Phishing and Fraud Prevention Resources

Courtesy of Core Competence, Inc.

APWG Report: What to do if your web site is hacked by phishers

I co-authored this report with Suzy Clarke of ASB Bank to serve as a reference guide for any web site owner or operator who suspects, discovers, or receives notification that its web site is being used to host a phishing site. The report explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration and follow-up when an attack is suspected or confirmed.

The report provides a framework for response and highlights key actions for each stage of incident response. We do not attempt to provide an exhaustive list of actions but offer sufficient examples for seasoned web operators whilst not overwhelming readers who are less familiar with incident response following web attacks (and hence more vulnerable).


Phlavors of Phishing

Some of you no doubt recall your own awe and anticipation when presented with the opportunity to choose from 31 flavors of Baskin Robbins ice cream! Fifty years later, and I feel only angst and trepidation when I confront the imposing numbers of phlavors of phishing.

Phishing is commonly associated with financial scams and identity theft. As I scanned nearly six months of mail posted to an antiphishing list, I noticed how broad the phishing reach has extended.


Recognizing and responding to spoof email messages

Even the best of antispam measures may not be enough to protect you from spoof email messages. By spoof email, I mean a message that appears to be from a party you know - most commonly, an ecommerce site, financial institution, even your IT department - but in fact, is a bogus message, with a malicious intent.


Anti-phishing measure: User Behavior Modification

Recently, a fellow security professional asked if he could use some of my anti-phishing material in a presentation he was preparing for an upcoming CSI conference. Revisiting the presentation I gave at IPComm 2004, I recalled (and related) a dialog I had with an attendee about an interesting behavior modification program.


Making Waves in the Phishers' Safest Harbors

Rod Rasmussen and I collaborated to publish an APWG Advisory that describes how phishers use subdomain registries to provide safe harbors for malicious and criminal activities. A subdomain registry is a naming service web hosting providers offer to customers. The provider allows customers to register a subdomain from one of its own registered domains as part of a hosting service package. Customers choose a label (name) from the parent domain. For example, if the web hosting company has registered the domain freewebhosting.com, a customer could register Paypal.freewebhosting.com, BankofAmerica.freewebhosting.com... But wait, those names infringe on a brand! And couldn't someone use such a site to impersonate a brand and phish for accounts from such a site?


A simple test to detect a phishing or scam site

Suppose you attempt to purchase a product with a credit card on a site you've never visited before. You find the product you want, add it to your cart, and proceed to checkout. You connect with HTTPS:// for that warm and comfy feeling everyone gets when they begin a *secure transaction* ;-) But - oh my! - your browser warns you that some aspect of the certificate is suspicious. You are now faced with several choices.


Anatomy of a Phishing Expedition

Phishing is a serious problem, but it really is an ailment we can manage with education rather than technology. I've written a complementary article to my LOOP article, Recognizing and responding to spoof email messages.

The Wordspy defines phishing as, "Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data". A phishing expedition is a two-pronged attack. First, the phisher creates a spoof email message: posing as a legitimate e-merchant operator, the phisher tries to lure a victim into visiting a web page.


Do you trust your online banking home page?

More precisely, has your bank made it impossible for you to do so? After reading Adam Shostack's blog item at Emergent Chaos, How not to train users, and following the thread begun by Peter Gutmann on the Cryptography mailing list, US Banks: Training the next generation of phishing victims, I wonder once again why we always sacrifice security for performance.


Care and Handling of Credit and Personal Information

Despite the real and present dangers that Internet identity theft, phishing and email scam attacks pose, we cannot afford to overlook measures we can take to protect our identities and credit from attacks in the real (physical) world.

Financial institutions, law enforcement agencies and attorneys recommend a number of ways you can protect against credit card theft and misuse, check fraud, and unintentional disclosure of personal information that can be used by impersonators, extortionists and other malicious or malevolent persons.


Please make use of the resources on this page to help protect yourself, your family, and your company from Phishing attacks and Identity Theft.

You may also find Corecom's Spyware Resources page valuable.

My Weblog also contains information about spyware, phishing, viruses and worms.

