Wednesday, April 15, 2009

How to handle suspicious e-mail

Phishing dos and don'ts

Phishing, pronounced "fishing," is a type of online identity theft that uses e-mail and fraudulent Web sites designed to steal your personal information, such as credit card numbers, passwords, or account data.
Follow these guidelines to help protect yourself from phishing scams sent through e-mail.


1. If you think you've received a phishing e-mail message, do not respond to it.
If an e-mail looks suspicious, don't risk your personal information by responding to it.


2. Approach links in e-mail messages with caution.
Links in phishing e-mail messages often take you to phony sites that encourage you to transmit personal or financial information to con artists. Avoid clicking a link in an e-mail message unless you are sure of the real target address, or URL.

Most e-mail programs show you the real target address of a link when you hover the mouse over the link.

Before you click a link, make sure to read the target address. If the e-mail message appears to come from your bank, but the target address is just a meaningless series of numbers, do not click the link.

Make sure that the spelling of words in the link matches what you expect. Fraudsters often use URLs with typos in them that are easy to overlook, such as "micosoft." For more information, see Typos can cost you.
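The checks in guideline 2 can also be run automatically over a message body. The following Python code is an added example, not part of the original post: it flags links whose real target is a numeric address, whose target is a near-miss spelling of a trusted site, or whose displayed address differs from the target. The `TRUSTED` list, the 0.85 similarity threshold, and the sample message are assumptions made for illustration.

```python
import difflib
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"microsoft.com", "example-bank.com"}  # assumption: sites the reader really uses
def site(url):  # -> (host, last two host labels); real tools use the Public Suffix List
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").rstrip(".")
    return host, ".".join(host.split(".")[-2:])

def check_link(href, text):
    """Warnings for one link: href is the real target, text is what the message displays."""
    warnings, (host, domain) = [], site(href)
    try:
        ipaddress.ip_address(host)
        warnings.append("target is a numeric address")
    except ValueError:
        close = (difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in TRUSTED)
        if domain not in TRUSTED and any(close):
            warnings.append("target looks like a misspelled trusted site")
    if "." in text and " " not in text and site(text)[1] != domain:
        warnings.append("displayed address differs from target")
    return warnings

class LinkExtractor(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_email(html):
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]

# Constructed sample message body (192.0.2.10 is a documentation address).
SAMPLE = """<a href="http://192.0.2.10/login">https://www.example-bank.com/login</a>
<a href="http://www.micosoft.com/update">Security update</a>
<a href="https://www.microsoft.com/security">www.microsoft.com/security</a>"""
if __name__ == "__main__":
    print(*scan_email(SAMPLE), sep="\n")
```

A similarity check like this only catches misspellings of sites already on the trusted list, so a clean result is not proof that a link is safe.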


3. Don't trust the sender information in an e-mail message.

Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message.
Fraudsters can easily spoof the identity information in an e-mail message.


4. Verify the identity and security of the Web site.

Some sites feature verified identity and security information. When you visit a verified site using Internet Explorer 7, the browser address bar turns green and the identity information appears on the right-hand side of the address bar. This makes it easy to check the identity information and ensure that it matches the site that you expected to see.

Make sure the site is secure before you type. You can do this by checking the yellow lock icon on the status bar, as shown in the following example.
Example of a secure site lock icon. If the lock is closed, then the site uses encryption.


The closed lock icon signifies that the Web site uses encryption to help protect any sensitive, personal information that you enter, such as your credit card number, Social Security number, or payment details.

Note that this symbol doesn't need to appear on every page of a site, only on those pages that request personal information.

Unfortunately, even the lock symbol can be faked. To help increase your safety, double-click the lock icon to display the security certificate for the site. The name following Issued to should match the name of the site.

If the name differs, you may be on a fake site, also called a "spoofed" site. If you're not sure whether a certificate is legitimate, don't enter any personal information. Play it safe and leave.

Tip: If you don't see the status bar at the bottom of your browser window, click View at the top of the browser, and then select Status Bar to activate it.

5. Type addresses directly into your browser or use your personal bookmarks.


If you need to update your account information or change your password, visit the Web site by using your personal bookmark or by typing the URL directly into your browser.


6. Use an updated browser.

Regularly updated Web browsers incorporate an ever-expanding set of features, such as the Phishing Filter, designed to help protect you when you click links in e-mail messages.


7. Don't trust offers that seem too good to be true.

If a deal or offer in an e-mail message looks too good to be true, it probably is. Exercise your common sense when you read and respond to e-mail messages.

8. Report suspicious e-mail.

Forward a copy of the e-mail to the faked or "spoofed" organization. In Australia contact the Australian Communications and Media Authority on sub-111383-DB892846EB0E3F9BFF6B@submit.spam.acma.gov.au


9. Don't enter personal or financial information into pop-up windows.

One common phishing technique is to launch a fake pop-up window when someone clicks a link in a phishing e-mail message. To make the pop-up window look more convincing, it might be displayed over a window you trust. Even if the pop-up window looks official or claims to be secure, avoid entering sensitive information, because there is no way to check the security certificate. Close pop-up windows by clicking the red X in the top right corner (a "Cancel" button may not work as you'd expect).


10. Update your computer software.

Visit Microsoft Update to scan your computer and install any high-priority updates that are offered to you.

Thursday, April 9, 2009

Criminals extort money from users, through 'scareware'

Criminals are continuing to extort money from vulnerable users, through 'scareware' practices that trick users with bogus security threats.

The threat of rogue security software, or 'scareware', has risen dramatically over the past year or so, according to a new report from Microsoft, but there was good news for the industry after a fall in the number of vulnerability disclosures.

Scareware is used by criminals to extort money from vulnerable users by persuading them that their PC is at risk or infected, and urging them to buy bogus security software.

The Microsoft Security Intelligence Report Volume 6 claimed that these threats are now among the most prevalent in the computing world.

The report highlighted Win32/FakeXPA and Win32/FakeSecSen, which Microsoft has detected on more than 1.5 million computers, pushing them into the top 10 threats in the second half of the year.

Win32/Renos, meanwhile, which is used to deliver rogue security software, was detected on 4.4 million unique computers, an increase of 66.6 per cent over the first half of 2008.

"The criminals are playing on people's fears. People are aware of security, and these guys want to prey on that," said Microsoft security and privacy lead Cliff Evans.

"We are not seeing a whole new attack vector, but things are changing. There is a different emphasis on rogue software now, and a shift from operating system to third-party application vulnerabilities."

This continuing trend of attacking the application layer means that users should always keep application versions up to date, apply new patches as soon as possible and keep anti-malware software current, Evans advised.

While the "vast majority" of corporates understand the importance of these precautions, education is still required for many consumers who do not understand the value of automatic updates and the like, according to Microsoft chief security advisor Ed Gibson.

"The report shows again that, because of the steps we're taking to make the operating systems more secure, and working with partners and suppliers to improve their [security] processes, [criminal] organisations are moving towards the weakest link: you and me," he said.

There was a note of optimism in the report, however. Industry-wide figures for unique vulnerability disclosures were down by 12 per cent from 2007, while high severity vulnerabilities were down 16 per cent.

Graham Titterington of analyst firm Ovum agreed that the drive to improve standards is having an effect on the quality of applications and systems being built.

"To win the battle IT systems need to be engineered to be significantly less vulnerable, and we are making progress on that," he explained. "Much is being done to improve the standards in the engineering of systems and security products."

Jay Abbott, threat and vulnerability leader at consultancy PricewaterhouseCoopers, praised Microsoft for the work it had done in improving the security of its products. But he warned that major risks still exist in web applications and browsers.

"People are focused on delivering the product, and security is a secondary problem so the code is often weak," he said. "Certainly we need better coding practices, but even secure code can have holes picked in it."