SoFunction
Updated on 2025-04-09

Comprehensive analysis of a new cybersecurity threat: "phishing" attacks

What is phishing?

The term "phishing" combines "fishing" and "phone". Because the earliest hackers committed their crimes over the telephone, the "Ph" of "phone" replaced the "F" of "fishing", giving "phishing".

"Phishing" attacks use deceptive emails and fake Web sites to conduct fraudulent activities, and the victims often disclose their financial data, such as credit card numbers, account user names, passwords and social security numbers. Scammers often disguise themselves as trusted brands such as well-known banks, online retailers and credit card companies, and up to 5% of all users exposed to scam information will respond to these scams.

In the United States and the United Kingdom, organizations specializing in anti-phishing have begun to appear, and more and more online companies, technology companies and security agencies are joining their ranks. For example, Microsoft and Dell have announced that they are appointing project analysts or launching user education programs, and Microsoft has donated $46,000 worth of software to assist in the prevention and control of "phishing".

User Self-Defense Guide

1. Ordinary consumers:

Security experts' tip: the best way to protect yourself does not require much technology.

1. Ignore emails that ask you to re-enter your account details, for example under the threat that your credit card account will otherwise be suspended.

2. More importantly, do not reply to the email or click the links in it. If you want to verify what the email says, use the phone rather than the mouse; if you want to visit a company's website, type its address into your browser directly rather than clicking a link in the email.

3. Pay attention to the URL. Most legitimate websites have relatively short URLs, usually ending in .com or .gov, whereas counterfeit sites usually have long addresses that merely contain the legitimate business's name somewhere (or do not contain it at all).

4. Avoid opening emails and files of unknown origin, install antivirus software, keep the virus signature database and operating system patches up to date, protect any sensitive information you enter, and enable a personal firewall.

5. When using online banking, use online vouchers and pre-agreed (registered) accounts for transfer transactions. Do not make online transactions or transfers from Internet cafes, public computers or unknown underground websites.

6. Most "phishing" emails are in English. Unless you applied for the service abroad, you should be receiving emails in Chinese.

7. Forward suspicious software to a network security agency.

Finally, a reminder: anyone who has unfortunately been caught should change their passwords and cancel their credit card as soon as possible.

2. Commercial institutions

1. To avoid being impersonated by "phishing", the most important thing is to make the website harder to imitate. Specific measures include no pop-up ads, no hidden address bar, no frames, and so on. This kind of prevention is essential because once a "phisher" exploits the company's name, the company itself will be implicated, so it should prepare before the flood arrives.

2. Strengthen user verification methods and improve users' security awareness.

3. Deal with user feedback promptly and actively crack down on counterfeit websites and related illegal activity. When the customer service center receives complaints such as "Why do I have to enter my account and password twice every time I log in?", consider the possibility of "phishing": a phishing page usually "hijacks" the first set of credentials and then sends the user on to log in again at the real page.

4. Of course, installing antivirus software and firewalls, upgrading and patching promptly, strengthening employee security awareness, and keeping in close contact with security vendors are also essential.

Finally, a reminder: once a company discovers it is being impersonated, it should first get the fraudulent web page taken down. Sometimes this is not a simple or quick job.

Countermeasures

Step 1: Education

In interviews conducted by the US publication "Cyber World", every large online company put "appropriate education of users" at the top of its response to "phishing". Citibank has a prominent link at the bottom of its homepage reminding users about email scams.

He Gongdao said: "phishing" is also a matter of "willing to take the bait". The reason it keeps happening is that people have a weak sense of prevention. If everyone's security awareness stays at its present level, there will be more and more "phishing" incidents. Wang Hongyang said: Improved user security awareness can reduce the risk of "phishing". Strictly implemented security strategies, good security habits, and improved security technologies can greatly reduce the chance of "phishing" succeeding.

However, before completing this article, the reporter browsed many domestic commercial websites and found no prominent tips about "phishing", or even about security in general, let alone any verification methods.

In the United States and the United Kingdom, anti-phishing groups have begun to appear, such as APWG, founded last November, and the Trusted Electronic Communications Forum (TECF), founded in June this year; their purpose in educating users is to stop, or at least reduce, "phishing" attacks.

Step 2: Verify

In addition to education, online brands should also give users a simple, easy way to verify legitimate emails. eBay, which is frequently impersonated, warns that even if the sender address begins with "support@" or "billing@", the email may not be from eBay.

Because "phishing" is also a kind of spam, the same spam-processing tools can be used to filter web pages and emails. Trend Micro will launch IWSS 2.0, which includes an anti-phishing technology called PhishTrap that filters emails using a database of scam-website characteristics.

In addition, banks have begun digitally signing the emails they send. Advances in technology now make it easier to "verify that the sender is who they claim to be": if a phisher tries to forge a digital signature, the recipient receives a warning. Of course, users must learn to recognize electronic signatures.

Broader global verification projects include the Sender Policy Framework (SPF), Yahoo's DomainKeys proposal and Microsoft's Caller ID. However, it will take time to perfect these methods, and they need to be widely adopted by online companies.

Step 3: Confirm

Web sites also need confirmation mechanisms to prove their legitimacy. For example, CoreStreet, an identity-verification company, recently posted a free browser add-on called Spoofstick on its website. When the user is on a legitimate site, a prominent notice appears below the URL box reading "You're on ..." with the site the user is actually on; if the user has been tricked onto a fake site, the notice will instead say something like "You're on 10.19.32.4."

eBay has added a new service to its toolbar called Account Bodyguard. It tells users whether they are on legitimate eBay and PayPal sites. If a user enters their eBay password on an unconfirmed website, eBay will also send the user a warning letter.

Step 4: Block

Some ISPs can also prevent users from being directed to Web sites with a bad reputation. For example, when AOL's customers report that they have received spam, the links in that spam are added to a list of blocked sites; when users click these links, an error page is shown instead. But this technique also has the potential to block legitimate links that provide real commercial services.

US provider EarthLink launched a toolbar with anti-"phishing" functions on April 19. When a user tries to visit a confirmed scam website, the toolbar issues a warning and redirects the user to EarthLink's own web page. Websense, which started out in website blocking, has also added "phishing" and malicious websites to the categories it blocks.

Step 5: Monitor

EarthLink also uses a service that warns when someone registers a name similar to its brand, so that it can check whether the site will be used to impersonate EarthLink in "phishing" attacks.

On June 21, Mastercard International and NameProtect announced a partnership to combat "phishing", using NameProtect's technology to detect online crime in real time by monitoring domain names, web pages, bulletin boards and spam. Such surveillance can significantly reduce the number of victims.

Recognition

Means: Coercion and temptation

"Phishing" uses deceptive emails and fake Web sites to conduct fraudulent activities. The victims often disclose their financial data, such as credit card numbers, account user names, passwords and social security numbers.

The main trick of "phishing" is to counterfeit a company's website or email and tamper with the program code in it. If the user believes it is genuine and fills in important personal information by following its links and instructions, that information is sent to the scammer.

"Once these online scammers have spread their bait (the email) across the internet, they wait for victims to take it." According to Gartner, because scammers often disguise themselves as trusted brands such as well-known banks, online retailers and credit card companies, up to 5% of all users exposed to scam messages will respond to them.

Scammers usually rely on "coercion and inducement", creating all kinds of pretexts ("themes"). For example, the earliest "phishing" incident to attract widespread attention was a virus that appeared last November, disguised as a message from the PayPal website, stating that the recipient's account would expire in 5 working days and requiring the user to update their personal information before the account could be reactivated. Another example: on July 20, a malicious website disguised itself as Lenovo's homepage. It replaced the digit 1 with the letter L in the address, used various IE vulnerabilities to plant * viruses, and spread the false news that "Lenovo Group and Tencent are jointly giving away QQ coins" to lure more users into visiting the site and becoming infected.
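The URL checks described above (the bare IP address that Spoofstick exposes, a brand name buried in a long address as in the consumer tips, and the digit 1 standing in for the letter L in the Lenovo case) can be combined into a simple defensive inspector. This Python example is added here and is not from the original article or any tool it mentions; the trusted-domain table, the two-label suffix list and the 60-character length threshold are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands the article names as commonly impersonated, mapped to the domain we
# treat as genuine. Assumption for this example, not an authoritative list.
TRUSTED = {
    "ebay": "ebay.com",
    "paypal": "paypal.com",
    "citibank": "citibank.com",
    "lenovo": "lenovo.com.cn",
}
# Look-alike substitutions: the article's "1 for L" trick plus 0-for-o.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
# Public suffixes made of two labels; a real tool would use the public-suffix list.
SECOND_LEVEL = {"com.cn", "co.uk", "com.au", "co.jp"}
LONG_URL = 60  # assumed threshold for an "unusually long" address


def registrable_domain(host):
    """Return the owner-controlled part of a host name, e.g. www.ebay.com -> ebay.com."""
    labels = host.rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in SECOND_LEVEL else 2
    return ".".join(labels[-n:])


def inspect_url(url):
    """Return a list of warnings; an empty list means no heuristic fired."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)          # bare IP, as in "You're on 10.19.32.4"
        warnings.append(f"host is a bare IP address ({host}), not a brand domain")
        domain = host
    except ValueError:
        domain = registrable_domain(host)
    for brand, real in TRUSTED.items():
        if domain == real:
            continue                        # genuinely on the brand's own domain
        if domain.translate(HOMOGLYPHS) == real:
            warnings.append(f"look-alike domain {domain!r} imitates {real!r}")
        elif brand in host or brand in parts.path.lower():
            warnings.append(f"{brand!r} appears in the URL but the site is {domain!r}")
    if len(url) > LONG_URL:
        warnings.append(f"URL is unusually long ({len(url)} characters)")
    return warnings


def is_suspicious(url):
    return bool(inspect_url(url))
```

These heuristics only flag the tricks the article describes; a URL that passes them is not proven genuine, which is why the advice to type the address yourself still stands.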

Current situation: Many people take the bait

In the past year, "phishing" has become rampant in countries such as the United States and the United Kingdom, and the number of incidents has risen sharply. According to a recent Gartner survey, 57 million U.S. consumers have received such counterfeit emails, and the direct losses from identity fraud and theft to U.S. banks, credit card companies and their users reached $1.2 billion last year.

Data from spam-filtering company Brightmail shows that the global number of phishing emails has grown rapidly over the past nine months, reaching 3.1 billion in April this year. According to a report by the British security agency MI2G, there were more than 250 "phishing" attacks on major banks, credit card companies, e-commerce sites and government agencies last year.

According to the latest statistics from the anti-phishing organization APWG (Anti-Phishing Working Group), about 70.8% of online fraud targets financial institutions, and the three most commonly impersonated companies are Citibank, eBay and PayPal.

Consequence: Crisis of integrity

"Financial institutions, Internet service providers and other service providers must seriously address the 'phishing' problem. If this bait attack cannot be greatly reduced, consumers' trust in online transactions will gradually be eroded, and eventually all participants in online transactions will be hurt."

"These attacks are destroying the entire e-commerce system—the credit of the way we operate," said David Jevans, chairman of APWG. Indeed, eBay and dozens of other companies that have been repeatedly attacked by "phishing" are worried that it not only damages the business, but also poses a huge challenge to customers and their confidence in e-commerce.

"Phishing" has begun to show its huge destructive power. Consumers' confidence in email has dropped to its lowest level ever, according to a Pew Internet & American Life survey. A recent Cyota survey of online bank account holders found that 74% of respondents said they were unlikely to respond to emails from banks because of the threat, and that they were less likely to shop online. This means that if legitimate businesses cannot stop their brands from continuing to be exploited for deception, they may partially or completely lose their online channels.

Of course, the brands of commercial institutions are also damaged. MI2G executive chairman DK Matai pointed out: "Although in many cases the brand owners are not at fault, these online brands should have sufficient capability, and put more thought into, preventing consumers from making mistakes." One APWG member company has been sued by customers over "phishing", on the grounds that it failed to fulfil its responsibilities.

Beyond trust, "phishing" also brings more direct losses to companies and individuals. If a scammer captures a user's credit card details, both the cardholder and the merchant are at risk. Moreover, issuing a new credit card, account and password for each affected user costs about $50, so if a large number of customers are caught, the cost is staggering.

Beware: genuine and fake are hard to tell apart

These deceptive emails and web sites are looking more and more "perfect" and more "trustworthy".

Cayce Ullman, chief technology officer of the information-encryption company PostX, said: "We came across a 'phisher' who used the eBay brand to commit fraud. It took me a full 25 minutes to determine that he was a real fraudster. Even we have a hard time distinguishing real from fake, so how can consumers?" What worries security experts most is that "phishers" use JavaScript to replace the address shown in the browser's URL bar, so that the displayed URL is identical to that of the impersonated company's official website.

Wang Hongyang, director of the professional service department of Green Network Technology, said: "The fragility of the browser itself has also increased confusion to a certain extent." He suggested that users can use other browsers to reduce risks.

Qi Jun, a technical consultant at Trend Micro China, suggested: if this is the case, you must use anti-phishing tools to guard against it, because what you see is the correct URL, but what the tool sees is the real machine code. He offers a "once-and-for-all method": never follow the link directly from the email.

What makes things hard for ordinary users is that "phishing", in order to achieve widespread fraud, is usually accompanied by viruses and *s, or, conversely, virus emails and *s often carry "phishing" content.