You May be a Victim of Phishing (Part 1)
"Mr Ho had been using internet banking as an easy and convenient channel to conduct his online banking transactions. A few months ago, he received an email purportedly from his bank asking him to log on to its website to update his personal account information. He followed the email instructions asking him to click on the link to access the bank's website. Having accessed what looked like the bank's website, he entered his UserID, PIN, One Time Password (OTP) generated by his security token and other confidential details into the website.
Since he had never received such an email before, he decided to check with his bank to see if there was indeed such an exercise being carried out by the bank. He found out from the bank that the website he had accessed was a fake website designed to look like the bank's real website. The fake website had the bank's logo and similar design to mislead customers into believing that it belonged to the bank.
The bank immediately worked with the relevant authorities to shut down the fraudulent website and locked Mr Ho's account to protect it from unauthorized access. As a result of the quick actions by Mr Ho and the bank, Mr Ho did not suffer any financial loss. A new PIN was promptly issued to Mr Ho to enable him to regain access to his Internet Banking account. He was also advised by his bank to read and follow the security guidelines and procedures set out on its website."
Nancy Boyle was not that lucky; read her story below:
"Nancy Boyle woke up one morning last December to discover that someone had stolen $1,800 from her online bank account. Then came the $800 credit card charge for escort services that she and her husband Dan never ordered.
The Boyles, who run a window treatment business out of their home in Racine, Wis., were getting a crash course in phishing.
The first e-mail appeared to come from Bank One, warning that Mrs. Boyle's account would be suspended unless she updated her information to conform with the company's new anti-fraud measures. She clicked on the link that came with the e-mail and entered the data on the Web site. Then the money disappeared from her account.
Not long after that, she got another message that looked like it came from eBay. It warned of fraudulent activity on her account and urged her to verify her details. She handed over her bank account number, Social Security number and her mother's maiden name — the keys to her identity.
For the Boyles, the timing could not have been worse. The scams hit less than a week before Christmas. Mr. Boyle's mother had recently been diagnosed with cancer. The Internal Revenue Service had just begun an audit of their finances. The police got involved, but the evidence trail ran cold after investigators traced the scam to "somewhere in Egypt."
The experience left them wiser to the dangers of the Internet, the Boyles said, but it stirs bitter emotions."
What is Phishing?
“Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Once such sensitive information is obtained from you, the fraudsters will have access to your account to perform unauthorized transactions.
Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public.”
Phishing is a continual threat that keeps growing to this day. The risk is even larger on social media such as Facebook, Twitter, Myspace etc. Attackers commonly use these sites to target people using them at work, at home or in public, in order to harvest personal and security information that can affect both the user and, in a workplace environment, the company.
Phishing works by exploiting the user's trust: the victim usually cannot tell that the site or program being visited is not genuine, and that is the moment when the attacker has the chance to capture personal information such as passwords, usernames, security codes and credit card numbers, among other things.
“A recent and popular case of phishing is the suspected Chinese phishing campaign targeting Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, and Chinese political activists. The Chinese government continues to deny accusations of taking part in cyber-attacks from within its borders, but evidence has been revealed that China’s own People’s Liberation Army has assisted in the coding of cyber-attack software.”
Now for some statistics:
"Consumers and businesses in the UK lost an estimated £27bn in 2012 through cybercrime. More than £600m of this was through phishing attacks, making it the most 'phished' country in the world."
“UK consumers lost more money to online fraud than those of any other country in the world in 2012 – overtaking the US to move into first place – according to cyber security experts RSA. Figures from its Anti-Fraud Command Centre (AFCC) give UK losses of £405.8m in 2012, obtained from almost 250,000 phishing attacks.
"This marked a 25% increase on 2011, while US losses declined by 19%. Canadians lost the third highest amount, while India was in fourth place, up from 8th. South Africa completes the top five – it is worth noting that all of these countries have a significant English speaking population." (The Guardian)
There were at least 115,565 unique phishing attacks worldwide in the second half of 2013. This is nearly a 60% increase over the 72,758 seen in the first half of 2013, but less than the 123,486 attacks observed in the second half of 2012. Most of the growth in attacks came from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity; a single domain name can host several discrete phishing attacks against different banks, for example.
Phishing continues to explode in China, where Chinese phishers are victimizing the country's growing online population. Chinese phishers were responsible for 85% of the domain names that were registered for phishing.
The Kaspersky Report:
About 10,000 Internet users in India face phishing attacks from cyber criminals daily, says a report by security solutions provider Kaspersky.
"In 2012-2013, 102,100 users around the world were subjected to phishing attacks on a daily basis. In Russia, 19,000 users were attacked each day, 12,000 in the US, 10,000 in India, 6,000 in Germany, 3,000 in France, and another 3,000 in the UK," the report said.
"Overall, the volume and intensity of phishing attacks has more than doubled over the past two years," it said.
In 2012-2013, 37.3 million users around the world were subjected to phishing attacks, up 87 per cent from 2011-2012.
"Most often, phishing attacks targeted users in Russia, the US, India, Vietnam and the UK. Phishing attacks were most frequently launched from the US, the UK, Germany, Russia and India," the report revealed.
Yahoo!, Google, Facebook and Amazon are top targets of malicious users. Online game services, online payment systems, and the websites of banks and other credit and financial organizations are also common targets, it added.
Over 20 per cent of all attacks targeted banks and other credit and financial organizations, Kaspersky said in its report.
Phishing has some local accents: phishers' targets differ from country to country, depending on the popularity of local online resources.
According to Kaspersky, there are 2 major ways by which phishing links are spread:
It is easiest to encounter a link to a phishing site while using the Internet: banners on legitimate websites, messages on forums and blogs, and private messages on social networks can all turn out to be a ruse. The majority of phishing attacks are launched against users while they are surfing the web.
Top 10 Attacked Countries:
In 2012-2013, 102,100 users around the world were subjected to phishing attacks daily. That is double the number of victims in 2011-2012.
Where are phishing attacks coming from?
According to GetCybersafe.ca:
156 million phishing emails are sent every day; cyber criminals start their phishing trip by sending out millions of phishing emails.
16 million make it through filters; many phishing emails end their journey destroyed in spam filters; 10% make it through.
8 million are opened; of those that make it through spam filters, half continue their journey by being opened.
800,000 links are clicked; of those emails that are opened, 10% lure someone into clicking on a phishing link.
80,000 fall for a scam every day and share their personal information; finally, another 10% of the people who click the link are netted by the baited website. Their information results in stolen identities, financial loss, credit card fraud and other Internet scams. So in the end, these phishing emails hook about 80,000 victims a day.
Identifying Phishing Messages
Below are examples of phishing messages:
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
“Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
"Your account is currently being updated as we are introducing a new security system. Follow the instructions below to reactivate your account."
"Your credit card is the subject of a police investigation for fraud. Please follow the instructions below."
"Our records indicate that payment for your Internet account is due. We are also currently introducing a new e-payment service. Please follow the instructions below."
"You are the lucky winner of our lucky draw. Please submit your credit card details so that we can verify your identity."
The following are examples of the instructions you may be asked to follow:
"Please provide a return email with your account details, PIN, OTP or credit card number. We will reactivate your account as soon as we receive your email."
"Please click on the hyperlink below to update your personal details."
"Please click on the attachment below. This will automatically generate an alert on our side. We will update your account and inform you."
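The lure phrases and instructions listed above share a few recurring red flags: a deadline or urgency, a threat to the account, a request for credentials or card data, and an instruction to click, reply or call. As an added illustration (not code from the original article), the following rule-based scorer turns those red flags into weighted regular expressions and runs them over constructed sample messages modelled on the examples above; the rule names, weights and threshold are assumptions chosen for this example.

```python
import re

# Constructed sample messages, modelled on the lure phrasing listed above.
SAMPLES = {
    "fake_bank": "We suspect an unauthorized transaction on your account. "
                 "To ensure that your account is not compromised, please click "
                 "the link below and confirm your identity.",
    "fake_refund": "Our records indicate that your account was overcharged. "
                   "You must call us within 7 days to receive your refund.",
    "fake_reply": "Please provide a return email with your account details, "
                  "PIN, OTP or credit card number. We will reactivate your "
                  "account as soon as we receive your email.",
    "benign": "Your monthly statement is now available. Log in to the app "
              "you normally use to view it. We never ask for your PIN by email.",
}

# Each rule is (name, regex, weight); patterns are matched against lowercased
# text. The rules track the red flags in the examples above: urgency, a threat
# to the account, a request for secrets, a click/reply lure, a callback number
# (phone phishing) and a prize lure. Weights and names are assumptions.
RULES = [
    ("urgency", r"\b(within \d+ days?|immediately|currently being updated)\b", 2),
    ("account_threat", r"\b(suspend|reactivate|compromised|unauthori[sz]ed|police investigation)", 2),
    ("credential_request", r"\b(pin|otp|one[- ]time password|credit card (number|details)|account details)\b", 3),
    ("action_lure", r"\b(click (the|on the) (link|hyperlink|attachment)|click here|return email|follow the instructions)\b", 2),
    ("callback", r"\b(call us|dial)\b", 2),
    ("prize", r"\b(lucky (winner|draw))\b", 3),
]

def score_message(text: str) -> tuple[int, list[str]]:
    """Return (total weight, names of the rules that fired) for one message body."""
    lowered = text.lower()
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if re.search(pattern, lowered):
            score += weight
            hits.append(name)
    return score, hits

def is_suspicious(text: str, threshold: int = 4) -> bool:
    """Flag a message once its red-flag score reaches the threshold.

    A single hit (e.g. a genuine notice that merely mentions a PIN) stays below
    the threshold; the lures above combine two or more flags and cross it.
    """
    return score_message(text)[0] >= threshold

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, score_message(body), "SUSPICIOUS" if is_suspicious(body) else "ok")
```

The benign notice scores on one rule only and is not flagged, which is the point of combining several weak signals rather than reacting to any single keyword.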
Types of Phishing
“Spear phishing” is targeted communication toward employees or members of a certain organization or online group. Emails are customized with information publicly available on web sites like Facebook or MySpace. The emails then direct people to a fake login page.
“Whaling” is phishing that is targeted at corporate executives, affluent people and other “big phish.” Like spear phishing, whaling emails often are customized with information directed to the recipient (name and other personal information) and sent to a relatively small group of people.
Clone phishing is a type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link has its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version and the message is sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of it. This technique can be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection, since both parties received the original email.
Phone phishing (vishing, or voice phishing) is currently the latest type of phishing, and it shows that not all phishing attacks require a fake website. Messages claiming to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher and provided by a Voice over IP service) was dialled, prompts told users to enter their account numbers and PIN. Vishing sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.
The difference with Covert Redirect is that an attacker can use the real website instead, by corrupting the site with a malicious login popup dialogue box. "So, Covert Redirect is a perfect phishing method. Once the user logs in, the attacker can obtain the personal data, which in the case of Facebook could include the email address, birth date, contacts, work history, etc. But if the token has greater privileges, the attacker could obtain more sensitive information, including the mailbox, friends list and online presence, and most probably even operate and control the user’s account."
Other types of phishing are: rogue Wi-Fi, link manipulation, filter evasion, website forgery, and more.
How do you protect yourself from phishing? To be continued...
Federal Trade Commission (FTC)
MoneySENSE- A National Financial Education Programme for Singapore
The Washington Post
Global Chinese Phishing sites report 2nd Half 2012
Financial Cyber Threats in 2013. Part 1: Phishing
APWG Global Phishing Survey 2H2013: Trends and Domain Name Use. http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf
The Economic Times
The Evolution of Phishing Attacks: 2011-2013, Kaspersky Lab
University of Florida: Solutions for your life
How To Understand Phishing