Action Groups and Activists

Anti Phishing Working Group
CAUCE
Privacy Rights Clearinghouse
US-CERT SecurityFrauds.org
Internet Fraud Complaint Center
National Consumers League
HoaxBusters
SpoofKillers
The Inter-Net Fraud League (I-NFL) Hall of Shame

Facts, Statistics, Surveys, Lists of Phishing Attacks

APWG Phishing Trends Reports
Global Phishing Survey: Domain Name Use and Trends in 1H2008
US DOJ & PSEPC Joint Report on Phishing
MailFrontier Email Threat InfoCenter
Phishing IQ Test: MailFrontier
Lifespan of a Phishing Site: Netcraft
Phishing Attacks Using Banner Ads to Spread Malware
Phishing Lures Increase by Half, David Legard
Phishing Scams Increase 1,200% in 6 Months: Sharon Gaudin
Cost of Phishing hits $1.2 Billion: Sean Michael Kerner
Phishing for suckers: eMarketer

Articles

General

Anatomy of a Phishing Expedition: Dave Piscitello
Fraud Protection for Credit Card Processing Companies
Phishing: Russell Kay
What you need to know about phishing: Microsoft
How to not get hooked by a 'phishing' scam: FTC
Phishing: Spam that can't be ignored: ZDNet TechUpdate
The Phishing Guide: Gunter Ollman
What is Phishing?: Webopedia
Phishing for Savvy Users: Scott Granneman
Phishing: Russell Kay
Phishing: Computerworld
Scam Alert: Watch Out for "Phishing" Emails: Privacy Rights Clearinghouse
Executive Conversation: Attacking the Phishing Threat - What Every Company Needs to Know: Melisa LaBancz-Bleasdale
Phear of Phishing: Deborah Radcliffe
Cheat Sheet: Phishing: Will Sturgeon
Phishing con hijacks browser bar: BBC News
Phishing Attacks: NW Fusion
Identity Theft gets phishy: Brad Grimes
Brief guide to phishing: Matt Bright
The Future of Phishing: Dr. Jonathan Tuliani
On Identity Theft: Spoof Email Phishing Scams and Fake Web Pages or Sites: Mat Bright
Phishing for dummies: hook, line, and sinker: Scott Granneman
Phishing: Spam that cannot be ignored: David Berlind
What is Phishing

Recognizing Phishing and Avoiding Identity Theft

Online Identity Theft: Technology, Chokepoints and Countermeasures
Recognizing and responding to spoof email messages: Dave Piscitello
Online Predators Revealed: Chris Powell
phishing (definition): Wordspy
Security Tips: Email and Web: Visa
Avoiding Social Engineering and Phishing Attacks: US CERT
Phishing: Can software stop it?: Alorie Gilbert
Preventing Online Fraud: Microsoft
Beware of Phishing: Better Business Bureau
Spotting a Spoof Email: eBay Security Center
Help Stop Deceptive E-mail Forgery ("Spoofing"): Amazon.com

Phishing and Instant Messaging

Phishing Dips into Yahoo IM: Matt Hicks
Phishing Scam Targets Instant Messaging Users: Liberty Identity Theft Services
Phishers change bait as IM use grows: Munir Kotadia
Phishing evolves to IM
Enabling the Complaint Department: Marcus Ranum

Legal Advice, Fraud Prevention Resources

Identity Thief Goes Phishing for Consumers Credit Information: FTC
Special Report on "phishing": US Department of Justice
Phishing Phacts: Better Business Bureau
FBIIC and FSSCC Report on Preventing, Detecting, and Responding to Phishing Attacks: US Treasury
How to protect yourself: Phishing: Florida State Attorney General
Fraud Prevention: Wachovia Bank
Phishing scams: 5 ways to help protect your identity: Microsoft
Email, Phishing and Security Tips: Visa USA
Phishing tricks: escape the phish hook

Law Enforcement, Victim Assistance, Phish Reporting Sites

Internet Fraud Complaint Center
How Law Enforcement can contact eBay: eBay Security Center
Square Trade: Dispute resolution for eBay
Better Business Bureau
PhishTank

4-1-9 Scams

CIAC Hoaxbusters on 4-1-9
U.S. Secret Service: 4-1-9 Scam Advisory
Urban Legends: on 4-1-9
The 419 Coalition Website

Client & Consumer Anti-spam solutions and Phishing Toolbars

Anti-fraud toolbars can block users from accessing web pages that have been identified as phishing and fraud sites. Various black list databases are maintained and some of these toolbars allow users to report suspicious sites. I've tried all these toolbars to verify they are not spyware. Some are very simple to use while others have more bells and whistles. Try a few and choose one that you're comfortable with.

Microsoft© Phishing Filter for Internet Explorer 7.0
Netcraft Anti-Phishing Toolbar for Internet Explorer and Firefox
FraudEliminator for Internet Explorer and Firefox
Corestreet's SpoofStick for Internet Explorer
WebRoot's phishnet
EarthLink Scambuster
TrustBar
PhishTank Site Checker Toolbar

Anti-Phishing, Anti-scam, Anti-Spam Companies

MailFrontier Matador
Digital Envoy eScam
Spam Inspector
Tumbleweed Anti-Spam and Email Security
WholeSecurity behavioral endpoint security
Name Protect Digital Asset Protection
SurfControl
CipherTrust
SpamStopsHere [White Paper]
MailFoundry
WebSense