Linux Today: Linux News On Internet Time.

Editor's Note: Your Account Needs to Be Verified

Apr 09, 2004, 23:30

By Brian Proffitt
Managing Editor

There are many things that bring me joy in my life: my family, my community, my church. And there are some things that bring me downright evil glee, for reasons that I can hardly explain.

One of those gleeful things is consistently thwarting scammers who try to get me to reveal personal information with a fake e-mail. These are just great for me to mess with, primarily because I am secure in the knowledge that I have Mozilla on Linux and I am (probably) smarter than these scammers think.

In case you have never seen these, the e-mails appear to come from a legitimate source--PayPal is a common one--that claims that because of a security audit, or a problem with their servers, or the moon's orbit shifting, they need me, the recipient, to verify my personal information. Sometimes under the potential penalty of my PayPal/eBay/whatever account expiring.

On the very surface, these e-mails look legitimate. They carry a sender's address at the appropriate company (a From: header costs nothing to forge), all the nifty little logos are in place, and the language is clear, concise, and has that tone which only a corporate cog can seem to generate.

But, as probably many of you know, they are not real. Not one bit.

Putting aside the fact that PayPal, or eBay, or whoever already has your information and would never need to ask you for it again by e-mail, these messages are often replete with tell-tale errors that are big red flags that should warn you off. Of course, if you are using Windows, these tell-tales might not be so obvious.

Many times, these are sent in multiple batches. I will get one for bproffitt@jupitermedia.com, then webmaster@linuxtoday.com, linkus@linuxtoday.com, and so forth and so on. The obvious problem here is that I know all these latter accounts are not used for outbound mail, and certainly not to sign up for anything. They're all redirects to my main bproffitt account. So, unless someone has hijacked webmaster@linuxtoday.com for their own private account, this is Big Clue No. 1 that this message is fake.

Not-so-obvious is the fact that I don't use my business account for private transactions on PayPal/eBay/whatever. I don't know if my corporate masters are monitoring my messages, but I don't think they need to know how much I paid for that inflatable--er, never mind.

But the best, the most fun way of finding out if these messages are fake is to look at where the link in the message actually goes. If you happen to be using Internet Explorer, please don't click it. Its address bar could be made to show one URL while the page came from somewhere else entirely, so you may still think you are actually going to PayPal/eBay/whatever. The rest of us, using Mozilla or Konqueror or some other sane tool for browsing, will see the actual URL where the "verification form" lives (better still, read the href out of the message source or the status bar without loading the page at all). These URLs are vague and obscure, usually with a bare IP address or an unrelated domain instead of the company's own name. Big Clue No. 2.
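As an added example (this is not code from the column or from Linux Today), here is a small Python script that applies the two clues above to a constructed phishing message. It flags recipients that are forward-only aliases their owner never uses to sign up for anything, extracts every link from the HTML body, and reports links whose real host is a bare IP address, whose URL carries a user-info part before an "@" (the trick that made the IE address bar of the day show the wrong site), or whose visible text names a different host than the href points to. The message, the aliases and the IP addresses are all made up for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message of the kind the column describes.
# Not a real lure; the addresses and IPs are documentation placeholders.
SAMPLE = """\
From: PayPal Security <service@paypal.com>
To: webmaster@linuxtoday.com
Subject: Your Account Needs to Be Verified
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Due to a recent security audit we need you to verify your information.</p>
<p><a href="http://www.paypal.com@203.0.113.45/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a></p>
<p><a href="http://198.51.100.7/verify.php">Click here to verify</a></p>
<p><a href="https://www.paypal.com/help">PayPal Help Center</a></p>
</body></html>
"""

# Assumed list of addresses that only forward to a real mailbox and are
# never used to register anywhere (Big Clue No. 1 from the column).
FORWARD_ONLY = {"webmaster@linuxtoday.com", "linkus@linuxtoday.com"}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_flags(href, text):
    """Return the reasons a single link looks like a lure (empty list if clean)."""
    flags = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    # Anything before '@' in the authority is user-info, not the host.
    # The browser connects to what follows the '@'; a forged prefix like
    # "www.paypal.com@" is there only to fool the eye (and old IE's address bar).
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")
    # Real companies link to their own domain, not to a bare IP (Big Clue No. 2).
    if IPV4.match(host):
        flags.append("ip-literal-host")
    # If the visible text is itself a URL, its host should match the real one.
    if text.startswith(("http://", "https://")):
        if (urlsplit(text).hostname or "") != host:
            flags.append("text-host-mismatch")
    return flags


def analyze(raw):
    """Parse a raw RFC 822 message and return a list of (kind, subject, flags)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for addr in (msg.get("To") or "").split(","):
        a = addr.strip().lower()
        if a in FORWARD_ONLY:
            findings.append(("recipient", a, ["forward-only-alias"]))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            flags = link_flags(href, text)
            if flags:
                findings.append(("link", href, flags))
    return findings


if __name__ == "__main__":
    for kind, what, flags in analyze(SAMPLE):
        print(f"{kind:9} {what}  ->  {', '.join(flags)}")
```

On the sample, the forward-only recipient and the two bogus links are reported while the genuine help-center link passes. The user-info check matters even on browsers that display the URL honestly, because a long "www.paypal.com@..." prefix still reads as the real site to a hurried eye.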

So why am I pointing out what should be rudimentary security precautions? Because, unfortunately, there are too many people out there that will blithely accept such messages as a given and just type in all of their credit card and financial information. This is frustrating to me in the extreme, because I know this mindset has been assisted by flaws built into IE.

But it also illustrates another point that concerns me about security. These messages are an example of social engineering, in which attackers use trickery and deception to obtain vital security information. Social engineering is nothing new, but the pervasiveness of the Internet is making it an easier path to take.

Assume there is only a 0.5% success rate for these verification scams. Based on 1 million spammed messages, that means that 5,000 people could take the bait. Figuring an average credit limit of US$10,000 for each credit card, then potentially the scammers have just gotten access to US$50 million. Not a bad haul.

Social engineering worries me because no matter how secure the operating system, it is only as strong as the knucklehead who's administering it. People can be fooled, whether they are running a custom-hardened SELinux box or a default-settings Windows NT 4.

However, I do think Linux has a slight security advantage when it comes to such social engineering tricks. Unlike IE with its address-bar spoofing problem, where a crafted link could make the bar show one site while the page came from another, open-source browsers are able to point out things that aren't quite right about pages we visit.

Linux administrators know enough about how their systems work to spot that the person on the phone pretending to be their district IT manager could not have lost a password in the way they describe.

Using open source and knowing what we know about our applications gives us all a nice advantage against social engineering stunts. Are we invulnerable? No. But we have an edge, and I think it's an edge we should shout from the mountaintops--yet another advantage for using Linux.