[AI] security expert

Sanjay ilovecold at gmail.com
Mon Sep 27 05:37:57 EDT 2010


Online criminals are after one thing: your money. Rather than trying to hack

your computer to steal private details, many opt for the easier route of

tricking you into divulging information or falling for scams. In this month's

Security Expert, we'll look at how cyber-criminals try to trick you, and how you

can spot a phishing website.

Simon edwards 

Expert on security 



Outsmarting phishing websites 

Attempts to steal personal data by phishing are becoming ever more prevalent.

Simon Edwards shows you how to stop them

Online criminals will use every trick in the book to steal as much personal

information as possible. They're capable of sophisticated attacks using

cutting-edge technology, but they're not above simply lying if there's a chance

you'll hand over your username and password. Combine some standard manipulation

with a bit of technical wizardry, and an attack can be devastating. There's a

special name for this type of con: phishing. This kind of attack is designed to

trick as many people as possible into sending criminals their details.

There are two stages to a typical phishing attack. First, you'll be asked to

log into a website. The attackers will use a number of ruses to tempt you to do

this. When you click on the link, you'll see what appears to be a genuine

website, possibly belonging to your bank, auction service or a charity. The

second part of the attack occurs when you enter your username and password into

the site. Because it's a fake site run by criminals, it won't log you into the

service you expect. Instead, it will store your username and password. If the

site is pretending to be a bank, the hackers not only know that you use this

particular bank but they'll also have your login details. Some fake sites may

try to log you into the real service after they have stolen your details, so

you're none the wiser.

Once your details have been stolen, the criminals may use them to try to access

your web-based account directly or they may add your information to a file that

is then sold to other criminals.

baiting the hook 

Invitations to a fake site can appear in many guises. Spam emails often contain

links to phishing sites. Messages that appear on social networking sites may

include harmful links. Fake charity websites will steal your money more

directly than we've described above. You can even receive phishing links when

you use internet messaging, or as a text message on your mobile.

Most of the time, you'll find phishing links in spam emails. These can be

targeted, being sent only to people who are known to use a particular bank, or

sent out randomly. Our example (see the screen, left) arrived in our special

email account - designed to catch viruses and other threats - even though we

don't have a NatWest bank account.

gone phishing 

If you click on a phishing link, your web browser will load a site that looks

like a legitimate web page. In our example, an email claimed that Lloyds TSB,

which was on the verge of merging with HBOS, had redesigned its site and

requested that users log in to check that its online banking service was working

properly. If it wasn't (which was to be expected, because it's a fake site),

users were told they should try later.

Figure 1 above shows the site as it would have appeared to anybody who clicked

on the link in the email. Note how accurate the page looks, complete with

company logos and even some small print at the bottom. The criminal has

probably copied these details from the real bank's site.

When the victim attempts to log on, they won't succeed because the criminal

wants to gather more information. The victim will be asked to enter their

security code word - see Figure 2 above for evidence of the sort of page you can

expect to see. Note the poor grammar (in red). Following the supply of this

information, the victim is told that they have been successful in registering

with the new system (see figure 3). Within seconds, the web page shown

disappears.

In its place, the fake website will load the genuine bank website (see figure

4), but the victim will find they're not logged in and must repeat the process

on the real website. They'll continue, not knowing they've handed their

security details to a criminal. They'll probably only realise they've been the

victim of a scam when money disappears from their account.

avoiding attacks 

To avoid becoming the victim of a phishing attack, remain vigilant. If you

receive a message asking you to update your account for a service to which you

don't subscribe, ignore it. The same goes for any orders you haven't placed,

and any contact from charity websites you don't use.

Use anti-phishing tools built into email programs such as Thunderbird.

Web-based systems such as Google Mail and Yahoo! Mail provide similar

protection. Be suspicious of any messages these services highlight. You should

also use the anti-phishing tools built into your web browser. Internet Explorer

7 has an anti-phishing filter that appears at the bottom of the screen. If it

lights up when you visit a site, beware. Many internet security suites come

with anti-phishing filters. Some integrate with your web browser and prevent

suspicious sites loading.


Technical telepathy: 09969636745
Saints are not always saints; sinners are not always sinners.
  


More information about the AccessIndia mailing list