Term of the Week: Zombies and Phishing

Halloween has just passed as I write this, so it seems appropriate that I’m writing about zombies. But these aren’t the “Night of the Living Dead” zombies; these zombies are the constructions of computer hackers. Along with zombies, I’m going to look at a different type of PC-attacking menace, the phishing scam.

As I mentioned in the “Hackers” article, one of the boons to the hacking explosion is the huge growth in the number of targets (networked computers) to attack. But what’s a poor hacker with just one or two computers to do when there are hundreds of millions of networked computers to attack? Faced with this dilemma, hackers have written software to create zombie armies of other people’s computers to do their dirty work for them.

The typical zombie is created by a worm program. The worm has two missions. The first is to install itself on the attacked computer and allow the attacker to run the code of their choice. The second is to help the attacker attack additional computers. Zombies can infiltrate computers either through email or through a more direct attack over other internet protocols.

Once the worm is in place and has spread to many other computers, the attacker has a zombie army that can be used for many malicious acts. And, because the zombies are running on other people’s computers, the attacker is more difficult to track down. If authorities identify a zombie attacker, all they’ve really found is another victim, not the original hacker. The hacker can be traced, but it’s difficult.

The malicious acts a zombie army carries out are unfortunately varied. First, the zombie army will probably always look for other computers to turn into additional zombies. Some zombie armies are used to send bulk email spam, sparing the real spammer from having to find a way to send millions of illegal messages from their own PC or network. Other zombie armies might be used to launch denial of service attacks on web sites, sending so many simultaneous web page requests at a server that it overloads. Or zombies can be used to run scripts that look for vulnerable systems and break into them, reporting vulnerabilities back to the attacker, who can then look for more specific information to steal or damage. The list goes on, and new uses arise every day.

Zombies are a technical kind of attack. A more social attack, one that depends on gaining people’s trust, has evolved recently: phishing. A phishing attack attempts to get someone to hand over personal (usually financial) information by convincing the potential victim that the attacker is really someone they trust.

This is usually done by sending the victim a fake email from a credit card company, bank, or other financial or corporate institution asking the person to respond to the email or click on a link to the web site to “verify” account information. The email looks real because the internet email protocol is easily tricked and most common end-user internet email programs are not set up to display enough details about the email for the recipient to see the real sender. So, the real sender could be joe@hackersrus.ru but the internet email application is easily tricked into showing that the message is from accountservice@yourbigbank.com.

The attacker further tricks the recipient by using the bank’s real logo (easily copied from its web site) and other identifying characteristics (the style, format, and layout of real emails from the bank) to make the email look legitimate. The email text will inform the recipient that they need to click on a link in the email to verify their account information. And the link in the email will read www.yourbigbank.com.

But if you click on that link, your web browser will open a page that, while it looks like your bank’s, is located on a server at www.hackersrus.ru or some other illegitimate site. The phisher will have copied the entire look of the site, the login page, down to the legal disclaimers. If you enter your account number and password, instead of opening your account info, the phisher will now have your online account information, which they can use to get into your account at the real site: transferring money to other accounts, buying things, seeing anything you could see.
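As an added example (not part of the original article), here is a Python check for the two tricks described above: a From display name that names a different domain than the address that actually sent the message, and link text that reads as the bank’s address but points elsewhere. The sample message and the domain names in it are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

def registrable(host: str) -> str:  # www.yourbigbank.com -> yourbigbank.com (assumes 2-label TLDs)
    return ".".join(host.lower().split(".")[-2:])

class _Links(HTMLParser):  # collects (href, visible text) pairs from the <a> elements of a body
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._buf).strip()))
            self._href = None

def phishing_indicators(raw_message: str) -> list[str]:
    """Flag a misleading From display name and link text that does not match its target."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for sender in (msg["From"].addresses if msg["From"] else ()):
        # Mail clients show the display name; a domain in it that differs from the real one is a red flag.
        claimed = re.search(r"[\w-]+(?:\.[\w-]+)+", sender.display_name)
        if claimed and registrable(claimed.group()) != registrable(sender.domain):
            findings.append(f"From shows {sender.display_name!r} but was sent by {sender.addr_spec}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        parser = _Links()
        parser.feed(html.get_content())
        for href, text in parser.pairs:
            # Only link text that reads like a site address (has a dot, no spaces) is compared.
            shown = urlparse("http://" + text.split("://")[-1]).hostname if "." in text and " " not in text else ""
            target = urlparse(href).hostname or ""
            if shown and target and registrable(shown) != registrable(target):
                findings.append(f"link text {text} actually points to {target}")
    return findings

# Constructed sample (not a real message): the scenario the article describes.
SAMPLE_PHISH = """From: "accountservice@yourbigbank.com" <joe@hackersrus.ru>
Content-Type: text/html; charset="utf-8"

<p>Please visit <a href="http://www.hackersrus.ru/login">www.yourbigbank.com</a> to verify.</p>
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` returns two findings, one for the sender and one for the link; a message whose display name and link text match the real domains returns an empty list.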

So, how do you protect yourself from phishing attacks? First, NEVER respond to any request in an email for account information by emailing back to the sender.

Second, if you get an email that looks like it is from a bank, credit card company, online auction site (these are favorite phisher scams), or other company asking for you to verify your account, NEVER provide the verification by clicking on the link in the email. Open a new browser window and type in the company’s main web site address and log in from there if you want to check your account. Or, pick up the phone and call their customer service department to see if there really is a problem.

I’ve seen a third solution offered elsewhere that I’d warn you against following. That idea is to first click on the link in the email and enter a fake username and password. If the site responds as if it has “accepted” the fake information, you can be pretty sure it’s not legitimate and you shouldn’t enter your own information. There are two problems with this. First, as soon as you click the link, the illegitimate site can capture your computer’s IP address, and maybe even your name, depending on how your computer is configured. With that, and the knowledge that you are gullible enough to click on a fake link, the phisher may decide you are worth follow-up attacks, possibly including direct hack attacks at your IP address.

Second, even if the site returns “login unsuccessful,” “site temporarily unavailable,” or some other failure message, what have you learned or gained by entering a fake username or password? Nothing. It certainly isn’t proof that you should accept the site as real and try again with your own information.

Many companies, in their attempts to find and prosecute phishers, encourage you to forward any suspicious emails to their fraud or scams departments. If you have the time and energy, do this to help stem the problem. Otherwise, just delete them or relegate them to die in your junk email folder.

Jim Minatel is a freelance writer for Developer.com in addition to working with Wiley and WROX publishing.
