Wednesday, October 3, 2012

Phish Tales - 2012

Going online offers great opportunities, but not without risks or threats.
  One of the most public threats is posed by the growth of "phishing", where someone asserts false claims or identities in an attempt to get users to do something: provide money or credit card information, hand over valuable personal information, or open files or visit websites that infect their devices with viruses under false pretenses.  A recent report from the Anti-Phishing Working Group shows that the number and variety of phishing attacks continue to increase, despite greater public awareness and improved detection techniques.
  One I've seen multiple times in the last year is phony emails claiming to be from our University's tech support, warning of potential problems and either requesting that users install "anti-viral software" or that they validate their account by providing user IDs and passwords.  Listed as #3 of the "6 Most Evil Phishing Scams of 2012", these have become prevalent enough to earn their own name: spear phishing.  They are designed to appear to come from a trusted internal or official source, sometimes using the correct titles and logos.  There has also been a rash of phishing attempts claiming to be from Microsoft's tech support, asking users to provide remote access to their computers so that "support" can fix some problem, seeking credit card information for payment of license fees, or directing users to spoofed sites.  There have been enough of these to earn this phishing attack a spot at #5.
  Number 1 on the list is establishing online email access sites that look like the real ones but with small variations in the URL, so that they come up when people mistype the address.  The sites then collect user IDs and passwords as individuals attempt to log in.  Some even redirect users and log them into the real site, so that the victims are never aware of the phishing attempt.
  Number 2 was using public social network details to gain the victim's trust.  My father almost fell for this one recently.  Someone used information from my nephew's Facebook page to identify relatives and noted from a post that he was traveling in a certain town.  My father then got a call from someone posing as a lawyer who claimed my nephew had been arrested there and asked for money to cover bail.  Luckily, he was able to contact folks and discovered the phishing tale was false before he had sent the funds.
  Historically, most phishing attacks have used email, but now they've expanded to SMS text messaging.  Some I've seen are spoofed claims of winning prizes or discount coupons, or messages appearing to come from service providers or other official sources.  What brings this to #3 goes beyond the new means of contact: most cellphones and mobile operating systems don't have the same level of protection from malware and attacks that most PCs have, so clicking on a link could give access to device and user information held by various programs and services on the device.  And replying to a number can be costly, since owners of numbers can set fees (which is how charities accept donations of set amounts by text or call to a certain number).  Phishers won't tell you about this, and the charges may not show up until your next bill, by which time they're long gone.
  Phishers have added a new twist in this election year, posing as candidates or affiliated interest groups (both real and fictitious) and soliciting donations or other forms of support.  But in terms of being evil, the Anti-Phishing Working Group gave the final spot, #6, to the FinFisher Trojan attacks, because this phishing attack was used by the government of Bahrain to target political activists, and the idea that a government would purposely seek to infect individuals' computers (possibly installing remote access or keystroke-logging viruses) is truly evil.  (On a level with an attempt by the music industry to get the legal right to hack individuals' computers to search for downloaded music files, a right I'm thankful Congress did not give them.)

  If you're online, you need to be aware of the problem of phishing and the various ways it can occur.  And if you're a media outlet on the Internet, you need to worry not only about you (and your employees) falling for phishing attacks, but also about the possibility that the website or firm the phishers are spoofing (posing as) is yours, and take steps where you can to make those attempts less effective.
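One concrete step a site owner can take against the lookalike-URL login sites described above is to watch for hostnames that sit only an edit or two away from their own domain. The following is an added example, not code from the original post; the protected domain and the observed hostnames are constructed for illustration.

```python
"""Flag hostnames that are small typos of a protected login domain.

Added example (not from the original post). Assumes the operator keeps a
list of legitimate hostnames and a feed of hostnames seen in web logs or
certificate issuance; all values below are constructed for illustration.
"""

PROTECTED = {"webmail.example-university.edu", "example-university.edu"}

# Constructed sample of observed hostnames (not real indicators).
OBSERVED = [
    "webmail.example-university.edu",   # exact match: legitimate
    "webmial.example-university.edu",   # transposed letters
    "webmail.example-univeristy.edu",   # transposed letters in second label
    "webmail.exampleuniversity.edu",    # dropped hyphen
    "webmail.example-university.co",    # different TLD: distance 3, not caught here
    "news.unrelated-site.org",
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(observed, protected=PROTECTED, max_distance=2):
    """Return (hostname, closest protected name, distance) for near misses.

    Exact matches are legitimate and skipped; anything within max_distance
    edits of a protected name is flagged for review.
    """
    hits = []
    for host in observed:
        h = host.lower().rstrip(".")
        if h in protected:
            continue
        best = min(protected, key=lambda p: damerau_levenshtein(h, p))
        dist = damerau_levenshtein(h, best)
        if dist <= max_distance:
            hits.append((h, best, dist))
    return hits


if __name__ == "__main__":
    for host, target, dist in lookalikes(OBSERVED):
        print(f"{host} looks like {target} (distance {dist})")
```

Pure edit distance misses a swapped top-level domain, so a separate check on the registrable domain's suffix is still needed alongside this one.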

Source:  6 Most Evil Phishing Scams of 2012, Information Week report available here
