What is phishing anyway?
Wikipedia defines phishing as the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication (Wikipedia: Phishing).
Nowadays you probably receive at least one phishing email, containing a phishing URL, every time you open your mailbox. Most likely it ends up in the spam folder. Spam filters do what they are supposed to do, but not in every case.
How do you identify a phishing email? How do you make sure you're safe from phishing?
You cannot trust the "From" field in an email. It can be spoofed and set to anything: anyone can send you an email claiming to be from the Maybank Security Team. There are mechanisms to address this, such as Sender Policy Framework (SPF), which lets the receiving server verify whether the IP address of the sending mail server is authorised to send email for the domain the message claims to come from, but it is not yet widely implemented.
The URL. A real bank will not ask you to fill in a username or password through a link it sends you. If you receive an email from your bank, type the bank's URL into a new tab/window yourself. Don't follow the link provided.
Either way, you have to be able to distinguish a valid URL from a phishing URL. In this case I'm using Maybank as the example. The valid URL for Maybank online banking is http://www.maybank2u.com.my. Phishers will put the phishing site at a different URL, twisted to make you believe it is the valid Maybank URL.
All of the above are invalid Maybank domains. The most important part of each URL is the part bolded in the list above. We will go through the links one by one.
- The URL points to a server by IP address, 184.108.40.206 (just an illustration). The content is hosted on the server with IP 220.127.116.11.
- The host is actually maybnk2u.com. The phisher is trying to cheat you by using a domain name that looks similar to the valid one. /my/ in this case is just a content folder on the server.
- The domain name is almost the same as in no. 2, but the whole domain is maybnk2u.com.my. All .my domain names are handled by the Domain Registry. You should report any phishing site using a .my domain to the Domain Registry as soon as you see it.
- You can see www.maybank2u.com.my as part of the hostname, but the registered domain is mydomain.com. The owner of mydomain.com created a subdomain, and sub-sub-domains, under mydomain.com, so www.maybank2u.com.my is just a subdomain of mydomain.com. The owner of mydomain.com is the phisher.
Rule of thumb
- Check the host name: everything from http:// up to the next /.
- In the hostname, find the domain name: usually the last 2 or 3 labels of the hostname, such as domainname.com or domainname.com.my.
- If the domain is anything other than maybank2u.com.my, the URL is a phishing site.
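The rule of thumb above can be written down as a small checker. The code below is an added example, not part of the original post: it takes the hostname from a URL, works out the registrable domain from a deliberately tiny suffix table (a real implementation would use the full Public Suffix List), and compares it against the one legitimate domain the post names. The sample URLs mirror the four tricks described above (bare IP address, lookalike domain, lookalike under .com.my, and the bank's name hidden as a subdomain of mydomain.com) and are constructed for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse
import ipaddress

# Allow-list: the only domain the post treats as the bank's own.
LEGIT_DOMAINS = {"maybank2u.com.my"}

# Assumption: a tiny stand-in for the Public Suffix List. Multi-label
# suffixes come first so "com.my" wins over plain "my".
KNOWN_SUFFIXES = ("com.my", "net.my", "org.my", "co.uk", "com", "net", "org", "my")


def hostname_of(url: str) -> Optional[str]:
    """Step 1 of the rule of thumb: the part between 'http://' and the next '/'.

    urlparse lowercases the host and strips any user@ prefix or :port.
    """
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def is_ip_literal(host: str) -> bool:
    """A bare IP address in place of a domain is a red flag on its own."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Step 2: the owner's label plus the public suffix (last 2 or 3 labels)."""
    for suffix in KNOWN_SUFFIXES:
        if host == suffix:
            return host
        if host.endswith("." + suffix):
            owner_label = host[: -len(suffix) - 1].rsplit(".", 1)[-1]
            return f"{owner_label}.{suffix}"
    # Unknown suffix: fall back to the last two labels.
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> Tuple[str, str]:
    """Step 3: verdict plus the reason, so a user can learn what gave it away."""
    host = hostname_of(url)
    if not host:
        return "suspicious", "URL has no hostname"
    if is_ip_literal(host):
        return "phishing", f"bare IP address {host} instead of the bank's domain"
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legit", f"registrable domain is {domain}"
    if "maybank2u" in host:
        return "phishing", f"bank name appears in hostname, but registrable domain is {domain}"
    return "phishing", f"registrable domain {domain} is not the bank's"


# Constructed sample URLs, one per trick described in the post.
SAMPLES = [
    "http://www.maybank2u.com.my/",
    "http://184.108.40.206/maybank2u/",
    "http://maybnk2u.com/my/",
    "http://www.maybnk2u.com.my/",
    "http://www.maybank2u.com.my.mydomain.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = classify(sample)
        print(f"{verdict:9} {sample}  ({reason})")
```

The subdomain case is the one people misjudge most often: the hostname starts with exactly the bank's name, and only the last two labels (mydomain.com) reveal who actually controls the server, which is why the check works from the right-hand end of the hostname.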
What should I do with a phishing site?
There are a few databases of phishing websites that are shared with popular browsers to alert users to known phishing sites. If you open a known phishing URL, most probably a red warning page will appear. But if the phishing site is still new, the warning won't show up. You should contribute to these databases as well, so that other users won't be cheated.
- Using Firefox: click Help -> Report Web Forgery
- Go to phishtank.com and submit the URL. PhishTank is one of the largest databases of phishing sites.
What contributes to the increase in phishing cases?
- Insecure servers: Most phishers ride on a compromised machine to host the phishing site. It looks as if the compromised server is running the phishing site, while the phishers stay behind the scenes. Besides, the compromised server is sometimes used to send phishing email to massive mailing lists, and most probably your address is in one of them, thanks to email harvesters. Mail-sending scripts make the process easy.
- Compromised email accounts: Have you ever had a friend send you a suspicious link? Most probably his/her account was compromised and is being used to send phishing URLs to you and everyone else in the contact list. In most cases it happens with Yahoo email. Not sure why; maybe there are a lot of Yahoo phishing victims. If it comes from a Yahoo account, you can check which IP address the sender sent the email from, and hence which country.
- Open relay mail servers: An email server with mail relay enabled allows anyone to use it to send email. There is also software that makes it easy to connect to and send email through such servers. You can check whether your own server has open relay enabled; just google "check open mail relay".
I hope to see everyone safe online while IT makes our lives easier. Banking, social networks, communication: we really depend on the internet for all of these. So it is everyone's responsibility to take online security and privacy seriously.
I hope this post helps some people understand one of the most widespread online threats: phishing.