Showing posts with label CyberCrime. Show all posts

Wednesday, 19 May 2010

Intelligent Phishing

Not many days ago, Twitter warned users of a phishing attempt. After clicking the infected link, they landed on a login page that was indistinguishable in design from the original Twitter login. After you gave your credentials, it redirected you to the Twitter home page (as you were never logged out). Though it was a simple idea, many fell for it. Thus, hacked (err.. technically 'cracked').


Anyway, it's the most real trick. The villain can get your password without even trying, because you are giving it to him. No offense, but it is a truth universally acknowledged that a few :) people on social networking sites are nincompoops. Hence, easy targets.

They fall for tricks like phishing. It is not that difficult: find a free host and make the page look like the login page of, say, Twitter. Now what you have to do is get somebody to visit the link. In an optimistic world, it would be quite good if you got the login credentials of even 1% of the users who visited.
[Image: Toastyken]


Well.. that was easy. There is quite a high chance you already know about this. Wait, there is something more.


Tabnabbing aka tabnapping!?
First of all, tabnapping?? The name is crazy. Still, it is getting used over the web now. This is the latest and the most intelligent one. You visit the bad guy's page; it's normal and informative at first. With many more tabs open, the bad guy's site loses focus. Thanks to JavaScript, he detects it and changes his page's favicon and content to that of Gmail.com. You return to the tab thinking you need to log in, and so enter your credentials. All done. Again, this is Aza Raskin!



But wait a second, are we so stupid as to not remember whether we have a Gmail login open? Maybe not this time, but you can't be attentive every time! Hugely inspired by traditional phishing, they'll redirect you to the original page once you've entered the information (no matter whether it is right or wrong!). Obviously, you were never logged out. There is a creepy presentation Aza Raskin has on his page. Go to the link; after the page has loaded, get busy with another tab, and come back after at least 5 seconds. Whoa! It has the Gmail icon and the whole page looks like Gmail. Aza says he was too lazy, so he just showed a screenshot of the Gmail login. You get the idea: it is possible.

Preventing Phishing
I am not getting into what needs to be done with browsers, with all their complexities. It is a normal phishing attempt, so just keep your eye on the URL when logging in to important services.
Any misspellings or additional suspicious domains are signs of phishing. In particular, avoid using the browser's full-screen mode while you log in to any service.
One of the more secure things to do is to make Firefox remember your password, so whenever there is a login prompt Firefox will fill it in for you. In case it doesn't, you'd get some instinct or suspicion that the site is not right.
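
The URL signs listed above (a misspelled name, an extra domain tacked on) and the reason a saved password is not filled in on a look-alike or tabnabbed page both come down to comparing the page's hostname with the exact host you normally log in on. The sketch below is an added example, not part of the original post; the allow-list and the `.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the exact hosts this user really logs in on.
TRUSTED_LOGIN_HOSTS = {"twitter.com", "mail.google.com"}


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url):
    """Return (verdict, reason) for the address of a page showing a login form."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        return "suspicious", "no hostname"
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the site: the real host comes after it.
        return "suspicious", f"userinfo in URL, real host is {host}"
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok", "exact match"
    for good in sorted(TRUSTED_LOGIN_HOSTS):
        # The trusted name followed by more labels: someone else's domain.
        if host.startswith(good + ".") or f".{good}." in host:
            return "suspicious", f"{good} is only a prefix of {host}"
        if edit_distance(host, good) <= 2:
            return "suspicious", f"{host} looks like a misspelling of {good}"
    return "unknown", "host is not on the allow-list"
```

A tabnabbed tab keeps its own address, so it comes back as "unknown" rather than "ok", which is the same signal as the browser declining to fill in the saved password.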

Desktop Phishing
Now this defines awesome. The bad guy can get your username and password even if you are on the right page. That is, you log in from the right page, like http://www.twitter.com/login, and still you fall for the trick!
How? See the video.




Note: OK, you googled it now? You will not find much about it. I am not big enough to interpret what is going on behind the scenes. But surely it has to do with security; for normal bugs to be public is not a huge thing. Since the potential of so-called 'Desktop Phishing' is scary and without a cure today, that might be a reason why it is not something you have heard of.

So what he did is modify a system file that operates the TCP/IP protocol. How he modified it is even simpler: he packed the modified file into an SFX archive (it will extract itself). Obviously you won't start it on its own, so it comes along with legit software like TeamViewer. Now every time the victim visits paypal.com, he is actually visiting the bad guy's fake PayPal page. The login button does nothing but save your credentials in some file. Every noob in the cyber cafe at the corner of the road can do this.
Even more than that, imagine its use on public computers. The computer owner may himself modify the file. Everyone opening http://www.facebook.com, for instance, will first land on his clone; after giving the credentials, he can be redirected to the original Facebook login, which can lessen the user's suspicion to a great extent.

How to prevent this thing?!!
The only solution is to use only official and trusted websites for downloading any piece of executable code or file. Given the way it is extracted and the type of file it is, no anti-virus will warn you. Actually, no one will know.
As for the threat to public computers, I'm still unable to find a cure there. Comment if you do not agree! Surely, Desktop Phishing is the best way to 'phish'.
You don't need to be paranoid here. There is someone claiming that they'll alert you whenever the HOSTS file is edited; try inquiring about it. I'm not sure of its credibility.
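
Since the redirect described above lives in the HOSTS file, a direct check is to read that file and flag any line that pins a login site to an address. The audit below is an added example, not from the original post; the watch-list and the sample file contents are constructed, and it assumes a login site has no legitimate reason to appear in the file at all.

```python
import ipaddress

# Constructed watch-list: sites that should always be resolved through DNS.
WATCHED = {"paypal.com", "facebook.com", "twitter.com"}

# Constructed sample. The real file is
# %SystemRoot%\System32\drivers\etc\hosts on Windows and /etc/hosts on Linux.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.paypal.com paypal.com   # added by installer
203.0.113.7     www.facebook.com
0.0.0.0         ads.example.net
"""


def audit_hosts(text, watched=WATCHED):
    """Return [(line_no, ip, name)] for every watched name pinned to an address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address with no names
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address: malformed line
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            # Match the watched domain itself and any subdomain (www., login., ...).
            if any(name == w or name.endswith("." + w) for w in watched):
                findings.append((line_no, ip, name))
    return findings


if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is forced to {ip}")
```

To audit a real machine, pass the contents of its hosts file to `audit_hosts` in place of `SAMPLE_HOSTS`.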

How Secure is your Browser?
In most cases, we think Firefox is a reliable browser (It is; even Chrome, Safari and IE pretty much are. No browser treats your privacy like Facebook does.). It'll warn us, and on many sites it does. But given the speed and ease with which you can register a new domain (especially free ones), it is impossible for a browser to stay up to date with the amazingly new ways hackers find to bypass security. In the real world, it never matters that Firefox saved you 100 times from phishing; for the one time you are 'cracked', the loss is no less.
Here Gercek Karakus tells you how open you are when on the web. A similar example: StartPanic!
If they still seem a low threat, imagine a phisher who first learns which service you use on the computer, and then presents you with the login page of that same service. You'll not be able to protect yourself every time. Or someone who first learns which bank you use and then presents you with its login screen saying "Your login has expired!", which is normally what they show.

I'm sorry if you've freaked out. But that is Windows. :P
Download VirtualBox, and install Ubuntu on it. For more information, here is a tutorial. Once you get used to things in Ubuntu, you can prepare for dual boot. Linux systems are the safest out there, and FREE too! FYI, I don't belong among those Free and Open Source Software (FOSS) junkies; rather, I think the energy they waste hating Windows could have been better utilized if they wrote a few good pieces of code for *nix. In a nutshell, Windows is your native OS, so keep it. But don't be blind to the world outside.

The Internet is an awesome technology, but not at the cost of intrusion on users' privacy. Stay safe.

Tuesday, 5 May 2009

11 Tips to enhance your online security

Many people think that installing anti-virus, firewall and anti-spyware software should inoculate them from all manner of threats.
The truth is, you need to be a bit more savvy than that.
Read on to find out 10 really easy ways to close the security holes that still remain on your PC.
And if you're called upon to clean the junk off a friend or relative's PC this Easter break, you might want to share this link with them to save you getting called back out again in a week.

1. Augment your anti-virus tool
Threatfire is designed to work alongside existing security products. Unlike traditional anti-virus tools, it doesn't rely on signatures to identify malware; instead, it monitors your PC for suspicious malware-like behaviour. The only time you'll hear from the program is when it's found something suspicious; otherwise it'll sit silently in the background.

2. Switch to plain text mail
HTML can be used to hide all sorts of unpleasant things in email. Set your mail program to view all messages as plain text by default - you should see an option for viewing individual messages as HTML when you trust the sender.

3. Don't click mail links
Never visit web sites by clicking links in your email unless you're 100 per cent sure the link is safe. This is especially true for emails purporting to come from financial institutions asking you to log in to verify your account details - 99.9% are scams (the other 0.1% are irresponsible).

4. Vet your email
Most anti-spam tools only process email that's been downloaded from your mail server - install PopTray and you can check and preview your mail while it's still on the server, deleting unwanted and suspicious messages without exposing them to your mail program.


5. Switch web browser
Upgrade to the latest version of Internet Explorer or switch to a browser that doesn't support potentially malicious Active-X controls such as Firefox, Opera or Google Chrome. Check the browser's privacy and security settings are set to Medium High or greater.

6. Check web sites before you visit
Install the free Web of Trust plug-in for Internet Explorer or Firefox (Chrome will be supported once the browser supports third-party add-ons), and you'll be in a better position to avoid unsafe web sites thanks to its traffic-light system for both sites and search engine results.

7. Manage your passwords
A password manager such as KeePass enables you to securely and easily enter your passwords into any program. As you only need to remember one master password to use the program, there's no excuse to use the same password across all your online accounts (the program will even generate secure, random passwords for you).


8. Screen all downloads
Never open attachments or downloads directly - save the file to your hard drive, right-click it and run a quick scan with your security tool of choice prior to opening it. When downloading files, make sure you download from a reputable web site (typically the program's own home page or a respected download site) – the WOT plug-in will help here.

9. P2P basics
Peer-to-peer networks are a breeding ground for malicious software, particularly in content that's been copyrighted. If you can't live without P2P, pick a trusted provider and client (such as uTorrent). Be careful what you share, and scan all downloads prior to opening them.

10. Create a virtual sandbox
Sandboxie enables you to run any program in a protected and isolated space on your hard drive. Changes made are discarded when you close the sandbox, so you can surf the web and open mail attachments without fear of malware sneaking on to your PC.

11. Move to linux
Prevention is always better than the cure. The best thing for your security would be to switch to an O/S which is completely harmless, i.e. Linux. There are many Linux distros available on the internet; I'd recommend Ubuntu, it's a nice start on Linux. You can try dual-boot, but it's not recommended for newbies.
If you want to try Linux you can do so without it touching your computer's file system at all. This is accomplished using virtualization, which creates virtual computers on top of your existing operating system so you can install many different operating systems on one computer. Install Ubuntu over Windows through VirtualBox. The article is about Windows XP, but it's just the same for other Windows O/S as well.
I use VirtualBox. It is better & easier than Microsoft Virtual Machine or VMware in my opinion. Go on, try it. It's just like installing normal software.

So what do you think? I'd like to hear your experiences!

Saturday, 4 October 2008

"Please verify your Gmail Account" Awesome Phishing!!

 
Attention!!!
Newbie Gmail Users
Please don't provide anyone your personal details
It's a perfect phishing attempt, but a bit funny too: I have been using Gmail for the last 2-3 years, so why would Gmail send me a verification mail NOW!!!