You've got mail. It's a security alert from your bank, and it reads:
Security is the utmost priority at Fraudulent Bank. We require our customers to
work with us to protect their account details. The subsequent lines raise an
instant alarm.
At 23:60 hours on April 31, 2006, our system detected an unauthorized access
attempt on your account. The attempt came from the IP address 420.12.24.14,
which does not correspond to your current address:
Mr. Fool Hoodwink,
Dupe Street,
530 007
The mail asks you to confirm your address and card details. You go to the
link provided, obey and perish. In actuality, the mail was sent by a website
that merely resembles your bank's. This is a classic case of phishing.
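A small detector, added here as an example and not part of the article, that flags the give-aways in the alert mail quoted above: the impossible time and date, the invalid IP address, and a link whose host does not belong to the sender's domain. The sample mail, the sender address and the link are constructed; the page itself quotes no link.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample, modelled on the alert mail quoted at the top of the
# article. The From: address and the link are assumptions, not from the page.
SAMPLE_MAIL = """From: alerts@fraudulentbank.example
Subject: Security alert

At 23:60 hours on April 31, 2006, our system detected an unauthorized access
attempt on your account. The attempt came from the IP address 420.12.24.14,
which does not correspond to your current address.
Please confirm your details at http://fraudulentbank-secure.example/verify
"""

TIME_RE = re.compile(r"\b(\d{1,2}):(\d{2}) hours on ([A-Z][a-z]+ \d{1,2}, \d{4})")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"https?://([^/\s]+)")
FROM_RE = re.compile(r"^From:\s*\S+@(\S+)", re.M)


def find_indicators(mail: str) -> list:
    """Return the reasons an alert mail looks fabricated (empty if none)."""
    reasons = []
    m = TIME_RE.search(mail)
    if m:
        hour, minute, date_str = int(m.group(1)), int(m.group(2)), m.group(3)
        if hour > 23 or minute > 59:
            reasons.append(f"impossible time {hour:02d}:{minute:02d}")
        try:
            datetime.strptime(date_str, "%B %d, %Y")   # rejects April 31
        except ValueError:
            reasons.append(f"impossible date {date_str}")
    for ip in IP_RE.findall(mail):
        try:
            ipaddress.ip_address(ip)                    # rejects octets > 255
        except ValueError:
            reasons.append(f"invalid IP address {ip}")
    sender = FROM_RE.search(mail)
    sender_domain = sender.group(1).lower() if sender else None
    for host in URL_RE.findall(mail):
        host = host.lower()
        # A link must point at the sender's own domain or a subdomain of it.
        if sender_domain and host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append(f"link host {host} does not belong to sender domain {sender_domain}")
    return reasons


if __name__ == "__main__":
    for reason in find_indicators(SAMPLE_MAIL):
        print("suspicious:", reason)
```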
Though a recent phenomenon in India, phishing has wrong-footed quite a few.
In an interview with Kishore Kumar of CyberMedia News, Captain
Raghu Raman, CEO of InfoSec consulting firm Mahindra Special Services Group,
delves into the various facets of phishing.
There has been an increase in cases of phishing. What can be the magnitude of
the damages caused due to phishing?
Phishing scams affect three kinds of people: the receiver, the Internet
Service Provider and the bank or the company on whose name the fraudulent mails
are sent. The receiver is at the risk of compromising his/her personal
information like credit card details, social security number, etc. The Internet
Service Provider suffers as thousands of mails are sent in the phishing scam,
thus clogging its network and bringing down the revenues. The bank/company
targeted is at the risk of losing its brand image, customer loyalty and future
business.
What are the common modes of phishing being carried out by cyber criminals?
Phishing scams are usually done by people looking for quick money. They send
spoofed mails to thousands of recipients requesting for credit card details and
Internet Banking login and passwords. Even if less than 5 per cent of recipients
respond to these mails, the attacker has made his money, before the whole
incident can even be reported and investigated. The United States is the leader in
hosting phishing sites. A large number are also being hosted in Asia Pacific
countries. However, these phishing scams can also be part of focused attack
against a particular company or organization. The method used by phishers is
usually to make fraudulent websites, similar to the genuine website by mimicking
the HTML code containing the same images, text and sections. Some phishing
websites register a similar domain name to the legitimate website of a company
or a bank. The most common method used by phishers is by forms, for example, the
Internet Banking login page or a form for password verification. Some attacks
spoof the address bar by using text and images. It involves placement of text
with white background over the URL on the address bar. It is possible to stop
this deception by disabling ActiveX and JavaScript in browser settings. Pop-up
windows on genuine web pages also mislead the users.
How much help can anti-phishing software be in negating this attack?
Personally I believe that the strongest defence organizations can build is to
strengthen the core business process so that InfoSec is imbibed into the way of
working, harden technologies to prevent leakage and train their employees and
make them more aware as to how InfoSec breaches can adversely affect their
personal aspirations. If this framework is followed, it's the best defense an
organization can have. However there are innovative concepts that prevent
phishing. Some are architecturally quite simple — except that organizations
such as banks should have taken the initiative to implement them. Let me
give an example. All banks collect your pictures at the time of opening your
account. All the bank has to do is to divide the online login process into two
parts. In the first part you put in your login name. The page refreshes and
provides your photo from the database — thus proving irrefutably that it is
indeed the genuine bank's URL and then you put in your password. The
fundamental challenge remains that most organizations do not think like
attackers and hence keep spending resources in the wrong place instead of
thinking of innovative yet simple to implement measures.
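The two-part login described above, written out in Python as an added example (it is not code from the article or from Mahindra Special Services Group): the user name alone is submitted first, the server answers with the photo it holds for that account plus a short-lived, single-use challenge, and only then is a password accepted. The account store, photo path and password are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds a plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store; the photo is the picture collected when the
# account was opened (hypothetical file name).
_SALT = os.urandom(16)
ACCOUNTS = {
    "fool.hoodwink": {"photo": "photos/fool_hoodwink.jpg", "salt": _SALT,
                      "pw_hash": _hash("correct horse", _SALT)},
}
CHALLENGE_TTL = 120   # seconds the photo step stays valid
_challenges = {}      # challenge id -> (username, issued_at)


def step1_username(username: str):
    """Part one: look the user up and return the stored photo together with a
    challenge id. No password is requested at this stage."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    cid = secrets.token_urlsafe(16)
    _challenges[cid] = (username, time.time())
    return {"challenge": cid, "photo": acct["photo"]}


def step2_password(cid: str, password: str) -> bool:
    """Part two: having recognised the photo, the user sends the password bound
    to the challenge from part one. The challenge is consumed either way."""
    entry = _challenges.pop(cid, None)
    if entry is None:
        return False
    username, issued = entry
    if time.time() - issued > CHALLENGE_TTL:
        return False
    acct = ACCOUNTS[username]
    return hmac.compare_digest(_hash(password, acct["salt"]), acct["pw_hash"])
```

The photo only tells the user that the page in front of them holds their account record; it complements, rather than replaces, checking the URL and the site's certificate.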
How rampant is phishing in India? How much awareness needs to be created among
Indians?
There have been several cases of attacks on genuine websites. As net
transactions become more popular in India, the possibility of sharp rise in
phishing attacks is guaranteed. Financial institutions are the main targets.
Some private banks have been recent targets. A lot of awareness needs to be
created amongst Indians. Many elderly people who have just begun surfing the net
are falling prey to phishing scams. Western countries have better recourse
mechanisms in place. InfoSec awareness and concerns are still nascent and are
being largely driven by overseas customers or MNCs. Slowly, but surely that is
changing and we are seeing more organizations giving it management mindshare.
Unfortunately most organizations have still not assumed the onus of
responsibility when it comes to protecting their customers from phishing
attacks. Too many of them choose to hide behind the 'fine print' of online
lack of answerability.
What's the functionality of cyber law with regards to phishing?
The Information Technology Act is comprehensive and provides stiff penalties.
But the enforcers are not able to understand and deal with cyber crime. Cases go
unreported because discovery levels are low. Many victims don't even know they've
been hit. Given the proper systems, there would be a substantial increase in the
number of cases registered. The actual enforcers — the police — need to be
educated; training sessions on technology frauds are a must. The police must
also understand the psychology of phishers and hackers. They are obviously very
different from and much more sophisticated than normal criminals.
© CyberMedia News