Business Security: Phishing - Essay Example

Topic: Business Security: Phishing Introduction: This paper seeks to analyze and discuss phishing as an inevitable topic in business security. It therefore starts with defining clearly what it is, the techniques employed and the extent of damage it has inflicted. It continues by detailing what the stakeholders have done and what they plan to do with all the concerns on the reality of phishing. It ended with a practical advice on a personal note how an internet user protects itself from the dangers of failing to respond to the challenge. 2. Analysis and Discussion 2.1 Definition, techniques, proofs Wikipedia (2006) described phishing attempt as a disguised as an official email from a (fictional) bank, as attempts to trick the banks members into giving away their account information by "confirming" it at the phishers linked website. Phishing is bad and its one of the great enemies of the IT industry and its related industries, which particularly includes the e-commerce, electronic banking and other electronic finance related services. Wikipedia (2006) considers phishing as a form of criminal activity using social engineering techniques. It explains that phishers attempt fraudulently to acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Further, it states that phishing is typically carried out using email or an instant message. Given therefore the objective of phishers, one would not be surprised to here electronic fund theft or fraud as a result of phishing and the most likely victims are customers with banks accounts, credit card accounts a e-currency and other related accounts. As to what techniques are employed, Wikipedia (2006) said: Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.yourbank.com.example.com/. One method of spoofing links used web addresses containing the @ symbol, which were used to include a username and password in a web URL (contrary to the standard Berners-Lee, Tim. (n.d.). For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that the link will open a page on www.google.com, whereas the link actually directs the browser to a page on members.tripod.com, using a username of www.google.com; were there no such user, the page would open normally. This method has since been closed off in the Mozilla (Fisher, Darin. n.d.) and Internet Explorer (Microsoft, 2006) web browsers, while Opera provides a warning message and the option not to follow the link. One could now see the sophistication as to how phishing is conducted. In fact, what was mentioned above is not yet enough when Wikipedia (2006) further added techniques, saying, “ Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entitys URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL (BBC News (2004).” Further, Wikipedia (2006) said: “In another popular method of phishing, an attacker uses a bank or services own scripts against the victim (Evgeniy Gabrilovich and Alex Gontmakher (February 2002). These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or services own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal (Krebs, Brian. Flaws in Financial Sites Aid Scammers , 2006) ” What are the reported cases of phishing then and what is the extent of the damage? Wikipedia (2006) cited: “On January 26, 2004, the FTC (Federal Trade Commission) filed the first lawsuit against a suspected phisher. The defendant, a Californian teenager, allegedly created and used a webpage designed to look like the America Online website, so that he could steal credit card numbers (Leyden, John 2006). Other countries have followed the lead of the U.S. by tracing and arresting phishers. A phishing kingpin, Valid Paulo de Almeida, was arrested in Brazil for leading one of the largest phishing crime rings, which in 2 years stole between $18 and $37 million USD (Leyden, John,2006). UK authorities jailed two men in June 2005 for their role in a phishing fraud (Roberts, Paul, n.d.), in a case connected to the USSS Operation Firewall, which targeted notorious "carder" websites (Nineteen Individuals Indicted in Internet Carding Conspiracy, 2004). In 2006 eight people were arrested by Japanese police on suspicion of phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves 100 million yen ($870 thousand USD) (The Daily Yomiuri (n.d.).” 2.2 What actions or solutions have been done and things are being done by different stakeholders? The extent of damage done and the possibility of greater damage point the need for actions and decisions. In this regard, Wikipedia (2006), citing (Information Week, 2006) reported that in the United States, Democratic Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. It also said that the federal anti-phishing bill proposes that criminals who create fake web sites and spam bogus emails in order to defraud consumers could receive a fine up to $250,000 and receive jail terms of up to five years. Moreover, Wikipedia (2006), citing (Microsoft Australia (2006), said that Microsoft has also joined the effort to crack down on phishing. On March 31, 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. It said that the lawsuits accuse "John Doe" defendants of using various methods to obtain passwords and confidential information. March 2005 also saw Microsoft collaborates with the Australian government to teach law enforcement officials how to combat various cyber crimes, including phishing. In addition it said that Microsoft announced a planned further 100 lawsuits outside the U.S. in March 2006, citing (Espiner, Tom (2006). 