Email as an attack vector
Email messages themselves have become a serious attack vector. Email attachments are still the biggest hazard, but new malicious "technology" is now used directly in messages. Just reading -- or even "pre-viewing" -- the message launches the attack. Combined attacks are also used. If reading the message doesn't get you because your protection is effective, opening the attachment will. Malware writers and scammers are also adopting the tricks used by spammers, which is making email an even more potent attack vehicle.
Hostile email can easily hide a malicious attack. For example, an email in HTML format can contain computer code that accomplishes the same thing that a malicious attachment would. Reading the message, or simply pre-viewing it, can activate any hidden malicious content. You can defeat malicious messages by setting up your email client (program) properly though.
A new kind of malicious email uses an indirect approach. The practice is called "Phishing". These messages are designed to entice you to do something that initiates the attack. A message may link you to a malicious Web site. You may be asked to reply with personal information to fix a problem, or the message may offer something too good to be true. As soon as you click a link, you've triggered the hidden agenda. The only way to avoid these problems is to be on the lookout for bogus messages.
These scams can be very convincing. Many
phishing scams have been designed to look
like urgent messages from PayPal, banks,
credit card companies and other financial
entities. They often lead to fake Web sites
which look just like the real ones. All they
want is your account details to straighten
out some problem. A legitimate business will
never send such a message.
Don't follow the instructions or links given
in any email message that appears to come
from your bank or other business, even though
it looks urgent and legitimate. Start your
browser, and go to the web site directly.
Use your own "favorites" (bookmarks)
or type their address in yourself. If there’s
no information about the alleged problem
at their site, you may want to contact the
business directly if you're still concerned.
Key facts about email messages
1. A legitimate business will *never* ask you to reply to an email with your date of birth, credit card data, password, or other personal data. Never reply to one that does. If an email directs you to a Web site to supply the information, make sure that you don't end up at a fake Web site, for example, www.my-bank.com, or www.mybank.bus instead of www.mybank.com.
2. Almost anything in the "headers"
of an email message can be "spoofed",
including the "From" and "Reply
To" addresses. A bogus message may thus
appear to come from a legitimate business,
or from someone you know. Be a little paranoid
about any message you wouldn't have expected
to receive.
3. You will never get email warnings about viruses and worms unless you have subscribed to an alert service or a newsletter. Bogus warnings often direct you to do something that damages your computer. Others have attachments that are supposed to protect you against the threat, but install Trojan horses instead. Do not fall for them, and do not forward them. I've captured an alert from Symantec so you can see what a legitimate one looks like. If I didn't know for sure that I was subscribed, even if it looked as good as this one, I'd just delete it though.
4. Many bogus email messages are disguised as solutions to problems that are plausible or in the news -- charge account problems, investigations, loss of benefits, identity theft, anthrax, computer viruses, etc. They usually call for urgent action. Of course, they don't have your best interest in mind.
5. "Clicking on a link in a spam email is the equivalent of handing a burglar the keys to your house." -- David Roberts, chief executive at The Corporate IT Forum -- http://www.vnunet.com/News/1142716
This is the Internet version of "The old one, two punch." The link in the spam takes you to a Web page that downloads and installs malicious code in the background. You won't find out about it until later, if ever. If it's a key logger (silently emails everything you enter from the keyboard) for example, you could suffer major damage.
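The look-alike Web addresses in item 1 and the spoofable "From" and "Reply To" headers in item 2 can be checked mechanically. The following Python is an added example, not part of the original page; the sample message is constructed, and the function names and the choice of mybank.com as the trusted domain are assumptions for illustration.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email); mybank.* names are the page's examples.
SAMPLE = """\
From: "MyBank Security" <alerts@mybank.com>
Reply-To: helpdesk@my-bank.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account is on hold.
<a href="http://www.mybank.bus/login">http://www.mybank.com/login</a></p>
"""

def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()

def host_of(url):
    """Host of a URL, lower-cased, without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_trusted(host, trusted):
    """Exact match or a true subdomain; 'mybank.com.evil.example' fails."""
    return host == trusted or host.endswith("." + trusted)

def check_message(raw, trusted):
    """Return a list of warnings for one raw (non-multipart) message."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    links = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.I | re.S)
    for href, text in links:
        target = host_of(href)
        if not is_trusted(target, trusted):
            findings.append(f"link goes to {target}, not {trusted}")
        # Visible text that is itself a URL should name the same host as the href.
        shown = host_of(text.strip()) if "://" in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but href points to {target}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE, "mybank.com")))
```

An empty result does not prove a message is genuine, because the "From" address itself can be spoofed; the check only catches the mismatches described above.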
Horror Story: What would you do if there was a $600, $1,500 or an even larger charge on your phone bill? If you're the victim of "modem hijacking", that's what you'd see. Never mind that the charge is obviously fraudulent -- these kinds of charges are very tough to reverse. This nasty trick is quasi-legal but egregiously deceptive.
How does it happen? When you click the wrong link in an email or on a trick Web page, a program called a "dialer" is installed. At some point in time the dialer makes a call using your modem without you knowing it. The call is billed at a horrendous rate and you get stuck with the bill.
This "ActiveX" security hole is unpluggable, and it's one reason I use Mozilla instead of Internet Explorer for browsing, and Courier instead of Outlook Express for email. Only Internet Explorer and Outlook Express are affected (OE uses the IE engine to render HTML). You can test Internet Explorer online.
"New way to steal passwords. A Discover
credit card customer receives an e-mail telling
him that his account is on hold due to inactivity,
and that in order to reactivate his account,
he must log in to this phony Web site.
The information collected includes plenty
of data that would enable identity theft:
Social Security number, mother's maiden name,
account number, and passwords. Similar scams
have targeted PayPal and eBay [and BestBuy]
customers."
-- an excerpt from CRYPTO-GRAM
Someone tried a similar scam on Earthlink
customers too.
http://www.msnbc.com/news/884810.asp
http://tinyurl.com/7mgh
http://www.gripe2ed.com/scoop/story/2003/6/19/114611/346
This greeting card scam isn't hypothetical. It's happening to HTCC members. It has nothing to do with Blue Mountain, Hallmark or any of the *reputable* greeting card sites. And it's not the only scam like this that's going to come around. Be careful out there this holiday season.
The scam: You get an email from someone you know, maybe very well. The email invites you to pick up a greeting card on the Web. When you read the message and click to go to the Web site, there's a long EULA (user agreement). You're required to click "I Agree" to get the card.
http://www.pcmag.com/article2/0,4149,661694,00.asp
http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html
You don't have time to fully parse the EULA
(who reads those things anyway?), so you
just click "I Agree". The greeting
card then downloads. Later on you find that
the greeting card has been sent to everyone
in your address book. Some Web sites also secretly but "legally"
install a spy program on your computer. This program captures passwords, keystrokes,
email, instant messages, etc., and sends
them by email to the originator of the greeting
card. It's marketed as a way for people to
spy on other people.
This greeting card scam is not a virus or worm, at least not in the usual sense. There's no attachment, and you gave your permission when you clicked "I Agree". Never mind that they intended to fool you by making it obscure. That's just good "social engineering" -- don't send worms -- just get people to do it to themselves. It didn't help to have an antivirus program and a firewall. They just came in the open door called credulity.
http://www.msnbc.com/news/826033.asp
You get an email from someone you know, maybe very closely. The email invites you to pick up a greeting card on the Web. When you get the message and go to the Web, there's a long user's agreement that you have to OK to get the card, but who reads those, right?
So you click OK and get the greeting card. The Web page also instantly installs a spy program on your computer. This program captures your passwords, keystrokes, email, instant messages, etc., and sends them by email to the originator of the greeting card.
This is technically not a virus or worm, at least not in the usual sense. You gave them permission to install the spyware yourself. Never mind that they made what was going to happen very obscure. That's called "social engineering" -- getting people to do unto themselves.
Scams and Fraud >>
The Internet is a natural breeding ground
for Scam Artists. The Internet is anonymous by nature. The
perpetrators can hide very effectively by
"spoofing" their address. Just
like other scammers, they come and go before
anybody can catch them. "If it's too
good to be true, it ain't." That's the
one thing you need to know to protect yourself
from scams online.
Hoaxes >>
Hoaxes can cause a lot of damage too, even
though they aren't real viruses. Some are
designed to get you to delete legitimate
files from your own computer. The damage
from others is caused by the vast amount
of chain (e)mail they create. The exponentially
growing number of messages can bog down entire
email systems.