I have talked about social engineering attacks before, but in the wake of the latest Gmail and Hotmail attacks, I thought I would re-address an easily avoidable hacking technique, Phishing. Let’s start with a little education on what Phishing is.
The technical definition defines Phishing as a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.
What does this mean? Basically it means that an email goes out that tricks you into entering your legitimate username and password on a website that looks like a website you are familiar with, like your bank. Instead of being your bank’s website, it’s a fake that collects your username and password, which is then used to log in to the real website and take all your money.
If you go back and read the two different descriptions, you should see that Phishing is 100% avoidable, and if you become the victim of a phishing attack, it’s all because of your actions. There is no forced hacking or stealing of data; you are willingly typing it in and giving it away. I want to make sure that people are aware that the Internet is a horrible, evil place at its core, and the keys to your data are one mistake away from destroying your life.
Phishing is primarily done with emails and Instant Messages that you may receive. If you sign up for anything with your real, everyday email address, most likely that email address will be sold off. This is how you get spam, and why I advocate, and personally use, 4 addresses outside my personal email for websites, forums, and any other junk sites that make me register to get at what I want.
Be Skeptical Of Every Unsolicited Email You Get About Services You May or May Not Use
This is the best rule to follow. If you follow this rule, you don’t fall for phishing attempts. The main point to remember, and trust me on this: NO BANK, BUSINESS OR WEBSITE WILL EVER, EVER, EVER ASK YOU TO LOGIN TO VERIFY YOUR ACCOUNT OR IT WILL BE DISABLED!!! NEVER! I say, let them disable it if it’s real. Pick up the ancient technology known as the telephone and call your bank to re-enable it. But all those emails are fake anyway, so don’t worry.
On top of that, these emails are kind enough to provide a link for you to click on. That link is FAKE; regardless of what it looks like on the surface, it’s fake. Here’s a short example of how HTML links work. Look at this link here -> https://www.bankofamerica.com. Now, don’t click on this link, but I do want to show you something with it. To the naked eye this link takes you to the secure version of Bank Of America’s website. (I pulled BOA out of the air to use as an example.) Don’t click on that link, but hover your mouse over it. Look down in the corner of your browser… what do you see? Do you see this -> http://binaryblogger.com/DontGetFooledByThis
It’s a simple trick. A link has two parts: the text that is displayed and the internal target. Two different things. Binary Blogger or http://binaryblogger.com: same link, different display. This is the first trick, and a good practice is that if you are wary of any link, just hover your mouse over it and look at where the link will actually take you.
The second trick, if you do click on that link in an email that’s asking you to log in, is to play a trick on the eye and fool the target. Instead of going to www.bankofamerica.com it goes to www.bankofamrica.com. Reading it quickly, you would miss that the second one is spelled wrong. The phishers mocked up the page to look just like BOA, but it’s not. The site is actually a web server under the phisher’s control that gathers the info you enter.
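Both tricks above (display text that does not match the link target, and a misspelled lookalike domain) can be checked mechanically. The following is an added example written for this post, not code from Binary Blogger: it parses the anchors out of a constructed phishing-style email body and flags each of the two tricks, assuming a small list of hosts the reader actually uses (TRUSTED_HOSTS) and a similarity threshold of 0.9 for a near-miss domain.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style e-mail body (not a real message);
# the first link reuses the post's own display-text-vs-target example.
SAMPLE_EMAIL_HTML = """<p>Verify your account at
<a href="http://binaryblogger.com/DontGetFooledByThis">https://www.bankofamerica.com</a>
or sign in at <a href="https://www.bankofamrica.com/login">Bank of America</a>.
<a href="https://www.bankofamerica.com/">https://www.bankofamerica.com</a></p>"""
# Hosts the reader really uses; a real tool would take these from their bookmarks.
TRUSTED_HOSTS = {"www.bankofamerica.com", "bankofamerica.com"}

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> tag in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    # Hostname of a URL-looking string, or None if the string is not a URL.
    p = urlparse(s)
    return p.hostname.lower() if p.scheme and p.hostname else None

def check_links(html):
    """One finding per anchor: 'ok', 'text-href-mismatch' or 'lookalike-domain'."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        if shown and target != shown:              # trick 1: text says one place, href another
            findings.append((href, "text-href-mismatch"))
        elif target and target not in TRUSTED_HOSTS and any(   # trick 2: lookalike domain
                difflib.SequenceMatcher(None, target, t).ratio() > 0.9 for t in TRUSTED_HOSTS):
            findings.append((href, "lookalike-domain"))
        else:
            findings.append((href, "ok"))
    return findings
```

Running check_links(SAMPLE_EMAIL_HTML) flags the first link as a text/target mismatch, the second as a lookalike domain, and passes the third, whose displayed URL and real target agree.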
OK, so let’s say you are a real worrywart and the email is really convincing. The other main rule to follow: NEVER click on a link inside an email; go there from your bookmark or enter the website address manually yourself. From my examples above, you can see why email links are not to be trusted. If you really want to check on your bank or accounts elsewhere, then you go there like you normally would, not from that email you received. Do that and your data will be safe.
Phishing is a social engineering approach to gathering critical information: socializing the attack and tricking unsuspecting users into making a mistake and giving their data away. If you think you logged into a phishing site, the simple way to block that release of information is to change your password as soon as possible and make it as strong as possible. Change your keys.
My next posts will be around how to keep your accounts secure. I’ll give you tips like how you should never use the same password on all your sites…. how do you know each site protects the password the same way?
Never assume, never trust; your data is your responsibility to keep safe and no one else’s. If you cannot handle that responsibility, then get off the Internet.
End of Line.
– Posted using BlogPress from my iPad
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.