Sunday, October 9, 2011

New Phishing Technique

Many users are still unaware of the dangers that phishing poses to their lives. They might know that hackers try to lure unsuspecting users to fake websites, hoping that their victims will supply login information, credit card details or social security numbers while trying to use the service. Those users already have difficulty identifying these first-generation phishing websites, which undoubtedly look and feel more professional with every passing day.
Anti-phishing toolbars and implementations in the major browsers are useful but can, as you will see, give the user a false sense of security. This can be attributed to the fact that the databases that contain the information are not updated in real time. Someone has to report a phishing website before it is added to the database; it would be more than difficult to create an automatic solution for this problem.
A second difficulty is that hackers use new techniques that are not detected by anti-phishing toolbars and implementations.
Flash Phishing
Anti-phishing toolbars do check the page content for signs of phishing but do not analyze Flash objects at all. Hackers know this and use it to their advantage by using Flash to emulate the original website. Users tend to believe that the site is “clean” because their anti-phishing toolbar did not react to it.
It is, however, relatively easy to find out if the current website is fake.
  1. Take a look at the URL in the address bar. If it is not the original address, leave the site immediately.
  2. Check if it is using https instead of http. If it is using http, leave the site immediately.
  3. If it is using https, check the certificate.
  4. If the site is only using Flash, leave it.
  5. Never follow links in emails (unless you know the person).
  6. Never follow links in chats (unless you know the person).
You should immediately contact the supposed owner of the website and ask for advice.
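The URL, https and Flash-only checks from the list above can also be automated. The sketch below is an added example, not code from the original post. The names `PageScan` and `check_page`, the exact-host comparison and the `min_text` threshold are assumptions made for illustration, and the certificate check is left out because it needs a live connection.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PageScan(HTMLParser):
    """Counts Flash embeds, HTML inputs and visible text in a page."""
    SKIP = {"script", "style", "title"}  # their text is not page content

    def __init__(self):
        super().__init__()
        self.flash = self.inputs = self.text_chars = self._skip = 0
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag in self.SKIP:
            self._skip += 1
        elif tag == "input":
            self.inputs += 1
        elif tag in ("object", "embed", "param"):
            ref = a.get("data") or a.get("src") or a.get("value") or ""
            if ".swf" in ref or a.get("type") == "application/x-shockwave-flash":
                self.flash += 1
    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())

def check_page(url, html, expected_host, min_text=40):
    """Return warnings for a page the user believes belongs to expected_host."""
    warnings = []
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != expected_host.lower():
        warnings.append("host-mismatch")   # step 1: not the original address
    if parts.scheme != "https":
        warnings.append("not-https")       # step 2: plain http
    scan = PageScan()
    scan.feed(html)
    scan.close()
    # Step 4 (assumed heuristic): Flash present, no HTML form, almost no text.
    if scan.flash and not scan.inputs and scan.text_chars < min_text:
        warnings.append("flash-only")
    return warnings

# Constructed sample pages (not taken from any real site).
FLASH_PAGE = ('<title>Bank</title><object type="application/x-shockwave-flash" '
              'data="login.swf"><param name="movie" value="login.swf"></object>')
HTML_PAGE = ('<h1>Sign in to online banking</h1><form><input name="user">'
             '<input type="password" name="pw"></form>')
```

An empty list only means none of these three checks fired. It does not prove that the site is genuine.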
Social Phishing
Phishers use other means of getting sensitive data from users. We all know that we should contact the company if we have doubts about a website. What if you received a mail from your bank asking you to call them back because there was a security breach? Would you call them back?
What if the number redirected you to someone in China speaking fluent English? Would you give him the information he asks for to verify that you are the customer? “Sir, we need to make sure that you are indeed our customer. Could you please supply your credit card information so that I can verify your identity?”
This is not a huge market yet but it will grow over time.
