Saturday, October 16, 2004

Gone Phishing

Is that a typo, you would ask? Well, it's not. According to Wikipedia, phishing stands for password harvesting fishing. It is a type of social engineering attack.

Here is a brief summary from Wikipedia:
Phishers usually work by sending out spam e-mail to large numbers of potential victims. These direct the recipient to a Web page which appears to belong to their online bank, for instance, but in fact captures their account information for the phisher's use.

Typically the email will appear to come from a trustworthy company and contain a subject and message intended to alarm the recipient into taking action. A common approach is to tell the recipient that their account has been de-activated due to a problem and inform them that they must take action to re-activate their account. The user is provided with a convenient link in the same email that takes the email recipient to a fake webpage appearing to be that of a trustworthy company. Once at that page, the user enters her personal information, which is then captured by the fraudster.

Whenever you get an email that asks you for personal, financial or online account details, fire up your browser and type out the URL yourself (it is preferable to bookmark it and use the same link every time). Better still, try the good old telephone and contact the company directly.

Unfortunately, like the offline world, the online world is full of scamsters, predators and con artists. Don't assume that things are safe here.

Also check out the FTC's consumer alert on spoofing:

Saturday, October 09, 2004

GMail account as a Windows filesystem

Read on Slashdot that someone had created a virtual filesystem for Windows using GMail. That means that your spare GMail account space shows up as a separate drive under 'My Computer', and then you can upload/download files and use it pretty much like any other filesystem.

I downloaded the executable and installed it. It works pretty much as advertised. I even saw a new GMailFS drive under 'My Computer'. I tried to upload a couple of files, create a directory and delete a file, and everything worked perfectly fine. Heck, even the installation was super smooth - under 60 seconds.

How does Google get impacted? Well, they created GMail so that they could serve you ads side by side with your email conversation. They make their moolah from ad revenue. Any attempt to bypass that mechanism is going to draw their attention. Sooner or later, they are going to stop or thwart these kinds of attempts that want to capitalize on the 1 GB of space offered by Google. But this is the second cool hack based on using GMail as a filesystem that I have come across in the past month. Sure, GMail hacks are gaining momentum.

Saturday, October 02, 2004

How scammers use craigslist to mint money

This morning, while browsing some classified ads on craigslist, I came across an interesting post. The subject of the post read "New, used and refurbished Dell Laptops". Inside the post, there was just a hyperlink. Normally, when people post their stuff on craigslist, they sometimes add links to other sites that contain either the description or the photographs of the item they are selling.

Hoping to find more info on the laptops, I clicked on the link inside the posting. The link took me to eBay's website, to a page showing a bunch of Dell laptops put up for sale. Okay, so what makes that interesting, you would wonder?

Well, the interesting part is that my quick eye caught a couple of things: first, the link originally didn't point to eBay; second, between the time I clicked on that link and the time eBay appeared in my browser, I was redirected a couple of times. In an instant, I realized that someone had just made a few cents from my click. The more people click on that link, the more money the scammer makes.

Here is how it works: some scammer (let's say ABC) goes ahead and registers for a pay-per-click program of the kind provided by leading search engines like Overture and Google. If ABC hosts a website and people click on the ad links placed there, ABC makes some money per click. So ABC decides to post an ad on craigslist, advertising Dell laptops, with a link that points back to ABC's website. The moment someone clicks on the link in the craigslist ad, s/he is transferred over to ABC's website, which immediately redirects the user (deceptively and instantly, via JavaScript) to Overture's or Google's site, and they in turn redirect you to eBay. It all happens so fast that you are led to believe that the link from craigslist took you directly to eBay.

Now, because craigslist is a popular destination, a lot of people visit it daily. Let's say craigslist receives about 100,000 hits per day on a particular city site (say Seattle) for a particular category, tech. Assuming that 1/10th of those visitors open the post and click on the link provided by ABC, and that ABC gets 5 cents a click, ABC stands to make around 10000 * 0.05 = $500 per day per posting. What if ABC decides to perform the trick on users of other cities also? The scam could run into thousands of dollars.

I sent a couple of emails to the folks that run craigslist and they deleted these kinds of fraudulent posts, but how can they ensure that the scammer ABC doesn't post the same kind of ad again? If they cannot stop these kinds of posts, then they risk a serious threat to the character of their site.

