Thursday, June 25, 2009

Phishing: Examples and Its Prevention Methods

Phishing is a new word derived from ‘fishing’. It refers to a type of network attack in which the attacker creates a replica of an existing Web page to fool users (e.g., by using specially designed e-mails or instant messages) into submitting personal, financial, or password information, by masquerading as a trustworthy person or business in an electronic communication. This information can then be used for targeted advertisements or even identity theft attacks (e.g., transferring money from the victim’s bank account).

Example 1: Phishing email / Phishing website


A frequently used attack method is to send phishing e-mails to potential victims that appear to have been sent by banks, online organizations, or ISPs. These e-mails make up some pretext, such as the password of your credit card having been mis-entered too many times, or an upgrade to their services, to lure you into visiting their Web site to confirm or modify your account number and password through the hyperlink provided in the e-mail. Clicking those links takes you to a counterfeit Web site. Legitimate organizations would never request this information from you via e-mail.



Example 2: JavaScript Obfuscation

There is a trend in phishing today to go further in fooling a victim into believing he/she is on a trusted page, at, say, Netbank. Unmodified, a copied Netbank site will look like this on the phisher’s hosting server:



The location bar, which takes up approximately 2% of the screen height, accounts for virtually all of the indication that a Web site is genuine. This is easily circumvented with a well-known JavaScript vulnerability posted on the Bugtraq security mailing list in May 2004, which uses a floating pop-up frame to change the address bar to the familiar:



The ability to produce “chromeless” frames outside the browser window using the window.open JavaScript function continues to be available to Web developers, but thankfully these are now blocked by recent versions of Internet Explorer’s and Mozilla Firefox’s built-in pop-up blockers.
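Both examples rely on the victim trusting a link whose real target is not the bank's site. The checks below are an added example written for this post (not code from the original article or from any bank): they look at a hyperlink from the defender's side, comparing the visible text with the real target and flagging the usual disguises. The domain netbank.example and all sample links are constructed, hypothetical values.

```javascript
// Added example (not from the original post): defender-side checks on a
// hyperlink found in an e-mail. Domains and links below are constructed.

// Registrable domain approximated as the last two labels of the hostname.
// Assumption: a real deployment would consult the Public Suffix List instead.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Returns an array of warnings for one link; an empty array means no finding.
// displayText: text the user sees; href: the real target; expectedDomain:
// registrable domain of the organisation the message claims to come from.
function checkLink(displayText, href, expectedDomain) {
  const warnings = [];
  let target;
  try {
    target = new URL(href);
  } catch (err) {
    return ['href does not parse as a URL'];
  }
  const host = target.hostname;
  if (target.protocol !== 'https:') warnings.push('link is not https');
  // "https://netbank.example@evil.test/" shows the trusted name as userinfo
  if (target.username !== '' || target.password !== '') warnings.push('userinfo embedded in URL');
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(host) || host.startsWith('[')) warnings.push('host is an IP literal');
  // Internationalised labels can be visual look-alikes of the trusted name
  if (host.split('.').some((l) => l.startsWith('xn--'))) warnings.push('host contains punycode label');
  if (registrableDomain(host) !== expectedDomain.toLowerCase()) {
    warnings.push(`host ${host} is not under ${expectedDomain}`);
  }
  // If the visible text is itself a URL, its host must match the real target
  if (/^https?:\/\//i.test(displayText)) {
    try {
      if (new URL(displayText).hostname !== host) warnings.push('displayed URL differs from real target');
    } catch (err) {
      warnings.push('displayed text looks like a URL but does not parse');
    }
  }
  return warnings;
}

// Constructed sample links modelled on the e-mail lure described in Example 1
const SAMPLE_LINKS = [
  ['https://netbank.example/login', 'https://netbank.example/login'],
  ['https://netbank.example/login', 'http://netbank.example.verify-account.test/login'],
  ['Restore access now', 'https://netbank.example@203.0.113.5/restore'],
];

function scanSamples() {
  return SAMPLE_LINKS.map(([text, href]) => ({ href, warnings: checkLink(text, href, 'netbank.example') }));
}
console.log(scanSamples());
```

The first sample produces no warnings; the second is flagged for plain http, for sitting under verify-account.test rather than netbank.example, and for a visible URL that differs from the real target; the third is flagged for the userinfo trick and the IP-literal host.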

Here is a quick checklist to bear in mind while surfing; we should be alert to the risks of phishing:
1. If you receive a mail that asks you to take immediate action, such as "to restore access to your bank account…", don't click the link. A bank will never ask you to give them your user ID and password online. If you suspect something, speak with the bank directly to find out the truth.
2. Be alert in all Internet activities, and be aware that there are unscrupulous elements out there trying to extract your personal details for their nefarious uses.
3. Check that everything is all right by logging in to your account regularly.
4. Ensure your web browser is the latest version with all security patches applied, to help you detect and block phishing Web sites, and use spam filters to enhance your security further.
5. Do not fill out forms in e-mail messages, especially if the form requires you to enter personal details.
6. Never leave personal accounts unattended for a long period of time (even a month). Make it a habit to check the debits and credits on your account, and if you notice anything unusual, get clarification immediately.
7. Never reveal your personal information to anyone, however genuine or trustworthy the requester may sound. Personal details should be known only by you; they are your personal asset. It is better to be a bit careful.

Related links:
http://internet.suite101.com/article.cfm/avoid_phishing_attempts

http://research.microsoft.com/en-us/um/people/chguo/phishing.pdf

http://y2u.co.uk/Knowledge_Information/Technology/RN_Computer_Phishing_Scam.htm

http://www.phishtank.com/what_is_phishing.php

http://www.planbsecurity.net/wp/503167001_PhishingDetectionandPrevention.pdf