Tuesday, October 19, 2010

PHISHING - Can your Browser protect you?

"When facts fail, reasons prevail."
You must be wondering why I used this quote at the beginning (I know none of you can have heard it before, because I created it while writing this blog).
This is what phishing is all about. There has been a lot of buzz about the phishing scams that occur now and then, which mostly target inexperienced internet users (and sometimes expert ones). These users know almost all the technical conveniences the internet provides, like email, net banking, social networking and so on. These are the building facts of the world wide web. But when something goes wrong (a stolen password, a drained bank account and so on), they realise that the reason behind it could be something we call a phishing scam.

Before I tell you some interesting facts about phishing and its countermeasures, let's find out what exactly a phishing scam is.

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Numerous techniques have been exposed so far, but I am mentioning only the most commonly used scams here.

Link manipulation

Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. 
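To make the subdomain trick concrete, here is an added Python check (not from the original post) that works out where a link really lands by looking at the registrable domain rather than the start of the hostname. It assumes that yourbank.com is the bank's only legitimate domain, and it uses a toy "last two labels" rule; real code would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption (not from the post): the bank's single legitimate domain.
LEGIT_DOMAIN = "yourbank.com"
BRAND = "yourbank"


def registrable_domain(host):
    """Last two DNS labels. Toy rule: production code needs the Public
    Suffix List so that e.g. 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; one edit away from the real domain is a
    classic misspelled-URL lure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return 'ok', 'subdomain-trick', 'lookalike' or 'unrelated'."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain == LEGIT_DOMAIN:
        return "ok"
    labels = host.lower().split(".")
    # Brand name used in a label that is NOT the registrable domain: the
    # post's www.yourbank.example.com case, which really lands on example.com.
    if any(BRAND in label for label in labels[:-2]):
        return "subdomain-trick"
    # Registrable domain one edit away from the real one, e.g. yourbanks.com.
    if edit_distance(domain, LEGIT_DOMAIN) <= 1:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, including the one from the post.
    for link in ("http://www.yourbank.example.com/",
                 "https://www.yourbank.com/login",
                 "http://yourbanks.com/login"):
        print(link, "->", classify_link(link))
```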

Filter evasion

Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.

Website forgery

This is the most widely used phishing technique. We can say that website forgery is a superset of the other two scams, link manipulation and filter evasion, because it is basically the forged link or web page that is delivered to the victim as the target page.
In this technique the attacker sends a web page that looks like the original website and fools the user into believing that it is the trusted page. This leads the user to enter confidential details into it, which, instead of going to the real site, are sent to the attacker. The user is then either redirected to the original page or shown some error message.

Phishing Facts


MessageLabs, a company that manages email security, reports a vast increase in phishing emails in the past six months. In September 2003, the number of phishing emails the company saw was 279. By January 2004, the number had risen 1200 percent to 337,050. Meanwhile, the Anti-Phishing Working Group, an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing, reports more dangerous facts. In April, the attacks increased 180%, and reports show 15 of the top 20 targeted organizations are financial institutions.

  • 1 in 5 Americans were the target of phishing attacks during the last year.
  • 57 million consumers have received phishing emails.
  • Out of 4 million consumers who encountered fraud last year when opening a new online account, over 50% said they also received a phishing e-mail.


India has the dubious record of being among the top 10 countries where the most sites involved in 'phishing' are hosted, according to a new report released by the Anti-Phishing Working Group.

We are all very keen to download the latest version of whichever browser flavour is on the market, but we hardly ask why these new versions are built. It took Microsoft just 433 days and Chrome 212 days to bring out the next version of their previous browser. Can you answer why? It is all about providing better security to the end user.
But just downloading the latest version won't protect you; you also need to configure the settings that can really protect you. It is not easy to detect a phishing attack manually, though there are various look-and-feel methods for spotting a phishing page. Here I am discussing some of the ways you can set up your favourite browser to protect you better against phishing attacks.
1. The best way to avoid becoming a victim of a phishing attack is to detect and/or block the phishing email (the first stage of the attack), which includes a link to the actual phishing site.
a) Use a spam filter to block spam email.
Phishing attacks generally rely on a user receiving and clicking on a link in a phishing email. If the email is blocked or marked as suspicious by a spam filter, users are less likely to read, trust or click on a link in it.
b) Change the settings of your email software to warn you when you receive a suspicious email that may be a phishing email.

2. To best protect yourself in the event that you are fooled by a phishing email (the first stage of the attack) and inadvertently click on a link to a phishing site, you should make use of the security measures available. The major web browsers have features which can be activated to help detect phishing web sites. Turning these features on is unlikely to have any noticeable impact on the speed of your Internet connection. As with antivirus and anti-spyware software, there is always a delay between when a new attack is released and when these security technologies are updated to detect it.

a) In Microsoft Internet Explorer version 7, the phishing filter can be turned on by selecting the "Tools" menu, then "Internet Options", then selecting "Turn on automatic website checking":

b) Click “Apply” then “OK” to save these settings.

c) In Microsoft Internet Explorer version 8, anti-phishing is handled by the SmartScreen Filter. The SmartScreen Filter is enabled by default – you can confirm that it is enabled by selecting the "Safety" menu, then "SmartScreen

d) In Mozilla Firefox, click on the Tools menu, select Options, select the Security tab, then select the check box for "Tell me if the site I'm visiting is a suspected forgery". Either option is fine; however, according to the Mozilla Firefox help notes, the Google option will provide a more reliable check for

e) In the Google Chrome web browser, phishing and malware protection is enabled by default. Confirm this by selecting the menu with a spanner icon (hovering over this menu displays the text "Customize and control Google Chrome") and then "Options".

f) In the Apple Safari web browser, fraudulent website warnings are enabled by default. To confirm this, select the Safari menu, then Preferences, and then click the Security icon to display the control panel pictured.

What to do if you encounter a phishing email or web site.

If you receive a phishing email, simply delete it. Do not reply to the email address and do not click on the link within the email body.
If you do happen to click on the link in the email body by mistake, do not "log in" to the phishing web site or complete any fields on the web page which ask you for information. If at any time you suspect that you may have navigated to a phishing web site, look particularly for the presence and validity of the digital certificate on that site.
In general, always avoid providing information of a confidential nature to a web site that doesn't have a valid digital certificate.
Some phishing emails direct users to phishing web sites that also contain malware. Even if you do nothing more than click the link, you may unwittingly install malware on your computer.
