You Could Fall Victim to a Phishing Attack

As stated in the OWASPs guide, phishing attacks are one of the highest visibility problems for banking and e-commerce sites because they have the potential to destroy a customer’s credit rating and livelihood.  Needless to say, this is a major concern.  To make matters worse, a recent report by Trusteer states that on average 12.5 users out of 1 million accidently access a phishing website, while this number may seem relatively small, it isn’t for banks.  They lose about $2.4-9.4 million annually.  In addition, 45% of bank customers who are redirected to a phishing site divulge their personal credentials—wow!  This report proves just how important it is for banks to use a WAF.

A WAF will detect the linking of third party websites to the legit web application and initiate counter-measures. This detection can also be carried out dynamically by only blocking access once a specific number of requests have occurred.

Trusteer’s data was compiled by measuring live phishing attacks from their Rapport browser plug-in.   Read the report in its entirety or check out ZDNet or The Tech Herald for additional commentary.

Follow the discussion on Twitter @hyperguard.

Could Gmail, Yahoo Mail, Hotmail, etc. Stopped the Phishing?

By know just about everyone has heard of the 20,000 hijacked e-mail accounts due to a potentially long-lived phishing attack. This, according to a Computerworld interview with the Anti-Phishing Working Group Chairman, Dave Jevans. As we imagined, this has kicked off quite a lot of discussion in the industry. The Washington Post offered some good background earlier this week.

The threat of phishing is becoming even more prevalent as hackers test both the savvy of users and defenses of websites and email providers. In fact, Slashdot just reported on the largest phishing bust to-date (the original we think came from IT Pro in this article).

The average person deserves some credit for perpetuating phishing of course, as TechCrunch illustrates in their plea for help. People have been sounding off in forums like Neowin and on blogs like Gizmodo. So does Google, Yahoo!, Hotmail and the other effected providers share some responsibility here? Each of these must have a WAF in place – we assume and hope J – so why didn’t the WAF identify, flag and prevent the outbound spamming?

Phishing is in essence an attack on the user and not on the web server, however, the operator of a web application can do various things with their WAF to at least make it harder to carry out phishing attacks.

In phishing, the attacker attempts to direct the user of a legit web application to a fake website. If the user has entered data on the phishing site, he will normally be directed from there to links on the legit site, rendering the attack undetected for as long as possible. Phishing sites also often directly embed icons, graphics and other content from the legit site. Here is where the WAF comes into play (or in Art of Defence’s case, hyperguard).

hyperguard will detect the linking of third party websites to the legit web application and initiate counter-measures. This detection can also be carried out dynamically – only blocking access once a specific number of requests have occurred.

From a technical point of view, the WAF checks the HTTP referrer header of requests using a whitelist, blacklist, graylist or a combined approach to do this.