BT E-mail Scam

Discussion in 'Off-Topic Discussion' started by rosa, Oct 2, 2009.

  1. strawman

    strawman Gardener

    Joined:
    Aug 1, 2009
    Messages:
    950
    Ratings:
    +2
    The very best email client that allows you to preview the email sender is Mozilla Thunderbird. It's a program that you can run from a USB key, instead of loading it onto your PC. MT has a very good anti-spam filter and once it's set to bin anything you choose as being spam, it goes straight into the bin.

    Where viruses are concerned, there is always a point when the viruses are ahead of those writing the anti-virus software. As far as I'm aware, the crooks have not yet been able to embed viruses into Jpegs just yet. The greatest danger lies in convincing the email recipient to double-click on any dot exe attachment that is sent with an email. This, in fact, was where the 'I love you' virus came into its own and spread so fast. Unfortunately, a PC still relies upon us to use it carefully and hopefully wisely too.

    With phishing being so rampant, one could be forgiven for wondering why the banks don't come down heavily on those who use their name to rip off their customers? Again, I think it's just that they don't care. It's easier, and therefore cheaper for them to ignore these phishing attacks and let us pay the price for our own stupidity.
     
  2. rosa

    rosa Gardener

    Joined:
    May 26, 2006
    Messages:
    13,867
    Ratings:
    +14
    Some great points there, my friends. A lot of things go directly into my spam folder and I delete them, but when I first got that BT e-mail I must admit I opened it up and saw that they were asking for updates on my account and my bank numbers, so I spammed it. I had one last week; it was in my spam folder and I deleted it and have not had one since. Also, BT know about this now so they could be looking it up.
     
  3. shiney

    shiney President, Grumpy Old Men's Club Staff Member

    Joined:
    Jul 3, 2006
    Messages:
    64,853
    Gender:
    Male
    Occupation:
    Retired - Last Century!!!
    Location:
    Herts/Essex border. Zone 8b
    Ratings:
    +126,989
    Well said, Strawman :thumb:

    I'm with BT and the first thing I do every morning is to go into my accounts at BT. I don't download my emails until I have checked everything at BT. I first check my inbox and dump anything that is not genuine. They automatically put what they think are spam into a spam folder. Most are spam and phishing emails and some are genuine emails. I transfer the genuine ones to my inbox and then check my next account in the same way. I then load my email software and it downloads my inbox.

    That helps to deal with most of the problems but you still have to use common sense and judgement on whether you think they are genuine or not - and don't open any attachments that you aren't sure of.

    During the day my software regularly downloads anything at my BT inbox so I then have to be careful. Fortunately, they automatically scan all attachments before letting them through and very occasionally I receive an email with a message from BT telling me that they have found a virus in an attachment and have cleaned it - I still dump the attachment and tell the sender (if I know them) what has happened. Other times (extremely rare) BT send me a notification that they are unable to clean a virus from my attachment and therefore just send me the body of the email without the attachment.

    Since they started doing that, a year or two ago, my own virus checker has never found a virus. :gnthb:

    Of course, this doesn't stop me from picking up a virus or other nasty whilst surfing. At the slightest hint of anything unusual I shut down my computer, reboot and run checks. Probably a bit paranoid - but just because I'm a bit paranoid it doesn't mean to say they aren't out to get me!!! :rotfl:
     
  4. clueless1

    clueless1 member... yep, that's what I am:)

    Joined:
    Jan 8, 2008
    Messages:
    17,778
    Gender:
    Male
    Location:
    Here
    Ratings:
    +19,598
    I believe you are correct in that viruses can't be embedded in a jpeg (although I'm sure someone will figure out a way at some point). However the risk with viewing an image in a spam email is more to do with the fact that it is a common trick for confirming that the email address is in regular use.

    Consider for example if I embed a picture in an email and send it to you (not as an attachment, but as an embedded pic). You view that email and allow it to show you the image. Your email client downloads that image from my server (because the image was never actually sent, it was just a url to the image that was embedded in the message). My webserver now knows that it has served up that image to your IP address.

    But an IP address does not equal an email address. So this is where I get a bit clever in my email with the pic in it. Instead of making the url point straight at the image on my server, like this:

    Code:
    http://myserver.com/picture.jpg
    I make the url point to a little program on my server, like this:

    Code:
    http://myserver.com/[email protected]
    The script 'confirmvalidemail.php' takes your email address as a parameter, so as soon as you view that image, that script runs on my server and updates my database to indicate that the email address is valid and in use. With yours and thousands of others, I would then have a big list of in use email addresses that I can sell to spammers.

    From that simple action of viewing the image, I have also learnt something else I can use. I know your IP address.

    I can also make an assumption. Because you viewed my image I can assume your knowledge of computer security is not as good as it could be, and from that I can assume you don't have a well configured firewall etc. So now in my database I have the IP address of a machine that is probably not well protected, and the email address of someone who reads spam messages. An arsenal of other nasty little programs then work down the entries I've collected in my database, and start talking to your IP address, testing which ports are open on your machine, what services are running, and how I might get in.

    In addition to all I've learned about you so far, I also know what email client you used. And from that I make further assumptions. If you used Outlook Express or Outlook, it is a safe bet that your browser is IE, so I can put you down as a target for anything that exploits known vulnerabilities in these applications.

    So, to summarise, from the simple act of viewing an image in a spam email, you effectively tell the spammer lots of useful information that will help them to target you in unimaginable ways.

    Oh, and where I kept referring to 'I', I wouldn't do any of that, I was being hypothetical:)
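
Added example, not part of clueless1's post or any code from this forum: a Python check that lists the images an HTML e-mail would fetch from a remote server and flags URLs that carry the recipient's address, the pattern post 4 describes. The sample body, the hosts, the `addr` parameter and the address are constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample body: the hosts, the address and the "addr" parameter are made up.
SAMPLE_HTML = """<img src="cid:logo@message">
<img src="http://images.example/banner.jpg">
<img src="http://tracker.example/confirmvalidemail.php?addr=reader%40mail.example">
"""


class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and dict(attrs).get("src"):
            self.sources.append(dict(attrs)["src"])


def recipient_tokens(address):
    """Forms (lower-cased) in which a URL could carry the recipient's address."""
    raw = address.lower().encode()
    return {
        "plain": address.lower(),
        "base64": base64.urlsafe_b64encode(raw).decode().rstrip("=").lower(),
    }


def audit_images(html_body, recipient):
    """Return (url, host, address forms found) for each remotely fetched image."""
    collector = ImgCollector()
    collector.feed(html_body)
    tokens = recipient_tokens(recipient)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid: and data: images travel inside the message itself
        url = unquote(src).lower()  # case-insensitive, so base64 hits are approximate
        hits = sorted(name for name, tok in tokens.items() if tok in url)
        findings.append((src, parts.hostname, hits))
    return findings


if __name__ == "__main__":
    print(*audit_images(SAMPLE_HTML, "reader@mail.example"), sep="\n")
```

Every tuple returned is a request the sender's server would log along with the reader's IP address and mail client; a non-empty third field means the request also names the mailbox. With remote images blocked in the mail client, none of these requests is made.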
     
  5. NatalieB

    NatalieB Gardener

    Joined:
    May 29, 2009
    Messages:
    679
    Ratings:
    +0
    Wow Clueless - what a fantastic explanation of how we can so easily get duped into providing information, that until now, I'm sure most of us weren't aware! I've always known not to open anything, or if anything does actually get opened, if I don't know the sender, we don't click on the link - and so far.......so good.....but who knows what's being collected and who by? Thanks again Clueless - great post!

    In terms of illicit type spam email, a lot of that will come from actually visiting those types of sites. If you have a bug on your system that will track what type of sites you visit, you will of course be targeted with that type of email. That's the idea behind the tracking bugs!
     
  6. Jazmine

    Jazmine happy laydee

    Joined:
    Sep 1, 2008
    Messages:
    3,335
    Gender:
    Female
    Occupation:
    Retired-got my bus pass and loving it!
    Location:
    Norfolk
    Ratings:
    +712
    Thanks Clueless, very informative.
    I think my son has made sure I am fairly safe here and he drums into me not to open anything at all I am unsure about. Have you noticed how these spammers use variations of your name too? My protection shoves most of them all in the rubbish bin.
    It's true what NatalieB says about being careful what sites you visit too. I sometimes visit health sites purely to research my condition and that has resulted in a few spam emails from medical sites.

    I take my privacy very seriously and unfortunately there are people who will stop at nothing and even broadcast your details on other forums for all to see :(
     
  7. clueless1

    clueless1 member... yep, that's what I am:)

    Joined:
    Jan 8, 2008
    Messages:
    17,778
    Gender:
    Male
    Location:
    Here
    Ratings:
    +19,598
    This type of attack is, as far as I'm aware, rarely used against an individual. It is a technique used by the more hardcore dodgy folks, as a means to gather data in volume, often with the intent of committing more serious crimes of a fraudulent nature.

    There was a case a while ago of someone getting caught and going to jail for a long time. If I could remember the timing of the case I'd look it up. Basically what happened was this:

    First up, you use the technique I described to build up a huge database of details of people's machines. We are talking tens or hundreds of thousands. Then a program works down the list of IP addresses (the unique number that your machine uses to talk to the internet) and tests for vulnerabilities at each address. Each time it finds a vulnerable machine, that machine is hacked and is loaded with a nasty little program that would typically send a message back to say it was in, and then sit there waiting for further commands. The ultimate goal of this type of attack is not to target someone personally, but to use them as a convenient diversion. With a huge chain of computers all under someone else's control, they then begin their real attack, often against a big corporation or such like. Alternatively the nasty little program will simply be used to send spam, so that no one ISP cottons on to the fact that thousands upon thousands of emails are going out in one go. The idea being that it is very hard to trace. An ISP or a targeted business will trace the IP address(s) that is hassling them fairly quickly, but then discover it is ordinary Joe Blogs down the road who is probably unaware of what's happening. They ask his ISP to trace the IP address that was hassling ordinary Joe, and they find out it is plain Jane, so they ask her ISP who was hassling her and find it was someone in India, Uzbekistan or wherever, and so on and so on. By the time they eventually trace it all the way back to source, the perpetrator has long gone. I know it sounds like something from a sci fi movie or something, but it really happens.

    The gathering up of email addresses en-masse may be done by the same initial process, but is used in an entirely different way. This is where 'phishing' attacks come into it, and plain old spam. The email address lists are illegally sold. 'Phishing' is so commonplace purely because it is cheap and easy. Having sent out maybe 100,000 emails asking someone to confirm their account details, if they gain access to just one bank account, the operation has paid for itself.

    There have been some goings-on in the news for the last day or so about this type of thing. Hotmail got hacked and the account details got published on the internet. Google have just announced that they too have been hacked, as has Yahoo. So I guess we can all expect a bit of spam over the next few weeks. On the news tonight it quoted the case of one lad who'd come off worst from it. His identity was stolen and he ended up bankrupt. He fell for a phishing attack, so let that be a lesson to us all.

    It all sounds pretty scary, and I guess it is in a way, but the plus side is we are unlikely to be individually bothered, we just happen to be one of many thousands and so on, and so it is not worth a hacker's trouble to give us lots of individual attention. That makes it relatively easy to safeguard ourselves a bit. Here are some pointers:

    * Install a firewall. This is crucial really. It's a little application that watches your network activity, both incoming and outgoing, and makes sure nothing untoward happens if your IP address happens to be in the hacker's list. It is not the same as antivirus or spyware software, both of which are important too, but a firewall is a must. You can get free ones that are pretty good. ZoneAlarm is one that I used to use when I ran Windows. Basically a firewall lets YOU decide what sort of thing can connect to your computer. It stops your machine from being the ever polite, willing to talk to anyone, to only talking to who or what you said it can talk to and ignore everything else. For example, when you start IE after installing ZoneAlarm, it will pop up and tell you that IE is trying to connect and ask you if it is allowed. If you say yes, then it's fine. If you say no, then that application will simply believe there is no network connection. Same with incoming stuff. If say I was to try to connect to your machine, your firewall would just pretend you didn't exist until my program gave up and reported that the IP address was invalid or not responding. If you run Windows XP with Service Pack 2 or later, you will be firewalled by default, but it doesn't hurt to add a third party one. Same with Vista.

    * Install the usual antivirus and anti-spyware gubbins.

    * Never open attachments to emails unless you know for certain that they are genuine. This is a tricky one too. A virus on your mate's machine might send the virus from his/her computer, so you think it's ok as you recognise the sender. If you weren't expecting it, a quick phone call to check they did it might be wise if you are unsure.

    * Never view images that are embedded in emails. This can confirm your email address is in use and give away your IP address as I mentioned earlier. Most email clients nowadays don't download images by default for this very reason.

    * Any reputable organisation knows that they are bound by law (Data Protection Act) not to ask you for sensitive data via a medium that is not secure, and they know that email is not secure. They would get absolutely hammered if they breached the Data Protection Act, so for that reason they will never ask you for such details in an email. Also most corporate websites will never ask for all of your login credentials in one go. You must have seen the internet banking stuff where you get asked the first, third and fifth (for example) digits from your security number. They don't usually ask for it in full, and if they ever do, don't give it.

    * If an email comes and it looks genuine, and from a business you deal with, don't simply follow the link in the email. It takes a matter of minutes to copy the appearance of someone else's website, modify the background functionality to steal your details, and upload it to a different server. Always put the company's actual address in the address bar rather than following an emailed link to them.

    * If you see a well known logo on a website like the VeriSign one, or ATOL and ABTA in the case of holiday companies for example, don't trust that unless you know the site is genuine. Anyone can copy those logos and put them on their site. Most certificate providers etc will have a searchable directory on their own website where you can check up on the other website. So for example if I saw a nice looking website that I'd not previously heard of, and it was called 'Honest Bob's Ten Pence Holidays' for example, and had the reassuring logos, I could go to the ATOL and ABTA websites and check if they've registered Honest Bob's. Also, any limited company can be checked up on at the Companies House website, and a website address can be checked up on via Nominet's 'WhoIs' function. All available for free online. Obviously it is not necessary to check up every time if you know something is genuine, but worth bearing in mind that stuff can be checked up on.

    * The age old one, don't choose passwords that your associates will easily guess, and don't use the same username and password for everything.

    I realise I've painted a pretty grim picture of the internet. It's not all bad, fortunately I believe that the more serious issues are quite rare, but if we're just a little bit careful, we can make them rarer still:)
     