SurfControl Identifies Dangerous New 'Secured Phishing' Attack

LONDON, September 29 /PRNewswire/ -- SurfControl (LSE: SRF), a world leader in enterprise threat protection, today issued a warning about a newly discovered "Secured Phishing" technique designed to fool Website visitors into divulging personal information because they believe they are visiting a secured, trusted website. This threat has been rated "High Risk" by SurfControl experts due to the sophistication of the scam and the potential to victimise everyday Internet users with limited knowledge of Web security and digital certificates.

Internet users traverse many secured Websites when performing business-related research, checking Web-based e-mail, conducting online transactions, or interacting with password-protected sites. Encryption and the use of digital certificates to validate the authenticity of a Website are two primary security layers designed to protect people from online fraud and data theft. Encrypted Websites are designated with https:// in front of the URL in the address bar. When a user visits a secure site, Windows checks the validity of a Secure Sockets Layer digital certificate issued by a certificate authority. If Windows identifies a potential issue with the Website's SSL certificate, it will warn the user with a pop up dialog box that lists the problematic area of the Website's digital certificate, and provide the user with the option of either continuing to the site or not.

The "secured phish" technique provides the same user experience, but creates an illusion of security in order to mask the phishing attack. This blended threat is delivered via e-mail and supported with a spoofed Website and a self-signed digital certificate. The spoofed site is an exact copy of a legitimate site that uses the HTTPS protocol signified by the "lock" icon at the bottom of a browser -- a generally accepted symbol of Website safety. Phishers achieve this appearance of trust through a self-issued Secure Socket Layer digital certificate that is presented when the Windows alert prompts a user that they are visiting a site that may not be totally secure. Unfortunately many users are unfamiliar with the content of this dialogue box, or so often see these alerts, that they simply click "yes" to continue visiting the page.

"Using this approach, phishers can act as criminal intermediaries by stealing sensitive information such as log-ins and passwords, credit card numbers and personal data. This can be done by sending the information directly to the phisher's site, or intercepting it between the phishing site and legitimate site without being detected," said Russell Chadwick, head of marketing for SurfControl in the U.K. and Ireland. "Regardless of their Internet experience or familiarity with security issues, most people have come to accept the idea that if they see the lock in the corner of their browser, they are safe. This cunningly crafted technique preys on this trust."

To protect against the secured phishing technique, SurfControl recommends the following:

    
    -- IT departments should issue an advisory to warn employees of this
       potential scam and re-enforce acceptable Internet Use Policies,
       including information about browser security;
    -- Individuals should scrutinise alert messages concerning digital
       certificates and refer to their IT department or another trusted
       resource if they need assistance in identifying potential frauds;
    -- Individuals should navigate to well-known online vendors for
       transactions and be aware that financial sites should have a valid SSL
       certificate issued by a Trusted Certificate Authority. These sites 
       will not prompt an alert dialog box;
    -- Individuals should never respond to e-mail requests for personal or
       financial information;
    -- Individuals should immediately delete any unsolicited e-mail and
       e-mails with nonsense subjects without opening the message.

About SurfControl

SurfControl plc (LSE: SRF) is a world leading Internet Security company delivering multiple layers of threat protection to shield organisations against complex blended threats. SurfControl's Enterprise Protection Suite has redefined traditional "filtering" by offering a unified threat management solution that eliminates spam, spyware and phishing attacks, as well as Web and e-mail abuse. The SurfControl Adaptive Threat Intelligence(TM) Service provides continuous and proactive threat detection and protection from emerging threats, known blended threats, and customer-specific threats. Customers avoid significant business downtime that impacts productivity and the bottom line, while limiting legal liability and enforcing regulatory compliance and confidentiality. SurfControl has 14 offices worldwide serving more than 20,000 enterprise customers. For further information and news on SurfControl, visit http://www.surfcontrol.com .

Web site: http://www.surfcontrol.com

SOURCE SurfControl