Indians beware of Phishing!
Most organizations spend resources in the wrong place, feels Captain Raghu Raman, CEO, Mahindra SSG

You've got mail. It's a security alert from your bank, and it opens: "Security is the utmost priority at Fraudulent Bank. We require our customers to work with us to protect their account details." The lines that follow are designed to raise an instant alarm:

At 23:60 hours on April 31, 2006, our system detected an unauthorized access attempt on your account. The attempt came from the IP address 420.12.24.14, which does not correspond to your current address:

Mr. Fool Hoodwink,
Dupe Street,
530 007

The mail asks you to confirm your address and card details. You follow the link provided, comply and pay the price. In reality the mail did not come from your bank at all: the link leads to a fraudulent website made up to look like the bank's. (A careful reader would notice that neither 23:60 hours, nor April 31, nor the address 420.12.24.14 can exist.) This is a classic case of phishing.

Though a recent phenomenon in India, phishing has already caught out quite a few.

In an interview with Kishore Kumar of CyberMedia News, Captain Raghu Raman, CEO of InfoSec consulting firm Mahindra Special Services Group, delves into the various facets of phishing.

There has been an increase in cases of phishing. What is the magnitude of the damage caused by phishing?

Phishing scams affect three kinds of people: the receiver, the Internet Service Provider and the bank or company in whose name the fraudulent mails are sent. The receiver is at risk of compromising his/her personal information, like credit card details, social security number, etc. The Internet Service Provider suffers as thousands of mails are sent in the phishing scam, clogging its network and bringing down its revenues. The bank/company targeted is at risk of losing its brand image, customer loyalty and future business.

What are the common modes of phishing being carried out by cyber criminals?

Phishing scams are usually done by people looking for quick money. They send spoofed mails to thousands of recipients requesting credit card details and Internet Banking logins and passwords. Even if fewer than 5 per cent of recipients respond to these mails, the attacker has made his money before the whole incident can even be reported and investigated. The United States is the leader in hosting phishing sites. A large number are also being hosted in Asia Pacific countries. However, these phishing scams can also be part of a focused attack against a particular company or organization. The method used by phishers is usually to make fraudulent websites similar to the genuine website by mimicking the HTML code, containing the same images, text and sections. Some phishing websites register a domain name similar to the legitimate website of a company or a bank. The most common method used by phishers is forms, for example the Internet Banking login page or a form for password verification. Some attacks spoof the address bar by using text and images. It involves placement of text with a white background over the URL on the address bar. It is possible to stop this deception by disabling ActiveX and JavaScript in browser settings. Pop-up windows on genuine web pages also mislead users.
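The spoofed mails and lookalike domains Raman describes can be triaged mechanically. The Python script below is an added example, not code from the interview or from Mahindra SSG. It runs over a constructed mail modelled on the alert quoted in the introduction, assumes a hypothetical genuine bank domain fraudulentbank.example, and flags claims that cannot be true (an impossible timestamp, a non-existent IP address) as well as links whose host is not the bank's own domain, including lookalikes built by appending words or swapping digits for letters.

```python
"""Triage of a bank 'security alert' mail for phishing indicators.

Added example for this article, not code from the interview or from
Mahindra SSG. The sample mail below is constructed, modelled on the alert
quoted in the introduction, and the genuine bank domain is assumed to be
the hypothetical fraudulentbank.example.
"""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample mail (not a real message).
SAMPLE_MAIL = """\
Security is the utmost priority at Fraudulent Bank.
At 23:60 hours on April 31, 2006, our system detected an unauthorized
access attempt on your account. The attempt came from the IP address
420.12.24.14. Please confirm your address and card details here:
http://fraudulentbank-secure.example.net/confirm?acct=1234
"""

BANK_DOMAIN = "fraudulentbank.example"  # assumed genuine domain (hypothetical)

TIME_RE = re.compile(r"At (\d{2}):(\d{2}) hours on (\w+) (\d{1,2}), (\d{4})")
IP_RE = re.compile(r"IP address\s+(\d{1,3}(?:\.\d{1,3}){3})")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def check_timestamp(text):
    """True if the quoted time/date can exist, False if not, None if absent."""
    m = TIME_RE.search(text)
    if not m:
        return None
    hh, mm, month, day, year = m.groups()
    try:
        datetime.strptime(f"{hh}:{mm} {month} {day} {year}", "%H:%M %B %d %Y")
        return True
    except ValueError:  # 23:60 hours or April 31 do not parse
        return False


def check_ip(text):
    """True if the quoted IP address is valid, False if not, None if absent."""
    m = IP_RE.search(text)
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group(1))
        return True
    except ValueError:  # an octet above 255, e.g. 420.12.24.14
        return False


# Digits and letter pairs that phishers swap in to build a lookalike label.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalise(label):
    return (label.translate(HOMOGLYPHS)
            .replace("rn", "m").replace("vv", "w").replace("-", ""))


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, bank_domain=BANK_DOMAIN):
    """'genuine' for the bank's domain or a subdomain of it, 'lookalike' when
    any label of the host imitates the bank's name, otherwise 'unrelated'."""
    host = host.lower().rstrip(".")
    if host == bank_domain or host.endswith("." + bank_domain):
        return "genuine"
    bank_label = normalise(bank_domain.split(".")[0])
    for label in host.split("."):
        n = normalise(label)
        if bank_label in n or levenshtein(n, bank_label) <= 2:
            return "lookalike"
    return "unrelated"


def triage(mail_text, bank_domain=BANK_DOMAIN):
    """Return the list of phishing indicators found in the mail."""
    findings = []
    if check_timestamp(mail_text) is False:
        findings.append("impossible timestamp")
    if check_ip(mail_text) is False:
        findings.append("invalid IP address")
    for url in URL_RE.findall(mail_text):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host, bank_domain)
        if verdict != "genuine":
            findings.append(f"{verdict} link host: {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MAIL):
        print("-", finding)
```

The host check deliberately treats the bank's name under any other registrable domain (fraudulentbank.example.net, fraudulentbank-secure.example.net) as a lookalike rather than as unrelated, because that is exactly the registration trick the answer above describes; the homoglyph table and edit-distance threshold are assumptions you would tune against the bank's real name.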

How much help can anti-phishing software be in negating this attack?

Personally I believe that the strongest defence organizations can build is to strengthen the core business process so that InfoSec is imbibed into the way of working, harden technologies to prevent leakage, and train their employees and make them more aware of how InfoSec breaches can adversely affect their personal aspirations. If this framework is followed, it's the best defence an organization can have. However, there are innovative concepts that prevent phishing. Some are architecturally quite simple – except that organizations such as banks should have taken the initiative to implement them. Let me give an example. All banks collect your picture at the time of opening your account. All the bank has to do is divide the online login process into two parts. In the first part you put in your login name. The page refreshes and shows your photo from the database – thus proving irrefutably that it is indeed the genuine bank's URL – and then you put in your password. The fundamental challenge remains that most organizations do not think like attackers and hence keep spending resources in the wrong place instead of thinking of innovative yet simple-to-implement measures.
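The two-step login Raman proposes, as an added Python example that is not any bank's or Mahindra SSG's code. The account records, passwords and photo file names are constructed. The server stores only a salted PBKDF2 hash of each password, hands out a single-use session token together with the photo in step one, and answers step one for an unknown username with a decoy photo that is stable for that name, so the first step cannot be used to enumerate customers.

```python
"""Two-step login: username first, then the customer's own photo, then the
password. Added example for this article, not any bank's or Mahindra SSG's
code. The accounts, passwords and photo file names are constructed; the
server-side key used to pick decoy photos is generated at start-up.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_accounts():
    """Constructed customer records: username -> salt, password hash, photo."""
    accounts = {}
    for user, password, photo in [("asha", "correct horse", "photos/asha.jpg"),
                                  ("ravi", "battery staple", "photos/ravi.jpg")]:
        salt = os.urandom(16)
        accounts[user] = {"salt": salt, "hash": hash_password(password, salt), "photo": photo}
    return accounts


class BankLogin:
    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}                   # session token -> username
        self.decoy_key = os.urandom(32)     # keeps the decoy choice stable per username

    def step1(self, username):
        """Take the username only; return a single-use token and the photo to show.
        Only a server holding the customer's record can produce the right photo,
        which is what the customer checks before typing the password."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = username
        record = self.accounts.get(username)
        if record is not None:
            return token, record["photo"]
        # Unknown username: answer with a decoy that is the same every time for
        # that name, so step one does not reveal which usernames exist.
        tag = hmac.new(self.decoy_key, username.encode("utf-8"), "sha256").hexdigest()[:8]
        return token, f"photos/decoy-{tag}.jpg"

    def step2(self, token, password):
        """Take the password for the session opened in step one."""
        username = self.pending.pop(token, None)   # the token is consumed either way
        record = self.accounts.get(username)
        if record is None:
            return False
        candidate = hash_password(password, record["salt"])
        return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    bank = BankLogin(make_accounts())
    token, photo = bank.step1("asha")
    print("photo shown before the password prompt:", photo)
    print("login ok:", bank.step2(token, "correct horse"))
```

Note what the photo does and does not prove: it shows that the page in front of the customer obtained the record for that username, which a static copy of the bank's HTML cannot do. A phishing site that relays the username to the real bank in real time and forwards the photo back would still pass this check, so the photo complements, rather than replaces, checking the site's TLS certificate.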

How rampant is phishing in India? How much awareness needs to be created among Indians?

There have been several cases of attacks on genuine websites. As net transactions become more popular in India, the possibility of a sharp rise in phishing attacks is guaranteed. Financial institutions are the main targets. Some private banks have been recent targets. A lot of awareness needs to be created amongst Indians. Many elderly people who have just begun surfing the net are falling prey to phishing scams. Western countries have better recourse mechanisms in place. InfoSec awareness and concerns are still nascent and are being largely driven by overseas customers or MNCs. Slowly but surely that is changing, and we are seeing more organizations giving it management mindshare. Unfortunately most organizations have still not assumed the onus of responsibility when it comes to protecting their customers from phishing attacks. Too many of them choose to hide behind the 'fine print' of online lack of answerability.

How does cyber law function with regard to phishing?

The Information Technology Act is comprehensive and provides stiff penalties. But the enforcers are not able to understand and deal with cyber crime. Cases go unreported because discovery levels are low. Many victims don't even know they've been hit. Given the proper systems, there would be a substantial increase in the number of cases registered. The actual enforcers – the police – need to be educated; training sessions on technology frauds are a must. The police must also understand the psychology of phishers and hackers. They are obviously very different from, and much more sophisticated than, normal criminals.

© CyberMedia News
