What is a Phishing threat and how users can be safeguarded


This article explains what Phishing attacks are, why they are a network security threat, how email is used to harvest confidential information, what phishers can do beyond directing victims to a fraudulent website, and how enterprises mitigate Phishing attacks. There is also a short introduction to a related threat – Pharming.

What is Phishing and what are the types of Phishing attacks?

You have an account with a bank and have been wondering whether to sign up for the e-banking facility it offers. At this point an email arrives from "your bank" at your official email address, asking you to update the user name and password for your e-banking account because the bank is upgrading its security systems, or because it suffered a breach in which all user information was lost. You decide this is the right time to start using e-banking and enter a user name and password so that they can update their system. A couple of days later, money is missing from your bank account! This is called Phishing.

Banks never send emails like this (in particular, ones that give a link and ask you to re-enter or update your account password). Such emails are sent as bulk spam by phishers. But the logo, design and even the link look so authentic that to an untrained eye they pass for genuine. When a user clicks the link in the email, they are taken to a duplicate website that closely resembles the bank's real site, and when they enter their user name and password, the phishers capture them and later use them to drain the bank account.

Over time, phishers also began planting malicious software on victims' computers that installed key-loggers, so that whatever you type is sent to the phishers over the internet. They wait until you log in to your bank account and capture the user name and password as you enter them. When banks responded with drop-down lists for selecting password characters or on-screen keyboards for entering passwords, phishers answered with mouse-loggers and screen-grabbers to capture that input too.

How is Phishing prevented?

Different vendors take different approaches to preventing Phishing in an enterprise. Some build it into their email security appliance, some into their gateway-level anti-spam/anti-virus solution, and some also provide client-level protection.

At the core, security companies maintain lists of phishing websites and of the mailer accounts that send phishing. The data comes from reports submitted by e-commerce companies and from the vendors' own honey-pot systems: deliberately unprotected mailboxes and hosts set up to attract phishers. This database is updated continuously, and when a user tries to visit one of these known phishing sites, the request is blocked automatically. Such lists always lag behind freshly registered phishing domains, which is why list-based blocking is combined with analysis of the message content itself.

Anti-spam filtering is another effective defence, because phishers rely on bulk mailers to reach enough victims. If the bulk mail is stopped before it reaches the mailbox, the phishing attempt is stopped with it.

A variety of structural features of the message are also analysed to locate the spoofing techniques phishing mails commonly use. Many phishing mails either leave out HTML structural components that a legitimate mailer would include, or use malformed HTML, and such mails can be detected and blocked. The URLs in the email are analysed for abnormalities: a fraudulent URL combined with the real one (for example the real host name placed before an "@" so that the browser treats it as user information and connects to the host that follows it), a fraudulent URL disguised with percent-encoded characters so that only the familiar name is visible to the reader, or link text that shows the real address while the href points elsewhere. Phishers also register permutations of the real domain, such as www.actualsite-offer.com, which is a spoofed variant of the real domain and not under the real owner's control. Email security solutions/appliances that recognise these patterns can block emails carrying them before they reach the end user.
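The URL and structure checks just described, written out as an added example for this article; it is not code from the original page or from any vendor's appliance. It also performs the known-site blocklist lookup from the database approach above. The protected brand (actualsite.com), the blocklisted host, the sample message and the two-label "registrable domain" shortcut are assumptions made for illustration; a real product uses curated brand lists, live blocklist feeds and a public-suffix list.

```python
"""Heuristic checks for the spoofed-link patterns described above.

Added example, not the page's or any vendor's code.  PROTECTED_DOMAINS,
BLOCKLIST and SAMPLE_MAIL are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

PROTECTED_DOMAINS = {"actualsite.com"}        # real domains of protected brands
BLOCKLIST = {"login-verify.example"}           # known phishing hosts (feed data)
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host):
    """Last two labels of a host: a toy stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse_link(href, text=""):
    """Return the spoofing indicators found in one <a href=...>text</a>."""
    findings = []
    netloc = urlsplit(href.strip()).netloc
    # http://www.actualsite.com@evil.example/ : everything before '@' is
    # userinfo the browser ignores; the real host is what follows it.
    if "@" in netloc:
        findings.append("real-host-hidden-after-@")
        netloc = netloc.rsplit("@", 1)[1]
    host = netloc.split(":")[0].lower()
    if "%" in host:                       # escape sequences disguising the host
        findings.append("percent-encoded-host")
        host = unquote(host)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("ip-address-host")
    rdom = registrable_domain(host)
    if host in BLOCKLIST or rdom in BLOCKLIST:
        findings.append("blocklisted-host")
    # Look-alike: brand name inside a domain that is not the real one,
    # e.g. www.actualsite-offer.com or actualsite.com.evil.example.
    for real in PROTECTED_DOMAINS:
        if rdom != real and real.split(".")[0] in host:
            findings.append("lookalike-of-" + real)
    # Visible text names one site while the link actually goes to another.
    m = HOST_IN_TEXT.search(text)
    if host and m and registrable_domain(m.group(1)) != rdom:
        findings.append("display-text-mismatch")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the set of tags seen."""

    def __init__(self):
        super().__init__()
        self.links, self.tags, self._href, self._text = [], set(), None, []

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email_html(html):
    """Map each suspicious href to its indicators; a 'structure' entry is
    added when the mail lacks the <html>/<body> skeleton a legitimate
    mailer normally emits."""
    parser = _LinkCollector()
    parser.feed(html)
    report = {}
    if not {"html", "body"} <= parser.tags:
        report["structure"] = ["missing-html-skeleton"]
    for href, text in parser.links:
        found = analyse_link(href, text)
        if found:
            report[href] = found
    return report


# Constructed sample phishing mail body, not a real message.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://www.actualsite.com@login-verify.example/u">www.actualsite.com/login</a>
<a href="http://www.actualsite-offer.com/login">Special offer</a>
<a href="http://www.actualsite.com/help">Help</a>
"""

if __name__ == "__main__":
    for link, why in scan_email_html(SAMPLE_MAIL).items():
        print(link, "->", ", ".join(why))
```

Run against the constructed sample, the first link is flagged three times (host hidden after "@", blocklisted host, display text naming a different site), the second as a look-alike of actualsite.com, and the genuine third link is not reported. Each indicator alone is a weak signal; an appliance scores and combines them rather than blocking on any single one.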

A complementary check is SPF – Sender Policy Framework, now standardised as RFC 7208. A domain that implements SPF publishes a DNS TXT record listing the mail servers allowed to send on its behalf. For an incoming message, the receiving server looks up the SPF record of the envelope-sender domain (the MAIL FROM domain, which is not necessarily the From: header the user sees) and checks whether the connecting IP address matches one of the listed mechanisms. If it matches, the message passes the SPF check; if not, it can be rejected or held for further investigation. An SPF pass only proves that the message came from a server authorised by that domain: a phisher who registers a look-alike domain can publish a perfectly valid SPF record for it, so a pass on its own is not a safety signal.
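How that SPF comparison is made, as an added example written for this article rather than taken from any mail server. It is deliberately partial: it handles only the ip4, ip6 and all mechanisms with their qualifiers, and reads the SPF record from an inline table instead of issuing the DNS TXT query a real receiver would. The domains example.com and soft.example, their records and the sender addresses are all constructed.

```python
"""Minimal SPF evaluation, as described above.

Added example, not the page's code and not a full RFC 7208 implementation:
it handles the ip4, ip6 and all mechanisms with the + - ~ ? qualifiers and
takes the SPF record from an inline table instead of a DNS TXT lookup.
The domains, records and addresses below are constructed.
"""
import ipaddress

# Constructed stand-in for DNS: the TXT record each domain would publish.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against one SPF record string.

    Returns pass, fail, softfail or neutral as in RFC 7208; 'none' when the
    string is not an SPF record; 'permerror' for a malformed network; and
    'unsupported' for mechanisms that need further DNS lookups (include,
    a, mx, exists, redirect), which this offline example does not perform.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        else:
            return "unsupported"
        if matched:                          # first matching term decides
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no 'all' term


def check_sender(mail_from, sender_ip):
    """SPF result for the envelope sender (MAIL FROM) of a connection.

    The domain comes from MAIL FROM, not from the From: header the user
    sees; a real receiver would fetch its TXT record from DNS here.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"        # domain publishes no SPF: neither safe nor unsafe
    return evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    for sender, ip in [("alerts@example.com", "192.0.2.77"),
                       ("alerts@example.com", "203.0.113.5"),
                       ("news@soft.example", "203.0.113.5")]:
        print(sender, ip, "->", check_sender(sender, ip))
```

A "fail" from a "-all" record is the case the article says should be held or rejected; "softfail" from "~all" is normally treated as a mark against the message rather than a block. A "none" result, where the domain publishes nothing, is exactly what a freshly registered phishing domain produces, so it must not be read as a pass.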

Pharming:

Pharming is an attack that manipulates DNS resolution so that requests for a genuine URL are silently redirected to a fraudulent site. The attacker alters the DNS configuration of the user's own machine (its hosts file or resolver settings), of the ISP's resolver, or of the hosting provider. Normally the ISP runs a local caching DNS server, which acts like an internet directory holding the addresses of websites. When a user requests a website the cache does not yet know, the server queries other DNS servers for it and stores the answer. Phishers can run a DNS server that, when queried for a name they legitimately control, sends back extra records for names it is not responsible for, such as a bank's domain; a resolver that saves those unsolicited records now has a poisoned cache. From then on, a user who types the genuine bank address correctly is still sent to the fraudulent website and their credentials are stolen. This is a Pharming attack. Caching resolvers prevent this form of poisoning by accepting only records that fall within the zone (the "bailiwick") of the server they asked and discarding such extra records; DNSSEC validation additionally lets a resolver reject forged answers outright.
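The "do not accept such extra records" rule above, as an added example for this article; it is not the page's code and not taken from any real resolver. The response is constructed to mimic the poisoning trick just described: a legitimate answer from ns1.attacker.example for a name in attacker.example, padded with an unsolicited NS record and a glue A record for examplebank.com. The names, addresses and the (name, type, value) record layout are assumptions for illustration.

```python
"""Bailiwick filtering: the 'do not accept such extra records' rule.

Added example, not the page's code and not taken from any real resolver.
The response below is constructed: a genuine answer for a name in the
attacker's own zone, padded with records for a bank's domain that the
answering server has no authority over.  Records are (name, type, value).
"""


def in_bailiwick(name, zone):
    """True if name equals zone or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(server_zone, answer, authority, additional,
                    enforce_bailiwick=True):
    """Drop records that the answering server has no authority over.

    server_zone is the zone the resolver asked this server about, known
    from the delegation that led it there.  With enforce_bailiwick=False
    the function behaves like the vulnerable cache the article describes
    and keeps everything.
    """
    def keep(records):
        if not enforce_bailiwick:
            return list(records)
        return [r for r in records if in_bailiwick(r[0], server_zone)]
    return {"answer": keep(answer), "authority": keep(authority),
            "additional": keep(additional)}


def cache_from_response(cache, sections):
    """Store every surviving record as cache[(name, type)] = value."""
    for records in sections.values():
        for name, rtype, value in records:
            cache[(name.lower().rstrip("."), rtype)] = value
    return cache


def resolve_from_cache(cache, name, rtype="A"):
    """What a later user asking this resolver for name would be given."""
    return cache.get((name.lower().rstrip("."), rtype))


# Constructed response from ns1.attacker.example, authoritative only for
# attacker.example.  The examplebank.com records are the poison.
ZONE = "attacker.example"
ANSWER = [("www.attacker.example", "A", "203.0.113.10")]
AUTHORITY = [("attacker.example", "NS", "ns1.attacker.example"),
             ("examplebank.com", "NS", "ns1.attacker.example")]
ADDITIONAL = [("ns1.attacker.example", "A", "203.0.113.11"),
              ("www.examplebank.com", "A", "203.0.113.66")]


if __name__ == "__main__":
    for enforce in (False, True):
        cache = cache_from_response(
            {}, filter_response(ZONE, ANSWER, AUTHORITY, ADDITIONAL, enforce))
        print("bailiwick check", "on " if enforce else "off",
              "-> www.examplebank.com resolves to",
              resolve_from_cache(cache, "www.examplebank.com"))
```

With the check off, the cache hands out 203.0.113.66 for www.examplebank.com to every later user, which is the pharming outcome; with it on, the bank's records are discarded and the resolver will go and ask the bank's real name servers when someone needs that name.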

excITingIP.com
