Network Computing
Issue 46 - December 2005
Background

The sophistication of IT crime increases as technology advances. Scams have become widespread and rampant through the popular use of the Internet and email. Among all IT crimes, phishing and identity theft activities dominate[1]. Phishing is a high-tech scam that uses spam email or fake web pages to deceive consumers into disclosing their credit card numbers, bank account information, identity numbers, passwords, and other sensitive personal information[2]. It is the fastest growing Internet attack, and everyone is at risk, as unsolicited email and fake web sites are now encountered almost on a daily basis. Phishing attackers are becoming more sophisticated in adopting social engineering skills and are reaching every corner where there are Internet users. This article summarizes the resources related to phishing attacks and suggests what you can do to minimize your risks.
How Serious It Is

"By the end of December 2004, Symantec Brightmail AntiSpam antifraud filters were blocking an average of 33 million phishing attempts per week, up from an average of 9 million per week in July 2004. This represents an increase of over 366 percent."[3]

Phishing is attractive to scammers because of the high financial gain[7], the ease of deployment, the ease of reaching the masses, and the relatively low risk.

Know the Way Phishers Launch an Attack

There are millions of unprotected PCs and poorly managed servers that phishers can take advantage of. Once a machine is seized, scammers can implant malicious code, start spam tools to broadcast spam, and start web utilities to serve fake pages. It is all too easy to fake a web site by copying all the graphics and code from a genuine site; such sites deceive visitors into handing over their personal information. More sophisticated scammers implant malicious programs such as key-loggers or similar Trojan programs on victims' PCs to collect the information stored there and log their activities. Others use instant messaging to lure users, exploit software vulnerabilities on users' computers, or cache-poison a weakly protected DNS server so that a network connection originally between two parties now routes through the attacker's computer, making all data sent or received over that connection equally accessible to the attacker. Scammers are even refining their attack methods with bot nets, where a bot (short for robot) is a compromised computer with automated software installed by the hacker. Many bots can logically form a bot network (bot net) by connecting to a single computer that serves as a controller. Via the controller, they can simultaneously launch one or more attacks, using the automated software already installed, against one or more networks on the Internet. Phishing does not rely on technology alone; in most cases, social engineering techniques are used instead.
To list a few of them: messages that seem to be legitimate or use Internet addresses that closely resemble legitimate ones; messages that look urgent, important and highly confidential; messages that claim to verify your identity or provide security updates. Sometimes they also bet their success on the victims' greed or fear[8]. We will not go into the details of all these techniques; interested readers can consult the two very good articles available from NGSSoftware, "The Phishing Guide" and "The Pharming Guide"[9].

To Protect Oneself

News on identity theft and phishing attempts appears not only in technical reports but also in many newspapers, broadcasts, government announcements, and warnings from commercial firms and banks. Despite all these efforts and the increased awareness, the number of incidents still increases dramatically. Through social engineering techniques, phishing still catches people unexpectedly; some are even unaware that they were the victims of a phishing attempt. Reasons for falling into a phishing trap are numerous; people tend to give up security protection for convenience. If you do care to lower the risks, here are some of the tips:
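The lookalike-address, urgency and "verify your identity" lures listed above can be checked for mechanically before a message is trusted. The following Python script is an added example written for this page, not code from the article or from NGSSoftware. It assumes a small, constructed allow-list of legitimate domains (KNOWN_DOMAINS), a constructed list of lure phrases (URGENCY_WORDS), and two constructed sample messages. It flags links whose host is a raw IP address, whose domain embeds a known brand name under an unrelated domain, whose domain is a near-miss (edit distance of at most 2) of a legitimate one, or whose visible text names a different domain than the link actually points to, and it counts urgency phrases in the body.

```python
"""Heuristic phishing-message scanner (added illustration; assumptions are labelled)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a reader's own allow-list of domains they legitimately receive mail from.
KNOWN_DOMAINS = {"example-bank.com", "example-shop.com"}
# Assumption: lure phrases typical of the social-engineering messages described above.
URGENCY_WORDS = ("urgent", "verify your account", "suspended", "immediately",
                 "confidential", "security update")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; no public-suffix list, enough for this example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(href, known=KNOWN_DOMAINS):
    """Return the reasons a link target looks like a phishing lure (empty list = none found)."""
    reasons = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = (parsed.hostname or "").lower()
    if not host:
        return reasons
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain name")
        return reasons
    domain = registrable_domain(host)
    if domain in known:
        return reasons
    for k in known:
        brand = k.split(".")[0]
        if brand in host:  # e.g. example-bank.com.evil.test: brand as a subdomain of another site
            reasons.append(f"brand name '{brand}' used inside unrelated domain {domain}")
            break
        if edit_distance(domain, k) <= 2:  # one or two characters off a real domain
            reasons.append(f"domain {domain} is a near-miss of {k}")
            break
    return reasons


def scan_message(html_body, known=KNOWN_DOMAINS):
    """Scan an HTML message body; return (finding count, list of findings)."""
    findings = []
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        for r in assess_url(href, known):
            findings.append(f"link {href}: {r}")
        # Visible link text that names one domain while the href points at another.
        m = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if m:
            shown = registrable_domain(m.group(0))
            actual = registrable_domain((urlparse(href).hostname or "").lower())
            if shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for w in URGENCY_WORDS:
        if w in plain:
            findings.append(f"urgency/lure phrase: '{w}'")
    return len(findings), findings


# Constructed sample messages (not real mail): one lure, one ordinary notice.
SAMPLE_PHISH = """<html><body>
<p>Dear customer, your account has been suspended. Please verify your account
immediately at <a href="http://example-bank.com.login-check.net/verify">www.example-bank.com</a>.</p>
</body></html>"""

SAMPLE_LEGIT = """<html><body>
<p>Your monthly statement is ready. Sign in at
<a href="https://www.example-bank.com/statements">our website</a> to view it.</p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, details = scan_message(body)
        print(f"{name}: {score} finding(s)")
        for d in details:
            print("  -", d)
```

A score above zero is a reason to open the site by typing its address yourself rather than clicking, which is the behaviour the article recommends; the heuristics are deliberately simple and will miss lures that use none of these tricks.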
Tips described above merely serve as guidelines and are not bulletproof against phishing activities. As an Internet user, you should adopt a healthy skepticism and a seriously prudent approach. If you suspect that you have become a victim, make every effort to report your case while minimizing your loss. Notify your e-Commerce company or bank immediately if you are aware of any suspicious transaction, and report an identified case to the police.

Reference

[1] McAfee AVERT Reports on the Top Threats and Potentially Unwanted Programs for Q1 2005

Other Resources