How to Get Ahead of Spear Phishing
Recent breaches of personal data and email addresses managed by email providers such as Silverpop and Epsilon have renewed fears that spear phishing is becoming more common and more successful. Spear phishing is not a new threat. Businesses that contend with large numbers of users and large volumes of email need to raise the security bar, whether they outsource email or manage it in-house. More...

What to do if your web site is hacked by phishers
This report is a reference guide for any web site owner or operator who suspects, discovers, or receives notification that its web site is being used to host a phishing site. The report explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration and follow-up when an attack is suspected or confirmed. It provides a framework for response and highlights key actions for each stage of incident response. More...

Care and Handling of Credit Info
Despite the real and present dangers that Internet identity theft, phishing and email scam attacks pose, we cannot afford to overlook measures we can take to protect our identities and credit from attacks in the real (physical) world. Financial institutions, law enforcement agencies and attorneys recommend a number of ways you can protect against credit card theft and misuse, check fraud, and unintentional disclosure of personal information that can be used by impersonators, extortionists and other malicious persons. More...

Recognizing and responding to spoof email messages
Even the best antispam measures may not be enough to protect you from spoof email messages. By spoof email, I mean a message that appears to be from a party you know - most commonly, an ecommerce site, financial institution, even your IT department - but is in fact a bogus message with malicious intent. More...
Anti-phishing measure: User Behavior Modification
Recently, a fellow security professional asked if he could use some of my anti-phishing material in a presentation he was preparing for an upcoming CSI conference. Revisiting the presentation I gave at IPComm 2004, I recalled (and related) a dialog I had with an attendee about an interesting behavior modification program.
Making Waves in the Phishers' Safest Harbors
This advisory describes how phishers use subdomain registries as safe harbors for malicious and criminal activities. A subdomain registry is a naming service that web hosting providers offer to customers: the customer chooses a label (name) under the provider's parent domain. For example, if the hosting domain is freewebhosting.com, a customer could choose eBay.freewebhosting.com or BankofAmerica.freewebhosting.com... But wait, those names infringe on a brand! And couldn't someone use such a site to impersonate the brand and phish for accounts? More...

A test to detect a phish or scam site
Suppose you attempt to purchase a product with a credit card on a site you've never visited before. You find the product you want, add it to your cart, and proceed to checkout. You connect with HTTPS:// for that warm and comfy feeling everyone gets when they begin a *secure transaction* ;-) But - oh my! - your browser warns you that some aspect of the certificate is suspicious. You are now faced with several choices. More...

Anatomy of a Phishing Expedition
Wordspy defines phishing as "creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data". A phishing expedition is a two-pronged attack. First, the phisher creates a spoof email message: posing as a legitimate e-merchant operator, the phisher tries to lure a victim into visiting a web page.

Do you trust your online banking home page?
More precisely, has your bank made it impossible for you to do so? After reading Adam Shostack's blog item at Emergent Chaos, "How not to train users", and following the thread begun by Peter Gutmann on the Cryptography mailing list, "US Banks: Training the next generation of phishing victims", I wonder once again why we always sacrifice security for performance.

How to get ahead of spearphishing
Spear phishing is not a new threat. The opportunities have been greatly amplified by the volumes of personal and corporate information individuals send; the outsourcing of email service to parties whose security competencies have been seriously undermined; and our continued willingness to blithely hand over whatever personal information is asked of us without exercising individual or corporate due care in determining how that information is protected. More...
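The subdomain-registry advisory above turns on one observation: a brand name appearing in a label the hosting customer picked (eBay.freewebhosting.com) is not the brand's own registrable domain. The check below is an added example, not code from the advisory or from Core Competence; it generalizes the idea to any hostname, flagging a brand token in a customer-chosen subdomain and, separately, in a registrable domain the brand does not own (ebay-login.com). The brand list, the "subdomain registry" parent domains, and the tiny suffix table are all constructed for the example; a real tool would load the Public Suffix List and a maintained brand inventory.

```python
"""Flag hostnames that carry a brand name in a label the brand does not
control: a customer-chosen subdomain under a shared hosting parent, or a
look-alike registrable domain.  Added example with constructed data."""

# Constructed: brand tokens and the registrable domains each brand owns.
BRANDS = {
    "ebay": {"ebay.com", "ebay.co.uk"},
    "bankofamerica": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
}

# Constructed: parent domains that hand out customer-chosen subdomains,
# i.e. the "subdomain registries" the advisory describes.
SUBDOMAIN_REGISTRIES = {"freewebhosting.com", "freehost.example"}

# Constructed stand-in for the Public Suffix List; enough to find the
# registrable domain in the hostnames used here.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def registrable_domain(host):
    """Return the suffix plus one label (ebay.co.uk, freewebhosting.com),
    or None if no known public suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def normalize(label):
    """Drop hyphens, digits and other separators phishers use to dodge an
    exact string match (secure-paypal, ebay1)."""
    return "".join(ch for ch in label.lower() if ch.isalpha())


def assess_hostname(host):
    """Return a list of findings; an empty list means nothing suspicious."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg is None:
        return ["unrecognised suffix: " + host]
    labels = host.split(".")
    reg_labels = reg.split(".")
    sub_labels = labels[: len(labels) - len(reg_labels)]   # customer-chosen part
    findings = []
    for brand, owned in BRANDS.items():
        if reg in owned:
            continue        # brand's own domain: any subdomain is legitimate
        hits = [lab for lab in sub_labels if brand in normalize(lab)]
        if hits:
            where = ("subdomain registry" if reg in SUBDOMAIN_REGISTRIES
                     else "third-party domain")
            findings.append(
                f"brand '{brand}' in label(s) {hits} under {where} {reg}")
        elif brand in normalize(reg_labels[0]):
            findings.append(
                f"brand '{brand}' in registrable domain {reg} not owned by brand")
    return findings


if __name__ == "__main__":
    for h in ("www.ebay.com", "eBay.freewebhosting.com",
              "secure-paypal.freehost.example", "ebay-login.com"):
        print(h, "->", assess_hostname(h) or "ok")
```

The distinction the function draws (subdomain registry versus other third-party domain) matters for response: a hit under a known subdomain registry goes to that provider's abuse desk, while a look-alike registrable domain goes to the registrar.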
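The "test to detect a phish or scam site" above hinges on the browser's certificate warning: the name on the certificate does not match the host you typed, or the certificate is outside its validity period. The code below is an added example (not from the original article) that performs those two checks on a certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, with RFC 6125-style wildcard matching. The sample certificate is constructed for the example and the hostnames in it are invented.

```python
"""Check a peer certificate the way a browser does before warning you:
does any certificate name match the requested host, and is the
certificate valid right now?  Added example with a constructed cert."""
import ssl
import time

# Constructed: the shape ssl.SSLSocket.getpeercert() returns for a
# validated chain.  Names and dates are invented for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "subjectAltName": (("DNS", "www.example-shop.test"),
                       ("DNS", "*.cdn.example-shop.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

# Fixed "current time" so the example is reproducible.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


def hostname_matches(name, host):
    """RFC 6125-style comparison: case-insensitive; a wildcard is only
    accepted as the entire leftmost label, matches exactly one label,
    and must leave at least two fixed labels (no '*.test')."""
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in name:
        return name == host
    n_labels, h_labels = name.split("."), host.split(".")
    if n_labels[0] != "*" or len(n_labels) < 3:
        return False
    if len(n_labels) != len(h_labels):
        return False
    return n_labels[1:] == h_labels[1:]


def check_peer_cert(cert, host, now=None):
    """Return a list of problems; an empty list means name and dates check out.
    `cert` is a dict in getpeercert() form; `now` is seconds since the epoch."""
    now = time.time() if now is None else now
    problems = []
    # Browsers use subjectAltName and fall back to the CN only when no SAN is present.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    if not any(hostname_matches(n, host) for n in names):
        problems.append(f"hostname {host} not in certificate names {names}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    return problems


if __name__ == "__main__":
    for host in ("www.example-shop.test", "img.cdn.example-shop.test",
                 "checkout.example-shop.test", "a.b.cdn.example-shop.test"):
        print(host, "->", check_peer_cert(SAMPLE_CERT, host, NOW) or "ok")
```

To run it against a live site, obtain the dict with `ssl.create_default_context()`, `wrap_socket(..., server_hostname=host)` and `getpeercert()`. Note the caveat: a default context refuses the handshake on a name mismatch or untrusted issuer before you can inspect anything, and with verification disabled `getpeercert()` returns an empty dict; to inspect a certificate the chain validation rejected you would need `getpeercert(binary_form=True)` and a DER parser, which is outside this example.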
Please make use of the resources on this page to help protect yourself, your family, and your company from Phishing attacks and Identity Theft.
You may also find the Spyware Resources page at Core Competence valuable.
Action Groups and Activists
Anti Phishing Working Group
CAUCE
Messaging Anti-Abuse Working Group, MAAWG
Privacy Rights Clearinghouse
US-CERT
Internet Fraud Complaint Center
National Consumers League
Facts, Statistics, Surveys, Lists of Phishing Attacks
APWG Phishing Trends Reports
Global Phishing Survey: Domain Name Use and Trends in 1H2008
US DOJ & PSEPC Joint Report on Phishing
MailFrontier Email Threat InfoCenter
Phishing IQ Test: MailFrontier
Lifespan of a Phishing Site: Netcraft
Phishing Attacks Using Banner Ads to Spread Malware
Phishing Lures Increase by Half, David Legard
Phishing Scams Increase 1,200% in 6 Months: Sharon Gaudin
Cost of Phishing hits $1.2 Billion: Sean Michael Kerner
Phishing for suckers: eMarketer
Articles
General
Anatomy of a Phishing Expedition: Dave Piscitello
Fraud Protection for Credit Card Processing Companies
Phishing: Russell Kay
How to not get hooked by a 'phishing' scam: FTC
Phishing: Spam that can't be ignored: ZDNet TechUpdate
The Phishing Guide: Gunter Ollman
What is Phishing?: Webopedia
Offline phishing: nasty attacks that phish with a fax: Dave Piscitello
Phishers get big mileage by using info that looks credible: Dave Piscitello
Phishing for Savvy Users: Scott Granneman
Phishing: Russell Kay
Phishing: Computerworld
Scam Alert: Watch Out for "Phishing" Emails: Privacy Rights Clearinghouse
Executive Conversation: Attacking the Phishing Threat - What Every Company Needs to Know: Melisa LaBancz-Bleasdale
Phear of Phishing: Deborah Radcliffe
Cheat Sheet: Phishing: Will Sturgeon
Phishing con hijacks browser bar: BBC News
Phishing Attacks: NW Fusion
Identity Theft gets phishy: Brad Grimes
Brief guide to phishing: Matt Bright
The Future of Phishing: Dr. Jonathan Tuliani
On Identity Theft: Spoof Email Phishing Scams and Fake Web Pages or Sites: Mat Bright
Phishing for dummies: hook, line, and sinker Scott Granneman
Phishing: Spam that cannot be ignored: David Berlind
What is Phishing
Recognizing Phishing and Avoiding Identity Theft
Online Identity Theft: Technology, Chokepoints and Countermeasures
Recognizing and responding to spoof email messages: Dave Piscitello
Phishing Awareness: Don't take the bait. Learn to spot a scam
Online Predators Revealed: Chris Powell
Raising awareness quickly: A brief overview on phishing: CSO Online
phishing (definition): Wordspy
6 Common Phishing Attacks and How to Protect Against Them: Tripwire
Security Tips: Email and Web: Visa
Avoiding Social Engineering and Phishing Attacks: US CERT
Phishing: Can software stop it?: Alorie Gilbert
Preventing Online Fraud: Microsoft
Spotting a Spoof Email: eBay Security Center
Help Stop Deceptive E-mail Forgery ("Spoofing"): Amazon.com
Phishing and Instant Messaging
Phishing Dips into Yahoo IM: Matt Hicks
Phishing Scam Targets Instant Messaging Users: Liberty Identity Theft Services
Phishers change bait as IM use grows: Munir Kotadia
Phishing evolves to IM
Enabling the Complaint Department: Marcus Ranum
Avoid Falling Victim to a Registrar Phishing Attack: Dave Piscitello
Phishers Are Casting Nets for Your Domain Names & DNS: Dave Piscitello
Legal Advice, Fraud Prevention Resources
Studying Criminal Justice: Criminal Justice Degree programs
Identity Thief Goes Phishing for Consumers Credit Information: FTC
Special Report on "phishing": US Department of Justice
Phishing Phacts: Better Business Bureau
FBIIC and FSSCC Report on Preventing, Detecting, and Responding to Phishing Attacks: US Treasury
DoD phishing awareness training: DISA/IASE
How to protect yourself: Phishing Florida State Attorney General
Phishing scams: 5 ways to help protect your identity: Microsoft
Email, Phishing and Security Tips: Visa USA
Phishing tricks: escape the phish hook
Law Enforcement, Victim Assistance, Phish Reporting Sites
Internet Fraud Complaint Center
How Law Enforcement can contact eBay: eBay Security Center
Better Business Bureau
PhishTank
DNS blocklists and reputation services (part 1: background)
DNS blocklists and reputation services (part 2: growing up)
DNS blocklists and reputation services (part 3: the future)
4-1-9 Scams
CIAC Hoaxbusters on 4-1-9
U.S. Secret Service: 4-1-9 Scam Advisory
Urban Legends: on 4-1-9
The 419 Coalition Website
Client & Consumer Anti-spam solutions and Phishing Toolbars
Anti-fraud toolbars can block users from accessing web pages that have been identified as phishing and fraud sites. Various blacklist databases are maintained, and some of these toolbars allow users to report suspicious sites. I've tried all these toolbars to verify they are not spyware. Some are very simple to use while others have more bells and whistles. Try a few and choose one that you're comfortable with.
Microsoft Phishing Filter for Internet Explorer 7.0
Netcraft Anti-Phishing Toolbar for Internet Explorer and Firefox
WebRoot's phishnet
EarthLink Scambuster
TrustBar
PhishTank Site Checker Toolbar
Anti-Phishing, Anti-scam, Anti-Spam Companies
Digital Envoy eScam
Spam Inspector
Tumbleweed Anti-Spam and Email Security
WholeSecurity behavioral endpoint security
Name Protect Digital Asset Protection
SurfControl
CipherTrust
SpamStopsHere [White Paper]
MailFoundry
WebSense