Security : Step to protect you from Phishers


Phishers are reported to be able to exploit a vulnerability in the JavaScript engines of current browsers, including Internet Explorer, Firefox, Safari and Chrome. Trusteer is a security services provider specialising in online banking, whose chief technician is the well known security specialist Amit Klein. Trusteer report that a crafted web site can exploit a certain JavaScript function to identify the bank page a user is currently logged into.

If a user is connected to his bank’s online banking service in one window, and leaves it open while visiting other sites, a crafted site can identify his bank, then activate a pop-up window imitating the bank’s logo and appearance and ask for the login to be repeated. An inattentive user who re-inputs the data falls right into the phisher’s trap.

Trusteer’s report doesn’t name the JavaScript function concerned, but says it doesn’t surrender the information about open sites. Instead, it goes through a list of bank sites, asking each time whether the user is logged in to that particular bank, the response being a straight “yes” or “no”. In order to make a phishing attack, a crafted web site merely needs to hold a long list of known banks and financial institutions.

One way to guard against what Trusteer calls “in-session” attacks is to have only the online banking site open in the browser and then to log off and close that window before surfing elsewhere. Trusteer doesn’t say whether it has reported the problem to the browser makers.

Steps to protect your web site:

1. Don’t give out your username/password to anyone else.

Even if it’s your own net/web/system admin. Chances are he/she already knows it, for he/she can just log in as admin to the control panel and look at your password.

2. Change your password once in a while.

It’s better to write them down instead of saving them on a hard disk with insufficient firewall protection.

3. Don’t use any word that can be found in a dictionary, or anything that signifies your birthdate or your street number, so that it is difficult for hackers to guess.

4. Disable the “Forgot Password” utility on your site. This utility is very convenient for most end users, but it gives out the password so quickly that it is easy for hackers to play with.

5. Make your password question / password answer (the one used to remind you of your forgotten password) difficult to guess. Treat it as a password. If anyone can just guess it, chances are hackers will start exploring your account.

6. Make sure you are in constant contact with your web provider so they know your real identity and they can help you out as soon as there’s hacking going on in your site.

7. Don’t use any IRC (Internet Relay Chat) based chat system, for it connects to ports 6660 to 6669. Hackers will exploit these ports and will upload a trojan virus to your computer that can get your username/password on most of your accounts.

If you are going to use any IRC chat system, don’t even use it without the aid of psybnc or bnc. For more details and pricing of this tool, email: sales@nabaza.com with Subject: psybnc or go to http://www.nabaza.com/support.htm and post your request there.

8. Don’t trust any email message (even if it comes from your trusted friend) that has an .exe file attachment. Chances are it came from a malicious programmer and this .exe file has already spread and infected/duplicated itself to all email addresses in your address book, including yours. For antivirus information, go to http://www.nabaza.com/antivirus.htm
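
The rule in step 3 can be enforced when a password is set. The following is an added example, not code from the original article: a Python check that rejects passwords containing a dictionary word, a birthdate, or a street number. The word list, the function names and the substitution table are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample wordlist (assumption); load a full dictionary file in practice.
SAMPLE_WORDS = {"password", "dragon", "sunshine", "monkey", "welcome", "letmein"}

# Undo common character substitutions so "dr4g0n" is still seen as "dragon".
LEET = str.maketrans("013457@$!", "oieastasi")


def birthdate_tokens(born):
    """Digit strings that commonly encode a birthdate inside a password."""
    d, m, y = f"{born.day:02d}", f"{born.month:02d}", f"{born.year:04d}"
    return {y, d + m, m + d, d + m + y, m + d + y, y + m + d,
            d + m + y[2:], m + d + y[2:], y[2:] + m + d}


def password_problems(password, born, street_number, words=SAMPLE_WORDS):
    """Return the reasons a password is guessable; an empty list means none found."""
    problems = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    # A dictionary word anywhere in the password counts, with or without substitutions.
    if any(w in lowered or w in normalized for w in words if len(w) >= 4):
        problems.append("dictionary word")
    # Birthdate: any usual day/month/year ordering inside a run of digits.
    digit_runs = re.findall(r"\d+", password)
    if any(tok in run for tok in birthdate_tokens(born) for run in digit_runs):
        problems.append("birthdate")
    # Street number: an exact digit run, so a short number does not match everything.
    if str(street_number) in digit_runs:
        problems.append("street number")
    return problems
```
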
