Saturday, July 29, 2006

Top 5 Tips to avoid getting Phished

A number of technical solutions are currently being researched and explored to combat phishing. Still, user awareness remains a top priority: even with technical controls in place, phishing will thrive if users are not alert and aware of the threat. So I thought I would list a few tips which I feel are very important for any user to know and follow to avoid getting phished. Here are the rules to be followed,
  1. Do not respond to emails received on behalf of any bank or any other organization with which you do online transactions. Read them if you want to, but never click on any of the links in such emails or submit information in forms embedded within them; a link can display one address and lead to another. To carry out any transaction, always log on to the website directly by typing the complete URL in the browser (or by using a bookmark you created yourself).
  2. Since phone phishing is also on the rise, always be alert while revealing information over the phone. It is better not to entertain any calls made to you asking for personal information; instead, for all queries or services, call the organization yourself on a contact number you already know to be valid (for example, the one printed on your card or statement), never a number supplied in the call or in an email.
  3. Always keep the operating system and web browser of your system updated with all security patches. Microsoft Windows provides an automatic update feature which is quite efficient and should be enabled. Otherwise, visit http://windowsupdate.microsoft.com/ to install security patches manually.
  4. Use a good Anti-Phishing browser toolbar. Netcraft toolbar is my favorite and you can download it free from http://toolbar.netcraft.com/. You can see a review of a few toolbars here.
  5. Also use good anti-virus and anti-spyware software. Configure it for automatic updates and check the update status periodically. And yes, use a licensed copy; it does not cost much for home users.

Friday, July 21, 2006

Toolbars galore - Which one to choose?

Of late, anti-phishing toolbars have been catching my attention. These small utilities can be quite useful in protecting a user from a known phishing attack. But with so many different anti-phishing toolbars being launched, I thought of evaluating a few. I picked five popular anti-phishing toolbars for evaluation, namely the Anti-phishing Toolbar from Netcraft, Phishing Filter from Microsoft, ScamBlocker from Earthlink, TrustWatch from GeoTrust and the Anti-fraud Toolbar from Cloudmark. These toolbars were evaluated against a set of parameters which is shown in the image below.


Looking at the evaluation results, it is not difficult to see which tool has taken first place. The Netcraft Anti-phishing toolbar is definitely the most impressive and accurate in detecting phishing sites, followed closely by GeoTrust's TrustWatch. I used the following two recently found phishing URLs to test each toolbar's accuracy in detecting a known phishing attack,

http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html
http://adsl-71-132-90-121.dsl.sntc01.pacbell.net:81/update/

Netcraft's alerting mechanism is also better, as it displays a pop-up message, whereas the other tools rely on a visual icon on the toolbar which users may fail to notice if they are not alert. The pop-up message thrown by the Netcraft toolbar is shown below.



Netcraft also provides the most detailed analysis of the website, along with a risk rank calculated from a number of parameters. The help information available to users is also quite detailed.

One interesting feature that I found in the TrustWatch toolbar is the 'Personal Security ID', which is aimed at preventing toolbar spoofing by displaying a user-selected image or text on the toolbar. The idea is that a phishing page can draw a convincing picture of a "safe" toolbar inside its own content, but it cannot know the secret the user chose, so a toolbar without it is a fake. The text 'ABHISHEK' in the image below is the 'Personal Security ID' that I set during installation.



Microsoft's Phishing Filter is still in beta and has a lot of catching up to do. Cloudmark and Earthlink failed to detect the phishing sites, and their features are currently not very useful. So after all this evaluation, my pick is the Netcraft Anti-phishing toolbar. Keep in mind that all of these tools detect known phishing sites; a freshly launched site may not yet be on any list, which is why the tips in the post above still matter.

Monday, July 10, 2006

Phone phishing, now playing at Paypal

Ezhil Arasan tipped us to a more sophisticated phone phishing attack on PayPal users, reported by The Register. An email requests users to re-validate their account by calling a phone number, instead of visiting a website.

Unlike the earlier phone phish at Santa Barbara Bank and Trust, this one verifies the account details the victim has been lured into giving before hanging up.

We'd like to hear what new defenses are coming up to combat phone phishing. Will someone offer an "Immediate take down" of the phone recording? :)

Friday, July 07, 2006

Castlecops List of Top 20 Phished Brands

This morning Jose pointed out the list of Top 20 Phished Brands released by CastleCops. This list is for the month of May 2006 and includes brands which have traditionally been targets of phishing, such as PayPal, eBay, Bank of America, Barclays and Wells Fargo.

You can see the complete list of Top 20 phished brands here. It also gives an approximate count of attacks against each brand. It is interesting to see all these statistics.

Tuesday, July 04, 2006

Revisiting 'Referer' Analysis

In the last post on 'referer' analysis, we discussed how 'referers' in the web server access logs can be analyzed to detect a phishing attack. But manual analysis of web server logs can be difficult and time consuming. However, there are a number of tools which can be used for effective and fast analysis of web server logs.

One such versatile tool is SAWMILL. Once the web server access logs have been processed using SAWMILL, a list of referer entries can be generated, which would appear as shown in the figure below.


The 'referers' can then be analyzed for suspicious entries, such as the presence of an IP address or the organization's name in a host that is not ours. These show up because a phishing page usually hot-links images and style sheets from the real site, so every victim's browser reports the phishing page's URL as the referer in our logs. See the previous post here to understand a suspicious referer. If a suspicious referer is found, that link can be followed and analyzed further. Two caveats: the referer is supplied by the client and can be stripped or forged, so its absence proves nothing; and to be effective in detecting a phishing attack, the log analysis has to be a regular activity, not a one-off.
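The same referer checks described above, automated, as an added example that is not part of the original post and not SAWMILL's own logic. It parses Apache/nginx "combined" format log lines and flags referers from foreign hosts that are IP literals, use a non-standard port, carry one of our brand names, or have a login-like path. The site domain (examplebank.com), the brand list and the log lines are all assumptions constructed for the example; the first two referers are the two phishing URLs quoted earlier on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: client, ident, user, time, request,
# status, size, referer, user-agent.
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Assumptions for the example: the monitored site's own domain and the brand
# names a phisher would put into a look-alike URL.
SITE_DOMAIN = "examplebank.com"
BRAND_NAMES = ("examplebank", "paypal")
LOGIN_PATH_RE = re.compile(r"(login|signin|webscr|update|verify|secure|account)")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_reasons(referer):
    """Reasons a referer looks like a phishing page hot-linking our content.

    Returns an empty list for blank referers and for our own pages."""
    if not referer or referer == "-":
        return []
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if not host:
        return []
    if host == SITE_DOMAIN or host.endswith("." + SITE_DOMAIN):
        return []  # navigation within the real site
    reasons = []
    if is_ip_literal(host):
        reasons.append("ip-address host")
    if parts.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % parts.port)
    # Only host and path are checked for the brand name: a search engine's
    # query string legitimately carries it, so "?q=examplebank" is not a hit.
    host_and_path = host + parts.path.lower()
    for brand in BRAND_NAMES:
        if brand in host_and_path:
            reasons.append("brand name '%s' on foreign host" % brand)
    if LOGIN_PATH_RE.search(parts.path.lower()):
        reasons.append("login-like path on foreign host")
    return reasons


def find_suspicious_referers(lines):
    """Aggregate suspicious referers across a log: referer -> {count, reasons}."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec["referer"])
        if reasons:
            entry = hits.setdefault(rec["referer"], {"count": 0, "reasons": reasons})
            entry["count"] += 1
    return hits


# Constructed sample log lines (not real traffic). The first two referers are
# the phishing URLs quoted earlier on the page; the rest are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2006:08:12:33 +0530] "GET /images/logo.gif HTTP/1.1" 200 4321 '
    '"http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html" "Mozilla/4.0"',
    '10.0.0.6 - - [10/Jul/2006:08:13:01 +0530] "GET /images/logo.gif HTTP/1.1" 200 4321 '
    '"http://adsl-71-132-90-121.dsl.sntc01.pacbell.net:81/update/" "Mozilla/4.0"',
    '10.0.0.7 - - [10/Jul/2006:08:14:10 +0530] "GET /css/site.css HTTP/1.1" 200 812 '
    '"http://203.0.113.7/examplebank/signin.html" "Mozilla/4.0"',
    '10.0.0.7 - - [10/Jul/2006:08:14:11 +0530] "GET /images/logo.gif HTTP/1.1" 200 4321 '
    '"http://203.0.113.7/examplebank/signin.html" "Mozilla/4.0"',
    '10.0.0.8 - - [10/Jul/2006:08:15:42 +0530] "GET /login HTTP/1.1" 200 5120 '
    '"https://www.examplebank.com/" "Mozilla/4.0"',
    '10.0.0.9 - - [10/Jul/2006:08:16:05 +0530] "GET / HTTP/1.1" 200 7000 '
    '"http://www.google.com/search?q=examplebank+login" "Mozilla/4.0"',
    '10.0.0.10 - - [10/Jul/2006:08:17:30 +0530] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ref, info in find_suspicious_referers(SAMPLE_LOG).items():
        print("%3d  %s\n     %s" % (info["count"], ref, ", ".join(info["reasons"])))
```

Run against the sample, it reports the three foreign referers and ignores the site's own pages, the search-engine referer and blank referers. Hot-linked static files (logo, style sheet) are the best place to look, and the hit count per referer gives a rough idea of how many victims have already loaded the phishing page.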

Immediate Site Take Down at Fraud Watch

Bhaven pointed us to Fraud Watch International's "Immediate Site Take Down" service. For $200, this Australian company guarantees to take down a phishing site within 24 hours. I wish they gave more details of what exactly they do. I haven't seen a similar claim before for $200.

There's a very active list of phishing alerts on the company's site. The alerts, like this one for Wachovia Bank, give screen shots of the phishing email and/or website. An RSS feed is also available.

I liked the simple, straightforward tutorial on the different ways phishers fool users. It too includes screen shots of some of the attacks.

For our readers from the wrong side, check out if your name appears in their scam operatives list ;-)