Nearly 20,000 PayPal phishing sites! Taobao, Citibank and MasterCard each over a thousand (official responses added)
Hackers have long used a variety of methods and techniques to break into users' computers and corporate systems. The most common is the fake phishing site: the attacker builds a page that looks identical to the official site to trick users into entering their credentials, then uses those credentials to steal personal data and take over the account. As e-commerce has grown, well-known brands, banks, and auction and shopping sites have all become targets.
Today the security vendor Trend Micro published its list of the sites most targeted by phishing in December 2012. The most frequently impersonated e-commerce site was PayPal, with nearly 20,000 spoofed sites. Following consumers' shift to shopping and paying on mobile devices, attackers have also built fake PayPal phishing pages aimed specifically at mobile users. Among online shopping and auction sites, Taobao, eBay, Amazon and Alibaba were the most often spoofed and used as phishing bait, with Taobao the hackers' favourite lure.
Citibank was used as bait for Blackhole Exploit Kit (BHEK) attacks: victims are tricked into opening a forged Citibank email and clicking the link it contains, which downloads malware that steals personal data and network credentials, leaking the victim's personal information. MasterCard's site was likewise a phishing target. Experts have so far found nearly a thousand fake MasterCard sites, around 70% of them aimed at Japanese users, with more than 2,000 hits in December alone.
Experts urge the public to treat email of unknown origin with caution, not to click links casually, and to watch for the following:
1. Forged emails usually open with a generic greeting rather than addressing you by your full name.
2. Obvious grammar, spelling and formatting errors are a strong sign that an email is forged.
3. Phishing emails typically ask you to click a link or provide personal data. To get you to do so, attackers use all kinds of pretexts, such as a claim that your Facebook account has been suspended, playing on fear to raise the odds that you click the malicious link.
4. Some phishing emails look exactly like the company's genuine email. Read the message carefully and verify that its contents are correct.
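The indicators in the list above are the kind of thing a mail gateway or a user-awareness tool can check mechanically. The following Python script is an added example, not code from the article or from Trend Micro's report: it parses a raw email, extracts the visible text and links from the body, and flags a generic greeting, a fear or urgency pretext, and a request for credentials. It goes one step beyond the list by also checking whether a link's visible text names a different domain than its href, a common tell in spoofed emails. The sample messages, the domains in them, the keyword lists and the two-indicator threshold are all constructed assumptions for illustration.

```python
"""Heuristic phishing-email scorer (added example, not from the original article).

Sample messages, domains, keyword lists and the threshold below are constructed
for illustration; a real deployment would tune them and use the public suffix
list instead of the crude registrable_domain() helper.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear valued customer", "dear account holder")
URGENCY_TERMS = ("suspended", "disabled", "locked", "within 24 hours",
                 "immediately", "unusual activity", "verify your account")
CREDENTIAL_TERMS = ("password", "card number", "credit card",
                    "social security", "login details")


class _BodyParser(HTMLParser):
    """Collect the plain text of an HTML body plus (href, visible text) per link."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-label domain (assumption: good enough for the demo)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _first_text_body(msg):
    """Return the decoded text/html or text/plain body of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message):
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    parser = _BodyParser()
    parser.feed(_first_text_body(msg))
    text = " ".join("".join(parser.text).split()).lower()  # collapse whitespace

    found = []
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    if any(u in text for u in URGENCY_TERMS):
        found.append("urgency_pretext")
    if any(c in text for c in CREDENTIAL_TERMS):
        found.append("asks_for_credentials")
    for href, anchor in parser.links:
        # Visible text that looks like a URL/domain but whose href goes elsewhere
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", anchor.lower())
        href_host = urlparse(href).hostname or ""
        if m and registrable_domain(m.group(1)) != registrable_domain(href_host):
            found.append("link_text_mismatch")
            break
    return found


def is_suspicious(raw_message, threshold=2):
    """Assumed policy: two or more indicators is enough to quarantine for review."""
    return len(analyze(raw_message)) >= threshold


# Constructed sample: a typical account-suspension lure with a look-alike link.
PHISH = """\
From: "PayPal Service" <service@paypal-secure-login.example>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We noticed unusual activity on your account. It has been suspended until you
verify your password and card number within 24 hours.</p>
<p><a href="http://paypal-secure-login.example/verify">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed sample: a routine notification addressed by name, link text matches href.
LEGIT = """\
From: "Example Shop" <orders@shop.example>
To: alice@example.com
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Alice Example,</p>
<p>Your order #1234 shipped today. Track it at
<a href="https://shop.example/track/1234">https://shop.example/track/1234</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    print("phish:", analyze(PHISH), is_suspicious(PHISH))
    print("legit:", analyze(LEGIT), is_suspicious(LEGIT))
```

The grammar-and-spelling indicator from the list is deliberately left out: it needs a language model or dictionary rather than a keyword match, and any fixed word list would produce more false positives than the other checks.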
The ten brands hackers most like to use for phishing
PayPal (18947 phishing sites)
Wells Fargo (2049 phishing sites)
Visa (1661 phishing sites)
Citibank (1628 phishing sites)
Bank of America (1477 phishing sites)
MasterCard (986 phishing sites)
Chase (656 phishing sites)
Bancolombia (369 phishing sites)
NatWest (324 phishing sites)
Cielo (310 phishing sites)
Online shopping and auction sites (number of phishing sites)
Taobao (1691 phishing sites)
eBay (504 phishing sites)
Amazon.com (251 phishing sites)
Alibaba (150 phishing sites)
Littlewoods (39 phishing sites)
15/01/2013 – Taobao replied today that it was not yet aware of the contents of the Trend Micro report and so could not comment for now. Taobao stressed that it has already published several sets of safety advice for users and will do everything feasible to keep users safe. The following Taobao links are provided for reference.
http://bbs.taobao.com/catalog/thread/154504-5969040.htm?spm=0.0.0.183.GutOnq
http://bbs.taobao.com/catalog/thread/154504-252222289.htm?spm=0.0.29218.1.pQHlhD
http://service.taobao.com/support/knowledge-1119504.htm?spm=0.0.0.53.5ay0rv
http://110.taobao.com – comprehensive online security platform
04/02/2013 – PayPal responded to the report today, saying it has always done its utmost to keep users safe and treats security as its first priority. PayPal currently authenticates its email using what it calls cutting-edge methods and provides users with 24/7 real-time account monitoring. The response also stresses the importance of keeping your browser up to date, since only an updated browser receives the latest protections and vulnerability patches. PayPal's full response follows for reference.
“At PayPal, protecting our customers is a top priority. PayPal has invested in the latest technology, uses cutting-edge methods to authenticate our emails, and provides 24/7 account monitoring.
PayPal has been in the industry for 14 years, and we are renowned as a secure third-party payments processor. We have applied our deep security knowledge to all of our products to ensure customers and sellers are provided with the most secure payment channels.
As a pioneer in online payments, we set the standard for fraud prevention by continuously developing and deploying a broad range of security measures.
You can count on PayPal’s technology to keep transactions and financial information safe and private, with:
- Antifraud risk models. Our highly sophisticated, proprietary fraud risk models help detect and predict fraudulent transactions – before they affect your business.
- Industry-leading use of data encryption. We use data encryption more extensively than any financial services company.
- Safeguarding financial information. We don’t share buyers’ financial information with sellers, enabling buyers to feel more secure and confident buying from PayPal merchants.
- Industry-standard services. We use industry-recognized Card Security Code (CSC, also known as CVV2) to help prevent credit card fraud.
- Antifraud Team. Our antifraud team is composed of over 2,000 specialists from around the world. The team works 24/7 to help keep your transactions safe and to ensure that your sensitive information remains private.
We also provide the following advice to our customers, to help protect themselves against phishing attacks:
Learn if it’s legitimate: If you’re not sure if an email is fake, forward the entire email to [email protected]
- Simply click “Forward” and send it to [email protected]
- Don’t change the subject line or anything else
- Then once you’ve sent it, delete the email – in most cases, we can verify if an email is fake or not
Upgrade your browser: One of the simplest and most important things you can do to protect yourself is to upgrade your browser to one with anti-phishing features such as the latest version of Internet Explorer. The process will take just a few minutes and you’ll be protected with the most up-to-date security available. ”