Phishers Deliver new Egg(TM) Recipe

Watch out which basket you put your eggs in. It might take them completely off your hands. Sci-fi as this may sound, it applies perfectly to a very down to earth phishing attempt targeting the users of Egg^TM, the “largest pure online bank”, which provides borrowing, saving and insurance services.

As always where there’s money and a chance of snatching users’ sensitive data to get to it, in pop the phishers! Nothing out of the ordinary at first. A fake Egg^TMlogin page web is set up to steal users’ identification data. Ironically enough, an anti-phishing warning is displayed right next to the login form, which makes the whole thing look very real.

Fig. 1 The fake web page used for phishing

This is when the special nature of this phishing mechanism reveals itself: it unfolds in the blink of an eye. After the Egg^TMcustomers input their data, the respective page disappears, giving them the impression that it mysteriously refreshed or that an accidentally pressed key made it go away. The trick is likely to work as the respective customers are instantly redirected to the actual Egg^TMweb page, which makes the previously described scenario quite plausible. Therefore, if they do not suspect anything, customers will input their data once again and go on with their activities without being aware that somebody else has the means to access their funds.

Here are a few things you should keep in mind to stay on the safe side of things when making transactions online:

• Make sure you always activate or turn on your antiphishing or phishing filter, as well as any other security applications or suites before browsing to your e-banking account. Ideally, you should install, activate and update a reliable security solution.

• Double-check the URL of the page you are on, especially if you are required to fill in credit card information.

• Make sure that the e-banking Web site uses SSL encryption (Secure Socket Layer) and security authentication methods – look for the “https” prefix and the locked padlock. If you are requested to accept a certificate for the session, check that the name on the certificate matches the name of the institution you wish to deal with and that the certificate is signed by a known Certificate Authority such as Thawte™ or VeriSign® before accepting.

• NEVER disclose your PIN to anyone, under any circumstances.

• Avoid using a non-secured computer (like a friend’s desktop or job colleague laptop). Still, if you are forced to do so, make sure you at least run BitDefender’s advanced scanning on-line tool, Quick Scan, before proceeding.

• Do not check your e-banking account from public computers connected to Internet (like those in a library or Internet Café).