Security Experts Alert Users On New Phishing Scam

By Author: eccuni
Total Articles: 211
Comment this article

Security researchers have warned users against a new phishing scam. The scam is allegedly directed at Bank of America, TSB, Lloyds and PayPal users. The new phishing attack, first identified by Rodel Mendrez of M86 security labs comes with an unsolicited e-mail containing an HTML attachment. Unlike the usual phishing attacks, the latest attack does not redirect users to a seemingly legitimate, but fake website. Instead, the attack stores a malicious webpage locally. The use of HTML file allows attackers to evade being detected by a web browser. As a result of the security by-pass, users do not receive any warning and HTML attachment opens in the browser. When unwary users enter the requisite information and click on the submit button, the HTML form sends the extracted information to a remote compromised webserver. The information is send through a POST request directed at PHP scripts hosted on the compromised server.

Cybercriminals are continuously evolving their modus operandi to by-pass security filters, trick users and extract confidential information. The collected information could be misused to conduct unauthorized ...
... transactions, steal funds and transfer money. The gathered information could also be sold by the attackers to their peers in the underground crime market.

Usually, IT professionals qualified in masters of security science, penetration testing and other security certifications help developers in identifying the threat vectors and mitigating security flaws. In this case, attackers were successful in circumventing the anti-phishing filters used by the browsers and deceive users.

Cyber security awareness among Internet users is crucial to combat sophisticated threats. Cyber security tips could be circulated through brochures, e-flyers, video tutorials and advertisements. Online degree and learning programs could also be encouraged to create cyber security awareness. Internet users must be cautious, while providing personal information online. They must verify the authenticity of the sites, before entering any sensitive information. Users must be wary of e-mails that appear to come from banks, online payment and online shopping sites and seek sensitive information. They must verify the authenticity of such e-mails by directly contacting the organization through trusted communication channels such as phone number and e-mail id provided on the website.

Users must avoid opening e-mail attachments arriving from unknown and suspicious sources. They must also avoid replying to and clicking links provided on unsolicited e-mails. Attackers also deceive users by applying social engineering techniques. They gather information from various sources and send cleverly crafted e-mails, which appear to come from a peer, subordinate, new employee or supervisor. They also contact users through phone posing as a representative of a company. IT professionals could keep themselves of the evolving security threats through e-learning and online university degree programs. Organizations must ensure adherence of cyber security guidelines by the employees. Users must avoid disclosing sensitive personal and organizational information, without verifying the authenticity of the person by directly contacting the concerned organization.

Users must avoid arbitrarily disclosure of e-mail addresses to decrease the possibility of spam and unsolicited e-mail. Avoiding arbitrarily selection of multiple offers while registering on an online account may also help in reducing spam e-mails. Using privacy settings to hide or restrict access to e-mail address on social networking sites may help in avoiding unsolicited e-mails from strangers. Users must also look for the privacy policy of a website, before submitting personal details on the site.