by Mark Aaron Murnahan, CEO
YourNew.com / SnappyISP
You probably don't know much about computer security or how to avoid hackers. I say this because most people do not. Why would you learn about securing computers and Microsoft vulnerabilities?
Computer fraud only happens to big companies and computer people, right? If you had this notion, you are sadly mistaken.
There is not a day that passes when I don't shake my head in disbelief at just how vulnerable the general computing public leave themselves. Let me tell you, though, if you are reading this, you can probably read enough to avoid the most common computer security mistakes without going blind.
Unfortunately, the means used to steal an identity on the Web, whether a domain name, email address, or your life as you know it, are vast, and very simple. Thieves and hackers prey on ignorance (or call it "innocence" if it makes you feel better). Keeping this in mind, you can really assume two positions on the matter. You can ignore it and be a victim, or you can make yourself just enough harder to scam that the thief goes to the next potential victim. In the next couple of editions, we will address how to become safer on the Internet.
Here is an example of an identity theft scam that still works very well and is extremely simple for a thief to implement. All that is necessary is a simple login form designed to match the graphics and overall appearance of your provider, and your email address.
The form is then sent out in an email that so conveniently allows the user to log in to their account for a special offer right through the email. Just in case the user is skeptical or using plain text email, the message includes a link to a login on the Website. If you log in using the emailed form, the login information may be sent to the thief while you are redirected to a legitimate page on the actual site where you thought you were logging in. If you opted for the link to the Website login, let's say the link pointed to an address like http://yahoo.vee6.com/login/85er3.cfm, many users would not have a clue that it was actually a fraud. All it would take is adding a few appearance effects of Yahoo! and many users would not even realize that the address actually points to a vee6.com address.
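The check a reader can apply to such a message, as an added example that is not part of the original article: read the host name from its right-hand end and see whether the form and the links really belong to the provider. The function names, the sample message and the choice of yahoo.com as the provider's real domain are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def classify(url, trusted_domain):
    """'trusted' if the host is trusted_domain or a subdomain of it;
    'lookalike' if the brand is only a label on someone else's domain;
    otherwise 'other'. Plain suffix match, no public-suffix list."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower()
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]  # "yahoo" from "yahoo.com"
    return "lookalike" if brand in host.split(".") else "other"

class LinkAudit(HTMLParser):
    """Collect where an HTML email's forms submit and where its links point."""
    def __init__(self, trusted_domain):
        super().__init__()
        self.trusted_domain = trusted_domain
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Only the form target and the link target matter for this check.
        attr = {"form": "action", "a": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and urlsplit(url).scheme in ("http", "https"):
            verdict = classify(url, self.trusted_domain)
            self.findings.append((tag, url, verdict))

def audit_email(html, trusted_domain):
    """Return (tag, url, verdict) for every form action and link in the message."""
    parser = LinkAudit(trusted_domain)
    parser.feed(html)
    return parser.findings

# Constructed sample message; the address is the one used in the article.
SAMPLE_EMAIL = """
<p>Log in below to claim your special offer.</p>
<form action="http://yahoo.vee6.com/login/85er3.cfm" method="post"></form>
<a href="http://yahoo.vee6.com/login/85er3.cfm">Log in on the Website</a>
<a href="https://www.yahoo.com/">Yahoo! home</a>
"""

if __name__ == "__main__":
    for tag, url, verdict in audit_email(SAMPLE_EMAIL, "yahoo.com"):
        print(f"{verdict:10} <{tag}> {url}")
```

Both the form and the first link come back as "lookalike" because the host ends in vee6.com, no matter what appears in front of it.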
Amazingly, in many places they give you a license to drive after just a spin or two around the block. You can even buy a firearm pretty easily as long as you are not a convicted felon. Most people who buy a car or firearm have had some minimal training on the use of these items. However, average computer users seldom care to learn more about the Internet than just enough to be a victim of identity theft and have the FBI visit their doorstep to seize their hard drive for evidence (or worse). If you have not already become aware of what a hacker can do, just pay me a reasonable fee for vulnerability assessment and penetration testing, and I will let you watch me type a letter on your computer while I sit in my office (or car, boat, plane, public library, et cetera). If this doesn't frighten you, just imagine if I were an actual criminal using your information; the letter might go a bit like this:
I just got the bank wire transfer and I am planning to head back to the States this afternoon. I wanted to tell you how much I appreciated your letting me use your email to learn about the family, and when they will be getting together for the holiday. Don't worry, I'll look after things while you are away. If you would like, I can pick up Suzy at school for you on Friday. That daughter of yours is a real peach and I sure would like to get to know her. Oh, I am glad I remembered ... this salmon you bought me for lunch is fantastic! Have you ever been to a place in Fiji called Sushi on You?
I hope you are starting to get the picture. Reasons for hacking computers are often not quite so abrupt, but it is common to find home computers being used for distributing illegal software, serving a pornography Website, or added as a drone to forge an attack on another target while you take the initial blame.
by Mark Aaron Murnahan, CEO
YourNew.com / SnappyISP
You may ask "What is Domain Hijacking?" Domain hijacking is just as it sounds: it is taking control over domain names illegally. Wait a minute, before we lose you ... this is not limited to domain names. Email addresses on popular services such as MSN, Yahoo!, SnappyISP, and AOL are all vulnerable to thieves.
You could relate this type of thief to the peddler you saw wearing tar and feathers back in the old west movies as he was chased out of town by the townspeople for selling a bad batch of snake oil or the cure-all pills that never seemed to fix that broken heart. Not unlike this historic thief, the 21st Century domain hijack works on the same principle of preying on the innocent and unknowing.
Hold tight for a moment, because I want to see if this rings any bells ... did you ever see that guy showing how exciting it is how *his* oxygen zaps the iodine right out of a white blouse, or how the guy with *his* waterproofing holds a lighted light bulb under water and never gets shocked? Do I really need to have Bill Nye the Science Guy writing this newsletter? If you thought these displays were amazing, stay away from the Internet and cancel all credit cards! You are the type of Internet user a cyber criminal lives for.
I got a call just yesterday from a valued client who had just made a very bad domain transfer error. The client has several domains hosted and registered with us, and he towers above the average person's Internet and computer understanding. Unfortunately, as he requested domain transfer of a couple of his existing domains to our registry, he made a very simple, but potentially very punishing oversight.
The first domain went through just fine. We sent the transfer request, he approved the domain transfer, his site never blinked. The next domain came through as normal. He received the domain transfer request, and approved the transfer. Things have all gone as normal so far. Within a couple of days following the transfers, he received yet another registry request. At this point they were all starting to look the same, but this one was completely different. It did not ask to transfer a domain from his old registrar to us, but rather to transfer from us to another domain registry. Unfortunately, it all looked like the same old thing to him, as it would to many people, so he went ahead and clicked a link, approved the transfer. *Poof* he no longer owned the domain. In a nutshell, he had approved three transfer requests: one transfer for each of the names he was bringing to us, and one to remove one of the domains from us. He thought nothing of it ... typical email from separate companies he had heard of. Unfortunately the last transfer was somebody else transferring his domain to themselves.
Around renewal time, it is much easier to confuse a victim and hijack their domain. This is because they are already expecting to receive this sort of transfer request or renewal information. For example, we receive many hundreds of "domain renewal reminders" from companies reminding us to renew domain registration, with them, of course (unfortunately, their database does not tell them that they are sending this junk to a registration service provider). If you receive this sort of letter or email, it is best to toss it in the trash and renew with whomever your domain is already registered (or transfer to YourNew.com, of course). If the thief, or even a legitimate company, uses these practices enough times, they will succeed eventually. It is all about numbers, and you want to avoid being one of the unlucky numbers of people scammed on the Internet each day.