3. On a personal level what could be done to avoid becoming the next victim? While actions are being done by governments and the firms industry, the consumer or user, who would be the victims of phishing could do many thing like what Thompson (2005) gave in following protection tips. As a rule, never e-mail personal or financial information. Never respond to requests for personal information in e-mails. Banks, the IRS and legitimate businesses never ask for such information through e-mail. If you are tempted to respond, call the company instead. If you initiate a transaction that calls for personal or financial information, confirm that the Web site is secure by checking for a lock icon on the browsers status bar or a URL that begins https (the s stands for secure) instead of http. Be aware that phishers are able to forge a security icon only when they initiate an e-mail, which is why you never should reveal information in response to a received e-mail. Check credit card and bank statements as soon as you receive them for any unauthorized charges. If your statement is late by more than a couple of days, call the company or bank to confirm your billing address and account balances. Use antivirus software and keep it current. Use a firewall if you have a broadband connection. Report suspected abuses to the antiphishing network authorities at reportphishing@antiphishing.org and to the company thats being spoofed. If you suspect your personal information has been compromised or stolen, be sure to promptly contact the Federal Trade Commission and the identity theft Web site at www.consumer.gov/idtheft. 3. Conclusion and Recommendation: Business entities exist with resources. Precisely they exist to manage resources of resource owners the stockholders and other stakeholders. Such management by companies also requires them to protect their resources and further demands increase in resources. Resources, specially the financial ones need to be protected from theft , fraud or even crimes. The speed by which business has allowed technology to hasten the process of business, has also produce an equally amount of speed in ease in losing business financial resources because of these theft, fraud and crimes. Phishing is one of the most popular and appear the latest crime of the this century. The stakeholders , particularly the users that includes , individuals, government and boringness must know the techniques and schemes through the use technologies used by phishers in effecting their evil purposes. I recommend that the strongest anti-dote is the cooperation among all the stakeholders through massive education of the users and governments strict and sure enforcement of anti-phishing laws it has made and made and will able to make. The fight for phishing is global fight. It transcends boundaries. The act of cooperation among nations could unify humanity that there is such a thing internet security. There is such thing as justice, and people who commit crimes be put to the bar of justice for stealing others money. In a deeper sense, the world of business is not only governed by profits and technologies, hence , the best anti-dote to crime like fishing is a foundation on morality where people are aware of the moral consequences of wrongful act be they appear via cyberspace or not. Bibliography 1. BBC News (2004) , "Phishing cacks broon hijwser bar", {www document} URL http://news.bbc.co.uk/2/hi/technology/3608943.stm , re-accessed July 25,2006 2. Berners-Lee, Tim. (n.d.) Uniform Resource Locators (URL), IETF Network Working Group. http://www.w3.org/Addressing/rfc1738.txt, Retrieved on January 28, 2006. Re-accessed July 25, 2006. 3. Evgeniy Gabrilovich and Alex Gontmakher (February 2002). "The Homograph Attack". Communications of the ACM 45(2): 128. , {www document} URL http://www.cs.technion.ac.il/%7Egabr/papers/homograph_full.pdf, re-accessed July 25,2006 4. Fisher, Darin. (n.d.), Warn when HTTP URL auth information is not necessary or when it is provided. Bugzilla, Retrieved on August 28, 2005, {www document} URL https://bugzilla.mozilla.org/show_bug.cgi?id=232567, re-accessed July 25,2006 5. Krebs, Brian. Flaws in Financial Sites Aid Scammers (2006) , Security Fix. Retrieved on June 28, 2006, {www document} URL http://blog.washingtonpost.com/securityfix/2006/06/flaws_in_financial_sites_aid_s.html, re-accessed July 25,2006 6. Legon, Jeordan (2005) , "Phishing scams reel in your identity", CNN, January 26, 2004., { www document } URL http://www.cnn.com/2003/TECH/internet/07/21/phishing.scam/index.html, re-accessed, July 25,2006 7. Leyden, John (2006), "Brazilian cops net phishing kingpin", The Register, March 21, 2005, { www document } URL http://www.cnn.com/2003/TECH/internet/07/21/phishing.scam/index.html 8. Microsoft (2006) . A security update is available that modifies the default behaviour of Internet Explorer for handling user information in HTTP and in HTTPS URLs. Microsoft Knowledgebase. Retrieved on August 28, 2005., {www document} URL http://support.microsoft.com/kb/834489, re-accessed July 25,2006 9. Nineteen Individuals Indicted in Internet Carding Conspiracy. (2004) Retrieved on November 20, 2005, { www document } URL http://www.cybercrime.gov/mantovaniIndict.htm 10. Roberts, Paul (n.d.), "UK Phishers Caught, Packed Away", eWEEK, June 27, 2005, { www document } URL http://www.eweek.com/article2/0%2C1895%2C1831960%2C00.asp 11. The Daily Yomiuri (n.d.) , "8 held over suspected phishing fraud", May 31, 2006., { www document } URL http://www.yomiuri.co.jp/dy/national/20060531TDY02012.htm 12. Thompson, S. (2005), Phight Phraud: Steps to Protect against Phishing AICPA RESOURCES, Technology Conference, Hilton, Austin, Texas Read More