[AI] security expert
ilovecold at gmail.com
Mon Sep 27 05:37:57 EDT 2010
Online criminals are after one thing: your money. Rather than trying to hack
your computer to steal private details, many opt for the easier route of
tricking you into divulging information or falling for scams. In this month's
Security Expert, we'll look at how cyber-criminals try to trick you, and how you
can spot a phishing website.
Expert on security
Outsmarting phishing websites
Attempts to steal personal data by phishing are becoming ever more prevalent.
Simon Edwards shows you how to stop them
Online criminals will use every trick in the book to steal as much personal
information as possible. They're capable of sophisticated attacks using
cutting-edge technology, but they're not above simply lying if there's a chance
you'll hand over your username and password. Combine some standard manipulation
with a bit of technical wizardry, and an attack can be devastating. There's a
special name for this type of con: phishing. This kind of attack is designed to
trick as many people as possible into sending criminals their details.
There are two stages to a typical phishing attack. First, you'll be asked to
log into a website. The attackers will use a number of ruses to tempt you to do
this. When you click on the link, you'll see what appears to be a genuine
website, possibly belonging to your bank, auction service or a charity. The
second part of the attack occurs when you enter your username and password into
the site. Because it's a fake site run by criminals, it won't log you into the
service you expect. Instead, it will store your username and password. If the
site is pretending to be a bank, the hackers not only know that you use this
particular bank but they'll also have your login details. Some fake sites may
try to log you into the real service after they have stolen your details, so
you're none the wiser.
Once your details have been stolen, the criminals may use them to try to access
your web-based account directly or they may add your information to a file that
is then sold to other criminals.
Baiting the hook
Invitations to a fake site can appear in many guises. Spam emails often contain
links to phishing sites. Messages that appear on social networking sites may
include harmful links. Fake charity websites will steal your money more
directly than we've described above. You can even receive phishing links when
you use internet messaging, or as a text message on your mobile.
Most of the time, you'll find phishing links in spam emails. These can be
targeted, being sent only to people who are known to use a particular bank, or
sent out randomly. Our example (see the screen, left) arrived in our special
email account - designed to catch viruses and other threats - even though we
don't have a NatWest bank account.
If you click on a phishing link, your web browser will load a site that looks
like a legitimate web page. In our example, an email claimed that Lloyds TSB,
which was on the verge of merging with HBOS, had redesigned its site and
requested that users log in to check that its online banking service was working
properly. If it wasn't (which was to be expected, because it's a fake site),
users were told they should try later.
Figure 1 above shows the site as it would have appeared to anybody who clicked
on the link in the email. Note how accurate the page looks, complete with
company logos and even some small print at the bottom. The criminal has
probably copied these details from the real bank's site.
When the victim attempts to log on, they won't succeed because the criminal
wants to gather more information. The victim will be asked to enter their
security code word - see Figure 2 above for evidence of the sort of page you can
expect to see. Note the poor grammar (in red). Following the supply of this
information, the victim is told that they have been successful in registering
with the new system (see figure 3). Within seconds, the web page shown
In its place, the fake website will load the genuine bank website (see figure
4), but the victim will find they're not logged in and must repeat the process
on the real website. They'll continue, not knowing they've handed their
security details to a criminal. They'll probably only realise they've been the
victim of a scam when money disappears from their account.
To avoid becoming the victim of a phishing attack, remain vigilant. If you
receive a message asking you to update your account for a service to which you
don't subscribe, ignore it. The same goes for any orders you haven't placed,
and any contact from charity websites you don't use.
Use anti-phishing tools built into email programs such as Thunderbird.
Web-based systems such as Google Mail and Yahoo! Mail provide similar
protection. Be suspicious of any messages these services highlight. You should
also use the anti-phishing tools built into your web browser. Internet Explorer
7 has an anti-phishing filter that appears at the bottom of the screen. If it
lights up when you visit a site, beware. Many internet security suites come
with anti-phishing filters. Some integrate with your web browser and prevent
suspicious sites loading.
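As an added example (not part of the article or any product it mentions), the following Python script applies two of the tells described above to a constructed HTML lure in the style of the Lloyds TSB email: a link whose visible text names the bank's domain while the href points elsewhere, and a host that carries the bank's name but is not one of its real domains. The hostnames and the trusted-domain list are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (hypothetical hostnames, not real indicators).
SAMPLE_EMAIL = """
<p>Lloyds TSB has redesigned its online banking site.</p>
<p>Please <a href="http://lloydstsb.online-banking-check.example/login">
log in at www.lloydstsb.com</a> to confirm the service is working.</p>
<p>Questions? See <a href="https://www.lloydstsb.com/help">our help pages</a>.</p>
"""

# Domains the brands actually use (assumed for this example).
TRUSTED_DOMAINS = {"lloydstsb.com", "natwest.com"}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable_domain(host):
    """Crude 'last two labels' approximation, adequate for .com-style hosts."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    """Return [(href, [reasons])] for links that match a phishing tell."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, reasons = urlparse(href).hostname or "", []
        # Tell 1: the brand's name sits on a domain the brand does not own.
        brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
        if any(b in host for b in brands) and registrable_domain(host) not in TRUSTED_DOMAINS:
            reasons.append("brand name on untrusted domain")
        # Tell 2: the link text names a domain other than the one the href visits.
        m = re.search(r"(?:www\.)?([a-z0-9-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            reasons.append(f"text says {m.group(1)}, link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link, for both reasons; the genuine help link passes.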
Technical telepathy: 09969636745
Saints are not always saints; sinners are not always sinners.