

Huw Collingbourne is the direct descendant of Count Hugo von Collingbourne, whose circus of trained vampire fleas entertained the Crowned Heads of Europe.

July 2004

This month Huw Collingbourne has intimate contact with the International Criminal Fraternity and is nearly conned out of the Collingbourne millions… This column first appeared in PC Plus issue 218.

 

Today I received a worrying message from eBay notifying me that my account could be suspended unless I logged in at once. This was due to a security issue which was explained thus:

“Per the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.”

Fortunately, I was told, all this hassle could be avoided with almost no effort on my behalf. All I needed to do was to login by entering all my user information and password. The email message thoughtfully provided a form for me to do this. One click of the button and my details would be sent back to eBay. Or would they? Call me suspicious but I am always wary of being taken for a sucker. First thing I did was check the origin of the email. It purported to come from aw-confirm@eBay.com, which certainly looks tickety-boo. The body of the message contains a typical yellow eBay style graphic and logo, which once again adds to the appearance of authenticity.


Is this a PayPal page or isn’t it? When it asked for my PIN number I started to get suspicious.

GONE PHISHING

Ultimately, the only way to verify whether or not this is legitimate is to take a look at the HTML source code of the message. Unfortunately, I received this on AOL and there is no simple ‘View Source’ option on the AOL system. I therefore saved the email message to disk and opened the source using the Windows Notepad. I now searched for web addresses, beginning with ‘http://’. It turns out that there are a few real eBay addresses. These reference eBay graphics and various Help pages. However, the only really important address is the one to which any data I enter is sent when the button is clicked. That is, the address that follows the code ‘FORM action=’. This, surprise, surprise! is not an eBay address at all. The email address to which my data is sent (the part that follows ‘value=’ in a section of code starting with ‘INPUT’) is a private individual’s address on yahoo.com. So it looks as though, had I entered my private data and clicked the button, this individual would have gained all the information necessary to access my account on eBay.

In fact, there are a couple of other clues to the fraudulent nature of this message. First of all, the fraudster refers me to section 9 of the eBay User Agreement. When I checked this, I found that this section in the UK User Agreement has nothing to do with suspension of membership. Only in the US User Agreement does section 9 discuss security.

But the real give-away of this scam is quite simply that eBay does not send emails to people asking for their passwords or any other sensitive information. Nor does AOL, Amazon, your bank or any other reputable company. Email is inherently insecure. If you hunt around in the eBay help system – and unfortunately, this information is far from prominently displayed – you will eventually find this advice: “Some members have reported attempts to gain access to their personal information through email solicitations that are made to appear as having come from eBay. These solicitations will often contain links to web pages that will request that you sign-in and submit information. At eBay, we identify these as 'spoofed' emails or websites. Remember, eBay employees will never ask you for your password.”

The email I’d received was part of a so-called ‘phishing’ scam. The term ‘phishing’ describes emails or web sites which fraudulently purport to represent some reputable organisation. The fraudsters behind these scams attempt to ‘fish’ for your personal details in much the same way that ‘phone phreakers’ used to break into telephone systems to make fraudulent long-distance calls in the days before email was commonplace. For more information on email scams aimed at users of eBay, PayPal and a variety of banks, refer to the Millersmiles spoof alerts (www.millersmiles.co.uk).

WEB OF DECEIT

I had thought that the eBay phishing scam to which I’d been subjected was pretty convincing. But by comparison with another scam which arrived in my in-box a few days later, it was really quite crude. Indeed, this second scam was so convincing that I very, very nearly fell for it. This one purported to come from PayPal. It informed me that there was reason to believe that my PayPal account might have been accessed by an unauthorized third party. “Protecting the security of your account and of the PayPal network is our primary concern,” it said. For that reason, it wanted me to re-enter my security details. As with the fake eBay email, this one contained authentic PayPal graphics. It also contained a text link to a secure page at https://www.paypal.com. Now, as we all know, secure login sites always begin with https:// rather than plain http:// so all looked well and good. When I clicked the link in the email, my browser opened on a convincing PayPal login page with https://www.paypal.com displayed in the address bar. So far as I could see, everything was above board.

It was only when I got to the page in which I was prompted to enter my details that things started to look really suspicious. I mean, did PayPal really need to know the PIN number of my credit card? I really don’t recall being asked for that number before. Then again, people are asking for more and more information these days. Nobody used to ask for the three numbers on the back of my credit card but now that is quite normal. So, who knows, maybe PIN numbers are the latest thing…?

No, no, no! Don’t fall for it! PayPal does not ask for your PIN number. Nobody but you should ever need to know your PIN number. Nor does PayPal send emails with direct links to secure pages. A closer look at the email message reveals what is really going on. The text link may state https://www.paypal.com but the actual link, which is invisibly coded beneath this, directs you to quite a different address at a site in Korea.
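The two checks described in this column (look at the ‘FORM action=’ and hidden ‘INPUT value=’ in the message source, and compare a link’s visible text with the address actually coded beneath it) can be automated. The script below is an added example, not code from the column or from eBay or PayPal; it parses a constructed sample email whose domains are illustrative placeholders, and reports the tell-tales a reader would otherwise have to hunt for in Notepad.

```python
"""Report the phishing tell-tales described above in the HTML of an email:
a <form action=...> that does not point at the claimed sender's site, a hidden
input that carries an email address (where the form really delivers to), and a
link whose visible text is a URL that differs from its real href."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: it claims to come from example.com
# but posts the form elsewhere and hides a different href behind a plausible
# link text. 203.0.113.10 is a documentation address, not a real site.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="http://pics.example.com/logo.gif">
<p>See our <a href="http://pages.example.com/help/">Help pages</a>.</p>
<form action="http://login-verify.example.net/collect.php" method="post">
  <input type="hidden" name="recipient" value="someone@mail.example.org">
  <input name="user"> <input name="pass" type="password">
  <input type="submit" value="Sign in">
</form>
<p>Or go to <a href="http://203.0.113.10/login/">https://www.example.com</a></p>
</body></html>
"""


def registrable_part(host):
    """Crude 'site' name: the last two labels of the host (example.com), or the
    whole host for a bare IP address. Enough for a tell-tale check; it is not a
    public-suffix lookup."""
    if not host:
        return ""
    labels = host.lower().split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:])


class EmailLinkAuditor(HTMLParser):
    """Collect form actions, hidden email-address fields and (href, text) pairs."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.hidden_recipients = []
        self.links = []           # (href, visible text)
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # html.parser lowercases tag and attribute names
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "hidden" \
                and "@" in (a.get("value") or ""):
            self.hidden_recipients.append(a["value"])
        elif tag == "a" and a.get("href"):
            self._current_href = a["href"]
            self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._current_text).strip()))
            self._current_href = None


def audit_email(html, claimed_domain):
    """Return a list of findings; an empty list means none of the tell-tales was seen."""
    p = EmailLinkAuditor()
    p.feed(html)
    p.close()
    claimed = registrable_part(claimed_domain)
    findings = []
    for action in p.form_actions:
        site = registrable_part(urlparse(action).hostname)
        if site != claimed:
            findings.append(f"form posts to {site!r}, not {claimed!r}")
    for addr in p.hidden_recipients:
        findings.append(f"hidden field carries an email address: {addr}")
    for href, text in p.links:
        # Only links whose visible text *looks like* a URL can lie about where they go.
        if text.lower().startswith(("http://", "https://")):
            shown = registrable_part(urlparse(text).hostname)
            real = registrable_part(urlparse(href).hostname)
            if shown != real:
                findings.append(f"link text says {shown!r} but goes to {real!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL_HTML, "example.com"):
        print("SUSPICIOUS:", finding)
```

Run it against a saved message (the column’s own method was to save the mail and read it in Notepad) by passing the file contents and the domain the email claims to come from. The check deliberately ignores links whose text is an ordinary word, since those can point anywhere honestly; it is the URL-shaped text that must match its href.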


The fraudulent PayPal site displays a fake address bar. Here I’ve also displayed the real address bar, which shows a URL in Korea!

But what about the login page with the https:// url in its address bar? As long as I end up at the genuine PayPal site all is well, surely. Nope, the address is another fake. Some code in the web page hides the real address bar and displays a phoney one in its place. The only real giveaway is that the status bar at the bottom of the browser does not display the lock symbol that indicates a secure site. But no doubt some other phisher will add a fake lock in the next scam to come my way.

In brief, don’t believe anything you see in your web browser. If that browser has been displayed as a result of following an email link, the page you arrive at could be almost anywhere. Only ever log onto a secure site by entering its address yourself. Email scams are getting more and more deceptive. I was nearly fooled. Make sure you aren’t.


FREE FOR ALL

If you spend a fortune on books, save some money by downloading some for free....

I never cease to be amazed at the quality of books that can be downloaded freely from the Internet. Many of these are out-of-print and out-of-copyright works which have been converted to PDF by dedicated enthusiasts. For example, many serious artists will tell you that some of the best books on figure drawing are those written by Andrew Loomis in the 1930s. While they are no longer in print, they are freely available in PDF format at www.pinwire.com.

Drawing is just one of my leisure activities. Another is learning languages. While I have a smattering of several modern languages I have, until recently, had no knowledge at all of Latin. Embarrassed by my inability to tell my ipso from my facto and my prima from my facie, I finally decided to do battle with all those gerunds, conjugations and declensions which my dear old teachers of long ago rather neglectfully forgot to teach me (a Classical Education being something which was not much in evidence at my alma mater in the depths of the Rhondda valleys).


Would-be Classical scholars are well served by the Textkit site which provides some excellent eBooks for students of Latin and Greek.

I have previously mentioned in this column the truly excellent Cambridge Latin web site (www.cambridgescp.com) which I recommend to all Latin learners. I have since discovered some other fine resources, notable among which are a handy downloadable Lexicon (cheiron.humanities.mcmaster.ca/~barrette/latin/lexicon.html) and a fine collection of out-of-copyright Latin and Greek tutorials and grammars (www.textkit.com). All of which are mightily impressive, considering the decline in classical studies.

I have also recently embarked on a study of the Chinese language and I am currently reading the English translation of that greatest of Chinese epics, The Romance of The Three Kingdoms. This may be better known to some readers as the inspiration for several popular role playing games. Not only is the entire English text of this work online (www.threekingdoms.com) but so too are several respected books on the period by the historian, Rafe de Crespigny (www.anu.edu.au/asianstudies/decrespigny). If anyone tries to tell you that there’s nowt but rubbish on the Web, I suggest you direct them to some of these sites.


Going Further

If you are seriously hunting for books on the web, take a look at the excellent Blackmask site (www.blackmask.com). This has books ranging from David Copperfield to The Insidious Dr Fu Manchu. The University of Virginia is another great site for eBooks (etext.lib.virginia.edu). These include numerous English language and translated classics from Aesop to Oscar Wilde. For legends, mythology, esoteric and religious works, try the Sacred Text Archive (www.sacred-texts.com). And if you still can’t find what you are looking for, the EBooks4Free links site (www.ebooks4free.net) may be able to guide you to the right place.

 


Copyright © 2009 Dark Neon Ltd. Not to be reproduced without permission.

