What is Phishing? Part 2: The Lessons to Learn

In the first part of our expedition in the land of phishers, we learned the various methods that they use to deceive unwary victims. Before going on the second part of this phishing journey, let me remind you that I did not publish the first of this two-part article to cultivate the phishers inside us. I am writing this merely to inform you of the dangers such attacks might cause by showing how they work. It is actually in this second part that I will tell you how to avoid any kind of phishing attacks. Having said that, let us begin with a few statistics and cases that I gathered all over the Internet to strengthen your urge towards phishing awareness.

Giving Man a Phish

Phishing can deal a wide array of damages, ranging from inability to access your online accounts to loss of virtual financial resources and even your virtual identity, if you are the type of person who uses one or two passwords for all your accounts in the web. To further illustrate how damaging phishing can get, let me show you some cases and figures.

RSA’s Anti-Fraud Command Center or AFCC, a group dedicated on detection, monitoring, tracking, and closing phishing sites, has shut down over 60,000 phishing attacks throughout its existence. It has created reports on phishing kits, international domain attacks, and spread of malicious programs, all of which we discussed in the first article.

Last November, AFCC detected a phishing website that spoofed YouTube, the popular website that hosts user-generated videos. With a very big number of people aware of what YouTube is, phishers decided to send e-mail messages asking the user to click on a link with YouTube content in it. Once clicked, the spoof YouTube website then displays a message telling the user that the video is unable to play because of certain reasons, requiring the user to install a Flash player. The spoof site further offers a link to a supposed Flash player installation file, which in fact is a link that downloads malicious programs or malware to the user’s computer. Clever and nasty!

Going further back to October, a group of phishers used, instead, internationalized domain names or IDNs—web addresses used locally depending on the country. Through IDNs, international websites can use the native language of the country where a website is opened. And just by that, phishers can easily hide their phishing URL’s identity just by using alphabet codes other than the usual ASCII (American Standard Code for Information Interchange) configuration. By this, a URL can look genuine even though it is configured using another coding standard. Although the attack that the AFCC discovered did not attempt to spoof a genuine domain because the phishers behind didn’t fully realize and utilize the advantages of using IDNs for identity theft, the existence of IDN phishing alone is enough to alert AFCC and shut such activity down.

Microsoft’s Report

Also done last October, Microsoft released their Security Intelligence Report against phishing throughout the first half of the year 2007. In the report, Microsoft presented a realization that over the first six months of this year, there had been 150 per cent increase in phishing activities, amounting to 31.6 million scams. They also found out that two Trojan horse families that infect computers actually steal confidential data from the victim, and as such, can be considered phishing scam as well. Further, there was a 500 per cent increase in downloaders of malware like key loggers and password stealers.

In the latest studies and discoveries of the Anti-Phishing Working Group or APWG, an association that aims to eliminate phishing attacks throughout the web, it detected 32,079 phishing websites last August and 30,999 last July. Over 90 per cent of those phishing websites on both records has online finance and transactions as target, more than half of them targeting European institutions. Approximately, 20,000 to 30,000 of the reported phishing websites every month comprise unique phishing attacks. Also, based on APWG’s reports, there were 110 to 180 brands hijacked by phishers every month, August’s being 129 while July’s is at 126.

The APWG has discovered 294 unique key loggers last August, and, as we have discussed earlier in the first article, key loggers allow phishing, which can further lead to the spread of other malicious programs like how the ones above did. The highest recorded unique key logging variants amounted to 345, which cam into being last January of this year. Also, the group was able to record unique URLs containing key loggers. Last August, there were 2,880 URLs with password-stealing codes. The highest number of URLs with coded key loggers this year, according to APWG, was last May, with 3,353. The records under URLs containing key loggers range roughly from approximately 1,500 to 3,400 reports.

Online Fraud

And finally, some good news. Javelin Strategy and Research, a website created to aid in topics that are finance-related, released a report on identity fraud against business and online transaction services. In the report, it showed a decrease in the number of U.s.-based adult victims of identity theft from 2003’s 10.1 million to 2005’s 9.3 million and even to 2007’s 8.4 million. Phished money decreased from $55.7 billion in 2006 to $49.3 billion in 2007. Moving along, Javelin found out that at the most common time, every victim has to wait 40 hours for a resolution to come, and that was in 2006. Today, every victim only has to wait for 25 hours before the phisher is detected and proper action is taken.

You can search Google for more information on phishing statistics. I just showed you four studies and results that discuses phishing activities this year. And finally, I will present you the ways on how to avoid phishing activities from getting you.

No (More) Phishing Allowed

Although it is generally hard to spot phishing clues as they have evolved to more complex, more believable, and seemingly perfect replicas of the websites they are spoofing, there are still ways to implement the lesson: Prevention is better than cure.

Basic education on websites and programming is one of the key social responses, as a user who doesn’t really know the goings-on behind computer processes tend to just click away or type in confidential details and wait for the result of their action, which is often too risky. Remember, there is no undo buttons when you just “click away” or “type away” and “wait for results” from the opened website. If you initially don’t trust the sender of the e-mail message containing the link, don’t click the presented URL address or enter any confidential information.

