When the first personal computers came out, they were expensive, but we were told that everyone would have them. Today, Americans have more computers than they had televisions in the 1960s. We all depend on them for information, communications, entertainment, banking and shopping. The convenience of online commerce has been embraced by consumers. Unfortunately, it has also been embraced by criminals. The proliferation of spam, malware and spyware has also given rise to a threat that grows exponentially: phishing!
What is phishing?
The definition of phishing is the act of stealing personal information via the Internet for the purpose of committing financial fraud. The term “phishing” actually has its origin in attacks in the mid-1990s, when it was used to describe the process of acquiring Internet Service Provider (ISP) account information. Today, however, the term has evolved to encompass a variety of attacks that target personal information. In the past few years, phishing has become a significant criminal activity on the Internet. Phishers are now increasing the number of their attacks, the diversity of those attacks and the technical sophistication used in phishing and online financial fraud. As if we don’t have enough to worry about with the recent announcement that we are and have been in a recession since December of 2007 (duh!), phishing has a negative impact on the economy through the financial losses experienced by businesses and consumers, along with the adverse effect of decreasing consumer confidence in online commerce.
Why is phishing growing?
Many phishing scams have flourished in recent years. This is due to many factors. The resources that unseemly characters and criminals need to conduct phishing attacks can be easily and readily acquired through public and private sources. Just last year, the Computerworld site published an article titled “Phishing tool constructs new sites in two seconds: Easy-peasy-sleazy 0wnage in 120 seconds.” The article described the latest tool kit, or “phisher’s tackle box.” It contained all of the HTML (Hypertext Markup Language) code and graphics needed for the fraudulent Web site, spoofed a real site, and even ran from an .exe that automatically put all of the code, links and graphics in the correct location without user intervention. The process has been streamlined so that even those who are not tech savvy can take part in this latest scourge of the Internet. All it takes is a computer, Internet access and one of these “cookbook” approaches to phishing, and the perpetrator is in business.
How do today’s attacks differ from the way they started?
Originally, phishing was identified with electronic mail messages. Show of hands: how many of you got an email from a bank, credit card company or America Online (remember them?) saying there was a problem and they needed your password? All of those emails were designed to look as if they came from a trusted party, but they asked for information that the real entity would never ask for in that way, as noted in its ‘terms of use / service’. They usually contained a link that led to a site other than the one the email claimed to be from. All of these kinds of attacks had their roots in social engineering approaches to getting information. Today, the attacks are a bit more sophisticated. They often include an offer to fill out a survey for an online banking site, with a monetary reward if the user includes account information. Additional scams involve email messages claiming to be from hotel reward clubs, cruise clubs or even time shares, asking users to verify credit card information that a customer may have stored on the legitimate site for reservation purposes. They usually include a URL that directs the user to a site where they are asked to enter their personal information.
This site is crafted to closely mimic the look and feel of the legitimate site, and may even include graphics that have been “borrowed” from the legitimate web site.
What should you watch for?
In a way, phishers are just like real fishermen. They have a large variety of tools in their “tackle box.” These tools let the phisher send email, host phishing sites and carry out other methods of deceit. They all have one thing in common: they count on you, as an individual, to provide them with private information. The key is to “just say no!” If you get a pop-up that promises you something for nothing or offers to clean a virus infection that the pop-up itself has “just found,” a message from a widow who will share the millions left by her late husband if you help her transfer them out of the country, or if you simply land on a web site whose name is spelled almost the same as the one you intended, close those windows. If the entire window is a button and not just the ‘button’ icon, close the window! Corporate users have protection in the form of SaaS (Software as a Service) solutions and hardware appliances. Home users can make use of programs like GeoTrust's TrustWatch, Webroot Software's Phish Net, EarthLink's ScamBlocker and CoreStreet's SpoofStick.
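As an added example that is not part of the original article, the following Python check looks for the three warning signs discussed above: a link whose visible text names one site while its href points to another, a domain spelled almost like the real one, and a link that leads away from the domain the mail claims to come from. The mail body, the fictitious examplebank.com domain and the edit-distance threshold of two are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the kind of message the article describes: the mail
# claims to come from the (fictitious) examplebank.com, but most links do not.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="http://www.examp1ebank.com/login">Verify now</a>
<a href="http://verify.example.net/form">www.examplebank.com</a>
<a href="http://survey-reward.example.org/">Take our survey</a>
<a href="https://www.examplebank.com/help">Help center</a>
"""

# Good enough for this constructed fragment; production code should use a
# real HTML parser rather than a regular expression.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def registrable_domain(host):
    """Crude 'last two labels' rule (no public-suffix list): www.a.com -> a.com."""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains that are almost spelled right."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_links(html, claimed_domain):
    """Return [(href, code)] for links showing the warning signs the article lists."""
    findings = []
    for href, text in LINK_RE.findall(html):
        target = registrable_domain(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group()) != target:
            findings.append((href, "text-href-mismatch"))  # text names one site, link goes to another
        elif 0 < edit_distance(target, claimed_domain) <= 2:
            findings.append((href, "lookalike-domain"))    # almost spelled like the real one
        elif target != claimed_domain:
            findings.append((href, "off-site"))            # leads away from the claimed sender
    return findings

if __name__ == "__main__":
    for href, code in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(code, href)
```

A real mail filter would treat "off-site" as a weak signal, since legitimate mailings often link to third-party domains, and would weight the mismatch and lookalike findings more heavily.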
How can I get more information on this subject?
We strive to stay up to date and provide you with the latest information available. You can also follow the technical news and see what is happening. As always, keep your system up to date with security patches, have a firewall installed and active, and run software for detecting viruses, bots, malware and spyware… and keep it up to date! If you have questions or comments about this article, or if there is anything new on the subject, contact me. I would be happy to respond!
All product names / logos and company names / logos are copyrights of their respective holders. John Boline is an MCSE, CNE, USE and a member of the Network Professional Association. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc.'s initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Hagerman & Company, Inc. assumes no obligation to update the forward-looking statements made in this newsletter to reflect any change in circumstances after the date of publication. Entire contents © 2008 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.