standard 'wanting to access your money' phishing scam. The information gained from this would allow the phishers to totally assume the identity of their victims and use it for other frauds."

What to do? If you think your computer may contain a keylogger, don't waste time. Download SpyCop ($50 or more) from www.spycop.com and run a sweep of your computer. Then, if you're sure you're in the clear, be very careful about any e-mail you receive that you're less than certain about. Remember, Trojans can get into your computer just by visiting a Web site, so think hard before you click on any link in an e-mail. That click could take you to a Web site that may look empty, but is probably loading some nefarious code onto your computer.

If you're not 100% sure about anything, whether it's a greeting card, an e-mail from your bank, or even a Web site link from someone you don't recognize, don't click on anything. Even, I'm sorry to say, a Valentine card.

A few weeks ago I talked about the dangers of "phishing" e-mails (see Look Out! It's a Scam). These e-mails usually make you believe they come from your bank or from an electronic-transaction site such as eBay Inc., then lure you to a Web site where you are tricked into giving away private information such as passwords and log-on details. The tricks keep changing; I wish I could cover them all in this column, but unfortunately that is hard to do.

The Anti-Phishing Working Group is an industry anti-phishing body set up a few months ago. According to the group, 176 new phishing cases appeared in January, a 52% increase over December. Before I had even decided to write this column I had received nine phishing e-mails, all of them disguised well enough to keep me guessing whether they were legitimate.

Now a new worry has arisen: some viruses take a short-cut through this process, sneaking their way into your computer and then recording the keys you press when you type the password for your online bank account. So far there are not many of these viruses (or, more precisely, Trojans), but expect many more to appear; banks in Asia and Australia seem to be particularly common targets.

These Trojans work like this: you first receive an e-mail that can take any form, perhaps telling you that you have received a Valentine e-card, or coming from a mysterious "friend" who tells you that your name has come up in a police investigation. Whatever the form, the e-mail eventually persuades you to visit a Web site. This looks harmless, but in fact it quietly downloads the Trojan onto your computer. The program lies dormant until you try to log on to your bank account, then records your password and e-mails it to someone, perhaps far away in Russia; security experts suspect most of these Trojans originate there. The Anti-Phishing Working Group recorded only one such attack in December, but five in January. February's figures are not yet in, but there is no sign of improvement. Doreen Pooler, anti-fraud product manager at MailFrontier, a California-based network security company, says that without doubt the situation will get worse: the monetary incentive, coupled with the thrill associated with hacking, has become the reason phishing is spreading.

Take the case of U.S. student Aman Gupta. The day after Valentine's Day he received an e-mail telling him someone had sent him an e-card, to be picked up at 123greetings.com. (An e-card is a greeting card collected online; the recipient usually receives an e-mail containing a link, and clicking through to the linked page shows the card, complete with sound and animation.) Gupta wrote on his own Web site: "The e-mail looked a bit suspicious, but being the lonely person I am, I clicked on the link in it, hoping someone secretly admired me and had sent me a Valentine's card."

Gupta was lucky, because he was not using Microsoft's Internet Explorer browser. Had he been, a whole heap of malicious code would have seeped into his computer, all of it designed to record the keys he pressed when logging on to certain Web sites. Most of these sites are banks, including banks in Hong Kong, Japan, Malaysia, Spain, Thailand, the Netherlands, Italy, Ireland, the U.S., Britain, Singapore, Australia and France. All the relevant keystrokes, passwords and the like, are recorded by the program and sent by e-mail to a Web site somewhere else.

Gupta's experience shows how complex and sinister these Trojans are. Phishing e-mails are becoming ever more cunning, not only in how they entice you to do what they want (what is called social engineering), but also in what they do to you once you have fallen for them. Phishing e-mails no longer merely pretend to come from a bank or from the online payment company PayPal. Recently, some Australian e-mails pretended to come from a friend, telling the recipient that his name had appeared in a case the police were investigating. Clever: who wouldn't want to find out more by clicking the link conveniently placed at the end of the e-mail?

But what exactly do the people behind these scams want? A few weeks ago the answer would have been obvious: your money. That is not good news, of course, but at least it means there is a limit to what they can take from you, and the likely outcome is that your bank will make sure you get your money back. Some recent phishing e-mails go much further, though: a highly believable e-mail claiming to come from PayPal (recently bought by the largest Internet auction house, eBay) asks you not only to submit your name and bank account details but to hand over your entire identity, including your address, credit-card details, Social Security number, ATM PIN, your mother's maiden name, your date of birth and your driver's license number.


As Daniel McNamara puts it, this scam goes beyond the standard "I want your money" type of phishing e-mail. The information obtained through these e-mails would let the scammers completely assume the victim's identity and use it for other frauds. McNamara is an Australian who has recently tracked most of the major phishing activity.

What can you do? If you think your computer may already be infected with one of these programs, don't waste time: go to www.spycop.com, download SpyCop (about $50 or more) and scan your computer. If you are sure the computer is clean, then from now on be wary of any e-mail you are not certain about. Remember, merely visiting a page can let a Trojan into your computer, so think twice before clicking on any link in an e-mail. After clicking a link that carries the virus, you appear to land on an empty Web site, but in fact malicious code is being downloaded onto your computer.

If you are not one hundred percent sure about an e-mail, whether it is a greeting card, an e-mail from your bank or a link sent by someone you don't know, don't click on it. I am sorry to say that even a Valentine's card is off limits.