Saturday, June 14, 2008

Phishing: Examples & its prevention methods


Phishing Facts

  • 13,776 phishing attacks linked to 5,259 Web sites took place in August of 2005.
  • They targeted 84 different businesses, but three businesses received 80 percent of the attacks.
  • 85 percent of the attacks targeted banks and other financial institutions.


Introduction:

Phishing is the practice of sending out fake emails, written to appear as if they have been sent by banks or other reputable organisations, with the intent of luring the recipient into revealing sensitive information such as usernames, passwords, account IDs, ATM PINs or credit card details. Typically, phishing attacks direct the recipient to a web page designed to imitate the target organisation's own visual identity and to harvest the user's personal information, often leaving the victim unaware of the attack. Obtaining this type of personal data is attractive to attackers because it allows them to impersonate their victims and make fraudulent financial transactions. Victims often suffer significant financial losses or have their entire identity stolen, usually for criminal purposes. A phishing technique was described in detail as early as 1987, while the first recorded use of the term "phishing" was made in 1996. The term is a variant of "fishing", and alludes to the use of increasingly sophisticated baits in the hope of a "catch" of financial information and passwords.

Moreover, there have been a number of phishing cases involving well-known websites. For instance, in the case of PayPal, spelling mistakes in the e-mail and the presence of an IP address in the link (visible in the tooltip under the yellow box) are both clues that the message is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details would not be a guarantee of legitimacy. Other signs that the message is a fraud are misspellings of simple words and the threat of consequences such as account suspension if the recipient fails to comply with the message's requests. Phone phishing is also quite common nowadays: messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) is dialled, prompts tell users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organisation. Link manipulation is also one of the most popular methods in phishing. For example, phishers use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organisation. Misspelled URLs or the use of subdomains are common tricks used by phishers. Some such deceptive URL forms were disabled in Internet Explorer, while Mozilla and Opera present a warning message and give the option of continuing to the site or cancelling. A further problem with URLs has been found in the handling of Internationalized Domain Names (IDN) in web browsers, which might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organisations to disguise malicious URLs with a trusted domain.
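The clues listed above (an IP address in the link, a trusted name buried as a subdomain of another domain, IDN look-alikes, open redirectors on a trusted site, and a link whose visible text names a different host than its target) turned into detection checks over a constructed set of links. This is an added example, not code from the post; the domains, the `example-bank.test` trusted domain and the clue names are assumptions made for it.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of (visible link text, real href) pairs as a mail client
# exposes them; every domain here is made up for this example.
SAMPLE_LINKS = [
    ("https://www.example-bank.test/login", "https://www.example-bank.test/login"),
    ("https://www.example-bank.test/login", "http://192.0.2.10/login"),
    ("Verify your account", "http://www.example-bank.test.evil.test/verify"),
    ("https://www.example-bank.test/", "https://www.exampl\u0435-bank.test/"),  # Cyrillic e
    ("https://www.example-bank.test/", "https://trusted.test/go?url=http://evil.test"),
]

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def link_warnings(text, href, trusted_domain):
    """Return the clues from the article that apply to one link ([] means none)."""
    clues = []
    host = host_of(href)
    try:
        ipaddress.ip_address(host)                 # a bare IP instead of a name
        clues.append("ip-address-link")
    except ValueError:
        pass
    if not host.isascii() or any(lab.startswith("xn--") for lab in host.split(".")):
        clues.append("idn-homograph-risk")         # looks identical, different host
    if trusted_domain in host and host != trusted_domain \
            and not host.endswith("." + trusted_domain):
        clues.append("trusted-name-as-subdomain")  # e.g. bank.test.evil.test
    if text.startswith(("http://", "https://")) and host_of(text) != host:
        clues.append("display-url-differs-from-href")
    if re.search(r"https?(://|%3a)", urlsplit(href).query, re.IGNORECASE):
        clues.append("open-redirect-parameter")    # trusted site forwarding elsewhere
    return clues

def scan_links(links, trusted_domain="example-bank.test"):
    """Map each href that raised at least one clue to its clue list."""
    results = {href: link_warnings(text, href, trusted_domain) for text, href in links}
    return {href: clues for href, clues in results.items() if clues}

if __name__ == "__main__":
    for href, clues in scan_links(SAMPLE_LINKS).items():
        print(href, "->", ", ".join(clues))
```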

How to prevent phishing:

Phishing is not a security problem; it is user education that is the issue. Why do the majority of phishing attacks fail? Simple. Because users are clever enough to realise it is not the site that is sending the email.

So if the majority of phishing attacks fail, why do some users fall for the scams? They don't know the difference between the scam site and the real site. What we need to do is solve that problem, so that the user knows they are receiving an email from their trusted site.

Enter VP - Visual Passphrase

My idea to solve this problem is to create a visual passphrase for each user that logs onto a site, as a form of identification for that particular site. So when a user creates an account with the trusted site, they create a passphrase that can be anything they like and that will appear in every email from that site. This would enable the user to instantly recognise the site because of the familiar passphrase.

How it works…

The user signs up to the web site and provides their VP, for example "My dog is called Rover". The user can then instantly identify the email/site and know whether they can trust it and enter their credentials. An added benefit of knowing that a trusted site's emails contain a certain phrase is that all other emails claiming to come from it can be automatically filtered and deleted by the email client.

Recommendations for VP

1. A VP should contain at least 5 words.
2. Only alphanumeric characters should be allowed; all other characters should be stripped.
3. The VP should be enclosed in brackets in emails, for example [My dog is called Rover], which would enable automatic email filters to be configured.
4. The VP should only be present on the login screen or in emails.
5. An explanation of VP should be included next to the input box or the link provided.
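Recommendations 1 to 3, as an added Python example that is not part of the post: normalising and validating a VP, producing its bracketed form, and the automatic filter that checks inbound mail for the VP registered for the sender's domain. The domain, the sample messages and the function names are assumptions made here.

```python
import re

# Constructed sample: the VP one user registered for a site, and three inbound
# messages claiming to come from that site. Domain and text are made up here.
REGISTERED_VP = {"example-bank.test": "My dog is called Rover"}
SAMPLE_MAIL = [
    ("alerts@example-bank.test", "[My dog is called Rover] Your statement is ready."),
    ("alerts@example-bank.test", "Urgent: your account will be suspended, log in now."),
    ("alerts@example-bank.test", "[My cat is called Rover] Confirm your PIN here."),
]
VP_TOKEN = re.compile(r"\[([A-Za-z0-9 ]+)\]")   # the bracketed form of recommendation 3

def normalise_vp(raw):
    """Recommendation 2: keep only alphanumerics and single spaces."""
    cleaned = re.sub(r"[^A-Za-z0-9 ]+", "", raw)
    return " ".join(cleaned.split())

def validate_vp(raw):
    """Return the normalised VP, or raise ValueError when it has under 5 words (rec. 1)."""
    vp = normalise_vp(raw)
    if len(vp.split()) < 5:
        raise ValueError("a VP needs at least 5 words")
    return vp

def render_vp(vp):
    """Recommendation 3: the bracketed form that goes into every email from the site."""
    return f"[{vp}]"

def classify_mail(sender, body, registry):
    """'trusted' when the body carries the VP registered for the sender's domain,
    'untrusted' when it does not, 'unknown-sender' when no VP is on file.
    Comparison is case-insensitive so a re-capitalised phrase still matches."""
    domain = sender.rsplit("@", 1)[-1].lower()
    expected = registry.get(domain)
    if expected is None:
        return "unknown-sender"
    found = {normalise_vp(m).lower() for m in VP_TOKEN.findall(body)}
    return "trusted" if expected.lower() in found else "untrusted"

if __name__ == "__main__":
    print(render_vp(validate_vp("My dog, is called 'Rover'!")))
    for sender, body in SAMPLE_MAIL:
        print(classify_mail(sender, body, REGISTERED_VP), "<-", body)
```

The filter only helps against a sender who does not know the recipient's VP; since the phrase appears in every legitimate email, it complements rather than replaces checks on the sender itself.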


Examples: (adapted from the websites)

Example of anti-phishing software:


