Did you know that some smart crooks think you are a fish ready to be fried? They use what is now known as phishing techniques to hook you and your money.
What is Phishing?
Phishing is a process whereby fake web sites are used to trick you into thinking that you are interacting with a trusted site: a brand name, an online retailer, a bank or a business partner. The site then lures you into submitting sensitive personal or financial information, which falls into the wrong hands. On average there are 300-400 rogue web sites at any one time (as of the 2nd quarter of 2004), reports the Anti-Phishing Working Group (APWG) industry association. These rogue sites target millions of innocent users. About 5% of these users take the bait, APWG concludes.
How do they reach you?
A common scheme is to send emails which direct you to what looks like a trusted web site. But emails are by no means the only way. They may also get you to their site when you simply click on a search result or use instant messaging, or by planting spyware on your computer.
You are no fool, so how can they trick you?
While you may notice some phishing attempts, others are quite difficult to spot.
Look carefully at the image below. It looks innocent enough, does it not?
(The above is a replica of a SunTrust** web page made by a fraudulent web site)
If you examine the address bar of the browser you will see the following:
The address bar (supposedly) reveals two important facts about the site:
1. The page you are looking at is indeed one that belongs to SunTrust (suntrust.com).
2. The page is secure (uses https: as a prefix to the address).
The truth unfortunately is anything but. The real address of the site is http://196.40.75.39 and it is not using a secure connection!
How could you know?
First and foremost, be on guard. To help draw your attention to suspicious web sites, you may want to try SignupShield*, a desktop toolbar that monitors your form submissions and alerts you when you are about to submit sensitive personal or financial information to a suspicious web site.
SignupShield does not care about what is displayed on the address bar. It cares about only two things:
1. What information are you about to submit?
2. Where is this information going?
When you submit sensitive personal or financial information via a web form and this information is about to be sent to a suspicious site, SignupShield will alert you, giving you the opportunity to intervene and stop that submission!
Thus, SignupShield does not produce an alert each time you just visit a site. It limits its intervention to cases where actual sensitive information is about to be submitted.
Once you have SignupShield installed on your computer, this is what happens after you enter your sign-on credentials and hit the "Sign On" button. SignupShield pops up with the following alert:
What is a 'suspicious' site?
SignupShield uses a patent pending technique that combines 3 independent data sources to classify the target server (where your information is being sent to).
- The first data source is your own database of sites you have signed-in to in the past.
- The second data source is the attributes of the target site (retrieved in real time).
- The third data source is black/white lists of sites.
Using advanced analysis techniques SignupShield can then classify a site as ‘suspicious’ and alert you at the right moment.
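The idea of classifying a form's target from these three kinds of data source can be sketched as follows. This is an added example, not SignupShield's code or its patent-pending technique: the function names, rules, verdict labels and sample data are assumptions, and only the address 196.40.75.39 comes from the article.

```javascript
// Added illustration, not SignupShield's code. Rules, labels and data are assumptions.
const SENSITIVE = new Set(['password', 'email', 'ssn', 'bank-account']);

// Constructed sample data standing in for the three data sources.
const SAMPLE_SOURCES = {
  pastSignIns: new Set(['bank.example']),        // source 1: your own sign-in history
  blacklist: new Set(['known-bad.example']),     // source 3: black list
  whitelist: new Set(['shop.example']),          // source 3: white list
};

// Source 2: attributes of the target, read from the form's action URL.
function targetAttributes(url) {
  const flags = [];
  if (url.protocol !== 'https:') flags.push('not sent over https');
  const host = url.hostname;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) {
    flags.push('target is a raw IP address');
  }
  return flags;
}

// fieldTypes: kinds of data in the form; actionUrl: absolute URL the form posts to.
function classifySubmission(fieldTypes, actionUrl, sources) {
  // No alert for a plain visit or a form without sensitive fields.
  if (!fieldTypes.some((t) => SENSITIVE.has(t))) {
    return { verdict: 'ignore', reasons: [] };
  }
  let url;
  try {
    url = new URL(actionUrl);
  } catch {
    return { verdict: 'suspicious', reasons: ['target URL cannot be parsed'] };
  }
  const host = url.hostname.toLowerCase();
  if (sources.blacklist.has(host)) {
    return { verdict: 'suspicious', reasons: ['host is blacklisted'] };
  }
  const known = sources.pastSignIns.has(host) || sources.whitelist.has(host);
  const reasons = targetAttributes(url);
  if (!known) reasons.push('no earlier sign-in at this host');
  // Assumed rule: an unknown host with a risky attribute triggers the alert.
  if (!known && reasons.length > 1) return { verdict: 'suspicious', reasons };
  return { verdict: known ? 'familiar' : 'unfamiliar', reasons };
}
```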
How does one create a database of past sign-in records?
This is where SignupShield really shines, as it integrates a password manager and form-filling program with an anti-phishing alert service. It also helps you sign up, sign in, and automatically fill out forms on web sites.
However, unlike other password managers, SignupShield's main charter is to protect your sensitive information when you sign up to a web site. Hence the name - SignupShield.
According to SignupShield, your "sensitive information" includes your passwords, your email addresses, social security number, bank account and more. SignupShield protects your passwords by generating a unique password for each site you sign up to, and it protects your email address by creating a unique "disposable email address" on the fly and feeding that address to a site's sign-up form.
Vendor home page:
www.protecteer.com
* SignupShield is a trademark of Protecteer, LLC
** (c)SunTrust Banks, Inc.