Comprehensive analysis of a new threat to network security: "phishing" attacks

Source: Internet
Author: User
Tags: knowledge base, sender policy framework, lenovo

What is phishing?

The word "phishing" is a blend of "fishing" and "phone": because the earliest ancestors of today's hackers were phone phreaks, the "F" of "fishing" was replaced by "Ph" to create "phishing".

Phishing attacks use deceptive e-mails and bogus websites to commit fraud, and victims often disclose their financial data, such as credit card numbers, account usernames, passwords and Social Security numbers. Fraudsters often disguise themselves as credible brands such as well-known banks, online retailers and credit card companies, and up to 5% of all users who receive fraudulent messages respond to these scams.

Specialized anti-phishing organizations have begun to appear in the United States and the United Kingdom, and more and more online companies, technology companies and security agencies are joining them. Microsoft and Daldu, for example, have announced project analysts or user education programs, and Microsoft has also donated 46,000 of billions of dollars' worth of software to help prevent "phishing".

User self-defense guide

First, ordinary consumers:

Security expert tip: the best way to protect yourself does not require much technology.

1. Ignore messages that ask you to re-enter account information or that threaten to suspend your credit card account.

2. More importantly, do not reply to such a message or click on a link in it. If you want to verify an e-mail, use the phone instead of the mouse; if you want to visit a company's website, type the address into a browser directly instead of clicking the link in the message.

3. Pay attention to the web address. Most legitimate websites have relatively short URLs, usually ending in .com or .gov, whereas the address of a phishing site is usually long and contains the legitimate business name only as part of it (or not at all).

4. Avoid opening unsolicited e-mails and attachments, install anti-virus software and keep its virus knowledge base and the operating system patches up to date, put sensitive information under privacy protection, and enable a personal firewall.

5. When using online banking, use a digital certificate and pre-designated accounts for transfer transactions, and do not conduct online transactions or transfers in Internet cafés, on public computers or on unknown underground websites.

6. Most "phishing" letters are in English; unless you have applied for a service abroad, any legitimate letter you receive should be in Chinese.

7. Forward suspicious software to network security agencies.

Finally, if you suspect you have been caught, it is a good idea to change your password and cancel the credit card as soon as possible.

Second, commercial institutions

1. To avoid being impersonated by "phishing", the most important thing is to make the website harder to counterfeit. Specific measures include "do not use pop-up ads", "do not hide the address bar", "do not use frames" and so on. This kind of precaution is essential, because once the website's name is used by "phishing", the enterprise will be dragged in too, so it should prepare before the flood.

2. Strengthen user verification methods and improve users' security awareness.

3. Handle user feedback promptly, and actively combat counterfeit sites and other related violations. If the customer center receives complaints like "Why do I have to enter my account and password twice every time I log in?", it must consider the possibility of "phishing", because the phisher usually "hijacks" the first entry and then forwards the user to the real page, where the data is entered again.

4. Of course, installing anti-virus software and firewalls, upgrading and patching promptly, raising staff security awareness and keeping in close contact with security vendors are all essential.

Finally, a reminder: once an enterprise finds that its site has been copied, it should first take down the fraudulent web page. Sometimes this is not a simple, quick job.

Response chapter

Step 1: Education

In interviews with Internet World, every large online enterprise put "proper education for users" at the top of its anti-"phishing" initiatives. Citibank has a clear link at the bottom of its homepage to alert users to the problem of e-mail scams.

What justice said: "Phishing" also depends on people "willing to take the bait"; the reason it keeps happening is that people's awareness of prevention is weak. If everyone's sense of security stays where it is now, there will be more and more "phishing" events. Wang Hongyang said: "Increasing user security awareness can reduce the risk of 'phishing'; strict implementation of security policies, good security habits and security technology can significantly reduce the probability that 'phishing' succeeds."

But before completing this article, the reporter browsed many domestic commercial websites and found no mention of "phishing", not even prominent security hints, let alone any verification measures.

Specialized anti-phishing organizations have begun to appear in the United States and the United Kingdom, such as APWG last November and the Trusted Electronic Communications Forum (TECF) established this June; they are dedicated to educating users in order to end, or at the very least reduce, "phishing" attacks.

Step 2: Verify

In addition to education, online brands should also authenticate their legitimate e-mail messages in a simple, easy-to-use way. The often-impersonated eBay warns that even if the sender address reads "support@ebay.com" or "billing@ebay.com", the message is not necessarily from eBay.

Because phishing mail is also spam, the same spam-processing tools can be used to filter web pages and e-mails. Trend Micro will launch IWSS 2.0, which includes an anti-phishing technology called PhishTrap that uses a database of fraudulent website signatures to filter e-mail.

In addition, banks have enabled digital signatures on the e-mails they send, and technology is now making signing simpler: once a phisher attempts to forge a digital signature, the recipient receives a warning message. Of course, users must learn to recognize electronic signatures.

Long-term global validation projects include the Sender Policy Framework (SPF), Yahoo's DomainKeys proposal and Microsoft's Caller ID. But these methods will take time to perfect, and they require 100% of online businesses to be fully identified.
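SPF, the first of the validation projects listed above, works by letting a domain publish the addresses that may send mail on its behalf; a receiving server evaluates that record against the IP that actually delivered the message. The following is an added example, not code from the article or from any SPF implementation: a minimal evaluator for `ip4`/`ip6`/`include`/`all` terms. The domain names and records in `SPF_RECORDS` are constructed, and the dictionary stands in for the DNS TXT lookups a real verifier would perform, so the logic runs offline. Mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) are skipped rather than modelled.

```python
"""Minimal SPF evaluator (added example, not the article's code).
The DNS lookups a real verifier performs are replaced by a constructed
dictionary of domain -> record so that the check runs offline."""
import ipaddress

# Constructed SPF records for hypothetical domains (assumption for the example).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix -> result when the mechanism matches the sender IP.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # guard against include: loops


def evaluate_spf(record, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate one SPF record for a sending IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as redirect= or exp=; not modelled here
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network, e.g. /33 on IPv4
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = records.get(arg.lower())
            if sub is None:
                return "permerror"  # included domain has no record
            if evaluate_spf(sub, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr and exists require live DNS and are skipped in this offline model
    return "neutral"  # no mechanism matched and no "all" term was present


def check_sender(mail_from_domain, sender_ip, records=SPF_RECORDS):
    """Look up the domain's record and evaluate it; 'none' if it publishes no SPF."""
    record = records.get(mail_from_domain.lower())
    if record is None:
        return "none"
    return evaluate_spf(record, sender_ip, records)


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "203.0.113.9"):
        print(ip, "->", check_sender("bank.example", ip))
```

A message claiming to be from `bank.example` but delivered from 203.0.113.9 fails the record's `-all`, which is the signal a receiving server uses to reject or quarantine it; a `~all` softfail only marks the message as suspicious, which is why a soft policy offers weaker protection against impersonation.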

Step 3: Confirm

Websites also need to use some validation mechanism to prove their legitimacy. To that end, the professional identity enterprise CoreStreet recently posted a free browser helper called SpoofStick on its website. When the user is on the legitimate site, an obvious notice appears below the URL box reading "You're on ebay.com."; if the user has been tricked onto a bogus site, the notice reads "You're on 10.19.32.4."

eBay has added a new service to its toolbar, called account bodyguard. This service tells users whether they are on eBay's or PayPal's legitimate site, and if the user enters an eBay password on an unconfirmed website, eBay sends the user a further warning letter.

Step 4: Block

Some ISPs can also prevent users from being directed to known bad websites. For example, when AOL's customers report that they have received spam, the links contained in the spam message are added to a list of blocked sites, and when users click on these links they see an error page instead. But the technology may also block legitimate links that provide real business services.

On April 19, EarthLink in the United States launched a toolbar with the ability to prevent phishing: when users try to access a confirmed scam site, the toolbar issues a warning and redirects the user to EarthLink's own web page. Websense, an Internet access filtering product, also includes "phishing" and malicious websites among its blocking categories.

Step 5: Monitor

EarthLink also uses a service that issues a warning whenever someone registers a domain name similar to the company's brand, in order to confirm whether that website will impersonate EarthLink for "phishing".

On June 21, MasterCard International and the company NameProtect announced a partnership to crack down on "phishing", using NameProtect to detect online crime in real time by monitoring domain names, web pages, bulletin boards and spam. Such surveillance can lead to a significant reduction in the number of victims.

Understanding chapter

Means: coercion and inducement

Phishing uses deceptive e-mails and bogus websites to commit fraud, and victims often disclose their financial data, such as credit card numbers, account usernames, passwords and Social Security numbers.

The main trick of phishing is to counterfeit a company's website or e-mails and plant code in them; if users believe the link and follow its demand to fill in important personal information, the data is sent to the fraudster.

Richard_cheng, a member of Trend Micro's "PhishTrap (anti-phishing trap)" team, explains: "When these cyber fraudsters spread the bait (e-mail) across the Internet, they wait for the victim to take it." According to Gartner, as many as 5% of all users who receive fraudulent messages respond to these scams, because fraudsters often disguise themselves as credible brands such as well-known banks, online retailers and credit card companies.

Fraudsters often use "coercion and inducement" to create "themes" under various names. For example, the first "phishing" event to cause widespread concern was the MIMAIL.J virus that appeared last November: disguised as a message from PayPal's website, it stated that the recipient's account would expire after 5 working days and required users to update their personal information before the account would be reactivated. Another example: on July 20, a malicious website disguised itself as the Lenovo homepage, replacing the English letter "l" in the name with the digit "1", exploited various IE bugs to plant a Trojan virus, and spread the false message that "Lenovo Group and Tencent are jointly giving away QQ coins" to lure more users to visit the site and become infected.
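The article's three URL-level warning signs (a long address that only embeds the brand name, a bare IP address where SpoofStick would show "You're on 10.19.32.4", and a look-alike name such as "1enovo" with the digit 1 standing in for the letter l) can all be checked mechanically on the defender's side. The following is an added example, not code from the article or from SpoofStick, eBay or any vendor named on the page: a small set of URL inspection heuristics. The `TRUSTED_DOMAINS` list, the confusable-character table and every URL in the `__main__` block are constructed; the registrable-domain logic is deliberately naive (last two labels) and a production checker would use the public suffix list.

```python
"""Defensive URL inspection heuristics (added example, not the article's code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brands treated as legitimate (assumption for the example).
TRUSTED_DOMAINS = ["lenovo.com", "ebay.com", "paypal.com", "citibank.com"]

# Look-alike substitutions that make a fake name read like the real one,
# e.g. the digit 1 standing in for the letter l in "1enovo".
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s"}


def _host_of(url):
    """Lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Naive registrable domain: the last two labels (fine for .com/.gov-style
    names; a real checker would consult the public suffix list)."""
    if _is_ip_literal(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold_confusables(label):
    """Map look-alike characters back to the letters they imitate."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def location_banner(url):
    """What a SpoofStick-style helper shows: the site the user is really on."""
    return "You're on " + registrable_domain(_host_of(url))


def inspect_url(url, trusted_domains=TRUSTED_DOMAINS, max_len=75):
    """Return host, registrable domain, trust flag and a list of findings;
    an empty findings list means no heuristic fired."""
    host = _host_of(url)
    reg = registrable_domain(host)
    trusted = {d.lower() for d in trusted_domains}
    findings = []

    if _is_ip_literal(host):
        findings.append(f"host is a bare IP address ({host}), not a brand domain")

    is_trusted = reg in trusted
    if not is_trusted and not _is_ip_literal(host):
        own_label = reg.split(".")[0]
        for brand in trusted:
            brand_label = brand.split(".")[0]
            # Brand name present somewhere in the host, but the site belongs to someone else.
            if brand_label in host:
                findings.append(f"contains '{brand_label}' but the registrable domain is '{reg}'")
            # Same name as the brand once look-alike characters are folded back.
            if own_label != brand_label and fold_confusables(own_label) == brand_label:
                findings.append(f"'{reg}' imitates '{brand}' using look-alike characters")

    if len(url) > max_len:
        findings.append(f"URL is {len(url)} characters long (over {max_len})")

    return {"host": host, "registrable_domain": reg, "trusted": is_trusted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs, not real sites.
    for sample in ("http://www.lenovo.com/", "http://www.1enovo.com/qq-coins",
                   "http://10.19.32.4/signin", "http://www.ebay.com.account-update.example/login"):
        print(location_banner(sample), inspect_url(sample)["findings"])
```

The value of the banner function is that it reports the registrable domain rather than the full host, so a long address that starts with "www.ebay.com." but ends elsewhere is exposed at a glance; the confusable folding is only a heuristic and should be combined with the brand-monitoring services the article describes rather than relied on alone.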

Status quo: the crowd on the hook

In recent years, "phishing" has become very rampant in the United States, Britain and other countries, and the number of cases is rising rapidly. According to a recent survey by Gartner, 57 million U.S. consumers have received such phishing e-mails, and the direct losses caused by identity fraud and theft to users of Bank of America and credit card companies reached 1.2 billion dollars last year.

Data from the spam filtering company Brightmail show that the total volume of phishing mail in the world has grown rapidly in the past 9 months, reaching 3.1 billion in April this year. According to the UK security agency mi2g, more than 250 "phishing" attacks against major banks, credit card companies, e-commerce sites and government agencies were reported last year.

According to the latest statistics from the anti-phishing organization APWG (Anti-Phishing Working Group), about 70.8% of cyber frauds target financial institutions, and the three most frequently copied brands are Citibank, eBay and PayPal.

Consequences: Credibility crisis

"Financial institutions, Internet service providers and other service providers must seriously address the phishing problem," said Litan, senior vice president and research director at Gartner. "If this decoy attack is not greatly reduced, consumers' trust in online trading will gradually erode, and eventually all participants in network transactions will be harmed."

"These attacks are undermining the credibility of the entire e-business system, the way we operate," said David Jevans, chairman of APWG. "Indeed, eBay and dozens of other companies that have been repeatedly attacked by phishing are concerned that it not only hurts the business but also challenges customers' confidence in e-commerce."

"Phishing" has begun to show its immense destructive power. Consumer confidence in e-mail has fallen to its lowest level in history, according to a Pew Internet Life survey. Cyota, in a recent survey of online bank account holders, found that 74% of respondents said they were unlikely to respond to e-mails from banks because of the threat, and that they were also less likely to shop online. This means that some legitimate businesses may lose part or all of their online channels if they cannot prevent their brands from being exploited by fraudulent activities.

Of course, the damage also extends to a commercial organization's brand. mi2g CEO DK Matai points out: "Although in many cases the brand owners are not at fault, these online brands should be able to apply more thought to preventing consumers from making mistakes." A member company of APWG has already been sued by clients over "phishing", citing a failure to perform its corresponding duties.

In addition to trust, "phishing" also brings more direct losses to businesses and individuals. If the fraudster captures a user's credit card account information, both the cardholder and the seller face the risk. Moreover, issuing new credit cards, accounts and passwords costs about 50 trillion dollars per user; if a large number of customers are caught, the cost is very alarming.

Vigilance: authenticity is difficult to distinguish

These deceptive e-mails and websites are looking increasingly "perfect" and increasingly "believable".

Cayce Ullman, chief technology officer at information-encryption company PostX, said: "We met a phishing scam using the eBay brand, and it took me 25 minutes to make sure it was a real scam. Even we find it difficult to distinguish true from false, so how can our consumers distinguish it?" One of the most troubling concerns for security experts is that "phishing" uses JavaScript to replace the address displayed by the browser with the URL of the impersonated company's official website.

"The vulnerabilities of the browser itself have also added to the confusion to some degree," said Wang Hongyang, director of the Green Alliance Technology services division. He suggests that users can use other browsers to reduce the risk.

Trend Micro China technical advisor Jijun's advice: if this is the case, an anti-phishing tool must be used for protection, because the eye sees the displayed URL while the tool sees the real machine address. He offers a "once and for all" approach: never go straight to a site through a link in an e-mail.

A headache for ordinary users is that, in order to achieve wide-ranging fraud, "phishing" is usually accompanied by viruses and Trojans, and virus or Trojan mail in turn often contains "phishing" content.
