Background
The sophistication of IT crime increases as technology advances. Widespread scams are rampant through the popular use of the Internet and email. Among all IT crimes, phishing and identity theft activities dominate[1]. Phishing is a high-tech scam that uses spam email or fake web pages to deceive consumers into disclosing their credit card numbers, bank account information, identity numbers, passwords, and other sensitive personal information[2]. It is the fastest growing Internet attack and everyone is at risk, as unsolicited email and fake web sites are now encountered almost on a daily basis. Phishing attackers are getting more sophisticated in adopting social engineering skills, and are reaching every corner where there are Internet users.
This article tries to summarize all resources related to phishing attacks and suggests what you can do to minimize your risks.
How Serious It Is
"By the end of December 2004, Symantec Brightmail AntiSpam antifraud filters were blocking an average of 33 million phishing attempts per week, up from an average of 9 million per week in July 2004. This represents an increase of over 366 percent."[3]
As reported by AntiPhishing.org (APWG), just within the month of October 2005, the number of unique phishing reports received was 15820 and the number of brands hijacked by phishing campaigns was 96[4]. Gartner has estimated that phishing cost banks and credit card companies $1.2 billion in direct losses in 2004, and that nearly 1 million users have suffered identity theft from these activities[5]. Phishing activity is highest in the US (around 28%) and China (around 32%), as reported by APWG based on information collected by WS Labs in December[6].
Phishing is attractive to scammers because of the high financial gain[7], the ease of deployment, the ease of reaching the masses, and the relatively low risk.
Know the Way Phishers Launch an Attack
There are millions of unprotected PCs or poorly managed servers that phishers can take advantage of. Once a machine is seized, scammers can implant malicious code, start spam tools to broadcast spam, and start web utilities to serve fake pages. It is too easy to fake a web site by copying all the graphics and code from a genuine site. These web sites deceive visitors into handing over their personal information.
More sophisticated scammers will implant malicious programs such as key-loggers or similar Trojan programs on the victims' PCs to collect stored information and log their activities. Others will use instant messaging to lure users, exploit software vulnerabilities on users' computers, or cache-poison a weakly protected DNS server so that the network connection originally between the two parties now routes through the attacker's computer, and thus all data sent or received over that connection becomes equally accessible to the attacker. Scammers are even refining their attack methodologies with bot nets, where a bot (short for robot) is a compromised computer with automated software installed by the hacker. Many bots can logically form a bot network (bot net) by connecting to a single computer which serves as a controller. Via the controller, they can simultaneously launch one or more attacks, using the automated software already installed, against one or more networks on the Internet.
Phishing does not rely on technology alone. In most cases, social engineering techniques are used instead. To list a few of them: messages that seem to be legitimate or use Internet addresses that closely resemble legitimate ones; messages that look urgent, important and highly confidential; messages that claim to verify your identity or provide security updates. Sometimes they also bet their success on the victims' greed or fear[8].
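The "Internet addresses that closely resemble legitimate ones" trick above is the one that a mail filter or a careful reader can actually test for. The following is an added example (not code from the article or from any product it cites) of three cheap checks a defender can run over the links in a message: a registrable domain that is a one- or two-character near-miss of a known brand, a brand name buried as a label of some unrelated domain, and anchor text that displays one domain while the href points to another. The brand list, the sample email and the helper names are all constructed for this example, and registrable_domain() is a deliberate simplification that takes the last two labels rather than consulting a public-suffix list.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed list of legitimate brand domains this checker knows about.
# Assumption: a real deployment loads the organisation's own allow-list here.
KNOWN_BRANDS = {"paypal.com", "examplebank.com"}

# Matches <a ... href="..."> ... </a>; constructed for the sample below,
# a production filter would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to spot near-miss domains such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> Optional[str]:
    """Return a reason if the host looks like a brand impersonation, else None."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return None  # the brand itself, or a genuine subdomain of it
    labels = host.split(".")
    for brand in KNOWN_BRANDS:
        brand_name = brand.split(".")[0]
        # Check 1: brand name used as (part of) a label of an unrelated domain,
        # e.g. paypal.com.verify-account.example or secure-paypal-login.example
        if any(brand_name in label for label in labels):
            return f"brand name '{brand_name}' appears inside unrelated domain {reg}"
        # Check 2: registrable domain is a one- or two-character near-miss of the brand
        if levenshtein(reg, brand) <= 2:
            return f"{reg} is a near-miss of {brand}"
    return None


def scan_email(html: str) -> List[Tuple[str, str]]:
    """Return (href, reason) pairs for every suspicious link in an HTML message."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        reason = classify_host(href_host)
        if reason:
            findings.append((href, reason))
        # Check 3: the visible text shows a URL whose domain differs from the real target
        shown = URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append((href, f"link text shows {shown_host} but points to {href_host}"))
    return findings


# Constructed sample message exercising all three checks; not a real phishing mail.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you verify it now.</p>
<a href="http://www.paypal.com.verify-account.example/login">https://www.paypal.com/</a>
<a href="http://paypa1.com/secure">Click here</a>
<a href="https://www.examplebank.com/help">help centre</a>
"""

if __name__ == "__main__":
    for href, reason in scan_email(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Run against the sample, the first anchor is reported twice (brand label inside an unrelated domain, and display text disagreeing with the target), the second once as a near-miss, and the genuine examplebank.com link not at all. All three checks are heuristics: the edit-distance test will also fire on unrelated short domains that happen to be close to a brand, so a filter should treat these as signals to weight, not as a verdict on their own.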
We will not go into the details of all these techniques. Interested readers can consult the two very good articles available at NGSSoftware, titled "The Phishing Guide" and "The Pharming Guide"[9].
To Protect Oneself
News on identity theft and phishing attempts appears not only in technical reports but also in many newspapers, broadcasts, government announcements, and warnings from commercial firms and banks. Despite all these efforts and increased awareness, the number of incidents still increases dramatically. Through social engineering techniques, phishing still catches people by surprise. Some are even unaware that they were the victims of a phishing activity. Reasons for falling into a phishing trap are numerous; people tend to give up security protection for convenience.
If you do care to lower the risks, here are some tips: