April 6, 2011

The recent massive data leak from email services provider Epsilon means that it is likely that many consumers will be exposed to an unusually high number of email-based scams in the coming weeks and months. So this is an excellent time to point out some useful resources and tips that can help readers defend against phishing attacks and other nastygrams.

Don’t take the bait: Many people are familiar with the traditional phishing attack, which arrives in an email that appears to have been sent from your bank or ISP, warning that your account will be suspended unless you take some action immediately, usually clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Commercial emails that emphasize urgency should always be considered extremely suspect, and under no circumstances should you do anything suggested in the email. Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment (most phishing scams are hosted on hacked, legitimate Web sites). If you’re really concerned, pick up the phone (gasp!) and call the company to find out if there really is anything for you to be concerned about.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window. Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link. The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you. Want to learn more cool stuff about links? Check out this guy’s site and you’ll be a link ninja in no time.
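The root-domain rule above can be applied mechanically. The following is an added example, not code from the post: it pulls the host out of a link the way a browser does (dropping any `user@` prefix and port) and then applies the “second dot from the right” rule. It goes one step beyond the post by handling a few country-code suffixes such as `co.uk`, where the rule needs three labels rather than two; the sample links and the `examplebank` names are constructed for illustration.

```python
"""Find the 'root' domain of a link, following the rule in the post: take the host
between 'http://' and the first '/', then keep the last two dot-separated labels."""
from urllib.parse import urlsplit

# Assumption: a few public suffixes where the registrable domain has three labels.
# The authoritative list is the Public Suffix List; this small set is only illustrative.
KNOWN_MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def host_of(link: str) -> str:
    """Return the host the browser would actually connect to.
    urlsplit().hostname discards 'user:pass@' and ':port', both used in deceptive links."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower().rstrip(".")


def root_domain(link: str) -> str:
    """The post's rule: the part of the host to the right of the second dot from the end.
    Extended to keep three labels when the last two form a known multi-label suffix."""
    labels = host_of(link).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def lands_on(link: str, brand_domain: str) -> bool:
    """True only if the link really goes to brand_domain or one of its subdomains.
    A brand name appearing in the path or as a leading label does not count."""
    host = host_of(link)
    return host == brand_domain or host.endswith("." + brand_domain)


# Constructed sample links (not from the article) showing the tricks the post warns about.
SAMPLE_LINKS = [
    "http://www.examplebank.com/",                      # genuine
    "https://secure.examplebank.com:443/account",      # genuine, with a port
    "http://examplebank.com.example.net/login",         # brand name as a subdomain of someone else
    "http://www.examplebank.com@example.net/",          # 'user@' prefix; browser goes to example.net
    "http://example.net/examplebank.com/login",         # brand name only in the path
    "http://login.examplebank.co.uk/",                  # two-label suffix
]


def audit(links=SAMPLE_LINKS, brand="examplebank.com"):
    """Return (link, real host, root domain, lands on brand?) for each link."""
    return [(l, host_of(l), root_domain(l), lands_on(l, brand)) for l in links]


if __name__ == "__main__":
    for link, host, root, ok in audit():
        print(f"{'OK ' if ok else 'BAD'} {root:<28} host={host:<32} {link}")
```

The `host_of` step matters as much as the dot-counting: the `user@host` form is valid URL syntax, so a link can carry a bank’s name before the `@` while the browser connects to whatever follows it.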

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged. If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email. The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers. Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at About.com. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.
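To show what “examining the headers” buys you, here is an added example (not part of the post or the About.com tutorial it links to) that parses a constructed header block with Python’s standard `email` module. It compares the domain in the visible `From:` line with the envelope sender in `Return-Path:`, and walks the `Received:` lines from the bottom up, since each relay prepends its own line and the last one is the hop closest to the origin. The addresses, host names and IP addresses are invented for the example.

```python
"""Answer 'who really sent this?' from an email's header block: compare the
From: domain with the Return-Path: domain and list the Received: hops oldest-first."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not real mail): the From: line claims a bank,
# but the envelope sender and the relay chain point elsewhere.
SAMPLE_RAW = """\
Return-Path: <bounce-1234@mail.example-bulk.net>
Received: from mx.example-bulk.net (mx.example-bulk.net [203.0.113.10])
    by inbound.example-mail.org with ESMTP id abc123
    for <reader@example-mail.org>; Wed, 06 Apr 2011 09:15:02 -0400
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mx.example-bulk.net with SMTP id def456;
    Wed, 06 Apr 2011 09:14:58 -0400
From: "Example Bank Alerts" <alerts@examplebank.com>
To: reader@example-mail.org
Subject: Urgent: verify your account
Message-ID: <20110406131458.def456@mx.example-bulk.net>

Your account will be suspended unless you verify it now.
"""

# 'from <claimed host> (<what the relay observed>)' at the start of a Received: line
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Lower-cased domain from a header such as 'Name <user@host>' or '<user@host>'."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def received_hops(msg):
    """Received: hops as (claimed host, observed host/IP), oldest first.
    Headers are stored newest-first, so the list is reversed."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(str(value).split()))  # unfold whitespace
        if m:
            hops.append((m.group(1), m.group(2) or ""))
    hops.reverse()
    return hops


def analyze(raw: str) -> dict:
    """Summarize the sender-related evidence in one header block."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    hops = received_hops(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "sender_mismatch": from_domain != return_path_domain,
        "origin_hop": hops[0] if hops else None,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW).items():
        print(f"{key:>20}: {value}")
```

A mismatch between `From:` and `Return-Path:` is not proof of fraud (legitimate bulk senders often use a separate bounce domain), but it is the first thing to look at when a message demands urgent action. Also remember that only the `Received:` lines added by servers you trust (your own provider’s) are reliable; anything below them was written by the sender and can be forged just like the `From:` line.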

When in doubt, type it out: If you’re not sure about the validity of an email, don’t click on the link in the message. Instead, take a moment to visit the Web site of the sender in question by typing the URL into a Web browser, and access your account normally.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a Trojan that steals all of the sensitive data on victim PCs. So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it. Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor’s Web site if you can.

Think Ahead: While this may be of little help to folks who received multiple warnings from companies impacted by the Epsilon breach, the best way to avoid dealing with email scams is to be very selective in giving out your email address. If you don’t already have one, consider creating a second email address to use when signing up for any services that require an email. Alternatively, if you’re sure you won’t need a specific service or site more than once or for more than a few minutes, you can take advantage of a free service like 10 Minute mail; as its name suggests, 10minutemail.com lets you create throwaway addresses that give you just enough time to sign up for something and then check your inbox for the message containing the obligatory confirmation link.

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy. When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder. That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked, too!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.
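The trap works because every site gets its own tag, so the tag on an incoming message tells you who was given that address. Below is an added example, not code from the post, that does the bookkeeping a Gmail filter does by hand: it builds tagged addresses, splits the tag back off (which also illustrates the caveat that the “+” form is a tripwire rather than a secret, since anyone can strip it), and flags mail where the tag does not match the sender domain it was handed to. The `reader@gmail.com` address, the `TRAPS` mapping and the sample messages are constructed for the example.

```python
"""Plus-addressing traps: give each site 'local+tag@domain', then flag mail whose
tag was handed to a different sender than the one now using it."""
from email.utils import parseaddr

# Constructed mapping (assumed, not from the post): tag -> domain that tag was given to.
TRAPS = {
    "example": "example.com",
    "shop": "shop-example.net",
}


def tagged_address(base: str, tag: str) -> str:
    """reader@gmail.com + 'example' -> reader+example@gmail.com"""
    local, _, domain = base.partition("@")
    return f"{local}+{tag}@{domain}"


def split_tag(to_header: str):
    """Return (base address, tag or None). This is the reverse of the trick, and it
    is trivial, which is why a leaked tag only identifies the leaker and hides nothing."""
    _, address = parseaddr(to_header)
    local, _, domain = address.lower().partition("@")
    user, plus, tag = local.partition("+")
    return f"{user}@{domain}", (tag if plus else None)


def sender_domain(from_header: str) -> str:
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def classify(to_header: str, from_header: str, traps=TRAPS) -> str:
    """'ok'          tag matches the sender it was given to
       'leaked'      a tagged address is being used by some other sender
       'unknown-tag' a tag you never handed out (possibly guessed)
       'untagged'    mail to the bare address"""
    _, tag = split_tag(to_header)
    if tag is None:
        return "untagged"
    expected = traps.get(tag)
    if expected is None:
        return "unknown-tag"
    sender = sender_domain(from_header)
    if sender == expected or sender.endswith("." + expected):
        return "ok"
    return "leaked"


# Constructed sample messages: (To:, From:)
SAMPLES = [
    ("reader+example@gmail.com", "Example News <news@example.com>"),
    ("reader+example@gmail.com", "Great Deals <promo@unrelated-marketer.org>"),
    ("reader+shop@gmail.com", "orders@mail.shop-example.net"),
    ("reader@gmail.com", "friend@example-mail.org"),
    ("reader+nobody@gmail.com", "someone@example.net"),
]


def triage(samples=SAMPLES):
    """Classify each sample; a 'leaked' verdict is the clue the post describes."""
    return [classify(to, frm) for to, frm in samples]


if __name__ == "__main__":
    for (to, frm), verdict in zip(SAMPLES, triage()):
        print(f"{verdict:<12} To: {to:<28} From: {frm}")
```

In practice the filter side of this is the provider’s job (a Gmail filter on “To: reader+example@gmail.com” moves the mail into its folder); the value of the code is in making explicit what a “leaked” verdict means: the tagged address reached a sender you never gave it to, so the site you gave it to either shared it or lost it.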

Let’s summarize with a few quick rules:

1. Don’t open emails if you don’t recognize the sender’s name or domain.

2. Take a moment to check that the sender is really the one whose name appears as “From.”

3. Don’t click on links in emails or open attachments unless you are sure the sender is trustworthy.

4. When in doubt, go to the senders’ websites by typing their addresses in your browser bar. Or call the senders – they probably need to know that spam is being sent in their names.

5. Your email address should be kept private if possible. Consider using a second or throwaway address if you are required to provide it.

6. Be extremely cautious when a website tells you that you need to install an add-on or download of any sort.


70 thoughts on “After Epsilon: Avoiding Phishing Scams & Malware”

  1. Dave Green

    Re:

    For example, if I were signing up at example.com, I might give my email address as example+krebsonsecurity.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder.

    Is this right? My test with a googleID without dots did not. I know googleID+text string@gmail.com works so the concept can be implemented.

    Dave

    1. Dave Green

      The textstring should not have spaces in the above — my autocorrect software helped too much.

      1. BrianKrebs Post author

        Yeah, you’re right Dave. I wrote this tutorial waaay too late last night and mixed that part up. I’ve amended the text above to reflect that. Thanks!

  2. Rob

    IE9 handles the “backwardsfromtheretothesecond.dot” URL really nicely. It just shows that base URL in the link address. No matter how much I shrink the window width — IE9 shows that.

    Firefox 4 uses a “…” in the middle to show “bankofamerica.com.so…sfromtheretothesecond.dot”. Kind of more useful but not amazing. Shrink the window right down and you can get: “b…nd.dot”

    Chrome 10 displays “bankofamerica.com.so…” at first and then .5 seconds later expands it out to the full URL all the way to the “.dot”. But I’ve got a wide screen. Bring the width down and you can get it to exactly show “bankofamerica.com…”

    1. -

      urlbar? my urlbars (op,ff, ie as far back as i recall) begin with http(s|) and continue with true url until ‘disappearing’ behind right end or urlbox.
      you’re commenting on the abridged url of hovered href as browser show in statusbar, yes?
      ideally, mouse hovers should show full info. even if the href is the proverbial 13mb javascript (which would run off below display, but that should dissuade)

      my whine: software is cgf wrong oob.
      eg, always turn off js gui foolery in browser options. ff eg, https://www.blogtechnika.com/wp-content/uploads/2010/11/firefox-javascript-settings.png ( bottom img on http://www.blogtechnika.com/how-to-enable-or-disable-javascript-in-firefox)

  3. JC

    Thanks for this. As one who tries to keep up with PC security issues, it is really good to review the basics from time to time. I send your piece to those close to me who are not as aware of the bad things that can happen if you are not careful.

  4. TheGeezer

    Good tips. clearly explained, Brian.
    Although the people who really need the tips are probably not reading your blog, I will pass a reference to this report along to a lot of people I know who need it. It will save me a lot of time trying to explain when they should be suspicious and what to look for.
    I had to do this last month with two acquaintances who obviously had installed bots and have unknowingly been sending out Pharma ads to everyone in their address books!

  5. David Shroyer

    Great Job Brian! This is a great reminder that this is the type of breach that will lead to more “APT” attacks. Even industry folks who should know better can fall for these attacks (as pRoven in the laSt few weeks, Again…). If I was responsible for data protection behind a significant domain that could have been breached by Epsilon, I think I would be passing this post to my employees…. via paper copy.

    1. BrianKrebs Post author

      Yeah, except technically I don’t own that content. But you’re right. I’ve been meaning to re-write it and update it, so thanks for the prodding.

      1. AlphaMack

        I always pass that article around to friends who I fix PCs for, but with Ubuntu Natty around the corner it may be time for an update since the UI is just a wee bit different. 😉

  6. Jim E

    Brian, the “Bank of America” sample will not open. We’d like to see it because my bride has an account with them and she does get regular communications from them.
    Also, just in passing, as a ret. Financial Advisor, my two favorite sites are yours and “www.FBI.gov” for their excellent daily notices on these scams and other related subjects.
    I am continually surprised by the amount of fraudulent financial scams that are constantly being uncovered involving millions of dollars primarily from “Ponzi” schemes.
    What a crazy world we live in. Thanks for your good advice.
    JimE

    1. Heron

      Jim, that B of A link isn’t supposed to open. It’s simply an example of how links can be manipulated so they won’t take you to the sites you expect to go to if you click on them.

      Any message from a bank asking you for your personal information or bank account information, is fraudulent. If the bank wants to verify something with you, you’ll get a letter in the mail.

      Emails saying your account has been suspended and they need you to reauthorize your account access by typing in your account information are fake, too.

      As BK mentioned, be especially careful of messages containing attachments you aren’t expecting to receive.

      If your wife is careful, and uses common sense, she should be fine.

      1. Jim E

        Heron,

        Thank you for update…I passed it along to my bride. Then I called her and she hung up on me. I called back and asked why? She said, “well, I have to keep in practice, don’t I”?

        Let’s just hope the next trick isn’t to create matching voice synthesizing programs that will make you think you are talking to someone you aren’t. Oh, well, then we’ll just have to use passwords whenever someone calls you. “Hi honey, ‘Rover4’ calling from ‘UCLA’, ‘1948’, how are you….?” hahaha.

        1. -

          uhoh, *she* is supposed to phone *you*, by dialing your known good number.

        2. -

          great passphrase: “you g$#!#@!$$#@! telemarketers!! stop calling me!!” (followed by foghorn blast).
          nobody would guess that passphrase?

  7. Jay Goldstein

    Brian,
    ABSOLUTELY THE BEST OVERALL SUMMARIZATION OF EMAIL SECURITY
    I HAVE EVER SEEN!!!!!!.Congratulations.

  8. StillFiguring

    Nice report.

    Advising users to not trust email is less than a complete solution.
    This solution suggests that users can detect malware and scams by observation. It is highly unlikely that users can be trained to “sense” malware effectively.
    Still, I appreciate the efforts to educate users to identify scams.

    We all hope for the malware resistant computer. This would protect users without the need for super perceptive mutant senses.

    This malware resistance exists right now. If separate Administrator and User accounts were standard, then huge amounts of malware would not work.

    Not all malware, but most malware would fail to have an effect. I like to guess that 90% of malware will bounce off a computer that uses separate Administrator and User accounts.

    This is a big gain in protection for a small amount of work.

    1. TheGeezer

      I think anyone who has kept up with Brian’s reports is aware that he never considered this to be a complete solution. It is, however, a very timely reminder for being cautious now that so many banking customers’ emails have been stolen.

    2. Terry Ritter

      @StillFiguring: “We all hope for the malware resistant computer.”

      It is convenient for analysis to distinguish between “front-end” (network, browser) threats, and the “back end” infection of the boot drive.

      A general lack of overall security design in the Internet argues against anything other than the current piecemeal approach to the front end.

      On the other hand, since most people run Microsoft Windows, almost all malware is designed to run on Microsoft Windows (or, now, Java). So any OS other than Windows is much less exposed to malware and at far less risk. The malware-resistant computer exists now, and is any non-Windows computer.

      For the back end, it clearly is possible to protect the current system (that is, boot and start up data) from infection so that malware which does get in is not re-started on every subsequent session. We have an example of that in the Linux LiveCD / DVDs, which are difficult or impossible to infect. If Microsoft would produce a practical Windows LiveCD for Banking, that could be very welcome.

      In fact, if Microsoft would just produce a program to check an arbitrary Windows installation and certify that it was uninfected and ready for online banking, we would have a whole new ballgame.

      “If separate Administrator and User accounts were standard, then huge amounts of malware would not work.”

      I am dubious. The actual experience from years of past privilege escalation attacks argues that this defense is overrated:

      December 8th, 2010. “New Complex Rootkit Variant Leverages Stuxnet 0-Day Vulnerability.” “The flaw, which is identified as CVE-2010-3888, is being leveraged to escalate privileges to Local System level in order to bypass UAC (User Access Control)”
      http://news.softpedia.com/news/New-Complex-Rootkit-Variant-Leverages-Stuxnet-0-Day-Vulnerability-171255.shtml

      24th November 2010. “Windows 0day allows malicious code execution.”
      “the flaw allows even users or processes with limited privileges to execute code will elevated rights.”
      http://www.theregister.co.uk/2010/11/24/windows_0day_report/

      August 11th, 2010. “Microsoft Confirms Local Privilege Escalation Bug.” “Microsoft has confirmed a vulnerability in the win32k.sys kernel-mode driver, which affects all supported versions of the Windows operating system and can be exploited by local attackers to escalate privileges.”
      http://news.softpedia.com/news/Microsoft-Confirms-Local-Privilege-Escalation-Bug-151643.shtml

      19th January 2010. “Windows plagued by 17-year-old privilege escalation bug.” “All 32-bit versions vulnerable.”
      http://www.theregister.co.uk/2010/01/19/microsoft_escalation_bug/

      1. Louis Leahy

        Terry Ritter there is a JV between UNSW NICTA & MS they claim they have developed a proof of concept kernel that is mathematically checked for integrity, perhaps what you are suggesting may well become reality.

        1. JCitizen

          This comes as a bold statement for me as I know little about virtual machines; but I was encouraged by MS’s research into a micro-kernel design, and I hoped they would implement it in some fashion that included built in VM support, that would make it easy for newbies to add applications and previous OS support without all the complexity and exposure to a high profile for malware.

          This would include and truly enclose drivers as well, in my not-so-educated response. The whole idea would at least temporarily solve a lot of problems for MS and their clients; especially since backward compatibility is the source of many vulnerabilities in Microsoft’s OS and applications.

  9. Steve

    Brian,

    “To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window.”

    Firefox 4 shows links on both sides. Have you figured out the algorithm? In light of phishing scams, I don’t know that this was such a good idea.

  10. kurt wismer

    ““From” Fields can be forged”

    but shared secrets cannot. that’s why i use unique, randomly generated disposable email addresses for signing up to things.

    “When in doubt, type it out”

    or better yet, follow a bookmark and eliminate the chance of falling prey to a typo-squatter.

    “If you don’t already have one, consider creating a second email address to use when signing up for any services that require an email.”

    unfortunately, using the same secondary email address for all those sign-ups means that you have a lot of address changing to do when that one secondary email address gets compromised. creating a new real email address for each sign-up is likewise onerous and also a pain to monitor. i find disposable addresses (the kind that forward to a real address) to be the most convenient option – easy to make, easy to monitor, and easy to segment so that compromising the address i give to company A doesn’t mean i have to do anything at companies B-Z when i recover.

    “Lay traps”

    good advice, but gmail’s sub-address trick (the + trick) is well known and easy to reverse, reveals the root address, and requires no authorization to create new sub-addresses. disposable email addresses provided by dedicated disposable email providers generally don’t have those problems.

    1. Maureen

      Hi, Kurt. When you say gmail’s +trick is “easy to reverse”, what do you mean?

      Thanks.

      1. kurt wismer

        what i mean is that you can turn admin+whatever@gmail DOT com back into yourid@gmail DOT com very easily.

        in fact, it’s easy to do algorithmically, and i’d be surprised if tools used by attackers don’t have that built in as a minor feature.

    2. Conrad Longmore

      But the problem with this breach is that whatever secret email address you might be using has been compromised.. so even if you have a disposable or unique address for one of these Epsilon clients then they can still send spear phish emails directly to you that will look very credible.

      1. kurt wismer

        you’re right, with this specific breach the phishers would be able to use the right disposable email address to create a convincing phish – up until i receive the breach notification and disable/delete that address.

        so long as the breach notification emails are sent out diligently, the window of opportunity for targeted attacks should be small.

        1. LC

          I’m not sure how you can say that the window of opportunity for targeted attacks should be small with this breach. Do you believe that mainstream internet users have a different disposable email address for each account they’ve signed up with? That seems very unlikely. Most people don’t, and they’ll keep using the same account they’ve been using for years, is my guess.

          1. kurt wismer

            in the previous paragraph i explicitly stated “until i receive the breach notification”.

            the window of opportunity for targeted attacks should be small for people who do as i do.

            many people don’t do as i do, but perhaps they should. we can wring our hands over what companies should be doing to make everyone safer, but you might be surprised how valuable self-reliance can be.

  11. Heron

    I’m going to show my Internet students this post on Saturday. Thanks.

  12. xAdmin

    Awesome information! I wish more people would take this type of advice to heart. Unfortunately, many of them just don’t care. I try time and again to lead the horse to water so to speak. But they just won’t drink. Ok, so you don’t care about yourself, but what about how your actions may affect others. Your bot infected system is spamming people or hosting malware! I had a former boss who ran a small business with about half a dozen computers connected to the Internet without any type of firewall or security. When I pointed this out to him, his response was that there is nothing important on any of the systems, so why try to protect them. :::smack forehead!::::: D’OH! He still balked after I explained how any of the systems could be part of a botnet. He really paid attention when I mentioned bad guys could put something like child porn on his systems and he could be held liable for it. He allowed me to make a few changes, but no where near enough.

    Point being: many just don’t realize or care how their actions or inactions can affect others. Even if they don’t care about protecting themselves, what about the rest of the Internet community? Each of us has a responsibility. It’s kind of like our roadways that we share with every other driver. In either case, there are many that shouldn’t be allowed on the road period! Grrrr!

  13. Rick

    I have found the “disposable address” option at Yahoo easy to use.

  14. Wabasso

    Great article!

    For disposable addresses, I have found http://www.spamgourmet.com/ extremely useful. I’ve been using it for years now. Some sites that are greedy for information (or more optimistically, wary of disposable addresses being used by spammers) have blocked the spamgourmet.com domain. There is also an alternate “@inboxclean.com” that you can use for the same service.

    Is there an additional threat to clicking links received in emails compared to random links while surfing the web? (i.e. can anything protected by my email login be released if I click a link sent to me in an email)

    1. JCitizen

      Thanks Wabasso;

      Pretty cool – I’m amazed they’ve been going since 2000! I see SourceForge has some of their software as well.

    2. -

      tracking /stalking links.
      afaik:
      associated to your ip. (not useful if (perhaps) thru your proxy?)
      clicked links send referer, unless you block or disable referer.

      bonus info to scoundrel/corporate-stalker if link arrived by email:
      unique (scoundrel-generated) url ids your email address. (those ‘legit’ confirm forum registration links use same method.)

  15. Maureen

    Thank you for the excellent summary, and also for pointing out 10 Minute Mail. Although I am not the official IT person for our larger organization, I am the “administrator” for our department, including being the first response when people download the bad stuff or, if I am lucky, when they get the message prompting them to download the bad stuff. I often use your posts to advise people, not only for the protection of the office but for their home computers (and especially their children’s use of computers and social media). It’s disappointing, then, when someone comes to me and admits that they have done the very thing they were cautioned not to do just the day before. I hide my disbelief, because I want them to feel comfortable coming to me. But, really, what important information are they storing in their brain that prevents them from remembering things like, “don’t click on links in an email that has no other text or a subject,” or “the company will never ask for your password in an email”? Is this because people are too busy, and are clicking and opening before the caution fully develops in their minds?

    It’s like when you hear on the news that someone was robbed or hurt by a criminal who got in an unopened window. Some people check their windows; others don’t and become the next victim.

    Sorry for venting…

  16. AlphaMack

    I can confirm that Verizon and Ralphs are two companies among those listed in the Epsilon breach who do not allow the ‘+’ modification in an e-mail address. In those cases I resorted to using a personal throwaway e-mail address.

    Also it should be worth mentioning that you should never use the same login password for every site you sign up with. Use a cross-platform password manager like KeePassX and store your passwords in it, or create several levels of passwords based on strength and salt them with characters related to the web sites you visit.

    1. -

      “salt them with characters related to the web sites you visit.”
      fooling miscreants into assuming all your passes are the same except for (eg) prepended clue? 😉
      verizon754et5g4eg
      ralphs754et5g4eg
      hotmail754et5g4eg
      epsilon754et5g4eg
      b1nladen754et5g4eg
      enron754et5g4eg
      byelorussky-L0tt0-claims754et5g4eg
      freeV14gra754et5g4eg

  17. Louis Leahy

    That’s a good list; however, unfortunately sophisticated attackers have systems that address all of the suggestions listed. As indicated by StillFiguring, and a matter that I have been pilloried for on this blog previously, systems relying on observation as part of the protection mechanism have become extremely problematic. This is principally because of the pace at which systems are evolving. Long gone are the days of commonplace consistency. The cycles of product and system revisions are now very short, perhaps partly because of the prevalence of agile development methodologies. The reason attackers are persistent in phishing attacks is because it is just too easy to access the login credentials in a multitude of ways, and the knowledge about how to do that is spreading exponentially. The way to stop phishing attacks is to deploy an authentication topology that contains elements that are not in the public domain that test who the user is that is seeking to access a system. As highlighted by kurt wismer, protection mechanisms that are in the public domain can easily be accounted for in programming logic.

    1. BrianKrebs Post author

      Yep. It’s easy to shoot holes in all of the methods I suggested. All security is an arms race and a cat and mouse game. But that doesn’t mean the methods above have no value. The problem with the “yeah but crooks can always find a way around that” viewpoint is that people read that and end up doing nothing.

      In this case, it really is like the old joke about outrunning the bear: You don’t have to outrun the bear, just the other guy. If you take steps to keep yourself out of the low-hanging fruit area, you’re probably going to encounter far fewer threats and problems than the next guy.

      1. Louis Leahy

        It’s a nice analogy, but the issue is you are not outrunning the bear by implementing such tactics. A better analogy would be a bear standing in the headlights waiting for the truck that, while a long way away, will eventually roll the bear over if he doesn’t move. These suggestions give end users the false impression that they are safe if they adopt such principles; the sad truth is that is not the case because of the ubiquitous use of 40-year-old authentication topology. Also, with some of the attack vectors for phishing now, it is not a matter of how well you protect your systems but how well others protect systems with information about you, and as your blog bears testament, unfortunately this is occurring all too frequently to some who would be viewed as being in a far superior position to most end users. Don’t get me wrong, I agree with you and I think every precaution that can be taken the better; however, the issue is that there are so many now that it is resulting in an inordinate and ultimately, for most end users, unworkable and even un-executable number of configuration and environmental settings and requirements. This is a good blog; you raise good issues, for example the MitB threats, which are very serious and which are being largely ignored by mainstream media. You treat them in depth and don’t censor comments, and that is a very valuable service to the community, which is why I persist in coming back despite being more often than not on the wrong end of comments from your fans. But I still will speak up about what I believe to be the correct approach as long as you run an open blog, and when our product is released I hope I can run some advertising here if you’re not too famous by then and we can afford it!

    2. JBV

      @ Louis Leahy: You say that “sophisticated attackers have systems that address all of the suggestions listed.”

      I have not heard of any system that addresses Brian’s rule #1 – not opening suspect emails. If any attacker has figured out a way to make emails open automatically, I’d certainly like to know about it and so would my mail service.

      1. Louis Leahy

        It’s pretty straightforward, JBV: they just send emails that look like legitimate emails. The OTA have some very good guidelines on how to prevent spoofing of email addresses which will stop most; however, the career criminals have worked out ways to send legitimate emails despite this. According to the results of police investigations I have read, they plant or bribe insiders to establish legitimate accounts for them. In any case, I have an email account that has been around since 1994 and it gets all manner of paraphernalia, many of which appear legitimate in every aspect. I collect these to include in my research and presentations. Wow, someone who collects spam! Maybe I am a little off skew.

      2. AlphaCentauri

        In business, it’s common for a contact of a coworker to send something to you as an attachment. If even Word and Excel attachments are dangerous, it’s a stupid practice. But many times the people sending them are the ones with all the money, and it’s not good business to tell them that they are a threat to civilization.

        1. -

          best to return the email with a trojan inside attachment that sends their money to you 😉

          win-win

      3. InfoSec Pro

        @JBV, it depends on your environment. I’ve not analyzed all the details but there are a couple of attacks that I believe could be effective without requiring any user action, under at least some client configuration options. The .LNK vector is one that I recall appeared to have potential for drive-by exploits, possibly dependent on clients that had a preview functionality enabled (MS Outlook can do that for you). Nowadays even browsers like Firefox do some prefetching to speed things up, and it seems only a matter of time before there’s an exploit that takes advantage of those features to infect users with no action required on their part at all.

        1. -

          i think i used a capability policy pref to turn off prefetch?? (i don’t recall). if so, still an example of poor oob settings.

          maybe browser (and as updated) should restrict prefetch to large files that have no ‘executable’ ability. but i don’t know how a browser could determine a fake mimetype? prefetch then check *only* file header? then reject based on whitelist.

    3. kurt wismer

      i provided some alternatives to a number of brian’s suggestions. perhaps you’d prefer those.

      the long and the short of it is that my email address practices rival many people’s password best practices.

  18. Jim E

    Hey guys, I’ve got the perfect solution. I’m old, on SS, have lousy credit, not much cash, and I know that the barrister who keeps emailing me to call him about my inheritance in whatever country he’s supposedly in is obviously not worth replying to. I also never open the emails from the young, hot blondes who are all tied up in some secret place waiting for me to come over and bail them out or whatever they want. Maybe I could make up some credit card nos. and passwords just to make the crooks think they hit a live one... but then I just might accidentally give them someone’s legit no., so, no, I guess I won’t do that either. But back to that blonde... maybe...

  19. brucerealtor

    It really is like the old joke about outrunning the bear: You don’t have to outrun the bear, just the other guy.

    good advice!

    1. -

      Give a bear a fish and you feed him for a day; teach a bear to fish and you feed him for a lifetime.

  20. PC.Tech

    Verizon among hacker victims
    http://news.yahoo.com/s/ibd/20110406/bs_ibd_ibd/568362
    Apr 6, 2011 6:36 pm – “The largest U.S. mobile carrier was among the companies that had the email addresses of customers exposed in a massive online data breach last week… a hacker penetrated online marketer Epsilon… which controls email databases for 50 companies. Verizon… said only email addresses were exposed.”

  21. CK

    Brian – Can you clarify if AMEX was affected or not? Is it only certain cards from AMEX?

  22. Clive Robinson

    OFF Topic,

    @ Brian,

    I don’t know if you’ve seen this one,

    http://uk.reuters.com/article/2011/03/31/uk-zodiac-idUKTRE72U7UK20110331

    Basically, an employee at a “Secure Cloud” online hosting provider got fired; a month later he logs on from his parents’ home and deletes 302 GByte of data tentatively belonging to the company that produces the children’s program Zodiac Island.

    I’m not sure of all the ins and outs, but apparently the data loss has caused the loss of an entire season of the program, which gets syndicated to over 100 TV outlets, and also other work going back a couple of years.

    The moral being do not trust anybody else to do your backups… Even if you have a cast iron contract still don’t trust them…

    Oh and always test all your backups properly…

    1. -

      no tv? that’s the worst kind of terrorism yet. what will those terrorists innovate next?

  23. Jason Hong

    Our group at Carnegie Mellon University (and our spinout company Wombat Security Technologies) has been studying how to teach people how to avoid phishing attacks for several years now.

    FYI we have two micro games that you can play to learn how to avoid phishing attacks. Our scientific studies with several thousand people have shown it’s pretty effective. The first two rounds in both games are free to try.

    The first micro game is Anti-Phishing Phil, which teaches people about web browsers, URLs, and fake URLs:
    http://www.wombatsecurity.com/antiphishingphil

    The second micro game is Anti-Phishing Phyllis, which teaches people about bad emails and common techniques the bad guys use to trick you:
    http://www.wombatsecurity.com/antiphishingphyllis

    Lastly, we also helped create the APWG landing page, which also teaches people how to avoid phishing scams. The idea behind this landing page is that once a bad site is taken down, ISPs or web sites can point the bad URL towards this training page.
    http://education.apwg.org/r/en/

  24. Mike B

    Great article, Brian! Another tip as an administrator could be to force one’s organization to except e-mails in plain text. By doing this, users have to switch to HTML manually within each e-mail. This will avoid code running automatically in the background. While one is at it, turn off that preview pane (pain) as part of a standard image.

    1. Louis Leahy

      Mike B, reverting to text only actually makes it a lot easier for attackers to imitate communications (presuming that the word except is intended to be accept). Processes such as preview panes in code should have 3-step warning settings for users to establish at the outset so they can determine the level of risk they are prepared to accept, and they should be able to be addressed at a group policy level for corporate LANs. Many have none, which is why a lot of exploits are being successfully executed, such as the Flash exploit Krebs & other media wrote about in the last couple of days.

      1. -

        wouldn’t plain text reduce clicking on bad links in imgs?
        and any text links would show the true badlink.

  25. JCitizen

    I thought that was pretty much what Hotmail and Office Outlook did already. At least that seems to be the case with my Hotmail and Office 2003, both totally separate accounts.

  26. jeff

    about the gmail trick with the +
    you can put dots anywhere in your email;
    I give my personal email without dots to friends
    with a dot between first and last to trusted, and if it’s
    first.las.t@gmail then you know it’s probably spam!
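The dot and plus variants the commenter describes, as an added Python example that is not code from the post or from any commenter: Gmail folds the local part to lower case, ignores dots and discards anything from the first `+` on, so every spelling lands in one inbox, and the exact spelling a message was addressed to tells you which copy of the address the sender holds. The owner address, the handed-out list and the recipient spellings below are constructed sample values, and the function names are this example's own.

```python
"""Attribute which variant of a Gmail address a message was sent to.

Gmail ignores dots in the local part, drops everything from '+' on, and
treats gmail.com and googlemail.com as the same mailbox.  Other providers
mostly treat dots and '+' as significant, so only Gmail is folded here.
"""
from typing import Dict, Tuple

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> Tuple[str, str]:
    """Return (canonical_address, variant_as_written).

    canonical_address is the mailbox the message actually reaches;
    variant_as_written is the lower-cased local part exactly as the
    sender spelled it, dots and '+tag' included.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        base = local.split("+", 1)[0].replace(".", "")
        return f"{base}@gmail.com", local
    return f"{local}@{domain}", local


def attribute_leak(received: str, owner: str, handed_out: Dict[str, str]) -> str:
    """Report which party was given the spelling `received`.

    `owner` is the mailbox owner's address in any spelling; `handed_out`
    maps each local-part spelling the owner deliberately gave out to the
    party that received it.
    """
    canonical, variant = canonicalize(received)
    if canonical != canonicalize(owner)[0]:
        return "not this mailbox"
    party = handed_out.get(variant)
    if party is None:
        return "unknown variant: address was guessed or scraped, probably spam"
    return f"variant handed to {party}"


# Constructed sample: an owner of johndoe@gmail.com following the scheme
# above (no dots for friends, one dot for trusted senders, a +tag elsewhere).
OWNER = "johndoe@gmail.com"
HANDED_OUT = {
    "johndoe": "friends",
    "john.doe": "trusted parties",
    "johndoe+bank": "the bank",
}

# Constructed sample of recipient spellings taken from message headers.
SAMPLE_RECIPIENTS = [
    "JohnDoe@gmail.com",
    "john.doe@googlemail.com",
    "johndoe+bank@gmail.com",
    "j.o.h.n.doe@gmail.com",
    "johndoe@example.com",
]


def triage(recipients=SAMPLE_RECIPIENTS) -> Dict[str, str]:
    """Map each recipient spelling to a verdict on where it came from."""
    return {r: attribute_leak(r, OWNER, HANDED_OUT) for r in recipients}


if __name__ == "__main__":
    for addr, verdict in triage().items():
        print(f"{addr:32} {verdict}")
```

The scheme attributes a leak rather than blocking anything: a `+tag` is trivial for anyone who knows the convention to strip, so it only tells you which list a sender bought, and the dot spellings are the more useful signal precisely because nobody outside the owner's own bookkeeping knows which one was given to whom. Folding only Gmail domains matters too; normalising `alice.b@example.com` to `aliceb@example.com` would merge two different mailboxes at most other providers.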
