Sunday, April 10, 2011

Poll question of week 10

Link to us: http://snipurl.com/week10poll



Based on the result of the poll question, there is a total of 45 votes. 4 votes (8%) say the purpose of the phisher is hacking for fun. Some people think phishers are bored people looking for amusement. They think the phisher breaks in because somebody might have interesting data and they have nothing better to do. These phishers have a strong desire to learn how a phishing attack works, and they often damage something through ignorance or while trying to cover their tracks.

3 votes (6%) say the purpose of the phisher is to do damage. A few people think phishers are out to do damage because they get their kicks from destroying things. These phishers just want to damage something so that it becomes less attractive, useful or valuable. Only 2 votes (4%) say the phisher does not like somebody. Not many people think a phisher attacks out of anger towards someone who then becomes the target of a phishing attack.

Most people, 22 votes (48%), say phishers break in because they want information for other purposes. While these phishers are not above theft, they usually steal things that are directly convertible into money or further access, such as credit card, telephone or network access information. If they find secrets they think they can sell, they may try to do so, but that is not their main business.

14 votes (31%) say the phisher prefers sites of particular interest. A lot of people think phishers may prefer sites of particular interest: breaking into something well-known, well-defended or otherwise especially neat is usually worth more points to them. However, they will also attack anything they can get at; they are going for quantity as well as quality. They do not have to want anything you have, or care in the least about the characteristics of your site. They may or may not do damage on the way through. They will certainly gather information and keep it for a phishing attack.

Sunday, April 3, 2011

Crossword Puzzle Winner

The winner of our crossword puzzle is Chew Wing Sheng from Inti College Subang Jaya, who is taking a Diploma in Internet Communication Technology. Thank you to those who joined this contest! The prize was a stack of Double A A4 paper, which is useful for doing assignments. Here we provide our readers with the answers to our puzzle.


Saturday, April 2, 2011

Poll question of week 9



Based on the result of the poll question, there is a total of 23 votes. 4 votes (17%) say they can recognize a phishing attack because they are familiar with phisher behaviour, having seen, heard of or personally experienced a phishing attack. These few people have knowledge gained from experience of phishing attacks because they have learned about or been told about them.

Most people, 10 votes (43%), say they maybe can avoid a phishing attack. They are not certain whether a phishing attack will happen, or are not confident that they can avoid one. 7 votes (30%) don't know whether they can avoid a phisher or not. A lot of people do not know what phishing is and do not understand how the phisher hacks. They may also never have heard of a phishing attack before.

Only 2 votes (8%) say they cannot prevent a phishing attack. Not many people think they cannot realize or be aware of a phishing attack. The reason they chose this is that they can be easily fooled by a phisher because they may be first-time internet users or cannot understand how to prevent a phishing attack. Another reason is that they are too lazy to learn or read about phishing attacks, and also too lazy to find information on the latest fraud tactics on the internet.

According to the poll question, phishing scams are now a part of everyday life. It's important that you know how to spot one and avoid becoming a victim. Anyone can be tricked by a phishing scam. Simple phishing scams are easy to spot, but the best scammers are actually pretty smart. They use a variety of tricks to make the phishing scam look like a legitimate process.


    


Sunday, March 27, 2011

Poll question of week 8




Based on the result of the poll question, there is a total of 31 votes. 21 votes (67%) say the Japan earthquake and tsunami are a serious problem for phishing scams. 9 votes (29%) say the Japan earthquake and tsunami may be used for phishing scams. Only 1 vote (3%) says the Japan earthquake and tsunami will not be affected by phishing scams. The result shows that a lot of people know that a disaster will bring victims to phishing scams, but some people do not think that a disaster will expose victims to phishing scams and do not think they should worry.

Phishing Contest

Phishing Contest !!

Please download our contest here !! ---->>> CROSSWORD PUZZLE CONTEST

Please send an e-mail with the completed puzzle and the information stated below to siewchin.92@gmail.com

Name:
Age:
Gender:
Email address:

Rules:
1. The information you submit must be true.
2. We reserve the right to cancel your qualification if any cheating is found.
3. No copying from your friends.
4. Must be Malaysian.
5. Submit before the deadline.

Thursday, March 24, 2011

Japan Earthquake Scam ?

Link to us: http://snipurl.com/japanearthquakescam


Scammers and hackers are using the devastating earthquake and tsunami in Japan to appeal for fraudulent charity donations. US-CERT, the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS), is warning users regarding fake antivirus and phishing attacks regarding the Japan earthquake and the tsunami disasters. Scammers are also flooding e-mail inboxes with messages asking recipients to donate money to relief efforts.

On Facebook, scams are also rampant. If you get a link to something like "Japanese Tsunami RAW Tidal Wave Footage", don't click it. It's a scam. You may be tricked into "liking" the page, then taking a survey that harvests personal information, and then promoting the scam.

Symantec has observed a classic 419 message targeting the Japanese disaster, said researcher Samir Patil in a post to the company’s security blog. “The message is a bogus ‘next of kin’ story that purports to settle millions of dollars owing to an earthquake and tsunami victim.” Hackers have also registered a large number of domains with URLs that may fool users into thinking that they’re legitimate donation or relief sites, said Patil, a tactic that can also push those sites higher on search results.

How to Protect yourself

- Do not follow unsolicited web links or attachments in email messages.

- Maintain up-to-date antivirus software.

- Verify the legitimacy of the email by contacting the organization directly through a trusted contact number.

- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.

- Take advantage of any anti-phishing features offered by your email client and web browser.


Reference: http://www.cybervally.com/2011/03/beware-fake-japan-earthquake-tsunami-disaster-email-scams-phishing-attacks/

Sunday, March 20, 2011

Poll question of week 7

Link to us : http://snipurl.com/week7poll


Based on the result of the poll question, there is a total of 36 votes. 31 votes (83%) say PayPal phishing will affect customers' online purchases. According to the top 10 phished websites in 2010, PayPal phishing is one of the most popular in the world. Most people think that victims may click on the link in the e-mail, which leads them to a fake website; this is a serious problem for customers who purchase online. Only 6 votes (16%) say PayPal phishing will not affect customers' online purchases. A few people think that people with a lot of experience of the world who know about phishing do not worry about it.

Thursday, March 17, 2011

Avoid Japan Earthquake Phishing



The global online community is showing support through charities' websites like the Red Cross for the magnitude 8-9 earthquake that hit Japan on 17 March 2011 (Friday). There are some ways to make sure your donation reaches the right people.

1) Check the URL spelling. Hackers are skilled at making a fake URL look real, for instance credits.com instead of credit.com. This technique is called typosquatting.
2) Do not get misdirected. Online financial phishing scams will frequently direct you to a third-party website that asks for your credit card information. If you are being redirected to another site that does not look right, disconnect from that website. Do not pay attention to the link text, because it can say anything; pay attention to the URL instead.
3) Resist social pressure. A scam usually works because it preys on a huge number of people, so do some research if you see a website that appears suspicious. Never trust messages and links spread through Twitter.com and Facebook.com, because they are hotbeds for scammers looking to make quick cash. Never give out your PIN code, driver's licence number, phone number or date of birth, because none of that information is required by legitimate sites like the Red Cross.
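To make the spelling check in step 1 concrete, here is an added Python example (not code from the original post) that scores a URL's host against a small constructed list of trusted donation domains. It flags hosts a character or two away from a trusted name, like credits.com for credit.com, and hosts that hide a trusted name as a subdomain of some other domain. The trusted list, the registrable-domain helper (which assumes no public-suffix list) and the sample URLs are assumptions.

```python
"""Look-alike domain check.

Added example, not from the original post. Scores a URL's host against a
constructed list of trusted donation domains. Verdicts:
  "trusted"                            registrable domain is on the list
  "lookalike of <good>"                registrable domain is <= max_edits away
  "trusted name used as subdomain..."  e.g. redcross.org.example.net
  "unknown"                            nothing resembles a trusted name
"""
from urllib.parse import urlsplit

# Constructed allow-list of the domains a donor expects to land on.
TRUSTED_DOMAINS = ("redcross.org", "credit.com", "paypal.com")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    prev_prev, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1,          # delete ca
                       cur[j - 1] + 1,       # insert cb
                       prev[j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev_prev[j - 2] + 1)  # transposition
            cur.append(best)
        prev_prev, prev = prev, cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Assumption: no public-suffix list, so
    co.uk-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Classify the host of `url` against the trusted domains."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    for good in trusted:
        # credits.com vs credit.com: one insertion away.
        if edit_distance(reg, good) <= max_edits:
            return f"lookalike of {good}"
        # paypal.com.example.net: a trusted name buried left of the real domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return f"trusted name used as subdomain of {reg}"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.redcross.org/donate", "http://credits.com/",
              "http://paypal.com.example.net/login", "https://example.org/"):
        print(f"{u:40} -> {classify_host(u)}")
```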

Monday, March 14, 2011

Announcement :: Crossword Puzzle coming out soon !


After having our blog up for a while, we've decided to come up with a crossword puzzle for our readers to play with! This activity will help readers understand more about phishing! A prize will be given!!

Rules of Competition

- Must be a Malaysian
- Must be our blog's follower
- Must submit real information

Prize: Mystery Gift will be Given to the winner !!

Please complete the information below and send an email to us if you wish to join the competition!

Name:
Gender:
Age:
Email Address:
Current Location:
Contact number:

Poll Week 6

Link to us: http://snipurl.com/week6poll

Poll question week seven: "Where do you think our blog's standard stands?"
There is a total of 27 votes: 1 (3%) voted that our blog's standard is poor, 3 (11%) voted the standard is just nice, and 23 (85%) voted that our blog's standard stands at good!
None of the readers think our blog is noob.
Thanks to those who voted for our blog; now we know where our standards stand, and there'll be a contest coming up! Stay tuned!

Saturday, March 12, 2011

Phone Phishing

Link to us: http://snipurl.com/phonephish

There is another type of phishing: phone phishing. This happens when someone pretending to be from a government agency or company calls to ask for your personal information. It sounds easy to avoid, but unfortunately these people only need a few victims to fall for the scam to make it profitable.
Phone phishing is increasing. Sometimes it really seems like your bank is calling you. A phone phisher can assume your identity and empty your bank accounts. Here are some things you need to remember when conducting sensitive financial transactions over the phone:

1) Never give out full account numbers. Your financial institution does not need account numbers to verify your identity; if it is really necessary, give the last four digits only, or insist on other methods of verifying your identity, such as your date of birth.
2) Do not call a number left in a recording. Instead, call the known customer service number for your bank. Although you may need to go through a couple of transfers, at least it is safer.
3) Be wary of repeated recordings trying to get hold of you about important account or personal information. The bank is likely to use a real person to call you if there is really a problem.
4) Do not trust caller ID, because it can be spoofed. It is important to find out from your bank's customer service number the exact spelling and words that should appear on caller ID.

Have you been a victim of phone phishing?


Reference:
1)All Business [Online], Retrieved 11 March 2011
URL: http://www.allbusiness.com/crime-law-enforcement-corrections/criminal-offenses/14808871-1.html
2)Internet Fraud Tips [Online], Retrieved 11 March 2011
URL: http://www.fraud.org/tips/internet/phishing.htm

Monday, March 7, 2011

Poll week 5

Link to us: http://snipurl.com/week5poll


Poll question week six: "Do you like our slogan? Beware!! Phishing ain't fishing". There is a total of 42 votes: 39, which is 92% of them, voted yes, and 4, which is 9% of them, voted no, meaning they don't like the slogan. The majority like the slogan and we are very happy that they do.



Friday, March 4, 2011

Top 10 Phishing Website in 2010.

Link to us: http://snipurl.com/toptenphished

Top ten phished websites in 2010:

1. PayPal — 45.9%
2. Facebook — 5.3%
3. HSBC Group — 4.1%
4. World of Warcraft — 3.2%
5. Internal Revenue Service — 3%
6. Bradesco — 1.9%
7. Orkut — 1.7%
8. Sulake Corporation — 1.5%
9. Steam — 1.2%
10. Tibia — 1%

In the OpenDNS annual report for 2010, the most frequently phished website in every month of 2010 was PayPal, which was targeted nine times more often than the second most popular phishing target, Facebook (5.3% of fake sites). Five of the top ten phished websites (Facebook, World of Warcraft, Sulake Corporation, Steam and Tibia) are associated with social networking and online games.



References
Help Net Security [Online], Retrieved on 10 March 2011.
URL: http://www.net-security.org/secworld.php?id=10487

Thursday, March 3, 2011

New phishing technique exploits browser tab use


Link to us: http://snipurl.com/tabnabbing


According to SC Magazine, a leading Firefox developer has discovered a new phishing attack method called tabnabbing. Tabnabbing relies on the fact that users generally do not keep track of all the tabs they have open in their browser at one time.

Tabnabbing allows the attacker to silently change the contents, title and logo of a page in a separate tab so that, when the user eventually returns to it, it resembles a familiar site such as Gmail or Facebook. In this new phishing attack, a user is tricked into visiting a maliciously crafted page containing JavaScript. What victims do not expect is that a page they were looking at will change behind their backs while they are not looking, so the phisher catches them by surprise.

Besides this, an attacker could make the ruse even more clever and convincing by taking advantage of the user's web browsing history. The attacker is also able to display a message that the user's session has timed out, thereby adding legitimacy to the attack.

Furthermore, users should check the URL of a site carefully if an unexpected login screen for a webmail, bank or online commerce site appears, because nothing else indicates that the page has changed.

Last but not least, users can consider running the NoScript add-on for Mozilla Firefox, or they can deploy a password management tool, which should not make saved logins available for use at malicious sites.

References
Angela Moscaritolo, SC magazine [Online], Retrieved on 3 March 2011.

Monday, February 28, 2011

Poll question week 4

Link to us: http://snipurl.com/weekfour

This is the week 4 poll result



Poll question week four: "Do you check the URL every time you access a website?" There is a total of 12 votes: 8 of them voted "Yes", 4 of them voted "Sometimes", and none of them voted "No". The poll shows us that the majority of them beware of phishing. To avoid being a victim of phishers, we should always check the URL of the website we are accessing.

Sunday, February 27, 2011

Type of Phishing Attack

Link to us: http://snipurl.com/typeofphishingattack

Deceptive Phishing. The term "phishing" originally referred to account theft using instant messaging but the most common broadcast method today is a deceptive email message. Messages about the need to verify account information, system failure requiring users to re-enter their information, fictitious account charges, undesirable account changes, new free services requiring quick action, and many other scams are broadcast to a wide group of recipients with the hope that the unwary will respond by clicking a link to or signing onto a bogus site where their confidential information can be collected.

Malware-Based Phishing refers to scams that involve running malicious software on users' PCs. Malware can be introduced as an email attachment, as a downloadable file from a web site, or by exploiting known security vulnerabilities--a particular issue for small and medium businesses (SMBs) who are not always able to keep their software applications up to date.

Keyloggers and Screenloggers are particular varieties of malware that track keyboard input and send relevant information to the hacker via the Internet. They can embed themselves into users' browsers as small utility programs known as helper objects that run automatically when the browser is started as well as into system files as device drivers or screen monitors.

Session Hijacking describes an attack where users' activities are monitored until they sign in to a target account or transaction and establish their bona fide credentials. At that point the malicious software takes over and can undertake unauthorized actions, such as transferring funds, without the user's knowledge.

Web Trojans pop up invisibly when users are attempting to log in. They collect the user's credentials locally and transmit them to the phisher.

Hosts File Poisoning. When a user types a URL to visit a website, it must first be translated into an IP address before it is transmitted over the Internet. The majority of SMB users' PCs running a Microsoft Windows operating system first look up these "host names" in their "hosts" file before undertaking a Domain Name System (DNS) lookup. By "poisoning" the hosts file, hackers have a bogus address transmitted, taking the user unwittingly to a fake "look alike" website where their information can be stolen.
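As an added illustration of the hosts-file check a defender would run (example code, not from the referenced PCWorld article), the Python below parses hosts-file text and reports lines that pin a watched hostname, or that map a name to an address outside the loopback, unspecified, link-local and private LAN ranges. The watch-list and the sample hosts file are constructed.

```python
"""Hosts-file poisoning check.

Added example, not from the referenced article. Parses hosts-file text and
reports entries that (a) pin a hostname on a constructed watch-list, or
(b) map any name to an address outside the loopback, unspecified,
link-local and private LAN ranges. Either kind of line deserves a look.
"""
import ipaddress

# Constructed watch-list: names that should never be pinned locally.
WATCHED_SUFFIXES = ("bank.example", "paypal.example", "mail.example")

# RFC 1918 / ULA ranges that a home or office hosts file may legitimately use.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample (documentation addresses). Line 5 is the planted entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan              # harmless LAN entry
203.0.113.9     www.bank.example         # planted: bank name -> attacker-controlled IP
198.51.100.7    update.software.example  # another name pinned to a non-local address
0.0.0.0         ads.tracker.example      # ad blocking: unspecified address, not flagged
"""


def parse_hosts(text):
    """Yield (address_text, [hostnames], line_number) for each entry line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:], lineno


def is_local(ip):
    """True for addresses a hosts file may map names to without suspicion."""
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or any(ip in net for net in LAN_NETWORKS))


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return [(line_number, address, hostname, reason)] worth reviewing."""
    findings = []
    for addr, names, lineno in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(names), "unparseable address"))
            continue
        for name in names:
            n = name.lower()
            if any(n == s or n.endswith("." + s) for s in watched):
                findings.append((lineno, addr, name, "watched hostname pinned in hosts file"))
            elif not is_local(ip):
                findings.append((lineno, addr, name, "name mapped to a non-local address"))
    return findings


if __name__ == "__main__":
    for lineno, addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} {name}: {reason}")
```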

System Reconfiguration Attacks modify settings on a user's PC for malicious purposes. For example: URLs in a favorites file might be modified to direct users to look alike websites. For example: a bank website URL may be changed from "bankofabc.com" to "bancofabc.com".

Data Theft. Unsecured PCs often contain subsets of sensitive information stored elsewhere on secured servers. Certainly PCs are used to access such servers and can be more easily compromised. Data theft is a widely used approach to business espionage. By stealing confidential communications, design documents, legal opinions, employee related records, etc., thieves profit from selling to those who may want to embarrass or cause economic damage or to competitors.

DNS-Based Phishing ("Pharming"). Pharming is the term given to hosts file modification or Domain Name System (DNS)-based phishing. With a pharming scheme, hackers tamper with a company's hosts files or domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site. The result: users are unaware that the website where they are entering confidential information is controlled by hackers and is probably not even in the same country as the legitimate website.

Content-Injection Phishing describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, hackers may insert malicious code to log user's credentials or an overlay which can secretly collect information and deliver it to the hacker's phishing server.

Man-in-the-Middle Phishing is harder to detect than many other forms of phishing. In these attacks hackers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.

Search Engine Phishing occurs when phishers create websites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products or services and are fooled into giving up their information. For example, scammers have set up false banking sites offering lower credit costs or better interest rates than other banks. Victims who use these sites to save or make more from interest charges are encouraged to transfer existing accounts and deceived into giving up their details.


Reference : http://www.pcworld.com/businesscenter/article/135293/types_of_phishing_attacks.html

Thursday, February 24, 2011

E-banking scams on the rise

Link to us: http://snipurl.com/ebankingscam

Scams targeting electronic banking have increased: 1426 reports were made to CyberSecurity Malaysia last year compared with 634 in 2009. CyberSecurity Malaysia identified at least 900 phishing sites targeting financial institutions in the country; through these phishing websites it is easy to obtain personal information, usernames, passwords or credit card information. The rise in Internet banking scams is attributed to the increasing popularity of online banking among Malaysians.

Step by step, how scams targeting electronic banking work:

1. The phishing starts by dispatching e-mails to account holders informing them of a "hitch" in their accounts, and that they should quickly log in to the account to verify some information.

2. Victims click on the link in the e-mail, which leads them to a fake website.

3. The fake website misleads the victim into logging in by entering their username and password, which are immediately copied by the creator of the fake website.

4. The cyber criminal can then log in and empty the victim's entire account in minutes, if the amount is within the limit allowed to be transferred in a day.


References
E-banking scams on the rise, The Star Online, [Online], Retrieved on 17 February 2011.

Friday, February 18, 2011

Spear Phishing Trial in Canada

Link to us: http://snipurl.com/spearphishing
What is spear phishing?

Firstly, I would like to explain something more about spear phishing. Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal.

In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company, and generally someone in a position of authority. From what I've read somewhere, spear phishing attempts are not from random hackers; they are more likely conducted by sophisticated groups out for financial gain, trade secrets or military information.

In Toronto, computer hackers infiltrated some Canadian government computer systems but were not able to access the classified data they were seeking. Stockwell Day, the President of the Treasury Board, which is also a federal administrative agency, said the attacks were significant but that Canada's cyber security systems detected the intrusions and blocked them.

The Canadian Broadcasting Corporation reported that computers belonging to the Treasury Board and the Finance Department were among the systems infiltrated in early January, along with Defence Research and Development Canada, a research agency within the Department of National Defence. There were no indications that any data relating to Canadians was compromised.

Prime Minister Stephen Harper said that federal security agencies were working to deal with cyber threats. The CBC reported that the cyber attacks were traced to computer servers in China, but no government official would confirm the origins of the attacks.

The report said hackers were using a technique known as spear phishing, which involves impersonating bureaucrats via their e-mail accounts to snoop around government computer systems and steal key passwords that unlock government data systems.

Reference
http://biz.thestar.com.my/news/story.asp?file=/2011/2/18/business/20110218080041&sec=business

Thursday, February 17, 2011

Search Engine Phishing

Link to us: http://snipurl.com/searchenginephishing
Search engine phishing refers to using a powerful search engine to locate high-value targets or to search for valuable information. Phishers create web pages for fake products, get the pages indexed by search engines, and wait for unsuspecting customers to enter their confidential information as part of an order, sign-up or balance transfer. Such pages usually offer products or services at a price slightly too good to be true.
One clever and dishonest scheme involving fraudulent banks has been particularly successful. A scammer creates a page advertising an interest rate slightly higher than any real bank offers. Victims find the site while searching for products or services and, hoping to save or earn more from interest, transfer their existing accounts; in doing so they are fooled into giving up their information to the search engine phisher. Some victims even provided their bank account numbers to "Flintstone National Bank" of "Bedrock, Colorado", one of the fraudulent banks.
The best way to prevent search engine phishing is to be very careful and watch for signs of danger when dealing with a site whose offers seem just too good to be true.
Google is known for having the cleanest design, the fastest search results and its unique PageRank technology. Google hacking involves using the Google search engine to locate specific strings of text in search results. A Mozilla Firefox plug-in detects phishing websites by leveraging the Google search engine. According to the Electrical and Computer Engineering Department, University of Toronto, the search results for a page's unique keywords are compared with the website the user is currently visiting to determine whether it is a phishing website. Since most phishing sites are short-lived, they have far fewer visitors than the legitimate sites they imitate. So when the domain of the suspicious website does not match the domains of the websites in the top search results, the suspicious site is unlikely to be the one the user expects to be visiting.

References
1. Jessica Hunter, Search Engine Phishing - What you need to know, [Online], Retrieved on 16 February 2011.
URL: http://www.identitytheftfixes.com/search_engine_phishing_--_what_you_need_to_know.html
2. Robert Ma, Phishing Attack Detection by Using a Reputable Search Engine, [Online], Electrical and Computer Engineering Department, University of Toronto, Retrieved on 17 February 2011.
URL: http://www.eecg.toronto.edu/~lie/Courses/ECE1776-2006/Projects/Phishing2a-proposal.pdf

Monday, February 14, 2011

What is Phishing ?

What is "phishing"? (translated from the Chinese source)

Phishing is the mass sending of deceptive spam that claims to come from banks or other well-known institutions, with the aim of luring recipients into giving out sensitive information (such as user names, passwords, account IDs, ATM PIN codes or credit card details).

The most typical phishing attack lures the recipient to a carefully designed phishing website that closely resembles the target organization's site and collects the sensitive personal information the recipient enters there; usually this process does not alert the victim.

This personal information is very attractive to hackers, because it allows them to impersonate the victim in fraudulent financial transactions and so gain financially.

Victims often suffer significant financial losses, or have all their personal information stolen and used for criminal purposes.

Online References:
1. What is "phishing"? (什么是“网络钓鱼”?), [Online], Retrieved on 14 February 2011.
URL: http://iask.sina.com.cn/b/12785184.html?from=related

Thursday, February 10, 2011

Poll week 2

Link to us: http://snipurl.com/weektwo


Poll question of the second week: "Do you know more about phishing after reading this blog?" Of the 8 votes from our readers, 37.5% voted "I have gained a lot of knowledge" (thanks for the vote; this blog is going to bring you wider information), 12.5% voted "A little", and 50% voted "Normal". We'll continue to gather more information about phishing in this blog.

Why phishing website still exist?


Link to us: http://snipurl.com/whyphishingwebsitesstillexits

According to statistics released last year (2009), 45% of 3 million internet users worldwide were fooled by the tactics of these phishing websites.

A Group of people is easy to fooled

Figure 1: Phishing websites

People are easily fooled by phishing websites because they are using the internet or online banking for the first time. Another reason is that some groups of people are too lazy to read about such matters and too lazy to find information on the latest fraud tactics on the internet.

Figure 1 shows that if you only look at the logo you can still be fooled, but when you look at the URL (Uniform Resource Locator) given, it is clearly a phishing website. Those who do not know this may be deceived by the tactics of these phishing websites.

How to avoid phishing websites


Figure 2: Phishing websites

The following will help you protect yourself from phishing websites:

1. Do not click on links provided via email.
In general, the bank or whichever party controls online financial transactions will not contact us via email. We should be contacted by phone if the party needs us to update the relevant information.

2. Communicate personal information only via phone or secure websites.
You should verify the identity of the person contacting you and, if possible, update your account information face to face at the nearest branch.

3. Check the URL in the address bar. It should point to the right website.
Every time you log in to any website, you must double check the URL in the address bar of your browser. If you are sure the URL is correct, then you can proceed with the transaction; if not, you can use the Google search results to compare it with the website address (see Figure 2).


References:
Jmay, Kenapa laman web phishing masih wujud? (Why do phishing websites still exist?), [Online], updated on 27 December 2010.
URL: http://www.jmayz.com/kenapa-laman-web-phishing-masih-wujud/

Sunday, February 6, 2011

What does a phishing E-mails look like ?


It is never a good idea to click on any hyperlink in an e-mail, especially from unknown sources. You never know where the link is really going to take you or whether it will activate malicious code. Some hyperlinks can take you to a fake HTML page that will try to scam you into typing sensitive information. If you really want to check out the link, manually retype it into a Web browser. Whenever you are passing sensitive information such as credit card or bank information, make sure the address bar shows "https://" rather than just "http://" and that you have a secure lock icon at the bottom right-hand corner of your Web browser. You can also double-click the lock to verify the third-party SSL certificate that provides the https service. Many types of attacks are not encrypted but copy an encrypted page. Always look to make sure the Web page is truly encrypted.



As technology gets better and better, the people behind phishing scams also become more devious. They now use pop-up windows, official logos, and mock-secure connections copied from actual Web sites.

Picture 1 shows an example of a phishing scam e-mail.

The link in this e-mail, which is supposed to go to eBay, actually goes somewhere else. You can see that this text is actually hiding a link to another site (66.246.90.60), as shown in the close-up in Picture 2. Also, the original link text does not have an "https://" secure address, but if a link like this read "https://" you might think it was safe while it could actually be hiding a fake, non-secure URL.
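The mismatch described above (link text naming eBay, an href pointing at a bare IP address, and text claiming "https://" while the real target is not) can be checked mechanically before anyone clicks. This is an added Python example, not code from the original post; the HTML sample is constructed to mirror the Picture 2 message, and the regexes and function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that itself looks like a URL or domain, e.g. "https://signin.ebay.com/..."
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # bare address such as 66.246.90.60

def host_of(url):
    """Lower-cased hostname of url ('' if unparsable); bare 'www.x.com/..' is accepted."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, text, reasons)] for links whose text misleads about the target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, href_host = [], host_of(href)
        text_host = host_of(text) if URLISH.match(text) else ""
        if text_host and text_host != href_host:
            reasons.append("text shows %s but link goes to %s" % (text_host, href_host))
        if IPV4.match(href_host):
            reasons.append("link target is a bare IP address")
        if text.lower().startswith("https://") and not href.lower().startswith("https://"):
            reasons.append("text claims https but the link is not https")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample modelled on the eBay message in Picture 2 (not the real e-mail).
SAMPLE = ('<p>Please visit <a href="http://66.246.90.60/ebay/">https://signin.ebay.com/'
          'ws/eBayISAPI.dll</a> to verify.</p><p><a href="https://www.ebay.com/help">eBay Help</a></p>')
```

Running `suspicious_links(SAMPLE)` flags only the first link, with all three reasons; the genuine eBay Help link passes.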

Picture 2



Thursday, February 3, 2011

Describe Phishing attacks

Link to us: http://snipurl.com/describephishingattacks

Phishing is one of the most common attack vectors used by hackers and social engineers to steal identities. Phishing involves sending an e-mail, usually posing as a bank, credit-card company, or other financial organization. The e-mail requests that the recipient confirm banking information or reset passwords or PIN numbers.

Phishing is the practice of sending fraudulent e-mail messages to addresses requesting them to supply confidential information. The e-mail is disguised to look like a request from a legitimate organization such as a thrift or a credit card company. Victims may be directed to provide personal account information by responding to the e-mail. The hacker or social engineer is then able to capture this information and use it for financial gain. Brief e-mails addressed to the masses are no longer the most effective way to trick a victim into giving up their credentials.

Attack methods
1. Fake website
Attackers try to convince the user that the e-mail has been sent by a trusted organization. The phisher sends out messages to fool a victim into clicking the link in the e-mail, which redirects them to a fake website. Links in those e-mails lead to fake websites that look like the original website. The purpose of the fake website is to capture the login data of a user who does not realize that the fake website is not the real one. The unsuspecting victim logs in and their credentials are logged.

2. Pop-up windows
A pop-up appears that seems to be from a company whose site you have open in another tab. The victim may have several tabs or windows open with several different websites, including PayPal, Google, Amazon.com and eBay. When the real website loads, a pop-up appears asking for the user's credentials: their password and their credit card information. The victim, viewing the legitimate site in the background, would think the pop-up was from a legitimate source and enter their information.

References:
What is Phishing, [Online], Retrieved 1 February 2011.
How to Identify Phishing, [Online], Retrieved 3 February 2011.
URL: http://loginhelper.com/login-security/identify-phishing-attacks/
Phishing PopUps - Fake Requests for Personal Financial Information, [Online], Retrieved 3 February 2011.
URL: http://www.consumerfraudreporting.org/phishingpopups.php

Tuesday, February 1, 2011

Facebook Phishing

Phishing is "the activity of tricking people by getting them to give their identity, bank account numbers, etc. over the Internet or by email, and then using these to steal money from them." Nowadays phishing is so common that anyone can simply learn it by watching phishing tutorial videos on YouTube.

This post discusses phishing on Facebook. First, people fall for Facebook phishing mainly because they have clicked on a link sent by a phisher. Those messages can come from e-mail, a user's wall or any website.
(example of e-mail from phisher)
*can you spot the typo error in the picture?
After clicking the link, a fake page created by the Facebook phisher will appear; bear in mind that the facebook.com login URL is always "http://www.facebook.com/login.php".
(this is not the Facebook URL)
Ways to avoid falling for Facebook phishing:

- Choose a unique username and password for it, and try not to set the same password for every account, because stolen information may then compromise your other accounts. (If it is too difficult for you to remember every single password for each site, I suggest writing a note and pasting it beside the screen of your own personal computer.)

- Always check the URL whenever you enter facebook.com, as I have stated earlier.

- Always update your anti-virus program to protect against unknown viruses.

- Remember that Facebook will not ask you to re-enter your password whenever you access applications in Facebook (except when you set a security question, send a virtual gift, or change your contact e-mail).

- Be extra aware of weird wall posts; do not simply click on them unless you know very well where they go.

- Set a security question on your Facebook Account Settings page. For victims who have been phished, the Facebook User Operations team needs you to answer that question to let you back into your Facebook account.

- Look for typos!

(note: "we helpS" is the typo)
Online references:
1. Ryan McGeehan, No Phishing, [Online], Retrieved on 1 February 2011.
URL: http://blog.facebook.com/blog.php?post=14600297130
2. Pinoytek, How to Stay Away From Phishing Websites That Look Like Facebook?, [Online], Retrieved on 1 February 2011.
URL: http://pinoytek.net/internet/how-to-stay-away-from-phishing-website-that-looks-like-facebook
3. MIKE, Facebook Phishing Attack, [Online], Retrieved on 1 February 2011.
URL: http://gadgetsteria.com/2009/04/29/facebook-phishing-attack-uh-oh/#