Monday, February 9, 2009

Phishing : Examples and its prevention methods

What is Phishing ?


Phishing is the criminally fraudulent process of trying to steal a recipient's sensitive information, such as credit card details, usernames and passwords, by posing as a party the recipient trusts. In other words, phishing is an Internet scam designed to trick the recipient into revealing personal information to "phishers" who intend to use it for fraud.

Examples of Phishing

Phishing is normally carried out by e-mail, instant messaging or a fake copy of a popular website. The message purports to come from a well-known site, such as Facebook, eBay or PayPal, in order to lure the unsuspecting.



Example of Phishing Email





Example of Phishing Website






Prevention Methods

How to prevent it? What should you look for in a phishing email or website?

1. Generic greeting. Phishing emails are normally sent in huge batches. To save effort, Internet criminals use generic salutations like "Dear First Generic Bank Customer" rather than addressing each recipient by name. If you don't see your name, be suspicious. The reverse is not a guarantee either: a targeted phish can use your real name.

2. Requests for personal information. The whole point of a phishing email is to trick you into handing over personal information. If you receive an email asking for passwords, card numbers or PINs, it is probably a phishing attempt. Legitimate organizations do not ask for this information by email.

3. Sense of urgency. "Phishers" want you to provide your personal information NOW. They make you think something has happened that requires you to act fast, so that you don't stop to check. The faster they get your information, the faster they can move on to another victim.

4. Poor quality. Since they are created in a hurry and have a short lifespan, phishing websites are often poorly made. If a logo is blurry, the text is badly laid out or the spelling is wrong, be suspicious. Don't rely on this alone: a copied site can look pixel-perfect.

5. Forged URL. Even if a link contains a name you recognize somewhere in it, that does not mean it leads to the real organization. Read the host part of the URL from right to left: the registered domain (for example paypal.com) is at the right-hand end of the host name, just before the first single slash, so http://www.paypal.com.account-update.example.net/ belongs to example.net, not PayPal. Anything before an "@" in the address is ignored by the browser, so http://paypal.com@example.net/ also goes to example.net. Look out for URLs that begin with a bare IP address, such as http://12.34.56.78/firstgenericbank/account-update/; these are likely phishes. Finally, a site that asks for personal information should use "https" (the "s" stands for secure): if you don't see it, do not proceed. Be aware that "https" only means the connection is encrypted; a phishing site can also obtain a certificate, so the domain name still has to be the right one.
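The forged-URL advice above can be turned into a mechanical check. The following is an added example written for this post (it is not code from the original page): it parses a URL with Python's standard library and flags a bare-IP host, a missing https, an "@" hiding the real host, and a brand name that appears anywhere except in the real registered domain. The brand list and the two-label approximation of the registered domain are assumptions made for the example.

```python
"""Heuristic URL checks matching the "Forged URL" advice above.

Added example for this post, not code from the original page. The
registrable domain is approximated as the last two host labels (an
assumption; production tools use the Public Suffix List so that e.g.
'bank.com.my' is handled correctly)."""
import ipaddress
from urllib.parse import urlsplit

# Brands whose names a phisher might borrow; list constructed for this example.
TRUSTED_DOMAINS = ("paypal.com", "ebay.com", "facebook.com")


def registrable_domain(host):
    """'www.paypal.com' -> 'paypal.com'. Reads the host right to left, as
    the post advises, and keeps only the last two labels (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True for hosts like '12.34.56.78' or an IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url):
    """Return the list of heuristics that fired for the URL. An empty list
    means nothing obvious was found, NOT that the URL is safe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # A brand name may be hidden in a subdomain, in the user-info before
    # '@', or in the path; none of those is the real domain.
    where_brand_may_hide = (parts.netloc + parts.path).lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")

    if parts.username is not None:
        # http://paypal.com@evil.example/ : the browser treats everything
        # before '@' as a user name and connects to the host after it.
        reasons.append("credentials in URL hide real host %r" % host)

    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    else:
        real = registrable_domain(host)
        for brand in TRUSTED_DOMAINS:
            name = brand.split(".")[0]
            if real != brand and name in where_brand_may_hide:
                reasons.append("mentions %r but real domain is %r" % (name, real))
                break

    if host.count(".") >= 4:
        reasons.append("unusually many subdomain labels")
    return reasons


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://12.34.56.78/firstgenericbank/account-update/",
              "http://www.paypal.com.account-verify.example.net/login",
              "http://paypal.com@evil.example/"):
        print(u, "->", check_url(u) or ["no heuristic fired"])
```

Run it and the four sample URLs print the reasons that fired; only https://www.paypal.com/signin passes every check. An empty list is not a clean bill of health: the function only catches the patterns listed in point 5 above.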

Sunday, February 8, 2009

A review on a post on Internet Security from My E-Commerce blog

After reviewing Internet Security Threats - Its Changing Faces (Part 2) from My E-Commerce blog, I'm sure that most of you have encountered a Trojan, especially when using a pendrive in UTAR. So now I would like to explain more about Trojans and some other security threats that are not elaborated in detail in that blog.


A Trojan horse is a destructive program that masquerades as something useful. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. One of the most insidious types is a program that claims to rid your computer of viruses but instead installs malware. Trojans can slip past conventional anti-virus software and firewalls because the user installs and runs them willingly.



Open-source and modified Trojans, altered to avoid anti-virus detection, are frequently used. In targeted attacks the e-mails are sent to specific recipients. Unlike mass "phishing" attacks, these e-mails use subject lines referring to work or other subjects the recipient would find relevant. The e-mails carrying the dangerous attachments, or links to web sites hosting Trojan files, are spoofed so that they appear to come from a colleague or another trusted party. When opened, the file or link installs the Trojan, which can be configured to transmit information to a remote attacker over ports assigned to a common service (such as the ports used for web traffic) so that the connection blends in with normal traffic.

Next, a rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system without the computer's user knowing about it. This means the owner of the rootkit can execute files and change system configuration on the target machine, as well as read log files or monitor activity to covertly spy on the user's computer usage. Because a rootkit hides itself from the operating system, anti-virus software running on the infected machine may not see it.


Other than the prevention measures stated in My E-Commerce blog, you must make sure that your computer has the latest security updates installed; install and use the latest version of anti-virus software; keep your operating system and Microsoft Office software up to date; be suspicious of email messages and other electronic communications from sources you do not know or recognize; and never open email attachments from unknown sources. I strongly recommend Kaspersky as it manages to give strong and reliable protection. Click here for more detailed prevention.

Useful links:

1) Hackers using YouTube to spread latest Trojan threat, dubbed Fake Codec

2) Windows Live OneCare

3) Threat of Exposure

Friday, February 6, 2009

Phishing: Examples and its prevention methods

Have you ever heard of "phishing"? Please do not confuse "phish" with "fish".

According to the definition in Wikipedia, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Phishing scams commonly appear in:
  • e-mail messages pretending to be from your bank, PayPal, eBay and so on
  • social networking web sites
  • fake web sites that accept donations for charity
  • web sites that spoof sites familiar to you using slightly different web addresses
  • your instant messaging program
  • your cell phone or other mobile device
Examples:
This phishing scam targets Washington Mutual Bank customers and asks them to confirm their ATM card details, supposedly to activate a new security measure. The victim is directed to a fraudulent site, and any private information entered on that site is sent to the attacker.


In this other example, the link text appears to point to Woodarovebank, but when you rest your mouse pointer on the link, the address it actually goes to is a different one.
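Hovering over the link is exactly what the following added example does programmatically (example code written for this post, not from the original page). It parses a constructed HTML e-mail with Python's email and html.parser modules and reports two things: anchors whose visible text names one host while the href goes to another, and a From: domain that differs from the Return-Path (the envelope sender, which is where bounces go and is harder to dress up). All addresses, hosts and the IP address in the sample message are invented.

```python
"""Two checks that expose the trick shown above: the link text says one
site but the href goes to another, and the From: address is not where the
mail really came from.

Added example for this post, not code from the original page. The message
is constructed for the example; every address, host and IP in it is
invented (documentation ranges and .example names)."""
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-blast.example.net>
Received: from mail-blast.example.net (mail-blast.example.net [203.0.113.9])
From: "First Generic Bank Security" <security@firstgenericbank.example>
To: customer@example.org
Subject: Urgent: confirm your ATM card details within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Please visit <a href="http://198.51.100.7/update/">https://www.firstgenericbank.example/login</a>
within 24 hours to confirm your ATM card details.</p>
<p>Help: <a href="https://www.firstgenericbank.example/help">www.firstgenericbank.example</a>
or <a href="http://198.51.100.7/faq/">click here</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.example.com' text is accepted too."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlsplit(url_or_text).hostname or "").lower()


def mismatched_links(html):
    """(shown host, real host) for every anchor whose visible text names a
    different host than the href goes to: what hovering would reveal."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for text, href in parser.links:
        looks_like_address = "." in text and " " not in text
        shown = host_of(text) if looks_like_address else ""
        if shown and shown != host_of(href):
            out.append((shown, host_of(href)))
    return out


def sender_mismatch(msg):
    """(From domain, Return-Path domain) if they differ, else None.
    Legitimate bulk mail can differ too, so this is a signal, not proof."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = rp_addr.rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        return (from_domain, rp_domain)
    return None


def analyze(raw_bytes):
    """Run both checks over a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"sender_mismatch": sender_mismatch(msg),
            "link_mismatch": mismatched_links(html)}


if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
```

Link text that is not itself an address ("click here") cannot be checked this way, which is one reason the prevention list below says not to click suspicious links at all. A From/Return-Path mismatch is also common for legitimate bulk mail, so treat it as one signal to be combined with the others, not as proof.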

Prevention Methods:
1) Be suspicious of any email that asks for your private information

2) Don't click suspicious links, whatever channel they arrive through

3) Ensure that you are on a secure website: the address should start with https and the domain name should be the one you expect

4) Always look at the address bar and be aware of where you are going

5) Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate

6) Ensure that your browser is up to date and security patches are applied

Useful links:
1) Phishing Scams

2)Solutions: After Given Out Your Personal Financial Information

Wednesday, February 4, 2009

How to safeguard our personal and financial data?

How do you safeguard your personal and financial data? Have you put proper safeguards in place? Nowadays computers and the Internet are part of everyone's life. We rely on computers to store personal data and on online financial services such as Internet banking to save time. So, are the safeguards you have in place sufficient to protect your confidential data?

Below are some suggested ways to safeguard your data:


1. Password protection
-use a strong password or, better, a long passphrase to protect access to your data, and do not reuse it across sites.



2. Install and update anti-spyware and anti-virus programs
-install an antivirus program such as Symantec's Norton AntiVirus, AVG Anti-Virus, Kaspersky Anti-Virus or another reputable product to protect yourself against viruses, Trojan horses, worms and other malware that may steal or modify the data on your computer. For the protection to work, you must make sure that your virus definitions are up to date.



3. Install a firewall
-a firewall is software (or a device) that controls which network connections are allowed in and out of your computer, blocking everything your rules do not permit. Most new computers come with a firewall integrated into the operating system. If you have an older computer or use dial-up, you may need to obtain a firewall separately and install it yourself.

4. Regularly scan your computer for spyware
-spyware or adware hidden in software programs may slow down your computer and give attackers access to your data. Use a legitimate anti-spyware program to scan your computer and remove any infected files.


5. Avoid accessing financial information in public
-avoid logging on to check your bank balance from a coffee shop that offers wireless access. Such networks are convenient, but anyone else on the same network may be able to intercept your traffic or impersonate the access point, and you have no idea how well the network is protected.

To learn more about security tips, click here!
Useful links:

The threat of online security: How safe is our data?

Hello again! Nowadays most of us use e-banking or buy goods online. Do you know whether all the private and confidential information you send is safe?
Most businesses that have moved towards an online presence have experienced some kind of security threat. Since the Internet is a public system in which every transaction can be tracked, logged, monitored and stored in many locations, it is important for businesses to understand the possible security threats to their business.


Security has three main concepts: confidentiality, integrity and availability. Confidentiality allows only authorized parties to read protected information. Integrity ensures that data arrives at the receiver exactly as the sender sent it, with any tampering detected. Availability ensures that authorized users can reach systems and data when they need them.

Evidence from a variety of security surveys provides a mixed picture of cyber attacks and crime in e-commerce. Some of the trends collected through surveys by the Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad include the following:

Most organizations conduct security audits and employ a variety of technologies and procedures, such as antivirus software and firewalls, to defend against cyber attacks. Between 65% and 70% use access control lists, intrusion detection and data encryption.


Organizations are still reluctant to report computer intrusions to legal authorities because they fear negative publicity or worry that competitors would use it against them.

There are many threats to e-commerce, coming from sources inside or outside an organization. The following are some of the potential security threats:

Tricking the shopper - This is one of the easiest and most profitable attacks, also known as social engineering. These attacks involve watching the shopper's behaviour and gathering information to use against the shopper.

For example, a mother's maiden name is a common challenge question used on numerous sites. If one of these sites is tricked into giving away a password once the challenge question is answered, then not only has that site been compromised, but it is also likely that the shopper used the same login ID and password on other sites, so those accounts are exposed too.

Snooping the shopper's computer - Most users' knowledge of the security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to make their products easy to install, ship them with security features disabled. In most cases, enabling those features requires a non-technical user to read manuals written for technologists, so the confused user never enables them. This creates a treasure trove for attackers.


Sniffing the network - Here the attacker monitors the data passing between the shopper's computer and the server. If the connection is not encrypted, the attacker can read personal information, such as credit card numbers, straight out of the traffic.
Using known server bugs - The attacker analyzes the site to find out what software it runs and which versions. He then looks up what patches have been issued for that software and how to exploit a system that is missing them, and tries each exploit in turn. A more sophisticated attacker finds a weakness in a similar type of software and tries that against the system. This is a simple but effective attack, which is why keeping server software patched matters.
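To make the sniffing threat concrete, the following added example (written for this post; it is not code from the original page) parses the bytes that an attacker on the same network would capture when a shopper submits a checkout form over plain http://. It recovers the form fields and then scans the raw bytes for digit runs that pass the Luhn check, which is how a sniffer finds card numbers without knowing the form layout. The captured request is constructed for the example and uses a well-known test card number, not a real account. Over https the same capture would contain only ciphertext.

```python
"""What a network sniffer sees when a shopper submits a form over plain
HTTP, and how it picks card numbers out of the capture.

Added example for this post, not code from the original page. The captured
bytes are constructed for it; 4111111111111111 is a well-known test number."""
import re
from urllib.parse import parse_qs

# Constructed TCP payload as a sniffer would capture it for an http:// POST.
_BODY = b"name=Alice+Tan&card=4111111111111111&exp=12%2F11&cvv=123&amount=49.90"
CAPTURED_REQUEST = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + _BODY
)


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, rest = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return method, path, headers, rest[:length]


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body to a dict."""
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers_in(data):
    """Digit runs of 13-19 that pass Luhn: how a sniffer (or a DLP tool)
    filters a capture for card numbers without knowing the field names."""
    return [m.decode() for m in re.findall(rb"\d{13,19}", data) if luhn_ok(m.decode())]


def sniff(payload):
    """Everything the attacker learns from one captured plaintext request."""
    method, path, headers, body = parse_http_request(payload)
    return {
        "target": "%s http://%s%s" % (method, headers.get("host", ""), path),
        "fields": form_fields(body),
        "cards": card_numbers_in(body),
    }


if __name__ == "__main__":
    for key, value in sniff(CAPTURED_REQUEST).items():
        print(key, "=", value)
```

The Luhn filter is the same trick data-loss-prevention tools use to spot card numbers in traffic; it also shows why card data should never travel in a URL or an unencrypted form field, since the attacker does not even need to understand the application.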

This brief write-up about the threats to online security should help us (consumers and organizations) to be aware of them and take the necessary precautions to protect online information. The next few posts will cover safeguards and prevention methods for these threats.
Useful links:

The Application of 3rd Party Certification Program in Malaysia

Security is the primary concern when entering the new Internet economy. The ever-changing e-commerce landscape requires a well-defined security infrastructure. Today I will talk about third-party certification programs used in Malaysia.

What does "third party" mean here? Me, you or anyone? No. The third party here is a certificate authority (CA), which issues digital certificates that verify that your website really does represent your company.


Among the many companies that provide third-party certification in Malaysia, the best known is MSC Trustgate.com Sdn Bhd. It was established in 1999 as a licensed Certification Authority (CA) operating out of the Multimedia Super Corridor in Malaysia under the Digital Signature Act 1997 (DSA), a Malaysian law that set an early precedent for the regulation of CAs. For more information about MSC Trustgate please visit http://www.msctrustgate.com/.

*A Certification Authority (CA) is a body licensed to operate as a trusted third party in the issuance of digital certificates. Certification Authorities are an increasingly important component of electronic commerce.


Trustgate provides trust and encryption technology that secures your online communication and so protects your vital business information from prying eyes. Trustgate was the first Malaysian Internet trust solutions company authorized to offer 128-bit SSL Server IDs, which are now used by financial institutions, insurance companies, e-government, healthcare organizations and other online businesses.

Trustgate also provides other services such as SSL Certificates, Managed PKI, Personal ID, MyTRUST, MyKAD ID, SSL VPN, Managed Security Services, VeriSign Certified Training and Application Development.

*What is a digital certificate?

According to MSC Trustgate, a digital signature is the digital-world counterpart of a handwritten signature: it lets the receiver check that data has not been altered and that it came from the holder of a particular private key. A digital certificate is the document, signed by the CA, that binds that public key to the identity of a user or website; it is typically attached to an e-mail message or presented by a web server so that the recipient can verify that the user or site is who it claims to be. The common functions of a digital certificate are user authentication, encryption and digital signatures. Certificate-based user authentication is stronger than a username and password alone, and its session management is correspondingly more robust. Encryption keeps transmitted data secret so that only the intended recipient can read the message.

By using digital certificates, users can transact on the Internet with less fear of having personal data stolen, information tampered with by third parties, or the other party later denying a commercial commitment (non-repudiation). Furthermore, digital certificates support the development of more Internet-based activities.

Now I would like to talk about the services provided, one by one.

First are the trust services. SysTrust and WebTrust are registered marks (branded services) of the CICA. These services are based on principles and criteria developed jointly by the American Institute of Certified Public Accountants (AICPA) and the CICA, called the Trust Services Principles and Criteria. To use these marks, a practitioner must be licensed by the CICA.

The licensed practitioner provides a report attesting to an entity's compliance with some or all of the Trust Services Principles and Criteria. The client is then permitted to display the appropriate SysTrust or WebTrust mark on its web site.


Second is the MyKad PKI. I think most of you already know what MyKad is: yes, it is the Malaysian identity card. The Malaysian government has issued this smart national identity card ("MyKad") to every citizen. MyKad with PKI capability allows its holder to conduct online transactions with government agencies and the private sector.


This PKI was also primarily developed by MSC Trustgate. MyKad now allows Malaysian citizens to authenticate themselves online and to digitally sign documents or transactions with MyKey (the MyKad PKI solution that works with the physical MyKad), and this is accepted by the Malaysian government.



The third is Secure Sockets Layer (SSL), a protocol developed by Netscape for transmitting private data over the Internet. SSL uses public-key cryptography: the server holds a private key known only to it and publishes the matching public key in its certificate. The client uses the certificate to verify the server's identity and to agree on a session key, and that session key is then used to encrypt the actual data with a fast symmetric cipher. Both Netscape Navigator and Internet Explorer support SSL, and many web sites use the protocol to collect confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.
Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP was designed to protect individual messages. SSL and S-HTTP can therefore be seen as complementary rather than competing technologies. In practice, SSL's successor TLS is the protocol standardized by the Internet Engineering Task Force (IETF); SSL itself was never an IETF standard, and S-HTTP was published only as an experimental RFC and saw little adoption.

An SSL certificate enables encryption of sensitive information during online transactions. Each SSL certificate contains unique, authenticated information about the certificate owner, and a Certificate Authority verifies the identity of the owner when the certificate is issued. This lets users check that they are really talking to the site named in the certificate and that nobody can read the data in transit. It does not, by itself, protect against a phishing site that has obtained its own certificate for a look-alike domain, so the domain name in the address bar still has to be checked.
VeriSign (http://www.verisign.com/) provides widely trusted SSL certificates, and you can try them; they may help a lot in your e-commerce.
Useful links:

Sunday, February 1, 2009

How E-Commerce can reduce cycle time, improve employees’ empowerment and facilitate customer support

In the traditional business environment there is a need for a tangible and permanent form of communication in a transaction between buyer and seller. In e-commerce, however, communication can take an electronic form that a computer can recognize, reproduce and store, which means that business can be conducted in a paperless environment. Electronic commerce is the process of trading across the Internet: a buyer visits a seller's website and makes a transaction there.


E-commerce replaces the traditional purchasing approach, which is time-consuming and labour-intensive. Issuing purchase orders, obtaining multi-level approvals and tracing invoices all lead to high transaction costs.

Internet procurement automates this process and helps companies increase the speed and reduce the cost of purchasing transactions. Orders are placed electronically and the product is produced and shipped without the cost of middlemen. Perhaps most importantly, order status and inventory levels can be made available to both the seller and its customers, which relieves the sales and customer-service departments of phone calls and e-mails to track orders and verify inventory levels.

Cyberspace can be an outstanding way to grow a business's revenue base. Customers anywhere in the world can reach a company on the Internet 24 hours a day. It creates new markets and segments, allows customers to make better-informed purchasing decisions and increases business competitiveness.



E-commerce provides consumers with benefits such as interactive communication, fast delivery and more customization than is available offline. Product information on the Internet is compact and available from many sites, so users have more opportunity to choose and compare the products they want, or to easily find and select specialized products.


Progressive leaders, such as those in many high-tech firms and Internet companies, are less likely than traditional leaders to give specific instructions to employees. Rather, they are more likely to empower employees to make decisions on their own. Empowerment means giving employees the authority (the right to make a decision without consulting a manager) and the responsibility (the requirement to accept the consequences of one's actions) to respond quickly to customers.


The increasing use of computers for routine tasks has shifted the kinds of skills needed by employees in the e-commerce industry. Employees are given the power to handle a variety of responsibilities, interact with customers and think creatively.


While the growth of the Internet is opening up new opportunities for e-commerce, a limited understanding of e-commerce technology can lead to failure for firms that start doing business online.


Useful links:

1) eCommerce-eBusiness Cost-Benefit

2) NetSuite-eCommerce Companies

An example of an E-Commerce success and its causes: PayPal

Happy Chinese New Year once again! Happy Ox year! Back to business: do you know what PayPal is? Although it is not that popular or well known in Malaysia, PayPal has steadily established itself as one of the most successful e-commerce websites.

Basically, PayPal is an e-commerce business that allows payments and money transfers to be made via the Internet. It also serves as an alternative to traditional paper methods such as cheques and money orders. PayPal performs payment processing for online vendors, auction sites and other corporate users, for which it charges a fee. It sometimes charges a transaction fee for receiving money, i.e. a percentage of the amount sent plus a fixed amount.






PayPal has succeeded as an e-commerce business mainly because of its safety and security: it maintains strong controls for identifying online theft and phishing. Besides that, PayPal also offers a security key (a one-time-password token) that adds an extra layer of security, making user accounts more resistant to intrusion while remaining easy to use. In addition, it is free to sign up for a PayPal account to send money to friends and family.

Users can also transfer money from their bank account to their PayPal account at no charge. PayPal's transaction fees for Premier and Business accounts are considerably low. For instance, if monthly sales are between USD 0.00 and USD 3,000.00, the fee per transaction is only USD 0.30 plus 3.9%. PayPal also enables users to make payments without exposing their credit card or account numbers to the merchant, and it states that it offers 100% protection against unauthorized payments, backed by 24/7 monitoring to prevent fraud.

For all these reasons, PayPal has been successful in the e-commerce world.



Useful links:
1) About PayPal


2) PayPal Security Center


3) PayPal-Nonprofit Success Stories