May 25, 2007

Even Following Good Advice Can Fail You
The common wisdom about phishing email messages is: never click on a link in the message. The link may look legitimate, but the actual destination (as coded in the message's HTML) is a different site whose pages resemble the real one. I advise anyone who is concerned about an issue raised by a phishing email (e.g., "your account is suspended") to log on to the site through an established bookmark or by manually typing the site's URL.
That advice, however, may no longer be sufficient. An article in The Register reports that numerous PCs carry some type of infection that injects a phony page when the user accesses the real site. In other words, all the normal indications—address bar URL, security certificate—pass the "smell test," because your browser believes it is visiting the genuine site. The infection injects HTML into the browser without disturbing the things that make you think everything is OK.
And not just "you." Anti-phishing features built into the newest browsers don't see anything wrong with the URL, because the browser still believes it is visiting the real site. Worse still, the infection reported in the article wasn't detected by a major antivirus program installed on the computer; to the contrary, the antivirus software gave the page a "thumbs up."
This appears to be one nasty infection, and it most likely arrived through installation (intentional or drive-by) of a piece of software. Let me be clear about this: it is not the traditional phishing scenario. The user visited the financial site the correct way, but the infection slipped a phony page in place of the actual page. The phony page asked for more personal identity information than the financial institution would ever request online (or at all). At this point, you should get the same chill up your spine as the first time you saw the slasher movie with the line: "The call is coming from inside the house."
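Because the URL and certificate stay genuine, the only thing left to inspect is the page content itself. The following is an added example (not code from the original post or from The Register article) of a defender-side check a site could ship with its own login page: it compares the input fields actually present in the form against the fields the page is known to contain, flags extras, and re-runs whenever the form's markup changes. The allowlist, the sensitive-name patterns and the `form#login` selector are constructed for illustration.

```javascript
// Added example: detect form fields that should not be on this page.
// EXPECTED_LOGIN_FIELDS is the site's own known field list (assumed here).
const EXPECTED_LOGIN_FIELDS = ["username", "password", "remember_me"];

// Field names a real institution would not ask for on a login page
// (illustrative patterns; tune them for the site being protected).
const SENSITIVE_PATTERNS = [
  /ssn|social/i, /pin/i, /card.?(num|no)/i, /cvv|cvc/i, /maiden/i, /dob|birth/i,
];

// Pure check: which of the observed field names are not expected, and which
// of those look like requests for sensitive identity data.
function auditForm(fieldNames, expected) {
  const allow = new Set(expected);
  const unexpected = fieldNames.filter((name) => !allow.has(name));
  const sensitive = unexpected.filter((name) =>
    SENSITIVE_PATTERNS.some((re) => re.test(name)));
  let verdict = "clean";
  if (sensitive.length > 0) verdict = "suspect-injection";
  else if (unexpected.length > 0) verdict = "review";
  return { unexpected, sensitive, verdict };
}

// Browser wiring: audit once at load and again on every change to the form's
// subtree, since injected markup can arrive after the genuine page has loaded.
function watchForm(form, expected, onAlert) {
  const audit = () => {
    const names = Array.from(form.querySelectorAll("input[name]"), (el) => el.name);
    const result = auditForm(names, expected);
    if (result.verdict !== "clean") onAlert(result);
    return result;
  };
  new MutationObserver(audit).observe(form, {
    childList: true, subtree: true, attributes: true,
  });
  return audit();
}

// Only runs inside a browser; "form#login" is a hypothetical selector.
if (typeof document !== "undefined") {
  const form = document.querySelector("form#login");
  if (form) {
    watchForm(form, EXPECTED_LOGIN_FIELDS, (result) =>
      console.warn("Unexpected login fields detected:", result));
  }
}
```

Malware that controls the browser can also tamper with this script, so treat the result as one signal to pair with server-side checks on the fields actually submitted, not as a guarantee.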
So, how does one guard against this kind of spoofing? It's obvious that you cannot rely entirely on technology. Anti-phishing and antivirus technologies completely failed in the reported instance. It comes down (again) to the weakest link in the chain between identity thieves and the user: the user. Users need to be educated as to what personal information they should and should not reveal through a web page form. When in doubt, contact the institution by phone (not with a phone number supplied on the suspicious page) or in person to confirm that the information is needed. And, of course, follow all other good practices (e.g., not following unknown links in messages) to minimize the chance of infection in the first place. You may temporarily ward off exposure to these things by using browsers other than Internet Explorer and operating systems other than Windows, but you'd be a fool to think such measures will save you forever.

Posted on May 25, 2007 at 09:09 AM