SgCERT Advisory No. 032005: Phishing
Introduction
Phishing is now slowly permeating the Sabah Government’s SabahNet network via email, and unsuspecting Sabah Government users need to be extra careful and vigilant in scrutinizing the sources of the emails they receive.
In many cases, those who lost money through such scam emails found it difficult to get a refund from their bank. We can’t blame the banks or e-commerce retailers for these losses, as these institutions can only do so much to protect their clients. This is a debate that will run for some time. Even with the latest technology, confidence tricksters will always find ways to gain your trust, working in such a manner that your instinct is to act first and think later. Hence, it is prudent to always double and even triple check any email asking for personal details. You never know where that data may end up.
What is phishing?

The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they “fish” for users’ financial information and password data.
Phishing is a con that fools you into thinking an e-mail message and website are legitimate, while the hidden motive is to steal sensitive personal information (such as your credit card and bank account data) from you illegally.
How does phishing work?

A con artist (a hacker or scammer) sends you an email, supposedly from your bank or from an online retailer, telling you that you need to confirm your account details. The email looks convincing and the link it contains appears to take you to the correct site. However, both the email and the site you are directed to are fake, designed to make you part with usernames, passwords, credit card information, identity card numbers and even PINs (Personal Identification Numbers). The fakes can be convincing, including spoofed URLs designed to look similar to those used by the company you usually deal with.
How can you avoid phishing?

Few banks correspond with customers via email. So if you receive an email demanding action in a short space of time, with account closure threatened, suspect a phishing attack. Don’t follow or click the link in the email. Browse directly to the bank’s site by typing its URL into the browser and make an enquiry. Consider phoning the bank as well, if necessary. You should guard your account information; you can always open a new account if yours is closed down.
Preventive Measures
While online banking and e-commerce are very safe, as a general rule you should be careful about giving out your personal financial information over the Internet.
Below are helpful tips to keep in mind:
    1.  Don’t use the links in an email to get to any web page if you suspect the message might not be authentic.
        a.  Instead, call the bank or company on the telephone, or log onto the website directly by typing in the bank’s address, so as to be sure you’re logging into the right website.

    2.  Be suspicious of any email with urgent requests for personal financial information.
        a.  Unless the email is digitally signed, you can’t be sure it wasn’t forged or spoofed.
        b.  Sometimes the sender address has been spoofed, so while it looks valid it is actually masking a completely different name.
        c.  Phishers typically include upsetting (account suspended) or exciting (you’ve won a prize) statements in their emails to get people to react immediately.
        d.  They typically ask for information such as usernames, passwords, credit card numbers, identity card numbers, etc.
        e.  Phisher emails are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.

    3.  Avoid filling out forms in email messages that ask for personal financial information.
        a.  You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
        b.  Don’t use the “remember password” function, because this stored information can be easily accessed by hackers.

    4.  Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser.
        a.  To make sure you’re on a secure Web server, check the beginning of the Web address in your browser’s address bar: it should be “https://” rather than just “http://” (note the ‘s’).

    5.  In any case, if you have the misfortune of clicking the link and then entering sensitive personal details, you must do two things quickly:
        a.  First, log on to your account through your Web browser (in other words, type the known URL in directly; don’t click the link in the email again) and immediately change your log-on details; at the very least, change your password.
        b.  Second, inform the bank/company in question as to what you’ve done and ask for advice; you may find extra help on its website.

    6.  Consider installing a Web browser toolbar to help protect you from known phishing fraud websites.
        a.  EarthLink ScamBlocker is part of a free browser toolbar that alerts you before you visit a page that is on EarthLink’s list of known fraudulent phisher Web sites.
        b.  It is free to all Internet users and downloadable at http://www.earthlink.net/earthlinktoolbar

    7.  Download security updates and patches regularly from the Microsoft Security homepage at http://www.microsoft.com/security/

    8.  Please report phishing or spoofed emails to:
        a.  team@sgCERT.org (Sabah Government CERT)
        b.  Make sure not to delete the email, as sgCERT may need it as proof of infringement.
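As an added example (not part of the original advisory), the following Python script turns tips 1 to 4 above into mechanical checks that a user or helpdesk could run over a suspicious message before acting on it. The sample email, its sender, domains and wording are all constructed for the example; the HTML patterns are deliberately simple and not a full HTML parser.

```python
import email
import re
from email import policy

# Constructed sample message (not a real notice): a lookalike bank alert
SAMPLE = """\
From: "Bank Security" <alerts@mail-verify.example>
To: customer@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Confirm your details within 24 hours at
<a href="http://login.example.net/confirm">https://www.bank.example/login</a>
or your account will be closed.</p>
<form action="http://login.example.net/submit" method="post">
PIN: <input name="pin"></form></body></html>
"""

URGENT = ("urgent", "suspend", "within 24 hours", "won a prize", "immediately")
# Simple patterns for the HTML the advisory talks about (not a full HTML parser)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
FORM_RE = re.compile(r"<form\b", re.I)

def host(url):
    """Hostname of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/\s]+)", url.strip())
    return m.group(1).lower() if m else ""

def phishing_indicators(raw):
    """Return the advisory's warning signs (tips 1-4) that the message triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    hits = []
    if any(w in (str(msg["Subject"]) + body).lower() for w in URGENT):
        hits.append("urgent or exciting wording")        # tip 2c
    if re.search(r"dear (customer|user|member)", body, re.I):
        hits.append("not personalized")                  # tip 2e
    if FORM_RE.search(body):
        hits.append("form inside the email")             # tip 3
    for href, shown in LINK_RE.findall(body):
        if host(shown) and host(href) != host(shown):
            hits.append("link text and target differ")   # tip 1
        if href.startswith("http://"):
            hits.append("link is not https")             # tip 4
    return hits
```

A message with no hits is not proven genuine; the checks only flag the signs the advisory lists, so the rule to type the bank’s address yourself still applies.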
References and Sources:
· PC Answer magazine (July 2005)

· Microsoft Windows XP magazine (June 2005)

· http://en.wikipedia.org/wiki/phishing - in-depth phishing explanation with examples

· www.honeynet.net.org/papers/phishing - another in-depth phishing explanation, very technical

· www.antiphishing.org - lists known phishing scams and is updated regularly when the need arises

· www.fraudwatchinternational.com - worth checking (contains phishing, lottery scam and Nigerian 419 scam alerts)

· www.nhtcu.org - useful National Hi-Tech Crime Unit website, but more UK-centric

· http://www.earthlink.net/earthlinktoolbar - free ScamBlocker toolbar for Internet users

· www.ifccfbi.gov - notify the Internet Fraud Complaint Center of the FBI and file your complaint on their website