Friday, January 26, 2007

The Raw Truth About "Phishing": Spotting The Phishing Hook!

Phishing? What on earth is that! Was that a misspelling?
Well, actually, no. Phishing is one of the latest internet
phenomena, in which some criminal out there in cyberspace
creates a "photocopy" website of a genuine one and lures
his victim into volunteering sensitive personal info,
convinced he is actually on the legitimate website.

Let's look at a classic example. I repeatedly see emails
popping up in my bulk folder claiming that Paypal has
identified an attempted fraud on my account. It then goes
on to say that it is critical that I log into my account via
the link provided and change my personal details, making
sure to stress the urgency of the change to avert further
compromise.

Now here's the catch. After you unsuspectingly enter
your password and other sensitive data, the phishing
website then captures your password and all your
personal particulars and what do you know: you just
got hooked! You are suddenly no longer the only
"authorized" person who has access to your account.

There is also the "telephone phisher" who calls and
claims to be a customer service agent of Visacard
or Mastercard. He will claim that there has been some
fraudulent activity on your credit card, already having,
in this scenario, your card number, but trying to phish
your CVC (card verification code, the last three digits
on the reverse of your card).

According to a case study released last November by
Gartner Inc., of the 5000 adults who took their online
survey in August, the average loss per phishing victim
nearly quintupled from $257 in 2005 to $1,244 in 2006.

Pretty frightening, eh?

To compound this problem, only 54% of victims were able to
recover their losses in 2006 compared to 80% in 2005, due
largely to a change in tactics by the scammers. While financial
institutions remain prime targets, less traditional lures
such as fictitious sweepstakes contests are also being used.

Ebay and Paypal Are Primary Phishing Tanks

According to The Register, a number of Bank of Ireland
customers lost €113,000 through a fraudulent email
scam. One customer is believed to have lost €49,000 after
responding to a fake email, while other clients lost between
€5,000 and €16,900. The bank has even agreed to compensate
some of its customers who together lost some €160,000,
according to the Irish Independent.

Gartner Inc. says that Ebay and Paypal are the top phishing
targets, a finding corroborated by Phishtank, a community-
based anti-phishing network. Phishtank goes on to say that
some 1,493 distinct scam sites impersonated PayPal last
October alone, with another 1,210 phishing sites targeting
eBay.

Because of my online experience, I have a keen sense of
scamming tactics and was able to avert an attempted attack
on my identity. Using a Paypal website "image", the phisher
tried to get me to log in under the guise that my Paypal account
had been compromised. I forwarded the email to Paypal and they
confirmed my suspicions.

PayPal will never send you an email with the greeting "Dear
PayPal User" or "Dear PayPal Member". Emails initiated by
PayPal will address you by your first and last name, or the
business name associated with your PayPal account.

For security purposes, PayPal will never ask you to re-enter
your full bank account, credit, or debit card number without
providing you with at least the last two digits of the number.

Look Out! A 'Next Generation' Phishing Strategy Is On The Rise

Have you heard about the DIY man-in-the-middle phishing kits?
Well, if not, hold on to your chair, because this one is out
there and it is bad. If you are a seasoned webmaster, pay close
attention to this breaking news.

Security experts at RSA Security reveal that the so-called
"universal phishing kit" allows fraudsters to configure attacks
for any target web site without the need for customisation and
add that once fraudsters acquire and operate this kit, an
attack can be configured to "import" pages from any target
Web site.

The kit creates a fake URL that communicates with
both the end user and a legitimate company web site.
Spam e-mail is used to trick customers into entering
account data at the bogus site, which phishes account
details and multi-factor authentication information.

This data is then automatically forwarded to the legitimate
site to access accounts. Because the kit sits between the victim
and the real site, any data submitted after the victim has
logged into their account can also be stolen.

I know the above info can be a bit scary, but don't throw
your hands in the air and destroy your credit card. I have
a few things to share with you on how you can help to
hook the phisher.

Firstly, once you "smell" a phishing bait, don't hide it, report it.
Go to CastleCops at http://www.castlecops.com/pirt and
paste in the full email source of the phish. CastleCops and Sunbelt
Software have teamed up to launch a global phishing
termination operation through a volunteer PIRT (Phishing
Incident Reporting and Termination) squad, funded by CastleCops.

Your report is then fed to more than 50 organisations across
the web, including Fraud Watch Int'l, the Internet Crime
Complaint Center (IC3), the Korea Internet Security Center, etc.

Observe the following do’s and don’ts:

>Do not click on the link in an email that asks for
your personal information.

>Do look for "https" and a padlock on a site
that requests personal information.

>Do pay attention to your statements.

>Don’t download attachments, software updates
or any application to your computer via a link
you received in an email.

>Do report any suspected phishing activity to
CastleCops at http://www.castlecops.com/pirt

That’s my 2 cents for today. I hope I have helped
to make you more aware of those phishing baits around
you while you swim in the cyber ocean.

Swim carefully!

Michael