I’m sure most of you know about, or have at least heard of, phishing. If not, please read What Exactly Is A Phishing Scam? What you may not know is that the continuous fight against this fraud method yields poor results.
Maybe you have seen TV or newspaper reports where the authorities announce good results in the fight against phishing. Well, this is wrong. In my opinion, this war will never end. The more they fight it, the cleverer the phishers become, creating more sophisticated and less detectable methods of phishing.
I will reveal some well known methods that phishers use to steal sensitive information from internet users, and also some hidden methods that few people know about. Most cyber thieves use phishing mainly to steal credit card and bank account details, but it can also be used to steal identities (identity theft) and email or company account passwords. I want to show you why there are so many phishing attempts out there.
You don’t even need to be a hacker to do it. You just need to know how it is done and which tools you need. (Most of the tools are not even illegal.)
PREPARING THE PHISHING ROD AND TOOLS
What are they doing with this information?
Reason number one is to steal money from credit cards or bank accounts. They create scam pages that mimic the targeted bank’s real login page, then write an email message that looks as if the bank sent it to its customers.
PREPARING THE BAIT
I want to say a little more about these email messages. How do they create messages that look genuine?
Most of them have their own bank accounts, or their parents or relatives do.
So they receive real messages from these banks. That’s how they get an idea of what the letter should look like. But wait a minute, you say, there are thousands of banks.
This is easy too.
There are many sites online that report on what hackers are up to, and they reprint examples of letters, emails and websites. Most of the thieves feed their information databases from sites like those. They can find good information about thousands of banks, and even more examples of messages and phishing pages. Even for a beginner it is easy to start with so much information available. From the same sources they even learn which banks work well for phishing.
This is also how most of them discover new banks that have never been scammed. I bet you didn’t think that sites built to fight phishers would be so useful to them, huh?
So that clears up how they manage to get hold of a genuine email message.
Next they gather an email database. Most of them use email harvesting software. This software is legal, and it’s even possible to find free versions if you search the net. And if they need a licence they don’t worry, they’ll just buy one with a stolen credit card, or buy email databases sold for newsletters. They can also find thousands of addresses in guestbooks or on forums.
THROWING THE BAIT
After they have the emails ready, they have to send them out. But for real impact they need to reach hundreds of thousands of email addresses.
How do they do it?
They use email sending software.
This is another type of legal software found in all corners of the internet, free or licensed, with hundreds of versions. In fact they can use your very own PC to send their emails, thus avoiding the spam blockers.
And now all they have to do is wait: wait for people to fall for it, and hope the authorities don’t find out about the page too soon and shut it down. Earlier I described how virtual thieves use information to steal your money, identity and so on. Now I’m going to explain how they can use your own PC to do their dirty work. They don’t have the knowledge to figure this out for themselves; they use other people’s brain power. What they do is scour the internet for software that scans IP ranges for PCs with remote access enabled.
This kind of software is written by very capable programmers who did not intend it to be used this way. Normally it is used for security testing, the goal being to find leaks or bugs in a system. Unfortunately, when this type of program falls into the wrong hands it can and will be used against you. The scanner finds your IP, and if your PC is only protected by a password, they run brute-force password crackers against the remote login until they guess it.
Quite honestly, Windows is crap when it comes to security.
Once they have access to your PC they install their malicious software and load the email lists for sending the fake emails. This reduces their chances of being caught to a minimum, because the Received headers of the emails show your IP address, not theirs. This is one reason why they use your PC.
Another reason is that they have to send millions of emails, and doing that from a single address gets the IP banned by spam blockers or the internet provider. Spread over 5-10 PCs, the spam goes out easily.
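To see what "your IP address appears in the header" looks like in practice, here is an added example (not code from the original article) that reads the Received chain of a constructed sample message with Python’s standard email module. The provider MX mx.yourprovider.example, the sender addresses and the IP addresses are all made up for the example and sit in documentation ranges. The point a practitioner cares about: only the Received line written by your own mail server is reliable, because every line beneath it was supplied by the machine that handed the message over and can be forged.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real phishing email). Host names and
# addresses are placeholders, not real systems.
SAMPLE = """Return-Path: <bounce@mail-updates.example>
Received: from mx.yourprovider.example (mx.yourprovider.example [198.51.100.7])
    by inbox.yourprovider.example with ESMTP id abc123
    for <victim@yourprovider.example>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
    by mx.yourprovider.example (Postfix) with SMTP id def456
    for <victim@yourprovider.example>; Mon, 1 Jan 2024 10:00:01 +0000
From: "Bank of Testing" <security@bankoftesting.com>
To: victim@yourprovider.example
Subject: Urgent: confirm your PIN
Content-Type: text/plain

Please confirm your PIN at http://www.bankoftestlng.com/login
"""

MSG = email.message_from_string(SAMPLE)

# One hop: "from <host> (... [ip]) by <host>". DOTALL because the default
# (compat32) policy keeps the folding newlines inside header values.
HOP_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.DOTALL
)


def received_hops(msg):
    """Return (from_host, peer_ip, by_host) per Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groups())
    return hops


def connecting_ip(msg, trusted_mx):
    """IP of the machine that handed the message to our own MX.

    Only the Received line written by trusted_mx can be trusted; the lines
    below it came from the sender and may be fabricated.
    """
    for _from_host, peer_ip, by_host in received_hops(msg):
        if by_host.lower() == trusted_mx.lower():
            return peer_ip
    return None


def header_domains(msg):
    """Domains of the displayed From address and of the envelope Return-Path."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom


def warning_signs(msg, trusted_mx):
    """Two cheap heuristics: sender domains disagree, peer had no host name."""
    signs = []
    from_dom, rp_dom = header_domains(msg)
    if from_dom and rp_dom and from_dom != rp_dom:
        signs.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    for from_host, peer_ip, by_host in received_hops(msg):
        # A hijacked home PC typically announces itself with a bare IP literal,
        # not with a mail server's host name.
        if by_host.lower() == trusted_mx.lower() and from_host.startswith("["):
            signs.append(f"peer {peer_ip} introduced itself with a bare IP, not a host name")
    return signs


if __name__ == "__main__":
    print("connecting IP:", connecting_ip(MSG, "mx.yourprovider.example"))
    for sign in warning_signs(MSG, "mx.yourprovider.example"):
        print("warning:", sign)
```

In the sample the bank’s name is in the From line, but the message was handed to the provider by 192.0.2.45, the compromised PC; that is the address an investigator sees first, which is exactly why the thieves route the mail through someone else’s machine.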
DON’T GET CAUGHT IN THE NET
How do you protect yourself from these phishing attacks when they get harder to detect every day?
This is very simple.
Maybe you have seen TV ads or warnings from the banks. All of them say not to reveal your details in reply to emails or phone calls that claim to come from the bank, but the main precaution you can take is also the easiest to follow. Don’t give your PIN to anyone, including bank employees. No-one, and I mean no one, knows your PIN. Even the bank doesn’t know it. The bank can reset your PIN, but that is all. The 4-6 digit personal identification number is secret. If you receive anything that asks for your PIN, you can be 100% sure it is a fraud attempt.
DON’T RELY ON SOFTWARE TO PROTECT YOU FROM PHISHING
So, you have a phishing filter and antivirus software?
I don’t care.
The scam pages are so well done that they can easily slip past this type of software. Most of these programs work from the words found on the page, such as credit card, PIN and CVV2, and from the domain name or IP address of the site, which only helps once the site has been reported. Thieves can easily replace the trigger words with images and defeat the word-based checks, and a freshly registered domain is on no blocklist yet.
What can you do about that?
Warnings say that you should look at the address bar to check that the URL starts with HTTPS and, if it does, the page is safe because HTTPS indicates a secure page.
Thieves can do this too.
HTTPS only means that the connection to the site named in the address bar is encrypted and that the site holds a valid certificate for that name. It says nothing about who runs the site. Scammers host their pages on servers with a valid certificate for a domain they registered themselves, so the browser shows HTTPS just the same.
Another tip: look at the address bar. Many phishing scams trick your eyes with typos. Let’s say the real bank address is www.bankoftesting.com and the fake one is www.bankoftestlng.com.
Can you spot the difference?
They replaced the ‘i’ with an ‘l’.
You won’t always look carefully at the address, and that is how you get tricked so easily.
They can also replace ‘o’ with ‘0’ (zero).
There are many other typos they can use, so read the address carefully.
Another warning from the bank says that you should look for a small padlock, in the bottom right of the window in older browsers or in the address bar in current ones.
If you see it, that means you’re on a secure web page, doesn’t it?
Thieves can get this too. The padlock only confirms that the certificate matches the domain in the address bar; a scam site on a look-alike domain gets its own padlock.
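The eye can be fooled, but a program can check the address before you type anything into the page. The following is an added example, not code from the original article, that classifies a URL against the page’s made-up bank domain bankoftesting.com. It extracts the host the browser would really connect to (which exposes the user@host and bank-name-as-subdomain tricks), folds look-alike characters into a skeleton so that l/i, 0/o and accented letters compare equal, and allows one typo via edit distance. It goes beyond the two substitutions in the text above: accents, a few more digit/letter swaps and the rn/m pair are handled as well. The "last two labels" rule for the registrable domain is a simplification for the example; real code would consult the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# The page's constructed example bank; not a real institution.
LEGIT_DOMAIN = "bankoftesting.com"

# Single characters that read as another one in many fonts, folded onto one
# canonical character: 'l', '1' and '|' all become 'i', '0' becomes 'o', etc.
CONFUSABLE = {"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e", "4": "a"}
# Two-character sequences that look like a single letter.
PAIRS = (("rn", "m"), ("vv", "w"))


def skeleton(label: str) -> str:
    """Collapse a host label to what it looks like rather than what it is."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for pair, repl in PAIRS:
        s = s.replace(pair, repl)
    return "".join(CONFUSABLE.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch a dropped or doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: production code should use the
    Public Suffix List (e.g. the tldextract package) so co.uk works too."""
    return ".".join(host.split(".")[-2:])


def classify(url: str, legit: str = LEGIT_DOMAIN) -> tuple:
    """Return (verdict, real_host). Verdicts: legit, lookalike, unrelated.

    urlsplit().hostname already strips the user@ part, so
    http://www.bankoftesting.com@evil.example/ resolves to evil.example.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    domain = registrable_domain(host)
    if domain == legit:
        return "legit", host
    name = domain.rpartition(".")[0]
    legit_name = legit.rpartition(".")[0]
    if skeleton(name) == skeleton(legit_name) or levenshtein(name, legit_name) <= 1:
        return "lookalike", host
    return "unrelated", host


if __name__ == "__main__":
    # Constructed test URLs, including the page's own i/l and o/0 examples.
    for u in (
        "https://www.bankoftesting.com/login",
        "https://www.bankoftestlng.com/login",
        "https://bank0ftesting.com/",
        "https://www.bankoftésting.com/",
        "http://www.bankoftesting.com@evil.example/",
        "https://www.bankoftesting.com.evil.example/",
    ):
        print(classify(u), u)
```

The verdict "unrelated" is not a clean bill of health: the last two URLs above connect to evil.example while showing the bank’s name, which is precisely the trick the address bar warnings are meant to catch. Anything other than "legit" for a link that claims to come from your bank is reason enough to close the page.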
THE NUMBER ONE TIP FOR AVOIDING PHISHING
There are many tips to avoid being tricked and I will explain many in my future articles but rule number 1 is simple to follow:
Don’t give your PIN number or passwords to anyone, including bank employees.
Isn’t that easy to follow?
It is, so why do so many people get tricked and then upset when they fall victim to these attacks? Simply because people don’t pay attention. They’re not careful with their sensitive information anywhere, including on the internet. Most of these attacks rely on people’s lack of knowledge or, as the hackers would call it, their stupidity.
I was once able to ask a thief caught by the police:
Q: Why do you defraud people?
A: Because they are stupid
Q: Why do you say they’re stupid ?
A: Because they really are, d’oh, he replied.
You know you’re not stupid and so do I. Protect yourself by paying attention to all the warnings and the chances of getting burned will be extremely low. Don’t reinvent the wheel, just follow the simplest way.
Do you think you are now equipped to avoid each and every phishing attempt that comes your way? Find out with SonicWall’s phishing knowledge test.