Tuesday, September 15, 2009

PC SECURITY - The Danger of Phishing

One of the most dangerous Internet related security issues is Phishing:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Recent phishing attempts

Phishers are targeting the customers of banks and online payment services. E-mails, supposedly from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately in the expectation that some would be received by customers of a given bank or service, recent research has shown that phishers may in principle be able to determine which banks potential victims use, and target bogus e-mails accordingly. Targeted versions of phishing have been termed spear phishing. Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

Social networking sites are now a prime target of phishing, since the personal details in such sites can be used in identity theft; in late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details. Experiments show a success rate of over 70% for phishing attacks on social networks.

The RapidShare file sharing site has been targeted by phishing to obtain a premium account, which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and cooldown times between downloads.

Attackers who broke into TD Ameritrade's database (containing all 6.3 million customers' social security numbers, account numbers and email addresses as well as their names, addresses, dates of birth, phone numbers and trading activity) also wanted the account usernames and passwords, so they launched a follow-up spear phishing attack.

Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg.

1) As I've said before, the thing to remember is that legitimate financial intuitions will NOT ask for personal information, certifications, etc., via email with a direct link. They will tell you to logon to their site when necessary using your normal method (not email) using your Browser.

2) If you suspect something is "fishy" with a web-page reference to a site you use, again use your normal method to contact the site NOT the email link.

3) Verify a email link before using it. This can be done easily using something as simple as the ping command from the Command Prompt......

Ping a Domain
(click for larger view)

....and verify it is the same location as you would normally use via your Browser, the IP in the above example for google.com.

Even better, use a WHOIS site, examples:

Just copy/paste the full email link into a WHOIS and see who actually owns it.

Note that many WHOIS sites are intended for those who wish to register their own private Domain. Example, you have a small business "Toreno Real Estate" and wish to have your own WEB site "torenorealestate.com" you would us a WHOIS to verify that it is NOT being used, then register your site with a Domain Name Registrar for a fee of course. You then can use a WEB Page Host to put up your page, in fact such hosts also provide Domain Name Registration as part of their service.

No comments: