Monday, June 23, 2008

Phishing: Examples and Prevention Methods

Phishing is the act of sending an e-mail to a user while falsely claiming to be an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. However, the web site is fake and set up only to steal the user's information.


Phishing examples: PayPal

An example of a phishing e-mail targeted at PayPal users.

The PayPal phishing attempt can be noticed by the spelling mistakes in the e-mail and by the IP address in the link, which is visible in the tooltip under the yellow box. Another clue is the lack of a personal greeting, although the presence of personal details would not by itself guarantee legitimacy. Other signs are misspellings of simple words and the threat of consequences, such as account suspension, if the recipient fails to fulfil the message's requests.
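The signs listed above can be checked mechanically. The following Python script is an added example written for this page (it is not code from the original post): it pulls every link out of an HTML e-mail body and flags a bare IP address as the link host, link text that shows one domain while the href goes to another, a generic greeting, pressure language, and common misspellings. The sample e-mail is constructed for the demonstration, and the greeting, pressure-phrase and misspelling word lists are assumptions, not an authoritative set.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body, written for this example; it is
# not a real message. It shows the tell-tale signs discussed in the post.
SAMPLE_EMAIL_HTML = """
<p>Dear PayPal Member,</p>
<p>Your acount has been limited. Please
<a href="http://192.0.2.10/paypal/login">click here</a> within 24 hours,
or your account will be suspended.</p>
<p>See <a href="http://example.net/verify">https://www.paypal.com/</a> for details.</p>
"""

# The word lists below are assumptions for the demonstration, not an official set.
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "dear member",
                     "dear paypal member", "dear user")
PRESSURE_PHRASES = ("will be suspended", "within 24 hours", "immediately")
COMMON_MISSPELLINGS = {"acount", "recieve", "verfy", "informations"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(html):
    """Return a list of warning strings; an empty list means no indicator fired."""
    warnings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        if _is_ip_literal(host):
            warnings.append(f"link host is a bare IP address: {href}")
        # Visible text that looks like a URL but points at a different host.
        if re.match(r"https?://", text, re.IGNORECASE):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                warnings.append(f"link text shows {shown} but href goes to {host}")
    lowered = html.lower()
    for phrase in GENERIC_GREETINGS:
        if phrase in lowered:
            warnings.append(f"generic greeting instead of a name: '{phrase}'")
            break
    for phrase in PRESSURE_PHRASES:
        if phrase in lowered:
            warnings.append(f"pressure or threat language: '{phrase}'")
    words = set(re.findall(r"[a-z]+", lowered))
    for word in sorted(words & COMMON_MISSPELLINGS):
        warnings.append(f"misspelling: '{word}'")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL_HTML):
        print("WARNING:", warning)
```

Each indicator on its own is weak (a legitimate newsletter may also say "dear customer"), so a mail filter would score them together rather than block on any single hit; the link checks are the strongest, because a real PayPal link never points at a bare IP address or at a host other than the one shown.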

Prevention:

Social responses

People can be trained to recognize phishing attempts and to deal with them; such education works best when the training provides direct feedback. To avoid phishing attempts, people can slightly modify their browsing habits: when contacted about an account needing to be verified, it is wise to contact the company directly. Almost all legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers. For example, PayPal always addresses its customers by their username in e-mails.

Website forgery

Some phishing scams use JavaScript instructions to alter the address bar. This can be done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one showing the legitimate URL.

Besides this, an attacker can use flaws in a trusted website's own scripts. This type of attack is known as cross-site scripting. It directs the user to sign in at the bank's or service's own web page, where everything from the web address to the security certificate appears correct.

Augmenting password logins

Furthermore, one way to protect transaction numbers (TANs) against phishing is to combine each TAN with a "lock number". The bank server sends the lock number as a challenge, and the user provides the matching TAN as the response. The server selects a key-lock pair randomly from the list, so the same TAN is never requested twice. Lock numbers are not sequential, so phishers can only guess the correct numbers.
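To make the challenge-response exchange concrete, here is an added Python simulation written for this page (not code from the original post or from any bank). It generates a TAN sheet with random, non-sequential lock numbers, has the server issue a lock number and check the TAN the customer reads off the sheet, burns each pair after one use, and then shows that a previously captured (lock, TAN) pair is useless on the next login. Six-digit lock numbers and TANs, the sheet size, and the session-id bookkeeping are assumptions made for the demonstration.

```python
import random
import secrets
from dataclasses import dataclass, field


def _rng(seed):
    """Seeded generator for reproducible demos; a CSPRNG when no seed is given."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


@dataclass
class TanSheet:
    """One customer's TAN list as the bank stores it: lock number -> TAN.
    The customer holds the same table on paper."""
    pairs: dict
    used: set = field(default_factory=set)


def generate_tan_sheet(n, seed=None):
    """Make n (lock number, TAN) pairs. Lock numbers are random and therefore
    not sequential; TANs are distinct. Six-digit values are an assumption."""
    rng = _rng(seed)
    locks, tans = set(), set()
    while len(locks) < n:
        locks.add(rng.randrange(100000, 1000000))
    while len(tans) < n:
        tans.add(f"{rng.randrange(0, 1000000):06d}")
    tan_list = list(tans)
    rng.shuffle(tan_list)  # so the TAN order says nothing about the lock order
    return TanSheet(pairs=dict(zip(sorted(locks), tan_list)))


class BankServer:
    """Server side of the lock-number challenge-response described in the post."""

    def __init__(self, sheet, seed=None):
        self.sheet = sheet
        self.rng = _rng(seed)
        self.pending = {}  # session id -> lock number we challenged with

    def challenge(self, session_id):
        """Pick an unused pair at random and send only its lock number."""
        unused = [lock for lock in self.sheet.pairs if lock not in self.sheet.used]
        if not unused:
            raise RuntimeError("TAN sheet exhausted; issue a new one")
        lock = self.rng.choice(unused)
        self.pending[session_id] = lock
        return lock

    def verify(self, session_id, tan):
        """Check the customer's TAN against the lock we sent. The pair is burnt
        whether or not the answer was right, so no pair is ever asked for twice."""
        lock = self.pending.pop(session_id, None)
        if lock is None:
            return False
        self.sheet.used.add(lock)
        return secrets.compare_digest(self.sheet.pairs[lock], str(tan))


def customer_lookup(paper_sheet, lock):
    """The customer's step: read the TAN printed beside the lock number."""
    return paper_sheet.get(lock, "")


def simulate(seed=None):
    """One legitimate login, then a replay of the captured (lock, TAN) pair."""
    sheet = generate_tan_sheet(10, seed)
    paper = dict(sheet.pairs)  # the customer's printed copy
    server = BankServer(sheet, seed)

    lock = server.challenge("session-1")
    tan = customer_lookup(paper, lock)
    legit = server.verify("session-1", tan)

    # Suppose that lock/TAN pair was captured by a forged page. On the next
    # login the server picks a different, unused pair, so the captured TAN
    # does not match the new lock number.
    lock2 = server.challenge("session-2")
    replay = server.verify("session-2", tan)
    return {"legit": legit, "replay": replay, "lock_changed": lock != lock2}


if __name__ == "__main__":
    print(simulate())
```

The server, not the customer, decides which lock number is asked for, and it never repeats one, so a captured TAN only ever matched a challenge that will not be issued again; the comparison uses a constant-time check so that a wrong TAN takes the same time to reject as a nearly right one.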

4 comments:

joyne said...

Did you know phishing activities and identification before this blog ?

Lynn said...

Actually I didn't know it, but after doing this assignment and the lecture class I just realized it.

andy said...

It's actually a very popular scam and more people need to be aware, you could be "phished" when you least expect it from fake emails.

http://www.aboutscams.com