The Threat of Phishing
Phishing - What is it?
According to Webopedia, phishing is “the act of sending a ‘spoof’ e-mail to a user, falsely claiming to be an established enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.” [1] The e-mail received often pretends to be from an existing organisation and carries a link to a counterfeit webpage designed to trick the recipient into divulging personal information such as account names, passwords or credit card details. Like a conman at your door, the ‘phisher’ relies on your gullibility and on the odds that, of the thousands of fake e-mails distributed, there will always be a few users foolish enough to believe their claims.
With the ongoing development and increasing use of non-webpage internet resources such as messenger services, computer users need to be vigilant about changing phishing techniques and sources. E-mail is no longer the only distribution method for these fake sites; applications such as messenger services and file-sharing applications have also been targeted.
Example
Phishing through compromised web servers
This technique involves hackers breaking into a vulnerable server and installing malicious web content: a bogus website together with a mass-mailing tool. The tool then e-mails out en masse, advertising the fake website via spam. The spam e-mail imitates a legitimate site and asks the user to visit a webpage to update or supply personal information.
Another method used to obtain information is to include a form within the e-mail itself and request the information there; with a ‘click’ of the submit button, your personal information is forwarded to a bogus site. [2]

There are other variants on this example that are not technically phishing but rather a use of ‘malware’ or of a weakness in a computer’s security. For further reading, start with the References & Links below.
Solutions
Consumers can help avoid falling victim to phishing attacks by following a few simple ideas: [3]
- Remain Calm: Remain calm and resist the first impulse to hit the ‘reply’ button or click the link in a suspicious e-mail that warns you, with little notice, that an account of yours will be shut down unless you confirm your account information. Instead, contact the company cited in the e-mail using a telephone number that you are sure is genuine.
- Security: Before submitting financial information through a website, look for the locked padlock on the browser’s status bar or for “https://” at the beginning of the web address in your browser’s address window. The presence of a padlock and the “https://” does not guarantee that the website is legitimate or secure; however, the absence of either does indicate that the website is not secure. Better still, only go to your institution’s official website through your favourites, or type the address in yourself.
- Review: Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized transactions. If your statement is more than a couple of days late, call your credit card company or bank to confirm your address and account balances.
- Report: Report suspicious activity to the institution involved, and forward the actual phishing e-mail to them.
- Legitimate Sites: Legitimate companies will never ask for your personal details by e-mail, as they already have them; if unsure, visit a branch or call them on the phone.
- Separate: Keep a separate password for each online account to eliminate the risk of all your accounts being illegally accessed.
- Further Information: Visit ASIC’s website at www.fido.gov.au or call the ASIC infoline on 1300 300 630. [4]
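The “form with the e-mail” variant described under Example and the Security advice above (check for https://, but trust only the addresses in your own favourites) can both be turned into automated checks on an incoming message. The following script is an added example written for this page; it is not code from the original article or from any organisation it references. It parses an HTML e-mail body, flags any embedded form that posts to a host you do not bank with, flags links whose visible text names one host while the href goes elsewhere, and flags links that are not https:// or whose host is not in your allowlist. KNOWN_HOSTS and SAMPLE_EMAIL are constructed for the example; the hostname regex is a heuristic of mine, not a standard.

```python
"""Triage checks for a suspicious HTML e-mail (added example, not from the original page)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the hosts the user has bookmarked for their real institutions.
KNOWN_HOSTS = {"www.examplebank.com", "online.examplebank.com"}

# Visible link text that looks like a bare domain or URL, e.g. "www.examplebank.com".
_DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def host_of(url):
    """Lowercase hostname of a URL ('' if unparsable). urlsplit ignores any user@ prefix,
    so a link such as https://www.examplebank.com@203.0.113.9/ resolves to the real host."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def host_in_text(text):
    """Hostname that a link's visible text claims to be, or '' for ordinary wording."""
    m = _DOMAINISH.match(text.strip())
    return m.group(1).lower() if m else ""


def is_known_host(host):
    """True only for an allowlisted host or a subdomain of one. A host that merely
    starts with 'www.examplebank.com.' is a lookalike and is rejected."""
    return any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)


class _LinkAndFormCollector(HTMLParser):
    """Gathers (visible_text, href) for every anchor and the action URL of every form."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._open = None  # [text_so_far, href] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = ["", a["href"]]
        elif tag == "form":
            self.forms.append(a.get("action") or "")

    def handle_data(self, data):
        if self._open is not None:
            self._open[0] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0].strip(), self._open[1]))
            self._open = None


def triage(html):
    """Return human-readable findings for one HTML e-mail body; an empty list means nothing flagged."""
    p = _LinkAndFormCollector()
    p.feed(html)
    p.close()
    findings = []
    for action in p.forms:  # a credential form inside the mail itself
        h = host_of(action)
        if not is_known_host(h):
            findings.append("form posts to untrusted host: " + (h or repr(action)))
    for text, href in p.links:
        h = host_of(href)
        claimed = host_in_text(text)
        if claimed and claimed != h:  # text says one host, href goes to another
            findings.append(f"link text says {claimed} but goes to {h}")
        if not href.lower().startswith("https://"):
            findings.append("link is not https: " + href)
        if not is_known_host(h):  # https alone proves nothing; the host must be yours
            findings.append("link host not in favourites: " + h)
    return findings


# Constructed sample: urgent wording, a credential form posting to a raw IP, and a
# lookalike host that begins with the real bank's name.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be closed in 24 hours unless you confirm your details.</p>
<form action="http://198.51.100.7/collect.php" method="post">
  <input name="user"> <input name="pass" type="password"> <input type="submit" value="Confirm">
</form>
<p>Or log in at <a href="https://www.examplebank.com.account-verify.example/login">www.examplebank.com</a></p>
<p>Genuine link for comparison: <a href="https://online.examplebank.com/">Our secure site</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed sample, the script flags the embedded form, the text/href mismatch and the unknown host of the lookalike link, while the genuine online.examplebank.com link passes. The allowlist check is what does the real work: the lookalike link is served over https:// and would show a padlock, which is exactly why the advice above says to rely on your own favourites rather than on the padlock.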
Future Threats
Clever criminals of the future may use methods involving ‘complex aware’ resources: for example, bidders on eBay are contacted, informed that theirs is the winning bid, and asked to provide information (payment details) to process a timely delivery of the goods. The bidders, however, are unaware that the site they have provided information to is a fake.
In the future, the use of social networks and the inherent trust they foster is also a source of information that criminals may utilise for phishing purposes. The attack still relies on the user being ‘caught out’ by a fake e-mail and website, but with the link provided by a phisher imitating a friend or relative, trust is less likely to be an issue.
Trends
According to APWG information, the number of reported phishing attacks increased by almost 100% in the first six months of 2005. Furthermore, the shift in the sectors being targeted, away from retail and ISPs towards financial organisations, is of growing concern. [5] With the continuing growth of phishing attacks, the credibility and confidence of users are at risk, and it is evident that to combat this, institutions and customers need to be vigilant and always remain aware.
References & Links
- http://www.webopedia.com/TERM/p/phishing.html (visited 2005-08-13)
- http://www.fbiic.gov/ (visited 2005-08-13)
- eBay E-Commerce Guide (visited 2005-08-13)
- http://www.asic.gov.au/fido/fido.nsf (visited 2005-08-13)
- APWG Phishing Activity Report, June 2005 (visited 2005-08-13)
- http://www.antiphishing.org/ (visited 2005-08-13)
- http://www.honeynet.org/ (visited 2005-08-13)
- Australian Computer Crime & Security Survey 2005, AusCERT