# 20:32 Phishing is the new virus!
The number of phishing emails continues to rise at a shocking rate, with copycat websites opening as soon as one closes, so much so that phishing now represents the biggest form of online identity theft.
The rapid development and sophistication of such attacks means that the concept of phishing is no longer limited to simply using email as the attack tool. There have been many cases citing web browser hijacking, instant messaging and automatic pop-ups, through to mediums such as fax, phone calls and even regular post.
These "next-generation" attacks are using blended methods that harness social engineering psychology (playing on people's fears and motivations) together with application and operating system vulnerabilities to run malicious code locally on users' PCs.
Key-loggers can now be programmed with behaviour mechanisms to wait until users access real websites to start logging keystrokes and take screen captures. To make matters worse, this is all conducted without users ever realising that they have been victims of phishing until they check their financial statements and receive an unpleasant surprise.
These new attacks have the potential to affect far more people than the original recipient. For example, an employee working at home on a company laptop receives a phishing email and clicks on a link; the laptop could then infect other computers when it is reconnected to the network.
# 25:02 Even Corporate environments are not totally safe
# 28:27 Mozilla Thunderbird adds AntiPhishing
Henrik Gemal reports that safeguards against phishing have been checked in to Mozilla Thunderbird. In builds with this feature, Thunderbird will display a confirmation dialogue when the user follows a link in an email to a site that looks like it might be part of a phishing scam.
# 30:27 Zombie trick expected to send spam sky-high
Spam levels are about to skyrocket, according to experts who warned last week that spammers have developed a new way of delivering their wares. Previously, zombie PCs have been used as mail servers themselves, sending spam e-mails directly to recipients. With the new method, the "zombie" computer is instead used to send spam via the mail server of that PC's Internet service provider. This means the junk mail appears to come from the ISP, making it very hard for an antispam blacklist to block it.
# 36:17 First Was Phishing, Next Is Pharming
A new wave of larcenous attempts will involve attacks on Web browsers' address bars to redirect users to bogus Web sites.
Today's phishing attack usually consists of an official-looking e-mail from a bank, credit card company or other financial services provider. Inside the message is a link to what looks like an official Web site but is actually a clever-to-clumsy-looking scam that gathers personal account information, passwords, Social Security numbers and other information useful to crooks.
This first-generation phishing will move toward pharming, which involves Trojans, worms, or other technology that attack the browser address bar. Thus, when users type in a "valid" URL they are redirected to the criminals' Web sites.
Another way to accomplish the same thing is to attack the DNS system rather than individual machines. Do this and conceivably everyone who enters what seems like a valid URL—the one that worked properly moments before—will instead be taken to the scammer's site.
# 39:11 Anti-Phishing Working Group
The Anti-Phishing Working Group has made it their mission to track and report this sort of activity. You can review their website for more information. If you do a lot of online banking or online purchasing and you are concerned about this threat, Netcraft has developed their own toolbar (yes, I know… another toolbar) to help you identify potential scam sites. Please review their site for more information.
# 40:47 How do I protect myself from phishing?
1. Never respond to requests for personal information via e-mail or in a pop-up window. If in doubt, call the institution that claims to be the sender of the e-mail or pop-up window.
2. Visit Web sites by typing the URL into your address bar.
3. Check to make sure the Web site is using encryption.
4. Routinely review your credit card and bank statements.
5. Report suspected abuses of your personal information to the proper authorities.
6. Check your HOSTS file regularly or disable it by renaming it to HOSTS.TXT.
7. Educate your whole household about phishing and make sure they understand its dangers.
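
One way to carry out the HOSTS file check in step 6, looking for the kind of pharming redirect described earlier; this is an added example, not part of the original show notes. The sample file contents, the hostname `www.bank.example` and the addresses are constructed, and skipping loopback, `0.0.0.0` and single-label entries is an assumption of this check.

```python
import ipaddress

# Constructed sample HOSTS content; names and addresses are placeholders.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist-style entry
203.0.113.45    www.bank.example bank.example
192.168.1.20    fileserver             # LAN shortcut
not-an-ip       broken.example.org
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower() for h in fields[1:]]

def audit_hosts(text):
    """Return entries that point a dotted hostname at another machine."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "malformed address"))
            continue
        # Assumption: loopback and 0.0.0.0 entries only block a name, and
        # single-label names are local shortcuts, so neither is reported.
        if ip.is_loopback or ip.is_unspecified:
            continue
        dotted = [n for n in names if "." in n]
        if dotted:
            findings.append((line_no, address, dotted, "overrides DNS"))
    return findings

if __name__ == "__main__":
    # To audit a real machine, read the file instead of SAMPLE_HOSTS:
    # /etc/hosts, or C:\Windows\System32\drivers\etc\hosts on Windows.
    for line_no, address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} -> {', '.join(names)} ({reason})")
```

Any "overrides DNS" finding for a site you log in to is worth investigating, since a legitimate HOSTS file rarely needs to name a bank or shop.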
# 45:52 Wamu.com Scam