Phishing (FISH.ing) pp. Creating a replica of an existing Web page to fool a
user into submitting personal, financial, or password data. -adj. -phisher n.
All email users have probably received messages saying 'your account will be shut'
or 'a problem has been detected with your payment record'. The message asks
the user to go to the company website and correct the problem. Such requests
are usually justified by so-called security measures or the need to update
records. An example would be an urgent email, taking the identity of a
legitimate representative from, say, eBay, threatening to terminate your
account unless you go to the bogus website and hand over personal information.
So far so good, except that the site is not real: the unsuspecting user enters
login name and password and hands them over, on a platter, to an e-conman, the
phisher. In one of their latest attempts, phishers have targeted Yahoo! Instant
Messaging. Attackers send instant messages to users, asking them to fill in
their Yahoo! ID and password on a fake Yahoo! site. The scheme appears
legitimate because the message seems to originate from somebody on the
victim's friends list.
With e-commerce taking off and online transactions multiplying quickly,
fraudulent practices are keeping pace, and phishing is one of them. The online
industry expects phishing scams to focus very soon on identity theft from
enterprise data centers as well. Stolen information can then be used to target
specific individuals at particular institutions with more personalized emails,
which will look very convincing because they carry a name and other
particulars that should not be available outside the organization. According
to Australian media reports, in January four high school students were charged
with helping drain millions of dollars from online accounts spanning Australia
to eastern Europe. The criminals used bogus ads and spam to install Trojans
that captured confidential information. In another recent scam, merely opening
a blank email in an unpatched or older version of Microsoft Outlook ran a bit
of code that modified the computer's hosts file, the local name-to-address
table that the operating system consults before asking DNS. The next time the
user typed in his bank's address, the name resolved to a bogus website instead.
Few realized that they were "doing business" with a server somewhere in
Russia. The scam targeted customers of various financial institutions in
Brazil, and was followed by attacks on British banks.
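The hosts-file trick above is easy to check for. The script below, an added example rather than code from the column, parses a hosts file and flags any line that pins a watched bank domain (or a subdomain of it) to a routable address. The watched domain, the sample hosts content and the 203.0.113.x addresses are constructed for illustration; on a real machine you would read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead.

```python
"""Detect hosts-file entries that hijack a bank's domain name.

Added example for this column, not code from the original article. The
watched domain and the sample hosts file content are constructed; the IP
addresses come from the 203.0.113.0/24 documentation range.
"""
import ipaddress

# Assumption: the registrable domains of the banks the user deals with. A bank's
# address should come from DNS, so any hosts-file line that pins one of these
# names to a routable address is a pharming redirect, not a legitimate setting.
WATCHED_DOMAINS = {"bankofexample.com"}

# Constructed sample, roughly the shape of a Windows hosts file: a normal
# loopback line, two injected redirects (one with a trailing comment), and
# a blocked ad host that maps to 0.0.0.0 and must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.bankofexample.com   # added by the Trojan
203.0.113.7     online.bankofexample.com
0.0.0.0         ads.tracker.example
::1             localhost
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address; ignore the line
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def watches(name, watched=WATCHED_DOMAINS):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched names pinned to a routable address.

    Loopback and the unspecified address (0.0.0.0) are ignored: they block a
    name rather than redirect it, which is not the attack described above.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if watches(name, watched) and not (addr.is_loopback or addr.is_unspecified):
            hits.append((name, str(addr)))
    return hits


if __name__ == "__main__":
    # On a real machine read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"REDIRECT: {name} -> {ip}")
```

The check deliberately treats 127.0.0.1 and 0.0.0.0 mappings as harmless, since those are how ad-blocking hosts files work; only a routable address for a watched name is reported.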
So what is the solution? Experts say "education, education, and
education" of the end users. For instance:
- Do not reply to any email that is threatening.
- Avoid giving out financial information. Double check the site's address.
Enter passwords only if completely sure.
- Change passwords, and use different ones for different sites.
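"Double check" is easier said than done, because phishing links are built to look right at a glance. The function below, an added example and not code from the column, shows what a careful check of a link's host actually involves: it takes the real hostname (ignoring any decoy in front of an '@'), rejects bare IP addresses, and accepts a host only when its registrable domain is one the user trusts. The trusted-domain set and all sample URLs are constructed assumptions.

```python
"""Check whether a link in a message really points at the site it claims to.

Added example for this column, not code from the original article.
TRUSTED_DOMAINS and every sample URL below are constructed for illustration.
"""
from urllib.parse import urlsplit
import ipaddress

# Assumption: the registrable domains the user actually trusts. In practice the
# safe comparison is against an address you typed yourself, never one copied
# from the email.
TRUSTED_DOMAINS = {"ebay.com", "yahoo.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname ('ebay.com' from 'signin.ebay.com').

    Simplification: suffixes such as co.uk need the Public Suffix List; two
    labels are enough for the .com examples used here.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a URL as 'trusted', 'ip-address', 'lookalike' or 'untrusted'.

    urlsplit().hostname already strips the user@ part, the port and the
    brackets of an IPv6 literal, so 'http://www.ebay.com@203.0.113.5/' is
    classified by its real host, 203.0.113.5, not by the decoy before '@'.
    """
    host = urlsplit(url).hostname
    if not host:
        return "untrusted"
    try:
        ipaddress.ip_address(host)
        return "ip-address"          # a bare IP is never a bank's login page
    except ValueError:
        pass
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The brand name appears in the host but is not the part that is actually
    # registered: www.ebay.com.account-verify.example belongs to .example.
    for domain in TRUSTED_DOMAINS:
        brand = domain.split(".")[0]
        if brand in host:
            return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for sample in (
        "https://signin.ebay.com/ws/eBayISAPI.dll",
        "http://www.ebay.com@203.0.113.5/login",
        "http://www.ebay.com.account-verify.example/login",
        "http://203.0.113.5/ebay/",
        "https://example.org/",
    ):
        print(f"{classify_link(sample):11} {sample}")
```

Note that the check only tells you where a link goes, not whether the page there is genuine; the column's advice stands: type the bank's address yourself rather than following the link at all.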
Security experts are also urging businesses not to include clickable URLs in
their emails. Many companies have adopted a policy of private message centers:
eBay gives every user an inbox called 'My Messages' housed on the company's
website, and JP Morgan Chase does the same. But it is true that not enough is
being done by companies to educate users. No one I know has received
cautionary emails or letters from banks and other sites offering financial
transactions. Maybe they do not want to spread fear. It would be good to
remember that ultimately only education can solve the problem.
Shyam Malhotra

The author is Editor-in-Chief of CyberMedia, the publishers of Dataquest
(with inputs from Saswati Sinha).