Avoiding being Phished
I interviewed Brandon Olekas for this topic. Brandon is a Lead Security Engineer at Citrix. He has been working in XenApp security for about four years, has been involved with many security features and improvements in the XenApp product, and helped co-author . He has a Computer Science degree from Georgia Institute of Technology and is an Associate of (ISC)2.
Here is Brandon:
Q: What is Phishing?
A: It is a form of social engineering – attempting to fool people into revealing information that is subsequently used against them.
Phishing doesn’t require a lot of capital, so it is no wonder it is so prevalent. Research firm Gartner Group estimates that phishers will cost US businesses and consumers a whopping $2.8B this year. The average take: $1244 per victim.
Phishing primarily targets stealing personal information through the use of e-mail and websites. Phishing emails usually appear to come from well-known financial institutions (which they are not) and their goal is to acquire login information, credit card numbers, social security numbers, or account numbers.
Phishing e-mails attempt to entice the user into clicking a link which will direct them to a malicious website. The thing is, legitimate businesses will never request this information via e-mail.
Bottom line is, if you receive an e-mail asking you to login to your bank, . Open a browser and go directly to the official bank site.
Q: Don’t malicious Phishing sites also attempt to do damage to the victim’s computer?
A: Actually, most virus scans catch virus-infected attachments now. Phishers are looking to steal personal information. One other case that comes to mind is the Nigerian scam, which is considered phishing because they attempt to fool victims into sending money. The victims were enticed to send actual money to the Phisher after being convinced some amount of their own money was required to free up the large winnings. Even though this sounds ludicrous, many victims fell prey to this scam. Even now, people still fall for the Nigerian-type scams.
Q: How else can people notice the dangers and avoid “being Phished”?
A: According to phishtank.com, the most important things to look for in a phishing e-mail are:
1. Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like “First Generic Bank Customer” so they don’t have to type all recipients’ names out and send emails one-by-one. If you don’t see your name, be suspicious.
2. Forged link. Even if a link has a name you recognize somewhere in it, it doesn’t mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don’t click on the link. Also, websites where it is safe to enter personal information begin with “https” — the “s” stands for secure. If you don’t see “https” do not proceed.
3. Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.
4. Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.
In addition, in the URL, pay attention to be sure you are reading correctly. For example, http://Realbank.hacker.com does not mean it is from Realbank. To the contrary, it is from hacker.com.
Also look out for numbers preceded by a % sign, which are encoded characters. They can trick you. For example, %47 is just a capital G, but it means the same thing to your web browser, i.e., http://%47oogle.com = http://www.Google.com.
A good educational resource is at this site: http://cups.cs.cmu.edu/antiphishing_phil/ Anti-Phishing Phil – it’s a fun online game that teaches how to recognize phishing websites.
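The checks Brandon lists above (generic greeting aside) are mechanical enough to script. The following is an added example, not code from the interview or from Citrix: it pulls every link out of a constructed HTML e-mail body, decodes percent-encoded hostnames the way a browser would (so %47oogle.com is seen as google.com), reduces each host to its registrable domain so that Realbank.hacker.com is recognised as hacker.com, flags plain http, and compares the address shown in the link text with where the href really points. The sample message, the expected domain realbank.com, and the "last two labels" rule for the registrable domain are all assumptions made for the example; a production checker would consult the Public Suffix List instead of that rule.

```python
"""Link checks for phishing e-mail: host spoofing, %-encoding, http, text/href mismatch.

Added example. The e-mail body below is constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample: one subdomain trick, one percent-encoded host, one legitimate link.
SAMPLE_EMAIL = """
<p>Dear First Generic Bank Customer,</p>
<p>Your account will be suspended in 24 hours unless you
<a href="http://Realbank.hacker.com/login">log in at https://www.realbank.com</a>.</p>
<p>Or use <a href="http://%47oogle.com/account">our secure portal</a>.</p>
<p>Help: <a href="https://www.realbank.com/help">realbank.com help</a></p>
"""

# Matches a bare hostname or URL appearing inside the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def effective_host(url: str) -> str:
    """Hostname the browser actually connects to: %-escapes decoded, lower-cased."""
    host = urlsplit(url.strip()).hostname or ""
    return unquote(host).lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-part suffixes like co.uk)."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href: str, text: str, expected_domain: str) -> list:
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href.strip())
    host = effective_host(href)
    if parts.scheme.lower() != "https":
        findings.append("not https")
    if "%" in (parts.hostname or ""):
        findings.append("percent-encoded host, decodes to " + host)
    if registrable_domain(host) != expected_domain.lower():
        findings.append("link goes to %s, not %s" % (registrable_domain(host), expected_domain))
    # The address the reader sees must agree with the address the browser will load.
    shown = _HOST_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append("text shows %s but href points to %s" % (shown.group(1), host))
    return findings


def scan_email(html: str, expected_domain: str) -> dict:
    """Map every href in the message to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text, expected_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL, "realbank.com").items():
        print(href, "->", findings or "ok")
```

Running the block prints three findings each for the hacker.com and %47oogle.com links (plain http, wrong registrable domain, and respectively the text/href mismatch or the percent-encoded host) and "ok" for the genuine realbank.com link. The decoding step matters: a naive string match for "hacker" or a check that the link text "looks right" would miss both tricks.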
Q: What is “Spear Phishing”?
A: Just like regular Phishing, the objective is to entice the victim into divulging key information. Spear Phishing is slightly different in that it is directed to a target person or group, and it is often extremely personalized. For example, a Spear Phishing exploit may include having all the managers in a company receive a note that looks like it’s from the CEO, asking them to click on a malicious web site that could look very credible. Any person on a network is able to spoof a particular user. Even a user outside the network could easily get a free email account with the CEO’s name clearly evident.
Q: What are “Phishing Kits”?
A: These are sold on hacker forums on the internet. They provide easy ways for nontechnical people to easily set up a Phishing operation. Well, often the laugh is even on them: many of these kits create fraudulent web sites that actually send emails back to the Phishing Kit author, giving him the desired Phishing information, instead of or in addition to the Phisher. Since the nontechnical Kit buyer can’t read the code, they can’t see that they are actually the dupe.
One of the most prolific phishing groups and kit authors is called Rock Phish. No one can say for sure where Rock Phish is based, or whether the group operates out of a single country. “They are sort of the Keyser Soze of Phishing,” says Zulfikar Ramzan, senior principal researcher with Symantec’s Security Response group, referring to the secretive criminal kingpin in the 1995 film, . Security experts estimate that Rock Phish is responsible for between a third and a half of all phishing messages sent out on a given day. Information was taken from, and full article can be found at http://www.pcworld.com/article/128175/who_or_what_is_rock_phish_and_why_should_you_care.html
Q: Where can people go for more general information on phishing?
A: There are some good statistics here:
Other good resources:
[www.phishtank.com] – Collects and verifies phishing sites. If you suspect a site is fraudulent, you can check it here.
[www.apwg.org] – The Anti-Phishing Working Group. The global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that results from phishing, pharming, and e-mail spoofing of all types.