Beating Online Fraudsters
This year's holiday period is predicted to generate more online sales than ever before. In the UK, Visa predicts a 39 per cent increase in e-commerce this Christmas. However, online consumers will be a very juicy target for cyber criminals using phishing and pharming to steal their identities and cash, so they need to be more careful than ever when they shop online.
Organised criminal gangs are targeting online consumers with ever more sophisticated blended phishing attacks, some of which even find out details of their interests and use them to generate phishing e-mails tailored to tempt them into giving away their identities. According to the Anti-Phishing Working Group, phishing is on the increase again: the number of newly reported phishing campaigns reached 15,820 in October, an increase of 127 per cent over last October.
In our day-to-day lives, both at home and at work, we are spending a great deal more of our time on our computers and on the internet. This familiarity with technology can regrettably make people more susceptible or, worse yet, more gullible. Today consumers seem to trust technology more than they do individuals. This level of blind trust in technology, combined perhaps with our less cautious nature around the holidays, can provide a target-rich environment for cyber criminals.
Last holiday season, phishers were relying on fairly basic socially engineered e-mails (albeit with very poor grammar and spelling) enticing consumers to "click here" on an embedded link within the e-mail, which directed the recipient to an illegitimate copycat Web site that looked identical to the real thing. Many Internet users were unknowingly divulging their most personal financial information to cyber criminals: PINs, credit card numbers, Social Security numbers, usernames and passwords.
As awareness has grown about phishing within the Internet community, the tactics used by phishers have evolved since the last holiday season to make it more difficult for the consumer to realise they are being duped. Automated URL obfuscation tools are more commonly being used now by phishers in their efforts to deceive would-be victims.
With a freely downloadable tool from the Internet, the phisher simply enters the URL of the legitimate Web site and then enters the address of the fake malicious Web site, with the tool automatically crafting a new socially engineered URL that includes the text from the legitimate URL as well as special characters that actually cause the URL to direct the browser to the fake malicious website. To the untrained eye this specially-crafted URL looks like the real thing.
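An added example, not part of the original article: a check that parses a link the way a browser does and reports the host it really points to. It assumes the obfuscation uses the "@" userinfo separator, one well-known form of the trick described above; the function name and all URLs are constructed for illustration.

```javascript
// Added example: flag links whose real destination differs from what the reader sees.
// All URLs below are constructed samples using reserved example domains and addresses.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Parse with the WHATWG URL class (the browser's own rules) and inspect the result.
function inspectLink(href, visibleText = "") {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { host: null, findings: ["unparseable"] };
  }
  const findings = [];
  // Everything before '@' in the authority is login data, not the destination.
  if (url.username || url.password) findings.push("userinfo-before-host");
  // Legitimate shops and banks are reached by name, not by raw address.
  if (IPV4.test(url.hostname) || url.hostname.startsWith("[")) findings.push("ip-literal-host");
  // Punycode labels can render as look-alike characters in the address bar.
  if (url.hostname.split(".").some((l) => l.startsWith("xn--"))) findings.push("punycode-label");
  if (url.protocol !== "https:") findings.push("not-https");
  // If the visible link text itself names a host, it must match the real one.
  const shown = visibleText.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i);
  if (shown && shown[1].toLowerCase() !== url.hostname) findings.push("text-host-mismatch");
  return { host: url.hostname, findings };
}

// Constructed samples: [href, text shown to the reader]
const SAMPLES = [
  ["http://www.bank.example@198.51.100.7/login", "www.bank.example"],
  ["https://www.bank.example/login", "www.bank.example"],
];
for (const [href, text] of SAMPLES) {
  console.log(href, "->", inspectLink(href, text));
}
```

A clean result only means none of these particular tricks is present; it does not vouch for the site itself.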
The use of embedded JavaScript and ActiveX applets is becoming more common in phishing e-mails. These scripts and applets can automatically place a graphic image of the expected legitimate URL on top of the address bar within the browser to hide the actual address that the browser is really being directed to. Simply put, it has become a necessity to validate the authenticity of any Web site you are visiting before submitting any personal information.
Right-clicking on a Web page within the browser will reveal a properties dialog box that provides the actual URL of the underlying Web page. You can quickly verify that the information being shown in the address bar within the browser matches the information shown on the properties dialog.
If phishing isn't bad enough, this year pharming will become an even bigger threat. Pharming is the technological evolution of phishing, and while it requires a more sophisticated and technically savvy cyber criminal, it is growing rapidly. Rather than a reliance on social engineering and simple browser tricks to steal your personal financial information, pharmers rely more upon their technical skills.
A skilful pharmer will take advantage of unpatched and vulnerable software, using worms and viruses to compromise Internet DNS servers or hosts files on personal computers, to transparently redirect consumers to illegitimate websites and harvest their personal financial information. Pharming eliminates any of the telltale signs that you have been directed to an illegitimate fake Web site.
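An added example, not part of the original article: because a tampered hosts file redirects silently, one defensive check is to scan it for entries that override the names of sites you bank or shop with. The sample file contents, the watch list and the function name are constructed for illustration.

```javascript
// Added example: audit hosts-file text for entries that override sensitive names.
// The sample file and the watch list are constructed for illustration.

function auditHosts(text, watched) {
  const hits = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/#.*/, "").trim(); // drop comments and blank lines
    if (!line) return;
    // Format: one address followed by one or more names, whitespace separated.
    const [address, ...names] = line.split(/\s+/);
    for (const name of names.map((n) => n.toLowerCase())) {
      // Match the watched domain itself and any subdomain of it.
      const match = watched.find((d) => name === d || name.endsWith("." + d));
      if (match) hits.push({ line: i + 1, name, address });
    }
  });
  return hits;
}

const SAMPLE_HOSTS = [
  "# constructed sample hosts file",
  "127.0.0.1       localhost",
  "::1             localhost",
  "203.0.113.45\tWWW.bank.example  bank.example   # unexpected entry",
  "192.0.2.10      intranet.corp.example",
].join("\n");

const WATCHED = ["bank.example", "cards.example"];

// A banking name should resolve through DNS, never through a local override.
console.log(auditHosts(SAMPLE_HOSTS, WATCHED));
```

This covers only the hosts-file half of pharming; a compromised DNS server leaves the local file untouched.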
Be on your guard this holiday season. Don't let phishers and pharmers become your Nightmare before Christmas. Here are some tips:
1. Be certain your PC's operating system is up-to-date with the latest security patches, as well as your anti-virus and firewall software.
2. No matter how official it looks, never click on an embedded URL contained in any e-mail. Manually enter the URL in your browser address bar for your banking and credit card Web sites.
3. Do not fill in forms contained within e-mail; your personal financial information should never be sent by e-mail. Only send your personal financial information via a secure Web site - verify that the URL contains https:// and that the closed lock appears on the lower right-hand side of the browser for a secure Web site connection.
4. Never click on an e-mail attachment unless you know the sender and you were in fact expecting to receive the attachment.
5. Monitor your banking and credit card accounts online and check for illegitimate transactions regularly.
6. Use an online credit monitoring service that offers alerts when there are any changes to your credit report, e.g. new accounts and purchases.
7. Register with a credit card security system that requires a password to authorise transactions, such as Verified by Visa or MasterCard SecureCode.
8. Do not use the auto fill facility on websites for credit card and other personal details.
9. Use alternative secure online payment systems such as PayPal.
10. Finally, common sense is your best defence. If it looks too good to be true, then it probably is.
BIOS, Dec 22, 05 | Posted In Security