Online Identity Theft – Don’t Get Scammed

Social engineering is the tactic used to take the con game to the masses.  Today, con artists operate on a large scale using email and other mass communication tactics to dupe unsuspecting people into their traps and out of their money.  Mass communications make it easy to play the numbers.

I am a former computer security officer, and my training helps keep me out of some trouble.  However, you don’t need a professional background to protect your identity.  You just need some common sense to avoid a lot of trouble.

If you have email, sooner or later you will receive correspondence from someone who wants to do you harm.  They may offer you an opportunity to make money or may trick you into believing they have a business relationship with you.  Because this tactic is effective, the con artist continues to use it.

Here is how it works:

1) I NEED YOUR HELP (YOUR BANK ACCOUNT) – You receive a message requesting your help. The sender needs to put money into your bank account.  It doesn’t matter who they say they are or why they need to put money into your account. Once you provide the access they seek to deposit funds, they remove your money.  Bank access works both ways – money in and money out.

2) YOUR ACCOUNT MAY HAVE BEEN TAMPERED WITH (ROBBERY and/or ID THEFT) – You receive a message stating that your account has been tampered with or confirmed.  It doesn’t matter what the account is.  It may be your bank, your stock account, eBay, PayPal, or any number of agencies that conduct online business.  The message shocks and scares people into acting without thinking.  The victim responds by clicking the link to log in and check their account.  To do so, you provide your account and password, and then it’s too late.  The site you went to (via the link provided) looks like the real site.  It may even transfer you to the real site with your account so that the screen says the password is invalid.  You reenter the password and see that your account is OK.  What happened was that the first stop you made, which looks exactly like the legitimate site, collected your account and password, and then passed you on to the real site, where you reentered your password and alleviated your fears.  The con artist has your account and password and may access your account without you ever suspecting a thing until it’s too late.

Most of the tactics work using fear of loss and your desire to help (so you were offered 10% for your help…).  Human emotion is used to manipulate your actions by some unknown person to whom you may just give your account and password.

So, how do you protect yourself?

1) Don’t respond to email solicitations.  Think twice, even if the message looks like it’s from someone you know and trust.  They may have been duped, or your email address book may have been hacked by a virus.  Use the phone to call the organization if it looks familiar to you and you suspect it may be legitimate.  You wouldn’t give a door-to-door solicitor your bank account, SSN, or other private information. Why would you do it online?  Answer: Social Engineering.  People stop thinking and just act in a predictable way.

I do not have a CHASE BANK ACCOUNT, but you might.  I received this email today and will show you how to identify it as a fraud, just in case you think it may be real and feel the need to check your bank account.  And if you do, type in your own URL to get to the bank.  The con artist knows we are lazy and will click the link that was provided.

Here is a copy of the original message (with my highlighting):

-----Original Message-----
From: Chase bank [mailto:support@chase.com]
Sent: Monday, November 17, 2008 11:30 PM
To: info@hospitalsystemsgroup.com
Subject: please confirm your online banking records <message ref: 3652653936>

Note: This is a service message regarding the Chase Online Form.

Dear customer:

As part of the new security measures, all Chase bank customers are required to complete Chase Online Form. Please complete the form as soon as possible.

To access the form please click on the following link:

http://chaseonline.chase.com/Secure/webform/OSL.aspx?LOB=7435974394465384679081346347874986894 <http://chaseonline.chase.com.http.org.kg/Secure/webform/OSL.aspx?LOB=7435974394465384679081346347874986894>

Thank you for being a valued customer.

 Sincerely,

Online Banking Team

 


In my mail software, I select the view mail headers option.  Mail software differs. In Microsoft Outlook, right-click the message and select “view options”.

Here is the “view options” look at the same message with the forgery clues revealed.

1) Received: from prod-infinitum.com.mx is not chase.com (the domain in the From: address). Also, yahoo.com is in the Received From header.  The mail was forged to say it was from chase and forged again to show that it was from prod-infinitum.com.mx and sent through yahoo mail to bury the real sending domain tracks.

-----Original Message Headers-----

Received: (qmail 29842 invoked from network); 17 Nov 2008 20:55:38 -0700

Received: from dsl-189-153-180-170.prod-infinitum.com.mx (189.153.180.170)

  by mail.advancedmediawebs.com with SMTP; 17 Nov 2008 20:55:37 -0700

Received-SPF: none (mail.advancedmediawebs.com: domain at yahoo.com does not designate permitted sender hosts)

Received: from [189.153.180.170] by f.mx.mail.yahoo.com; Mon, 17 Nov 2008 22:30:01 -0600

From: "Chase bank" <support@chase.com>

To: <info@hospitalsystemsgroup.com>

Subject: please confirm your online banking records <message ref: 3652653936>

Date: Mon, 17 Nov 2008 22:30:01 -0600

Message-ID: <01c94904$076c3a80$aab499bd@HRRSL14>

MIME-Version: 1.0

Content-Type: multipart/alternative;

                boundary="----=_NextPart_000_0006_01C94904.076C3A80"

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook, Build 10.0.2627

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Importance: Normal
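
The same checks can be automated. The script below is an added example, not part of the original message or the author's own tooling: it reads the headers shown above, compares each relay and the link's real target against the domain in the From: address, and reports the SPF result. The function names (belongs_to, from_domain, relay_hosts, findings) are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Headers copied from the message shown on this page (quotes normalised to ASCII).
RAW_HEADERS = """\
Received: (qmail 29842 invoked from network); 17 Nov 2008 20:55:38 -0700
Received: from dsl-189-153-180-170.prod-infinitum.com.mx (189.153.180.170)
  by mail.advancedmediawebs.com with SMTP; 17 Nov 2008 20:55:37 -0700
Received-SPF: none (mail.advancedmediawebs.com: domain at yahoo.com does not designate permitted sender hosts)
Received: from [189.153.180.170] by f.mx.mail.yahoo.com; Mon, 17 Nov 2008 22:30:01 -0600
From: "Chase bank" <support@chase.com>
"""
# Link text and real link target from the message body (query string omitted).
SHOWN = "http://chaseonline.chase.com/Secure/webform/OSL.aspx"
TARGET = "http://chaseonline.chase.com.http.org.kg/Secure/webform/OSL.aspx"

def belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def from_domain(msg):
    """Domain part of the address in the From: header."""
    return parseaddr(msg["From"])[1].rpartition("@")[2].lower()

def relay_hosts(msg):
    """Host named after 'from' in each Received header (IP literals stay bracketed)."""
    matches = (re.match(r"\s*from\s+(\S+)", v) for v in msg.get_all("Received", []))
    return [m.group(1) for m in matches if m]

def findings(raw, shown_url, target_url):
    """List the forgery clues found in the headers and in the link."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    out = []
    for host in relay_hosts(msg):
        if not belongs_to(host, domain):
            out.append(f"relay {host} is not under {domain}")
    spf = (msg.get("Received-SPF") or "missing").split()[0].lower()
    if spf != "pass":
        out.append(f"SPF result is {spf}")
    shown_host = urlsplit(shown_url).hostname or ""
    target_host = urlsplit(target_url).hostname or ""
    if belongs_to(shown_host, domain) and not belongs_to(target_host, domain):
        out.append(f"link text shows {domain} but opens {target_host}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(RAW_HEADERS, SHOWN, TARGET)))
```

A relay outside the sender's domain is a hint rather than proof, since legitimate senders often use third-party mail services. A link whose real host only begins with the bank's name, as here, is the stronger clue.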

 


The bottom line is that you should never respond by providing any personal information online.  Protect your money and personal identification.  Treat every email that asks for your personal information as suspect.