
BLOG: Guarding against phishing

Derek Manky | June 3, 2011
Google has recommended that Gmail users begin using a two-step verification process that requires users to enter a code, sent to their phone, after they have entered their password. Here are some more tips for combating these threats.

There are many dangerous threats lurking in cyberspace today, from software vulnerabilities and exploits to viruses and botnets. Among these threats are phishing attacks: electronic communication scams that attempt to obtain highly personal information such as credit card details, user names and passwords by assuming the identity of a trustworthy entity. The trustworthy entity can be anything from a friend whose e-mail account has been compromised to a large legitimate corporation such as a bank or an online retailer such as Amazon or eBay. A typical phisher's tackle box usually consists of bait, a hook and sometimes a phishing kit.

Laying the bait

To lure victims into disclosing sensitive information, phishers exploit the human mind through the art of social engineering. They do this by baiting individuals with electronic messages that contain popular and/or relevant material. The bait may be laid through e-mails, social networking sites and instant or mobile text messages.

For example, a phisher may spoof an e-mail from the victim's bank claiming their account needs to be updated. These e-mails can look VERY realistic and official, up to and including the bank's logo and a link that appears to point to the bank's legitimate site. Or, the phish could come from a social networking site, where the body of the message asks the victim to view updated photos or a 'funny video' after logging in with their username and password. Online gaming accounts are also frequently targeted through gaming forum invite messages.

Identifying the bait

Most phishing messages arrive unsolicited. Always be wary of such messages, especially if an action or response is required on your part, no matter how urgent it seems to be. Whenever possible, attempt to verify the sender. If a questionable message appears to come from someone you know, send a message back asking a specific question only that person could answer. For any confidential material sent by e-mail, PGP encryption and digital signing are recommended to confirm the identity of both parties.

The hook

After laying the bait, the attacker needs to hook information from the victim. In the simplest case this is done purely through e-mail: asking the user to reply to the e-mail with the requested information, or to call a given number. The latter case is known as 'Vishing' (see below for a definition). Scams such as advance fee fraud (aka the 419 Nigerian scam) follow this response methodology.

Usually, the hook is provided in the form of a link (URL). Links are commonly spoofed: their visible text will seem to point to the proper site (http://www.validbank.com) but in reality the link goes to a completely different site. Typo-squatting is also popular: attackers slightly alter the domain so that it looks legitimate at first glance (e.g. http://www.val1dbank.com).
