Phishing and methods of protection from it

The most popular form of fraud on the web at the moment is phishing. Cybercriminals use fraudulent websites, keyboard interceptors (key-loggers), e-mail messages composed according to the rules of social engineering, and so on. Each day these methods become more diverse and more dangerous.
According to the Internetua.com website, citing the APWG report (Anti-Phishing Working Group, Phishing Activity Trends Report, 2nd Half), the number of resources aimed at the theft of personal data increased tenfold in the second half of last year.

In June of this year, the Department of External and Public Relations of the Central Bank of Russia announced the appearance in the Russian segment of the Internet of sites that mimic the web presence of existing credit institutions. The design and domain names of these sites most often closely resembled the official websites of the respective institutions. Users who visit these resources are offered knowingly fake contact details and bank account details. Using these details and entering into business relations with the operators of such sites carries a risk and can have disastrous consequences for customers, the Central Bank warns. This shows that phishing attacks are becoming an increasingly urgent problem, so it is worth examining their nature and the methods of protection against them in more detail.

Phishing, according to the definition given by Dr. Web, is a technique of online fraud that involves stealing personal, private information: for example, identity and bank card data, access passwords, and so on. With the help of mail worms and spam mailings, potential victims are sent letters purportedly from legitimate organizations. In these letters they are asked to visit a fake site and confirm PIN codes, passwords and other personal information, which the fraudsters will later use to steal money from the victim's account or to commit other crimes.

According to Websense, the most popular tool for creating phishing resources is the Rock Phish Kit. The current situation with phishing closely resembles the situation in malware writing several years ago, when malware construction kits first appeared.

The essence of phishing is as follows: the attacker deceives the user into handing over personal information (bank card details, user names and passwords for various resources, and so on). The defining feature of this type of fraud is that the user provides the information voluntarily. To achieve this, scammers make active use of social engineering.

Modern phishing can be divided into three types: online, mail-based and combined. The oldest is mail phishing: a letter is sent to the recipient's address with a request to send back some information.

Online phishing works according to the following scheme: scammers copy official resources, using similar domain names and the same design. Then everything is simple. A user who visits such a resource may enter his data there in full confidence that it will end up in reliable hands. In fact, this information ends up in the hands of cybercriminals. Fortunately, user awareness of basic information security measures is now growing, so this fraud scheme is gradually losing its relevance.
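The look-alike domains described above can be screened for automatically. The following is an added example (not from the original article): a small Python check that takes a URL extracted from an e-mail and classifies its host as the bank's own domain, a look-alike (the brand name buried in a foreign domain, or a one-character typo or homoglyph swap), or unrelated. The allow-list `LEGIT_DOMAINS` and the substitution table are constructed sample values for this example, not data from the page.

```python
from urllib.parse import urlparse

# Constructed sample allow-list for this example: domains the bank really uses.
LEGIT_DOMAINS = {"citibank.com", "examplebank.com"}
# Typosquat substitutions that make a fake host read like the brand.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

def hostname(url: str) -> str:
    """Lower-cased host of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'citibank.com'. Simplification: no public-suffix
    list, so multi-part TLDs such as .co.uk are not handled specially."""
    return ".".join(host.split(".")[-2:])

def normalize(label: str) -> str:
    """Undo common look-alike character substitutions before comparing."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str, legit=LEGIT_DOMAINS) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the host in a URL."""
    host = hostname(url)
    reg = registrable_domain(host)
    if reg in legit:
        return "legit"
    brand_label = normalize(reg.split(".")[0])
    for good in legit:
        brand = good.split(".")[0]
        # Brand name buried in a foreign domain, e.g. citibank.com.verify-account.net,
        # or a one-character typo / homoglyph swap of the brand, e.g. c1tibank.com.
        if brand in host or edit_distance(brand_label, brand) <= 1:
            return "lookalike"
    return "unrelated"
```

Internationalized (punycode, `xn--`) hosts are not decoded here; a production filter would also consult a public-suffix list and a homoglyph table covering non-Latin scripts.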

The third type is combined. Its essence lies in creating a fake website of a real organization and luring potential victims to it. Here the attackers prompt users to perform certain operations themselves. Warnings about such resources appear on the Internet almost every day, which has made these fraud methods widely known. For this reason scammers have increasingly turned to key-loggers: special programs that record the user's keystrokes and send this information to pre-configured addresses.

In the CIS, the first phishing attack was recorded in 2004. It was aimed at the clients of the Moscow branch of Citibank.

VISHING.

The first case of this Internet fraud was recorded in 2006. It is a kind of phishing carried out with the use of war diallers (auto dialers) as well as Internet telephony (VoIP). With this type of fraud, intruders gain access to personal information such as passwords, identification and bank card data, and so on. The fraud scheme differs little from phishing: users of a payment system receive e-mail messages supposedly from its administrators, recommending that they send in their passwords and account details. But whereas in phishing a link to a fake site is attached, in vishing the user is invited to call a landline number. When the user calls, a recorded message asks him to disclose his confidential data. The difficulty in uncovering this type of fraud is that the development of Internet telephony allows calls to a landline number to be redirected anywhere in the world, and the caller will not even suspect it.

Secure Computing has reported the most sophisticated variant of the vishing scheme: e-mail was not used at all. The attackers programmed a PC to dial telephone numbers from a database and play a pre-recorded message warning the subscriber that his credit card information had fallen into the hands of scammers, so that he needed to enter the card number from the telephone keypad.

Using VoIP can significantly reduce the cost of telephone communications, but it also makes a company much more vulnerable to attack. Banks and other organizations that use IP telephony for voice communication may be subjected to a vishing attack, against which there is as yet no protection. This was stated in particular by The Grugq, an information security expert who gave a presentation on fraud at the Hack In The Box Security Conference (HITB) in Malaysia. "Attackers will be able to freely enter banking networks and exercise control over bank telephone channels," says The Grugq. According to him, vishing attacks via VoIP will occur before the end of 2009. Scammers will have full access to confidential information, including bank account information and credit card numbers. Only a professional in the field of information security can prevent this. "Theoretically, the customer calls the bank, and the phone line is already under the control of hackers," says The Grugq. In this case the fraudster asks the caller to provide some credentials in order to reach the bank's support service.

"There is no technology that can guarantee companies protection from this problem," the expert is certain, noting that existing systems cannot detect a VoIP attack. To organize one, attackers need only standard software for billing telephone conversations and for IP telephony.

According to Secure Computing, scammers configure a war dialler that dials numbers in a particular region. When a call is answered, the following occurs:

• A recorded message informs the user that fraudulent operations are being carried out with his credit card and recommends that he quickly call back at a certain number.
• When the victim calls back at that number, he is answered by a "computer voice", which says that the user must confirm the card by entering its number from the telephone keypad.
• Once the card number is entered, the fraudster obtains all of the associated information (address, phone number, full name).
• During the same call, the visher can collect further details, such as the card's expiry date, PIN code, bank account number and date of birth.

How can you protect yourself from this type of fraud? A few simple rules will keep you safe:

• All credit institutions address the client by first and last name, whether by e-mail or by telephone. If the message does not address you by name, it is most likely fraudulent.
• Never call the number suggested in a message to check the security of your bank account or credit card. Every payment card bears the bank's own telephone number; that is the number you should call.
• If the caller claims to be your provider and asks questions about confidential data, he is most likely a fraudster.