Wisely Guide

How to defend yourself from phishing


Phishing is one of many types of online fraud, in which an attacker deceives the victim, man or woman, into handing over sensitive personal information.

It is an illegal activity based on a social engineering technique: e-mail messages are sent out at random that IMITATE the WEBSITES of banks almost perfectly. In practice it is a malicious scheme by which the attacker tries to obtain from the victims the password for their account, the passwords that authorize payments, or their credit card number. The term phishing is a variant of the English word fishing, influenced by phreaking, and alludes to the use of increasingly sophisticated techniques to "fish" for a user's passwords and financial data.

In the introduction I gave a quick description of what phishing is and how this web thief operates; in this first part I explain in detail:

Methodology of Attack

The main stages are as follows:

1.) The attacker (the phisher) sends the unsuspecting user an e-mail message that simulates, in graphics and content, a message from an institution known to the recipient (for example, their bank, their web provider, or an online auction site where they are registered).

2.) The e-mail almost always contains notice of a special situation or a problem with the recipient's current account or accounts (for example a huge charge, account expiration, etc.) or an offer of money.

3.) The e-mail asks the recipient to follow a link in the message in order to avoid a penalty and/or to regularize their position with the institution or company whose graphics and layout the message mimics (a fake login).

4.) The link provided does not actually lead to the official website but to a copy that resembles it, located on a server controlled by the phisher, whose purpose is to request and obtain the recipient's personal data, usually under the guise of a confirmation or of an authentication required by the system; this information is stored on the server managed by the phisher and thus ends up in the attacker's hands.

5.) The phisher uses this information to purchase goods, transfer money, or even as a "bridge" for further attacks.

Sometimes the e-mail contains an invitation to take up a new "job opportunity" (as a financial operator or financial manager), which consists of making one's own online bank account available to receive credits for sums that are then transferred abroad through money transfer systems (Western Union or MoneyGram), keeping a percentage of the amount, which can reach very high figures. In reality this is money stolen through phishing, and the holder of the receiving account, often in good faith, commits the offense of money laundering.

This costs the phisher a percentage of what they managed to steal, but they still have an interest in dispersing the stolen money across many current accounts and re-exchanging it in different countries, because this makes it harder to trace the identity of the cybercriminal and to reconstruct the illicit mechanism.

First precaution: BANKS DO NOT SEND E-MAIL! At most they send you a registered letter, so do not reply to these e-mails.

Now we explain the Main Defense Techniques

Care must be taken with sites that are not authentic. If you receive a request for personal information, account numbers, passwords or credit card details, it is advisable, before deleting it, to forward a copy to the competent authorities and to notify the bank or the other parties concerned, so that they can take further measures against the fake site and inform their users.

The customer can check account movements on the statement, at the ATM or in the online account. Many institutions offer an SMS alert service, which is more effective because the notification is sent as soon as the movement takes place, not when it is booked, which can be several days later.

The service is activated at the ATM, at the branch or online, and consists of sending a message to the number specified by the customer for any withdrawal or payment exceeding the amount the customer has set. The message is sent in real time when the movement is made (not on the booking date, so even while it is not yet visible on the account statement). The service is free; the cost of the message depends on the telephone operator.

The bank is not obliged to provide this kind of service, and telephone companies do not guarantee receipt of the SMS at certain times; delays may increase, in particular, if the customer is abroad with the receiving phone. A person who notices payments made by third parties with their credit card or debit card should call the bank's hotline and ask for the card to be blocked: the call is recorded and a block code (a unique identifier) is assigned.

A complaint must also be filed with the police, and the customer must go to the branch with a copy of the complaint and the block code. If any "abnormal" charges appear later, for example because they were made abroad and booked with a date after the block and the complaint, it is necessary to go back, supplement the complaint and hand a copy to the branch again. The branch forwards the disputed payments and the reimbursement request to the bank's legal department.

The legal department checks whether the customer was physically unable to carry out the movements (withdrawals from the account or payments) because the account statement or the complaint prove that they were elsewhere; whether there was willful misconduct or negligence; and it applies a deductible, which is not refunded, if the card agreement provides that liability in these cases still remains with the customer. If credits from strangers appear on the account, the account holder must not withdraw the sum but must ask the bank to reverse the movement.

A frequent concern of users who receive a phishing attempt is understanding how the perpetrator knew that they have an account with the bank or online service named in the bait message. No defensive action is required beyond recognizing and deleting the e-mail that contains the phishing attempt. In the case of the related problem known as pharming, by contrast, there is no real remedy after the fact and preventive action is necessary. A first check against phishing sites is the padlock icon shown by all browsers, which indicates that a secure connection (SSL/TLS) has been established.

This connection guarantees the confidentiality and integrity of the data; authentication of the other party takes place only in the presence of a digital signature (certificate), which is optional and not always reported. An SSL connection can be established with an untrustworthy party using a valid public/private key pair known to the phisher, which is simply not the key pair of the real site.

For example, the certificate could show that the site it.wikipedia.org uses a public key which is actually the phisher's. The browser, rather than the affected user, would have to connect to the site of a certificate authority to check: its database records public keys together with an identification of the owner, such as the IP address or the address of the site. Some sites have a specific anti-phishing toolbar that checks the authenticity of each page downloaded from the site, for example via a digital signature. The login page of a site is easy to imitate.

Browsers have an option to view the HTML code of web pages, which can be copied and pasted elsewhere to obtain an identical site. The data entered in the free fields of the form are stored in a database or in a text file linked to the site. Another phishing technique involves inserting keylogging applications. In this case the links may lead to the original site, not necessarily an imitation, and the data are captured at the moment they are typed on the keyboard.

These lines of code can be executed when certain links are opened, or simply by reading the e-mail, if the mail program or the Internet service provider does not take sufficient precautions. There are also specific programs, such as the Netcraft anti-phishing toolbar, and blacklists, which alert you when you visit a site that is probably not authentic.

Users of Microsoft Outlook / Outlook Express can protect themselves with the free program Delphish, a toolbar inserted into MS Outlook / MS Outlook Express with which suspicious links in e-mails can be found (see external links section).

These programs and the most common browsers do not use a whitelist containing the IP addresses of the authentication pages of all banks, which would be a definitely useful anti-phishing filter. A user who does not hold an online account and receives periodic account statements by post (not by e-mail) can configure the anti-spam filter by entering the bank's address. In this way, e-mails containing a return address or a link in the text pointing to the bank end up in the spam folder, making the suspicious ones easy to identify.
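The spam-folder rule just described, implemented as an added example (not code from the original article): a user who never expects e-mail from their bank treats any message whose sender, reply address or links refer to the bank as suspect. The bank domain `bank.example`, the lookalike and newsletter domains, and the two sample messages are all constructed for the demonstration. The example goes one step further than the article's rule and also flags links whose host merely embeds the bank's name inside a domain the bank does not own, the lookalike addresses the article discusses later.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed assumption: the bank whose statements the user receives only on paper,
# so no legitimate e-mail should ever come from it or link to it.
BANK_DOMAINS = {"bank.example"}

LINK_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def domain_of_address(header_value):
    """Domain part of an address header such as From: or Reply-To: ('' if absent)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def is_bank_domain(host):
    """True when host is one of the bank's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def link_hosts(text):
    """Real hostnames of every link in the text (urlsplit drops any 'user@' prefix)."""
    hosts = []
    for url in LINK_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def classify(raw_message):
    """Return ('spam', reasons) if the message refers to the bank, else ('inbox', [])."""
    msg = message_from_string(raw_message)
    reasons = []
    for header in ("From", "Reply-To"):
        domain = domain_of_address(msg.get(header))
        if domain and is_bank_domain(domain):
            reasons.append(f"{header} address uses the bank's domain {domain}")
    for host in link_hosts(body_text(msg)):
        if is_bank_domain(host):
            reasons.append(f"link points at the bank's site {host}")
        elif any(d in host.lower() for d in BANK_DOMAINS):
            # lookalike host: the bank's name embedded in a domain the bank does not own
            reasons.append(f"link host {host} imitates the bank's name")
    return ("spam", reasons) if reasons else ("inbox", reasons)


# Constructed sample messages (not real mail).
PHISHING_MAIL = """\
From: Bank Security <alerts@bank.example>
Subject: Your account will be suspended
Content-Type: text/plain; charset=us-ascii

Dear customer, confirm your details within 24 hours at
http://bank.example.verify-login.example/confirm or your account will be closed.
"""

NEWSLETTER_MAIL = """\
From: Shop News <news@shop.example>
Subject: Weekly offers
Content-Type: text/plain; charset=us-ascii

This week's offers are at https://www.shop.example/offers
"""

if __name__ == "__main__":
    for raw in (PHISHING_MAIL, NEWSLETTER_MAIL):
        verdict, reasons = classify(raw)
        print(verdict, reasons)
```

The first sample is routed to the spam folder for two reasons (the sender domain is the bank's, and the link host imitates the bank's name), the newsletter reaches the inbox. The rule is only as good as the list in `BANK_DOMAINS`: it catches mail that names the bank, not mail that pretends to be from an unrelated sender.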

Internet Explorer users can use an anti-phishing filter based on a blacklist, which compares the address of a suspicious web page with those in a global, centralized database managed by Microsoft and fed by anonymous reports from users themselves. Similar protection is present in Mozilla Firefox (from version 2), which lets the user choose between checking sites against a blacklist and using the anti-phishing service offered by Google. There is no database of this kind shared by the various browser vendors, or set up by the public authorities with expertise on Internet and web matters (in Italy, the Postal and Communications Police).

Taking down a phishing site is not a simple task if it is hosted as a subdomain of another web address. In that case the host domain must be taken down, because the "false" authentication page is not registered with ICANN but only locally on the server.

The blocked site can still be quickly associated with another web address. A page of the "bait site" can be bound to an address similar, but not identical, to that of the "copied" website. For the average user it remains difficult to distinguish a phishing site from that of the targeted credit institution.

The address bar can contain an address of the form "NameOfTheBank.AuthenticationPage.php@domain-address-of-the-host", with the host's domain address replaced by the corresponding IP address, or with the "@" written in its ASCII, binary or hexadecimal equivalent, making the "phishing resource address" look similar to, and only slightly longer than, the one being falsified.
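How a browser actually reads such an address, shown as an added example that is not part of the original article: everything before the "@" in the authority part of a URL is userinfo, and the real destination is the host after it, whether the "@" is written literally or percent-encoded (%40) and whether the host is a name, a dotted IP address, or the same address written as a hexadecimal or plain integer. The domain names used (`www.bank.example`, `evil.example`) and the address 192.168.1.1 are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit


def decode_numeric_host(host):
    """Dotted-quad form of an IPv4 host written as dotted, hex (0x...) or a single
    integer; None when the host is a name rather than a numeric address."""
    try:
        if host.lower().startswith("0x"):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if host.isdigit():
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.IPv4Address(host))
    except ValueError:  # AddressValueError is a subclass of ValueError
        return None


def real_destination(url):
    """Return (decoy, real_host, flags) for a URL.

    decoy is the text before '@' that a reader mistakes for the site name (None if
    there is none), real_host is the host the browser actually connects to, and
    flags lists the obfuscation tricks that were seen."""
    flags = []
    decoded = unquote(url)  # exposes an '@' written as %40 (hexadecimal)
    if decoded != url:
        flags.append("percent-encoded characters in the URL")
    parts = urlsplit(decoded)
    decoy = None
    if "@" in parts.netloc:
        decoy = parts.netloc.rpartition("@")[0]
        flags.append("text before '@' is userinfo, not the site")
    host = parts.hostname or ""
    numeric = decode_numeric_host(host)
    if numeric is not None:
        flags.append("host given as a numeric IP address")
        host = numeric
    return decoy, host, flags


def goes_to(url, expected_host):
    """True only when the URL really connects to expected_host or a subdomain of it."""
    _, host, _ = real_destination(url)
    expected_host = expected_host.lower()
    return host == expected_host or host.endswith("." + expected_host)


if __name__ == "__main__":
    # Constructed examples of the address-bar trick described above.
    for sample in (
        "https://www.bank.example/login",
        "http://www.bank.example.AuthenticationPage.php@evil.example/login",
        "http://www.bank.example%40evil.example/login",
        "http://www.bank.example@0xC0A80101/login",
    ):
        print(sample, "->", real_destination(sample), goes_to(sample, "bank.example"))
```

`goes_to` is the check a defender wants: compare the host the browser will connect to, not the text the user sees, against the bank's known domain.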

In this last part we explain: Damages

Under Italian law, banks are not required to protect customers from Internet fraud. They are not obliged to reimburse sums wrongly taken because of the hijacking of a customer's Internet account or the cloning of their debit or credit cards.

Individual contracts for opening a bank account and for online banking may provide that in specific cases the bank is obliged to reimburse the customer for sums unduly taken. Often the financial institution is insured against the risk of theft or loss of data and identification cards. The cost of this insurance is passed on to customers, who sometimes benefit from contractual clauses in their favor for this type of coverage.

The institution generally refuses compensation if the customer, in addition to losing the card, also lost the access PIN; similarly, for home banking, it refuses to reimburse the sums if the customer lost the login password together with the token. This constitutes negligence on the part of the customer and opens the possibility of fraud against the bank: the customer could hand over their personal data and the card to third parties who, in agreement with the customer, make the withdrawals while the holder reports the loss or theft.

The bank (or other institution or company) has the burden both of applying the minimum security measures laid down in DL 196/03 to protect the customer's personal data and of implementing all the appropriate preventive measures which, also in light of technical progress, can minimize the risks. In case of theft of credentials, even if the bank accuses you of being responsible because you may have responded to a phishing e-mail, it is required to prove to the judge that it implemented all the measures (both the minimum ones established and the suitable preventive ones, which must be assessed case by case with a mandatory risk assessment and a security programme document) to minimize the risks.

If the bank has not implemented measures that are common in other banks for the prevention of computer fraud, unauthorized access, etc., it might, for example, be required to compensate you for the damage.

Some links that may help: https://en.wikipedia.org/wiki/Phishing
