Saturday, April 19, 2008

Are you dumb enough to give away your password and confidential data anywhere on the net?

Passwords are the keys to your online closets. You don't want people intruding into your closet and doing the nastiest things you've ever imagined.


Do you think, yes THINK, before you enter credentials like your username and password anywhere on the net? Aren't you afraid of entering your credit card details online when you shop?

If you are smart, you probably think before you do the things I've asked about above.

Let me show you an example. A guy has an MSN account and wants to check whether his female friend has blocked him after their last argument. He goes to a site like the one below:

http://rbscienceclb.10gbfreehost.com/block.html
(After you submit, this site forwards you to a genuine site; in this case it lands you on Nepal Telecom's official site. DON'T EVER GIVE YOUR REAL USERNAME AND PASSWORD, but you can try it with a fake one. It's interesting to see how these phishers work and steal people's information.)

He enters his MSN username and password and clicks Submit. He thinks his job is done.

On the other hand, the eavesdropper collects his username and password at the backend, from the link below:
http://rbscienceclb.10gbfreehost.com/data.txt

Surprised to see what you entered a few moments ago sitting right there on the second link? That's how these phishers work: the form never talks to MSN at all. It writes your input to a file the phisher controls and then forwards you to a real site, so nothing looks wrong to you.

www.ntc.net.np (used here only as an example; I'm not endorsing that company at all) is the official site of Nepal Telecom and a genuine site. Many Nepalese people visit it and have little reason to distrust it. So it's obvious that many people would fall for this trick: as soon as they see that domain in the browser's address bar, they end up entering their important information. Don't do that. Run your eyes along the full line in the address bar instead. Do you see the long, odd-looking tail after the domain? That is the phisher abusing a flaw in the genuine site (an input-handling bug of the kind that lets an attacker inject his own content into a page served from that domain, for example reflected cross-site scripting or an open redirect). So even though the domain name is genuine, the page is fake: the login form is generated dynamically by injected script and only looks like part of the real site. As soon as someone submits data on such a phishing page, it is saved to a file on a remote server, and the phisher reads it later at his leisure.

The first link is a bit unconvincing on its own. A smarter phisher would make the anchor text look genuine (e.g. ntc.net.np/msnblockcheck.html) while the link itself points elsewhere, and nobody would notice what's going on.

My suggestion is to check the address bar before you give any important details online. What matters is the host: the part between http:// (or https://) and the next slash. Everything after that slash is just a path the site owner, or an attacker, chose, and a name like ntc.net.np.example.com belongs to example.com, not to Nepal Telecom. It is also irrelevant and suspicious to see weird, long lines on a login page. After you log in, session and cookie handling take place, so long URLs after sign-in are normal. But when you are about to enter something and you see such a long weird line on the very first page, it's time to get ALARMED and BE SMART. You can also ask the company about the particular page you are facing and make sure your data is safe beforehand.
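The address-bar check above can be written down as code. The following Python is an added example, not code from the original post: it reads a URL the way a careful user should read the address bar and flags the tricks that make a phishing link look like it belongs to a trusted site. The expected domain (ntc.net.np), the sample links and the warning rules are assumptions chosen for this example; the 203.0.113.x addresses are documentation addresses, not real hosts.

```python
"""Added example, not code from the original post: read a URL the way a
careful user should read the address bar and flag the tricks that make a
phishing link look like it belongs to a trusted site. The expected domain,
the sample URLs and the rules are assumptions chosen for this example."""
from urllib.parse import urlsplit, parse_qs


def effective_host(url: str) -> str:
    """The host the browser will actually connect to: lower-cased, with any
    user@ prefix and :port removed. Only this part decides who receives
    whatever you type into the page."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host: str, expected: str) -> bool:
    """True if host is expected or a subdomain of it. Labels are matched from
    the right, so ntc.net.np.example.com belongs to example.com, not ntc."""
    return host == expected or host.endswith("." + expected)


def inspect_url(url: str, expected: str) -> dict:
    """Return the effective host, whether it belongs to `expected`, and a list
    of human-readable warnings. An empty list means nothing looked off."""
    parts = urlsplit(url)
    host = effective_host(url)
    trusted = belongs_to(host, expected)
    warnings = []

    if not trusted:
        warnings.append(f"host is {host!r}, not {expected!r}")
        # The trusted name is the lure: if it shows up anywhere in the URL
        # without being the host, it is there to fool the eye.
        if expected in url.lower():
            warnings.append(f"{expected!r} appears in the URL only as a decoy")
    if parts.username is not None:
        warnings.append("URL has user@ credentials in front of the real host")
    if parts.scheme != "https":
        warnings.append("not HTTPS: the page and its form can be altered in transit")

    # Long query strings on a page that asks you to log in deserve a look:
    # a redirect target or injected markup is usually hiding in a parameter.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already percent-decoded the value
            low = value.lower()
            if low.startswith(("http://", "https://", "//")):
                warnings.append(f"parameter {name!r} carries another URL: {value}")
            if "<" in low or "javascript:" in low:
                warnings.append(f"parameter {name!r} looks like injected markup")

    return {"host": host, "trusted": trusted, "warnings": warnings}


# Constructed sample links (what the address bar shows the user).
SAMPLES = [
    "https://www.ntc.net.np/",                                           # genuine
    "http://rbscienceclb.10gbfreehost.com/block.html",                   # the post's lure
    "http://ntc.net.np.example.com/login",                               # lookalike subdomain
    "http://www.ntc.net.np@203.0.113.5/login",                           # user@ trick
    "https://www.ntc.net.np/go?next=http://203.0.113.5/msnblock",        # redirect parameter
    "https://www.ntc.net.np/search?q=%3Cscript%3Ealert(1)%3C/script%3E",  # injected script
]

if __name__ == "__main__":
    for link in SAMPLES:
        report = inspect_url(link, "ntc.net.np")
        print(("OK  " if not report["warnings"] else "BAD ") + link)
        for warning in report["warnings"]:
            print("     -", warning)
```

Run it as a script to see each sample link judged. The point of the rules is the order in which they look: first the effective host, because nothing else in the URL decides where the form is sent; only then the path and query, where a redirect target or injected markup hides on an otherwise genuine domain.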


Coming to my second question in the second paragraph of this post, I'd suggest you create a PayPal account. I'm not endorsing PayPal, but it can save a lot of hassle. I see PayPal as the next credit card for online shopping. If you are afraid of giving your long credit card details every time you shop online, it's time to switch to PayPal (there are other alternatives too, but I'm focusing on this one). Sign up for PayPal, get verified by linking your bank account to PayPal's system, and now you can shop easily. Just give your PayPal ID (no need to hand over your entire credit card details to every shop) and make purchases. PayPal is still not accepted by many online shops, but it is steadily spreading as another payment option. If a shop accepts it, pay with your PayPal ID. Easy as 1-2-3. One thing to remember: these big companies very rarely send ALERT mails asking you to click a link and log in. If something is important, they usually post a notice on your account page after you sign in instead of mailing you. So treat any mail that claims to come from the genuine site and asks you to log in as a phishing attempt: don't follow the link, type the site's address into the browser yourself. Keep that in mind and you'll be safe from the phishing scam mails that pretend to originate from the genuine site.


Thank you for reading.

idea src: KoolD@NepSecure@googlegroups.com
img src:http://buckeyesecure.osu.edu/pmwiki/uploads/SafeComputing/password_star.jpg
img src:http://www.websitesecurityinformer.com/wp-content/uploads/2007/11/phishing.jpg


Copyright © 2014
Designed by Navin