137. Tips to avoid spear-phishers
By Andrew D. Wright
Spear-phishing brings to mind images of sun-soaked Pacific Islanders
catching their breakfast, but it's really just a new twist to an old
con-job.
A popular con artist ploy is to assume some sort of authority over the
prospective victim. Your bank needs you to sign on to a "system upgrade"
site to register your PIN; a parcel carrier says you need to download
something from their website before you can get your tracking number.
They sound like they know what they're talking about, so you do what they
want.
Spear-phishing is phishing email tailored to a specific group, or even to
one person. Lawyers get things that look like contracts, small businesses
get fake delivery notices, and sometimes the message even addresses you by
name.
Here are some rules of thumb to avoid getting tricked.
In email, the words of a link and the address it actually goes to are two
different things, so don't trust what you see. Hold your mouse over the
link without clicking; email programs show the real destination at the
bottom of the email window.
Real organizations never ask you to give them private information over
email. While you are holding the mouse over a link in an email, look at
where it really goes. Real organizations don't send from anonymous mail
accounts like hotmail.com, yahoo.anything, gmail.com or live.com, and the
From: address can be forged anyway, so a familiar sender proves little on
its own. If the last bit of a domain name like http://example.ru/ is two
letters, it's a country code: .ca is Canada, and faraway .cn (China) or
.ru (Russia) addresses are unlikely to be your local bank. Read the
address from the right, because the part just before that ending is what
counts: a link to example.ca.somethingelse.ru goes to somethingelse.ru,
not to example.ca, no matter what appears earlier in the name.
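The link and address checks above can be applied mechanically. The script below is an added example written for this page, not code from the column or from Chebucto Community Net; it collects every link in the HTML body of a message and flags the three things the column says to look at: visible text that names one site while the link goes to another, a sender at a free webmail provider, and a foreign two-letter country code. The sender, the message body, the bank's domain example.ca, the reader's country code and the list of webmail domains are all constructed for the example, and reading the "real" domain as the last two labels of a host name is a simplification (a thorough checker uses the Public Suffix List).

```python
"""Link and address checks for a suspicious email (added example).

Assumptions, all made up for this example: the reader's bank is example.ca,
the reader lives in Canada (.ca), and FREE_MAIL lists the webmail domains
the column mentions. The domain rule uses the last two labels of a host;
a real checker would use the Public Suffix List instead."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

FREE_MAIL = {"hotmail.com", "gmail.com", "live.com", "yahoo.com", "yahoo.ca"}
HOME_CC = "ca"  # assumed: the reader's own country code
# something that looks like a host name inside the visible link text
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body of a message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """bank.example.ru -> example.ru (simplified; see module docstring)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(address):
    """Flag a From: address at a free webmail provider."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ["sender uses free webmail domain " + domain] if domain in FREE_MAIL else []


def check_link(href, text, trusted_domain):
    """Return the reasons a link is suspicious (empty list if none)."""
    reasons = []
    host = (urlsplit(href).hostname or "").lower()
    if not host:
        return reasons
    real = registrable_domain(host)
    # 1. the visible text names one site but the link goes to another
    m = HOST_RE.search(text)
    if m and registrable_domain(m.group(1)) != real:
        reasons.append("text says %s but link goes to %s" % (m.group(1), host))
    # 2. a two-letter ending is a country code; a foreign one is unlikely to be your bank
    tld = host.rsplit(".", 1)[-1]
    if len(tld) == 2 and tld != HOME_CC:
        reasons.append("foreign country code ." + tld)
    # 3. the bank's name appears only as a subdomain of some other domain
    brand = trusted_domain.split(".")[0]
    if real != trusted_domain and brand in host.split("."):
        reasons.append("%s is not %s; the real domain is %s" % (host, trusted_domain, real))
    return reasons


def analyse(sender, html_body, trusted_domain):
    """Run every check over one message and return the list of findings."""
    findings = check_sender(sender)
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        for reason in check_link(href, text, trusted_domain):
            findings.append("%s: %s" % (href, reason))
    return findings


# Constructed sample message, not a real one.
SAMPLE_SENDER = "security-team@hotmail.com"
SAMPLE_BODY = """
<p>Your account was upgraded. Please <a href="http://example.ca.login-check.ru/pin">
sign on at https://www.example.ca/</a> to register your PIN.</p>
<p>Questions? See <a href="https://www.example.ca/contact">our contact page</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_SENDER, SAMPLE_BODY, "example.ca"):
        print("SUSPICIOUS:", finding)
```

Run as-is it reports four things about the sample: the webmail sender, and three separate problems with the first link (its text says www.example.ca while it goes to example.ca.login-check.ru, it ends in .ru, and "example" is only a subdomain of login-check.ru). The second link, which really goes to example.ca, passes every check, which is the point: the tests single out the forged link rather than everything in the message.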
On a website, the aim is either to talk you into downloading something
that causes you grief, or to use a known flaw in an old, unpatched web
browser to install it silently. Rule of thumb: anything on your computer
that talks to the Internet has to be the current version with its security
fixes applied. Around two thirds of computer users are running unsafe
older versions of their web browsers, for example.
Update Internet Explorer with Windows Update in Control Panel. Other
software like Mozilla Firefox has a "Check for Updates" item on the Help
menu.
If you are supposed to run some program, check the Publisher shown before
you let it install. A digitally signed program can be tied to its real
source because any change to the file after signing breaks the signature,
and the publisher had to prove its identity to get a code signing
certificate. Some real software isn't signed, so this rule has exceptions,
but a valid signature does tell you the program came unchanged from the
name it carries. It does not tell you the program is safe, so check that
the name is the one you expect; "Unknown Publisher" means the signature
is missing or didn't check out.
Never trust the contact information in any email that
you are not sure about. Don't believe any phone numbers in the email.
Contact the organization directly by phone using a number you looked up in
the phone book. Email addresses and web page links can be forged to look
like they are going to places they are not. Check the organization's real
web site, don't get to it from clicking on any links in the suspicious
email.
The trend is for more specific targeting of individual people so keep
these tips in mind next time you get an email wanting you to do something.
Always be suspicious of any email that for any reason wants you to give
them a password, credit card or any other private information or visit an
unfamiliar web address that doesn't seem to be correct for what it says it
is.
Look up web domains:
http://samspade.org
List of Internet address country codes:
http://ftp.ics.uci.edu/pub/websoft/wwwstat/country-codes.txt
RCMP latest scams page:
http://www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email mousepad@chebucto.ns.ca. If we use your question in a
column, we'll send you a free mousepad.
Originally published 29 August 2008