15/03/2011
10:18
Phishing: always present danger.
Analysis of the evoluting phishing techniques and some tips on how to avoid falling in the trap.
Every person that has ever done home banking activitie, might have heard of phishing more than once. Phishing is the attempt, carried out by a malicious entity called phisher, to acquire sensitive information such as usernames, passwords, and credit card details (indirectly, money), using always improving social engineering techniques.
This is achieved by masquerading as a trustworthy entity, in an electronic communication looking almost identical to the authentic and official one.
Most common phishing attempts mostrly involve banking and credit card companies, but also public istitutions (i.e. the tax office), internet and email providers, and more generally every service provider that can supply sensitive data such as identity and economic status.
The most common phishing technique is to send emails prompting the user to log in as soon as possible, in order to "verify their credentials" or to confirm the win of a bounty the institution decided to give as a gift (pictures 1-2). Of course this is a scam with the only goal being credentials theft.
A common phishing email simulates the need of account verification or re-activation, following maintenance works or alleged anomalies. The email can contain either a link that the user has to click, or an attached HTML page bearing striking similarities with the actual one. The user is convinced that their bank account can be freezed, they can be fined, or that their name is being used on online auction websited, and they are tricked into inserting their credentials.
|
|
|
|
|
Picture 1. - Phishing email with attachment. From: CartaSi Informs <blurred address> |
|
Picture 2. - Phishing email with link. From: Verified By VISA <blurred address> MasterCard SecureCode |
By clicking the link or opening the attached page, the user is not redirected to the actual website (i.e. the official CartaSi website), but they a fake page is shown instead, tricking the user into believing that they are visiting the original website, as it can be seen in Pictures 3 and 4. The data inserted into the form are not sent to the bank but to the phisher.
|
|
|
|
|
Picture 3. - This is an example of attached fake webpage. The user is asked to type in their username; password; date of birth; email address and password; fiscal code; card type, number, expiration date and CV2; One-Time-Password. |
|
Picture 4. - This is an example of misleading link. The user is asked to type in their name and surname; fiscal code; card type, number, expiration date and CV2; username; password; One-Time-Password. |
Always remember that no financial institution (i.e. bank), auction website, tax office and so on will ever ask to insert sensitive information via email, and that every connection to their portals must be done using a safe protocol, such as HTTPS, that uses SSL certificates to encrypt data flow to and from the website. Every modern browser shows the presence of a valid certificate with a symbol (usually a padlock), next to the website address bar.
In Italy, phishing aimed at BancoPosta bank account users is very common.
Users are asked to check payments allegedly made with their PostePay (a popular prepaid debit card) - picture 5 - or to log into their BancoPosta account in order to redeem a prize ranging from 50 to 100 EUR - picture 6.
|
|
|
Picture 5. - Phishing attemp masquerading as a PosteItaliane email. |
|
|
|
Picture 6. - Fake BancoPosta login page. |
Phishing techniques are constantly evolving, especially because users are becoming more aware of the risks they may face; newer and more sophisticated social engineering techniques are created every day, so it is up to the user to be alert and careful in order to keep their valuable data safe.
Roberto Spagliccia
TG Soft - Research Centre
