July 5, 2013

Protection from banking “phishers”


You do not often read “repentance” articles in the media when authors describe as they did something evidently stupid and paid for it. Last year one such piece was published in the British online magazine “Which?” by Consumer Rights Editor Amanda Diamond. She happened to fall foul of a phishing email and lost a certain sum of money. A small one but not worthless, to be sure.

Once Diamond tried to log in to her online bank account a few times and entered the wrong password and PIN. When she checked her email she found a letter from her bank entitled: ‘Your account has been put on restricted status’. When she opened the email it went on to say that her online access had been ‘temporarily suspended’ and that this was due to ‘a number of incorrect log in attempts’.

“As this happened to be true, I clicked on the link without thinking and began entering my online password and PIN. But then the alarm bells rang and before I’d entered all my details I promptly ceased what I was doing and closed down the page. But, it was too late”, – Amanda Diamond wrote. She said that evening the fraudsters had called the bank pretending to be her, reported the stolen credit card and requested emergency cash. The bank proceeded to give the scammers a PIN they could use in a cash machine. Thus she lost 240 pounds.

“…And I know that when entering my personal details online I should make sure the site is secure (by checking it’s got a padlock sign in front of the web address)”, – Diamond wrote. Sure.

Phishing – is a far from new but still very effective method of online fraud, which affects both ordinary users (even not so ordinary like Amanda Diamond) and large companies. Diamond is now in the process of appealing and expects to have the money fully refunded. Most likely she will succeed.

Here’s another story: “My YouTube account with 5,000 subscribers, my backup YouTube account, and my newest one were all hacked. He also hacked my PayPal account and stole my money. What can/should I do? Call the police? Call his ISP? I have his IP address and location”, – wrote some anonymous on Yahoo! Answers.

Now a counter-question arises: how could it happen? There are just two answers for that. The first variant is the work of some upscale professional who really tried his best (or he was paid for it by some enemies). This version should never be fully excluded. But there is another, much more credible and simple answer: the victim had used the same password for all his or her accounts, including PayPal. And if it was that, then he or she got an “F” for failing to comply with the basic web safety rules.

One of five phishing attacks registered since May 2012 till late April 2013 was targeted at banks and other financial institutions. These are the results of our study of the evolution of phishing threats, based on the data from Kaspersky Security Network cloud service. 20.64% of all phishing attacks recorded within the year ending in April 2013 were aimed at the sites of banks and other financial institutions around the world.

These data are indirectly confirmed by banks. According to the global survey that was conducted last spring by an authoritative analytical agency B2B International in cooperation with Kaspersky Lab, about 37% of the banks were subject to phishing attacks at least once in the last 12 months. There’s no way to guess how many bank clients were subject to such attacks.

Scammers’ interest in banking and e-commerce is natural: an attacker can make money just by selling personal information of phishing attacks’ victims. At the same time a successful phishing attack with the use of fake pages of online banking systems or popular online stores, as a rule, immediately pays an attacker.

It is quite possible to secure oneself from phishing. But there are too many different factors to be kept in mind. Firstly, by no means try using computers in public places (libraries, schools, restaurants, and internet cafes) to connect to any financial services or online shops. Nothing can guarantee the absence of even banal keyloggers on public devices.

In fact, it is not safe to use public WiFi. This is an example, describing the seemingly fantastic but true situation when a hacker (in that case rather a network security expert carrying out an experiment for journalists) brings his router in a cafe and sets it up so that potential customers would consider it the real cafe’s access point. Essentially, it is like attaching a skimmer to an ATM.

When referring to payment services you should check if there is secure connection: for example, whether the https protocol or just http is used, and in the latter case you certainly see a fake page. Even if it looks identical and you think that the web-address in the bar is correct. In general, when connecting to a payment or a banking online service you need to take into account such a great number of possible traps that an average user will find it hard to keep them all in mind.

Therefore, we have developed Safe Money – the online transaction security technology. It is available as a part of security packages for home users Kaspersky Internet Security and Kaspersky PURE. A key feature of the technology is that it was developed on the account of fraudulent techniques used by hackers attacking the users of online banking and shops. In particular, the technology prevents executing any potentially dangerous code in the browser, thus protecting the user from XSS attacks and attempts to automatically download malware from infected sites. In addition, the technology checks the legitimacy of the site to which the user is trying to log on with the help of the regularly updated database of trusted websites and phishing URLs. At the same time the integrated heuristics mechanism helps Kaspersky Lab software effectively detect malicious links before they are even included in the database.

In our unsafe networked world the use of specialized solutions for online payment protection seems quite adequate. It is much easier to activate a special mode for such cases (now that for many sites the Safe Money mode is triggered automatically), than to recollect all the necessary safety precautions before every transaction – just like pilots refer to their preflight checklists. Pilots do not have the right or ability to get along without reference, but the users of payment services are not required to hold their breaths every time they perform online transactions. Kaspersky Lab believes that users should be protected from threats at any instance of their work online. However, when it comes to real money, protection should be the maximum, so that the user should be aware that his or her money would not disappear, and the snitchers would abhor their choice of “profession”.