MyCERT has received numerous incident reports from Malaysian internet users regarding phishing websites impersonating well-known local banks. Phishing attacks exploit the weak side of human security by masquerading as a trustworthy entity (e.g. a bank's website). It is a form of social engineering that tricks people into performing actions or divulging confidential information, such as usernames and passwords, to the attacker.
The number of phishing attempts is on the rise and accelerating due to several factors, including the following:
- The sophistication of phishing operations and the collaboration among attackers in the underground economy. Attackers work with other cyber criminals who provide different types of services to facilitate phishing, including botnet owners, phishkit sellers, and money mules or transfer agents. Some of the tools used are automated in such a way that minimal human intervention is required and the anonymity of the activities is preserved.
- The underground economy also sells lists of modified copies of various brands' internet banking login pages, known as "phishkits", to attackers. This contributes to the large number of well-known brands being targeted and results in massive compromise of user accounts via multiple instances of the same phishing kit. Some attackers deploy phishing websites for several brands on the same host to take advantage of brand diversification and the large combined user base, and to maximise the effectiveness of the phishing campaign. Phishkits are normally recognised by the similarity of file names, email messages and phishing pages across different hosts.
- The underground economy also provides services to send phishing spam, as botnet owners take care of the anonymity and randomisation of the emails. With little effort, emails are relayed automatically on a single instruction from the owner. With the help of automated email address harvesters, attackers can collect millions of email addresses: the harvester simply crawls the internet looking for patterns such as the "@" sign to identify and collect addresses. Some of these addresses are profiled so that the attacker can select the target groups to which phishing emails are sent.
- The attacker has a number of compromised hosts which can be used for hosting phishing websites as well as for sending bulk emails.
- The attacker copies the exact look and feel of the bank's internet banking login page and modifies the code so that user input such as usernames and passwords is sent to a remote host for later retrieval.
- The attacker then starts sending bulk emails, relayed from the compromised hosts, with suspicious subject headers such as:
- ABC Bank – LAST WARNING
- Validate Your Online Banking Account!
- ABC BANK BERHAD E-Gift Voucher Number!
- Final Notice: Account Problem
- New Security Measures !
- Blocked access
- Action required to avoid account suspension
- Security measures – Account temporary suspended!
- These subjects are purposely crafted to attract the attention of the victims. The sender will sometimes spoof the email's sender address so that the message appears to have been sent by the bank, using bogus domain names or domain names that look like the bank's.
- The email content is purposely written in Hypertext Markup Language (HTML) instead of plain text. This hides the actual URL of the compromised host behind link text that looks like the bank's website. The email body will look like the following example:
If a user clicks on the link, it brings them to the phishing website. Phishing websites are exactly like the legitimate internet banking websites except that:
- The web code has been modified to steal usernames and passwords instead of processing legitimate transactions, without the user knowing it. Any user input is redirected to a remote host, or even written to a local plain text file, for later processing by the attacker.
- The fake website's URL is different from the original. Although attackers sometimes register variants or look-alike domains of the bank's domain by manipulating the spelling, it will never be the same as the original bank domain.
- Most phishing websites do not use https:// (SSL-based) URLs. Sometimes, however, attackers host their own SSL-based phishing site to imitate the original website as closely as possible and confuse their target victims. Note that a padlock icon only shows that the connection is encrypted to whoever holds the certificate; it does not by itself prove that the site belongs to the bank, so the domain name in the certificate and the address bar still has to be checked.
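As an added illustration (not part of the original MyCERT advisory), the following Python script applies the indicators described above, both for the HTML email (link text hiding the real destination) and for the phishing website itself (wrong host, look-alike domain, plain http, a login form that posts credentials elsewhere), to a constructed email body and a constructed login page. The bank hostnames www.abcbank.example and ibank.abcbank.example, the brand name abcbank, the address 203.0.113.10 and both sample documents are made up for this example, and the edit-distance threshold used to spot typo-squatted labels is a heuristic assumption, not a rule from the advisory.

```python
"""Heuristic checks for the phishing indicators discussed above: link text that
hides the real destination, hosts that are not the bank's, look-alike domains,
plain http, and a login form that posts credentials to a foreign host.
All hosts, domains and messages below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed (fictitious) bank hostnames and brand name for the demo.
LEGIT_HOSTS = {"www.abcbank.example", "ibank.abcbank.example"}
BRAND = "abcbank"


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot typo-squatted labels like 'abcbnak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_brand(host: str) -> bool:
    """Look-alike domain: the brand name embedded in a foreign host, or one
    DNS label within two edits of it (the threshold is an assumption)."""
    return any(BRAND in lab or levenshtein(lab, BRAND) <= 2 for lab in host.split("."))


def hostname_in_text(text: str) -> str:
    """If the visible link text itself looks like a URL, return its hostname."""
    t = text.strip().lower()
    if t.startswith("www."):
        t = "https://" + t
    if not t.startswith(("http://", "https://")):
        return ""
    return urlparse(t).hostname or ""


def check_url(url: str, visible_text: str = "") -> list:
    """Return the phishing indicators found for one URL (empty list = none)."""
    findings = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        findings.append("not https")
    if host not in LEGIT_HOSTS:
        findings.append("host is not the bank's")
        if looks_like_brand(host):
            findings.append("look-alike domain")
        if BRAND in p.path.lower():
            findings.append("brand name only in path")
    shown = hostname_in_text(visible_text)
    if shown and shown != host:
        findings.append(f"visible text shows {shown}, link goes to {host}")
    return findings


class LinkAndFormExtractor(HTMLParser):
    """Collect (href, visible text) for each <a> and the action of each <form>."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_email(html: str) -> list:
    """Run check_url over every link in an HTML e-mail body."""
    ex = LinkAndFormExtractor()
    ex.feed(html)
    ex.close()
    return [(href, check_url(href, text)) for href, text in ex.links]


def analyse_login_page(html: str, page_url: str) -> list:
    """Where does the login form send the credentials? Relative actions are
    resolved against the page URL, as the browser would do."""
    ex = LinkAndFormExtractor()
    ex.feed(html)
    ex.close()
    return [(urljoin(page_url, a), check_url(urljoin(page_url, a))) for a in ex.forms]


# Constructed sample: one spoofed link, one genuine link, one typo-squat.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been temporarily suspended.</p>
<p>Click <a href="http://203.0.113.10/abcbank/login.php">https://www.abcbank.example/login</a>
to restore access. See also <a href="https://www.abcbank.example/help">our help page</a>
or <a href="https://www.abcbnak.example/login">log in here</a>.</p>
</body></html>"""

# Constructed sample of a cloned login page with a relative form action.
SAMPLE_LOGIN_PAGE = """<form method="post" action="post.php">
<input name="username"><input name="password" type="password"></form>"""

if __name__ == "__main__":
    for href, findings in analyse_email(SAMPLE_EMAIL):
        print(href, "->", findings or "no indicators")
    for action, findings in analyse_login_page(SAMPLE_LOGIN_PAGE, "http://203.0.113.10/abcbank/login.php"):
        print("credentials posted to", action, "->", findings)
```

An empty finding list means only that none of these particular indicators fired, not that a page is safe: an attacker can use a valid certificate on an unrelated domain and an HTML email whose text carries no URL at all, so the advice below about typing the bank's address yourself still applies.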
Things you need to know about phishing:
- Banks will never ask users to update their account, reset a password, unlock an account or do anything else related to banking via email links. If you receive such an email and it looks like it came from a bank or any other financial institution:
- You can completely ignore the email.
- Ask the respective bank for clarification and verification.
Always access internet banking sites by typing the URL into the browser's address bar yourself. Check the usual indications of a legitimate website, such as the validity of the digital certificate and the domain name it was issued for, the spelling of the domain name, the IP address and the geo-location of the website.
Always update and patch your web browser to the latest patch level. Some web browsers, such as Mozilla Firefox and Internet Explorer 8, can alert users about fake or forged websites. A patch-level notification tool such as Secunia Personal Software Inspector (Secunia PSI) is useful for keeping track of whether your software is up to date and patched. The tool can be downloaded at: http://secunia.com/PSISetup.exe
Relax and take your time when doing internet banking. Do not rush.
Reducing the risks of being phished:
If you need to publish your email address on a website, you can use "address munging" (http://en.wikipedia.org/wiki/Address_munging) to disguise the address creatively so that automated harvesters do not recognise it. Examples include, but are not limited to, the following:
- no-one at example (dot) com
- n o – o n e @ e x a m p l e . c o m
- an image (e.g. a .jpg file) of the email address instead of text
- Change your internet banking password regularly, "munge" it (http://en.wikipedia.org/wiki/Munge) to the extent that it is difficult to guess but easy to memorise, combine letters and digits, and never share it with anyone.
- Do your internet banking transactions only on "trusted computers" (e.g. your personal laptop/desktop) on a "trusted network" (e.g. your home broadband connection). Using a dedicated computer just for internet banking is strongly recommended.
If you are a victim:
- Notify the respective bank immediately so that it can hold all pending transactions and freeze the account.
- Lodge a police report at the nearest police station, providing the relevant information.
MyCERT can be reached through the following channels for further assistance:
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24×7 call incident reporting)
SMS : +60 19 2813801 (24×7 SMS reporting)
Business Hours : Mon – Fri 08:30 - 17:30 MYT
Web : http://mycert.org.my