Spam might be getting easier to detect and avoid, but phishing schemes are becoming ever-more clever, according to the latest State of Spam and Phishing report from security company Symantec Corp.
The major Rustock botnet was shut down March 16 by Microsoft Corp. and its security partners, eliminating a huge amount of spam from the global market. But the February data show other scams were already prevalent before that major spammer was taken out.
Symantec’s report compiles data from February 2011 on spam and phishing levels worldwide. In Canada that month, only seven per cent of phishing lures were based in Canada and only two per cent of phishing hosts were here, according to the report. Among the economic up-and-comers known as “BRIC” (Brazil, Russia, India and China), spam output has been declining over the last 15 months, the report suggests.
“It’s too early to celebrate,” says Eric Park, an analyst with Symantec who was responsible for the spam portion of the report. While the major spam network has been taken down, there’s always the possibility that other botnets could take up the cause.
To make matters worse, phishing schemes are adapting to the security measures that security firms and major credit card companies are putting in place. “It stands to reason that they’d look the same as what you expect to see,” says Brian Bourne, president of CMS Consulting Inc. and the security expert on the ITBusiness.ca Editorial Advisory Board.
According to Symantec’s report, it is now common for phishing websites to request 3-D Secure passwords. The passwords are an extra layer of security used by various banks and major companies with programs like Verified by Visa. If you try to purchase a ticket on Air Canada’s site using your Visa, you will be prompted for a secure “Verified by Visa” password.
One Web site in Turkey prompted users for their 3-D Secure password when they attempted to buy mobile airtime online. It even went so far as to feature a message promoting its high-grade encryption.
“There’s no one tool that is completely foolproof,” says Stephanie Wallat, business leader for e-commerce with Visa Canada. This is why Visa uses layered security, she says. She recommends that consumers look out for signs that the site they are on is valid, like authentication seals and security certificates.
“We’re aware that Verified by Visa has been targeted,” she says, now that phishing sites are including requests for 3-D Secure passwords.
The same can be said for major e-commerce site PayPal. According to security firm Sophos, 70 per cent of phishing e-mails in 2006 were created to appear as if they came from PayPal. By April 2010, the company had reduced that number to 3.7 per cent.
This was partly because of customer education, according to Darrell MacMullin, managing director of PayPal Canada. PayPal made sure to include links to its security information on every page of its site. It also warns its users (4 million in Canada alone) that the company will never send an e-mail with a link to alter or update account information.
Another disturbing piece of Symantec’s report concerns mass phishing using fake Secure Sockets Layer (SSL) certificates. To make a scam appear authentic over HTTPS, phishers must either obtain a fraudulent SSL certificate or compromise a legitimate site that already has one. In one such scheme, users were also asked to provide log-in information for a popular e-commerce site.
Bourne says he is actually surprised that more phishing sites aren’t using SSL certificates to look legitimate. “It’s more work, but it’s not a lot more work,” he says, so it’s important for consumers and businesses to realize that a lock symbol doesn’t mean a site is safe. The lock only tells you the connection is encrypted to whatever host is in the address bar; it says nothing about whether that host is the company you meant to visit.
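The point that the lock symbol proves encryption, not identity, can be illustrated with a small check that ignores the scheme entirely and looks only at the hostname. The following is an added example written for this page, not code from Symantec, Visa or PayPal; the brand name `example-bank`, the allowlisted domains and the sample URLs are all constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed allowlist of hostnames a (hypothetical) brand actually uses.
# A real deployment would populate this from the brand's published domains.
LEGITIMATE_DOMAINS = {"example-bank.com"}
BRAND_TOKEN = "example-bank"


def host_matches(host, legitimate_domains):
    """True if host is exactly an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legitimate_domains)


def classify_url(url, brand=BRAND_TOKEN, legitimate_domains=LEGITIMATE_DOMAINS):
    """Classify a URL by its hostname alone.

    Returns a dict with:
      tls     - whether the URL would show a lock (scheme is https)
      verdict - "expected-domain", "brand-lookalike", "unrelated-domain" or "invalid"

    The verdict deliberately does not depend on tls: a phishing host with a
    valid certificate still gets the lookalike or unrelated verdict.
    """
    parts = urlparse(url)
    # .hostname strips port and any user@ prefix, so "brand.com@evil.net"
    # resolves to "evil.net", which is the host the browser would contact.
    host = (parts.hostname or "").lower().rstrip(".")
    tls = parts.scheme.lower() == "https"
    if not host:
        return {"tls": tls, "verdict": "invalid"}
    if host_matches(host, legitimate_domains):
        return {"tls": tls, "verdict": "expected-domain"}
    # Brand name embedded in an unrelated registrable domain, e.g.
    # example-bank.com.verify-account.net, is the classic lure pattern.
    if brand.lower() in host:
        return {"tls": tls, "verdict": "brand-lookalike"}
    return {"tls": tls, "verdict": "unrelated-domain"}


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts are real services.
    samples = [
        "https://secure.example-bank.com/login",
        "https://example-bank.com.verify-account.net/login",
        "https://example-bank.com@evil-login.net/",
        "http://example-bank.com/login",
    ]
    for u in samples:
        print(u, classify_url(u))
```

Run as a script, the second and third URLs both carry `https` (and would show a lock in a browser) yet are classified as a lookalike and an unrelated domain respectively, while the plain-HTTP fourth URL still lands on the expected domain. That mirrors the advice in the article: look at where you actually are, not at the padlock.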
Symantec also compiled a top-10 list of spam subject lines in February. The ones that make the top of the list do so only because of sheer volume, Park says. Most people know not to open an e-mail with the subject line “Guaranteed Quality of Viagra Pills, Fast delivery and Low prices,” one of the top ten lines used in February.
But there are more savvy criminals who send spam more effectively, Park says. “We typically do see these attacks whenever natural disasters occur,” he says, including the recent earthquake and tsunami in Japan.
To avoid disaster-themed spam of this kind, and to stay generally safe from phishing, security experts have some basic recommendations:
Type URLs yourself instead of clicking links
“You can always pick up the phone,” Bourne says, to ensure a Web site asking for your information is legitimate. And in the same way that you initiate that call, you can initiate your visit to the website by typing in the URL yourself instead of clicking a link. Similarly, if you see a shortened link on a site like Twitter, use the preview function first instead of clicking the link.
“Shopping online with an unprotected computer is like driving without a seatbelt,” MacMullin says. Make sure your computer’s anti-virus software and spam filters are up to date.
Use unique passwords
Choose passwords that aren’t obvious, and don’t use the same password too often, MacMullin says.
Trust your gut
“If it seems fishy, it probably is,” Bourne says.