Introduction to new phishing techniques

Many Internet users are still unaware of the dangers of phishing, a technique to steal credentials, financial data and other sensitive information from unsuspecting Internet users. Some may know about first generation phishing attempts and that they should not trust emails that they receive in their inbox, and that they certainly should not open any attachments or click on links if they suspect illegitimate emails.

Still, there are many more who do not know even that and fall pray to phishing attacks that steal data or plant malicious software on their systems.

Anti-Phishing toolbars and implementations in major browsers or on a system-wide level are useful but can, as you will see, give you a false sense of security. This can be attributed to the fact that databases that contain the information are not updated in real time. Someone has to report a phishing website before it will be added to the database, it would be more than difficult to create an automatic solution for the problem. While there are attempts to do just that, those solutions are not 100% accurate either.

A second issue are new techniques used by hackers that are not detected by ant-phishing toolbars and programs.

Flash Phishing

Anti-Phishing toolbars do check the page contents for signs of phishing and also addresses, but do not analyze flash objects at all. Hackers know this and tend to use this to their advantage by using flash to emulate the original website. Users may believe that a website is "clean" because their anti-phishing toolbar does not warn them if they visit it.

It is however relatively easy to find out if the current website is fake.

1. You need to take a look at the url in the address bar. If it is not the original address leave it immediately.
2. Check if it is using https instead of http. If it is using http leave the site immediately.
3. If it is using https check the certificate.
4. If the site is only using flash leave it.
5. Never follow links in emails (unless you know the person)
6. Never follow links in chats (unless you know the person)

You should immediately contact the supposed owner of the website and ask for advice.

Social Phishing

Phishers use other means of getting sensitive data from users. We all know that we should contact the company if we have doubts about a website. What if you would receive a mail from your bank asking you to call them back because there was a security breach? Would you call them back?

What if the number was redirecting you to someone in China speaking fluent English? Would you give the person information when asked about personally identifiable information for identification purposes? Sir, we need to make sure that you are indeed our customer. Could you please supply your credit card information so that I can verify your identity?

This is not a huge market yet but it will grow over time.

Advertisement