Wednesday, June 18, 2008

PHISHING : Examples and Prevention

Phishing is a scam in which the attacker sends an email purporting to be from a valid financial or eCommerce provider. The email often uses fear tactics in an effort to entice the intended victim into visiting a fraudulent website.
Once on the website, which generally looks and feels much like the valid eCommerce/banking site, the victim is instructed to log in to their account and enter sensitive financial information such as their bank PIN, their Social Security number, their mother's maiden name, etc.


EXAMPLES

eBay phishing scam


This eBay phishing email includes the eBay logo in an attempt to gain credibility. The email warns that a billing error may have been made on the account and urges the eBay member to log in and verify the charges.
Scammers phish eBay users to obtain eBay IDs, which are then used to sell fake or non-existent goods, or which are sold on in the underground market. In other words, the new owners of a stolen eBay ID are equipped with the positive feedback previously earned by the real owner, and use it to scam people.


Look at the link here. It looks as valid as it could: the text reads http://signin.ebay.com, but the link actually points, once again, to a clone of eBay. This is done with the href attribute of an HTML anchor tag, which sets the destination independently of the text that is displayed. I will show you an example. Click on this link:

http://www.ebay.com

The link text shows ebay.com, but it took you to amazon.com. I linked you to Amazon to make the point; a con artist will link you to a dupe of a legitimate business website and scam you. Beware what you click: your browser shows you the real destination in the bottom-left corner if you simply hover over the link without clicking it.

Find out more in http://www.bustathief.com/2007/08/what-is-phishing-ebay-phishing-examples.html




Another example of phishing targets PayPal. PayPal is becoming the online payment processor of choice for many users: it allows virtually anyone to accept credit card payments, and it is also a great way to send and receive electronic payments. Unfortunately, fame has its price, and in the case of PayPal that means scam artists preying on PayPal members.
The most common PayPal scam involves e-mail. You will receive an e-mail from someone claiming to be PayPal, requesting that you verify your information. Look out for the warning signs below to identify a phishing scam:

Warning sign 1: PayPal will never send you an e-mail requesting your personal information.
Warning sign 2: Often this e-mail will be sent to an e-mail address that is not the one PayPal has on file for you.
Warning sign 3: Forged headers (From address). This is often hard to detect without knowledge of the Internet. Many spam filters are now set up to block e-mail that has forged headers; ask your e-mail provider how you can block forged headers.
Warning sign 4: Greetings. PayPal knows who you are and will use the name you registered with.
Warning sign 5: Threats. The e-mail will threaten to suspend your account if you don't take immediate action.
Warning sign 6: Non-secure page. If you do click on the link in the e-mail, you will not be on a secure page: there is no https in the URL and no padlock in the lower left-hand corner of your browser.
Warning sign 7: Bad grammar or misspelled words.

If you receive an e-mail from "PayPal" with even one of these warning signs, it is most likely a scam.
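The warning signs above, together with the href trick from the eBay example (link text that says one site while the anchor points at another), can be turned into a simple automated check. The following is an added example written for this post, not code from the original author or from PayPal; the e-mail, the addresses, the host list and the "address on file" are all constructed for the demonstration, and the anchor parser only handles plain <a href="...">text</a> markup.

```javascript
// Added example, not code from the original post: score an e-mail against the
// warning signs listed above (generic greeting, threats, non-https links, links
// whose visible text does not match their real destination). The message,
// addresses and host names below are constructed for the example.

// The address the provider has on file for this user (constructed, sign 2).
const ADDRESS_ON_FILE = 'me@example.net';
// Hosts the real provider uses (constructed list standing in for the real one).
const LEGIT_HOSTS = ['www.paypal.com', 'paypal.com'];

// Constructed sample of a phishing mail: forged sender, generic greeting,
// threat, and a link whose text says paypal.com but whose href is an IP address.
const SAMPLE_EMAIL = {
  from: 'service@paypal-secure-update.example',
  to: 'someone-else@example.net',
  greeting: 'Dear valued member,',
  html: `<p>Dear valued member,</p>
<p>Your account will be suspended unless you verify your information immediately.</p>
<p><a href="http://203.0.113.5/login">https://www.paypal.com/</a></p>`,
};

// Minimal anchor extraction, enough for simple <a href="...">text</a> markup.
function extractLinks(html) {
  const links = [];
  const re = /<a\s+[^>]*href=["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].trim() });
  }
  return links;
}

// Sign 6 plus the href trick from the eBay example above.
function linkFindings(links) {
  const findings = [];
  for (const { href, text } of links) {
    let target;
    try { target = new URL(href); } catch { continue; }
    if (target.protocol !== 'https:') findings.push(`non-https link: ${href}`);
    if (!LEGIT_HOSTS.includes(target.hostname)) {
      findings.push(`link goes to a host that is not the provider: ${target.hostname}`);
    }
    // Visible text that is itself a URL naming a different host than the href.
    try {
      const shown = new URL(text);
      if (shown.hostname !== target.hostname) {
        findings.push(`link text shows ${shown.hostname} but points at ${target.hostname}`);
      }
    } catch { /* link text is not a URL; nothing to compare */ }
  }
  return findings;
}

// Returns the list of warning signs found; an empty list means none triggered.
function scoreEmail(email) {
  const findings = [];
  const body = email.html;
  if (/verify|confirm|update/i.test(body) && /information|details|account/i.test(body)) {
    findings.push('asks you to verify personal information');            // sign 1
  }
  if (email.to.toLowerCase() !== ADDRESS_ON_FILE) {
    findings.push('sent to an address the provider does not have on file'); // sign 2
  }
  const fromHost = email.from.split('@')[1] || '';
  if (!LEGIT_HOSTS.includes(fromHost.toLowerCase())) {
    findings.push(`sender domain is not the provider: ${fromHost}`);        // sign 3 (crude)
  }
  if (/^dear (valued )?(member|customer|user)/i.test(email.greeting)) {
    findings.push('generic greeting instead of your registered name');      // sign 4
  }
  if (/suspend|terminat|immediately|within \d+ hours/i.test(body)) {
    findings.push('threatens suspension or demands immediate action');      // sign 5
  }
  findings.push(...linkFindings(extractLinks(body)));                       // sign 6 + href mismatch
  return findings;
}

console.log(scoreEmail(SAMPLE_EMAIL));
```

Run with node; the constructed sample trips every check, while a mail with the registered name, the on-file address, an https link to the provider's own host and no threats produces an empty list. Sign 7 (spelling and grammar) is left to the reader, since it needs a dictionary rather than a pattern.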


PREVENTION

There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.


Social responses

One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be promising, especially where training provides direct feedback. People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the e-mail apparently originates to check that the e-mail is legitimate. Alternatively, the address that the individual knows is the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message.

Technical responses

1. Helping to identify legitimate sites
Some anti-phishing toolbars display the domain name for the visited website. The petname extension for Firefox lets users type in their own labels for websites, so they can later recognize when they have returned to the site. If the site is suspect, then the software may either warn the user or block the site outright.

2. Browsers alerting users to fraudulent websites
Another popular approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. Microsoft's IE7 browser, Mozilla Firefox 2.0, and Opera all contain this type of anti-phishing measure. Firefox 2 uses Google anti-phishing software. Opera 9.1 uses live blacklists from PhishTank and GeoTrust, as well as live whitelists from GeoTrust. Some implementations of this approach send the visited URLs to a central service to be checked, which has raised concerns about privacy.

3. Eliminating phishing mail
Specialized spam filters can reduce the number of phishing e-mails that reach their addressees' inboxes. These approaches rely on machine learning and natural language processing approaches to classify phishing e-mails.


Many of these phishing emails appear to be quite legitimate. Don't be a victim. Look over examples of phishing scams, such as the ones above, to familiarize yourself with the clever techniques used.

The application of third party certification programme in Malaysia




Third parties called certificate authorities issue digital certificates, which are used to create digital signatures and public-private key pairs. The role of the third party in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Certificate authorities are a critical component of data security and e-commerce because they guarantee that the two parties exchanging information are really who they claim to be. A digital certificate is an electronic credential that establishes your identity when doing business or other transactions on the Web. The certificate is issued by a Certification Authority (CA).

An example of a third party in Malaysia is MSC Trustgate.com Sdn Bhd (www.msctrustgate.com). It is a licensed Certification Authority (CA) operating out of the Multimedia Super Corridor. MSC Trustgate was incorporated in 1999 to meet the growing need for secure open network communications and to become the catalyst for the growth of e-commerce, both locally and across the ASEAN region. At present, MSC Trustgate has 12 million in paid-up capital.

Trustgate is licensed under the Digital Signature Act 1997 (DSA), a Malaysian law that sets a global precedent for the mandate of a CA. As a CA, Trustgate's core business is to provide digital certification services, including digital certificates, cryptographic products, and software development.

VeriSign is the leading Secure Sockets Layer (SSL) Certificate Authority, enabling secure e-commerce, communications, and interactions for Web sites, intranets, and extranets. Choose the most trusted mark on the Internet and enable the strongest SSL encryption available to every site visitor.

In Malaysia, third-party certificates are applied as follows: when a website visitor connects to a web server that uses a digital certificate, they will see that the URL in the address bar begins with https:// rather than the usual http://, and a small gold padlock will appear in their browser, e.g. as seen by users of Internet Explorer:

[Screenshot: the https:// address bar and padlock as seen by users of Internet Explorer]

Whenever a browser connects to a web server (website) over https://, this signifies that the communication will be encrypted and secure. The actual complexities of the digital certificate protocol remain invisible to the end customer.

All digital certificates are issued to either companies or legally accountable individuals. Typically, SSL certificates contain the domain name, the company name and the address, i.e. city, state and country. They also contain the expiry date of the certificate and details of the Certification Authority responsible for issuing it.

When a browser connects to a secure site, it retrieves the site's digital certificate and checks that it has not expired, that it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it was issued. If any one of these checks fails, the browser displays a warning to the end user.
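The three checks in the paragraph above are easy to state but each has an edge case: validity is a window with a start as well as an end, trust is a membership test against the browser's own store, and the name check must handle wildcard certificates without letting "*.shop.example" cover more than one label. The following added example (written for this post, not code from any browser or from MSC Trustgate or VeriSign) runs those checks over a plain-object model of a certificate; the CA name, host names and dates are constructed for the example, and a real browser would read the same fields from an X.509 certificate.

```javascript
// Added example, not from the original post: the expiry, issuer-trust and
// hostname checks a browser makes, over a plain-object model of a certificate.
// The trust store, certificate fields and dates below are constructed.

// The browser's trust store: issuers it will accept (constructed).
const TRUSTED_CAS = new Set(['Example Root CA']);

// Hostname matching: exact DNS name, or a single-label wildcard like *.shop.example.
function matchesName(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (!p.startsWith('*.')) return p === h;
  const suffix = p.slice(1);                         // ".shop.example"
  if (!h.endsWith(suffix)) return false;
  const label = h.slice(0, h.length - suffix.length);
  return label.length > 0 && !label.includes('.');  // wildcard covers exactly one label
}

// Returns a list of problems; an empty list means the certificate passes.
function validateCertificate(cert, hostname, now = new Date()) {
  const problems = [];
  if (now < cert.notBefore || now > cert.notAfter) {
    problems.push('certificate expired or not yet valid');
  }
  if (!TRUSTED_CAS.has(cert.issuer)) {
    problems.push(`issuer not trusted: ${cert.issuer}`);
  }
  // Subject alternative names take precedence; fall back to the subject CN.
  const names = cert.subjectAltNames.length ? cert.subjectAltNames : [cert.subjectCN];
  if (!names.some((n) => matchesName(n, hostname))) {
    problems.push(`certificate not issued for ${hostname}`);
  }
  return problems;
}

// Constructed sample certificate for a fictional shop.
const sampleCert = {
  subjectCN: 'www.shop.example',
  subjectAltNames: ['www.shop.example', '*.shop.example'],
  issuer: 'Example Root CA',
  notBefore: new Date('2008-01-01T00:00:00Z'),
  notAfter: new Date('2009-01-01T00:00:00Z'),
};

console.log(validateCertificate(sampleCert, 'www.shop.example', new Date('2008-06-18T00:00:00Z')));
console.log(validateCertificate(sampleCert, 'www.shop.example', new Date('2010-06-18T00:00:00Z')));
```

A certificate that fails any check is reported rather than silently accepted, which is exactly the warning the text describes; note that a clone site with a valid certificate for its own domain fails only the third check, which is why the name comparison matters as much as the trust comparison.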


So both parties in a deal are protected. The buyer sends the payment to the escrow service, which verifies the payment and alerts the seller when everything checks out. At that point, the seller ships the goods to the buyer. After an agreed-upon inspection period, the buyer notifies the service, which then completes the transaction. So its implementation helps to improve trust between seller and buyer.

In conclusion, the application of the third-party certification programme in Malaysia makes online dealing safer and increases trust.

The threat of online security: How safe is our data?




Nowadays, more and more people are using the Internet to communicate with others, search for information and engage in online transactions. The Internet makes life more convenient because it is an easy and useful tool that helps people do things at lower cost and with more efficiency. But as Internet users display more of their personal information on social networking web sites, and office workers upload more sensitive data to online software programs, computer hackers are employing increasingly sophisticated methods to pry that information loose. In many cases, they are devising small attacks that can slip past traditional security software, while exploiting the trust users place in popular business and consumer Web sites.
Threats to e-commerce systems can be either malicious or accidental. Malicious threats include hackers attempting to penetrate a system to read or alter sensitive data; burglars stealing a server or laptop that has unprotected sensitive data on its disk; impostors posing as legitimate users, or even creating a website similar to yours; and authorized users downloading a web page or receiving an email with hidden active content that attacks your systems or sends sensitive information to unauthorized people.

Some of the more common threats that hackers pose to e-commerce systems include:
1. Carrying out denial-of-service (DoS) attacks that stop authorized users from accessing a website, so that the site is forced to offer a reduced level of service or, in some cases, ceases operation completely.
2. Gaining access to sensitive data such as price lists, catalogues and valuable intellectual property, and altering, destroying or copying it.
3. Altering the company's website, thereby damaging the company's image or directing customers to another site.
4. Gaining access to financial information about the business or its customers, with a view to perpetrating fraud.
5. Using viruses to corrupt business data.
These kinds of targeted attacks on Web-based services may constitute the top computer security threats of 2008 (BusinessWeek.com, 11/12/07).

In conclusion, there are many threats to online security, so anyone doing online transactions must have proper safeguards such as encryption, digital certificates and firewalls. With these safeguards our data will be safer, which matters because the threat is so serious.

How to safeguard our personal and financial data?

The Internet and online transactions have created convenience for all users. However, there is more and more doubt about Internet security. A problem arises when a user makes a transaction such as online banking: the user will be concerned about web security when entering private and confidential data into the system or website. It is especially important to take extra security precautions to safeguard the data in order to prevent the loss of private and confidential information.
Encryption
(http://bluefive.pair.com/articles_encryption_and_decryption.htm )
How do we safeguard our personal and financial data? Encryption is one safeguard. Encryption is the conversion of data into a secret code for storage in databases and for transmission over a network. The sender uses an encryption algorithm to convert the original message into a coded equivalent. At the receiving end, the cipher text is decoded back into clear text. This can prevent the leaking and loss of data.
Firewall
(http://www.articlesnatch.com/Article/Use-Network-Firewalls-To-Protect-Your-System/60788)
Besides encryption, a firewall can also protect a user's personal and financial data. A firewall is a system used to protect an organization's intranet from the Internet. It can be used to verify an outside user of the network, verify his or her level of access authority, and then direct the user to the program, data, or service requested. Most organizations use a firewall to protect their private and confidential information.
Password
(http://www.securityfocus.com/infocus/1192 )
Other than that, creating secure passwords is also very important to safeguard our personal and financial data. A password is a secret code entered by the user to gain access to systems, application data, or a network server. If the user cannot provide the correct password, the operating system should deny access. This limits access to the system to those users who have the password.

In conclusion, there are also other methods to safeguard our personal and financial data. Adequate and appropriate safeguards are very important to each and every user, as well as to organizations, in order to maintain correct and clear data and information.