
The big bad world of phishers!

CIOL Bureau

NEW DELHI, INDIA: As I logged into my ICICI online bank account to check whether my salary had been credited or not, I had a strange, eerie feeling that something was not right.


The page design looked the same as it did every time I opened it in Microsoft Internet Explorer. The frames were correct, the logos and colours were all right, but something was amiss. Something was not right. Something was phishy.

The ICICI Bank's online URL, though visibly correct, was showing too many characters for my liking. The digital signature supposed to be present on the bottom right-hand side of the page was not there. The words of Patrick Runald, F-Secure's senior security consultant, quickly came to my mind.

This isn’t a genuine ICICI website!


“Hundreds of fake domains are being created using the names of prestigious banks and their only idea is to steal money right under your nose,” Patrick had said.

He had added that the URLs of all the prestigious banks in India are being faked hundreds of times every day and that the F-Secure centre in Singapore tracks hundreds of such cases every day.

Patrick had also talked about the levels of sophistication that hackers have achieved, about how these dangerous hackers were constantly on the prowl to hunt down lucrative victims, and about how they are able to present seemingly genuine websites that are actually stealing user names and passwords.

I closed the window, copied the URL and pasted it into Mozilla Firefox, which is light years more secure than Internet Explorer. Immediately, an alert from the browser came up indicating a suspected web forgery.

“This page has been reported as a web forgery designed to trick users into sharing personal or financial information. Entering any personal information on this page may result in identity theft or other fraud.”

“These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.”

I closed the website and profusely thanked my stars, Patrick and Mozilla Firefox for my being so lucky, and that my hard-earned little salary was saved!

However, some other customers of ICICI Bank (names withheld) were not so lucky. Phishers had struck gold and duped them of their hard-earned money. Unfortunately, they are not the lone losers in this big bad world of phishing.


Phishing attacks have come a long way. From amateurish attacks in the early 2000s, when phishers attacked to gain quick fame and make the world stand up to their hacking prowess, present-day attacks have become sophisticated and deadly.

Fame has taken a back seat and money, big bucks, is now every hacker’s ultimate goal.

Phishers over the last few years have redoubled their efforts to dupe innocents of their hard-earned money. They don’t show an iota of remorse even in decamping with donations meant for earthquake and tsunami victims.


Gartner reported globally in 2007 that the revenue loss due to phishing attacks was USD3.2 billion and approximately 3.6 million people were victims.

And what is scary is that, though most of the activity is around the US and Europe, India does have its fair share of phishing activity; according to a recent Anti-Phishing Working Group (APWG) report, India was placed 3rd on the list of countries hosting phishing websites.

Worst yet to come


And worryingly enough, the worst is yet to come. Says Wing Fei Chia, Security Response Team Manager, F-Secure, “We have really seen the worst of phishing and we doubt that it will get any worse over the next few years.”

“Indeed they are becoming more targeted and such an attack is known as spear phishing which we do see every now and then but still not very popular yet,” adds Chia.

In the first half of 2007, 196,860 unique phishing messages worldwide were detected by the Symantec Probe Network. This is an 18 percent increase over the last six months of 2006, and equates to an average of 1,088 unique phishing messages daily, for the first half of 2007.

Phishing is a form of internet fraud that aims to steal valuable information such as credit card details, social security numbers, user IDs and passwords for financial gain.

The fraud is executed through spoof emails and fake websites that prompt users to disclose their personal details. The 24X7 Security Response Lab of Pune-based internet security firm Symantec found that in October last year, there were 20 unique attacks on Indian banks while the figure has grown to 120 attacks as of January, 2008.

The number of websites hosting keylogging crimeware systems rose by over 1,100, reaching 3,362, the second highest number recorded in the preceding 12 months. Websense Security Labs believes much of this increase is due to attackers' increasing ability to co-opt sites to spread crimeware using automated tools.

As per the findings of Axis Bank's security department, phishers have sent more than 1,00,000 emails to account holders of Axis Bank as well as other banks.

The CERT-IN (Indian Computer Emergency Response Team), which manages computer security incidents in India, said that Indian products have become immensely popular among hackers for phishing, after the US.

The Bank of India website had recently come under attack and was serving malware. SunbeltBLOG reported that Bank of India was "seriously compromised" and that attempts were made to load multiple pieces of malware.

The attack was the handiwork of the Russian Business Network (RBN), an underground criminal gang in Russia responsible for many attacks in the past.

"The hack was related to the Russian Business Network (RBN) criminal gang," said Alex Eckelberry, CEO, SunbeltBLOG, in his blog.

Most of the global underground phishing networks have their base in Russia.

How to save yourselves

We caught up with Wing Fei Chia, Security Response Team Manager, F-Secure Security Labs, and asked him to answer the most important questions regarding phishing and also how users can safeguard themselves from future attacks.

How does one define phishing? What constitutes a phishing attack?

Phishing is an attack that tries to swindle the user into giving out their personal information with the use of social engineering tricks.

The business model of phishing: how do phishers benefit from such attacks?

Once phishers get their hands on your information, they will trade it over the underground economy for a very good price. For instance, a bank account with USD20,000 balance can be sold for roughly USD700 on average.

We have really seen the worst of phishing and we doubt that it will get any worse over the next few years. Indeed they are becoming more targeted and such an attack is known as spear phishing which we do see every now and then but still not very popular yet. The phishers find the masses an easier target still.

How do spammers send e-mail messages which appear to be from real people and/or other seemingly-legitimate addresses?

They modify certain properties of the email: fields like “Received From”, “Reply-To” and “Return-Path” would be changed to show a particular email address and which email server it originates from. In this case, if it is a legitimate address, the attacker must have harvested that “real” email address from somewhere, possibly with the full identity of the person.

Where do most of the phishing attacks originate from: Asia Pacific, the US or the Americas? And which countries have been badly affected? How much have Indian banks and customers suffered? Any case study you deem worth sharing?

Most of the activity is around the US and Europe, but India does have its fair share of phishing activity, and according to a recent Anti-Phishing Working Group (APWG) report, India was placed 3rd on the list of countries hosting phishing websites. For the record, a Police Academy website in India was hosting a Bank of America phishing site. And we have also seen some reports that there were State Bank of India and ICICI Bank phishing sites.

How much money has been lost by banks or individuals who have been attacked by phishing?

Gartner reported globally in 2007 that the revenue loss due to phishing attacks was USD3.2 billion and approximately 3.6 million people were victims.

How serious and proactive are Indian banks about working with you to stop attacks?

Banks globally have been doing a good job protecting their customers and their money from phishing attacks. The banks have taken many initiatives, introducing stronger authentication mechanisms to customers and also giving awareness sessions to their customers about safe practices when performing transactions online.

How easy or difficult is it to stop a phishing attack. Can security vendors preempt such attacks? What are ways that phishing attacks can be stopped?

The challenge we do face when dealing with phishing sites is trying to contact the person responsible for hosting the website and removing the phishing site from it before anyone else becomes the next victim. Sometimes, the phishing site can be up for a month before someone shuts it down.

How to tell it is a phishing attack?

The latest web browsers available for download over the Internet today are equipped with a built-in phishing filter that is able to alert you right away if the site that you are trying to access is suspected of forgery. Some of them have better detection rates than others, so users have to equip themselves with the right one.

How does a user say that it is a phishing site or a phishing email? Can users tell if an e-mail message is a phishing scam just by reading it?

For the tech-savvy user, it is easy to tell quite instantly with the naked eye that the email is a phishing scam, but for others, it might not be that effortless unless they have been made aware of the dangers of phishing. You can tell by looking at the address of the website or if there are additional fields that require your input. If you get an email requesting you to update your details from a financial institution, they are never true. Always make sure you type in the URL manually, look for the padlock icon at the bottom and ensure that your bank has at least a two-factor authentication mechanism given to customers to perform online transactions.

How does a user report that a site may be a phishing site?

Reporting has never been easier for the normal user; your web browser would most likely have this function in the menu. All you need to do is to click on it and you will be redirected to the reporting site where you can provide them with the details of the phishing site that you have just encountered.

What should a user do if he has already fallen into phishing scam?

The first thing you should do is to change your passwords immediately once you have been a victim. It is pretty much the same as if you have lost your house keys: you replace all your locks with new keys after that. Once you have done that, report it to the relevant parties so that they can be on the alert looking for suspicious activity with your account.

What should a user do if he receives an e-mail phishing scam?

Ignore and delete it of course. And such phishing scams should be reported right away to the relevant parties whether it is a financial institution or a social networking site to ensure that the party is able to take necessary actions to take down the phishing site and inform their respective customers of the scam so that they do not become a victim of the scam.
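
Added example, not part of the original article or interview: a Python sketch of the comparison implied by the answer above on forged “Reply-To”, “Return-Path” and “Received” fields, flagging headers whose domain disagrees with the visible From address. The sample message and the domains bank.example, mailer.invalid and bank-example.invalid are constructed placeholders; a mismatch is a reason to look closer, not proof of forgery, since legitimate mail is often relayed by third parties.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the article); all domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Received: from mailer.invalid (203.0.113.7) by mx.recipient.example
From: "Bank Support" <support@bank.example>
Reply-To: accounts@bank-example.invalid
Subject: Update your details

Please confirm your account details.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def relay_host(msg):
    """Host named after 'from' in the topmost Received header, or ''."""
    top = msg.get_all("Received", [""])[0]
    m = re.match(r"\s*from\s+(\S+)", top)
    return m.group(1).lower() if m else ""

def header_mismatches(raw):
    """List (header, observed_domain) pairs that disagree with the From domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    # Replies and bounces going to a different domain than the visible sender.
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append((name, dom))
    # The relaying host is neither the From domain nor one of its subdomains.
    host = relay_host(msg)
    if host and host != from_dom and not host.endswith("." + from_dom):
        findings.append(("Received", host))
    return findings

if __name__ == "__main__":
    for header, seen in header_mismatches(SAMPLE):
        print(f"{header}: {seen} does not match the From domain")
```
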
