You may reprint or publish this article free of charge as long as bylines are included.
Original URL (the Web version of the article)
------------
http://www.defendingthenet.com/newsletters/Phishing-AnInterestingTwistToACommonScam.htm
Title
-----
Phishing: An Interesting Twist On A Common Scam
After Two Security Assessments I Must Be Secure, Right?
-----------------------------------------------
Imagine you are the CIO of a national financial institution and you've recently deployed a state-of-the-art online transaction service for your customers. To make sure your company's network perimeter is secure, you commissioned two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first, you felt relieved and confident in your security measures. Shortly thereafter, your relief turned to concern: "Is it really possible that we are completely secure?" Given your skepticism, you decide to get one more opinion. The day of the penetration test report delivery is now at hand. Based on the previous assessments, you expect to receive nothing but positive information...
The Results Were Less Than Pleasing
--------------------------------------
During this penetration test, there were several interesting findings, but we are going to focus on one that would knock the wind out of anyone responsible for the security of online systems, particularly if you are in the business of money.
Most people are familiar with the term "Phishing". Dictionary.com defines the word Phishing as "the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords". Although SPAM / unsolicited e-mail and direct web server compromise are the most common methods of Phishing, there are other ways to accomplish this fraudulent activity.
Internet Router Compromise Makes For A Bad Day
----------------------------------------------
In this case, the Internet router was compromised by using a well-known CISCO vulnerability. Once this was accomplished, the sky was the limit as far as what could be done to impact the organization. Even though the company's web server was secure, and the Firewall that was protecting the web server was configured adequately, what took place next made these defense systems irrelevant.
Instead of setting up a duplicate login site on an external system and then sending out SPAM in order to entice a customer to give up their user ID, password, and account numbers, a different and much more nefarious approach was taken.
Phishing For Personal Or Financial Information
----------------------------------------------