Phishing and Pharming

Whether you’re a casual web surfer or immersed in a cyber lifestyle, all internet users are under assault by phishing emails, pharming sites, and crimeware. Financial services are by far the most targeted industry. Indeed, cyber prowlers frequently build fraudulent websites that closely mimic legitimate banking sites, tricking users into handing over their online account names, passwords, National Insurance numbers, and other personal information.

What do you mean by phishing?

Phishing (fĭsh’ĭng) n. A method of fraudulently obtaining personal information by sending spoofed emails that look like they come from trusted sources.

Phishing is an identity-theft scheme in which fraudulent emails solicit confidential information by impersonating banks and other institutions. Phishing scams are on the rise.
Typically, they purport to be about security updates or fraud prevention issues, and ask you to update or verify your personal details. This can take the form of an email sent to you, apparently from a genuine organisation such as your bank or credit card company. These emails will contain familiar logos and be written very convincingly. A link – that looks similar, say, to the real website link for your bank – will take you to a website that has been specially built to imitate the real thing. There, you will be asked to enter your account details, password and other personal information. The fraudster can then use these to access your accounts. You should avoid clicking on links within these emails, as doing so may result in further spam (you will have confirmed to the sender that your email address is read by a real person).

Phishing tricks and trends

When they set up a fake website, phishers attract users through spam or targeted emails, hoping to get lucky and find real customers of the hijacked bank, e-retailer, or credit card company. The emails can be extremely convincing, such as a message from eBay saying that your credit card has been declined, or from a bank saying that they have detected unauthorised activity on your account. The messages frequently feature logos, colouring schemes, and company mottos that seem legitimate.

By all accounts, phishing attacks are on a steep rise. Tens of thousands of unique phishing cases surface each year, and these numbers are growing exponentially. New phishing sites are also seeing a similar growth trend, as well as password-stealing malicious-code URLs. The United States hosts the most phishing sites, followed by China and the Republic of Korea.

So what’s the difference from pharming?

Pharming (färm’ing) n. A method of redirecting internet traffic to a fake website through domain spoofing.

‘Pharmers’ don’t send you emails. Instead, when you try to access a genuine website, they automatically redirect you to their imitation of it. Pharming uses DNS (Domain Name System) hijacking to misdirect users to a fake site by altering the DNS records for the target website. Alternatively, the pharmer routes users to the authentic website through a phisher-controlled proxy that monitors and intercepts their keystrokes. The spoofed sites collect credit card numbers, account names, passwords, and National Insurance numbers. They may do this by displaying a pop-up to steal the information before sending the user on to the real site. They may use a self-signed certificate to fake authentication, so that the user trusts the spoofed site enough to enter personal data. Or they may paint over the browser’s address and status bars to trick the user into thinking they’re on the legitimate site, so that they enter their information.

To avoid such scams, be vigilant about what you’re accessing and only provide your details if you’re sure. Most bona fide organisations won’t ask you for your whole password, only random characters from it. As an extra precaution, you should always type web addresses directly into the browser bar. Or if you’re sure of the site you are at, create a bookmark so you can return in confidence.

So how do I protect myself?

  • Keep your operating system patched to stop known software vulnerabilities from being exploited. Install patches from software manufacturers as soon as they’re distributed, since hackers can quickly assemble malware from pre-made components to exploit a weakness before the majority of people have downloaded the fix. A fully patched computer behind a firewall is the best defence against Trojan and spyware installation.

  • Download the latest version of your browser to ensure that it’s fully updated and utilises the latest technologies. Internet Explorer 7 and other browsers include an anti-phishing toolbar to add another layer of protection. They use whitelists and blacklists of known sites, URL checks, and advanced heuristics to identify and filter out phishing sites.
     
  • The origin of an email, the location of a page, and the use of SSL encryption can all be spoofed. Browser lock icons can also be spoofed. You should ensure SSL is being used (look for “https:” in the URL) and check the domain name of the site as an indicator of whether the site is legitimate. Watch out for similar sounding domains that a phisher can register for a fake website, such as cred1tusa.com for creditusa.com. Because of hacker tricks, though, you can’t rely on these checks as an absolute indicator that the communication or site is safe.
     
  • Protect your computer with strong security software and keep it up to date. Hackers have databases containing millions of email addresses. They target vulnerabilities in email applications and web browsers, and design weaknesses in the software of the websites they impersonate. Phishing can be defended against, though, because it combines existing techniques: spam and software exploitation. The McAfee® Internet Security Suite guarantees trusted PC protection from viruses, hackers, and spyware. Its cutting-edge features include X-Ray for Windows®, which detects and kills rootkits and other malicious applications that hide from Windows and other anti-virus programmes. Its integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and back-up technologies work together to combat today’s sophisticated, multi-pronged attacks.

  • Never click on links in an unsolicited email, and ignore call-to-action emails such as “Your account will be terminated”. Call the company on the phone instead, using a phone number that you verify outside of the email.
     
  • Check the validity of individual web addresses (URLs) with a WHOIS search such as www.geektools.com, which has a search tool that displays the contact information for a domain/IP based in almost any country.
     
  • Be an early adopter of new technologies. New validation techniques are being used by banks and credit card companies to make online transactions more secure, so make sure to take advantage of them. The computer industry is also working on authentication technologies such as Sender ID, Domain Name, and S/MIME, which will greatly reduce the effectiveness of phishing attacks.
     
  • Give an incorrect password on the first try. A phishing site will often accept an incorrect password, while a legitimate site won’t. Be pre-emptive. But before you even open your email box and attempt to outwit the phishing experts, always update your virus protection.
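As an added illustration of the domain checks in the list above (this is example code, not from the original article or any product it names), the following Python function flags the tricks the bullets describe: a missing https, a look-alike such as cred1tusa.com for creditusa.com, the bank’s name used as a subdomain of an unrelated domain, and a bare IP address or user-info trick in the URL. The trusted-domain list and the confusable-character table are constructed assumptions.

```python
"""Inspect a URL for the look-alike tricks described above.

Added example, not code from the original article. TRUSTED and the
confusable-character table are constructed assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the domains this user genuinely banks or shops with.
TRUSTED = {"creditusa.com", "ebay.com"}

# Characters phishers swap for visually similar ones (the article's
# cred1tusa.com uses a digit 1 for the letter i).
_CONFUSABLES = str.maketrans({"1": "i", "l": "i", "|": "i", "0": "o",
                              "3": "e", "5": "s", "7": "t"})

def skeleton(name: str) -> str:
    """Collapse confusable characters so look-alike names compare equal."""
    return name.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")

def registered_domain(host: str) -> str:
    """Last two labels of the host (assumption: suffixes like .co.uk are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_url(url: str) -> dict:
    """Return a verdict ('trusted', 'suspicious', 'unknown') and the findings behind it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")          # the article's first check, never proof on its own
    if parts.username is not None:
        findings.append("userinfo-in-url")   # https://creditusa.com@evil.example shows the bank first
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")   # banks do not serve login pages from bare IPs
    except ValueError:
        pass
    if reg in TRUSTED:
        verdict = "trusted" if not findings else "suspicious"
    else:
        for t in TRUSTED:
            if "." + t + "." in "." + host + ".":
                findings.append("trusted-name-as-subdomain:" + t)
            elif skeleton(reg) == skeleton(t):
                findings.append("homoglyph-lookalike:" + t)
            elif t.split(".")[0] in reg.split(".")[0]:
                findings.append("brand-embedded:" + t)
        verdict = "suspicious" if findings else "unknown"
    return {"host": host, "domain": reg, "verdict": verdict, "findings": findings}
```

A verdict of "unknown" only means none of these heuristics fired; the article’s advice to type the address yourself or use a bookmark still applies.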

Anything else I should do?

It’s key to remember that banks and reputable financial institutions will never email asking you to provide account numbers, passwords and the like. If you do receive an email and are unsure, contact the organisation concerned and ask them. They’ll be able to tell you if it’s genuine. In such cases, remember not to use the telephone number provided in any emails you’ve received – always look the number up yourself. In the same way, if you’re asked to visit your bank’s website, open your browser and type in the normal link to your bank.

However genuine these bogus emails and websites look, there are tell-tale signs you can pick out if you’re careful:

  • Major professional organisations are very careful to produce polished customer communications. Spelling mistakes, poor grammar, or simply amateurish graphics or layouts may all indicate a fake email or website.
     
  • If you do click on a link, look in the bottom right-hand corner of the browser for the yellow padlock symbol. Clicking on it should show a security certificate whose name matches the website you’re on. If it doesn’t, the site is probably bogus; even if it does, you still need to be careful.

What’s being done about phishing?

Legislation can provide a supporting role, but technological solutions are still the best way to fight phishing. This requires several simple tasks, such as downloading the latest version of your browser, patching your operating system, and always running up-to-date security software.

New anti-phishing legislation is in the works worldwide. Legislators are tailoring laws to cyberspace; for example, by allowing prosecutors to pursue phishers without the normal burden of proof of showing specific damages to a victim. This is important since most phishers disappear in the time it takes to collect this evidence. Enforcing cyber legislation has hurdles, though. First, it’s difficult to find the criminal, since most can fake their whereabouts. Next, it’s challenging to obtain jurisdiction to investigate and prosecute hackers – especially in other countries. Finally, it’s difficult to enforce a guilty judgment, since the defendant can easily disappear or transfer their assets offshore.