How to Avoid New Phishing Developments

Written by Paul Mah on March 2, 2011

Phishing attempts started off relatively benignly, with simple spoofing of e-mails and masquerading as trusted entities to obtain sensitive information. As users wised up to these online shenanigans, the criminal minds behind these cyber-rackets adapted their methods and correspondingly ratcheted up the sophistication of their schemes.

Today, phishing has evolved to replica banking websites that are indistinguishable from the real sites, well-written e-mails crafted to trick even experienced e-mail users into visiting malware-laden sites, and sophisticated Trojan malware such as Zeus that is tuned specifically to steal banking usernames and passwords.

Today, I want to highlight a couple of recent developments on the phishing front, and some suggestions on how organizations can defend against them.

Mind the basics

Before moving on to new phishing developments, it makes sense to pay attention to some basic steps that will help shield your company against rudimentary phishing attempts.

  • Train employees to recognize secured sites

Many administrators already teach their users to look out for the lock symbol that represents a properly encrypted site. However, what is often neglected is the handful of steps required to validate the authenticity of a site by examining the actual digital certificate: whose name it is issued to, who issued it, and whether it is still within its validity period. Recent versions of browsers are fortunately quite explicit in warning against self-signed certificates, though that is hardly the best gauge, since criminals can purchase valid digital certificates too.
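As an added illustration (not code from the original article), the following Python performs the checks a browser applies before it shows the lock and that a user can repeat by opening the certificate: the hostname is matched against the certificate's subject alternative names, the validity dates are compared with the current time, and a certificate whose issuer equals its subject is reported as self-signed. It operates on the dictionary that Python's ssl module returns from getpeercert(); the sample certificate, the validity dates and the bank.example host are constructed for the example and do not describe any real site.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. The names, dates and issuer are hypothetical.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
# A fixed "now" inside the sample certificate's validity period.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  2 00:00:00 2011 GMT")


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    A wildcard is accepted only as the entire leftmost label and covers one
    label only, so "*.bank.example" matches "www.bank.example" but neither
    "bank.example" nor "a.b.bank.example"; "*.example" is refused outright.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now):
    """Return a list of problem codes; an empty list means the cert checks out."""
    problems = []
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, hostname) for name in names):
        problems.append("HOSTNAME_MISMATCH")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("NOT_YET_VALID")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("EXPIRED")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("SELF_SIGNED")
    return problems


def fetch_peer_cert(hostname, port=443):
    """Fetch a live site's leaf certificate (needs network access).

    create_default_context() already verifies the chain and hostname, so a
    handshake that succeeds here has passed the browser's own checks; the
    returned dict lets you show users what those checks looked at.
    """
    import socket
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    import time
    if len(sys.argv) > 1:
        host, cert, now = sys.argv[1], fetch_peer_cert(sys.argv[1]), time.time()
    else:
        host, cert, now = "www.bank.example", SAMPLE_CERT, SAMPLE_NOW
    print(host, check_certificate(cert, host, now) or "OK")
```

Run without arguments it evaluates the constructed certificate; given a hostname it fetches that site's certificate and reports the same problem codes.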

  • Implement good security software

A compromised machine invites cybercriminals to run circles around you, regardless of the security best practices that are in place. It is beyond the scope of this article, but you might want to explore using traditional antivirus software in conjunction with whitelisting solutions.

  • Enforce good password practices

The easiest way to steal the information needed for identity theft is to break into the target’s e-mail account. Passwords for practically every online service can be reset from the right e-mail address, not to mention that many users reuse the same password across multiple services. And yes, the ability to set e-mail forwarding rules means a scammer who gets in can hijack an account while the rightful owner remains none the wiser; it is hence imperative that passwords for e-mail accounts are robust and changed regularly.

Development #1: Make use of Second Factor Authentication

InfoSecurity.com ran a recent article about how cybercriminals made off with $63,000 from a company account in Kansas after the Windows PC of the financial controller was infected with a variant of the Zeus Trojan. It was not reported how the Trojan got onto the computer in the first place, though it was obvious that the theft succeeded because nothing beyond a username and password was required to authenticate. In addition, confirmation e-mails sent from the bank to the financial controller (on the same system) were suppressed by the unknown assailants, further delaying discovery of the heist.
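The forwarding-rule hijack mentioned under the password practices above and the suppressed bank confirmation e-mails in this incident are both mailbox-rule abuses, and both leave a trace in the rule list that an administrator can audit. The following Python is an added example, not code from the original article: it runs over a constructed export of mailbox rules (a hypothetical, simplified format; corp.example is an assumed company domain) and flags rules that forward mail outside the organisation, delete messages matching financial keywords, or carry a name chosen to go unnoticed.

```python
ORG_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain
# Terms whose deletion by a rule would hide a theft from the mailbox owner.
SUPPRESSION_TERMS = ("bank", "wire", "payment", "invoice", "password", "confirmation")

# Constructed sample export of mailbox rules in a hypothetical, simplified format.
SAMPLE_RULES = [
    {"mailbox": "controller@corp.example", "name": "Archive newsletters",
     "match": ["newsletter"], "forward_to": [], "delete": False},
    {"mailbox": "controller@corp.example", "name": ".",
     "match": ["bank", "confirmation"], "forward_to": [], "delete": True},
    {"mailbox": "controller@corp.example", "name": "Backup",
     "match": [], "forward_to": ["drop.box@webmail.example"], "delete": False},
    {"mailbox": "hr@corp.example", "name": "Team copy",
     "match": [], "forward_to": ["hr-team@corp.example"], "delete": False},
]


def audit_rule(rule, org_domain=ORG_DOMAIN):
    """Return a list of finding codes for one rule (empty list = nothing suspicious)."""
    findings = []
    # 1. Forwarding to any address outside the organisation copies the owner's mail.
    for addr in rule["forward_to"]:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != org_domain:
            findings.append("EXTERNAL_FORWARD:" + addr)
    # 2. Deleting mail that mentions the bank, wires or password resets conceals a theft.
    hidden = [term for term in rule["match"] if term.lower() in SUPPRESSION_TERMS]
    if rule["delete"] and hidden:
        findings.append("SUPPRESSES:" + ",".join(hidden))
    # 3. A blank or single-character name keeps the rule from standing out in the list.
    if len(rule["name"].strip()) <= 1:
        findings.append("OBSCURE_NAME")
    return findings


def audit_rules(rules, org_domain=ORG_DOMAIN):
    """Map (mailbox, rule name) -> findings for every rule with at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, org_domain)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox}  rule {name!r}: {', '.join(findings)}")
```

Running the audit on every mailbox periodically, and on a mailbox immediately after a password reset, turns the "none the wiser" scenario into something that can be noticed.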

Phishing has evolved from small scams and identity-related crimes to large, tangible sums of money being siphoned away. And rather than high-level hackers, all it takes is criminals with the right tools and a minimal level of computer skill to pull off an attack. With the above example in mind, it can be surmised that authentication mechanisms that rely on an uninfected system are extremely vulnerable to compromise, and should be beefed up with a second authentication factor that cannot be defeated by remotely commandeering a PC.

Development #2: Two-Factor Authentication doesn’t guarantee protection

In another new development, mobile-specific malware that facilitates phishing has been spotted. It works this way: fraudulent fields are injected into a web page to quiz users on the model of their mobile phone and their mobile number. Requisite information in hand, the cyber-crooks then send a text message containing a link to customized malware. If the hapless user takes the bait, a mobile phone Trojan is installed that monitors incoming text messages and forwards them to the criminals, effectively thwarting text-message-based two-factor authentication.

There is no evidence yet that individuals or companies have succumbed to this attack, and the use of a hardware dongle, as opposed to text messages, would effectively curtail this attack vector. Moreover, there are ways of defending against mobile Trojans through proper policing and securing of smartphones too. Ultimately, I decided to highlight this development as a timely reminder that even two-factor authentication can be circumvented under certain circumstances. Just as phishing is no longer a threat limited to e-mails, protecting against a successful phish similarly requires more than just blocking suspicious e-mails at the spam appliance.
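To make the hardware-token point concrete, here is an added Python example (not code from the article) of how a server verifies a time-based one-time password of the kind generated on a separate token, following RFC 6238 and using the RFC's own test seed so the values can be checked against the RFC's published vectors. It goes a little beyond the article in showing two details that matter once the user's PC or phone is suspect: the code is compared in constant time, and a given time step is accepted only once, so a code captured from the user cannot be replayed within its validity window. The seed, 30-second step and 8-digit length are the RFC's reference parameters, not values from any real deployment.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference seed (the ASCII string "12345678901234567890"); a real
# token holds a per-user random secret shared only with the server.
TEST_SEED = b"12345678901234567890"
STEP = 30     # seconds per time step (RFC reference value)
DIGITS = 8    # RFC test vectors use 8 digits; many deployments use 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Server-side check of a code produced on a separate token.

    Accepts one step of clock skew either way, and never accepts a time step
    equal to or older than the last one used, so a code that was captured
    (from the user, the PC or the phone) cannot be replayed while still valid.
    """

    def __init__(self, secret, step=STEP, digits=DIGITS, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1  # persisted per user in a real deployment

    def verify(self, code, unix_time):
        counter = int(unix_time // self.step)
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_counter:
                continue  # already consumed, or older than the last accepted step
            # Constant-time comparison so a wrong guess leaks nothing about the right one.
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(TEST_SEED, now)
    verifier = TotpVerifier(TEST_SEED)
    # First use succeeds, immediate reuse of the same code is refused.
    print(code, verifier.verify(code, now), verifier.verify(code, now))
```

The replay rule is what a text-message interceptor runs into: even a forwarded code is worthless once the legitimate login has consumed that time step, and a code used before the owner is refused to the owner, which is itself a signal worth alerting on.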

Comments

David March 2, 2011

Hardware dongles should be standard with enrollment in all online banking. The added security they provide to something we need to trust like banking makes a great deal of sense, and I think most people would pay a small online banking enrollment fee for the added peace of mind that it would provide.

Angelo Rodriques March 10, 2011

It’s not only banks that are being phished. PayPal, Visa, Mastercard, and eBay were once used as instruments for phishing.

There are many ways to prevent phishing. For one, you can install a web checker. I use Alexa to determine if a website is legitimate or not.

If the website has a low ranking, there’s a great probability that it is illicit.

You can also double-check the website URL or name. Just last year, an email, supposedly from PayPal, stated that I should reset my password for my account to be activated. I found out later that the sender was “PayPa1” and not “PayPal”.

See the difference?
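Angelo's PayPa1 versus PayPal observation can be turned into a check that an organisation runs over the domains in links its users receive. The following Python is an added example and not from the thread: it maps look-alike characters back to the letters they imitate, flags a one-character typo of a trusted name, and flags a trusted name used as a subdomain of some other domain. The trusted list and the sample hostnames are constructed for the example; the registrable-label extraction is deliberately simple and does not handle multi-part public suffixes such as co.uk.

```python
# Digraphs and single characters that pass for other letters in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})

# Constructed trusted list; an organisation would list the brands its users deal with.
TRUSTED = ("paypal.com", "ebay.com", "visa.com")


def normalize(label):
    """Map look-alike characters back to the letters they imitate (PayPa1 -> paypal)."""
    label = label.lower()
    for pair, letter in DIGRAPHS.items():
        label = label.replace(pair, letter)
    return label.translate(SINGLE)


def levenshtein(a, b):
    """Edit distance, used to catch single-character typos such as paypall."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, trusted=TRUSTED):
    """Return TRUSTED, UNKNOWN, or a code naming which trusted domain is imitated."""
    host = hostname.lower().strip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "TRUSTED"
    labels = host.split(".")
    # Simplification: the label before the last is treated as the registrable name
    # (this does not handle multi-part public suffixes such as co.uk).
    core = labels[-2] if len(labels) >= 2 else labels[0]
    for t in trusted:
        brand = t.split(".")[0]
        if normalize(core) == brand:
            return "HOMOGLYPH:" + t
        if levenshtein(core, brand) == 1:
            return "TYPO:" + t
        if brand in labels[:-2]:
            return "BRAND_IN_SUBDOMAIN:" + t
    return "UNKNOWN"


if __name__ == "__main__":
    # Constructed sample hostnames as they might appear in links.
    for sample in ("www.paypal.com", "paypa1.com", "paypall.com",
                   "paypal.secure-login.example", "example.org"):
        print(f"{sample:32} {classify(sample)}")
```

The TRUSTED check comes first so genuine hosts and their subdomains are never flagged; everything else is judged on how closely its registrable label imitates a trusted brand.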

Paul Mah March 15, 2011

Thanks for the tip, Angelo. I agree that double-checking the validity of a website is an important step, given the ease with which sites can be duplicated/phished.
