Home Office: Booming Web Scam

If it's not spyware we have to worry about, it's phishing (no, not pishing). Phishing is when scammers send e-mails cleverly disguised as coming from a real company--but are actually from someone trying to snarf up credit card numbers or passwords. The word is a metaphor for fishing, with the scammer offering you authentic-looking bait and hoping you'll bite. Unfortunately, too many of you grab the hook.

As a buddy said to me recently, it's a scammer's paradise out there.

It Almost Happened to Me

Don't feel bad if you fell for a phishing scam. They're on the increase; see "Phishing Attacks Skyrocket."

I got a brilliant e-mail from a PayPal phisher the day before I started writing this column. Unlike most of the poorly written, typo-laden, bizarrely formatted phishing e-mails I get, this one looked so real that it almost fooled me. In fact, part of the message--"We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party"--kinda made sense.

For the sake of research, I broke one of my cardinal rules and clicked on the link in the e-mail. This isn't something I encourage you to do: I had special protection (more on that later).

But first, I want to show you how phishing is done so you'll have a better sense of why you never want to click a link in a suspicious-looking e-mail.

Pull Back the Curtain

When I clicked on the link that appeared in the e-mail, I was brought to a site that appeared to be PayPal, but wasn't. Instead, it was the scammer's site designed to look like PayPal. (The site was closed at press time.)

The Java coding on the fake site, and in the message I received, is really good (says my Java expert, David Jung). Basically, the person behind the message copied a PayPal screen to get all the right links and the appearance, and then added the fields that capture your user ID and password.

Feeling Curious?

Some of you may be interested in seeing the guts of a phishing message. If you view the source code, you'll see the mysterious workings of an HTML coder. Here's how: In Eudora, right-click on the message, choose View Source; in Outlook Express, right-click on Message and choose Properties, click the Details tab, click Message Source, and click the maximize button on the right hand corner of the message; in Outlook, open the message, right-click anywhere in the message, and choose View Source.

If you viewed the source code, what you'd see in my e-mail--and on the fake PayPal page--is where the phisher actually took me when I clicked on the link. Here's the long-winded, disguised URL: HREF="https://%32%31%31%2E%32%38%2E%31%35%35%2E%32%31%30/%2E%76%65%72%69%66%69%63%61%74%69%6F%6E/%68%69%64%65/%69%6E%64%65%78%32%2E%68%74%6D"

It was easy to translate the bogus URL in the source code: I just copied and pasted it into Karen's URL Discombobulator, a free utility with a great name that reminds me of something out of a Woody Allen flick. What I got was very interesting--and didn't have anything to do with PayPal.

Remember: This phishing site isn't around anymore, so the info that the Discombobulator gives you isn't very useful now. But if you want to try the program on code in suspicious e-mail you receive, you can grab a copy from Karen Kenworthy's Web site.

BTW, if you're interested in Java coding, you'll like this: The phisher used "OnMouseOver" to fake you out--and they've used it well. In some e-mail programs, when you open the phishing message and move your cursor over the bogus link, this code makes a yellow tool tip appear that shows the PayPal URL, creating the warm illusion that clicking on the link will lead you to a safe page.
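Here's an added example (my own script, not the column's or Karen Kenworthy's utility) that does what the Discombobulator did to the link above and also applies the two red flags from this column: it decodes the percent-encoded href, checks whether the real host is a raw IP address, and compares it with the address the message shows you. The sample message is constructed; the href is the one quoted above, and the visible link text stands in for whatever your mail program displays.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: the href is the disguised address quoted in the column;
# the visible text is an assumed PayPal-looking address the reader would see.
SAMPLE_HTML = (
    '<p>Please log in to review your account: '
    '<a href="https://%32%31%31%2E%32%38%2E%31%35%35%2E%32%31%30/'
    '%2E%76%65%72%69%66%69%63%61%74%69%6F%6E/%68%69%64%65/'
    '%69%6E%64%65%78%32%2E%68%74%6D">https://www.paypal.com/cgi-bin/webscr</a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def discombobulate(url):
    """Undo the %XX encoding so the real destination is readable."""
    return unquote(url)

def host_is_raw_ip(url):
    """True when the decoded URL points at a bare IP address, not a domain name."""
    host = urlsplit(discombobulate(url)).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze(html):
    """One finding per link: decoded target, raw-IP flag, shown-vs-real host mismatch."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = discombobulate(href)
        shown_host = urlsplit(text.strip()).hostname  # None if the text is not a URL
        real_host = urlsplit(real).hostname
        findings.append({"real": real, "raw_ip": host_is_raw_ip(href),
                         "mismatch": shown_host is not None and shown_host != real_host})
    return findings
```

Running `analyze(SAMPLE_HTML)` decodes the link to `https://211.28.155.210/.verification/hide/index2.htm` and flags both the raw IP and the mismatch with the PayPal address shown in the message.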

Dig This: I've been so caught up in figuring out the Crimson Room, I almost didn't get this column in on time. It's a really, really difficult puzzle, a Flash game that I doubt even the brightest of you will get through in short order. So go kill a little time. (One clue that's not cheating: Use the Tab key to find out where to click.) BTW, it took me over 2 hours, on and off, but I finally got to the end. In two weeks I'll provide a page with clues--and spoilers.

Protect Yourself Against Phishers

I've found two free tools you can download, both easy to install and use. The browser extensions help you detect spoofed Web sites by showing you the actual site that you're on. For instance, when I clicked the link in my phishing e-mail, the resulting screen looked like PayPal--but the tools showed me that I was actually at, and PayPal would never show you a raw IP address when you're logging in. That's very cool.

The first tool is EarthLink's ScamBlocker, which the ISP makes available for free to everyone, not just its members. ScamBlocker is available on an Internet Explorer-compatible toolbar that includes a Google search engine and a very effective pop-up blocker. The one downside is that the EarthLink Toolbar is larger (from top to bottom) than the other IE toolbars I use. There's a complete review in "EarthLink Readies Anti-Phishing Tool." You can download the EarthLink Toolbar with ScamBlocker from PC World's Downloads site.

The other tool is SpoofStick. This is nice and simple, and works just like the EarthLink Toolbar but without its other features. One nice touch: The height of the toolbar is adjustable. BTW, the author, a forthright guy, says on his Web site, "it's not a comprehensive solution, but it's a good start." There are versions for IE and for Mozilla's Firefox. [With thanks to PC Mechanic's Daron L. Olesch-Williams for telling me about SpoofStick.] We have a copy for you at PC World's Downloads site.

Good Book: You may be surprised that I still read books. One I'm recommending is There Must Be A Pony In Here Somewhere (Crown Publishing Group, 2003, 800/733-3000), Kara Swisher's 300-page saga of AOL. I got a kick out of how Swisher talks about AOL's early years (I can't imagine how the company ever got off the ground), unravels the AOL Time Warner merger (what a fiasco), and provides insight into where AOL will end up in the next few years. (The title refers to the punch line of an old joke; and no, I'm not going to give it away. Read it on page 3.) It's available on Amazon.com for about $17 or under $10, used.

Bass's Cardinal Phishing Rules

I have two simple rules:

  1. Be paranoid. I suspect any message asking for info such as credit card numbers, passwords, sexual proclivities--anything of consequence.
  2. Play it safe. Don't click on a link in a suspicious e-mail. Instead, open your browser and head for the page by typing the link in yourself (for instance, http://www.paypal.com). My sense (and my experience) tells me that if, say, your credit card's expiration date needs an update, the official site will notify you as you log on.

I also encourage you to look at the Anti-Phishing Working Group's site. It's got valuable info, including specific advice on how to steer clear of phishing expeditions.
