LinuxQuestions.org
Old 03-27-2008, 11:15 AM   #1
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Hoax: how easy is it to trick people, and is it easier on Windows?


Preface: I happened to get an odd message (through an IM app) from a friend, that wasn't obviously sent by him, but by something else - a program, I take it. The short content was: "visit this site [url] and find out who have blocked or removed you from their messaging application list". Out of curiosity I loaded the site, which was just a blank white page with a few lines of text and a web form to fill. It instructed that you should give (and if you would, you would accept some terms and conditions, which in short told that you'll only be giving the information to the site owner and not to 3rd parties, and such) your messaging application login name and password, after which the site would display who from your messaging app list had blocked you or removed you from their lists. Well, smelled like a rat..but they had bought a real domain for it, had stated (though very shortly and in an ugly fashion) a few terms and conditions, and didn't deny they were going to discover and be able to use your messaging (+email) account. I told another friend what I had bumped into, saying "I wonder who's stupid enough to go forward with that..", and got a reply that a friend of his had seen it too, tried it out - and wondered if it was broken, as it didn't tell anybody who would have blocked/removed that guy.. "surprisingly", yeah.

Now that's plain ugly cheating. I don't know what they use the IM/email account information for, but obviously they shouldn't be collecting it - not sure if and which laws would prohibit that, taking into account that they have some sort of poem telling the user what's happening, but cheating it is nonetheless.

Have you bumped into this sort of site? Where (no need to name the sites explicitly, but describe a little), or in what situation? Did they clearly look like cheating, or were they almost impressive (or even more "ok"-looking)?

And lastly - do you think some user groups are more likely to fall into those traps than others - and which groups?

I myself find at times such attempts as the one I described above, and most of them seem to be aimed at Windows users - towards services Windows users are known to use. Does that imply that the folks who are fishing for others' account information consider certain users less "wise" in that aspect than others, or have I just been 'lucky'?

I'd like to hear your comments too. I used to see different kinds of information-fishing attempts on IRC in the past, nowadays not so much, but this was something brand new, a site directly asking for a password..

Thanks for your thoughts - I'd especially like to read comments from users that have used computers for a long time, compared to the age of the world wide web. And in case somebody wonders, I'm not doing a study or anything, I'm just curious (and a little mad at the people who do these things)..

Last edited by b0uncer; 03-27-2008 at 11:24 AM.
 
Old 03-27-2008, 11:29 AM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Surprisingly, I've only run across something like this one time. An email that appeared to be our IT department (but there were subtle differences that made it clear it was spoofed) came and was one of those "Please verify your username/password" type sites. It sounded fishy, so naturally I went to visit the site and check the headers and html code underneath. After a little digging it turned out that our IT department spoofed the message on purpose to do a security audit on the employees. I guess around 10% of the people who got the email failed the exam by entering their username and password.
 
Old 03-27-2008, 02:33 PM   #3
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Normally you see this sort of thing when you receive an email from a bank. If you use webmail simply hovering over the link shows you that it's a spoofed site. Another test I use is that my bank is the only bank in the whole world that doesn't email me!
 
Old 03-27-2008, 02:37 PM   #4
tsg
Member
 
Registered: Mar 2008
Posts: 155

I heard about a site not too long ago that was advertised as a way to measure how strong your password is. After you entered it, it would tell you it was insecure because you gave it to someone else.
 
Old 03-28-2008, 09:55 PM   #5
machines
LQ Newbie
 
Registered: Mar 2008
Distribution: slackware 12
Posts: 21

I had a problem related to this last week, I think. I d/loaded a .rar, and inside there was also a 'checker.exe'. I did a bit of googling around and it said the same as you have found: it affects your instant messenger and asks you to give your user/pass to a website.
 
Old 03-29-2008, 02:36 PM   #6
shambler
Member
 
Registered: Sep 2006
Location: Canada
Distribution: openSUSE 11.3, Xubuntu 10.10, Ubuntu 11.04
Posts: 53

Don't assume you are immune

Quote: Originally Posted by b0uncer (the opening post, quoted in full)
It's a classic internet scam by phishers of various sorts. They are busy collecting accounts and password info for whatever troublemaking they have in mind (identity theft, among other things).

Usually this stuff arrives by email. Since it is possible to do it using IM, they use IM too. Also, scammer sites with names similar to bank sites (and others) will "iframe" another site - or just replicate the bank site and suck up your account information. All these things are very common.

It is very economical for the scammers. $8 or less gets you the domain name. Add some free hosting courtesy of 'botting someone else's machine (or pay the $4 a month). All they need is one $3,000 hit on someone's CC or bank account to make the effort intensely profitable. It is also relatively low risk, and this makes the internet (and all travellers on it including IM, Facebook and everything else) a risky place.

Don't trust that you can look at the source html of a web page and think it will be easy to spot. They do everything from minimalist pages such as the one you described to exact copies - down to the last line of html and even javascript - of sites they are spoofing. This is where things like the Netcraft toolbar (and others) are going to be helpful, but not the only answer.

You should be more than angry. You should educate yourself, and as you learn what to watch out for, tell your friends.

pljvaldez commented that his IT department set up something like this. A valuable educational tool. I hope it made a difference.

As to Windows users being targeted, why would that not be the case? But these people are OS agnostic. Sure, the average Linux user is more technically savvy than most Windows or Mac users. But unless you have done your homework, all your abilities to install from source or set up a DNS will not help you recognize a phishing scam.

A corollary is that people like James Randi - magicians and illusionists - are much better at spotting scams by those who feast on the woo-woo crowd than scientists. They know how to fool people; it is their area of expertise.

You don't have to become a phishing / internet scam expert. But you should take your online identity and its protection very seriously. The garbage is out there, and more than happy to rob you. Before you start up your computer, leave your trust in another room.
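XavierP's hover test (the text a link shows versus where it really points) and shambler's point about scam sites framing the real bank page can both be checked mechanically. The following Python is an added example, not code from any poster in this thread: it parses a suspect HTML message or landing page and reports both tells. The host names and sample HTML are constructed, and the "same site" test is a deliberately simple last-two-labels heuristic rather than a public-suffix lookup.

```python
"""Spot two phishing tells in an HTML message or landing page: anchors whose
visible text names one site but whose href leads to another (what hovering
over the link reveals), and iframes that embed a page from a different site.
Added example, not from the thread; the sample HTML below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a look-alike page that shows the bank's URL as link text,
# links somewhere else, and frames the real bank site to look legitimate.
SAMPLE_HTML = """
<p>Please visit <a href="http://examplebank.com.login-verify.example/">
https://www.examplebank.com/secure</a> to confirm your details.</p>
<p>Or read our <a href="https://www.examplebank.com/help">help pages</a>.</p>
<iframe src="https://www.examplebank.com/"></iframe>
"""

# Visible link text that looks like a URL or bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


def hostname(url):
    """Lower-cased host of a URL, or '' when the URL carries no host."""
    return (urlparse(url.strip()).hostname or "").lower()


def same_site(host_a, host_b):
    """Crude 'same registered domain' test on the last two DNS labels.
    (Assumption: no public-suffix list; good enough for this illustration.)"""
    return bool(host_a and host_b
                and host_a.split(".")[-2:] == host_b.split(".")[-2:])


class PhishTellParser(HTMLParser):
    """Collects (kind, shown_or_page_host, actual_host) findings."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host   # host the HTML was served from / claims
        self.findings = []
        self._href = None            # href of the anchor being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "iframe" and attrs.get("src"):
            src_host = hostname(attrs["src"])
            # A look-alike page framing the genuine site is shambler's tell.
            if src_host and not same_site(src_host, self.page_host):
                self.findings.append(("iframe", self.page_host, src_host))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            if URL_LIKE.match(shown):
                shown_host = hostname(shown if "://" in shown else "http://" + shown)
                real_host = hostname(self._href)
                # Text names one site, href goes to another: the hover tell.
                if not same_site(shown_host, real_host):
                    self.findings.append(("link", shown_host, real_host))
            self._href = None


def find_phish_tells(html, page_host):
    """Return the list of tells found in `html` served from `page_host`."""
    parser = PhishTellParser(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```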
 
Old 03-29-2008, 03:16 PM   #7
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Here's a cautionary tale: a few years ago I read of a computer security test which took place in Victoria Station (London) around Easter time. A group of researchers stood on the concourse and asked people a few questions:
  • where do you work?
  • what is your user name?
  • what is your password?
For participating, you gained an Easter Egg.

Frighteningly, most of these people were execs and most of them gave out the answers. One guy said, "I'm not allowed to tell you but it's easy to guess, it's my daughter's name".

Be as secure as you like in the office, feel free to be suspicious of every email or IM and have a 256 character password. These measures are useless against human stupidity and gullibility.
 
Old 03-31-2008, 10:43 AM   #8
Greased Lightning
LQ Newbie
 
Registered: Jul 2007
Posts: 2

Fools and money... What's worse! Anyone can attempt!

Buy your own Messenger spammer for $97,-

There should be laws against this sort of thing.
 
Old 03-31-2008, 11:20 AM   #9
tsg
Member
 
Registered: Mar 2008
Posts: 155

Ask someone on the street for their PIN and they'll look at you funny. Ask someone for their password on a website and they'll happily punch it in without wondering who's asking. Most people just aren't knowledgeable about security, how it can be defeated, and how much damage it can do when it is.

My father once told me about a web page that asked him for a password (that likely shouldn't have) and that he entered it. I said, "you probably just compromised that account". His reply was, "It's not important. The most they can do is impersonate me on a message board." I said, "Okay, but how many other accounts did you use that password with?" Silence. I said, "If I were you, I'd get busy changing my passwords. And make them all different this time."

ETA: Although, I think my favorite lapse in judgment security-wise has to be the guy who tells you what his password is to brag about how nobody would be able to figure it out.

Last edited by tsg; 03-31-2008 at 11:22 AM.
 
Old 04-01-2008, 04:31 PM   #10
Jeebizz
Senior Member
 
Registered: May 2004
Distribution: Slackware15.0 64-Bit Desktop, Debian 11 non-free Toshiba Satellite Notebook
Posts: 4,187

I remember back in the mid 90s when I was first on AOL. I encountered all these fake online IMs sometimes, telling me that there was a problem with my account, and I needed to give my password. Pff, yea right! I was much younger in those days, in my mid-teens, but even back then I considered myself rather savvy when it came to computers, plus I remember distinctly that the IM windows on AOL were clearly labeled stating that no AOL staff will ask for such information online. AOL back in those days (maybe they have them still?) would have staff online you could chat to.

Anyways, with all these phishers around I have kind of been wondering. Why not, the next time someone (hopefully people like us that are more savvy in this area) encounters such things as bogus IM messages and such, just give out false information? This is just a thought, but assuming that these 'sites' essentially don't verify, and only collect data, why not try to saturate them with as much bogus information as possible? It would have to be in such a quantity that perhaps the phisher would be forced to just dump the information, assuming that all of the data collected was unusable. Just a thought anyways.

On a lighter note: I did have a really cool DOS program, it was called nag.exe. If you ran nag.exe in DOS, it would come up with an instruction on how to use it, and essentially you had to give it the command 'nag me' in the same directory as nag.exe, which would result in a blue screen and light bluish text, with a nagging comment. I used to edit my friend's autoexec.bat and include that nice little command, and each time he booted his computer, that program would come up. It was pretty funny at the time.

[edit]

Well, that last part may have been off topic, but I consider it a harmless and funny hoax.

Last edited by Jeebizz; 04-01-2008 at 04:35 PM.
 
Old 04-01-2008, 06:37 PM   #11
Labman
Member
 
Registered: Apr 2004
Location: Northern USA
Distribution: Kubuntu 11.10
Posts: 104

Yeah it can be scary. Surely nobody here responds to the Nigerian princess needing help getting her father's money out of the country. The lottery you won, but don't remember entering? I recently received an email from "somebody I knew". It was some tale that he was visiting Africa and locked out of his hotel without his wallet, and could I send money.

Since very few people fall for such schemes, they really have to target high volumes.
 
Old 04-01-2008, 09:22 PM   #12
shambler
Member
 
Registered: Sep 2006
Location: Canada
Distribution: openSUSE 11.3, Xubuntu 10.10, Ubuntu 11.04
Posts: 53

Keep on trying.

Regularly around here, the newspaper has a story of someone sucked into the 419 (Nigerian) scam, or yet another fake lottery.

They often publish a picture of the victim. Maybe they should (but don't) put a caption under it like "This man isn't very bright and he has money for you", or "Don't end up like Ed. Get a clue".

I do my best to tell people what to watch out for, which is mostly 3 things:
  • Don't click on stuff in emails, especially if related to financial stuff.
  • If at all possible, get high-speed so a "dialler" cannot be used to rob you (with the telco's unspoken consent usually).
  • Get a Netcraft or other good anti-phishing toolbar, and pay attention to it.

And then the Big Two:
  • Use your brain.
  • Get educated at least a bit on this stuff.

There isn't much else possible. Despite the US categorizing some of that stuff as terrorism, the bad guys are pretty much immune. Every so often, one gets taken down and given what we in Manitoba call "sweet sweet house arrest", but there are so many more it's like picking up a grain of sand at the beach.
 
Old 04-01-2008, 11:05 PM   #13
Doctorzongo
Member
 
Registered: Mar 2008
Distribution: Fedora 11
Posts: 72

Quote:
Originally Posted by b0uncer
I myself find at times such attempts as the one I described above, and most of them seem to be aimed at Windows users - towards services Windows users are known to use. Does that imply that the folks who are fishing for others' account information consider certain users less "wise" in that aspect than others, or have I just been 'lucky'?
Of course they target Windows users ... they are "WinFodder" and we are "Linjas," skilled in the art of "Code-Fu."

But yes, I have encountered something along those lines before. 2 of them, actually. They were both by the same person and were for 2 different IM clients. They were 'widgets.' They would supposedly do what you had described.

And as to your questions on why they would do that -- Say there's someone you want to be malicious towards, for whatever reason. If you log in as someone else and lash out at them, or perhaps send a virus or whatever, then there would be no consequences to you -- supposing you covered your tracks well enough. If you were amoral enough, you could do that.

Or, if you worded the EULA a certain way, you could even make it legal and have no consequences whatsoever -- or if the person did not read the EULA, you could boldly proclaim it.

Last edited by Doctorzongo; 04-01-2008 at 11:08 PM.
 
Old 04-01-2008, 11:12 PM   #14
Doctorzongo
Member
 
Registered: Mar 2008
Distribution: Fedora 11
Posts: 72

Quote:
Originally Posted by tsg
ETA: Although, I think my favorite lapse in judgment security-wise has to be the guy who tells you what his password is to brag about how nobody would be able to figure it out.
I know someone who does that, saying that no one can even remember it.

It's his account spelled backwards.
 
Old 04-04-2008, 06:06 AM   #15
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Original Poster
Quote:
Originally Posted by tsg
I heard about a site not too long ago that was advertised as a way to measure how strong your password is. After you entered it, it would tell you it was insecure because you gave it to someone else.
Well that sounds like a lesson..

In addition to humans being fools and some of them telling their passwords when asked, I also consider today's PIN/password input methods dangerous: yesterday I bought shoes and paid with a card that has an electronic chip (and is thus pushed into the reader, which then asks for PIN and to press the green button). Lined up after me were several people, waiting to pay and get home from the crowded store. Around me were even more folks, about a couple dozen who were close enough to see what I typed into the card reader box. Some of those boxes do actually have high "walls" around the keypad, preventing people from seeing which buttons you push when, but that was one of the lousy ones with 3mm high walls (or close to that - nothing at all, practically). The only way to hide your PIN from anybody who might want to see it, or just see it without actually looking at it, is to stand very close to the device and hide the keypad with your other hand - looks very odd and everybody seems to look at you angry when you're doing it ("why is that guy standing there so long, just punch the damn numbers..") That's not actually phishing, but I'm waiting to see when some small shops start popping up selling stuff at low prices, just to see you typing your card's PIN..

Another sort of scam I bumped into a few days ago, this time through e-mail, was a story like those that ask for money, want to give you a huge sum of money or tell you you've won something. Only it wasn't about money (not directly, at least); it was a story of a poor girl that needed justice and the sender wanted me to take part in some web list (along with name and e-mail) whose subscribers want to express their sympathies, and then send that message forward to a few more people. Written in my native language, not many errors in the text or anything, so it looked perfectly normal. Only I doubt that girl exists, and that the subscribe list was only a means of collecting loads of email addresses from people..and since this wasn't asking for money, I guess more people are apt to "participate" - feeling good for 'doing something good'.

A security audit like the one mentioned in a previous post (by pljvaldez) would really do good for a lot of people (well, in the case they were later told about the results). Maybe I'll use that - thanks for the idea - at my work this year

Thanks for your posts and opinions!