Protection against Phishing

by: Zarex dela Cruz, CISSP, CISA on Friday, December 5, 2008 12:46 PM


PHISHING is a social engineering technique: it tricks someone into believing a message is something other than what it really is, with the sole purpose of obtaining personal information, credit card details and credentials.

The word phishing has been around since 1996. It was originally coined by hackers who started stealing AOL passwords by posing as staff members and sending email messages asking victims for their account information, supposedly to verify their billing details and other information about their AOL accounts. The attackers lured, or fished for, the victims. This is where the word phishing began.

Although this social engineering technique had been around since the ’90s, it did not reach its peak popularity until mid-2003. Phishing attackers, also called phishers, create very convincing emails requesting that victims click on links to update their account information. These emails and the website they redirect to look very similar to the real ones, convincing enough that a typical user would not spot the differences.

One of the tricks these phishers use is to ask you to click on a link inside the email whose address is almost the same as the actual website. For example, if you have an account with Bank of Alaska and their website is bankofalaska.com, they would create a site with a name like backofalaska.com. Or they would place an @ symbol in the address, as in bankofalaska.com@oursite.com. In a URL, everything between the http:// prefix and the @ sign is treated as the username, so the actual website here is oursite.com, which is the bad site. If the site does not require a username, that part is simply ignored.
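To make the two URL tricks above concrete, here is an added Python example (not code from the original article) that reports which host a browser would actually connect to and flags lookalike domains. The domain names bankofalaska.com and oursite.com are the article's hypothetical ones, the sample URLs are constructed, and the lookalike threshold is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical "known good" bank domain, reused from the article's example.
KNOWN_GOOD = "bankofalaska.com"

# Constructed sample links, one per trick described in the text.
SAMPLE_URLS = [
    "http://bankofalaska.com/login",                 # the real site
    "http://backofalaska.com/login",                 # one-letter lookalike
    "http://bankofalaska.com@oursite.com/login",     # "@" userinfo trick
    "http://bankofalaska.com.oursite.com/login",     # real name as a subdomain
]


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit() treats everything before '@' in the authority as userinfo,
    so 'bankofalaska.com@oursite.com' yields the hostname 'oursite.com'.
    """
    return (urlsplit(url).hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, known_good: str = KNOWN_GOOD) -> str:
    """Explain how a link relates to the domain the user expects to reach."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:
        # Anything before '@' is a username, not the destination.
        return f"userinfo trick: browser connects to {host}"
    if host == known_good or host.endswith("." + known_good):
        return "legitimate"
    if known_good in host:
        # The trusted name appears, but only as a label inside another domain.
        return f"embedded lookalike: browser connects to {host}"
    if edit_distance(host, known_good) <= 2:   # threshold is an assumption
        return f"lookalike domain: {host} resembles {known_good}"
    return f"unrelated host: {host}"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} -> {classify(u)}")
```

The check relies on the URL parser's own authority-splitting rules rather than on string matching, which is why the @ trick is caught even though the trusted name appears first in the address.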

Nowadays, phishers have developed many newer techniques to lure potential victims into their trap. Some have found ways to use JavaScript to hide the actual URL, or web address, and display something else. So if someone checks the web address and it shows bankofalaska.com, it shows just that, while the script is actually hiding the real phishing site. Newer browsers should be able to detect these tricks and warn you.

Other attacks come in the form of pop-ups and the abuse of cookies. Phishers who have written code to detect that you are browsing, say, your bank account can automatically trigger a pop-up window that appears to come from your real bank, when in fact it was generated by the pop-up script. That pop-up dialog would then ask you for your personal account information and other important details.

Phishing is still rising and remains one of the most common attacks. The Q1 2008 report from APWG (www.anti-phishing.org) shows an average of 30,000 unique phishing URLs reported in that quarter.

One of the countermeasures that we really need to start applying ourselves is “self-awareness”. There are small things we can do to protect ourselves from phishing: not clicking on, or even opening, emails from an unknown sender. Even if someone you know emails you a link, it is better to copy the URL and access it manually, because a link in an email may direct you somewhere else. And as always, DO NOT believe emails asking you to update your account information or asking for a password, or telling you that they will send you money to transfer from an African bank. These are all scams. It is a rule of thumb not to give out your password or critical account information via email, or to anyone who asks you for it.
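The advice to copy the address rather than click the link rests on the fact that an email link can display one address while pointing to another. As an added example (not from the original article), this Python snippet parses a constructed HTML email body and flags anchors whose visible text names a different host than the one in the href; the domains reuse the article's hypothetical bankofalaska.com and oursite.com.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML e-mail body (not from the original article). The first link
# shows the bank's address as its text but points somewhere else entirely.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://oursite.com/verify">http://bankofalaska.com/verify</a>.</p>
<p>Questions? Visit our <a href="http://bankofalaska.com/help">Help center</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Host the browser would connect to; empty string if none can be parsed."""
    return (urlsplit(url).hostname or "").lower()


def looks_like_address(text: str) -> bool:
    """Heuristic: visible text such as 'bankofalaska.com/login' or a full URL."""
    return "." in text and " " not in text


def find_mismatched_links(html: str) -> list:
    """Return links whose displayed address points to a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if not looks_like_address(text):
            continue   # plain words like "Help center" make no claim about a host
        shown = text if "://" in text else "http://" + text
        if host_of(shown) and host_of(shown) != host_of(href):
            suspicious.append({"shown": text, "actual": href})
    return suspicious


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {hit['shown']!r} but link goes to {hit['actual']!r}")
```

Mail gateways apply the same idea at scale; for an individual user, hovering over a link to read the real destination before copying it performs the same comparison by hand.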

Next time, I will extend the discussion of phishing to a wider scope, such as attackers redirecting you to what appears to be legitimate traffic, yet is fake, using a technique such as DNS poisoning. This is also called PHARMING.

1 Response to Protection against Phishing

  1. Anand says:

    July 5th, 2009 at 9:50 AM

    It is true. Did you know? “It comes from the analogy that Internet scammers are using e-mail lures to fish for passwords and financial data from the sea of Internet users.” Since hackers have a tendency to replace “f” with “ph”, the term phishing was derived.

    Phishing is one of the fastest growing problems on the internet, creating billions of dollars of damage each year. Any internet user with an instant message ID or email address can be at risk of being phished. Those users who blindly trust “emails from unknown sources” or “unknown links received in IMs” can become easy prey to these fraudulent attempts. The motives behind such attempts are to make easy money, access sensitive information, spread marketing widely, cause damage etc.