Saturday, February 7, 2009

Phishing: Examples and prevention methods


What is phishing?
The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information.


For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay’s site to update their account information. By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.
Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.


Remember, no reputable business would send you an email requesting your personal account information. Any such email you receive asking for this information should be considered phony and brought to the attention of the business being 'phished'. WARNING…REMEMBER!!!





How You Can Prevent Phishing Scams
The Anti-Phishing Working Group has compiled a list of recommendations below that you can use to avoid becoming a victim of these scams.

  • Be suspicious of any email with urgent requests for personal financial information
    - unless the email is digitally signed, you can't be sure it wasn't forged or 'spoofed' - phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately
    - they typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc.
    - phisher emails are typically NOT personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure
  • Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle
    - instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser
  • Avoid filling out forms in email messages that ask for personal financial information
    - you should only communicate information such as credit card numbers or account information via a secure website or the telephone
  • Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser
    - Phishers are now able to 'spoof,' or forge BOTH the "https://" that you normally see when you're on a secure Web server AND a legitimate-looking address. You may even see both in the link of a scam email. Again, make it a habit to enter the address of any banking, shopping, auction, or financial transaction website yourself and not depend on displayed links.
    - Phishers may also forge the yellow lock you would normally see near the bottom of your screen on a secure site. The lock has usually been considered as another indicator that you are on a 'safe' site. The lock, when double-clicked, displays the security certificate for the site. If you get any warnings displayed that the address of the site you have displayed does NOT match the certificate, do not continue.
  • Remember not all scam sites will try to show the "https://" and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like "http://www.gotyouscammed.com/paypal/login.htm?" Be aware of where you are going.
  • Consider installing a Web browser tool bar to help protect you from known fraudulent websites. These toolbars match where you are going with lists of known phisher Web sites and will alert you.
    - Internet Explorer version 7 includes this tool bar, as does Firefox version 2
    - EarthLink ScamBlocker is part of a browser toolbar that is free to all Internet users - download at
    http://www.earthlink.net/earthlinktoolbar
  • Regularly log into your online accounts
    - don't leave it for as long as a month before you check each account
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate
    - if anything is suspicious or you don't recognize the transaction, contact your bank and all card issuers
  • Ensure that your browser is up to date and security patches applied
  • Always report "phishing" or “spoofed” e-mails to the following groups:
    - forward the email to
    reportphishing@antiphishing.org
    - forward the email to the Federal Trade Commission at
    spam@uce.gov
    - forward the email to the "abuse" email address at the company that is being spoofed (e.g.
    spoof@ebay.com)
    - when forwarding spoofed messages, always include the entire original email with its original header information intact
    - notify The Internet Crime Complaint Center of the FBI by filing a complaint on their website:
    www.ic3.gov/
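The "look at the address line" advice above (check for "https://", and notice when a brand name appears in the path or before an "@" while the real host is something else, as in the "gotyouscammed.com/paypal" example) can be turned into a small mechanical check. The following Python script is an added illustration written for this post, not code from the original page or from the Anti-Phishing Working Group; the EXPECTED_HOSTS mapping, the sample addresses (including the 203.0.113.5 documentation address) and the two-label domain simplification are assumptions made for the example.

```python
"""Address-line check for suspicious links (added example, not the blog's own code)."""
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: the brands you bank or shop with, mapped to the
# registrable domain you would type yourself. Extend it with your own institutions.
EXPECTED_HOSTS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# Constructed sample addresses; the second echoes the post's gotyouscammed.com example.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.gotyouscammed.com/paypal/login.htm",
    "https://www.paypal.com.example.net/login",
    "http://paypal.com@203.0.113.5/login",
]


def registrable_domain(host):
    """Last two DNS labels of a host name (e.g. www.ebay.com -> ebay.com).
    Simplification: ignores multi-label public suffixes such as co.uk, which a
    real checker would resolve with a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_url(url):
    """Return the reasons an address line deserves suspicion; an empty list means no flags."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # In the user@host form everything before '@' is decoration; the real host follows it.
        findings.append("user@host form hides the real host")
    if is_ip_literal(host):
        findings.append("raw IP address instead of a domain name")
    domain = host if is_ip_literal(host) else registrable_domain(host)
    # Look for a brand name anywhere in the host, the user part or the path.
    haystack = (parts.netloc + parts.path).lower()
    for brand, real in EXPECTED_HOSTS.items():
        if brand in haystack and domain != real:
            findings.append(f"mentions {brand} but the host is {domain}, not {real}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", inspect_url(sample) or ["no flags"])
```

The point of the check is the one the list makes: the only part of the address that decides where you end up is the registrable domain of the host, so a brand name in the path, in a subdomain or before an "@" proves nothing. Only the genuine "https://www.paypal.com/signin" sample comes back with no flags; the other three are each flagged for at least one of the reasons the list describes.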

For more information, check some of the following sources:
  • For more information about how to protect yourself, see our Fact Sheet 17a Identity Theft: What to do if It Happens to You at http://www.privacyrights.org/fs/fs17a.htm.
  • Read the information and tips put out by the Federal Trade Commission about phishing at http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm.
  • Read the Department of Justice's recent whitepaper "Special Report on Phishing" at http://www.antiphishing.org/DOJ_Special_Report_On_Phishing_Mar04.pdf

The Application of 3rd Party Certification Program in Malaysia

The purpose of a third-party certification programme is to provide a measure of conformity, satisfy customer demands and limit supplier risks without the expense of repeating tests. Most important is that the assessment is carried out by an independent third-party organization that is qualified and licensed to issue certification when the assessment is successfully completed.



MSC Trustgate.com Sdn Bhd is the best-known example of a 3rd party certification program in Malaysia; it issues certificates and licences to consumers. It was established in 1999 as a licensed Certification Authority (CA) in Malaysia under the Digital Signature Act 1997. It provides security solutions and trusted services to help companies build a secure network and application infrastructure for electronic transactions and communications over the network.

The objective of MSC Trustgate is to secure open network communications both locally and across the ASEAN region. Trustgate provides digital certification services such as digital certificates, cryptographic products and software development. The products and services of Trustgate are SSL Certificate, Managed PKI, Personal ID, MyTRUST, MyKAD ID, SSL VPN, Managed Security Services, VeriSign Certified Training and Application Development. The vision of Trustgate is to enable organizations to conduct their business securely over the internet, as much as they have been enjoying in the physical world.



3rd Party Certification is always crucial and needed because internet security threats are spreading over the net nowadays. One good example is the increase of phishing on the internet. Customers care a great deal about the trustworthiness of the parties they do business with, and this includes the security of their personal and other confidential data. Thus, certification from a 3rd party is needed to ensure that their information travelling over the Internet reaches the intended recipients and is safe. Apart from that, such services provide e-mail protection and validation, secure online shopping carts and more, in order to avoid being spammed, hacked and attacked by malicious software such as viruses, trojan horses and worms.

The bottom line is that there are more safeguards for online shopping and various other aspects of e-commerce and business with the existence of 3rd Party Certification, which strengthens the global trend in general.

For more information on MSC Trustgate, visit their website:
http://www.msctrustgate.com/

Friday, February 6, 2009

The threat of online security: how safe is our data?


The Internet is a global system of interconnected computer networks that interchange data by packet switching using the standardized Internet Protocol Suite (IP). It is a “network of networks” that consists of millions of private and public business, academic and government networks, which carry various information resources and services such as electronic mail, file sharing or file transfer of local to global scope, and which are linked by wireless connections, copper wires and fiber-optic cables.

What is Internet Security?

What was once a small research network, a home for greybeard researchers and future millionaire geeks, is now front-page material. When a computer connects to a network and begins communicating with others, it is taking a risk. Internet security involves the protection of a computer’s internet account and files from intrusion by an outside user. Basic security measures involve protection by well selected passwords, changes to file permissions and backups of the computer’s data.

Programs can be made to help your computer, but there are also some types of Internet threats that a user can create with the intention of destroying the computer's data by being deceptive.

(i) Trojan Horses: programs which pretend to do one thing, but in reality snoop out your personal data or damage it. These types conceal their identity and are usually quite hard to detect.

(ii) Viruses: programs which are able to get into the personal files on a computer they have infected and, as a result, can end up removing all of them. They can have serious side effects on a computer's system.

(iii) Malware: also known as Malicious Software. It is software designed to infiltrate or damage a computer system without the owner’s informed consent. Some malware can be classified as Trojans with a limited payload, and these are often not detected by most antivirus software. They may require the use of other software designed to detect other classes of malware, including spyware.


(iv) Worms: programs which are able to replicate themselves over a computer network and in turn perform malicious actions. As a result, a worm has the ability to affect other programs on the computer.


Hackers and How to Protect Yourself

http://www.youtube.com/watch?v=0TkDB4KK1s8

The latest in Internet Security Threats

http://www.youtube.com/watch?v=3x7Lj5sdWPk