The Internet is a wonderful thing. When I was a kid my dad use to tell me that anything I wanted to know can be found in a book. While this still holds true, I find that anything I want to know can be found quicker on the Internet.
Even though the Internet is a great resource for improving one's knowledge about pretty much everything, it can also be a dangerous place for those that are not very computer savvy. Hell, even really savvy computer people can sometimes fall victim to cyber crime. One of the biggest, and easiest methods of cyber crime is Phishing.
For those of you living under a rock, according to Wikipedia:
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Basically an attacker will create a web page that looks almost just like a real website for a bank, or credit card company and lure you in to visit the fake page by sending you an email or something. A lot of time the emails look pretty real, and they will say something like they need to verify your account info, click the link and enter your account information. Bam! Now they have your bank information, credit card information, etc.
I found a site called the PhishTank that allows you to report known Phishing sites, and they put these sites into a database. Software vendors can then use their API to develop software to protect you from going to known phishing sites. Pretty cool huh? It's like a Spam Haus for Phishing!
From their page:
PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.
Here is a screen shot of a PayPal phishing page I found in the PhishTank:
Notice that not only the URL has nothing to do with PayPal really, but it is also not encrypted with SSL. Here is a screen shot of the real PayPal site, and you will notice that not only is their URL correct (www.paypal.com) but it also has an extended validation SSL certificate.
Even though to me, and you most likely, the above example site seems like it would be easy to spot by the fake address, the truth is most users don't pay enough attention. The site in the above example looks legit enough, so the user might not think twice about entering in their information. That's where a service like PhishTank shines! Companies can tie into their API, and automatically protect users like your Grandma from Phishing attacks. They can't do it alone though, they need your help.
The next time someone at your company sends you a suspicious email and asks if you think it's Phishing, check it out. If it is a Phishing site, report it to the PhishTank and help them, help the community. Join the fight, and together we'll put the phish back in the tank!
- 4 General Methods You Can Use To Detect Phishing Attacks
- GeekWord - Phishing
- How a Phone is Phished: New Infographic