As a follow-up to my previous post about creating good passwords, I thought it would be helpful to mention an article that shows some of the bad habits in password creation.  In Note to MySpace Users: Get Better Passwords, Brian Krebs discusses a phishing website that targeted MySpace users.  The site was used to obtain the usernames (which in MySpace’s case are email addresses) and passwords of close to 60,000 people.

On top of that, the list of usernames and passwords was stored as a text file on the phishing website, which security researchers were able to grab and analyze.  Here is the list of the most common passwords used:

password1 (106)
abc123 (73)
swimmer1(43)
iloveyou1 (41)
monkey1 (40)
****you (37)
123456 (33)
myspace1 (32)
****you1 (32)
i(32)
password (27)
babygirl1 (25)
iloveyou2 (24)
football1 (24)
danny12031986 (23)
blink182 (23)
princess1 (22)
freesh**4me (22)
16188s (22)
123abc (22)

This is revealing for a number of reasons.  First of all, the most common passwords used on MySpace are far from unique, and far from complex.  Most of these passwords would be easily guessed or cracked.  Since this post is a few months old, these people obviously haven’t been following my advice, as they wouldn’t have seen it yet.

 Secondly, it shows how easily people can be fooled by phishing websites that look authentic.  As this was from a few months ago, hopefully the introduction of in-browser anti-phishing tools in Internet Explorer  7 and Firefox 2.0 should help reduce the likelihood of this happening again.

And lastly, it provides a good justification for using different passwords on different sites.  If someone is able to get your MySpace password, no big deal, right?  It’s not exactly a critical site (to most of us, anyway).  But many people use the same password on many sites, including online banking sites.  So obtaining your MySpace password could be the key to all the sites that you share that password between.

Hopefully this scares you enough into making sure those passwords are strong, unique between sites, and that you pay attention to potential phishing scams.  Soon, I’ll give you some ways to help manage your passwords.

For me, the most important thing to be protected against phishing is incredulity. Simply don’t believe everything you receive by e-mail. E-mail can be forged very easily and the sender of the message might not be who it seems.

Also, take into account that most companies will never contact you by e-mail to ask for information. Well, there are some companies which do this, but if you follow these rules that won’t be a problem.

• Don’t reply with personal information. If you ever get any kind of message from anyone asking for personal information, never reply to it. If you think this is legitimate it’s always better to call by telephone and give this data. Take into consideration the fact that e-mails travels as plain text through the net, so anyone can see it.
• Don’t click in hyperlinks within emails. Although they might look legitimate, there are techniques for redirecting you to another site controlled by the attacker. If you think the mail is real and you have to input information, it’s better to open a new browser windows and and type the URL in the location bar, to make sure you are going to the site you intended.
• Check for Secure HTTP. Once you have gone to the site, check it’s legitimate by looking at the location bar, checking it uses Secure HTTP (the URL begins with https). If it does, then check the certificate of the site by clicking on the lock that appears and have a look at the information in the popup windows to see if it’s the same that you expected. 
• Check your bank accounts and report to authorities. It’s really convenient to check your accounts from time to time to see if there’s any unusual or suspicious activity. If there’s something unexpected, you should better contact your bank and if they confirm it’s fraudulent, report it to the local autorithies so they can investigate the case.
• Use antiphishing toolbars. This is a convenient software to know if a site is a suspect of being a phishing site.

You can either use Google Toolbar for Firefox which shows an icon indicating if a site is forged or not.

You can also use Netcraft Toolbar which can tell even the country where the server is located, so if you access an american bank and the server is located in Russia, you can get really suspicious.

With all these measures you should be quite safe against phishing.

So, first of all, what is phishing? It’s a technique used to steal private data from the user by tricking him to give it away. This private data is usually passwords for sensitive sites, credit-card numbers or PIN codes for bank accounts.

How do phishers trick the user? The most common way to ask for the data is through email. Phishers send emails which look legitimate, usually mimicking the look of real ones but pointing to their own servers instead of legitimate ones.

Most phishing tells the users that account might have been compromised and they need to authenticate again to confirm the account. They give a link which looks like a legitimate one, but points to another site controlled by the phisher. This site also looks like the original one, as they steal images and layout from the legitimate one and upload them to another server.

So, when the user enters the username and the password in this site, the data gets stored in a database controlled by the attacker, who will be able to retrieve it later and use the data in his own profit.

This is an example of a phishing email I received:

The link seems to point to cards.fleet.com but, in reality, it goes to 4.60.21.232:34,a link which doesn’t work by now but which was under the control of the phisher.

Lately, the sophistication of this kind of e-mail has increased, every time looking more credible and using new techniques to trick the user, like emails looking like a question from a possible buyer from eBay which points to another site or even targeting e-mail to users depending on the bank they use.

In the next post, we will see how to protect against phishing.

Criminals are trying to find other ways to get your money and, in a “clever” movement, they are not asking your password anymore, but wait until you login into your bank account and then use your credentials to get the money transfered.

If we make a simile with the real world, until now the thieves were spying us when we were entering our PIN into the ATM and, when we left they used this PIN to get money. Now, they wait besides the ATM for us to come and try to get money and when we are doing this they transfer the funds to their account without the need of the PIN.

As always, we should have a good antivirus, a good antispyware and never trust links embedded in an email.

From | Truston Identity Theft Blog.

This is really dangerous, at it shows that phishing really works. We must remember never to open a link received in an email, especially if it’s from a bank or a highly sensitive site. It’s always better to write the URL in the browser bar manually.

Remember most banks will never send email asking for personal data like your PIN, your SSN,… Take care with this as you could lose pretty money.

From | Shell Security.
More info | Sophos results.