Alert 02122007
The dirtbags are at it again in a major new way.
They have developed a "Universal Man-in-the-Middle Phishing Kit" which is offered as a free trial on the internet and then (once the buyer is satisfied with the demonstration) sold for about $1,000 a copy. The kit lets a relatively unsophisticated fraudster point it at a chosen site (recent examples are Amazon and Citibank) and intercept user IDs and passwords in real time. That in turn gets them into (say) the bank you use, where they can transfer money or carry out other nefarious activities. Because the interception happens live, the kit relays whatever information or authentication you choose to provide, even the one-time code from a hardware token: the code is forwarded to the real site while it is still valid, so the token does not stop this attack. This is a serious threat to a careless internet user. While better defenses against this are being developed, the best thing to do is never, that is NEVER, follow a link in an email you receive to any site you use that may need a password.
The phishing attacks to date (we can expect more elaborate ones in the near future) send an email to an innocent party with a link that appears to go to the target, let's say Citibank. It may be a free prize offer for the first 100 responders or a lame request to verify your credentials (still a very popular phishing ploy against Fifth Third Bank customers). If you are a user of the service, you may take it for a legitimate marketing message and click the link. In actuality the link goes to the rogue site, which acts as a proxy: it transmits everything you send to the real Citibank, receives Citibank's replies, and forwards them back to you. To you the session looks absolutely normal. You may claim the prize or decide to do some banking, which requires your credentials. Your transaction goes through with nothing suspicious to see, but every credential you typed, password and one-time code included, has been picked off by the phisher, along with the logged-in session itself. One tell remains: the address bar shows the rogue site's domain, not the bank's, even when a padlock is present, since the proxy can carry a valid certificate for its own domain. To date, the only reliable protection is to type the URL yourself or use a bookmark in your browser that you already know to be valid. Do not click a link in an email you receive.
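The relay described above, as an added example that is not part of the original alert or of the kit it describes: a simulated bank that demands a password and a time-based one-time code, a phishing proxy that forwards the victim's login to the bank in real time and records what passes through, and the alert's own defense of comparing the address-bar host against a bookmarked one. All hosts, users, secrets and the OTP scheme are constructed for the demonstration; there is no network I/O.

```python
"""Simulation of a real-time man-in-the-middle phishing proxy.

Added example, not the kit described in the alert. All hosts, users and
secrets are constructed for the demonstration; nothing touches the network.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

OTP_STEP = 30  # seconds per one-time-code window (assumed, like a hardware token)


def otp_code(secret: bytes, now: int) -> str:
    """Time-based one-time code, a stand-in for the value shown on a token."""
    counter = str(now // OTP_STEP).encode()
    return hmac.new(secret, counter, hashlib.sha256).hexdigest()[:6]


class Bank:
    """The genuine site. Password plus one-time code required to log in."""

    def __init__(self):
        self.users = {"alice": ("hunter2", b"token-seed-alice")}  # constructed
        self.sessions = {}  # session id -> user
        self.balances = {"alice": 1000}

    def login(self, user, password, code, now):
        pw, seed = self.users.get(user, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return {"ok": False, "error": "bad credentials"}
        if not hmac.compare_digest(otp_code(seed, now), code):
            return {"ok": False, "error": "bad one-time code"}
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return {"ok": True, "session": sid}

    def transfer(self, sid, amount):
        user = self.sessions.get(sid)
        if user is None or self.balances[user] < amount:
            return False
        self.balances[user] -= amount
        return True


class PhishingProxy:
    """Rogue host the e-mail link points at. Relays every request to the
    real bank and every response back, recording what passes through."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = []  # (user, password, code, session) tuples

    def login(self, user, password, code, now):
        resp = self.bank.login(user, password, code, now)  # forwarded at once
        self.captured.append((user, password, code, resp.get("session")))
        return resp  # the victim sees the bank's real answer


def run_attack(now=1_700_000_000):
    """Victim follows the e-mail link and logs in through the proxy.
    Returns the proxy's capture log, the attacker's transfer result and
    the victim's remaining balance."""
    bank = Bank()
    proxy = PhishingProxy(bank)
    seed = bank.users["alice"][1]
    code = otp_code(seed, now)  # the victim reads this off the token
    victim_view = proxy.login("alice", "hunter2", code, now)
    if not victim_view["ok"]:
        raise RuntimeError("relay failed; the victim would notice")
    stolen_sid = proxy.captured[-1][3]
    attacker_ok = bank.transfer(stolen_sid, 500)  # attacker acts as the victim
    return proxy.captured, attacker_ok, bank.balances["alice"]


def stale_code_fails(now=1_700_000_000):
    """Why the kit must work live: a code captured now and replayed two
    windows later is rejected by the bank."""
    bank = Bank()
    code = otp_code(bank.users["alice"][1], now)
    later = bank.login("alice", "hunter2", code, now + 2 * OTP_STEP)
    return not later["ok"]


def safe_to_submit(url, bookmarked_host):
    """The alert's defense: only submit credentials when the host in the
    address bar is exactly the host you bookmarked or typed yourself."""
    host = (urlsplit(url).hostname or "").lower()
    return host == bookmarked_host.lower()


if __name__ == "__main__":
    captured, ok, balance = run_attack()
    print("captured:", captured, "attacker transfer ok:", ok, "balance:", balance)
    print("stale code rejected:", stale_code_fails())
    print(safe_to_submit("https://www.citibank.com/login", "www.citibank.com"))
    print(safe_to_submit("https://www.citibank.com.secure-login.example/login",
                         "www.citibank.com"))
```

The point of `stale_code_fails` next to `run_attack` is the contrast: the same one-time code that is useless a minute later is perfectly good when the proxy forwards it within its window, which is why a token alone does not defeat this kit. `safe_to_submit` compares the whole host, so a look-alike such as `www.citibank.com.secure-login.example` fails the check even though it begins with the bank's name.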
Best regards,