<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; phishing</title>
	<atom:link href="http://krebsonsecurity.com/tag/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>After Epsilon: Avoiding Phishing Scams &amp; Malware</title>
		<link>http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/</link>
		<comments>http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/#comments</comments>
		<pubDate>Wed, 06 Apr 2011 12:58:22 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[email headers]]></category>
		<category><![CDATA[Epsilon]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=9055</guid>
		<description><![CDATA[The recent massive data leak from email services provider Epsilon means that it is likely that many consumers will be exposed to an unusually high number of email-based scams in the coming weeks and months. So this is an excellent time to point out some useful resources and tips that can help readers defend against [...]]]></description>
			<content:encoded><![CDATA[
<p>The <a href="http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/" target="_blank">recent massive data leak </a>from email services provider <strong>Epsilon</strong> means that it is likely that many consumers will be exposed to an unusually high number of email-based scams in the coming weeks and months. So this is an excellent time to point out some useful resources and tips that can help readers defend against phishing attacks and other nastygrams.</p>
<p><strong><a href="http://krebsonsecurity.com/wp-content/uploads/2011/04/emailsec.jpg"><img class="alignright size-medium wp-image-9078" title="emailsec" src="http://krebsonsecurity.com/wp-content/uploads/2011/04/emailsec-300x225.jpg" alt="" width="300" height="225" /></a>Don&#8217;t take the bait: </strong>Many people are familiar with the traditional phishing attack, which arrives in an email that appears to have been sent from your bank or ISP, warning that your account will be suspended unless you take some action immediately, usually clicking a link and &#8220;verifying&#8221; your account information, user name, password, etc. at a fake site. Commercial emails that emphasize urgency should always be considered extremely suspect, and under no circumstances should you do anything suggested in the email. Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment (most phishing scams are hosted on hacked, legitimate Web sites). If you&#8217;re really concerned, pick up the phone (gasp!) and call the company to find out if there really is anything for you to be concerned about, using the number printed on your card or statement rather than one supplied in the email.</p>
<p><strong>Links Lie</strong>: You&#8217;re a sucker if you take links at face value. For example, this might look like a link to <a href="http://bankofamerica.com.someotherpagethatsnotbankofamericacombut.youprobablywouldntbeabletotellthatunlessyoucutandpastedthelinksomewhereandreadfromtherighttotheleftfromthefirstslashafterhttpslash.slashandthengo.backwardsfromtheretothesecond.dot/" target="_blank">Bank of America</a>, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window. Yet even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser&#8217;s ability to show the entire thing when you hover over the link. The most important part of a link is the &#8220;root&#8221; domain. To find that, look for the first slash (/) after the &#8220;http://&#8221; part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you. (Two caveats: country-specific suffixes such as .co.uk use up two of those dots, so you need to count back one more, and anything between &#8220;http://&#8221; and an &#8220;@&#8221; sign is not part of the domain at all; only what follows the &#8220;@&#8221; is.) Want to learn more cool stuff about links? Check out <a title="Screw Phishers and Learn How to Identify Phishing Links!" href="http://www.bustspammers.com/phishing_links.html" target="_blank">this guy&#8217;s site</a> and you&#8217;ll be a link ninja in no time.</p>
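<p>To make the &#8220;find the root domain&#8221; rule mechanical, here is a small Python helper, added as an example for this post rather than code from the original. It leans on Python&#8217;s own URL parser, which already discards a fake &#8220;bank.com@&#8221; prefix and any &#8220;:port&#8221; suffix, and then counts back from the right the way the rule above describes. The function names <code>root_domain</code> and <code>link_is_suspicious</code> are mine, and the short list of two-part suffixes such as .co.uk is an assumption for the example; the real Public Suffix List has thousands of entries.</p>

```python
"""Find the "root" (registrable) domain that a link really points to.

Added example for this post, not code from the original. The suffix list
below is a deliberately tiny stand-in for the real Public Suffix List.
"""
from typing import Optional
from urllib.parse import urlparse

# Assumption: a handful of two-label public suffixes, enough to show why the
# "count back to the second dot" rule needs one extra dot for these.
# The authoritative list lives at publicsuffix.org.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def root_domain(url: str) -> Optional[str]:
    """Return the registrable domain of ``url`` (lower-cased), or None.

    urlparse().hostname already drops the two tricks that defeat a naive
    "read up to the first slash" scan: a fake "bank.com@" user-info prefix
    and a ":port" suffix. What remains is the host the browser will contact.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None  # not a web link (or no scheme at all)
    host = parsed.hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host  # bare hostname such as "localhost"; nothing to strip
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])  # e.g. bank.co.uk, not co.uk
    return ".".join(labels[-2:])


def link_is_suspicious(href: str, expected_domain: str) -> bool:
    """True when the link's real destination is not the domain the message
    leads you to expect (case-insensitive on the expected domain)."""
    actual = root_domain(href)
    return actual is None or actual != expected_domain.lower()


if __name__ == "__main__":
    for link in (
        "https://www.bankofamerica.com/login",
        "http://bankofamerica.com.secure-login.example/",
        "http://bankofamerica.com@secure-login.example/",
        "https://online.bank.co.uk/",
    ):
        print(f"{root_domain(link)!s:25} <- {link}")
```

The second and third links in the usage block are the two classic disguises: a real brand name used as a leading subdomain, and a real brand name used as a bogus user name before the &#8220;@&#8221;. Both resolve to <code>secure-login.example</code>.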
<p><span id="more-9055"></span><strong>&#8220;From&#8221; Fields can be forged: </strong>Just because the message says in the &#8220;From:&#8221; field that it was sent by your bank doesn&#8217;t mean that it&#8217;s true. This information can be and frequently is forged. If you want to discover who (or what) sent a message, you&#8217;ll need to examine the email&#8217;s &#8220;headers,&#8221; important data included in all email. Keep in mind that the sender controls every header it writes itself; the &#8220;Received:&#8221; lines stamped onto the message by your own provider&#8217;s mail servers as it arrived are the ones you can trust, and they record which machine actually handed the message over. The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers. Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at <a href="http://email.about.com/cs/spamgeneral/a/spam_headers.htm" target="_blank">About.com</a>. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.</p>
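<p>The Python script below, added here as an illustration and not taken from the About.com tutorial or from the original post, shows the two header checks that matter most: whether the domain in &#8220;From:&#8221; matches the envelope sender recorded in &#8220;Return-Path:&#8221;, and which relay first handed the message in according to the oldest &#8220;Received:&#8221; line. The message it reads is constructed for the example; every host name and address in it is made up, and the function names are mine.</p>

```python
"""Walk a message's headers to see which server really handed it in.

Added example, not code from the original post. The message below is
constructed: its From: claims to be a bank, while the envelope sender and
the originating relay point somewhere else.
"""
import email
import re
from email.utils import parseaddr
from typing import Optional

SAMPLE = """\
Return-Path: <bounce@mail-blast.example.net>
Received: from mx1.victim-isp.example (mx1.victim-isp.example [192.0.2.10])
\tby inbox.victim-isp.example with ESMTP id abc123; Wed, 06 Apr 2011 12:00:00 +0000
Received: from webmail.mail-blast.example.net (unknown [198.51.100.7])
\tby mx1.victim-isp.example with SMTP id def456; Wed, 06 Apr 2011 11:59:58 +0000
From: "Bank of Example" <alerts@bankofexample.com>
To: customer@victim-isp.example
Subject: Urgent: verify your account

Your account will be suspended unless you act now.
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as most mail servers write it
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_domain(value: Optional[str]) -> Optional[str]:
    """Domain part of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() or None


def analyze(raw: str) -> dict:
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    # Each relay prepends its own Received: line, so the LAST one is the
    # earliest hop: the server that first accepted the message. Everything
    # the sender wrote itself (From:, plus any Received: lines sitting below
    # the first one added by a server you trust) can be fabricated.
    origin = None
    if received:
        m = RECEIVED_RE.search(received[-1])
        if m:
            ip = IP_RE.search(m.group(2) or "")
            origin = {"helo": m.group(1), "ip": ip.group(1) if ip else None}
    from_domain = header_domain(msg.get("From"))
    return_path_domain = header_domain(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin": origin,
        # A bank's alerts normally bounce back to the bank, not to a bulk mailer.
        "mismatch": from_domain != return_path_domain,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:20} {value}")
```

A mismatch between the two domains is not proof of fraud on its own (legitimate mail sent through an outside provider shows the same pattern), but combined with an originating relay that has no reverse DNS and no relationship to the claimed sender, it is exactly the signal a header-reading tutorial teaches you to look for.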
<p><strong>When in doubt, type it out:</strong> If you&#8217;re not sure about the validity of an email, don&#8217;t click on the link in the message. Instead, take a moment to visit the Web site of the sender in question by typing the URL into a Web browser, and access your account normally.</p>
<p><strong>Keep in mind that phishing can take many forms:</strong> Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a Trojan that steals all of the sensitive data on victim PCs. So be careful about clicking links, and don&#8217;t open attachments in emails you weren&#8217;t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I&#8217;m a stickler for it; I&#8217;ve been known to lecture people who send me press releases and other items as unrequested attachments.</p>
<p><strong>If you didn&#8217;t go looking for it, don&#8217;t install it:</strong> Password stealing malware doesn&#8217;t only come via email; quite often, it is distributed as a Facebook video that claims you need a special &#8220;codec&#8221; to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn&#8217;t your idea to install something from the get-go, don&#8217;t do it. Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor&#8217;s Web site if you can.</p>
<p><strong>Think Ahead:</strong> While this may be of little help to folks who received multiple warnings from companies impacted by the Epsilon breach, the best way to avoid dealing with email scams is to be very selective in giving out your email address. If you don&#8217;t already have one, consider creating a second email address to use when signing up for any services that require an email. Alternatively, if you&#8217;re sure you won&#8217;t need a specific service or site more than once or for more than a few minutes, you can take advantage of a free service like 10 Minute mail; as its name suggests, 10minutemail.com lets you create throwaway addresses that give you just enough time to sign up for something and then check your inbox for the message containing the obligatory confirmation link.</p>
<p><strong>Lay traps: </strong>When you&#8217;ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers &#8212; most notably <strong>Gmail</strong> &#8212; make this especially easy. When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a &#8220;+&#8221; sign just to the left of the &#8220;@&#8221; sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called &#8220;Example,&#8221; along with a new filter that sends any email addressed to that variation of my address to the Example folder. That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked, too!). I should note two caveats here. First, although a &#8220;+&#8221; sign is a legal character in the part of an address before the &#8220;@&#8221;, the email standard leaves it to the receiving mail server to decide what that part means, so not all email providers will treat address variations like these as aliases for your inbox. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a &#8220;+&#8221; sign in the email address field.</p>
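<p>Once tagged addresses are in use, the trap only pays off if you notice when a tag receives mail from someone it was never given to. The Python below is an added example, not anything from the post or from Gmail: it builds the tagged form of an address, recovers the tag from a delivered message, and reports every tag whose sender is not the site it was registered with. The inbox, the tag-to-site registry and the function names are all constructed for the example.</p>

```python
"""Tagged ("plus") addresses as tripwires. Added example, not from the post.

The registry and the inbox below are constructed for the example.
"""
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple


def tagged_address(base: str, tag: str) -> str:
    """krebsonsecurity@gmail.com + "example" -> krebsonsecurity+example@gmail.com"""
    local, _, domain = base.partition("@")
    if not local or not domain or "+" in local:
        raise ValueError("expected an untagged user@domain address")
    return f"{local}+{tag}@{domain}"


def tag_of(addr: str) -> Optional[str]:
    """The tag in a delivered-to address, or None if it carries none."""
    local = parseaddr(addr)[1].partition("@")[0]
    return local.partition("+")[2].lower() or None


def sender_domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


# Assumed: which site each tag was handed to at sign-up time.
REGISTRY: Dict[str, str] = {"example": "example.com", "bank": "bank.example"}

# Constructed inbox as (To, From) pairs.
INBOX: List[Tuple[str, str]] = [
    ("krebsonsecurity+example@gmail.com", "newsletter@example.com"),
    ("krebsonsecurity+example@gmail.com", "deals@cheap-pills.example.net"),
    ("krebsonsecurity+bank@gmail.com", "alerts@bank.example"),
    ("krebsonsecurity@gmail.com", "friend@mail.example.org"),
    ("krebsonsecurity+bank@gmail.com", "security@bank.example.evil.example"),
]


def tripped_traps(inbox, registry) -> List[Tuple[str, str, str]]:
    """(tag, site the tag was given to, actual sender domain) for every
    message to a tagged address whose sender is not that site or one of its
    subdomains. A hit means the site shared or lost the address, or someone
    is phishing it."""
    hits = []
    for to, sender in inbox:
        tag = tag_of(to)
        if tag is None or tag not in registry:
            continue  # untagged mail, or a tag we never handed out
        expected = registry[tag]
        actual = sender_domain(sender)
        if actual != expected and not actual.endswith("." + expected):
            hits.append((tag, expected, actual))
    return hits


if __name__ == "__main__":
    for tag, site, sender in tripped_traps(INBOX, REGISTRY):
        print(f"tag {tag!r} (given to {site}) got mail from {sender}")
```

Note the last sample message: <code>bank.example.evil.example</code> starts with the expected name but does not end with it, so the suffix test rightly treats it as a stranger, the same leading-subdomain trick the &#8220;Links Lie&#8221; section describes.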
<p>Let’s summarize with a few quick rules:</p>
<p>1. Don’t open emails if you don’t recognize the sender’s name or domain.</p>
<p>2. Take a moment to check that the sender is really the one whose name appears as “From.”</p>
<p>3. Don’t click on links in emails or open attachments unless you are sure the sender is trustworthy.</p>
<p>4. When in doubt, go to the senders’ websites by typing their addresses in your browser bar. Or call the senders – they probably need to know that spam is being sent in their names.</p>
<p>5. Your email address should be kept private if possible. Consider using a second or throwaway address if you are required to provide it.</p>
<p>6. Be extremely cautious when a website tells you that you need to install an add-on or download of any sort.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/feed/</wfw:commentRss>
		<slash:comments>70</slash:comments>
		</item>
		<item>
		<title>IRS Scam: Phishing by Fax</title>
		<link>http://krebsonsecurity.com/2011/03/irs-scam-phishing-by-fax/</link>
		<comments>http://krebsonsecurity.com/2011/03/irs-scam-phishing-by-fax/#comments</comments>
		<pubDate>Tue, 29 Mar 2011 14:57:18 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[866-513-7982]]></category>
		<category><![CDATA[irs]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing by fax]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=8886</guid>
		<description><![CDATA[Scammers typically kick into high gear during tax season in the United States, which tends to bring with it a spike in phishing attacks that spoof the Internal Revenue Service. Take, for example, a new scam making the rounds via email, which warns of discrepancies on the recipient's income tax return and requests that personal information be sent via fax to a toll-free number.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/03/irsseal.jpg"><img class="alignright size-full wp-image-8887" title="irsseal" src="http://krebsonsecurity.com/wp-content/uploads/2011/03/irsseal.jpg" alt="" width="243" height="242" /></a>Scammers typically kick into high gear during tax season in the United States, which tends to bring with it a spike in phishing attacks that spoof the <strong>Internal Revenue Service</strong>. Take, for example, a new scam making the rounds via email, which warns of discrepancies on the recipient&#8217;s income tax return and requests that personal information be sent via fax to a toll-free number.</p>
<p>A new phishing campaign that began sometime in the last 24 hours is made to look like it was sent from irs@irsonline.gov, and urges recipients to fill out, print, and fax an attached PDF tax form. From the scam email:</p>
<blockquote><p>*This is in reference to your 2010 U.S. Individual Income Tax Return we seem to have some discrepancies with your filing. If you have already filed for your 2010  tax refund please get hold of a new form 1040 and<br />
mail it to the  Department of the Treasury in your region.*</p>
<p>*If for any reason you have not yet filed for your 2010  Individual<br />
Income Tax Return please print out the attached PDF form, fill it and<br />
fax it to the IRS data center on <a href="tel:%28866%29%20513-7982">(866) 513-7982</a> within 24 hours.*</p>
<p>*This has no bearing on your 2010 U.S. Individual Income Tax Return,<br />
this to update our data and survey while we prepare to close the 2010<br />
tax filing season.*</p>
<p>*Thank you *</p></blockquote>
<p>That 866- phone number is currently returning a fast-busy signal, which suggests either that a lot of people are falling for this scam, or that anti-scammers are speed-dialing the number in a bid to prevent would-be victims from faxing in their forms. My guess is that this scam is tied to some kind of automated service that scans faxes and then emails the phishers copies of the scanned images.</p>
<p>It&#8217;s worth noting that the data requested in <a title="Bogus IRS 1040 form (note the OMB mention)" href="http://krebsonsecurity.com/wp-content/uploads/2011/03/1040-Data-Update-Form1.pdf" target="_blank">this bogus IRS form</a> includes the Social Security number, <a href="http://www.irs.gov/individuals/article/0,,id=213471,00.html" target="_blank">e-File PIN</a> and <a title="Adjusted Gross Income" href="http://www.irs.gov/irs/article/0,,id=234371,00.html" target="_blank">adjusted gross income</a>, all of which are crucial pieces of information that the IRS uses to authenticate taxpayers.</p>
<p>The IRS has been careful to note that while it may conduct follow-up correspondence with taxpayers via email if the taxpayer chooses to communicate that way, it will never initiate contact with taxpayers via email to request personal or financial information. Consumers can report any tax-related phishing scams to phishing@irs.gov.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/03/irs-scam-phishing-by-fax/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Google Debuts &#8220;This Site May Be Compromised&#8221; Warning</title>
		<link>http://krebsonsecurity.com/2010/12/google-debuts-this-site-may-be-compromised-warning/</link>
		<comments>http://krebsonsecurity.com/2010/12/google-debuts-this-site-may-be-compromised-warning/#comments</comments>
		<pubDate>Fri, 17 Dec 2010 18:05:58 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[BadwareBusters.org]]></category>
		<category><![CDATA[Denis Sinegubko]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Maxim Weinstein]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[StopBadware]]></category>
		<category><![CDATA[this site may be compromised]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=7153</guid>
		<description><![CDATA[Google has added a new security and anti-spam feature to its search engine that promises to increase the number of Web page results that are flagged as potentially having been compromised by hackers.]]></description>
			<content:encoded><![CDATA[
<p><strong>Google</strong> has added a new security feature to its search engine that promises to increase the number of Web page results that are flagged as potentially having been compromised by hackers.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/12/tsmhyc.jpg"><img class="alignright size-medium wp-image-7155" title="tsmhyc" src="http://krebsonsecurity.com/wp-content/uploads/2010/12/tsmhyc-300x111.jpg" alt="" width="300" height="111" /></a>The move is an expansion of <a href="http://www.google.com/support/websearch/bin/answer.py?hl=en&amp;answer=45449" target="_blank">a program</a> Google has had in place for years, which appends a &#8220;This site may harm your computer&#8221; link in search results for sites that Google has determined are hosting malicious software. The <a href="http://www.google.com/support/websearch/bin/answer.py?answer=190597" target="_blank">new notation</a> &#8211; a warning that reads &#8220;This site may be compromised&#8221; &#8211; is designed to include pages that may not be malicious but which indicate that the site might not be completely under the control of the legitimate site owner &#8212; such as when spammers inject invisible links or redirects to pharmacy Web sites.</p>
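<p>A site owner who wants to find the sort of injection Google is reacting to can look for the same signs on the server side. The Python scanner below is an added example, not Google&#8217;s or StopBadware&#8217;s code: it walks a page with the standard library&#8217;s HTML parser and flags links inside elements hidden by inline style or the <code>hidden</code> attribute, zero-size iframes, and meta-refresh redirects. The style patterns it treats as &#8220;hidden&#8221; are an assumption for the example, and the sample page is constructed.</p>

```python
"""Scan a page for the kind of injected content that earns a "This site may
be compromised" flag: links hidden from visitors, zero-size iframes and
meta-refresh redirects. Added example, not Google's or the post's code; the
hiding heuristics and the sample page are assumptions made for the example.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Inline-style tricks commonly used to keep injected links out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px)?(?![\w.])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
VOID_TAGS = {"meta", "link", "img", "br", "hr", "input", "base"}


class InjectionScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.stack: List[Tuple[str, bool]] = []  # open elements: (tag, is_hidden)
        self.hidden_depth = 0                     # >0 while inside a hidden element
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        inside_hidden = hidden or self.hidden_depth > 0
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe" and (inside_hidden or a.get("width") in ("0", "1")
                                  or a.get("height") in ("0", "1")):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and inside_hidden:
            self.findings.append(("hidden-link", a.get("href", "")))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))
            if hidden:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        if all(t != tag for t, _ in self.stack):
            return  # stray close tag; ignore it rather than unbalance the stack
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def scan(html: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, target) pairs in document order."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a small-business page after a spammer got in.
SAMPLE_PAGE = """<html><head><title>Main Street Bakery</title>
<meta http-equiv="refresh" content="0;url=http://cheap-pills.example/">
</head><body>
<h1>Welcome</h1>
<p>Our <a href="/menu">menu</a> changes weekly.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://cheap-pills.example/viagra">buy viagra</a>
  <a href="http://cheap-pills.example/cialis">cialis online</a>
</div>
<p hidden><a href="http://casino.example/">casino</a></p>
<iframe src="http://exploit-kit.example/in.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, target in scan(SAMPLE_PAGE):
        print(f"{kind:14} {target}")
```

The legitimate <code>/menu</code> link is not reported, while the three links parked off-screen or under a <code>hidden</code> attribute, the redirect and the zero-size frame all are. A real cleanup would also grep the server-side templates and database, since, as the Google analyst quoted below notes, an attacker who could add hidden links could have changed anything else too.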
<p>Google also will be singling out sites that have had pages quietly added by phishers. While spam usually is routed through hacked personal computers, phishing Web pages most often are added to hacked, legitimate sites: <a href="http://www.apwg.org" target="_blank">The Anti-Phishing Working Group</a>, an industry consortium,  estimates that between 75 and 80 percent of phishing sites are  legitimate  sites that have been hacked and seeded with phishing kits designed to mimic established e-commerce and banking sites.</p>
<p>It will be interesting to see if Google can speed up the process of re-vetting sites that were flagged as compromised, once they have been cleaned up by the site owners. In years past, many people who have had their sites flagged by Google for malware infections have complained that the search results warnings persist for weeks after sites have been scrubbed.</p>
<p><strong>Denis Sinegubko</strong>, founder and developer at <a href="http://www.unmaskparasites.com" target="_blank">Unmask Parasites</a>, said Google has a lot of room for improvement on this front.</p>
<p>&#8220;They know about it, and probably work internally on the improvements but they don&#8217;t disclose such info,&#8221; Sinegubko said. &#8220;This process is tricky. In some cases it may be very fast. But in others it may take unreasonably long. It uses the same form for <a href="https://www.google.com/webmasters/tools/reconsideration" target="_blank">reconsideration requests</a>, but [Google says] it should be faster&#8230;less than two weeks for normal reconsideration requests.&#8221;</p>
<p><span id="more-7153"></span></p>
<p>But <strong>Maxim Weinstein</strong>, executive director of <strong>StopBadware</strong>, an independent non-profit anti-malware organization, said if Google delays de-listing a flagged site, it is usually because the site&#8217;s owner hasn&#8217;t fully eliminated the problem that caused the alert, or the site owner has skipped a step in Google&#8217;s reconsideration process.</p>
<p>&#8220;If someone doesn&#8217;t know to request a review, it can be a while before Google&#8217;s system will on its own rescan the site and remove the warning,&#8221; Weinstein said.</p>
<p>Google says it will be rolling out the new system slowly. As a result, not all of the sites that deserve to be flagged as compromised are listed that way yet.</p>
<p>&#8220;For example, 90 percent of search results for <a href="http://www.google.com/search?q=%22buy+windows+7+key%22" target="_blank">this search</a> should be labeled as &#8216;compromised,&#8217; but I don&#8217;t see any warnings,&#8221; Sinegubko said.</p>
<p>Web site administrators who find their pages flagged with &#8220;this site may harm your computer&#8221; warnings can get relatively speedy assistance at <a href="https://badwarebusters.org/" target="_blank">Badwarebusters.org</a>, which maintains a fairly active and responsive <a href="https://badwarebusters.org/conversations" target="_blank">help forum</a>. Google also has a Webmaster Help Forum that includes a <a href="http://www.google.com/support/forum/p/Webmasters/label?lid=2fe2a8ee8e37c08e&amp;hl=en" target="_blank">malware and hacked sites section</a>, which already contains a few interesting threads about this new warning system. In one thread, <strong>John Mueller, </strong>a Webmaster trends analyst with Google Zurich, sheds a bit more light on the alert and cleanup process.</p>
<blockquote><p>&#8220;As mentioned by the others, this is triggered when we determine that your site has likely been compromised by an unauthorized third party. Once it&#8217;s shown that this is possible, it&#8217;s hard to predict what else may have been modified. For instance, it might be that in addition to hidden links, someone has changed the phone number or is redirecting orders to the wrong website &#8212; everything is possible once third parties are able to modify a website.&#8221;</p>
<p>&#8220;Once you&#8217;ve reverted the compromise and &#8211; hopefully &#8211; taken steps to prevent this from happening again, you can submit a normal reconsideration request through <a href="http://www.google.com/support/webmasters/bin/answer.py?answer=163634" target="_blank">Webmaster Tools</a>. These requests are processed fairly quickly (usually within a day, though it&#8217;s not possible to give an exact timeframe).&#8221;</p></blockquote>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/12/google-debuts-this-site-may-be-compromised-warning/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
		</item>
		<item>
		<title>A Spike in Phone Phishing Attacks?</title>
		<link>http://krebsonsecurity.com/2010/06/a-spike-in-phone-phishing-attacks/</link>
		<comments>http://krebsonsecurity.com/2010/06/a-spike-in-phone-phishing-attacks/#comments</comments>
		<pubDate>Mon, 21 Jun 2010 03:09:54 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Internet Identity]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[smishing]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3656</guid>
		<description><![CDATA[A couple of readers have written in to say they recently received scam telephone calls warning them about fraud on their credit card accounts and directing them to call a phone number to "verify" their credit card numbers.

These sometimes-automated attacks prompt people to call a supplied telephone number -- often a toll-free line. In most cases, the calls will be answered by a bogus interactive voice response system designed to coax account credentials and other personal information from the caller.]]></description>
			<content:encoded><![CDATA[
<p>A couple of readers have written in to say they recently received automated telephone calls warning about fraud on their credit card accounts and directing them to call a phone number to &#8220;verify&#8221; their credit card numbers. These voice phishing attacks, sometimes called &#8220;vishing,&#8221; are a good reminder that today&#8217;s scam artists often abuse a range of modern technologies to perpetrate old-fashioned fraud.</p>
<div id="attachment_3664" class="wp-caption alignright" style="width: 310px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/06/iiphishtrends.jpg"><img class="size-medium wp-image-3664" title="iiphishtrends" src="http://krebsonsecurity.com/wp-content/uploads/2010/06/iiphishtrends-300x182.jpg" alt="" width="300" height="182" /></a><p class="wp-caption-text">Graphic courtesy Internet Identity</p></div>
<p>Phone phishing schemes often begin with a pre-recorded message that prompts the recipient to call a supplied telephone number &#8212; frequently a toll-free line. Usually, the calls will be answered by an interactive voice response system designed to coax account credentials and other personal information from the caller.</p>
<p>Lures for these telephone phishing attacks also are sent via text message, a variant also known as <a href="http://en.wikipedia.org/wiki/SMiShing" target="_blank">smishing</a>. Indeed, the <em>Sacramento Bee</em> warned <a href="http://blogs.sacbee.com/crime/archives/2010/06/yolo-da-warns-o.html#mi_rss=Latest%20News#storylink=scinlineshare" target="_blank">last week</a> that residents in the area were receiving text messages spoofing the <strong>Yolo Federal Credit Union</strong>.</p>
<p>A new <a href="http://www.internetidentity.com/images/stories/docs/phishing_trends_report-q1-2010_by_iid.pdf" target="_blank">report</a> (PDF) from anti-phishing vendor <strong> Internet Identity</strong> found that credit unions continue to be a favorite target of smishing attacks, and that text-to-phone scams used a toll-free number in about half of the lures sent in the first quarter of 2010.</p>
<p>Internet Identity also tracked at least 118 smishing attacks in the first quarter of 2010, although the company said that number represents a 40 percent drop in these scams over the last three months of 2009.</p>
<p>It may be hard to imagine how many people actually fall for these scams, but you might be surprised. In March 2008, I wrote about an <a href="http://voices.washingtonpost.com/securityfix/2008/03/the_anatomy_of_a_vishing_scam_1.html" target="_blank">extremely complex vishing attack</a> that targeted customers of multiple credit unions. A source I interviewed for that story later managed to make a copy of one of the servers that these crooks used to accept incoming calls for this scam, which ran uninterrupted from Jan. 13, 2008 to Feb. 21. From that story: &#8220;During that time, the phishers sent millions of text messages, and records from that server show that roughly 4,400 people called the fake bank phone number as directed. Out of those, 125 people entered their full credit/debit card number, expiration and PIN.&#8221;</p>
<p>Have you or someone you know recently received one of these scam phone calls or texts? Sound off in the comments below.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/06/a-spike-in-phone-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
		<item>
		<title>Teach a Man to Phish&#8230;</title>
		<link>http://krebsonsecurity.com/2010/05/teach-a-man-to-phish/</link>
		<comments>http://krebsonsecurity.com/2010/05/teach-a-man-to-phish/#comments</comments>
		<pubDate>Mon, 17 May 2010 04:37:17 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[John LaCour]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[PhishLabs]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3058</guid>
		<description><![CDATA[Phishing may not be the most sophisticated form of cyber crime, but it can be a lucrative trade for those who decide to make it their day jobs. Indeed, data secretly collected from an international phishing operation over the last 18 months suggests that criminals who pursue a career in phishing can steal millions of dollars a year, even if they only manage to snag just a few victims per scam.]]></description>
			<content:encoded><![CDATA[
<p>Phishing may not be the most sophisticated form of cyber crime, but it can be a lucrative trade for those who decide to make it their day jobs. Indeed, data secretly collected from an international phishing operation over 18 months suggests that criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag just a few victims per scam.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/phished.jpg" class="lightbox"><img class="alignright size-medium wp-image-3064" title="phished" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/phished-300x200.jpg" alt="" width="300" height="200" /></a>Phishers often set up their fraudulent sites using ready-made &#8220;phish kits&#8221; &#8212; collections of HTML, text and images that mimic the content found at major banks and e-commerce sites. Typically, phishers stitch the kits into the fabric of hacked, legitimate sites, which they then outfit with a &#8220;backdoor&#8221; that allows them to get back into the site at any time.</p>
<p>About a year and a half ago, investigators at Charleston, S.C. based <strong>PhishLabs</strong> found that one particular backdoor that showed up time and again in phishing attacks referenced an image at a domain name that was about to expire. When that domain finally came up for grabs, PhishLabs registered it, hoping that they could use it to keep tabs on new phishing sites being set up with the same kit.</p>
<p>The trick worked: PhishLabs collected data on visits to the site for roughly 15 months, and tracked some 1,767 Web sites that were hacked and seeded with the phishing kit that tried to pull content from the domain that PhishLabs had scooped up.</p>
<p>PhishLabs determined that most of the phishing sites were likely set up by a single person &#8212; a man in Lagos, Nigeria that PhishLabs estimates was responsible for about 1,100 of the phishing sites the company tracked over the 15 month experiment.</p>
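<p>The tripwire PhishLabs built works because every kit installation that still references the expired domain phones home to it, and the Referer header on that request names the hacked site. The Python below, an added example rather than PhishLabs&#8217; own tooling, shows what mining such a sinkhole&#8217;s web logs looks like: it parses access-log lines in the common Apache &#8220;combined&#8221; format (an assumption about the log layout), records each compromised host and the day it first appeared, and tallies activity by hour, which is the raw material for the work-day curve described below. The log lines and function names are constructed for the example.</p>

```python
"""Mine a sinkholed domain's web logs for compromised hosts, turning an
expired kit dependency into a tripwire. Added example, not PhishLabs' code;
the log format assumed is the Apache/nginx "combined" format and the log
lines are constructed for the example.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Optional
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed: hits on the sinkholed image from pages on hacked sites. The
# Referer is the phishing page that embeds the image, so its host is the
# compromised site; a "-" Referer is a direct fetch with no embedding page.
LOG_LINES = """\
203.0.113.5 - - [14/Mar/2010:13:02:11 +0000] "GET /img/bg.gif HTTP/1.1" 200 1024 "http://florist.example/~tmp/chase/login.php" "Mozilla/5.0"
203.0.113.9 - - [14/Mar/2010:13:40:02 +0000] "GET /img/bg.gif HTTP/1.1" 200 1024 "http://florist.example/~tmp/chase/login.php" "Mozilla/5.0"
198.51.100.2 - - [14/Mar/2010:21:15:45 +0000] "GET /img/bg.gif HTTP/1.1" 200 1024 "http://schooldistrict.example/wp-content/uploads/bofa/index.html" "Mozilla/5.0"
198.51.100.3 - - [15/Mar/2010:14:01:00 +0000] "GET /img/bg.gif HTTP/1.1" 200 1024 "-" "curl/7.19"
192.0.2.77 - - [15/Mar/2010:14:30:10 +0000] "GET /img/bg.gif HTTP/1.1" 200 1024 "http://dentist.example/images/paypal/cgi-bin/webscr.htm" "Mozilla/5.0"
192.0.2.78 - - [15/Mar/2010:15:05:33 +0000] "GET /img/bg.gif HTTP/1.1" 200 1024 "http://florist.example/~tmp/chase/login.php" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """One combined-format line -> dict with a parsed time and referring host."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["site"] = urlparse(rec["ref"]).hostname if rec["ref"] != "-" else None
    return rec


def sinkhole_report(log_text: str) -> dict:
    first_seen: Dict[str, str] = {}  # compromised host -> date first observed
    hourly = [0] * 24                # victim traffic by hour (UTC)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["site"] is None:
            continue  # unparsable line, or no embedding page to attribute
        day = rec["time"].date().isoformat()
        first_seen.setdefault(rec["site"], day)
        hourly[rec["time"].hour] += 1
    new_per_day = Counter(first_seen.values())
    return {
        "sites": sorted(first_seen),
        "first_seen": first_seen,
        "new_sites_per_day": dict(sorted(new_per_day.items())),
        "hourly": hourly,
    }


if __name__ == "__main__":
    report = sinkhole_report(LOG_LINES)
    for site in report["sites"]:
        print(f"{report['first_seen'][site]}  {site}")
    print("new sites per day:", report["new_sites_per_day"])
```

Over 15 months of real traffic the <code>new_sites_per_day</code> series is the &#8220;two to three new phishing sites each day&#8221; figure quoted below, and a histogram of <code>hourly</code> is where the bell-shaped work-day pattern shows up. Take-down teams would feed the <code>sites</code> list straight to the hosting providers.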
<p>&#8220;This guy was setting up two to three new phishing sites each day,&#8221; PhishLabs founder and president <strong>John LaCour</strong> said. &#8220;If you accept conservative estimates, that this guy is stealing about 10 [sets of] banking credentials per phish, and that conservatively each of these stolen credentials causes $500 in losses, we&#8217;re talking about more than $4 million a year he&#8217;s probably making.&#8221;</p>
<p>When PhishLabs plotted the guy&#8217;s daily online activity, the resulting graph was a bell curve showing the sort of hourly workload you&#8217;d typically see in a regular 9-to-5 job, LaCour said. &#8220;In the middle of the day he’s super busy, and in the mornings and evenings he’s not. So this is very much his day job.&#8221;</p>
<p>Successful though he may be, the Nigerian phisher spied on by PhishLabs is small fry compared to some of the more organized phishing gangs in operation today. According to <a href="http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf" target="_blank">a report</a> (pdf) released last week by the <strong>Anti-Phishing Working Group</strong>, an industry consortium, roughly two thirds of all phishing attacks in the second half of last year were the work of one organized crime gang known as the &#8220;Avalanche&#8221; phishing operation. Incidentally, experts believe this is the same gang responsible for spamming out the copies of Zeus and other Trojan horse programs that have been used in the <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">attacks on small businesses</a> I have been chronicling for the past year.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/05/teach-a-man-to-phish/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Comerica Phish Foiled 2-Factor Protection</title>
		<link>http://krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/</link>
		<comments>http://krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 22:18:06 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[comerica]]></category>
		<category><![CDATA[experi-metal]]></category>
		<category><![CDATA[multi-factor authentication]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[two-factor]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=973</guid>
		<description><![CDATA[A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than $560,000 last year.]]></description>
			<content:encoded><![CDATA[
<p>A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.</p>
<div id="attachment_976" class="wp-caption alignright" style="width: 310px"><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/experi-metal.jpg"><img class="size-medium wp-image-976" title="experi-metal" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/experi-metal-300x114.jpg" alt="" width="300" height="114" /></a><p class="wp-caption-text">Experi-Metal sells metal stampings, trim moldings and specialty items.</p></div>
<p>The lawsuit, filed by <strong>Experi-Metal Inc.</strong> (EMI), in Sterling Heights, Mich., charges that Dallas-based <strong>Comerica Bank</strong> effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank&#8217;s security technology. The company also alleges that Comerica&#8217;s security protections for customers are not commercially reasonable, because the phishing scam routed around the bank&#8217;s 2-factor authentication system.</p>
<p>According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used &#8220;digital certificates&#8221; for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank&#8217;s cryptographically signed digital certificate in their browser before the bank&#8217;s online system will allow users access.</p>
<p>Once a year from 2000 to 2008, Comerica sent emails to EMI and other customers directing them to click on a link in the email, and then log in at the resulting Web site in order to renew the digital certificate that Comerica required.</p>
<p>The trouble with relying on digital certs, of course, is that phishers have been using the e-mail ruse of &#8220;Hey, this is your bank, please update your digital certificate&#8221; for several years now in a bid to fool people into giving away their credentials or installing malicious software. Also, several families of malware will steal digital certs from victim PCs.</p>
<div id="attachment_980" class="wp-caption alignleft" style="width: 160px"><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/rsatoken.jpg"><img class="size-thumbnail wp-image-980" title="rsatoken" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/rsatoken-150x150.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">An RSA token used for multi-factor authentication</p></div>
<p>Perhaps in response to these fraud trends, Comerica in 2008 began urging customers to adopt a different security solution that supplemented user names and passwords with a security token. These small devices periodically generate a new, random numeric code, which must be entered along with the customer&#8217;s user name and password in order to access online banking at many commercial banks.</p>
<p>On Jan. 22, 2009, an EMI employee fell for a phishing e-mail that spoofed Comerica, and claimed the bank needed to carry out scheduled maintenance on its banking software. The e-mail instructed the EMI employee to log in at a linked Web site that mimicked Comerica&#8217;s online banking site. The EMI employee provided the site with the company&#8217;s online banking credentials, as well as the code generated by the security token.</p>
<p>Thieves almost immediately began wiring money out of EMI&#8217;s account. Between 7:30 a.m. and 10:50 a.m., the attackers initiated 47 wire transfers &#8212; to China, Estonia, Finland, Russia and Scotland.</p>
<p>EMI claims Comerica inquired about the transfers at 10:50 a.m., and that EMI asked the bank not to honor any requested wire transfers until further notice. But over the next three hours, thieves would initiate another 38 wires from EMI&#8217;s account. EMI also noted that, prior to this burst of fraudulent wires, the company had requested a total of two wire transfers in as many years. EMI says it lost more than $560,000 from the fraud.</p>
<p>In an answer to EMI&#8217;s complaint, Comerica denied that the bogus Web sites that lured the EMI employee would appear to be Comerica&#8217;s real Web site &#8220;to any reasonably alert person who was responsible for safeguarding EMI&#8217;s financial records and digital credentials.&#8221; The bank also argued that its banking security technologies were commercially reasonable &#8220;because they were in general use by other similarly situated customers of other banks.&#8221;</p>
<p>As I noted in a <a href="http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html" target="_blank">first-of-its-kind story</a> back in 2006 about a phishing scam that attacked <strong>Citibank</strong> business customers, the use of security tokens adds very little &#8212; if any &#8212; additional protection. For one thing, as in the Citi example and now this case, we can see that tokens work great provided the phishers don&#8217;t ask for the token code along with the visitor&#8217;s banking credentials.</p>
<p>Also, thieves are routinely defeating security tokens through the use of malicious software like the <a href="http://www.google.com/search?hl=en&amp;client=firefox-a&amp;rls=org.mozilla%3Aen-US%3Aofficial&amp;hs=p4b&amp;as_q=zeus+&amp;as_epq=brian+krebs&amp;as_oq=&amp;as_eq=&amp;num=10&amp;lr=&amp;as_filetype=&amp;ft=i&amp;as_sitesearch=krebsonsecurity.com&amp;as_qdr=y&amp;as_rights=&amp;as_occt=any&amp;cr=&amp;as_nlo=&amp;as_nhi=&amp;safe=images" target="_blank">ZeuS Trojan</a>, which can re-write the bank&#8217;s actual Web site as displayed in the victim&#8217;s browser, so as to inject code asking for the victim&#8217;s user name, password and security token number. The victim is usually then redirected to a fake maintenance page telling them to try again in a few minutes, while the thieves submit that intercepted information on behalf of the victim and then initiate unauthorized money transfers.</p>
<p>EMI&#8217;s complaint is <a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/experi-metalcomplaint.pdf" target="_blank">here</a> (.pdf). Comerica&#8217;s line-by-line response is available <a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/comerica-reply.pdf" target="_blank">here</a> (.pdf).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/feed/</wfw:commentRss>
		<slash:comments>54</slash:comments>
		</item>
	</channel>
</rss>