We all know what phishing attacks are and nobody falls prey to such attacks anymore. Right? Wrong.
Phishing attacks are increasing year on year; in fact, according to Gartner Inc., over 5 million US consumers lost money to phishing attacks during the 12 months ending September 2008. This represents a 40% increase over the previous year. The primary targets are fund transfer sites like PayPal, banks and social networking sites (refer www.phishtank.com).
Facebook has been the target of a recent phishing attack in which users were sent a message, presumably from a friend, with a link that took the user to a Facebook look-alike page and asked the user to log in. A copy of the message was then sent to all of the user's contacts. The clean-up process is underway even as we publish this blog. The newsworthy fact here is not that there was an attack but that there were users who logged in on the fake Facebook page, thus giving away their credentials.
Let us for a minute analyze this situation.
There was an attempted phishing attack on Facebook; many users fell for the attack and gave away their credentials (numbers not known); Facebook removed the links to the rogue site from all its pages and reset the passwords of those members whose accounts had been used to send the spam message.
Is this the end of the story now that all passwords have been reset and the attack has been stopped? No. It is here that we must remember that most people, two-thirds as far as the US is concerned, use the same one or two passwords for all sites that require authentication (refer to the February 24, 2009 press release by Gartner, Inc.). So the authors of this phishing attack have a treasure trove of valid credentials at their disposal. Those passwords could be valid for email accounts, bank accounts, PayPal accounts etc. Considering that these users fell prey to a trivial and well-publicized form of attack, my guess is that they will not change their passwords on the other sites where they have re-used them.
Let us now look at how the authors of this phishing attack could access a victim's bank account. User IDs for online banking are usually not related to a user's personal information such as name, email ID or social security number. So, though our attacker has the victim's password, he does not know the victim's online banking user ID. What he does next is simple: he uses the password to log in to the victim's email account, where bank account statements or mails containing the user's online banking ID may be available.
Better methods of educating the section of online users who are gullible to such a primitive form of attack need to be evolved and implemented.
In addition to the usual refrains against phishing, users need to know that:
– all kinds of documents, ranging from PDFs to videos, can embed malware;
– if the same password has been used on many sites, it must be changed on all of them once it has been compromised on any one of them.