How to spot a phishing attack and what can happen if you don't

Krish Vitaldevara and Windows Live Staff
Credit: Kasperbs

In part two of our phishing special, we're taking a look at the anatomy of a phishing attack, as well as what cybercriminals hope to get out of the deal if you're successfully phished.

Phishing attacks all have one feature in common: someone is trying to get personal information from you. So in one sense the easiest way to avoid being phished is to never share any personal, and particularly financial, information online. But if you want to use online services such as internet banking or shopping, you do have to hand over some of these details, so the important thing is to know what to look out for.

Short of an outright ban on sharing this kind of information online, there is one simple rule that stops most phishing: never share these details via email, even if the request comes from an official-looking address complete with logo and letterhead. As online security expert James Turner told us previously, no "legitimate company" will ever send you an email asking you to share your bank account number, address or phone numbers over email.

So what should we be looking out for? Here's a run-through of some of the most common forms of phishing attack.

Attacks that rely on forging identities
In one of the most common types of attack, the attacker changes the display name associated with an e-mail address to a trusted, familiar name, for example "Windows Live Customer Support" or "Commonwealth Bank", even though the actual address is still something like "yourfriendlyspammer@live.com". Most mail programs show the display name far more prominently than the address behind it, so if you're not paying attention it is easy to mistake a message like this for a genuine request from Windows Live or your bank. The check is to look at the real address, not the name: a bank or support team does not write to you from a free webmail account.

Attacks that use stolen accounts
In a variant of phishing, the attacker uses a previously compromised account to send a link to everyone in that account's contact list. If you unknowingly click the link, you land on a spam, phishing, or malware download site. As you can imagine, an e-mail that arrives from a friend's account significantly increases the credibility of the message, and with it the likelihood of a successful attack. So watch out for odd or uncharacteristic e-mails that come from a friend's account, and if in doubt, ask the friend through another channel before clicking anything.

Attacks that ask you to provide credentials via phone
In a typical phone phishing scam, the scammer directs you to call a "customer support" phone number, claiming that your account will be closed or some other problem will occur if you don't. A person or an automated voice system waits to take your account number, personal identification number, password, or other valuable personal data. Never use a number supplied in the message itself; call the number printed on your card or statement, or the one published on the company's official website.

Attacks via forged websites
Many phishing attacks will convince you to trust them by including official-looking logos or other identifying information copied directly from legitimate websites. A common trick is to register a web address that resembles the name of a well-known company but is slightly altered by adding, omitting, or transposing letters, or by combining the name with another word. For example, "www.microsoft.com" could appear instead as "www.micosoft.com", "www.mircosoft.com" or "www.verify-microsoft.com". Remember that the part of the address that matters is the registered domain just before the first single slash: "verify-microsoft.com" is an entirely different domain from "microsoft.com", no matter how familiar it looks.

Attacks using social engineering
Sometimes a scammer will include convincing details about your personal life taken from your social networking pages. It is easy to believe you are getting an email from a friend who wants to reconnect, and to hand over personal information without thinking.

Once the attackers have your credentials they typically use the account for various things:

They can use your account to send more phishing or spam messages
These could go out to people on your contact list. The response rates to campaigns sent from stolen e-mail accounts are far higher than those of traditional campaigns because of the inherent trust your contacts place in e-mail with your name on it. Alternatively, your email ID could be used for broader spamming, since a previously clean account lets them evade abuse-detection technology for a while.

They can sell or use information from other accounts that you've linked to the stolen e-mail account
If you've used the same password for other financial services, merchant sites and so on, the impact could be very far-reaching, since the attacker will try the stolen credentials against those sites too.

They can sell it
The resale value of a legitimate web mail account like yours is $2 a pop on the black market—twice the amount they can get for a credit card.

Krish Vitaldevara is a member of the Windows Live Hotmail team and a contributor to Windows Live Wire.

© 1997-2010 ninemsn Pty Ltd - All rights reserved