Gone Phishin’

Phishing is one of the growing security threats we face today. Unlike technical attacks, which try to use loopholes in the code used to create operating systems and applications, phishing falls under a category more like “social attacks.” Rather than attacking your machine directly in order to get information from you, a phisher tries to get you to give him the information he wants.

This is usually done through official sounding emails, mostly from banks and financial institutions, although recent “lottery” emails I’ve seen might represent a very crude form of phishing. Phishers send out emails that seem to come from your bank or financial institution, but in fact are from someone else entirely. In older, less advanced phishes, phishers tried to get you to email them personal information such as bank account numbers and PIN numbers. By posing as an official with your bank, they lull you into a false sense of security, and use our paranoia about our financial information to create a fear that your account may be suspended or closed. Only emailing your information, for “confirmation,” will keep your account open and active.

This kind of attack is fairly easy to thwart. Early on, when phishing first started to occur on a large scale, financial institutions reminded customers that they will never request information from a client through email … as such, any email requesting such info can be safely ignored. However, as time has passed, the attacks have become somewhat more sophisticated.

These days, its far more common to see a request to sign into your banking site in order to verify some transaction in a phish mail, complete with an official looking “direct link” to your banking login page. Unfortunately, these links are always false links, leading to someplace other than the banking site. Click on the link, and “login to your account” and you’ve just given access to your accounts to the phisher. The web page you end up on will look very much like your bank’s sign on page, but will instead be a simple web form designed to read and store the information entered in the fields.

Following is the full text of an email I received today which demonstrates this form of attack particularly well. I immediately knew it was a phish, as I do not bank with the Royal, but if I did bank with the Royal, this email might well have made me think more than most. One of the interesting features here is that the supposed reason they are contacting me is to warn me not to be surprised if I see unusual transactions on my statement, and that IS a valid reason for the bank to contact me. Warning … DO NOT click the link in the following quoted email, and whatever you do, do NOT enter any information on the page that pops up.

RBC Financial Group
Dear Client,

Royal Bank Financial Group audit department has detected a problem with transactions in your account. An amount was deposited and withdrawn by our accounting system. We warn you of this error so that you are not surprised when you see these transactions on your monthly statement. No Transaction expenses occurred. Never reveal your personal information on a site other than the RBC secure site. If you noticed another error, contact your institution during opening hours.

We encourage you to connect to your account and verify your transactions by Clicking Here

Be assured that RBC makes every effort to protect our internet users

Royal Bank Finacial Group thanks you for your business and appreciates your comprehension

RBC Financial Group
Security Advisor

  © Royal Bank of Canada 1996, 2002, 2003-2007

It was easy for me to spot the phish as I do not bank with this bank, however, even if it had been my own bank, I would have been suspicious by the second paragraph, “We encourage you to connect to your account and verify your transactions by Clicking Here” By providing me with a direct link in the email, but disguising the URL (by not actually typing in the full address it sends you to), they raised my suspicions, and sure enough, when I did check out the link, while it LOOKS like the RBC sign-on page, the URL address is not on Royal’s domain, but rather some outfit using cssfind.it.

CssFind doesn’t have a webpage at the default address, other than a simple page saying “Coming soon.” However, WhoIs domain search from Domain Tools shows me the domain is owned by John Michael Preston of Strassen, Luxembourg. I don’t know how big this particular phishing operation is, but its a bit more advanced than many I’ve seen and its one of the few that looks advanced enough to potentially fool even the more savvy users out there, so its definitely worth watching out for.

As a final note, its fairly easy to defeat almost ANY attempt at phishing. Even if the email looks completely legit, there are a few simple rules to follow.

  1. Never respond to any email that asks you to email information to the sender … your bank will NEVER do this
  2. Call your bank with any questions about any email that seems odd to you, or better yet, print it off and take it in to the bank to show a live person. They will be happy to let you know if its true or not.
  3. Finally, if you ever get an email that you think means you need to check your account for some reason, never do so using the link provided in the email. Instead, go to the address bar of your browser and type in the address for your bank directly (alternately, you can use one of your bookmarks or favorites to go there). That way, you know you are at the right site, and not giving info to a phisher.

Phishing attacks are some of the more dangerous attacks out there, not because of technical skill, but because of our own paranoias and fears. Ironically, phishers play on our fears of online banking and identity theft in order to steal our identities and hack our online banking. The attacks are fairly easy to defeat, if you are aware and paying attention, but its easy for even the most savvy users to get caught by one as well, if you let your guard down for a minute. Ultimately, though, if you follow the rules above (especially rule 4) you will be safe from most phishing attacks I have seen or heard about.

There’s a saying that goes “Even a bad day’s fishing is better than a good day of work.” That may be true, but in this case, the phisher had a bad day … I wasn’t biting.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: