Showing posts with label phishing. Show all posts

Sep 13, 2007

[Security] On AV security and phishing

Just two quick security-related links:

* Computer security software should secure your computer, right? Here's one example where a Windows machine without antivirus software is more secure than one with AV installed.

* In a previous post, I pointed out McAfee's Site Advisor. For more specific anti-phishing education, here is PayPal's Fight Phishing page. Take the exam; I got 5-of-5. Post your score in the comments.

Jul 19, 2007

[Security] Forms of phishing

In the last episode, you tested whether you could spot a phish on its face. This post will discuss the forms of phishing and their combinations.

Note that this is not a comprehensive discussion.

The goal of a phisher is to get your login credentials, usually a user name and a password. To do this, a phisher can take one of two approaches: (1) fool you into giving up your user name and password, or (2) sniff your credentials without you knowing it.

The first form of phishing involves an elaborate way of fooling a person. It is usually done by sending an email asking the user to log on to the phishing site. Depending on the phisher, it can be convincing or an obvious phish. Under this scenario, a phisher spams a fake email purporting to have come from a known Web company (like eBay or PayPal). The email is a social engineering trick to get you to click on a given link. This link is masked so that on first inspection you won't realize that the URL is not what it seems. Clicking on the link will divert you to an authentic-looking Web site. When you enter your user name and password, the phisher gets your credentials.

In order for this method to work, the email must be convincing enough for the user to click on the link. Also, since the attack is via spam, this is a hit-or-miss affair: the phisher has no idea whether the recipient has an account with that Web company.
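The "masked link" trick described above (visible text naming one site while the href points somewhere else) is something a mail gateway can check for mechanically. The following is an added example, not code from the original post: it parses a constructed sample HTML email, collects every anchor, and flags links whose visible text names a different registered domain than the href, whose host is a bare IP address, or where a watched brand name appears only as a subdomain of an unrelated domain. The `WATCHED_BRANDS` list, the sample message and its placeholder domains are all assumptions, and the registered-domain helper is a deliberately naive last-two-labels rule rather than a public suffix list.

```python
# Added example (not from the original post): flag "masked" links in an HTML
# email, i.e. anchors whose visible text names one site while the href points
# somewhere else, the trick described in the post.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brands the mail gateway cares about (assumption).
WATCHED_BRANDS = ("paypal", "ebay")

# Constructed sample message, not a real phish; all domains are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://paypal.com.login-verify.example/">
log in to https://www.paypal.com/</a> to confirm your account.</p>
<p><a href="https://www.paypal.com/help">Help center</a></p>
<p><a href="http://198.51.100.7/ebay/">www.ebay.com</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace/newlines inside the anchor text.
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Naive 'registrable' domain: the last two labels (assumption).
    A real gateway would consult the public suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches something URL- or domain-like inside the visible link text.
_URLISH = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def text_host(text):
    """Return the host named in the visible text, or None if it names none."""
    m = _URLISH.search(text)
    return m.group(1).lower() if m else None


def analyze_links(html):
    """Return one finding per anchor with the reasons it looks masked, if any."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = text_host(text)
        # Visible text names a site, but the href resolves to a different one.
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"text names {shown} but href goes to {host}")
        # Legitimate consumer sites are not served from bare IP addresses.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("href host is a bare IP address")
        # Brand name used as a subdomain of some unrelated registered domain.
        for brand in WATCHED_BRANDS:
            if brand in host and brand not in registered_domain(host):
                reasons.append(f"'{brand}' is only a subdomain of {registered_domain(host)}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  ({'; '.join(f['reasons']) or 'no findings'})")
```

On the sample message the first and third links are flagged (domain mismatch plus a brand-as-subdomain host, and domain mismatch plus a bare IP, respectively) while the genuine help link passes. The checks are heuristics: they catch the masking the post describes, not every phish, so they belong alongside the user education the post recommends rather than in place of it.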

Now there is such a thing as a targeted attack. This scenario is scary because the phisher knows you have an account, and the fact that the phisher knows your email address means your online security has been compromised. Note the conjunction. The implication is grim, though this scenario is very rare.

The second form is more insidious. It invariably involves malicious software (malware) commonly known as spyware. Spyware is a program that attempts to collect information about a computer user. It can do a lot of things to gather whatever information it needs; most commonly it sniffs network packets or monitors the user's Web surfing habits.

For example, the Bancos or Banker family of spyware is notorious for information stealing. Most of them monitor whatever Web sites a user views. When a user views a bank Web site, it can either display a spoofed login page - a phish - or intercept the data that is submitted when the user logs in. You will probably never know that you have been compromised.

(Crossposted from here.)

Jul 17, 2007

[Security] How aware are you about phishing?

Are you familiar with phishing?

Phishing is one of the new frontiers of malicious activity over the Internet. While malware does damage to computers and networks, phishing is more insidious and more malicious. The goal of phishing is to gain money. Its objective is to gain a person's logon credentials for known business, e-commerce, and online bank sites. Phishing takes several forms and combinations of these forms, but the most common is spoofing a Web site login page. There's also HTML email phishing; I am sure you have encountered spam emails purporting to have come from eBay or PayPal. I receive several of those every day.

Now, how well can you spot a phishing attempt? Take this quiz from McAfee SiteAdvisor. I got seven out of ten, so that means I have to be careful a wee bit. You will be surprised by the methods for determining whether a site is a spoof or not.

Why should you take phishing seriously? Quoting from CSO:

According to Gartner, between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million.


By this time, the amount should be more than a billion US dollars. That's serious money, and some people realized that there is a market for phishing. Hence, phishing kits are now available, allowing you to set up a phishing site or spoofed Web site within seconds.

Be careful if you do online transactions, especially if they involve money.

(Crossposted from here.)

PS: Post your score in the comments. (I should have added this yesterday.)