TOKYO — “Attention: Dear Winner, Microsoft global and Netherlands Lottery has concluded its final draws of it’s periodical promotional program …”
Most computer users are smart enough to recognize e-mails like this as a scam known as “phishing,” an attempt to get access to an individual’s personal information.
But what if the e-mail in question appears to be from your bank, or even from within your own office network?
In recent years, security experts have seen a rise in the use of “spear phishing,” which targets a specific user or group of users.
Rohit Dhamankar, senior manager of security research for TippingPoint and project manager for the SANS Institute Top 20 Internet Security Risks, gave a presentation last week at the 2008 National Cyber-hack Briefings in Tokyo, where he discussed how many hackers have switched from targeting flaws in computer software to going after easily misled computer users.
Spear phishing often links users to a phony Web site that installs malicious software on the user’s computer, giving the hacker access to the user’s network, Dhamankar said. “It has become an easy trick to take over a Web site or host a malicious Web site remotely and attack any users directed to that site,” he said.
Spear phishing is so successful, Dhamankar explained, because the information in the e-mails has been carefully researched by the hacker and is designed to look as authentic as possible to that specific recipient.
For servicemembers and Department of Defense employees, this means the attack could take the form of an e-mail disguised to look like it is from their credit union, personnel office or even a co-worker.
“That’s why spear phishing is so dangerous,” explained Senior Airman Raul Vega, a 374th Airlift Wing mission security manager. “You see a dot-mil address and trust it right off the bat.”
Vega said that although DOD computers are updated on a regular basis, one of the best ways to minimize the risk of spear phishing is through education.
“Be aware that people are constantly trying to get your personal information,” he said. An e-mail “might look authentic, but it could be a threat.”
A good way to check the authenticity of a link in an e-mail, Vega said, is to type the Web site’s address into your browser’s address bar yourself instead of clicking the link in the message.
Vega also advised using the same precautions at home with your private computer as you take at work.
“A lot of people do work at home, and there is always a threat that they could bring something to work with them,” he said.
One of the best ways to keep your home computer protected is to use a firewall and antivirus software.
Vega said the government offers free virus protection software and users should contact their system administrators for more information.
However, even with these tools, vigilance is key.
“Spear phishing has become one of the most damaging forms of attacks on military organizations in the U.S. and other developed countries,” the SANS Institute’s Web site said.
Tips to avoid phishing ploys
To fight against becoming an identity-theft victim, one antiphishing group offers the following suggestions:
- Be suspicious of any e-mail with urgent requests for personal financial information. Unless the e-mail is digitally signed, you can’t be sure it wasn’t forged or “spoofed.” Phishers typically include upsetting or exciting (but false) statements in their e-mails to get people to react immediately. They typically ask for information such as usernames, passwords, credit card numbers, Social Security numbers, dates of birth, etc. Phisher e-mails are typically NOT personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure.
- Don’t use the links in an e-mail, instant message, or chat to get to any Web page if you suspect the message might not be authentic or you don’t know the sender or user’s handle. Instead, call the company on the phone, or log onto the Web site directly by typing the Web address into your browser.
- Avoid filling out forms in e-mail messages that ask for personal financial information; you should communicate information such as credit card numbers or account information only via a secure Web site or the phone.
- Phishers are now able to spoof BOTH the “https://” URL that you normally see when you’re on a secure Web server AND a legitimate-looking address. You may even see both in the link of a scam e-mail.
- They also may forge the yellow lock you would normally see near the bottom of your screen on a secure site. The lock has usually been considered an indicator that you are on a “safe” site. The lock, when double-clicked, displays the security certificate for the site. If you get any warning that the address of the site you have displayed does not match the certificate, do not continue.
- Get in the habit of looking at the address line of Web pages you visit. Were you directed to PayPal? Does the address line display something different, like “http://www.gotyouscammed.com/paypal/login.htm”? Be aware of where you are going.
- Log into your online accounts at least twice a month.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious or you don’t recognize the transaction, contact your bank and all card issuers.
- Ensure that your browser is up to date and security patches are applied.
- For more information, check out the Federal Trade Commission’s phishing consumer alert.
An example of a phishing site is also posted at the FTC Web site.
Source: The Anti-Phishing Working Group (antiphishing.org)
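The manual checks above (Vega’s advice to type the address yourself rather than click, and the APWG tips to compare the visible link with where it really goes, to notice a brand name such as “paypal” sitting in the path of someone else’s domain, and to distrust a link that shows “https://” but does not use it) can be run over an e-mail body before anyone clicks. The Python script below is an added example written for this article; it is not code from SANS, TippingPoint, the 374th Airlift Wing or the Anti-Phishing Working Group. The KNOWN_BRANDS mapping and the sample e-mail body are constructed assumptions for the demonstration, and registered_domain is a deliberately crude last-two-labels heuristic that real code should replace with a Public Suffix List lookup.

```python
"""Flag suspicious links in an HTML e-mail body (added example, standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Assumption for this example: brands the reader holds accounts with, mapped to
# the registered domain that legitimately serves them.
KNOWN_BRANDS = {"paypal": "paypal.com"}

# Finds something that looks like a host name in the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)


def registered_domain(host):
    """Crude 'registered domain': the last two labels.  Wrong for co.uk-style
    suffixes; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True if the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return reasons
    if is_ip_literal(host):
        reasons.append(f"link goes to a bare IP address {host}")
        return reasons
    actual = registered_domain(host)

    # 1. The site named in the visible text is not the site the link goes to.
    shown = HOST_RE.search(text)
    if shown and registered_domain(shown.group(1)) != actual:
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")

    # 2. The text claims https:// while the real link does not use it.
    if text.lower().startswith("https://") and parsed.scheme != "https":
        reasons.append("text shows https:// but the link uses " + (parsed.scheme or "no scheme"))

    # 3. A known brand appears in the URL but the registered domain belongs to someone else.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in href.lower() and actual != legit:
            reasons.append(f"'{brand}' appears in the URL but the registered domain is {actual}")
    return reasons


def scan_email_html(body):
    """Run check_link over every anchor; return [(href, text, reasons)] for flagged links."""
    parser = LinkExtractor()
    parser.feed(body)
    parser.close()
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample e-mail for this example (192.0.2.10 is a documentation address).
SAMPLE_EMAIL = """
<p>Dear Customer, your account will be suspended in 24 hours.</p>
<p>Log in now: <a href="http://www.gotyouscammed.com/paypal/login.htm">https://www.paypal.com/login</a></p>
<p>Questions? <a href="https://www.paypal.com/help">Help Center</a></p>
<p>Update here: <a href="http://192.0.2.10/update">update your details</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed sample, the first link is flagged on all three counts (displayed host differs from the real one, the text claims https:// while the link is plain http, and “paypal” sits in the path of gotyouscammed.com), the genuine PayPal help link passes, and the bare-IP link is flagged outright. The host-name regex and the two-label domain heuristic are the weak points: a lookalike such as paypa1.com or a country-code suffix will slip past, which is why the tips still tell you to type the address yourself.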