Keep attackers from phishing in your waters

On the Internet, phishing (also known as carding or brand spoofing) is a scam used by an attacker who sits at a remote computer dangling a malicious Web site on spam e-mail waiting for a naive Internet user to happen by.

MessageLabs recorded a 1,000% increase in the number of phishing attacks they intercepted between June and July of 2004 and that number continued to grow, ending the year 50 times higher than the same period in 2003. Suffice it to say, phishing is a critical problem, particularly for users gullible enough to take the bait.

What can you do to protect Windows from being victimized by phishing scams? You've already had many experts tell you continually patch systems and get rid of Internet Explorer -- a Web browser with more exploitable vulnerabilities than its competition -- so here are a few other quick tips that may come in handy.

More Information Visit our phishing resource center for news, tips and expert advice on how to reduce this risk. Share this checklist with your users and teach them how to avoid phishing attacks.

Block spam effectively in Outlook
Filtering and blocking spam is probably the single biggest step you can take in guarding Windows against phishing attacks. Spam is the delivery mechanism that gets the bait to your computer. If an attacker can't get his phishing message to your inbox, there is no chance your systems will be victimized. The latest version of Microsoft Outlook and many other e-mail client applications now have fairly good junk mail filters to keep the majority of spam out of your inbox. In Outlook, you can set the Junkmail options by navigating to Actions/Junk E-mail/Junk E-Mail Options.

Guard your hosts file with an IPS
The hosts file in Windows maps network destinations or Web sites to IP addresses, and can be used to override DNS. Some phishing attacks actually rewrite the hosts file, so the next time users try to visit certain Web sites they are unwittingly visiting the malicious replica site. You should use an intrusion prevention system (IPS) or other security software to guard your hosts file, and periodically check the hosts file to look for any suspicious entries. You can open it in Notepad.

Strip out code in e-mail messages
Phishing scams rely almost exclusively on the ability to include and execute active-scripting code within an e-mail message. You can turn off this ability. To do so, go to Tools/Options/Security and then select Zone Settings. When the warning box pops up, click "ok" and select Custom Level to disable specific types of code from executing. You can also set Outlook to display all incoming e-mail as plain text only, which will prevent scripting code from being executed. Simply click Tools/Options/E-Mail Options and select the checkbox next to "Read all standard mail in plaint text".

About the author
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet/Network Security, providing a broad range of security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.

This tip orginally appeared on SearchWindowsSecurity.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities Phishing ING hopes to cut phishing attacks with encryption software Companies still monitoring email manually, survey finds Trojan downloaders, droppers skyrocket, Microsoft says New phishing, Zeus Trojan technique spreads crimeware New Storm attack exploits April Fool's Day Clinton, Obama campaigns used in spam blasts How secure is online banking today? Google-Postini email services deliver security market message PDF spam reemerges in some inboxes Researcher warns of new do-it-yourself phishing program Phishing Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary crimeware  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) spear phishing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.