Arun Marballi

While the "IRS Rebate Checks" make their way through the government machinery, as is to be expected, phishers are out to scam you into parting with your little bounty faster than you can receive it. According to the FBI, there is at least one scam going around in the form of a bogus e-mail purportedly from the IRS asking you to provide your banking information to enable a direct deposit.

To scare recipients into divulging the information, the e-mail further states that not providing the required information would result in significant delay in disbursement of the funds. As always, IRS like all the other financial institutions will never ask you to provide any information of this nature - because they already have your bank information if you e-filed or provided the information on your tax returns. If they don't, they will mail you a check at the address on your tax returns. So, beware these tricksters!

Phishing e-mails can be classified as malicious spam and comprise a smaller percentage of the overall spamming industry; consequently, spamming is more an annoyance than a security risk. I have time and again observed e-mails that show up in my e-mail inbox that look like e-mail bounce-backs (returned e-mail) - the trouble is they are not e-mails that I had sent out and the intended recipients are not someone I know.

It is obvious that since I did not send this e-mail, someone else did and usually that someone is a spam-generating computer in cyber space; and the technical term for the returned e-mail that appears in my in-box is "backscatter spam." The spam-generating computer used my e-mail address as the sender's e-mail address hence the backscatter.

Spam-generators use e-mail addresses that they have gathered from the Internet and they love e-mail addresses in the hotmail, yahoo, Gmail and other widely used e-mail domains; primarily because most e-mail systems do not block these domain addresses because of their wide usage - thereby increasing their success rate for delivery of spam.

In addition to using spoofed sender's e-mail addresses, spammers have started using these widely used e-mail domains for setting up a multitude of e-mail accounts that they can use for generating spam. Since e-mail systems such as hotmail, restrict how many e-mails you can send in an hour as well as in a day, spammers need to use and manage effectively a large number of e-mail accounts.

They do this with fairly sophisticated computer systems. Now, if you have an account on one of these webmail systems, you would have responded to one of the CAPTCHA questions. Spammers have figured out how to bypass CAPTCHA so that they can create all the accounts they need to carry out their nefarious activities. If you recall, CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Human Apart and it is a test many Internet providers use to ensure that a real human being is at the other end of an Internet connection requesting the provider's service.

In a CAPTCHA test you are typically presented with an image of wavy, oddly shaped jumbles of letters and numbers and required to recognize and type them out in the response area. Hitherto only human beings have been able to respond to CAPTCHA. However, according to Websense, a global leader in web data protection technology, the spammers' sophistication has enabled them to develop computer systems that can bypass CAPTCHA in less than six seconds.

Going forward, this means that computers can now masquerade for human beings wherever this technique is widely used. One such Web site that uses CAPTCHA to ensure only humans buy game and show tickets is Ticketmaster. With the acceptance of E-Bay owned website StubHub as a legitimate site for the sale of game and show tickets at market-price, I see the possibility of a vibrant after-market for game and show tickets - a vibrant market indeed!

Finally, since phishing and spamming largely rely on social engineering, which are the modern-day buzzwords to mean being taken by a con artist, wouldn't it help us all if we started thinking like a con artist so we can be forewarned and avoid these social engineering traps? What do you think?

Arun Marballi has worked in the Information Technology arena for more than 20 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].

Home