Dublin, Ireland, 2nd March 2010 – The arrival of an email, in Irish, promising fortunes from Hong Kong was an obvious scam – littered with spelling and grammar errors that even the most amateur Gaeilgeoir could point out – and unlikely to have fooled many. However, the campaign, successful or not, demonstrated the potential for attacks to be tailored to a specific audience. In all instances of fraud, with enough refinements, a fake can be easily mistaken for the “real thing”.
“As computer users have become more aware of phishing and how they should respond to email from unknown senders, attackers work on appearing more credible to the recipient to increase the likelihood that their email will be opened and links clicked on,” said Colm Murphy, technical director at Espion. “One of these methods uses local references as a means to seem more genuine. This has been seen in those attacks that reference indigenous Irish banks. Attackers are taking this further, researching and using local references including culture, sports, events to appear more authentic and better their chances of defrauding their targets.”
A survey by AMAS and the Irish Internet Association carried out in the autumn reported that 70% of Irish people trust the Internet, believing that information online is real. Over 7% of Irish people surveyed indicated that they disclosed personal information when targeted by a phishing scam - Ireland was the second highest rated of the 27 EU countries analysed.
Phishing scams start with a fraudulent email message that appears to be sent from a legitimate enterprise. Assuming the names of well-known and respected banks, e-retailers and credit card companies, phishers look for ways to convince recipients to respond. Usually recipients are directed to a fake web site or directly requested to divulge private information (e.g., password, credit card, or PPSN numbers). The victims may have their identity stolen, leading to any number of risks including financial fraud or unauthorised use of credit cards or bank accounts. Targets are usually asked to:
- Visit a deceptive web site to correct a problem with their account or login details.
- Enrol online (using their account/personal information) in an anti-fraud program.
- “Cancel” a fake order that has been made with a credit card (requiring account/personal information to be divulged).
- Dispute a charge made to an account, with a link to “dispute” the charge.
Preventing and Responding to Phishing Attacks
As attacks become more localised, people will find it harder to distinguish genuine email from phishing attacks.
- Ensure your existing anti-virus software includes anti-phishing functionality. Anti-virus vendors include anti-phishing toolbars with the latest versions of their products.
- If your anti-virus software doesn’t include anti-phishing functionality, install one of the free alternatives such as BitDefender Anti-Phishing Free Edition, Netcraft Anti-Phishing or McAfee SiteAdvisor.
- Ensure you have the most up to date version of your Internet browser software installed.
- Keep your anti-virus software up to date.
- Monitor your financial accounts and statements and notify financial institutions of any suspicious transactions.
- Never respond to any unsolicited email or phone calls requesting personal information. No reputable company will ever ask for this kind of information by email.
- Ensure that any website requesting confidential information uses a secure connection. Look for https:// and a padlock in the browser window.
- Pay attention to error messages that the browser gives regarding certificates. When it says a site cannot be trusted or has a non-matching or expired certificate, the site may be fraudulent.
- Never send personal or confidential information in an email.
If you suspect that you are a victim of phishing:
- Alert the relevant organisation and An Garda Síochána.
- Use up-to-date anti-virus and anti-spyware software. Up-to-date software can keep unwanted or malicious software at bay.
- Monitor your financial accounts and statements and notify financial institutions of any suspicious transactions.
- Change passwords regularly.
- Notify the company whose site is being forged or impersonated.
About Espion
Espion is an advisory practice specialising in information security. We work with companies to ensure that the critical information essential to their success is secure. Espion’s comprehensive approach is unique and highly effective and includes services to address information assurance, governance, risk and compliance, IT audit, forensic investigation and IT security training. Utilising a collaborative approach, our team of highly experienced consultants look to fully understand the client’s business first and from there determine the risks and exposures that they may have, and help the client understand, manage and mitigate those threats to information security.
Espion Ltd., The Penthouse, Block 2, Deansgrange Business Park, Deansgrange, Co. Dublin
Ph: +353-1-2101711 http://www.espion.ie
For more information, please contact:
Colman Morrissey Espion 01 210 1711
Colm Murphy Espion Forensics 01 210 1711
Jillian Godsil Practice PR & Events 053 94 296 76
FROM IIA MEMBER COMPANY ESPION LTD