A recent report by the Securities and Exchange Commission (www.sec.gov) indicates that phishing is on the rise. In fact, phishing is the kind of cybercrime an average user is most likely to encounter on a day-to-day basis. Phishing attacks rely on human vulnerabilities, which makes them more difficult to defend against than, for example, viruses. Although modern browsers and security suites incorporate anti-phishing technologies, it still pays to be aware of the most common phishing scams.
Still the most common form of phishing is the email in which a phisher impersonates a bank employee or another legitimate party and asks the recipient to click on a link and enter sensitive data. Typically, the links will appear to be valid but will actually direct the user to a forged website. Phishers count on users mistaking the fake site for the real one and entering login information, credit card numbers, bank account information and other valuable data.
Often, these emails will include a logo for the impersonated company or agency and may even contain some legitimate links to seem more convincing. In the past, many of these emails featured blatant “tells”, such as a generic salutation – “Dear customer,” or something similar – and even contained grammatical or spelling errors in the body of the text. However, a report issued in 2011 by the Anti-Phishing Working Group listed “spear-phishing,” or the targeting of a specific individual by addressing him or her personally, as a growing threat.
Security experts recommend some basic tactics to avoid becoming the victim of a scam email. Since banks and government agencies rarely contact people regarding account information or personal data by email, be suspicious of any email claiming to be from bank personnel or an agency such as the IRS, especially if it opens with a generic salutation or contains spelling or grammatical errors. If you receive such an email and think it might be legitimate, call your bank or the organization directly and ask. If there is a link in the email, manually enter the link address rather than clicking on the link.
A simpler tactic is to direct the user to a URL that closely resembles a legitimate web address, such as www.citybank.com, or to a sub-domain containing the name of the real company. For example, a link might point to www.bankofamerica.register.com, counting on the fact that some users will not realize that the registered domain is register.com, and not a Bank of America site.
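The two tricks above, a misspelled domain and a brand name buried in someone else's sub-domain, can both be caught mechanically by looking at the registrable domain of a link rather than at the whole hostname, which is also what the advice in the previous paragraph about typing an address by hand amounts to. The following is an added example, not code from the original post or from Checkmarx: it parses a link, works out which part of the hostname is actually registered, and flags the patterns described here. The brand allowlist, the two-entry stand-in for the Public Suffix List, the edit-distance threshold and the sample links are all constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption): brand keyword -> registrable domains that brand really uses.
BRAND_DOMAINS = {
    "citibank": {"citibank.com"},
    "bankofamerica": {"bankofamerica.com"},
}
LEGIT_DOMAINS = set().union(*BRAND_DOMAINS.values())

# Tiny stand-in for the Public Suffix List (assumption); real code should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that was actually registered, e.g. 'register.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter lookalikes such as citybank/citibank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, display_text: str = "") -> tuple[str, list[str]]:
    """Classify a link as 'legitimate', 'suspicious' or 'unknown', with the reasons found."""
    host = urlsplit(href).hostname or ""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate", []

    reasons = []
    # 'www.bankofamerica.register.com' -> 'wwwbankofamericaregistercom', so hyphen/dot tricks don't hide the brand
    squashed = re.sub(r"[.\-]", "", host.lower())
    second_level = reg.split(".")[0]
    for brand in BRAND_DOMAINS:
        # Brand name used as a sub-domain or label inside someone else's registered domain
        if brand in squashed:
            reasons.append(f"'{brand}' appears in hostname but the registrable domain is '{reg}'")
        # Brand name misspelled by a character or two in the registered domain itself
        elif len(second_level) >= 5 and edit_distance(second_level, brand) <= 2:
            reasons.append(f"'{second_level}' is a near-miss of '{brand}'")

    # Link text that shows one address while the href points somewhere else
    if display_text.startswith(("http://", "https://", "www.")):
        shown = display_text if "://" in display_text else "http://" + display_text
        shown_reg = registrable_domain(urlsplit(shown).hostname or "")
        if shown_reg != reg:
            reasons.append(f"link text shows '{shown_reg}' but href goes to '{reg}'")

    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample links, modelled on the cases described in the text
    samples = [
        ("https://www.citibank.com/login", ""),
        ("http://www.citybank.com/login", ""),
        ("http://www.bankofamerica.register.com/", ""),
        ("http://evil.example/x", "https://www.citibank.com"),
        ("https://example.org/", ""),
    ]
    for href, text in samples:
        verdict, why = classify_link(href, text)
        print(f"{verdict:10} {href}  {'; '.join(why)}")
```

The check deliberately works on the registrable domain: a hostname can contain any number of reassuring labels to the left of it, but only the registered part says who controls the site. A production filter would replace the two-entry suffix table with the real Public Suffix List and would also handle internationalised (punycode) hostnames, which this example does not.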
A variation on that tactic is referred to as a “Man-in-the-middle” (MITM) attack. These attacks occur when a phisher uses a fake site to capture data from the user, sends that data to the legitimate site, and then displays the data returned from the legitimate site on the fake page.
Taking the MITM attack to the next level, the so-called “evil twin” attack is a method by which phishers impersonate a legitimate wireless access point in an effort to glean login information and other sensitive data from nearby wireless users. Once the bogus access point is set up, it can be configured to pass users through to the legitimate access point in the hopes of gaining access to even more information. Because these attacks rely on the proximity of the phisher to potential victims, they can be effectively run using just a laptop with a WiFi card.
As early as 2005, PC World reported on this phenomenon, noting that attacks frequently occurred in typical “hotspot” areas such as cafes. With the dramatic increase in WiFi coverage, the popularity of WiFi hotspots, and the prevalence of powerful wireless devices, these types of attacks are a growing threat. Business travellers and users in areas such as airports and hotels are especially vulnerable, since these places see large numbers of transient customers, making it unlikely that a hacker would stand out from regular customers.
Evil twin scams can be difficult to detect since there aren’t many signs that would indicate to the non-technical user that something is amiss. Still, there are steps you can take to protect yourself, and to mitigate any harm should you fall victim to one of these attacks. Before you log on to any WiFi service, ask an employee for login instructions. They should be able to tell you the SSID of the wireless connection, as well as any security information you might need. Use your operating system and browser’s security features. All major operating systems and browsers offer security presets for wireless connections in public places such as libraries and cafes which make it more difficult for hackers to access your data. Some experts recommend getting one credit or debit card used solely for online activity in order to mitigate any financial repercussions should your card number be stolen, but the safest advice is to avoid carrying out any personal financial transactions in public spaces.
photo credit: ivanpw