Friday, February 6, 2009

Phishing: Examples and Prevention Methods

What is Phishing, and Some Examples
Phishing is a scam in which the attacker sends an email purporting to be from a valid financial or eCommerce provider, which generally looks and feels much like the valid eCommerce or banking site.
Phishing spam messages will often use spoofed 'From:' email addresses that appear legitimate, together with the logos and links of reputable businesses such as Citibank, PayPal or eBay. But the message instructs you to click on a web link that sends you to a fake website where you are asked to provide personal information such as your name, address, phone number, date of birth, and bank or credit card account number. Providing this kind of information can leave consumers at risk of identity theft.

Phishing scams appear in e-mail messages, on social networking websites, on fake websites that accept donations for charity, in instant messaging programs, and even on your cell phone or other mobile devices.

Fake, copycat Web sites are also called spoofed Web sites. They are designed to look like the legitimate site, sometimes using graphics or fonts from the legitimate site. They might even have a Web address that's very similar to the legitimate site you are used to visiting.

These are a few examples of phishing scams:
This PayPal phishing scam tries to trick recipients by pretending to be some sort of security alert. Claiming that someone 'from a foreign IP address' attempted to log in to your PayPal account, the email urges recipients to confirm their account details via the link provided.

The attacker claims to be acting in the interests of safety and integrity for the online banking community. Of course, in order to do so, you are instructed to visit a fake website and enter critical financial details that the attacker will then use to disrupt the very safety and integrity they claim to be protecting.

This eBay phishing email includes the eBay logo in an attempt to gain credibility. The email warns that a billing error may have been made on the account and urges the eBay member to log in and verify the charges.

Prevention Methods
It is easy to uncover a crude phishing scam. For example, if you get an email from a bank you've never opened an account at, then don't follow the link and enter your personal information. If you actually do have an account at the institution, it gets more interesting.
Besides that, users must avoid filling out forms in e-mail messages. You can't know with certainty where the data will be sent, and the information can make several stops on the way to the recipient.
If you click on a link in an e-mail message from a company, be aware that many scam artists are making forgeries of companies' sites that look like the real thing. Verify the legitimacy of a web address with the company directly before submitting your personal information.

Here are some common phrases that suggest an e-mail or phone message may be a phishing scam:

"Verify your account."
Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
"You have won the lottery."
The lottery scam is a common phishing scam known as advance fee fraud. One of the most common forms of advanced fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part. The lottery scam often includes references to big companies, such as Microsoft.
"If you don't respond within 48 hours, your account will be closed."
These messages convey a sense of urgency so that you'll respond immediately without thinking. A phishing e-mail message might even claim that your response is required because your account might have been compromised.

The best way to avoid becoming a phishing scam victim is to use your own best judgment. No financial institution with any sense will email you and ask you to provide all of your sensitive information. In fact, most institutions inform their customers that "we will never ask you for your personal information via phone or email."
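As an added example (not part of the original post), here is a small Python script that applies the post's own warning signs to a message: the listed phrases, a form embedded in the e-mail, and links whose visible address differs from their real target or leads outside the claimed sender's domain. The sender domain, subject and HTML body are constructed samples, not a real e-mail.

```python
import re

# Phrases the post lists as typical of phishing messages (lowercase for matching).
SUSPICIOUS_PHRASES = (
    "verify your account",
    "you have won the lottery",
    "your account will be closed",
    "confirm your account details",
)
_LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")

def _host(text):
    """Lowercase hostname found in a URL or in bare link text, or '' if none."""
    m = _HOST_RE.search(text.lower())
    return m.group(1) if m else ""

def phishing_indicators(sender_domain, subject, html_body):
    """Return human-readable warnings for one message; an empty list means nothing fired."""
    warnings = []
    lowered = (subject + " " + html_body).lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in lowered:
            warnings.append(f"suspicious phrase: '{phrase}'")
    # A form inside the mail body: the post says never to fill these in.
    if re.search(r"<form\b", html_body, re.I):
        warnings.append("message contains an HTML form")
    sender_domain = sender_domain.lower()
    for href, text in _LINK_RE.findall(html_body):
        target, shown = _host(href), _host(re.sub(r"<[^>]+>", "", text))
        # Spoofed site: the visible address differs from where the link really goes.
        if shown and target and shown != target:
            warnings.append(f"link text shows {shown} but points to {target}")
        # The link leads away from the domain the message claims to come from.
        if target and not (target == sender_domain or target.endswith("." + sender_domain)):
            warnings.append(f"link to {target} is outside sender domain {sender_domain}")
    return warnings

# Constructed sample resembling the PayPal-style alert described in the post (not a real message).
SAMPLE_SENDER = "paypal.com"
SAMPLE_SUBJECT = "Security alert: login from a foreign IP address"
SAMPLE_BODY = (
    "<p>Someone from a foreign IP address tried to log in. Please visit "
    '<a href="http://paypal.com.account-check.example/login">'
    "https://www.paypal.com/verify</a> to confirm your account details "
    "within 48 hours or your account will be closed.</p>"
)

if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY):
        print("WARNING:", warning)
```

The checks are heuristics: a message that triggers none of them can still be a scam, so they complement, rather than replace, verifying the address with the company directly.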

Thursday, February 5, 2009

The Application of 3rd Party Certification Program in Malaysia

Third party certification is an assessment carried out to ensure compliance with a publicly available technical specification. Importantly, the assessment is carried out by an independent, third party organization that is qualified and licensed to issue certification when the assessment is successfully completed.

This means that rather than an organization or company claiming to comply with industry standards, they have taken their commitment to quality further and invited in an external third party to verify that their product or service does indeed comply with the industry standards.

The most popular application of 3rd party certification in Malaysia is provided by MSC Sdn. Bhd. MSC Sdn Bhd is a licensed Certification Authority (CA) operating within the Multimedia Super Corridor. MSC Trustgate was incorporated in 1999 to meet the growing need for secure open network communications and to become the catalyst for the growth of e-commerce, both locally and across the ASEAN region.

Trustgate is licensed under the Digital Signature Act 1997 (DSA), a Malaysian law that sets a global precedent for the mandate of a CA. As a CA, Trustgate's core business is to provide digital certification services, including digital certificates, cryptographic products, and software development. It provides security solutions for individuals, enterprises, government, and e-commerce service providers using digital certificates, digital signatures, encryption and decryption, as these are the primary concerns when entering the new Internet economy.

Among the products and services that they provide are Secure Sockets Layer (SSL) Certificate Authority, Managed PKI, Personal ID, MyTRUST, MyKad ID, etc. In addition, MSC Trustgate has been appointed as Asia's first VeriSign Authorised Training Centre. Under this partnership, MSC and APIIT (Asia Pacific Institute of Information Technology) jointly facilitate the delivery of VeriSign's high-end Security and E-Commerce programmes. VeriSign is the leading Secure Sockets Layer (SSL) Certificate Authority, which also enables the security of e-commerce, communications, and interactions for Web sites, intranets, and extranets. It provides security solutions to protect an organization's consumers, brand, Web site, and network.

The diagram below shows how VeriSign tackles spamming and its solutions:

Therefore, it is important to apply a 3rd party certification programme, as it provides safe and secure Internet protection. More e-consumers can now shop and purchase online carefree while their personal information and confidentiality are protected.


The threat of online security: How safe is our data?

Do you truly believe that your data is safe? You might think so. Unfortunately, there are threats online that keep knocking on your door until you let them in - intentionally or not. Once they are in your computer system, they will cause havoc and may result in you losing all your data.

Therefore, online security has become an enormous concern when surfing the net, and with good reason. These threats to online security may cripple your computer system and halt business activities, which means losing precious data and time. Besides that, these threats evolve over time and always find a way to get past the security software we have installed on our computer systems. Therefore, there is always a need to update security software to keep our data safe from these threats.

The following are some of the threats to online security:

A MALicious softWARE or malware constitutes any software written for malicious reasons that infiltrates a computer without authorization and performs some nefarious function. Malware can come in many varieties and perform a myriad of functions. It is this carefully engineered software, performing attacks at an automated level across millions of compromised machines around the world, that makes it the centerpiece of the modern cybercrime landscape. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, and other malicious and unwanted software.

A roBOT NETwork or botnet is a huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet. Each computer is compromised via a Trojan that often works by opening an Internet Relay Chat (IRC) channel that waits for commands from the person in control of the botnet. The very nature of botnets gives criminals plenty of power on the Internet at large. With control over so many compromised systems, bot herders can now engage in far more damaging activities than the Internet has seen before.

Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on your computer, use your e-mail program to spread itself to other computers, or even erase everything on your hard disk.

Viruses are most easily spread by attachments in e-mail messages or instant messaging messages. That is why it is essential that you never open e-mail attachments unless you know who it's from and you are expecting it. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download.

Number of virus samples detected by various anti-virus products last year:

Vendor            Detected      Total scanned   Detection rate
AntiVir           26,457,598    28,024,135      94.41%
Avast-Commercial  12,425,965    13,437,873      92.47%
Norman            25,264,055    27,467,379      91.98%
F-Prot6           17,295,119    19,004,580      91.01%
Sophos             3,345,699     3,691,679      90.63%
NOD32             25,329,840    28,024,135      90.39%
AVG7              25,262,433    28,024,135      90.15%
F-Secure          25,148,742    28,024,135      89.74%
Ikarus             9,275,581    10,476,608      88.54%
TrendMicro        11,703,755    13,437,873      87.10%
QuickHeal         10,190,639    11,846,198      86.02%
DrWeb             23,856,884    28,009,899      85.17%
VirusBuster       13,881,573    16,859,499      82.34%
Vexira            13,877,493    16,859,499      82.31%
Clam              12,232,194    15,305,470      79.92%
BitDefender       22,070,962    28,024,135      78.76%
Kaspersky         20,835,947    28,024,135      74.35%
McAfee            12,332,904    16,744,538      73.65%
VBA32             18,326,900    26,958,740      67.98%
Panda              7,661,487    12,300,516      62.29%
G-Data             1,186,992     3,679,871      32.26%

It is shocking to know that our computer system is exposed to these malicious threats. It is of the utmost importance to always have your anti-virus software updated because these threats can adapt to changes and evolve through time.

The following are some ways to keep these threats at bay:

  1. Always ensure that the Internet firewall is running. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
  2. Subscribe to industry standard anti-virus software. In the case of a breach in security, this anti-virus software can trap the viruses, alert users to the breach and take the necessary steps to eliminate the viruses.
  3. Never open an e-mail attachment from someone you don't know.
  4. Avoid opening an e-mail attachment from someone you know, unless you know exactly what the attachment is. The sender may be unaware that it contains a virus.
Finally, as the saying goes - prevention is better than cure.

How to safeguard our personal and financial data?

Identity fraud and financial account fraud are not new. Criminals used to gain access to individuals' sensitive personal information with low-tech methods such as stealing their mail. But the methods used by criminals to gain access to the personal information that makes these crimes possible are changing with our times. Criminals are now turning to more technologically sophisticated methods of gathering and exploiting personal information.

Therefore, the necessary steps to protect the security of individuals' information have to be taken seriously. A few of these safeguards are discussed below.

Firstly, and most traditionally, create strong passwords and PIN numbers, using a combination of letters and numbers, to protect data from being accessed.

Besides that, it is crucially important to not only install but constantly update antispyware and antivirus programs. Popular programs include Norton AntiVirus and AVG Antivirus.

Other than that, installing a firewall is another good safeguard, as a firewall is a barrier that keeps destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next. Most computers today come with firewalls integrated into their operating systems.

Another safeguard would be to avoid accessing personal and financial information in public places such as cafes and restaurants. Doing so can give attackers anywhere on that network the chance to intercept your confidential data and steal information.

The internet is a great source of information, but obviously also a great danger. However, if appropriate safeguards are taken, it is possible to protect personal and financial data.