
Devangshu Datta: Phishy business

TECHNO BEAT

Devangshu Datta New Delhi
Last Updated : Jun 14 2013 | 3:17 PM IST
If you're sitting near a Net connection, you might want to try this experiment. Go to secunia.com and take the "multiple browsers frame injection vulnerability test".
 
Do as they say: open a new browser window and connect to the demonstration site (microsoft.com in the given example). Then hit the "inject secunia.com" button.
 
A warning pops up. This is a demo frame injected by Secunia. The demo can be tweaked to work with any secure site. If that warning had been a page that mimicked the log-in at your e-banking site, you would have typed in your username and password without a second thought, because the "secure site icon" would still be visible.
 
It is that easy to be fooled. This deception is available in a wide variety of browsers. I tried it in Linux/Windows with dial-up and DSL (digital subscriber line) connections and firewalls up. I used the latest Opera, Netscape/Mozilla and Internet Explorer builds. Only Firefox stopped it and that's not a common browser.
 
Most browsers don't check whether a frame belongs to a specific website. Therefore, one browser window can load content into a frame pasted in another window. The flaw lies in the design of browser frames and is present across most browsers.
 
The hacker doesn't "crack" the e-commerce site. A victim visits the hacker's tainted site, which contains a nasty little display routine. He then casually leaves that browser window open and goes to the secure site in another window. The tainted frame is duly injected and hooks the victim.
 
Welcome to "phishing" (pronounced "fishing"): scams which "phish" online for personal data. "Phishers" use a creative mix of social engineering and technical savvy to "hook" data. With a credit card PIN or bank account log-in details, they're in business.
 
Phishing enables identity-theft and fraud; a nightmare inflicted on thousands every year. PAN details, social security data, insurance details, credit card records and so on are stored online. The phisher can pretend to be you and misuse your funds.
 
Legally this is a grey area; there isn't enough case-law; what laws there are often contradict each other; nations interpret phishing crimes differently in their respective criminal justice systems.
 
You might receive no compensation for hacked losses. If a phisher buys child porn or trades drugs in your identity, you might have trouble staying out of jail!
 
Phishers often dangle bait in the form of attractive online offers. For example, many pay-porn sites are tainted by phishing scams; credit card majors often avoid porn order-processing because of security issues rather than moral qualms.
 
Another phishing gambit is to mimic the web page of a well-known e-commerce entity. The page looks the same, there is a minute change in the URL (to "dot-org" perhaps, rather than "dot-com"), but the information goes to the fraudster. The only big giveaway is a missing "secure site" icon.
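One defensive check that follows from this, added here as an example and not part of the column: a small Python function that flags a URL whose host borrows a known brand's name under a different suffix (the dot-org for dot-com trick above), buries it as a subdomain of an unrelated domain, or hides it in the user-info part before an "@". The allow-list of legitimate domains is a constructed assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the user actually banks or shops with.
# In practice this would be the user's or organisation's own bookmark list.
KNOWN_DOMAINS = {"examplebank.com", "microsoft.com"}

# Brand labels are the second-level names, e.g. "examplebank", "microsoft".
BRAND_LABELS = {d.split(".")[0] for d in KNOWN_DOMAINS}


def registrable_domain(host):
    """Crude registrable domain: the last two labels of the host.

    Assumes a single-label public suffix such as .com or .org; a real
    deployment would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def classify_url(url):
    """Return 'ok' for an allow-listed site, 'lookalike' for a host that
    trades on a known brand name, and 'unknown' for anything else."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    reg = registrable_domain(host)

    if reg in KNOWN_DOMAINS:
        return "ok"

    # https://examplebank.com@evil.org/ -- browser connects to evil.org,
    # but the part before "@" is what a hurried reader sees.
    if parts.username and any(b in parts.username.lower() for b in BRAND_LABELS):
        return "lookalike"

    # examplebank.org instead of examplebank.com: same name, wrong suffix.
    if reg.split(".")[0] in BRAND_LABELS:
        return "lookalike"

    # examplebank.com.evil.org: brand name pushed into a subdomain label.
    if any(label in BRAND_LABELS for label in labels[:-2]):
        return "lookalike"

    return "unknown"
```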
 
Phishers also send out e-mails. Banks and card issuers never ask for password information online: they regularly post warnings about this.
 
Nevertheless, people do respond when an official-looking e-mail arrives, purporting to come from their credit-card issuer, and asking for sensitive data. The mail may have an html graphic with embedded "malware", designed to log keystrokes.
 
Another favourite ploy is the e-mailed "Income Tax demand" or "court summons", which demands information. A third popular gambit is a pop-up ad, with malware installed from a tainted site. If you click the "close" button or click through, the pop-up installs an invisible keystroke logger.
 
There are no foolproof anti-phishing measures. But following a few rules greatly enhances security. Always make a confirmatory phone call to the supposed sender before responding to any e-mail asking for sensitive information.
 
Disable Java, use firewalls and install operating system updates. Clear the cache and remove cookies after every surfing session. If you wish to access a financial site, log off and log on again, and keep only one window open.
 
Ignore pop-ups, or install a pop-up killer. Keep sensitive data off networked drives. The list could go on. Most of all, you need to use common sense, and that's no easier to do in cyberspace than in meatspace.


Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper

First Published: Jul 08 2004 | 12:00 AM IST
