Recent phishing attempts have targeted the customer of bank and online payment services. Social networking sites such as Orkut are also a target of phishing.
Spoofed/Fraudulent e-mails are the most widely used tools to carry out the phishing attack. In most cases we get fake e-mail that appears to have come from a Trusted Website. Here the hacker may requests us to verify username & password by replaying to a given email address.
TECHNIQUES BEHIND PHISSHING ATTACK
1. Link Manipulation
Most methods of phishing use some from of technical deception design to make a link an email appear to belong to some trusted organization or spoofed organization. Misspelled URLs or the use of subdomain are common tricks used by phishers, such as this example URL
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
instead of http://www.microsoft.com/
2. Filter Evasion
Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails. This is the reason Gmail or Yahoo will disable the images by default for incoming mails.
How does a phishing attack/scam look like?
As scam artist become sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from other identifying information taken directly from real Web sites. Here is an example of how the phishing scam email looks like
Example of phishing e-mail message, including a deceptive URL address linking to a scam Web site. To make these phishing e-mail messages look even more ligitimate, the scam artist may place a link in them that to go to the legitimate Web site (1), but it actually takes you to a phishing site (2) or possibly a pop-up window that looks like the official site. These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you may send personal information to the hackers.
How to identify a fraudulent e-mail?
here are a few phrases to look for it an e-mail message is a phishing scam.
"verify your account."
Legitimate sites will never ask you to send passwords, ligin names, Social Security numbers, or any other personal information through e-mail.
"IF you messages convey a sense of urgency so that you'll respond immediately without thinking.
"Dear Valued Customer."
Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
"Click the link below to gain access to your account."
HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not takee you to that address but somewhere different, usually a scam Web site.
Notice in the following example that resting the mouse pointer on the link reveal the real Wb address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.
So the Bottom line to defend from phishing attack is
1. Never assume that an e-mail is valid based on the sender's email address.
2. A trusted bank/organization such as paypal will never ask you for your full name and password in a payPal email.
3. An email from trusted organization will never contain attachment or software.
4. Clicking on a link in an email is the most insecure way to get to your account.
No comments:
Post a Comment