Phishing for Fun and Profit

In my last article I discussed the malicious nature of spam email and how it is frequently used to install malware on unsuspecting email users. Today I will discuss a specific type of email threat that is related to spam but more insidious. Phishing is a technique whereby the attacker sends an email that appears to come from a particular business, usually a financial institution. The email typically instructs the recipient to log in to the institution’s web site and provide account information such as a username, password, PIN or other sensitive data. Of course, once this information is disclosed it will be used by criminals to withdraw funds from the victim’s account.

Phishing emails are effective because they often include graphics that mimic the logos and layout used by the actual financial institution. They also frequently include links with deceptive URLs that take you to the scam web site: the text of the link may look legitimate, but the address it actually points to belongs to the criminals. Below is an example of a phishing email that demonstrates these techniques:

A more recent scam that takes phishing to the next level is called spear phishing. These emails use the same techniques as phishing but target a much narrower audience. Instead of sending the email to millions of people and hoping that some small percentage fall into the trap, spear phishers gather the email addresses of specific people and send highly customized emails to them. These emails may include personal information that lends them additional legitimacy. One recent spear phishing attack targeted executive management at a number of large companies and appeared to be from the Better Business Bureau. It advised them that they had been reported to the BBB and should click on a link in the email to address the issue. Of course the link took them to a scam web site that attempted to infect their systems with malware.

There are steps you can take to protect yourself from phishing attacks:

1) Many anti-virus and anti-spyware programs can protect you from phishing attacks. Always run this type of security software and keep it up to date.
2) Most businesses (especially banks) will never send you an email asking for personal information such as account numbers, SSNs, etc. If you receive such an email, contact your financial institution directly, using a phone number or web address you already have rather than one taken from the email, to verify it and/or report the incident. They have staff trained to handle such incidents.
3) Be suspicious of any email claiming that your account will be closed if you do not respond within a certain period of time (e.g. 48 hours). This is a very common pressure technique used by phishers and should alert you to the fraudulent nature of the email.
4) Phishing emails frequently address you with vague terms such as “valued customer” rather than your actual name, because the same message is sent in bulk.
5) Verify that any link in the email is not masking a different address. Hover the mouse over the link (do not click it) and confirm that the address shown in the status bar matches the one displayed in the email text. Also check that the domain name is correct and has not been altered (e.g. payepal.com instead of paypal.com), and be wary of links that lead to a bare IP address instead of a domain name.
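The checks in steps 3, 4 and 5 can be automated. The following Python script is an added example, not code from the original article: it runs the generic-greeting, deadline-threat, credential-request and link checks over two constructed sample messages (not real emails, and not the screenshot the article refers to). The `TRUSTED_DOMAINS` set, both sample bodies and all function names are assumptions made for the example; the two-label `registered_domain` helper is a deliberate simplification that a production filter would replace with a public-suffix lookup.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails). The first mimics the
# phishing traits described in the list above; the second is a benign notice.
SAMPLE_PHISH = """<html><body>
<p>Dear valued customer,</p>
<p>Your account will be closed within 48 hours unless you verify your
password and PIN at <a href="http://192.0.2.10/login">https://www.paypal.com/</a>.</p>
<p>You may also use <a href="http://payepal.com/secure">PayPal Secure Login</a>.</p>
</body></html>"""

SAMPLE_OK = """<html><body>
<p>Hi Jane,</p>
<p>Your monthly statement is ready. View it at
<a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a>.</p>
</body></html>"""

# Assumption for the example: the domains the recipient really does business with.
TRUSTED_DOMAINS = {"paypal.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def link_findings(href, text):
    """Apply the mouse-over checks from step 5 to a single link."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:  # mailto:, relative links, etc. carry no host to check
        return findings
    # Visible text that looks like a URL while the href points somewhere else
    if re.match(r"https?://", text):
        shown = urlparse(text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            findings.append(f"displays {shown} but links to {host}")
    if parsed.username:  # http://paypal.com@evil.example/ style disguise
        findings.append(f"userinfo '{parsed.username}' placed before host {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"links to raw IP address {host}")
    elif registered_domain(host) not in TRUSTED_DOMAINS:
        dom = registered_domain(host)
        findings.append(f"untrusted domain {dom}")
        for trusted in TRUSTED_DOMAINS:
            # Near-miss spellings such as payepal.com versus paypal.com
            if difflib.SequenceMatcher(None, dom, trusted).ratio() > 0.8:
                findings.append(f"{dom} looks like {trusted}")
    return findings


def message_findings(html):
    """Return the phishing indicators found in an HTML email body."""
    findings = []
    prose = re.sub(r"<[^>]+>", " ", html).lower()  # tag-free text for the wording checks
    if re.search(r"dear (valued )?(customer|user|member)", prose):
        findings.append("generic salutation")
    if re.search(r"within \d+\s*(hours|days)", prose) and \
            re.search(r"\b(closed|suspended|terminated)\b", prose):
        findings.append("deadline threat")
    if re.search(r"\b(password|pin|ssn|social security|account number)\b", prose):
        findings.append("asks for credentials")
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        findings.extend(link_findings(href, text))
    return findings


if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, message_findings(body) or "no indicators")
```

Run stand-alone, the script reports seven indicators for the constructed phishing message (generic salutation, deadline threat, credential request, a displayed-versus-actual host mismatch, a raw IP address, an untrusted domain and a lookalike of paypal.com) and none for the benign one. The indicators are heuristics: a single hit is a reason to pick up the phone, not proof of fraud.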
