Phishing FAQs
Phishing is the term for phony email messages in which the sender hopes to fish personal information out of the recipient. The more official the email scam appears, the greater the chance that victims will believe the hoax and give away their personal identification information and/or passwords to the criminal behind the fraud. Today, with email users' increasing awareness of Internet fraud, phishers typically utilize fear to elicit the response they want. Typical email hoaxes threaten account closure if the recipient of the message doesn't give up their personal identification information or password.
Make no mistake; no legitimate institution will contact you to request your personal information or passwords or threaten to close your account if you do not give up this information.
The following links and answers to frequently asked questions (FAQs) provide additional information on this rapidly growing threat.
Phishing victim - why me?
The majority of phishing targets are just random selections, but some phishing victims may be repeatedly targeted. Anyone who gave away personal information once may be identified as an "easy" target and have their email address passed from spammer to spammer with the hope that the victim will fall for another email hoax.
http://www.spywareremove.com/phishing/faq.php
How did the phishers get my email address/name?
Do you publish your email address anywhere on the Internet? Does your department publish your email contact information on their web site? Do you use your email address when you chat on the Internet or when you participate in social networking? Scammers also trawl the web for valid addresses they can use, and swap this information with each other.
But the majority of "hits" are just a matter of luck (good or bad, depending on your perspective). If thousands of scam emails to randomly generated email addresses are sent out by the hacker, a few may be successfully delivered.
HINT: if you publish web pages with contact information or lists of email addresses for your organization, remove the hyperlinks and replace the @ sign with the word "at" separated by spaces, and similarly replace any periods with the word "dot" (example: carlyn at rice dot edu). Although a hacker can manually re-work a list of email addresses in this format, they prefer easier targets.
http://www.crime-research.org/news/26.04.2005/1183/
Backscatter - I didn't send that email, why did I get a bounce-back message?
Backscatter is just more junk email for you to deal with. This time, a spammer is using your legitimate email address as the 'From' address for their junk mail, making it appear you sent the message - very much like the return address on a letter. Two lines of logic feed the use of other people's email addresses to distribute junk email. First, by using your legitimate email return address, there is a greater likelihood of getting the real sender's spam into an email system. Second, if the spam message is accepted into an email system, hits a closed email account and is bounced back to you as undeliverable, there is the possibility that you will respond to the junk mail or at least open it.
http://blogs.computerworld.com/the_bounceback_backscatter_blues
A third, more malicious reason also initiates backscatter: it can overwhelm your email system; thousands of bounceback messages delivered simultaneously can cause your email server to crash.
Spear Phishing - personalizing phishing attacks
If it looks authentic, includes your institution's logo, is sent from a high-ranking official at your organization, and contains working links to your organization's web sites, it's the real deal, right?
Wrong.
Spear phishing is the newest trend in illegal attempts to collect your personal identity information and passwords. Consider the purpose of a spear as opposed to that of a shotgun. Shotgun blasts scatter a lot of small pellets over a wide trajectory path. Someone's probably going to get hit by at least one of the pellets and it's likely that multiple hits will be scored by a spammer who sends out shotgun-type blasts of phishing messages. But a spear, now that's a personalized weapon; spears are directed at a specific target: you.
Spear phishing messages are polished up to look as official as possible and may include your company or institutional logo (easy enough to collect if your organization publishes a branded web site). Spear phishing messages use authentic-appearing return email addresses, contain few typos, and often end with a signature block that mimics an administrative department in your organization. Spear messages may even go so far as to include a working web site address sponsored by your own organization. And unfortunately, spear phishing messages are usually directed to a specific population of valid email addresses acquired through hacking or other illegal means.
http://www.pcworld.com/article/id,122497-page,1/article.html
Spear phishing messages have even been distributed masked as federal subpoenas to CEOs. Spear phishing messages are still spam. Do not reply to or take any action if an email message requests your personal or organizational information or passwords.
Cyberwarfare
Although it seems too bizarre to warrant even skimming the article, cyberwarfare is real. What if you could eliminate your competitor's edge by completely filling all their employees' email inboxes with spam on a daily basis? Or what if you disabled their retail web site or redirected traffic from their web site to yours?
These proposals may be fiction, but you can read about real cyberwarfare online:
http://www.cfr.org/publication/15577/evolution_of_cyber_warfare.html
For a look at the cyber battlefield, see: http://www.ftc.gov/bcp/workshops/proofpositive/Battlefield_Overview.pdf
Why Does Rice allow delivery of emails claiming to be from Rice groups (but sent from outside Rice) to other Rice email addresses?
The way email works: most email is actually forged because the sender determines the "reply-to" address instead of the mail server processing the transaction.
Use snail mail as an example: when a letter carrier picks up an envelope from your home, if you wrote "The White House, 1600 Pennsylvania Ave, Washington, DC 20500" as your return address, the carrier's job is just to pick up mail and send it on. The first post office it reaches may stamp it "Houston, Texas" and the recipient might wonder why a letter from the White House was sent from a Houston, Texas post office, but no one enforces the validity of return addresses in the mail system. Unless the addressee's letter carrier is enforcing their own private rules about "don't deliver anything where the original post office stamp doesn't match the return address," his or her job is just to deliver the mail that comes in for the addresses in their route.
Back to Rice email: if we blocked outside email senders from sending email to Rice recipients while using an @rice.edu reply-to, we'd actually end up blocking Rice people sending email from their homes.
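The letter carrier's private rule from the answer above, written as a check (an added example, not Rice IT's code; every host name, mailbox and message is constructed). It flags mail that claims an @rice.edu sender but was handed over by a non-Rice host, and the sample run shows it blocks the forged message and the Rice user mailing from home alike.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "rice.edu"  # the page's domain; every host and mailbox below is constructed

def in_domain(host, domain=LOCAL_DOMAIN):
    """True for the domain itself or a host under it (not look-alikes such as evilrice.edu)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def postmark_check(raw):
    """Compare the claimed From domain with the host that handed the message over."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The top-most Received header is stamped by the receiving server; its "from"
    # clause plays the role of the postmark. Assumption: that name can be trusted.
    received = msg.get_all("Received") or [""]
    match = re.search(r"\bfrom\s+([^\s;()]+)", received[0])
    relay = match.group(1).lower() if match else ""
    return {"from_domain": from_domain, "relay": relay,
            "flagged": in_domain(from_domain) and not in_domain(relay)}

def sample(relay, sender):
    """Build a constructed message as the receiving server would store it."""
    return (f"Received: from {relay} ({relay} [192.0.2.1]) by mx.rice.edu\n"
            f"From: {sender}\nTo: someone@rice.edu\nSubject: test\n\nbody\n")

SAMPLES = {
    "on_campus": sample("lab-pc.rice.edu", "Staff Member <staff@rice.edu>"),
    "home_user": sample("smtp.home-isp.example", "Staff Member <staff@rice.edu>"),
    "forged": sample("bulk.mailer.example", "Help Desk <helpdesk@rice.edu>"),
    "outside": sample("mail.other.example", "Friend <friend@other.example>"),
}

def flagged_samples():
    """Names of the samples the postmark rule would refuse to deliver."""
    return sorted(n for n, raw in SAMPLES.items() if postmark_check(raw)["flagged"])

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, postmark_check(raw))
    print("blocked:", flagged_samples())
```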
There was a big push in 2007 to make everyone authenticate with SSL for sending email. Shouldn't most Rice people have their SMTP server set to Rice's?
Off-campus, we require SMTP authentication in order to permit people to send email THROUGH our servers (also known as relaying email). However, we do not (and do not want to) prevent other mail servers from sending email TO Rice servers.
Is there a program that will take non-Rice emails sent to Rice addresses and bounce them back to the sender with a link to confirm their identity with a NetID?
That sounds like a phishing message!
"You sent an email to someone at rice.edu. Please provide your NetID so that we can deliver the mail to them."
Since we have made a promise never to ask you for your username or password we can't justify using any type of program that might ask you for verification when sending email from a non-Rice address. However, IT continues to research spam-reducing applications and tools.
What is stopping Rice from taking a more aggressive stance on these hoaxes?
We have generally been very hesitant to "block email". However, as the harshness of the outside environment increases, we clearly need to re-think our strategy. This is especially true when the campus is blacklisted. In an effort to "get the mail through rain or shine" we may actually end up "losing it in the blizzard" when we can't get mail out to Yahoo, MSN, Google, etc.
Remember, none of the protections that IT can envision or offer will make any difference as long as people share their Rice NetID and login password information. Once the spammers collect valid password and login information, they use it to "authenticate" to the Rice systems. Their presence in the system appears legitimate and the malicious attacks they initiate are committed under the identity of the Rice community member who shared their NetID.
