Passwords to more than 10,000 Hotmail accounts were recently posted online. This is not the lone phishing scheme in recent months as hackers continuously ‘phish’ for personal, sensitive information.
Phishing or brand spoofing is a technique used by hackers to gain access to vital information from gullible Internet users. Hackers are cyber criminals who fool users into revealing information about themselves such as bank account numbers, passwords, credit card data and other financial data.
Internet scammers literally “fish” for information by launching their own web sites which are exact replicas of the web sites of even major companies. Requests in the form of fake emails are sent to unsuspecting customers asking for passwords etc. to be entered in official looking forms. The data is siphoned off to the hacker who can use it to draw money from the customer’s account.
Recent attacks involved Charlotte’s Bank of America, Best Buy and eBay. Internet users are warned against responding to emails which state that their account will expire soon. Before answering such emails, users are advised to verify the authenticity of the email with the company itself, or not to answer at all.
Internet users should know how to spot a fraudulent email even if it includes authentic-looking marks like trademarks, logos, graphics and URLs. The copied web page will not have details like the user’s name, account number etc.; the user may be addressed as sir, madam or cardholder. The HTML tags in the URL should also be examined, as they indicate whether the site is authentic, and a lock image on the URL shows that the web site is a safe one.
Clicking on the link in a fraudulent email exposes the computer or network to a Trojan program. These programs install themselves on the PC and keep track of every keystroke made by the user. This gives the hacker full access to all the personal information.
Proactive Protection of the PC
Internet users have to fortify their computers against Trojans and other attacks by erecting Internet firewalls against them.
Anti-virus software detects and removes the latest viruses. The operating system and Internet browser should be armed with the latest antidote to the newest virus. Users are requested to keep themselves informed about latest viruses, reviews of anti-virus software and employ steps to protect the computer proactively.
When giving personal or financial information on web sites, users have to look for the padlock icon on the status bar of the browser. Double-clicking on the icon should reveal a security certificate, which should be from an authentic firm. If any doubt arises regarding the authenticity of a web site, it is best to leave the site immediately. It is always best to type the full web site address into the address bar when accessing a financial institution’s site, rather than clicking on a link which appears in an email.
Phishing for passwords is the favourite game of hackers. A single password, such as that of a PayPal account, is enough to siphon off money from a victim’s account. Passwords have to be well chosen and should not be names of family members, important numbers etc. A password should be a mix of lower and upper case letters with numbers and other characters, and more than 6 characters in length. Security experts say it is best to change passwords from time to time to keep them secure.
To keep one step ahead of hackers, credit card and bank account statements should be scrutinized carefully to check for unauthorised transactions. Also the billing address and account balance should be checked in case there is a delay in receipt of the transaction statement. Consumers should avoid using computers in Internet cafés and other public terminals for financial transactions.
Again, it is wise to double check the source of any email requesting vital information before revealing any details. The bank or any other organisation can be contacted by phone to cross check the authenticity of an email. Most web sites offer an email address to which doubtful emails can be forwarded. If there are doubts that account details are in danger of being given away to a phishing site, the customer service number must be contacted to stop any fraudulent transaction.
Social Networking Sites under Attack
Social networking sites seem to be the source of all the information required by hackers. One can find information such as names of home towns, birth dates, spouse names, addresses, offices, businesses, names of pets and alternate email accounts. Social networking is a new threat, as reported by security firm Websense.
Leakage of vital information is actually more profound through social web sites than was imagined before. US-based information security consultancy Intrepidus found that about 23 percent of the 500,000 sites it tested have been victims of a socially engineered phishing attack.
Intrepidus co-founder Aaron Higbee said, “Attackers are bypassing all layers of security and are going after the soft targets – social network users - with targeted phishing. And it’s very effective,” he added.
Financial institutions under phishing attack
Recently there were reports that local banks in Singapore have been victims of phishing attacks. The new Trojan directed users to an authentic-looking fake bank portal. The log-in information stolen from the fake site can be used for fund transfers. Warnings against the cyber criminals were issued by the Singapore banks to alert customers to threats to their online banking accounts and activities. Online banking users were given a two-factor authentication step to make their transactions as reliable as possible.
Security companies McAfee and Symantec identified the Trojan and categorised it as low-risk. The Trojan affected users irrespective of their geographical location; the damage level was low and was soon contained by the security agencies. However, United Overseas Bank, Singapore sites were not targeted, according to reports.
United Overseas Bank sources said, “Various security solution providers have confirmed this fact for us. The bank has in place Internet technologies that track and monitor all incoming traffic. This is enforced as part of the bank’s existing suite of security measures and independent of any potential threats like the latest Trojan program. One vital step in our ongoing efforts to ensure a safe online environment for our bank customers is to proactively engage and alert our customers of any potential threats that may surface.”
Asian Banks fight back
ReadMinds, a Singapore-based firm specialising in security software for financial institutions, reveals that Asian banks have realised the importance of threats to online transaction security. The study conducted last year covered the countries of Bangladesh, Cambodia, Hong Kong, Indonesia, Malaysia, the Philippines, Singapore, Sri Lanka, Taiwan, Thailand and Vietnam.
Most banks in these countries have implemented online security in the form of two-factor authentication (2FA), a software-based mode of second-factor authentication. The percentage of financial institutions which were focused on educating customers on online fraud and identity theft was only 20 percent. The methods used in implementing security in most financial transactions include risk-based transaction authorisation, fraud detection and strong user authentication.
With more sophisticated methods of online attacks, it is imperative for anti-spam vendors, browser makers and Internet service providers to try and fortify the Internet with new technologies. Phishing web sites have evolved into a new dimension where even frequent Internet users are easily fooled into revealing data and other credentials.
Spam messages have been sources of phishing information for some time now, and social networking sites like Twitter and Facebook are being used by phishers to attack unsuspecting victims.
“Whether it is phishing or malware, the one thing we cannot do is blame the victims,” said Mary Landesman, senior security researcher at Web security services vendor ScanSafe Inc. “The world has changed in terms of security risks and I don’t think by and large that people’s perceptions have.”
Phishers are using phishing tool kits to create any number of false domains and phishing URLs. Hackers work on the assumption that if a user presses even one wrong letter key, he/she will be taken to one of their phishing sites. Symantec said that over 110 web hosting services were accessed in September, amounting to 11 percent of phishing attacks.
Security software vendors try to keep one step ahead of phishers who are getting equally smart. The FBI in America conducted raids to shut down phishing rings and the FTC also closed down an ISP which hosts phishing domains. Yet educating end users and letting ISPs detect and shut down phishing Web sites should be in focus for long term results.
Dave Jevans, founder and chairman of the Anti-Phishing Working Group (APWG), said that technology should be used as a tool to fight phishing. Anti-phishing measures suggested by him include extended validation (EV) SSL certificates and two-factor authentication as part of login procedures. EV SSL features have to be embedded in browsers, as they will guide people in distinguishing legitimate from illegitimate web sites, he noted.
Recently the FBI and Egyptian authorities caught several people involved in an international phishing ring. APWG is working with Internet Corporation for Assigned Names and Numbers or ICANN for developing a method which will help registrars deal with phishing domains and malware.
Asia domain, a top level registry, has tightened security norms and plans to close down phishing sites. Also, DotAsia Organisation will implement a policy to put an end to phishing domain names. When fraudulent domain names similar to well-known brand names are detected or reported, they are removed from the Internet by ISPs and registries. But it is a known fact that this does not deter phishers, as they simply change hosting providers while keeping the same domain name and repeat their attacks.
They use the “fast flux” technique, which ensures that a web site is always available. Using fast flux, a web site can resolve to different IP addresses, necessitating the removal of all of them from the Internet and resulting in a long drawn-out anti-phishing effort. If steps are taken to stop the same domain names being used again and again, phishers can be left in the lurch. Security agencies and their expert teams the world over are working on such a scenario.
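As an added illustration of the fast-flux pattern described above (example code written for this page, not from the article or any vendor or agency it names): a defender with resolver or passive-DNS logs can flag domains that rotate through many addresses on several networks with short TTLs, which is exactly why taking down one IP does not remove the site. The domains, addresses and thresholds below are constructed for the example.

```python
"""Flag fast-flux behaviour in constructed passive-DNS observations."""
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log: (queried domain, answered IP, TTL in seconds),
# as a resolver might record over one day. Addresses are RFC 5737 test ranges.
SAMPLE_OBSERVATIONS: List[Tuple[str, str, int]] = [
    ("login-example-bank.test", "203.0.113.10", 120),
    ("login-example-bank.test", "198.51.100.7", 90),
    ("login-example-bank.test", "192.0.2.45", 60),
    ("login-example-bank.test", "203.0.113.77", 120),
    ("login-example-bank.test", "198.51.100.200", 60),
    ("www.example-bank.test", "192.0.2.1", 86400),
    ("www.example-bank.test", "192.0.2.1", 86400),
    ("www.example-bank.test", "192.0.2.2", 86400),
]


def domain_profiles(observations: Iterable[Tuple[str, str, int]]) -> Dict[str, dict]:
    """Aggregate per domain: distinct IPs, distinct /24 networks (a crude
    stand-in for hosting diversity), and every TTL seen."""
    profiles: Dict[str, dict] = defaultdict(
        lambda: {"ips": set(), "nets": set(), "ttls": []})
    for domain, ip, ttl in observations:
        p = profiles[domain]
        p["ips"].add(ip)
        p["nets"].add(ip.rsplit(".", 1)[0])  # first three octets = /24
        p["ttls"].append(ttl)
    return profiles


def is_fast_flux(profile: dict, min_ips: int = 4, min_nets: int = 3,
                 max_median_ttl: int = 300) -> bool:
    """Heuristic: many IPs spread across several networks, all served with
    short TTLs so the rotation is visible to clients within minutes."""
    return (len(profile["ips"]) >= min_ips
            and len(profile["nets"]) >= min_nets
            and median(profile["ttls"]) <= max_median_ttl)


def flag_fast_flux(observations: Iterable[Tuple[str, str, int]], **thresholds) -> List[str]:
    """Return the sorted domains whose profile matches the heuristic."""
    profiles = domain_profiles(observations)
    return sorted(d for d, p in profiles.items() if is_fast_flux(p, **thresholds))


def takedown_targets(observations: Iterable[Tuple[str, str, int]]) -> Dict[str, Set[str]]:
    """Every IP seen for each flagged domain: the full set that would have to
    be removed if only hosting, not the domain name itself, is taken down."""
    profiles = domain_profiles(observations)
    return {d: set(profiles[d]["ips"]) for d in flag_fast_flux(observations)}


if __name__ == "__main__":
    for domain, ips in takedown_targets(SAMPLE_OBSERVATIONS).items():
        print(f"{domain}: {len(ips)} addresses to remove -> {sorted(ips)}")
```

On the constructed log the legitimate site keeps one stable address pair with day-long TTLs, while the lookalike login domain is flagged with five addresses across three networks.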
Reports that phishing and malware attacks will increase this year are alarming and it has been found that advertising networks will be the delivery wagon for most malware on consumers’ PCs. Research firm Gartner forecasts more trouble unless email providers, advertising networks and other web sites keep malware away from their portals. They suggest incentives for such infection points to stop the Internet disease from reaching consumers.
Enterprises have to subscribe to anti-phishing solutions and anti-malware services to prevent the virus from spreading its tentacles across the Internet and catching consumers unawares. Financial services providers should fortify their systems by implementing fraud prevention solutions, using stronger user authentication and transaction verification.
Online security solutions provider VeriSign conducted a survey of Asian countries including India and Singapore and found that most Internet shoppers were not aware of harmful sites or how to detect them. Its simple advice is to look through the site for spelling errors and unknown domain names, check the browser for the padlock icon and green address bar, and double check the offer on the item before giving away credit card numbers and other details.