The Faces of Phishing: Part 1 of 3

Identifying and Defending Against E-mail Phishing Scams
Phishing is a type of social engineering attack used to entice victims
to divulge personal information such as passwords, account numbers, and
social security numbers. The attacker typically relies upon tricking
unsuspecting victims into navigating to a web site that looks almost
exactly like a legitimate web site. From there the victim is prompted
to enter their personal information.
Phishing attacks are very convincing and account for an estimated loss
of hundreds of millions of dollars a year. The web sites that phishers
craft today are near-perfect replicas of legitimate web sites and are
getting harder and harder to detect. The only real defense against a
phishing attack is awareness. The following are some basic anti-phishing guidelines:
• Never send sensitive personal or financial information unless it is
  encrypted on a secure web site. Regular e-mails are not encrypted and
  are subject to prying eyes. You can tell if a web browser session is
  encrypted by looking for the CLOSED-padlock symbol on the bottom bar
  of the browser.
• Do not click on any link contained in an e-mail. The link may not be
  trustworthy. If you ever want to visit your bank, insurance company,
  or broker, either use a local bookmark to get to their site, or
  manually type in the URL.
• Beware of phony "look-alike" web sites. Just because a web site posts
  privacy and security statements, it does not mean that it is
  legitimate. Often, phony sites will have a few real links back to the
  legitimate site intermingled with the bogus or fraudulent links to
  their site.
• Do not reply to ANY e-mail that requests your personal information.
  Be very suspicious of any e-mail from a business or person that asks
  for your User ID, Password, Social Security Number, Credit Card or
  Account Numbers, Credit Card Security Code (CCV) or other highly
  sensitive information. Never reply to any e-mail that asks you to
  update or confirm personal information.
• Leave suspicious sites. If you suspect that a web site is not what it
  purports to be, leave the web site immediately and close your
  browser. Do not follow any of the instructions that it presents.
With the above tips in mind, consider how you might react if you
received the following in your inbox:
According to the above e-mail it appears that someone other than you
has been trying to log on to your account. Even more alarming, the
offense originates beyond US borders. Lucky for you the friendly folks
at PayPal were kind enough to identify the nefarious behavior and
inform you. According to this message, if you don't click on the link
provided your account will be suspended, rendering a severe blow to
your closet eBay addiction. Obviously the only sensible reaction to
such an e-mail is to click on the link as soon as possible and give
them what they want. Or is it?
With the familiar PayPal logo and trademark look and feel, this message
appears quite authentic. However, as you might have already guessed,
this is simply a rather polished attempt to phish for your personal
information. In this example, consider the following observations:
• Generic greeting. Nowhere in the message is PayPal referring to you
  by your real name. Phishers generally have no idea who will receive
  their message. In an attempt to maintain an authentic look and feel,
  phishers often omit the name. Also, when you receive an e-mail that
  addresses someone else by name, your phishing scam warning light
  should start blinking furiously.
• Grammatical errors. In the paragraph immediately following the URL,
  the phisher got sloppy and misspelled the words "choice" and
  "temporarily". Misspelled words should be good tips that something is
  not quite right. Major organizations like PayPal are determined to
  maintain a professional image for their brand and would never allow
  the release of such a communication without first running it through
  a review cycle, much less spell check.
• Poor use of language. Notice the use of informal language such as the
  word "Thanks" in what is certainly meant to appear as a formal
  communication. Many phishing communications are crafted by persons
  that do not use English as their first language. Their lack of
  familiarity with the English language is often apparent in the way
  they arrange words to convey their message. Flex your 4th grade
  grammar skills and phishy e-mails will stand out like a sumo wrestler
  at a beauty pageant.
• Fake links. The link in a phishing e-mail may appear valid, as is the
  case in the above example. However, such links often point to a
  completely different web site. If you do make a habit of clicking on
  links in e-mail despite the best practices offered above, make sure
  the link is valid before clicking on it. Do this by moving your mouse
  over the link and looking at the URL it points to as indicated in the
  status bar of your <company email program> client (located at the
  bottom of your <company email program> client window). Try it out on
  the following sample fake link that actually points to yahoo.com:
  http://www.google.com
• Attachments. Similar to fake links, attachments can be used in
  phishing e-mails and are extremely dangerous. Never click on an
  e-mail attachment that you are not specifically expecting. It could
  cause you to download malware such as a virus or spyware.
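The "fake links" check above is exactly what a mail filter can automate: compare the host name a link displays with the host name its href actually points to. The following Python is an added example (not code from the original article); it uses only the standard library, and the sample e-mail body is constructed to mirror the google/yahoo demonstration above. The helper names are hypothetical.

```python
"""Flag e-mail links whose visible text names a different host than the href.

Added example (not from the original article). Standard library only; the
sample HTML body below is constructed, and the helper names are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []       # list of (href, text)
        self._href = None       # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Return the lower-cased host name of a URL-looking string, or None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def find_deceptive_links(html_body):
    """Return anchors whose displayed text names a different host than the href.

    Only anchors whose visible text looks like a host name or URL are judged;
    plain text such as "help page" carries no host to compare against.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.anchors:
        shown = _host_of(text)
        actual = _host_of(href)
        if shown and actual and "." in shown and shown != actual:
            suspicious.append({"shown": text, "actual": href})
    return suspicious


# Constructed sample e-mail body: the displayed link says google.com, the
# href goes to yahoo.com, as in the article's demonstration link.
SAMPLE_EMAIL = """
<p>Please confirm your account at
<a href="http://www.yahoo.com/">http://www.google.com</a>.</p>
<p>Or read our <a href="http://www.example.com/help">help page</a>.</p>
"""

if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shown as {hit['shown']!r} but points to {hit['actual']!r}")
```

Run against a real message body, the function returns one record per mismatched link; the second anchor in the sample is ignored because "help page" is not a host name, so ordinary "click here" links do not produce false positives.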
The bottom line is that you should never respond to unsolicited
requests for your personal information. Sometimes phishing e-mails are
so convincing that you may still be compelled to visit their web site.
In such cases, avoid clicking on links provided in an e-mail and
navigate to the referenced site by manually typing in the address or
using a bookmark.
Even though you may follow the guidelines provided above, a phishing
email may appear so convincingly authentic that you are sometimes duped
into clicking on a link to a phony web site. In part 2 we discuss
simple strategies that you can use to identify and defend against such
fraudulent web sites.
The Faces of Phishing: Part 2 of 3
Identifying and Defending Against Phony Web Sites
In part 1, we discussed how to identify and defend against email
phishing scams. Despite your most vigilant efforts to not become a
phishing scam statistic, you may still get duped into surfing to a
phony site. It’s not entirely your fault. You have many different
accounts, deadlines just around the corner, and a never ending list of
demands at home. Your mind is so full of things you need to do to keep
your life moving forward that making room for the things necessary to
keep the bad guys from tearing it all down is often not a priority. The
phishers are determined to exploit that and are getting more and more
sophisticated by the day.
So what do these sites look like? They look alarmingly genuine. In this
segment we will help you learn to identify a few key characteristics of
phony web sites.
The phisher is usually looking for the quick and easy. As such, she is
prone to making many mistakes. Be on the lookout for subtle
differences like spelling errors, grammatical errors, and poor page
formatting. Consider the following screenshot of an actual phony
website:
At first glance, this page looks to be 100% authentic. Scary, isn't it?
Take a closer look at the form fields for the username and password.
Notice how one is bigger than the other? A large organization like
PayPal is likely to make sure that small aesthetic details such as this
are spot on, especially on their most frequented pages like the log in
page.
Another way you can spot a phony site is to look at the URL in the
browser’s address bar. Consider the following example:
Shouldn't that say paypal.com? Major institutions like PayPal will
always make sure their brand is clearly identified somewhere in the
URL. More advanced phishers will register similar domains like
"securepaypal.com" or "pay-pal.com". If something in the URL appears
questionable, think twice before navigating the site further.
The more technically adept among us will also notice that the
destination port is 2347 (the number after the colon) and not the
standard port 80 for web services. Most organizations will avoid using
non-standard ports for web services to avoid complications with
corporate firewalls and web proxies.
Also, if the above example were the URL for the log in page, the fact
that it is not preceded with "https" should be alarming. Personal or
sensitive information such as login credentials or credit card data
should never be submitted on an un-secured page. Many phishers won't
bother configuring SSL encryption for their phony site.
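The three URL indicators discussed in this part (brand missing or imitated in the domain, a non-standard port, and plain http on a login page) can be checked mechanically before a user ever types a password. The following Python is an added example, not part of the original article. It goes one step beyond the text by also catching the case where the brand appears only in a sub-domain of someone else's domain; the "registrable domain" helper is a deliberate simplification (last two labels), and all URLs below are constructed.

```python
"""Score a login-page URL against the phony-site indicators from this part.

Added example, not from the original article. Standard-library Python over
constructed URLs. registrable_domain() is a simplification (last two labels);
real suffix handling (e.g. 'co.uk') needs the Public Suffix List.
"""
from urllib.parse import urlparse

BRAND = "paypal"                           # brand the site claims to be
STANDARD_PORTS = {"http": 80, "https": 443}


def registrable_domain(host):
    """Approximate the owner-controlled part of a host name (last two labels)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def phishing_indicators(url, brand=BRAND):
    """Return human-readable warnings for a URL; an empty list means clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    warnings = []

    # Indicator 1: credentials over plain http travel unencrypted.
    if parsed.scheme != "https":
        warnings.append("not https: credentials would travel unencrypted")

    # Indicator 2: a port other than the scheme's standard one.
    port = parsed.port
    if port is not None and port != STANDARD_PORTS.get(parsed.scheme):
        warnings.append(f"non-standard port {port}")

    # Indicator 3: where does the brand sit in the host name?
    domain = registrable_domain(host)
    owner_label = domain.split(".")[0]     # e.g. 'paypal' in 'paypal.com'
    if owner_label == brand:
        pass                               # the brand owns this domain
    elif owner_label.replace("-", "") == brand or brand in owner_label:
        warnings.append(f"look-alike domain {domain!r}")
    elif brand in host:
        warnings.append(f"{brand!r} appears only in a sub-domain of {domain!r}")
    else:
        warnings.append(f"brand {brand!r} does not appear in the host name")
    return warnings


# Constructed URLs covering the cases the article describes.
SAMPLE_URLS = [
    "https://www.paypal.com/login",            # genuine
    "http://203.0.113.5:2347/paypal/login",    # IP host, odd port, no https
    "http://pay-pal.com/login",                # hyphenated look-alike
    "https://securepaypal.com/",               # brand embedded in a new name
    "https://www.paypal.com.evil.example/",    # brand only in a sub-domain
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", phishing_indicators(url) or ["no indicators"])
```

Each warning maps to one sentence of the text above, so the output doubles as a checklist a help-desk can read back to a user who reports a suspicious page.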
In summary, be mindful of the following guidelines while surfing to
keep you from becoming the freshest victim of an online phishing scam:
• Check for subtle errors that a major organization would likely not
  allow in content representing their brand.
• Be on the lookout for deceptive URLs.
• Watch out for sites that request your personal or sensitive
  information without providing SSL encryption.
In the next and final segment we'll discuss more advanced techniques
for identifying and defending against phony websites.
The Faces of Phishing: Part 3 of 3
Advanced Phishing Identification and Defense
In part 1 of this series, we described what phishing is and what a
typical phishing email looks like. We also reviewed some strategies to
help protect you against this type of social engineering attack. In
part 2 of this series, we demonstrated what phishing web sites may look
like and presented some basic techniques on how to recognize a phishing
email. In part 3, we explore several sophisticated phishing examples
along with more advanced techniques used to identify them.
Let’s take a look at this site:
Do you notice anything odd about this site? It certainly looks like
paypal.com, however, if you examine the address bar you will notice
something missing. The address bar shows http:// rather than https://.
Any site that asks for personal information should be using https://
rather than http://. Even if this were a legitimate site, you should be
concerned that your information is passing over an unencrypted
connection. Always remember to look for the 'S' in https. S for
Secure!
Also, did you notice the "Secure Log In" accompanied by a padlock icon
within the web site itself? This icon is meaningless and should give
you no confidence that the web site is secure. Any idea where you
should expect to find the padlock? (See part 1 of this series for the
answer!)
What’s wrong with this web site?
OK, so we see https://, but another KEY item is missing. That's right!
The padlock icon in the bottom right-hand corner is missing. If this
were really a secure page (as suggested by the address bar) you would
also be presented with a padlock icon at the bottom right-hand side of
the browser. It looks like this:
TIP: Some phishers have become wise to this type of detection and have
attempted to put an icon in the page itself to make unsuspecting
victims think that there is a padlock icon. This attack is similar to
the one discussed in the first example. The only difference is that the
padlock is placed closer to the bottom right-hand corner of the page,
near where the browser would normally display the padlock. Always look
closely and you'll notice whether or not it is in the right place.
Also, if you double-click on the padlock, it should present you with a
valid certificate information statement. Remember, the padlock holds
the KEY!
The final technique is to examine the certificates. You probably have
seen those warnings that pop up on your web browser complaining about
certificates this or certificates that. They look like this:
In older browsers it looks like this:
Clicking on the recommended option or "No" prohibits you from
navigating the web site further. Such alerts can be quite annoying.
After a while, you might be tempted to condition yourself to continue
navigating every time you see this alert. This practice is very risky
and highly insecure. These warnings are trying to tell you that the
certificate presented to the browser failed one or more of its
certificate validation checks. Basically, the browser does not trust
the site and there's no reason you should either. Accepting such
certificates puts you and any information that you submit thereafter at
considerable risk.
Certificates are a valuable tool in determining whether a web site is
legitimate or not. Remember, if the certificate does not fit, you must
quit!
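The warning dialogs described above are the visible result of a handful of checks the browser runs on the certificate a site presents: does it name the host you asked for, is it within its validity dates, and was it issued by an authority the browser trusts. The following Python is an added example, not from the original article, that reproduces those three checks over a constructed certificate dictionary in the shape Python's ssl.SSLSocket.getpeercert() returns; the trusted-issuer set is a hypothetical stand-in for the browser's own list, and both certificates below are constructed.

```python
"""Reproduce the checks behind a browser certificate warning.

Added example (not from the original article): host-name match, validity
period and issuer trust, evaluated over constructed certificate dictionaries
in the shape Python's ssl.SSLSocket.getpeercert() returns. TRUSTED_ISSUERS is
a hypothetical stand-in for the browser's trusted authorities.
"""
import ssl
import time

TRUSTED_ISSUERS = {"Example Trusted CA"}          # constructed trust store


def hostname_matches(hostname, cert):
    """Check the requested host against the certificate's DNS names.

    A leading '*.' wildcard covers exactly one label, as browsers require.
    """
    hostname = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value.startswith("*."):
            suffix = value[1:]                    # '*.paypal.com' -> '.paypal.com'
            if hostname.endswith(suffix) and hostname.count(".") == value.count("."):
                return True
        elif value == hostname:
            return True
    return False


def issuer_name(cert):
    """Extract the issuer commonName from getpeercert()-style RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def validation_failures(hostname, cert, now=None):
    """Return the reasons a browser would warn; an empty list means trusted."""
    now = time.time() if now is None else now
    failures = []
    if not hostname_matches(hostname, cert):
        failures.append(f"certificate is not issued for {hostname!r}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        failures.append("certificate is outside its validity period")
    issuer = issuer_name(cert)
    if issuer not in TRUSTED_ISSUERS:
        failures.append(f"issuer {issuer!r} is not trusted")
    return failures


# Constructed certificate resembling what the genuine site would present.
GOOD_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "*.paypal.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

# Constructed self-signed certificate of the kind a phony site presents.
PHONY_CERT = {
    "subject": ((("commonName", "pay-pal.com"),),),
    "issuer": ((("commonName", "pay-pal.com"),),),
    "subjectAltName": (("DNS", "pay-pal.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

# Fixed clock so the example gives the same answer whenever it is run.
FIXED_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    print("genuine:", validation_failures("www.paypal.com", GOOD_CERT, FIXED_NOW))
    print("phony:  ", validation_failures("www.paypal.com", PHONY_CERT, FIXED_NOW))
```

The phony certificate fails two of the three checks at once (wrong host and an issuer nobody trusts), which is why clicking through the warning is never the right answer: each "Yes" discards exactly the evidence that would have separated the real site from the copy.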
Summary
Over the course of this series, we examined phishing attacks from every
angle. Phishers are getting more sophisticated every day and the
success rate of this type of social engineering attack is astonishing.
While there are few technical defenses available to thwart these
attacks, the best defense is still awareness and common sense.
Hopefully, by following the guidance offered in this series, you will
be able to do your part to remain vigilant and defend yourself against
future phishing attacks. Here is a recap of the strategies <your
organization> recommends:
• Never send sensitive personal or financial information unless it is
  encrypted on a secure web site. Regular e-mails are not encrypted and
  are subject to prying eyes. You can tell if a web browser session is
  encrypted by looking for the CLOSED-padlock symbol on the bottom bar
  of the browser.
• Do not click on any link contained in an e-mail. The link may not be
  trustworthy. If you ever want to visit your bank, insurance company,
  or broker, either use a local bookmark to get to their site, or
  manually type in the URL.
• Beware of phony "look-alike" web sites. Just because a web site posts
  privacy and security statements, it does not mean that it is
  legitimate. Often, phony sites will have a few real links back to the
  legitimate site intermingled with the bogus or fraudulent links to
  their site.
• Do not reply to ANY e-mail that requests your personal information.
  Be very suspicious of any e-mail from a business or person that asks
  for your User ID, Password, Social Security Number, Credit Card or
  Account Numbers, Credit Card Security Code (CCV) or other highly
  sensitive information. Never reply to any e-mail that asks you to
  update or confirm personal information.
• Leave suspicious sites. If you suspect that a web site is not what it
  purports to be, leave the web site immediately and close your
  browser. Do not follow any of the instructions that it presents.
For more information about phishing and what you can do to help protect
yourself, friends, and family, check out the following web sites or
contact the friendly folks in <your organization>!
• Anti-Phishing Working Group: http://www.antiphishing.org
• How Stuff Works: http://computer.howstuffworks.com/phishing.htm
• <Your Organization's Security Information Site>: http://your.link.here