September 26, 2005 (HOSTSEARCH.COM) - Leading Internet security company SurfControl plc recently issued a warning about a new Internet phenomenon: "Secured Phishing," a somewhat more sophisticated enhancement of the usual phishing practice Internet users have experienced to date. The technique leverages the average Internet user's marginal knowledge of Web security issues.
Phishing is essentially a technique where fraudsters develop Web sites that mirror the sites of banks, credit card companies, and other businesses and institutions that might request user name and password identification. Visitors are sent emails asking for information updates, etc., which entice them into parting with their information. Until now, what distinguished phishing sites from the real thing was the lack of evidence of encryption and of the use of Secure Sockets Layer (SSL) digital certificates issued by an appropriate certificate authority, both features bona fide Web sites would certainly invest in.
Evidence of an encrypted Web site is the https:// prefix at the start of a URL. When a visitor arrives at a secure site, Windows checks the validity of digital certificates and identifies irregularities, alerting users through a pop-up notification. When there are no irregularities, the HTTPS protocol is signified by an image of a "lock" at the bottom-right corner of the screen. Secured phishing sites fully imitate these familiar features, giving users a genuine sense of security and convincing them of the validity of the site they are visiting.
"Using this approach, phishers can act as criminal intermediaries by stealing sensitive information such as log-ins and passwords, credit card numbers and personal data. This can be done by sending the information directly to the phisher's site, or intercepting it between the phishing site and legitimate site without being detected," said Susan Larson, SurfControl's vice president of Global Threat Analysis & Research. "Regardless of their Internet experience or familiarity with security issues, most people have come to accept the idea that if they see the lock in the corner of their browser, they are safe. This cunningly crafted technique preys on this trust."