Security Vulnerabilities of Web Applications - Dangers Lurking in Your Mailbox
(Page 4 of 4)
Targeted fraud attempts are much more common than one might guess. Companies do their best to inform their users and prepare them to recognize these attempts. Generally, the attempt arrives as an e-mail that uses social engineering to get the user to hand over his or her sensitive data. Granted, a single attack of this kind does not yield the kind of return that breaking into an entire database does, but with enough targets (millions, say) the results become significant.
How do these work? The user receives a mail from a forged sender address that nonetheless looks legitimate; this is the general rule, and there are well-documented techniques that make it possible. The attacker composes a malicious e-mail that also looks quite legitimate, trying to convince the user that, because of some sort of security check or server maintenance or who knows what else, the user is required to re-enter his or her sensitive information.
The attacker then asks for this to happen either by having the victim reply to a mailbox the attacker monitors, or, in a much more advanced variant, by sending the user to a website that looks identical to the official, legitimate one. The user may not verify the link on which s/he clicks. Basically, the legitimate company's website is mirrored on the attacker's web server, so the user thinks it's safe to enter his data there.
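As an added example (not part of the original article), the check below walks the anchors in an HTML message body and flags links a reader would misjudge: visible text naming a different host than the href, userinfo before "@" that hides the real host, and links straight to an IP address. The sample message, hosts and addresses are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that reads like an address to a human, e.g. "www.paypal.com/login".
HOSTLIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside it
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def split_url(url):  # default a bare "www.example.com" to https before splitting
    return urlsplit(url if "://" in url else "https://" + url)

def suspicious_links(html_body):
    """Return (href, visible text, reason) for anchors a reader would misjudge."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = split_url(href)
        target = (parts.hostname or "").lower()
        if "@" in parts.netloc:
            findings.append((href, text, "userinfo before '@' hides the real host"))
        elif HOSTLIKE.match(text) and (split_url(text).hostname or "").lower() != target:
            findings.append((href, text, "visible text names a different host"))
        elif target.replace(".", "").isdigit():
            findings.append((href, text, "link points at a raw IP address"))
    return findings

# Constructed sample body in the style the article describes (not a real e-mail).
SAMPLE_MAIL = """<p>Dear PayPal User, please confirm your details at
<a href="http://203.0.113.5/paypal/login">https://www.paypal.com/login</a> or
<a href="http://www.paypal.com@198.51.100.7/">click here</a>. Help:
<a href="https://www.paypal.com/help">www.paypal.com/help</a></p>"""
```

Running `suspicious_links(SAMPLE_MAIL)` flags the first two links and leaves the genuine help link alone; the check is a heuristic for mail filters or user-facing warnings, not proof that a link is safe.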
These kinds of e-mail scams are really popular in the case of PayPal. You may already have received e-mails that begin with "Dear PayPal User" or "Dear PayPal Member." Haha! Good joke. PayPal cannot stress enough that under no circumstances should you EVER give out any of your sensitive data without being 100% sure, and you can be sure only if you type in the website address yourself, not by following a redirection or by clicking on links from forums or e-mails.
Before closing this article, we should also state that these malicious techniques are usually called "phishing" attempts. Their basic methodology is to convince the user to visit the attacker's own website, which looks authentic and legitimate, and then get them to type in their information. This is just as dangerous as strangers offering candy or ice cream to little kids on the street, you know. So be careful. See you in the next part!
In closing, I'd like to invite you to join our community of technology professionals experienced in all areas of IT&C starting from software and hardware up to consumer electronics at Dev Hardware Forums. Also, be sure to check out the community of our sister site at Dev Shed Forums. We are friendly and we'll do our best to help you.