Security Researchers Identify New Phishing Scam

March 21, 2011 - PRLog -- Security researchers have warned users against a new phishing scam. The scam is allegedly directed at Bank of America, TSB, Lloyds and PayPal users. The new phishing attack, first identified by Rodel Mendrez of M86 security labs comes with an unsolicited e-mail containing an HTML attachment. Unlike the usual phishing attacks, the latest attack does not redirect users to a seemingly legitimate, but fake website. Instead, the attack stores a malicious webpage locally. The use of HTML file allows attackers to evade being detected by a web browser. As a result of the security by-pass, users do not receive any warning and HTML attachment opens in the browser. When unwary users enter the requisite information and click on the submit button, the HTML form sends the extracted information to a remote compromised webserver. The information is send through a POST request directed at PHP scripts hosted on the compromised server.

Cybercriminals are continuously evolving their modus operandi to by-pass security filters, trick users and extract confidential information. The collected information could be misused to conduct unauthorized transactions, steal funds and transfer money. The gathered information could also be sold by the attackers to their peers in the underground crime market.  

Usually, IT professionals qualified in masters of security science, penetration testing and other security certifications help developers in identifying the threat vectors and mitigating security flaws. In this case, attackers were successful in circumventing the anti-phishing filters used by the browsers and deceive users.

Cyber security awareness among Internet users is crucial to combat sophisticated threats. Cyber security tips could be circulated through brochures, e-flyers, video tutorials and advertisements. Online degree and learning programs could also be encouraged to create cyber security awareness. Internet users must be cautious, while providing personal information online. They must verify the authenticity of the sites, before entering any sensitive information. Users must be wary of e-mails that appear to come from banks, online payment and online shopping sites and seek sensitive information. They must verify the authenticity of such e-mails by directly contacting the organization through trusted communication channels such as phone number and e-mail id provided on the website.

Users must avoid opening e-mail attachments arriving from unknown and suspicious sources. They must also avoid replying to and clicking links provided on unsolicited e-mails. Attackers also deceive users by applying social engineering techniques. They gather information from various sources and send cleverly crafted e-mails, which appear to come from a peer, subordinate, new employee or supervisor. They also contact users through phone posing as a representative of a company. IT professionals could keep themselves of the evolving security threats through e-learning and online university degree programs. Organizations must ensure adherence of cyber security guidelines by the employees. Users must avoid disclosing sensitive personal and organizational information, without verifying the authenticity of the person by directly contacting the concerned organization.

Users must avoid arbitrarily disclosure of e-mail addresses to decrease the possibility of spam and unsolicited e-mail. Avoiding arbitrarily selection of multiple offers while registering on an online account may also help in reducing spam e-mails. Using privacy settings to hide or restrict access to e-mail address on social networking sites may help in avoiding unsolicited e-mails from strangers. Users must also look for the privacy policy of a website, before submitting personal details on the site.

Contact Press

EC-Council
Website:  http://www.eccouncil.org
Email:  iclass@eccouncil.org
Tel:  505-341-3228

EC-Council University is based in Albuquerque, New Mexico and offers Master of Security Science (MSS) degree to students from various backgrounds such as graduates, IT Professionals, and military students amongst several others. The MSS is offered as a 100% online degree program and allows EC-Council University to reach students from not only the United States, but from all around the world.

EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.

EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates the global series of Hacker Halted security conferences.

# # #

iClass is EC- Council's online training delivery platform. Students can attend live, or recorded training sessions for courses such as Certified Ethical Hacker (CEH), Certified Security Analyst (ECSA) or Computer Hacking Forensic Investigator (CHFI).