SurfControl Identifies Dangerous New 'Secured Phishing' Attack
LONDON, September 29 /PRNewswire/ -- SurfControl (LSE: SRF), a world leader in enterprise threat protection, today issued a warning about a newly discovered "Secured Phishing" technique designed to fool Website visitors into divulging personal information because they believe they are visiting a secured, trusted website. This threat has been rated "High Risk" by SurfControl experts due to the sophistication of the scam and the potential to victimise everyday Internet users with limited knowledge of Web security and digital certificates.
Internet users traverse many secured Websites when performing business-related research, checking Web-based e-mail, conducting online transactions, or interacting with password-protected sites. Encryption and the use of digital certificates to validate the authenticity of a Website are two primary security layers designed to protect people from online fraud and data theft. Encrypted Websites are designated with https:// in front of the URL in the address bar. When a user visits a secure site, Windows checks the validity of a Secure Sockets Layer digital certificate issued by a certificate authority. If Windows identifies a potential issue with the Website's SSL certificate, it will warn the user with a pop up dialog box that lists the problematic area of the Website's digital certificate, and provide the user with the option of either continuing to the site or not.
The "secured phish" technique provides the same user experience, but creates an illusion of security in order to mask the phishing attack. This blended threat is delivered via e-mail and supported with a spoofed Website and a self-signed digital certificate. The spoofed site is an exact copy of a legitimate site that uses the HTTPS protocol signified by the "lock" icon at the bottom of a browser -- a generally accepted symbol of Website safety. Phishers achieve this appearance of trust through a self-issued Secure Socket Layer digital certificate that is presented when the Windows alert prompts a user that they are visiting a site that may not be totally secure. Unfortunately many users are unfamiliar with the content of this dialogue box, or so often see these alerts, that they simply click "yes" to continue visiting the page.
"Using this approach, phishers can act as criminal intermediaries by stealing sensitive information such as log-ins and passwords, credit card numbers and personal data. This can be done by sending the information directly to the phisher's site, or intercepting it between the phishing site and legitimate site without being detected," said Russell Chadwick, head of marketing for SurfControl in the U.K. and Ireland. "Regardless of their Internet experience or familiarity with security issues, most people have come to accept the idea that if they see the lock in the corner of their browser, they are safe. This cunningly crafted technique preys on this trust."
To protect against the secured phishing technique, SurfControl recommends the following:
-- IT departments should issue an advisory to warn employees of this potential scam and re-enforce acceptable Internet Use Policies, including information about browser security; -- Individuals should scrutinise alert messages concerning digital certificates and refer to their IT department or another trusted resource if they need assistance in identifying potential frauds; -- Individuals should navigate to well-known online vendors for transactions and be aware that financial sites should have a valid SSL certificate issued by a Trusted Certificate Authority. These sites will not prompt an alert dialog box; -- Individuals should never respond to e-mail requests for personal or financial information; -- Individuals should immediately delete any unsolicited e-mail and e-mails with nonsense subjects without opening the message.
SurfControl plc (LSE: SRF) is a world leading Internet Security company delivering multiple layers of threat protection to shield organisations against complex blended threats. SurfControl's Enterprise Protection Suite has redefined traditional "filtering" by offering a unified threat management solution that eliminates spam, spyware and phishing attacks, as well as Web and e-mail abuse. The SurfControl Adaptive Threat Intelligence(TM) Service provides continuous and proactive threat detection and protection from emerging threats, known blended threats, and customer-specific threats. Customers avoid significant business downtime that impacts productivity and the bottom line, while limiting legal liability and enforcing regulatory compliance and confidentiality. SurfControl has 14 offices worldwide serving more than 20,000 enterprise customers. For further information and news on SurfControl, visit http://www.surfcontrol.com .
Web site: http://www.surfcontrol.com
Journalists and Bloggers
Visit PR Newswire for Journalists for releases, photos and customised feeds just for Media.
View and download archived video content distributed by MultiVu on The Digital Center.
Until you hear the full story, why would you invest?
Making sound investment decisions can be difficult. You can study the figures and read the analyst recommendations, but how do you really know the story behind company strategy? How can you get answers to your questions?
The Private Investor Network helps you to reach an informed decision on the stocks you pick. Interactive presentations from UK listed companies give you the kind of access previously enjoyed only by the big fund managers. And with keynote speeches from industry experts, downloadable content and an investor lounge where you can swap tips with your peers, you can invest with confidence.
For more information, and to register for FREE, visit us at www.privateinvestornetwork.co.uk
Get content for your website
Enhance your website's or blog's content with PR Newswire's customised real-time news feeds.
Contact PR Newswire
Send us an email at MarketingUK@prnewswire.co.uk or call us at +44 (0)20 7454 5382
Become a PR Newswire client
Request more information about PR Newswire products & services or call us at +44 (0)20 7454 5382