It is the beginning of the “Phishing” season, with taxes just months ahead of us. Catching and releasing financial information may garner some very big trophy money in the end. The Phish market stands to make hundreds of millions of dollars. We have seen world events such as Haiti’s earthquake spawn many top-ranking malware sites on Google that were designed to capture donations and personal information. These fake websites are almost identical to the legitimate ones and are becoming increasingly difficult to detect.
The most common phishing bait can be found embedded in email messages or instant messages. Generic salutations, such as “Dear Valued Customer” or “Dear Client”, should be immediately flagged: every banking institution has your exact name, as shown on your account, in its database. Misspelled words in the email are another indicator that it is a scam. Once a recipient takes the bait by clicking on the link embedded in the email or IM to the fake website, the phishing expedition begins.
Phishers use several “catch and release” techniques that disguise fake URLs. It has become increasingly difficult to detect the bait because the security certificate of a trusted website can be hidden in a multimedia object on a Flash-based website. Other techniques to disguise malicious URLs include URL redirectors on the websites of trusted organizations. Fake URLs can also be built from “miss-spelled” domains, or by merging a (.com) and a (.net) address into a convincingly reproduced website. Capturing login and personal details brings in big prize money.
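The indicators described above (generic salutations, misspelled or brand-merged look-alike domains, and redirectors on a trusted organization’s own site) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post; it assumes a constructed list of trusted domains and a constructed sample message, and uses a simple edit-distance threshold that a real mail filter would tune.

```python
import re
from urllib.parse import parse_qs, urlparse

TRUSTED_DOMAINS = {"examplebank.com", "irs.gov"}  # constructed: sites the reader actually uses
GENERIC_SALUTATIONS = ("dear valued customer", "dear client", "dear customer")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def edit_distance(a, b):
    """Levenshtein distance, used to catch 'miss-spelled' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(host):  # True for a trusted domain or any subdomain of it
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def imitated_domain(host):
    """Return the trusted domain `host` imitates, or None if it is genuine or unrelated."""
    if is_trusted(host):
        return None
    labels = re.split(r"[.-]", host)  # examplebank.com.net -> examplebank, com, net
    for trusted in TRUSTED_DOMAINS:
        # brand reused as a label under another TLD, or within two edits of the real name
        if trusted.split(".")[0] in labels or edit_distance(host, trusted) <= 2:
            return trusted
    return None

def analyze(message):
    """Return the phishing indicators found in an email body (empty list if none)."""
    findings = []
    if any(s in message.lower() for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    for url in URL_RE.findall(message):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        target = imitated_domain(host)
        if target:
            findings.append(f"lookalike domain {host} imitates {target}")
        elif is_trusted(host):  # a genuine site's redirector forwarding somewhere else
            if any(URL_RE.match(v) for vs in parse_qs(parsed.query).values() for v in vs):
                findings.append(f"redirector on trusted site {host}")
    return findings

# Constructed sample exercising all three indicators (203.0.113.0/24 is a documentation range).
SAMPLE = "Dear Valued Customer, please verfiy your details at http://examplebank.com.net/login or http://www.examplebank.com/go?url=http://203.0.113.5/login"
print(analyze(SAMPLE))
```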
Some phishing expeditions include hooks, lines and sinkers. “Sinking” means embedding a corrupted (.reg) entry or file into the Windows Registry, replacing the legitimate (.reg) file. “Hooking” the corrupted file to a malicious application ultimately reroutes the “lines” of personal information and consumers’ credentials to the phishers’ website.
Combating phishing attempts comes down to paying attention and simply modifying browsing habits. If an account needs to be “verified”, contact the company the email claims to come from to see whether the request is legitimate, and rather than trusting the links in the email, type the company’s genuine website address into the browser’s address bar. Finally, your computer should always have up-to-date anti-virus software that includes spam filters.
The damage caused by worldwide phishing can be estimated in the billions per year. This lucrative phishing industry will evolve with more attractive lures and mouth-watering baits disguised as information from your financial institutions, your planned events and unforeseen cataclysms. Remember to be diligent no matter how enticing an email, IM, or website may be. Don’t take the bait.