Online Identity Theft
Identity Theft is the phrase used to describe an action where a person uses the identity of another to fraudulently obtain credit, goods, or services, or to commit crimes. Examples of these crimes are bank and credit card fraud, wire fraud, mail fraud, money laundering, bankruptcy fraud and computer crimes. With the growth of the Internet, traditional fraud schemes have been magnified, in particular through online identity theft crimes.
The word “phishing” was first used around 1996, when hackers began stealing America On-Line accounts by sending AOL users e-mail that appeared to come from AOL. Phishing attacks now target users of online banking, payment services such as PayPal, online e-commerce sites, and web-based e-mail sites. Phishing attacks are growing quickly in number and sophistication. In fact, most major banks in the USA, the UK and Australia have been hit with phishing attacks.
Spear phishing is a highly targeted phishing attack. Spear phishers send e-mails that include information about staff or current organizational issues that make them appear genuine to employees or members of a certain company, government agency, organization, or group. The message may look like it comes from your employer or from a colleague who might legitimately send an e-mail message to everyone in the company, such as the head of human resources or the person who manages the computer systems, and could include requests for user names or passwords or tell recipients to download malicious attachments from an infected web site. Spear phishing has become one of the most damaging forms of attack on military organizations in the US and other developed countries. Attackers gain user name and password information and then break in to exfiltrate sensitive military information.
A newer form of phishing replaces a web site with a telephone number. In this form of phishing, an email tells you to call a specific number where an audio response unit, at the end of a compromised voice phone line, waits to take your account number, personal identification number, password, or other valuable personal data. The person/audio unit on the other end of the voice phone line might claim that your account will be closed or other problems could occur if you don’t respond.
Affected Operating Systems
Phishing is a social engineering technique that targets users. While various application add-ons can provide some defense against phishing techniques, all operating systems can be considered equally affected because the attack target is the end user. There is a natural human instinct to trust; phishing attacks attempt to exploit this. While they leverage flaws in browsers, email systems, and DNS, they do so only to enhance the appearance of legitimacy: ultimately it is the end user that is tricked into providing information to the phishers.
How to Determine if You Are at Risk
Phishing mostly relies on social engineering techniques to succeed. Awareness of these techniques reduces the chance of falling victim to such attacks.
Identity thieves may also use computer intrusions into organisations such as online businesses to gather large amounts of credit card or other identification information. They may also attempt to harvest information that is available on public Internet sites; do not expose too much information about yourself or your family members (e.g. addresses and phone numbers) on community web sites such as MySpace, Orkut and Facebook.
How to Protect against Phishing Attacks
Since phishing attacks are aimed at users, user awareness is a key defense. The most promising method of stopping spear phishing is continuous periodic awareness training for all users; this may even involve mock phishing attempts to test awareness.
Less effective, but still valuable methods include:
- Do not mass e-mail your customer base with web links directed to your site or any other website. Doing so teaches your customer base to accept such emails as normal.
- Do not use your authentication credentials, or other non-public personal information, to authenticate your customer base.
- Log identifying information for any system changing user information online.
- Be sure to report all incidents of fraud to a law enforcement agency.
- Anti-Phishing Software: Applications that attempt to identify phishing content in both e-mail and web sites usually integrate with web browsers and e-mail clients. Several options exist:
  - NetCraft Toolbar: available for both Internet Explorer and Firefox
  - Google Safe Browsing: available for Firefox
  - eBay Toolbar: available for Internet Explorer
  - Earthlink ScamBlocker: available for both Internet Explorer and Firefox
  - GeoTrust TrustWatch: available for Internet Explorer, Firefox, and Flock
  - McAfee SiteAdvisor: available for Internet Explorer and Firefox
- User Education: One of the best strategies to combat phishing is to educate your users about current and newly emerging phishing attack methods, and to make sure they know what to do in the event of a phishing attack.
- Two Factor Authentication: Include other non-password authentication mechanisms when possible.
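The anti-phishing toolbars listed above, and the browser and e-mail add-ons mentioned under Affected Operating Systems, work in part by applying simple heuristics to the links in a message: a trusted brand name buried in a subdomain of some other domain, a one-character lookalike of the brand, credentials before an `@` that hide the real host, a raw IP address, or a punycode label. The following Python is an added example written for this page, not code from the original article or from any of the products named; the brand-to-domain table, the sample e-mail and the 192.0.2.10 address are constructed, and the registrable-domain logic deliberately ignores multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed mapping of protected brand names to their genuine registrable
# domain. A real deployment would load this from configuration.
LEGIT_DOMAINS = {
    "paypal": "paypal.com",
    "aol": "aol.com",
    "examplebank": "examplebank.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample e-mail body containing three suspicious links and one
# genuine one (the real paypal.com site must not be flagged).
SAMPLE_EMAIL = """\
Dear customer, your account will be closed unless you verify it at
https://www.paypal.com.account-verify.example/login
or sign in at http://192.0.2.10/aol/login .
You may also use https://secure-login@paypa1.com/ at any time.
Our genuine site remains https://www.paypal.com/ for your convenience.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Crude (ignores suffixes like co.uk) but
    enough to show the technique."""
    return ".".join(host.split(".")[-2:])


def phishing_indicators(url: str) -> list:
    """Return the heuristic reasons a URL looks like a phishing link.
    An empty list means no indicator fired, not that the link is safe."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.username is not None:
        reasons.append("credentials before '@' disguise the real host")
    if IPV4_RE.match(host):
        reasons.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label, possible homograph")
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    for brand, legit in LEGIT_DOMAINS.items():
        if reg == legit:
            continue  # the genuine domain for this brand
        if brand in host:
            reasons.append(f"'{brand}' appears in host but registrable domain is {reg}")
        elif levenshtein(reg_label, brand) == 1:
            reasons.append(f"'{reg_label}' is one edit away from '{brand}'")
    return reasons


def scan_email(body: str) -> dict:
    """Extract every http(s) link from an e-mail body and map each link that
    triggered at least one indicator to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(body):
        reasons = phishing_indicators(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for link, why in scan_email(SAMPLE_EMAIL).items():
        print(link)
        for reason in why:
            print("   -", reason)
```

Run as a script it prints the three suspicious links with their reasons and stays silent about the genuine paypal.com link. Heuristics like these are what make the toolbars useful as a second line of defence, but they produce both false positives (a bank that really does host login on a third-party domain) and false negatives (a phishing domain with no brand resemblance at all), which is why the page puts user awareness first.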
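As a worked example of the two-factor recommendation in the last list item, the Python below implements a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) and a login check that requires both the password and the current code. It is an added example for this page, not code from the original article. The shared secret is the one from the RFCs' published test vectors, the user record, salt and password are constructed, and the `login` function is hypothetical: it stands in for whatever authentication routine a real site has.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret taken from the RFC 4226 / RFC 6238 test vectors. A real
# deployment generates a random secret per user and stores it protected.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // TIME_STEP), digits)


def verify_totp(secret: bytes, submitted: str,
                at_time: Optional[float] = None, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    (clock drift tolerance); every comparison is constant-time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // TIME_STEP)
    return any(
        hmac.compare_digest(hotp(secret, counter + skew), submitted)
        for skew in range(-window, window + 1)
    )


# Constructed user record: a PBKDF2 password hash plus the TOTP secret.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
        "totp_secret": DEMO_SECRET,
    }
}


def login(username: str, password: str, otp: str,
          at_time: Optional[float] = None) -> bool:
    """Hypothetical login routine: succeeds only when both the password and
    the current one-time code are right. A password captured by a phishing
    page is useless on its own."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET))
    print("RFC vector at t=59:", totp(DEMO_SECRET, 59))  # 287082
```

Two practical caveats. A server should also refuse to accept the same code twice (remember the last accepted counter per user), or an attacker who captures one code can replay it inside the drift window. And a one-time code raises the bar rather than removing the risk: a phishing site that relays the victim's password and code to the real site in real time still gets in, so the second factor is a complement to the awareness training the page recommends, not a substitute.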