"Phishing" is made all too easy by Microsoft Explorer browser
By Jeff Gelles
Date: February 03, 2004
Source: Fort Wayne.com
(KRT) - The e-mail on Friday was urgent and direct.
The header said it came from the Federal Deposit Insurance Corp. The subject field said it contained "Important News" about my bank account.
The message itself said authorities were looking into suspected "currency violations" and "violations of the Patriot Act." As a result, the FDIC was temporarily suspending my deposit insurance.
The good news, though, was that I could fix this. All I needed to do was verify my identity and account information through the "IDVerify" procedure, by clicking on the official-looking link that began: "http://www.fdic.gov/."
Many of my eagle-eyed colleagues throughout the newspaper immediately recognized this as a scam. So, one hopes, did the vast majority of other people around the country who got this insidious bit of e-mail. Certainly enough of them notified the FDIC that the agency issued a fraud alert in near-record time.
Is this just the latest example of the Internet scam known as "phishing," in which con artists troll for personal and financial information by mimicking the Web sites of companies such as eBay or AOL?
It certainly is a classic case: Whoever sent the e-mail is after the same thing - a way to steal your money - even if the FBI is presumably investigating this one more aggressively than most, given the e-mail's invocation of Tom Ridge and the Department of Homeland Security.
But it's a welcome development if the brazenness of the FDIC e-mail raises the profile of this scam, and draws more attention to the flaws in Internet browser design that make it so treacherous.
Where did that "FDIC" link take you, if you clicked on it?
To a page that a casual Internet user would swear was an FDIC page.
In the address field of my Internet Explorer browser, the URL, or Web address, began with "www.FDIC."
All the buttons at the top of the page - to "Deposit Insurance," "Consumer Protection," "Regulation & Examinations" - worked just as they should. So did the ones at the bottom. Each brought you to the genuine FDIC page.
For the scam to work, only one section of the page - the field that asked me to type in my name and the "Continue" button alongside it - had to be phony. And it was.
Phishing works for two reasons.
One is that some proportion of us are inherently gullible. If the con artists send out a few million e-mails with bait, especially bait salted with Official Allegations of Wrongdoing, they can probably hook a few hundred or thousand people.
The other is that the leading browser, Microsoft's ubiquitous Internet Explorer, will display in its address field an address that begins with a trusted name such as "www.fdic" even when the page actually comes from somewhere else entirely, vastly increasing the chances that some Internet users will be fooled. Microsoft just makes this too easy.
How many Internet users were harmed is hard to tell, though millions were clearly put at risk.
Brightmail, which provides spam-blocking services to corporations and Internet service providers, said Friday that it had intercepted the FDIC e-mail 3.5 million times since about 1 p.m. EST that afternoon, when it updated its system to stop it.
By then, the phishers had no doubt done plenty of damage. And cons like theirs aren't a minor problem.
A day before the FDIC phishing attack, the Federal Trade Commission released its annual list of the most common consumer complaints. For the fourth year in a row, identity theft topped the list, generating 215,000 reports - 42 percent of all the complaints handled by the agency.
Phishing isn't the only way that identity thieves can obtain your personal and financial information, of course. But there's little question that it's a useful ploy, and a lot less messy than dumpster-diving. Recent attacks have also targeted AOL subscribers, eBay users and customers of Best Buy.
As with any spam, the first line of defense is your own vigilance:
Be skeptical of anything you get in e-mail from unfamiliar sources, and never respond to an e-mail that asks you to provide personal or financial data by clicking on a link.
If you believe the request might be legitimate, contact the company on your own, either by phone (using a number you obtain independently of the e-mail) or by entering the company's Web address on a fresh browser page.
Activate the "Status" bar on your browser screen (from the View menu in Internet Explorer). Located at the bottom of the browser, it displays the actual Web address a link or button points to when you hold the mouse pointer over it, and can be a key to identifying a link - like that "Continue" button on the phony FDIC page - that isn't what it claims to be.
Watch your credit-card bills and bank statements closely - they're a second line of defense against identity theft. (For more information, go to www.ftc.gov/idtheft, or call 1-877-382-4357).
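The status-bar check above can be done for a whole page at once. The script below is an added example, not code from the column or from the FDIC: it takes the HTML of a page, resolves every link and form target against the page's base address the way a browser does, and flags any target whose real host is not the organisation the page claims to be. The page markup, the hosts and the paths are constructed to match the column's description (navigation buttons that really go to fdic.gov, and one "Continue" form that does not); the column does not give the actual addresses the scammers used. The form's address is written in the standard "user@host" URL form, which is one well-known way an address can begin with a trusted name and still resolve to another host.

```javascript
// Added example (not from the original column): audit a page's links and
// forms the way the browser's status bar does, one at a time, and report
// any that really lead somewhere other than the organisation the page
// claims to be.

// The organisation the page claims to belong to. Subdomains of it count;
// names that merely START with it (www.fdic.gov.example.net) do not.
const TRUSTED_HOST = 'fdic.gov';

// Constructed sample page, assumed to have been served from an address
// beginning with www.fdic.gov. Hosts and paths are invented.
const SAMPLE_HTML = `
<html><body>
<a href="http://www.fdic.gov/deposit/">Deposit Insurance</a>
<a href="/consumers/">Consumer Protection</a>
<a href="http://www.fdic.gov/regulations/">Regulation &amp; Examinations</a>
<form action="http://www.fdic.gov@203.0.113.10/idverify" method="post">
  Name: <input name="name"> <input type="submit" value="Continue">
</form>
<a href="https://www.fdic.gov.example.net/about/">About FDIC</a>
</body></html>`;

// True only for the trusted host itself or a label beneath it.
function isTrustedHost(hostname, trusted = TRUSTED_HOST) {
  const h = hostname.toLowerCase();
  return h === trusted || h.endsWith('.' + trusted);
}

// Pull every href= (links) and action= (forms) out of the markup.
// A regular expression is enough for this demonstration; a real audit
// would walk the parsed DOM instead.
function extractTargets(html) {
  const re = /<(a|form)\b[^>]*?\b(href|action)\s*=\s*["']([^"']*)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ tag: m[1].toLowerCase(), raw: m[3] });
  }
  return out;
}

// Resolve each target against the page's base URL exactly as the browser
// will before following it, then compare the REAL hostname (what the
// status bar would show) with the trusted one. The "www.fdic.gov@..." form
// parses as username "www.fdic.gov" and host "203.0.113.10".
function auditPage(html, baseUrl, trusted = TRUSTED_HOST) {
  return extractTargets(html).map(({ tag, raw }) => {
    const url = new URL(raw, baseUrl);
    return {
      tag,
      raw,
      host: url.hostname,
      suspicious: !isTrustedHost(url.hostname, trusted),
    };
  });
}

// Run the audit over the constructed page and print one line per target.
const REPORT = auditPage(SAMPLE_HTML, 'http://www.fdic.gov/');
for (const r of REPORT) {
  const flag = r.suspicious ? 'SUSPICIOUS' : 'ok        ';
  console.log(`${flag} <${r.tag}> ${r.raw} -> ${r.host}`);
}
```

On the constructed page the three navigation links resolve to www.fdic.gov and pass, while the "Continue" form and the look-alike "About FDIC" link are flagged: the first because its real host is the address after the "@", the second because "www.fdic.gov" is only a prefix of its hostname. That is exactly the distinction a reader squinting at an address bar is being asked to make, and it is why the comparison is done on the parsed hostname rather than on whether the address "begins with" a familiar name.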
Those steps can help you avoid being fooled, but users' vigilance isn't enough to stop the toll of damage from phishing.
It's time for Microsoft to quit helping bait the hook.