


Dee
08-07-2010, 08:20 AM
Top phishing sites
by Elizabeth Rogers, 50Plus.com
Wednesday, August 4, 2010

Your account has been blocked because of multiple log-in attempts. Your credit card is about to expire or has expired. We need your help to clear up fraudulent activity on your account. We couldn't process your transaction or deliver your shipment. Please confirm your password.

Can you spot a phishing attack when you see one? Some messages we laugh off, but others look a little too real -- and they're netting more victims.

If you're not familiar with the term, phishing is an apt metaphor for the crime. The bait: an email or instant message containing an urgent message, usually involving exciting or troublesome news and a request to provide information.

The hook: the legitimate-looking email links you to a legitimate-looking website or web form where you enter sensitive data which can later be sold and used to commit identity fraud.

What makes this crime tricky to spot is that the emails and websites can't easily be distinguished from legitimate organizations. That's because scammers can forge the look and feel of real websites and communications -- a process known as spoofing.

And the waters may be getting a little rougher, according to experts. With growing internet use, there are always more fish to catch and more places to catch them. Secure content management solutions provider Kaspersky Lab recently released its list of top targets for phishing attacks worldwide.

Here are the top 10 places to watch out for predators:

PayPal
eBay
HSBC (an international banking company)
Facebook
Google
IRS
RAPIDSHARE (A German webhosting company)
Bank of America
UBI (United Bank of India)
Bradesco (One of the four leading banks in Brazil)

(cont'd (http://ca.finance.yahoo.com/print/personal-finance/article/yfinance/1766/top-phishing-sites))

paularoid
08-07-2010, 01:55 PM
As I have come to find out, Craig's List should be included on that list too. I wasn't a victim because I was smarter than to fall victim to it but I've never experienced fake warnings of all kinds of things like I did (and continue to) when I placed an ad on Craig's List.

If you're bound and determined to place potentially sensitive information like your email address or your mailing address on a site like this (Craig's List, eBay, etc.) then it's best to use a throw-away email address like Yahoo, Gmail, etc. and spell out the numbers. For instance, if you're going to put your actual mailing address there then spell it out.

An address of "123 WhatsItsWay" would be "one two three WhatsItsWay" or a phone number of "123-4567" would be a similar "one two three - four five six seven".

I know it's a pain to do things that way but it prevents "bots" from harvesting those things for nefarious purposes and it keeps your spam to a more manageable level. It also means that only genuinely interested parties will respond rather than you having wasted a lot of time dealing with people that only want your information so they can send you a lot of CRAP.

Sara
08-07-2010, 08:03 PM
From AARP:

Scam Alert
Watch That Watch

Copycat websites mean that your designer purchase could be made in Mongolia
by: Sid Kirchheimer | from: AARP Bulletin (http://www.aarp.org/bulletin/) | May 24, 2010

Debbie Hughes was doing some very early online Christmas shopping when she typed “Tiffany & Company” into the search bar.

“Up came a website called Tiffany & Company On Sale and I thought, wow!” says the 57-year-old Ohioan. “They were selling a sterling silver necklace and bracelet for $228–what it usually costs for just the bracelet.”


But the website didn’t belong to the famous New York jeweler, despite looking quite a bit like the one that does. Its address—www.tiffanyco.mn—was a tweak of the real Tiffany website, www.tiffany.com (http://www.tiffany.com), and the .mn meant it was registered as a Mongolian site.
And the discount designer jewelry that Hughes ordered? It did arrive—in a package with a Chinese postmark. “It was chrome-like junk,” she tells Scam Alert. But the gift box was a very clever copy of a Tiffany box.


It took Hughes, who operates a home-based business selling books and DVDs over the Internet, nearly four months to get a refund from her credit card company. The fake Tiffany company ignored her e-mails requesting a refund, and its website had no telephone number.


Popular brands make prime targets

The scam here is called “cybersquatting.” It occurs when a dishonest business steals or alters the website domain name of a well-known company and launches a copycat site to deceive online shoppers.


“There are many, many websites out there counterfeiting high-end, well-known brand names—Tiffany, Nike, Ray-Ban and others,” says Sue McConnell of the Better Business Bureau in Cleveland, which investigated Hughes’ case. “Anything that is popular and pricey is ripe for these counterfeiters, who lure you in with bargain prices.”


“They often simply copy and steal pages from the real website and place them on their own,” says McConnell. The merchandise, if it’s delivered at all, is usually poorly made knockoffs.

The BBB has fought an uphill battle against these sites. “When you’re dealing with scammers in foreign countries—as is the case with many cybersquatters—it’s tough,” says McConnell.


“You don’t get a lot of cooperation from those governments or other authorities, who don’t care [about protecting American customers]. And it’s not as though a company in Mongolia is interested in resolving BBB consumer complaints.”


How to recognize a counterfeit website


Carefully read the address, or domain name, that appears in the line at the top of your browser. Beware of any website whose address has even the slightest change from the company’s name. That includes extra words, such as TiffanyonSale or SterlingTiffany, says McConnell, or anything but the usual .com or .org ending.



Call first. Some cybersquatting customer service telephone numbers are outright bogus; others connect to fax machines (so you can’t reach a person). Avoid any website that has no posted phone number.



Verify any brand-touting “bargain” website at the corporate headquarters of the real company. A phone call by the BBB to the authentic Tiffany & Co. revealed that it neither operates nor sanctions any sale or overstock websites. Also check with the BBB (http://www.bbb.org/) for past complaints about specific websites.

Check the domain name registration. Websites such as WhoIs.net (http://www.whois.net/) can reveal who owns a website’s name. Avoid sites that shield that information behind a proxy registration service. Another red flag: a familiar American brand name being sold at an Internet address that ends with the ID letters of a foreign country (http://www.checkdomain.com/list.html)—as did the fake Tiffany site. MN is the abbreviation for Mongolia.
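
The address checks from the AARP article quoted above (a changed company name, extra words, an ending other than .com or .org, a country-code ending) can be applied mechanically. This is an added example, not part of the original thread or the article; the OFFICIAL allow-list, the function names and the sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand keyword -> official domains.
OFFICIAL = {"tiffany": {"tiffany.com"}}
USUAL_ENDINGS = {"com", "org"}  # the "usual" endings the article names


def hostname(address):
    """Return the lowercase hostname from a URL or a bare host name."""
    address = address.strip()
    if "://" not in address:
        address = "//" + address  # lets urlsplit treat a bare host as a netloc
    return (urlsplit(address).hostname or "").rstrip(".").lower()


def lookalike_flags(address, official=OFFICIAL):
    """List the article's red flags that apply to an address ([] if none)."""
    host = hostname(address)
    labels = host.split(".")
    ending = labels[-1]
    flags = []
    for brand, domains in official.items():
        # Ignore hyphens so "tiffany-on-sale" still matches the brand keyword.
        if brand not in host.replace("-", ""):
            continue
        if any(host == d or host.endswith("." + d) for d in domains):
            return []  # the real site or one of its subdomains
        flags.append(f"'{brand}' appears in a host that is not {sorted(domains)}")
        # The brand has no dots, so it always sits inside a single label.
        name = next(l for l in labels if brand in l.replace("-", ""))
        extra = name.replace("-", "").replace(brand, "", 1)
        if extra:
            flags.append(f"extra text around the brand name: '{extra}'")
        if ending not in USUAL_ENDINGS:
            flags.append(f"unusual ending: .{ending}")
        if len(ending) == 2:  # two-letter endings are country codes
            flags.append(f"country-code ending: .{ending}")
    return flags


if __name__ == "__main__":
    # Constructed sample addresses, built from the names the article mentions.
    for a in ["http://www.tiffany.com/", "www.tiffanyco.mn",
              "tiffanyonsale.com", "sterlingtiffany.com"]:
        print(a, "->", lookalike_flags(a) or "no flags")
```

An empty result only means none of these four checks fired; the article's other steps (calling the company, checking the registration record) still apply.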