Spam alert: don't go on any Internet phishing expeditions
by Alan Zisman
(c) 2004 First published in Business in Vancouver May 26-31, 2004;
issue #761 -- High Tech Office column

As I write this, news headlines report the arrest of an 18-year-old
German accused of authoring the Sasser computer worm. This won't stop
the spread of Sasser or other computer infections, however.

Sasser infects Windows NT, 2000, XP and 2003 server systems, and unlike
most recent infections, isn't spread via e-mail attachments; it spreads
to unprotected computers across the Internet and computer networks.
At-risk computers are protected if they've been patched with the latest
Microsoft critical updates or if they are behind software or hardware
firewalls.

Despite the seeming ease of protection, many home users were infected,
as were a wide range of organizations, including American Express, the
British Coast Guard, and the B.C. Ministry of Education's PLNet.

How to explain the infections at large organizations?

Many IT departments are wary of being quick off the mark to install
Windows patches, and with good reason. Windows Hotfix KB835732, for
instance, released in mid-April prior to the Sasser outbreak, causes
problems for users of the popular Oracle database. IT managers are
forced to choose between risking infection and installing patches that
may cause other problems with their systems. There's no easy answer to
this dilemma.

With most business networks protected behind firewalls, the most common
point of vulnerability is notebooks carried from work to home and back.
It's no coincidence that many worms and viruses, like Sasser, are
released on a Friday afternoon, infecting users working on the weekend.
Monday morning, the now-infected notebooks are plugged into the
network; they then spread the infection from within the firewall.

Organizations need to mandate standards for software firewalls for
notebook users.

Spam has been estimated to account for 60 per cent of the e-mail
messages being transmitted. Despite that growth, many users are seeing
less of it in their in-boxes. This is due to increased use of spam
filtering, both by individual e-mail client software and, more
effectively, by network managers and Internet Service Providers.

Shaw, for instance, recently began quietly offering junk mail filtering
to users of their cable Internet service. As a Shaw customer I didn't
become aware of it until I logged onto webmail.shaw.ca.

Options available from the webmail toolbar include tagging, holding for
14 days, or immediately deleting suspected junk mail. I picked the
"hold" option, enabling me to periodically check the Junk folder for
valid messages falsely tagged as spam.

After a month or so of use, I'm pretty pleased. Shaw's filters seem to
be catching most of the spam coming my way; most of what's left is
caught by the filters built into the e-mail clients I prefer: Apple's
OS X Mail and Eudora Mail. Outlook 2003 also has spam filtering, though
the popular Outlook Express doesn't. I haven't found a single message
falsely labelled in my Shaw junk mail folder. Between the two levels of
spam filtering, I'm getting a mere handful of junk messages a week.

Shaw's filtering is off by default; turn it on.

While most spam is merely annoying, so-called phishing messages can
cost you. Phishing refers to e-mail messages that appear to come from a
financial institution or other corporation and try to get readers to go
to a website and divulge account numbers and passwords (see my column
in BIV 735). Personally, I've received messages appearing to come from
Internet companies eBay and PayPal and from the TD Bank. In all cases,
links in the messages went to web pages appearing to be for those
companies, but residing on computers in Russia.

The latest generation of phishing messages makes it harder to track the
location of the destination website.

Security firm MessageLabs recently reported that between September 2003
and January 2004, the number of phishing e-mail messages they monitored
grew over 1,000-fold, from 279 to 337,050. Protection is simple. Don't
ever give out personal, and especially financial, information in
response to an e-mail message.
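
As an added illustration (not part of the original column), the Python sketch below checks for the pattern described above: a message that claims to come from one organization while its links lead to hosts elsewhere. The sample message, the domain names and the function names are constructed for the example, and it assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample message; the names use reserved example domains
# and a documentation-only address range.
SAMPLE = """\
From: "Example Bank" <service@bank.example>
Subject: Please confirm your account
Content-Type: text/html

<html><body>
<a href="http://secure-login.example.net/verify">Log in to Example Bank</a>
<a href="http://192.0.2.10/bank/">Account centre</a>
<a href="https://www.bank.example/help">Help</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def suspicious_links(raw_message):
    """Return (href, reason) for links that leave the claimed sender's domain."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings = []
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if not host:
            continue  # mailto: links, anchors and relative links have no host
        try:
            ipaddress.ip_address(host)
            reason = "numeric address instead of a name"
        except ValueError:
            under = host == sender or host.endswith("." + sender)
            reason = None if under else "host is not under " + sender
        if reason:
            findings.append((href, reason))
    return findings
```

A filter or mail gateway would treat such findings as one signal among several, since legitimate mail sometimes links to third-party hosts as well.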