Protect Yourself Against Phishing and Identity Theft

by Peter Mok

Background

The sophistication of IT crime increases as technology advances. Scams have become widespread and rampant through the popular use of the Internet and email. Among all IT crimes, phishing and identity theft dominate[1]. Phishing is a high-tech scam that uses spam email or fake web pages to deceive consumers into disclosing their credit card numbers, bank account information, identity numbers, passwords, and other sensitive personal information[2]. It is the fastest growing Internet attack, and everyone is at risk, since unsolicited email and fake web sites are now encountered almost daily. Phishing attackers are becoming more sophisticated in their use of social engineering skills, and reach every corner where there are Internet users.

This article tries to summarize the resources related to phishing attacks and suggests what you can do to minimize your risks.

How Serious It Is

"By the end of December 2004, Symantec Brightmail AntiSpam antifraud filters were blocking an average of 33 million phishing attempts per week, up from an average of 9 million per week in July 2004. This represents an increase of over 366 percent."[3]
As reported by AntiPhishing.org (APWG), in the month of October 2005 alone, the number of unique phishing reports received was 15820 and the number of brands hijacked by phishing campaigns was 96[4]. Gartner has estimated that phishing cost banks and credit card companies $1.2 billion in direct losses in 2004, and that nearly 1 million users have suffered identity theft from these activities[5]. Phishing attacks are highest in the US (around 28%) and China (around 32%), as reported by APWG based on information collected by WS Labs in December[6].

Phishing is attractive to scammers because of its high financial gain[7], its ease of deployment, its ease of reaching the masses, and its relatively low risk.

Know the Way Phishers Launch an Attack

There are millions of unprotected PCs and poorly managed servers that phishers can take advantage of. Once these are seized, scammers can implant malicious code, start spam tools to broadcast spam, and start web utilities to serve fake pages. It is all too easy to fake a web site by copying all the graphics and code from a genuine site. These web sites deceive visitors into handing over their personal information.

More sophisticated scammers implant malicious programs such as key-loggers or similar Trojan programs on victims' PCs to collect stored information and log their activities. Others use instant messaging to lure users, exploit software vulnerabilities on users' computers, or cache-poison a weakly protected DNS server so that a network connection originally between two parties now routes through the attacker's computer, making all data sent or received over that connection equally accessible to the attacker. Scammers are even refining their attack methodologies with bot nets, where a bot (short for robot) is a compromised computer with automated software installed by the hacker. Many bots can logically form a bot network (bot net) by connecting to a single computer that serves as a controller. Via the controller, they can simultaneously launch one or more attacks, using the automated software already installed, against one or more networks on the Internet.

Phishing does not rely on technology alone. In most cases, social engineering techniques are used instead. To list a few: messages that seem legitimate or use Internet addresses that closely resemble legitimate ones; messages that look urgent, important and highly confidential; messages that claim to verify your identity or provide security updates. Sometimes they also bet their success on victims' greed or fear[8].
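Two of the tells just described, a link whose visible text names one site while the href points at another, and an address that merely resembles a legitimate one, can be checked mechanically before anyone clicks. The script below is an added example written for this article, not code from the author or from any of the sources cited; it parses a constructed HTML email body, compares the domain shown in each link's text with the domain the link actually targets, and flags hosts that embed a trusted brand name under a different registered domain or with digit-for-letter substitutions. The trusted-domain list, the substitution table and the sample email are all assumptions made for the demonstration.

```python
# Added example (not from the original article): flag links in an HTML email
# that point somewhere other than what they display, or whose host merely
# resembles a domain the reader trusts.
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: the few domains the reader actually does business with.
TRUSTED_DOMAINS = {"examplebank.com", "cityu.edu.hk"}

# Assumed digit/symbol substitutions commonly used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

# Something that looks like a hostname inside free text, e.g. "www.examplebank.com".
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, or last three for
    two-level country suffixes such as edu.hk / com.hk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "edu", "gov", "net", "org"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(host: str) -> str:
    """Fold substitutions so that examp1ebank compares equal to examplebank."""
    return host.lower().translate(HOMOGLYPHS).replace("-", "")


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted domain this host imitates, or None if the host is
    itself trusted or carries no trusted brand name at all."""
    if registered_domain(host) in TRUSTED_DOMAINS:
        return None
    folded = normalise(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]          # "examplebank" from "examplebank.com"
        if brand in folded:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_email(html: str) -> List[Dict]:
    """Return one finding per suspicious link, each with the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname
        if not target:
            continue                            # mailto:, relative links, etc.
        shown_match = HOST_RE.search(text)      # only meaningful if the text looks like a URL
        shown = shown_match.group(0).lower() if shown_match else None
        reasons = []
        if shown and registered_domain(shown) != registered_domain(target):
            reasons.append(f"link text shows {shown} but points at {target}")
        imitated = lookalike_of(target)
        if imitated:
            reasons.append(f"{target} resembles trusted domain {imitated}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body in the style the article describes (not a real message).
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, your account will be suspended. Please verify now:</p>
<a href="http://examplebank.com.secure-login.net/verify">www.examplebank.com</a>
<p>Or use our mirror: <a href="https://examp1ebank.com/">https://examp1ebank.com/</a></p>
<p>Read our <a href="https://www.examplebank.com/security">security tips</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The first sample link is flagged twice (displayed domain differs from the target, and the target embeds the bank's name under a different registered domain), the second once (digit substitution), and the genuine link not at all. The registered-domain split is deliberately crude; a production filter would use a public-suffix list rather than the short built-in set.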

We will not go into the details of all these techniques. Interested readers can consult the two very good articles available from NGSSoftware titled "The Phishing Guide" and "The Pharming Guide"[9].

To Protect Oneself

News of identity theft and phishing attempts appears not only in technical reports but also in many newspapers, broadcasts, government announcements, and warnings from commercial firms and banks. Despite all these efforts and the increased awareness, the number of incidents still increases dramatically. Through social engineering techniques, phishing still catches people unaware. Some are not even aware that they were victims of a phishing attack. The reasons for falling into a phishing trap are numerous; people tend to give up security protection for convenience.

If you do care to lower the risks, here are some tips:

  • Apply security patches for all software installed on your computer as soon as they become available. Don't just patch the OS; patch all installed software such as MS Office, Acrobat Reader, the Java engine and Quicktime/RealOne as well.
  • Install antivirus software and keep it up to date.
  • Turn on the personal firewall of your PC.
  • Change the passwords of your PC and e-Commerce accounts regularly. Choose strong passwords (i.e. passwords that are not easy to guess or to match from a dictionary).
  • Choose different passwords for your PC, your e-Commerce accounts and other applications.
  • Turn on the spam filter. The university has provided a server-side spam filter service[10].
  • Turn on the pop-up blocker. Don't click on unexpected pop-up messages.
  • Install anti-spyware. Use a commercial tool such as McAfee or Norton, or a freeware tool. Microsoft has also released a beta anti-spyware tool.
  • Use a secure email client. Turn on the text-only option and turn off automatic loading of graphics when reading email, if this feature is available. Microsoft Outlook has this feature: HTML interpretation or loading of graphics can be turned on only when needed, with a single mouse click.
  • Be careful when you are asked to open an email attachment or download files from Internet sites. Disable the automatic execution of attached files or embedded scripts.
  • Avoid sending email that contains personal information, your computer account information or financial information without encryption. Banks and universities seldom ask you to send highly confidential information via email. Whenever in doubt, call them to verify.
  • Avoid using public PCs to perform e-Commerce transactions.
  • Avoid using a PC shared among your family members to perform e-Commerce transactions unless all of you exercise the same caution in protecting and using the PC.
  • Report a "phishing" case.
  • Pay attention to phishing news. Stay alert to new phishing techniques, especially if you are a frequent e-Commerce user.
  • For any computer connected to the Internet, always keep a clean backup image of its hard disk available, so that when the computer is (or is suspected to be) hacked or infected with malicious code, its hard disk can be formatted and restored from the backup image.

The tips described above merely serve as guidelines and are not bulletproof against phishing. As an Internet user, you should adopt a healthy skepticism and a seriously prudent approach. If you suspect that you have become a victim, make every effort to report your case while minimizing your loss. Notify your e-Commerce company or bank immediately if you are aware of any suspicious transaction, and report an identified case to the police.

References

[1] McAfee AVERT Reports on the Top Threats and Potentially Unwanted Programs for Q1 2005
http://www.mcafee.com/us/about/press/corporate/2005/20050425_185320.htm
[2] FTC Consumer Alert
http://www.ftc.gov/bcp/conline/pubs/alerts/phishregsalrt.htm
[3] Symantec Internet Security Threat Report Highlights Rise in Threats to Confidential Information
http://www.symantec.com/region/hk/press/2005/hk_050322.html
[4] Phishing Activity Trends Report, Oct 2005 from antiphishing.org
http://antiphishing.org/apwg_phishing_activity_report_oct_05.pdf
[5] Gartner: Phishing Victims Likely Will Suffer Identity Theft Fraud, May 14, 2004.
http://www.gartner.com/
[6] APWG Phishing and eCrime Newswire
http://www.antiphishing.org/crimeware.html
[7] "Phishing is obviously worth it" in "F-Secure Corporation Data Security Summary" July to December 2005
http://www.f-secure.com/2005/2/
[8] Organized Crime May Be Behind Phishing
http://celebrationsca.com/InfoOrganizedCrimePhishing.htm
[9] NGSSoftware Insight Security Research
http://www.ngsconsulting.com/
[10] "Set up Junk Mail Filters" in the "General Email FAQ" of the university
http://email.cityu.edu.hk/faq/#junkfilters

Other Resources