Friday, January 5, 2007

Protect yourselves from phishing

Phishing? Haven't heard that...

Phishing is very similar to fishing. In fishing, we put out a bait and wait for the fish to bite. In phishing, a fraudster posing as a genuine bank employee or web admin sends you an email (the bait) asking for confidential and personal data that could potentially harm you (it's not nice to see your savings balance drop to ZERO, right?)
Fraudsters are getting smarter and equipping themselves with techniques that can almost fool you. So now it's our turn to get smart and fight back.

Common methods of phishing

Most phishing scams start from fake e-mails sent from compromised mail servers across the world, or from networks of zombie computers called botnets. Phishing mails ask for confidential data like PIN numbers, bank account IDs and passwords, or anything personal. There will be links in the mail that redirect to some compromised server hosting a page that looks very similar to the legitimate site.
Another common scam is someone asking for your bank account details to help them transfer money, promising you a fair share of it.
Or you have won a big sum of money in some lottery in some unknown place, and you have to provide your bank account details to receive the money.

If you fall for these scams, most probably you will lose everything you have.

How to get smart?

Phishing is mostly successful because of ignorance on the part of customers and the lure of making easy money. So it's time to get smart!
Phishing mails are mass mailed, so...
+ They would not contain your name.
+ They would not contain any personal info about you that you provided to the legitimate organization.
+ They would not have a valid source. If your email client can display full headers, go through the headers if you suspect a phishing scam.
+ They may contain grammatical as well as spelling mistakes.

Now, even if it contains your name and is free from mistakes, you still cannot rule out a phishing scenario.

Take a part of the phishing message and do a Web search on it using popular search engines like Google or Yahoo. From the search results you can identify whether it is a scam or genuine.
In most cases, no bank will ever ask you to enter your PIN or similar sensitive data through mail.
You can also mail the legitimate organization to confirm whether the email is genuine.

Still think it's legitimate?

There will be a link in the email where you are supposed to enter the confidential data. Before clicking, take a good look at the URL. Most browsers show the target URL on the status bar (bottom of the page). Is it the URL you expected?
Copy the link address, paste it into a new text file and examine it from head to tail. Do a Google search for the site; if anything related to phishing comes up...
One old phishing technique was to mask the target server using the username:password syntax of URLs:

http://username:password@www.site.com

So the fraudster would mask his URL as
http://www.urbanksite.com/somevrylongtext/todistractyou@www.evilsite.com

This technique is now deprecated, since most browsers warn you about it.
Recent browsers like Firefox 2, Opera 9 and IE 7 also warn you when you are about to visit a known phishing site. So upgrade your browser today.

A newer technique that may not yet be widely known is the use of a mirroring character to reverse the displayed link, so that it appears legitimate.
But even with this technique, the original link appears in the status bar, and copying the link location and pasting it shows you the real target URL.
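As an added example (not part of the original post), the following Python script does the checks described above mechanically: it parses a link the way a browser does, reports the host the browser will actually connect to, flags a username:password part placed in front of the real host, and flags characters that reverse the displayed text. The sample links are constructed, and treating the "mirroring character" as one of the Unicode directional-override characters is an assumption of this example.

```python
from urllib.parse import urlsplit

# Unicode directional-override characters. Assumption for this example: the
# "mirroring character" the post refers to is one of these, which make a
# displayed link read backwards without changing where it points.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def strip_bidi(text):
    """Remove directional-override characters so the link reads as it really is."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def inspect_link(url):
    """Report where a link really leads and which disguises it uses.

    Returns a dict with the real host (what the browser connects to), any
    decoy text placed before '@', and a list of findings.
    """
    findings = []
    if any(ch in BIDI_CONTROLS for ch in url):
        findings.append("bidi-override")      # displayed text may be reversed
    parts = urlsplit(strip_bidi(url))
    if "@" in parts.netloc:
        findings.append("userinfo")           # text before '@' is not the host
    if parts.scheme not in ("http", "https"):
        findings.append("scheme:" + parts.scheme)
    return {
        "real_host": parts.hostname or "",
        "decoy_text": parts.username or "",   # e.g. a bank's name used as "username"
        "findings": findings,
    }


def explain(url):
    """One-line verdict for a person checking a link before clicking."""
    info = inspect_link(url)
    if info["findings"]:
        return "SUSPICIOUS %r -> really goes to %s (%s)" % (
            url, info["real_host"], ", ".join(info["findings"]))
    return "ok -> %s" % info["real_host"]


if __name__ == "__main__":
    # Constructed sample links, not taken from any real phishing mail.
    samples = [
        "https://www.bank.example/login",
        "http://www.bank.example:account@www.evil.example/verify",
        "http://www.evil.example/\u202eelpmaxe.knab.www",
    ]
    for link in samples:
        print(explain(link))
```

The point of `real_host` is that it is taken from the part of the URL a browser uses to open the connection; whatever sits before `@`, or whatever the reversed text looks like on screen, has no say in where the request goes.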

For webmasters and server administrators

Most spam and phishing scams originate from sites compromised due to poor design.
One experience I had was with a feedback form on a site which mailed the feedback to me. Some spammer creatively modified the feedback text so that the mail was sent to many! Now that's a security risk!
So we must be careful when designing such systems. What I did was to replace the @ symbols in the feedback form with "(at)". That has stopped the spam from getting through to others.
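As an added example, and not the code of the site described above, here is one way to build such a feedback mailer in Python so that a submission cannot change who the mail goes to: the recipient is fixed in code, every field that reaches a mail header is rejected if it contains a line break (which is what lets a submitter append an extra header such as `Bcc:`), and the free-text body, where an `@` is harmless, is left alone. The addresses and the sample submissions are constructed.

```python
import re
from email.message import EmailMessage

# Where feedback goes. Fixed in code, never taken from the form (constructed address).
FEEDBACK_RECIPIENT = "webmaster@example.com"

# Anything that could end a header line and start a new one (e.g. an extra Bcc:).
HEADER_BREAK = re.compile(r"[\r\n\x00]")
SIMPLE_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class HeaderInjection(ValueError):
    """Raised when a form field tries to smuggle a line break into a mail header."""


def check_header_value(field, value, max_len=200):
    """Reject values that could not have come from a normal single-line form field."""
    if HEADER_BREAK.search(value):
        raise HeaderInjection("line break in %s field" % field)
    if len(value) > max_len:
        raise ValueError("%s field too long" % field)
    return value.strip()


def build_feedback_message(sender_name, sender_email, subject, body):
    """Build the feedback mail; user input only reaches headers after checking."""
    sender_name = check_header_value("name", sender_name)
    sender_email = check_header_value("email", sender_email)
    subject = check_header_value("subject", subject)
    if not SIMPLE_EMAIL.fullmatch(sender_email):
        raise ValueError("email field is not a single address")

    msg = EmailMessage()
    msg["To"] = FEEDBACK_RECIPIENT          # recipient is fixed, so it cannot be redirected
    msg["From"] = FEEDBACK_RECIPIENT        # our own address; the visitor goes in Reply-To
    msg["Reply-To"] = sender_email
    msg["Subject"] = "[Feedback] " + subject
    # The body may contain anything, including line breaks and '@': it is not a header.
    msg.set_content("Feedback from %s <%s>\n\n%s" % (sender_name, sender_email, body))
    return msg


def submission_is_safe(sender_name, sender_email, subject, body):
    """True if the form input builds a message, False if it is rejected."""
    try:
        build_feedback_message(sender_name, sender_email, subject, body)
        return True
    except ValueError:          # HeaderInjection is a ValueError too
        return False


if __name__ == "__main__":
    # Constructed submissions: one honest, one with an injected header line.
    honest = ("Alice", "alice@example.org", "Nice site", "Keep it up!\nAlice")
    crafted = ("Bob", "bob@example.org", "Hi\r\nBcc: a@example.net, b@example.net", "spam")
    print(build_feedback_message(*honest))
    print("crafted accepted:", submission_is_safe(*crafted))
```

The message is built with the standard library's `EmailMessage`, which also refuses header values containing line breaks on its own; the explicit check just gives the form a clear rejection reason. The resulting message can be handed to `smtplib` as usual.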

Another poor design is when there are XSS (Cross Site Scripting) vulnerabilities in your site. A fraudster/hacker can manipulate the site and put fake login pages on your server. So all XSS vulnerabilities must be scanned for and removed.

Related

+ Intro to XSS
+ Mirroring character
+ Protect yourselves from Phishing

Spread the word

Please spread the info to help protect yourselves and those near and dear from this peril!
Any more info to share? Leave a comment...

1 comments:

Anonymous said...

bate => bait