Also, being a little observant can help you to distinguish whether a visited website is phony or not. Let’s have phlashing, for example. If you know that the website often opens as a text-and-image type of page, try right-clicking on the page you are visiting. Spare a few seconds to check if you right-clicked on a web page or if you right-clicked on a Flash page, for you might be visiting a phlashed web page instead of the original. Simple precautions like that still are the best.

On a second note, there are things that your online accounts know that phishers don’t. Let’s take PayPal for example. Messages coming from PayPal usually address you by your whole name, which it took from its database registry as you have input it there, so seeing something like “Dear PayPal Customer” should make you doubt the message initially.

Secure HTTP

Learn the difference between http:// and https:// (note the ‘s’ among the alphabetic characters. The https:// is a scheme used to indicate that the website employs a security method. In technical terms, http:// allows access to resources using a protocol that transfers contents into your browser. In https:// however, there is an extra encryption and authentication layer standing between your protocol and the Internet provider. The layer allows secured communication between the user and a service provider. And https:// stands for Hypertext Transfer Protocol over Secure Socket Layer. Having an https:// should mean that you are doing a sensitive transaction, so also check the certificate of the website using such security scheme.

Further, websites that ask you for certain measures to act on often include notices on their own website, like PayPal asking you to confirm a sent or received amount of virtual money. Instead of clicking the link, try manually typing the address in the URL bar and log directly using the website’s home page and not through the supposed website the link in your e-mail message follows. Your identity is safer that way.

Same goes with voice phishing. If you are dubious that the number appearing in your e-mail message is genuine, try contacting the company’s trunk line first, and from there, make your way to the transaction you are supposed to verify.

Password Protection

Although a lot of phishers are good at knowing details and facts about you, you are still the master of your virtual household. Learn to use several passwords instead of just one. By that, if a phisher gains access to, say, your blogging account and get ahold of your e-mail address, if you have different passwords between your blog account and your e-mail account, they cannot access your more sensitive account with your blog account password simply because the phisher knows the wrong password to the right account.

Other than the usual social response to phishing, once you are learned of the basics of the craft of programming, you can now employ certain technical measures when checking if the site you are viewing is phished or not.

Use your anti-phishing toolbar. I know I mentioned in the first article that despite checking websites if they are identified as spoof websites, anti-phishing toolbars are still not efficient. That is because you just let your toolbar sit on your computer while you wait for it to react. Not all automatic things are secured, so may I repeat again, use your anti-phishing toolbar. Get the ones that display the real address of the website along with a few details regarding the website. To use it, compare the address you visited from the data the toolbar gave you. If somehow some details didn’t match, doubt the website immediately. Just by that, you can avoid being phished 80 per cent of the time.

Browsers

Browsers are also knowledgeable, too, when it comes to phishing. Internet Explorer 7, Firefox 2.0 and Opera 9.1 somehow implements their own anti-phishing programs as the toolbar versions do: IE7 uses a measure developed by an independent testing company; Firefox 2.0 uses Google’s anti-phishing software; and Opera 9.1 uses an array of phishing websites as checklist whether the visited website is a spoof or not.

Other than just keeping anti-phishing toolbars and browsers, update them too. Roughly 100 phishing attacks are launched everyday, so if they are easily detected by your computer, you aren’t only helping yourself but others as well because there are Internet communities that allow sharing of identified phishing websites list.

Even website owners did their share in the fight against phishing. Some website hosts have altered logos and images to alert the user if the site they visited has malicious code within it. Servers do the warning in this anti-phishing action as they send out warning messages if they cannot recognize the phisher’s embedded image after the change occur.

Some websites also employs security through sharing web objects, which are available only between the website and the user’s computer. A good example here is Yahoo! Mail, with its Sign-In Seal—a secret, according to Yahoo!, between the computer where it was set up on and the mail service. The seal will be an indicator that it is the genuine Yahoo! Site, because only you and Yahoo! can distinguish the image.

In relation to Yahoo! Mail’s Sign-In Seal, security skins are also implemented to tell users that a website is genuine. It also uses a user-selected image, but this time, instead of sharing between the user’s computer and the website, security skins share images between the user’s computers and the browser only. It will be more secured than the previous scheme as it relies on mutual authentication and your browser is not available around the Internet.

Seems like even the system used by e-mail service providers have learned their lessons. They now have spam filters that can reduce phishing e-mail messages and report them to the authorities at the same time.

DNS

If you are the techie type of person, then you might know a lot about how things go within the Internet world that you can employ advanced technical measures than the previous two above. If you have heard of specialized Domain Name System (DNS) service, then use it. DNS service acts like a firewall when it filters phishing sites from the ones you visits or have visited already. It works with any type of browsers too. Further security measures require outsiders to monitor and check around if the company is a likely to be the target of phishers. Such stand-alone security groups give out analysis and assistance for a company to avoid being phished, as it would be a grave financial damage if a company fell for a phishing scam. Moreover, individuals who know anti-phishing measures can be hired to check and report any loopholes that the company has. Better have an expert around!

Being initially doubtful of seemingly unexpected e-mail messages and website changes can often lead you to safety, so keep a close watch on your virtual surroundings. There you go, mate! Take care, and have a nice and phishing-free day!

Loki on December 17, 2007 Subscribe to our RSS Feed