Phishing - Revision history

Hblankenship: /* Deploy SPF */

2018-06-30T09:02:22Z

‎Deploy SPF

KirstenS at 21:02, 14 April 2009

2009-04-14T21:02:02Z

KirstenS at 13:08, 2 March 2009

2009-03-02T13:08:22Z

KirstenS: /* What is Phishing? */

2009-03-01T23:38:57Z

‎What is Phishing?

KirstenS at 23:37, 1 March 2009

2009-03-01T23:37:37Z

KirstenS at 14:00, 16 February 2009

2009-02-16T14:00:54Z

KirstenS: /* Don’t be framed */

2008-09-20T13:02:02Z

‎Don’t be framed

KirstenS: /* Communicating with customers via e-mail */

2008-09-20T12:59:29Z

‎Communicating with customers via e-mail

KirstenS: /* Communicating with customers via e-mail */

2008-09-20T12:59:11Z

‎Communicating with customers via e-mail

KirstenS at 12:56, 20 September 2008

2008-09-20T12:56:03Z

@@ Line 54: / Line 54: @@
 It is not enough to not trust emails from banks. You need to question emails from all sources.
-==Deploy SPF ==
+==Deploy SPF, DKIM, DMARC ==
-SPF - Sender Policy Framework - http://www.openspf.org/ - is a simple addition you can make to your DNS servers to alow recipients to authenticate email messages you send.  After you're SPF-Enabled, any phishing emails that attempt to spoof your legitimate email domain will be erased by all good anti-spam software, thus preventing victims from ever receiving the phish emails.  DKIM - DomainKeys Identified Mail - http://www.dkim.org/ - is another similar system, albeit more resource intensive.
+SPF - Sender Policy Framework - http://www.openspf.org/ - is a simple addition you can make to your DNS servers to alow recipients to authenticate email messages you send.  After you're SPF-Enabled, any phishing emails that attempt to spoof your legitimate email domain will be erased by all good anti-spam software, thus preventing victims from ever receiving the phish emails.  DKIM - DomainKeys Identified Mail - http://www.dkim.org/ - is another similar system, albeit more resource intensive.  And finally, there is [https://www.dmarc.org DMARC] (Domain-based Message Authentication, Reporting & Conformance), which is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
 ==User Education ==

@@ Line 2: / Line 2: @@
 __TOC__
-[[Phishing attack|Phishing attacks]] are one of the highest visibility problems for banking and e-commerce sites, with the potential to destroy a customer’s livelihood and credit rating.  There are a few precautions that application writers can follow to reduce the risk, but most phishing controls are procedural and user education.
+Phishing attacks are one of the highest visibility problems for banking and e-commerce sites, with the potential to destroy a customer’s livelihood and credit rating.  There are a few precautions that application writers can follow to reduce the risk, but most phishing controls are procedural and user education.
 Phishing is a completely different approach from most scams.  In most scams, there is misrepresentation and the victim is clearly identifiable.  In phishing, the lines are blurred:

@@ Line 1: / Line 1: @@
 [[Guide Table of Contents|Development Guide Table of Contents]]
 __TOC__
 [[Phishing attack|Phishing attacks]] are one of the highest visibility problems for banking and e-commerce sites, with the potential to destroy a customer’s livelihood and credit rating.  There are a few precautions that application writers can follow to reduce the risk, but most phishing controls are procedural and user education.

@@ Line 20: / Line 20: @@
 The basic phishing attack follows one or more of these patterns:
-* Delivery via web site, e-mail or instant message, the attack asks users to click on a link to “re-validate” or “re-activate” their account.  The link displays a believable facsimile of your site and brand to con users into submitting private details
+* Delivery via web site, e-mail or instant message, the attack asks users to click on a link to “re-validate” or “re-activate” their account.  The link displays a believable facsimile of your site and brand to con users into submitting private details.
-* Sends a threatening e-mail to users telling them that the user has attacked the sender.  There’s a link in the e-mail which asks users to provide personal details
+* Sends a threatening e-mail to users telling them that the user has attacked the sender.  There’s a link in the e-mail which asks users to provide personal details.
-* Installs spyware that watches for certain bank URLs to be typed, and when typed, up pops a believable form that asks the users for their private details
+* Installs spyware that watches for certain bank URLs to be typed, and when typed, up pops a believable form that asks the users for their private details.
-* Installs spyware (such as Berbew) that watches for POST data, such as usernames and passwords, which is then sent onto a third party system
+* Installs spyware (such as Berbew) that watches for POST data, such as usernames and passwords, which is then sent onto a third party system.
-* Installs spyware (such as AgoBot) that dredges the host PC for information from caches and cookies
+* Installs spyware (such as AgoBot) that dredges the host PC for information from caches and cookies.
-* “Urgent” messages that the user’s account has been compromised, and they need to take some sort of action to “clear it up”
+* “Urgent” messages that the user’s account has been compromised, and they need to take some sort of action to “clear it up”.
 * Messages from the “Security” section asking the victim to check their account as someone illegally accessed it on this date.  Just click this trusty link…

@@ Line 10: / Line 10: @@
 * The identify theft victim is a victim.  And they will be repeatedly victimized for years. Simply draining their bank account is not the end.  Like all types of identity theft, the damage is never completely resolved.  Just when the person thinks that everything has finally been cleaned up, the information is used again.
-* Banks, ISPs, stores and other phishing targets are victimized – they suffer a huge loss of reputation and trust by consumers.  If you received a legitimate email from Citibank today, would you trust it?
+* Banks, ISPs, stores, and other phishing targets are victimized – they suffer a huge loss of reputation and trust by consumers.  If you received a legitimate email from Citibank today, would you trust it?
 ==What is Phishing? ==

@@ Line 273: / Line 273: @@
 [[Guide Table of Contents|Development Guide Table of Contents]]
 [[Category:OWASP_Guide_Project]]
 [[Category:Security Focus Area]]

@@ Line 126: / Line 126: @@
 Use the TARGET directive to create a new window, which will usually break out of IFRAME and other JavaScript jails.  This usually means using something like:
-'''''<A HREF=”<u>http://www.example.com/login</u>” TARGET=”_top”>'''''
+<pre>
 to open a new page in the same window, but without using a pop-up.

@@ Line 90: / Line 90: @@
 * Reduce Risk - don’t send HTML e-mail.  If you must send HTML e-mail, don’t allow URLs to be clickable and always send well-formed multi-part MIME e-mails with a readable text part.  HTML content should never contain JavaScript, submission forms, or ask for user information.
-* Reduce Risk - be careful of using “short” obfuscated URLs (like <u>http://redir.example.com/f45jgk</u>) for users to type in, as scammers may be able to work out how to use your obfuscation process to redirect users to a scam site.  In general, be wary of redirection facilities – nearly all of them are vulnerable to [[Cross-sire Scripting (XSS)|XSS]].
+* Reduce Risk - be careful of using “short” obfuscated URLs (like <u>http://redir.example.com/f45jgk</u>) for users to type in, as scammers may be able to work out how to use your obfuscation process to redirect users to a scam site.  In general, be wary of redirection facilities – nearly all of them are vulnerable to [[Cross-site Scripting (XSS)|XSS]].
 * Increase trust - Many large organizations outsource customer communications to third parties.  Work with these organizations to make all e-mail communications appear to come from your organization (i.e., crm.example.com where example.com is your domain, rather than smtp34.massmailer.com or even worse, just an IP address).  This goes for any image providers that are used in the main body.