Don’t Get Phished

By Ian Scott

During the 1990s, crackers came up with a technique for stealing usernames and passwords from naive internet users. Phishing, which stands for "password harvesting fishing" and is pronounced like "fishing", has since become an effective way for criminals to obtain your banking information, credit card numbers, usernames and passwords, and any other information you may unwittingly provide them.

The technique involves sending out spam email that appears to come from legitimate businesses and organizations such as E-Bay, CitiBank, Sun Bank, Washington Mutual, Pay Pal and, of course, others. The content of the email claims that there is a problem with your account and asks you to log in using the link provided. Because the link is in HTML, it can be written so that it appears to point to the legitimate company's website, while actually taking you to a fake website that looks exactly like the real one.

This website will have forms on it asking you to fill in your details, including name, password, account number and other information. Once you've clicked the submit button, all of that information is in a criminal's hands.

Another attack, currently being used against customers of a Brazilian bank, is even more dangerous. Instead of an email that asks you to log on to a fake website, it comes with an attachment which, if you open it, rewrites your hosts file. This affects Windows users; Linux/UNIX users are, generally speaking, immune to it. We'll talk about why later.

Your hosts file is the first place your computer looks when you connect to a website. If an IP address for a domain name is listed in your hosts file, that is the IP address your browser will go to, instead of the real IP address for the domain name. For example, if your bank's domain name is mybank.com and its real IP address is something like 209.135.104.8, but your hosts file lists mybank.com as having the IP address 204.135.104.121, then 204.135.104.121 is the server your browser will connect to instead of the real mybank.com.

And of course, the site at this fake IP address will look just like your bank's site at mybank.com. Although this particular attack has so far surfaced only against customers of Brazilian banks, it is only a matter of time before it spreads.
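To make the lookup order concrete, here is an added example (not code from the original post) that mimics "hosts file first, then DNS" on a constructed hosts file containing the kind of entry the attachment would write, and then reports any watched bank name that has been pointed at a non-loopback address. The hosts file contents, the DNS table and the watchlist are all assumptions made up for the example.

```python
import ipaddress

# Constructed sample hosts file. The last line is the kind of entry the attachment
# described above adds: the bank's name mapped to an address the bank does not own.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.local   # legitimate LAN entry
204.135.104.121 mybank.com www.mybank.com
"""

# Assumed watchlist: the banking and payment sites you actually use.
WATCHLIST = {"mybank.com", "www.mybank.com", "paypal.com", "ebay.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def resolve(name, hosts_text, dns_table):
    """Resolve a name the way the article describes: hosts file wins, DNS is the fallback."""
    for ip, host in parse_hosts(hosts_text):
        if host == name.lower():
            return ip
    return dns_table.get(name.lower())

def hijacked_entries(hosts_text, watchlist=WATCHLIST):
    """Return (hostname, ip) for watched names mapped to a non-loopback address.

    A watched name mapped to 127.0.0.1 merely blocks the site; mapped anywhere
    else it silently redirects you, which is the attack described above."""
    hits = []
    for ip, host in parse_hosts(hosts_text):
        if host in watchlist and not ipaddress.ip_address(ip).is_loopback:
            hits.append((host, ip))
    return hits
```

On a real machine you would feed in the actual hosts file (for example C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Linux) rather than the sample string; a bank name appearing there at all is a warning sign, because banks never ask you to add one.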

Recognizing Phishing Email

It's really not that hard to recognize most phishing email. First of all, financial institutions will probably never send you an email advising you of a problem with your banking information and asking you to log in to their website. PayPal and E-Bay do not send these types of messages either. If you get any such message, that's your first hint that someone's gone phishing, and you're the phish! Ignore the bait. Delete it. Or, if you want to do something before you delete it, you can report the email to http://spamcop.net as well as to the Anti-Phishing Working Group.

As well, you should never open an attachment you don't recognize, especially if you are an MS Windows user. To be totally secure when using MS Windows, you really should contact the sender (by telephone is best) and ask whether they did in fact send you an attachment. It is very easy to spoof the sender's name and email address, so you cannot trust those either.

Losses From Phishing

Some suggest that losses as a result of successful phishing expeditions could approach 500 million US dollars by the end of 2005. However, an article that appeared in Dev Hardware reports that consulting firm TowerGroup says "global losses from email phishing attacks will reach $137 million for 2004."

That's still a lot of money. The average amount stolen per phishing victim is $1,200.00. There is really not much you can do about it either, as more and more banks are taking the view that they are not responsible for your actions. For the average person, $1,200.00 is no small potatoes.

Don’t Be A Victim

You don't have to be a victim of any Internet scam or fraudulent program. When you receive an email that appears to be legitimate but asks you to log in and provide your personal details, simply don't do it! Your bank will never ask you to visit its site to provide personal details!

Be vigilant about your personal information and about whom you provide any details to. No matter what any law says, ultimately you are responsible for the information you give out. Laws might give you a degree of protection, and perhaps the perpetrator might be punished, but who wants to depend on that? Who wants to even go through that? Always accept and be 100% responsible for the information you give out about yourself.

Sources
http://www.antiphishing.org/
http://www.devhardware.com/showblog/1928/Phishing-Not-as-Profitable-as-Some-Estimates-Say
http://www.securityfocus.com/columnists/274
http://www.securityfocus.com/news/9859
