Phishing for Dollars

You just received a notice from PayPal informing you that a new e-mail address has been added to your account.  Not having authorized any additional users on your account, you click on the link that will take you to the PayPal website.  In order to access your account you are asked to log in and are prompted for your username and password, which you enter before hitting the login button.  You have just bitten the baited hook and become one of a growing number of phishing victims.

This is not the kind of fishing you did with Grandpa down at the local lake.  The old fishing hole has been replaced with a computer, the nylon fishing line with copper wire and fibre optics, the bait has gone from worms to fear, and the reward has changed from a 5 lb trout to your bank account.

Phishing is the impersonation of official organizations such as banks, credit card companies, or online businesses in order to acquire personal information such as login usernames and passwords, social security numbers, mother’s maiden name, etc.  You don’t have to be a financial expert to figure out what damage can be done when you give malicious outsiders control over your bank accounts.

Most phishing expeditions can be likened to trawling: dragging a net behind your boat hoping to catch a lot of marketable fish.  Phishers choose an institution, create a bogus website that looks identical to the real site, and then send out thousands of e-mails purporting to be official correspondence.  These inform the victim that there are irregularities with their account and carry links to the counterfeit site, where the victims are asked to verify their account and their identity.  This is why you will get e-mail alerts from banks and other organizations that you do not do business with.  Fortunately, correspondence from institutions you have no affiliation with is easy to ignore.  As people become more aware of phishing, the phishers are being forced to adapt their methodology.  A newer incarnation has the user follow a link to a legitimate secure site; to increase trust, they are not asked to log into their account on this visit.  A couple of weeks later the user gets a similar e-mail, but this time when they follow it they are asked to change their password.  In order to be able to do this they must first substantiate that they are who they say they are, and the only way to do that is to enter their security information.

When phishing first started, only large institutions were targeted.  Of all the e-mails sent out, a large percentage reach people who do not do business with the targeted organization, and of those who do, most will either ignore the e-mail or call the organization on the phone (it is estimated that only 5% actually take the bait).  Now, because of the profit that even a few victims can bring, phishers are targeting the users of even small regional banks with as few as 11 branches.  This is known as ‘puddle phishing’.

Apart from the monetary damages inflicted on victims, the other offshoot of phishing is the eroded trust in the companies that the phishers use to bait their hooks.  Companies like Earthlink, AOL, PayPal, and Citibank have all had their credibility damaged by being the bait of phishing attacks.

A newer, more sophisticated threat exploits vulnerabilities in legitimate Web pages to lure unsuspecting users to URLs hosted on legitimate web sites.  Phishers add their own code in order to append their own content to the sites or redirect users to other fraudulent sites.  This is known as a cross-site scripting attack.

PayPal recently had to update the coding on its Web site to block this vulnerability when it found that phishers based in South Korea had been using it to rip off its members.  On the altered PayPal page, users were presented with a message secretly injected onto the site telling them that their accounts had been locked due to unauthorized access and asking them to wait while they were redirected to an account "resolution center" where they were properly fleeced.

There are a number of ways to avoid becoming the catch of the day.  Check the URL in the browser address bar: a secure site will have ‘https://’ in front of the address and a lock icon on the status bar at the bottom of the page.  Seeing this on a web page does not assure you that this is not a bogus site; it just means that the site is encrypting its traffic to and from your browser.  The more sophisticated phishers will have the ability to encrypt their sites.  Another thing to do is move the mouse over a link, either a button or a text link, and check the address in the status bar.  Phishers will try to make the address look as legitimate as possible.
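
The checks above (is the link https, does its real address belong to the institution, does the address shown in the link text match where it actually goes) can be run over the links in an e-mail body.  The following is an added example, not code from the original article; the message it scans is constructed, the domain accounts-verify.example is a made-up lookalike, and registered_domain is a deliberate simplification that ignores multi-part top-level domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that is itself an address (with or without a scheme) must match its href
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores multi-part TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_warnings(html, claimed_domain):
    """One warning per suspicious link; an empty list means nothing was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme != "https":                      # article's first check
            warnings.append(f"{href}: not https")
        if registered_domain(host) != claimed_domain:     # where the link really goes
            warnings.append(f"{href}: host is not {claimed_domain}")
        shown = URL_LIKE.match(text)                      # what the link pretends to be
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            warnings.append(f"{href}: link text shows {shown.group(1)}")
    return warnings

# Constructed sample message in the style the article describes (not a real e-mail)
SAMPLE = ('<a href="http://accounts-verify.example/login">https://www.paypal.com/</a>'
          ' or contact <a href="https://www.paypal.com/help">support</a>')
```

Calling link_warnings(SAMPLE, "paypal.com") flags the first link three times (not https, wrong host, link text points elsewhere) and the genuine support link not at all.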

Perhaps the most effective way to determine whether or not you are on a spoofed site is to log in with a phony username and password.  If you are granted access you can be assured that you are not on your intended site.
