This week’s word of the week is phishing. What exactly does it involve and how can you prevent unsuspecting people from becoming the next phishing victim?
According to Wikipedia, “phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public”.
That sounds about right. The term was first recorded in 1996, and according to the 2009 Phishing Activity Trends Report the number of unique phishing websites detected in June rose to 49,084, the highest since the record of 55,643 set in April 2007.
Typical Phishing Methods and Latest Trends:
The people behind the phishing scams always manage to keep up with technology improvements, and their email approaches are becoming increasingly sophisticated. They use official logos and mock-secure connections copied from actual web sites.
Drive-By Downloads: The majority of phishing attempts with drive-by downloads try to entice you to download EXE files and run them locally. The solution? EXE files should always be blocked. To quote Yves, “You can open certain files on a case-by-case basis and in a very controlled fashion, but that’s the extent of it.”
Spear Phishing: In her article, Is Your Boss a Whale, Margot discusses a more specific type of phishing known as spear phishing, whereby spammers focus their efforts on company executives.
HTML Attachments: In his post, Sex, Pills, Scams, Marc discusses the rise of new phishing attempts using .html attachment files. Instead of placing URLs in the email body, spammers have started obfuscating the link inside an attached .html file that contains JavaScript, splitting the URL into pieces so that no complete address is visible to a filter. Readers are enticed into clicking the link by catchy subject lines such as Important News, World Cup results, celebrity death announcements, compromised accounts and so on. In most cases, clicking the link results in instant infection.
How do you prevent getting caught?
1- Ensure your email security solution is up to date and is scanning for these types of phishing threats.
2- Educate your end-users. As Marc suggests here, not all phishing threats arrive by email, and you need to be careful even when reaching websites through search engines. A small typo in the address and a clever webmaster can lead you down the path to a malicious website.
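As an added example (not code from this post or from any of the authors it mentions), here is a small Python attachment scanner in the spirit of the EXE and HTML-attachment points above and of tip 1: it blocks executable attachments outright and, for .html attachments, joins the fragmented JavaScript string literals back together to reveal the URL they hide. The message, the attachment and the domain example.test are constructed samples.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Constructed sample attachment: the script splits the URL into literals so no
# complete address appears anywhere in the file. "example.test" is a placeholder.
SAMPLE_HTML = ('<html><body><script>var p="ht"+"tp://"+"exam"+"ple.test"+"/login";'
               'window.location=p;</script></body></html>')

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# A chain of JavaScript string literals joined with '+', e.g. "ht"+"tp://"+"x"
CONCAT_RE = re.compile(r"""(?:['"][^'"]*['"]\s*\+\s*)+['"][^'"]*['"]""")
LITERAL_RE = re.compile(r"""['"]([^'"]*)['"]""")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")

def reassemble_urls(html: str) -> list[str]:
    """Join fragmented literals inside <script> blocks and return any URLs they form."""
    urls = []
    for script in SCRIPT_RE.findall(html):
        for chain in CONCAT_RE.findall(script):
            joined = "".join(LITERAL_RE.findall(chain))
            urls.extend(URL_RE.findall(joined))
    return urls

def scan_message(raw: bytes) -> list[str]:
    """Return one finding per suspicious attachment (executables, HTML hiding URLs)."""
    findings = []
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Executables: the extension or the PE "MZ" magic is reason enough to block.
        if name.endswith(".exe") or data[:2] == b"MZ":
            findings.append(f"{name}: executable attachment, block")
        elif name.endswith((".htm", ".html")) or part.get_content_type() == "text/html":
            for url in reassemble_urls(data.decode("utf-8", "replace")):
                findings.append(f"{name}: script reassembles hidden URL {url}")
    return findings

def build_sample_message() -> bytes:
    """Constructed mail carrying SAMPLE_HTML as an attachment, for a local run."""
    msg = EmailMessage()
    msg["From"] = "news@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Important News"
    msg.set_content("See the attached news.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="news.html")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` reports the reassembled `http://example.test/login`; a URL written out in one literal is left to the normal URL filter, which already sees it.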
Have you or your users been phished? Tell us your story in the comments below.