Phishing

From Computing and Software Wiki

Revision as of 00:04, 9 December 2007 by Davisml3 (Talk)

Phishing is a form of online identity theft that uses spoofed e-mails and fraudulent web sites, among other techniques, to lure people into divulging personal and financial data such as credit card numbers, account usernames, passwords and social security numbers.

Phishing attacks are aptly named because of the similarities they share with fishing. The criminals who are phishing for information are like fishermen and the victims are the fish. The criminals use several different methods to lure their victims into falling for an attack, just as fishermen use bait to lure fish.

Phishers use the internet as a means to commit fraud. They may use the information they acquired to create fake accounts in the victims' names, or to make purchases using their credit cards. Often phishers will sell the information they gather rather than use it themselves.


Types of Phishing Attacks

Spamming and Spoofing

The most common method of phishing uses a combination of spamming and spoofing to phish for private information. Spam is defined as "Unsolicited Commercial E-mail", or e-mail that you did not ask to be sent. Most spam takes the form of advertisements and is harmless, if annoying. In a phishing attack, spamming is similar to casting a line: phishermen use fake e-mails as bait. The unlucky people added to a spammer's list become the victims in a phishing attack. They will receive e-mails they did not ask for, which try to convince them to divulge private information. Next, two separate instances of spoofing are used to lure victims into taking the bait presented to them by spammers: e-mail spoofing and web page spoofing.

E-mail spoofing is a term used to describe e-mail that has been altered to appear as if it originated from someone or somewhere other than the actual source. Online criminals masquerade as legitimate businesses by creating fraudulent e-mails that look like the real e-mails a business would send. Spammers send these fake e-mails, which try to convince you that the business needs your private information, and then direct you to click on a link provided in the message. That link takes you to a spoofed web page. The spoofed page mimics the appearance of the legitimate company's website, and it is where you are asked to enter personal information. Any information you enter goes straight into the hands of the criminals.

Spamming and Keylogging

Another method of phishing for information uses a phishing-based Trojan to obtain sensitive data.

This method of phishing also uses e-mails to lure victims, but instead of asking you to enter your private information online, it only needs you to click on a provided link. As soon as you click on this link, a Trojan program is downloaded onto your computer. This program then downloads a keylogger onto your system, which monitors the user's computer activity. Keyloggers are provided with a list of keywords to look for; this list includes bank names and on-line payment companies. The keylogger waits idly until the user opens a window whose title matches a name on its list. When one of these windows opens, the keylogger begins recording keystrokes and saves them to a text file. Then, using a built-in e-mail system, it sends the text file containing all the private account numbers and passwords it recorded back to the waiting hands of the phisherman.

E-mail attachments and on-line software downloading are also commonly used to infect personal computers with Trojans and keyloggers.

Detecting and Preventing Phishing Attacks

There are several ways to detect phishing attacks. Knowing how a phishing attack works and being cautious when supplying personal information over the internet is the best way to protect yourself.

  • Be suspicious of e-mails urgently requesting personal or financial information.
    • Phishers include exciting or upsetting information in e-mail, hoping to get you to react quickly.
    • Phishing e-mails are sometimes personalized; just because they took the time to include your name in the e-mail does not mean it is real.
  • Be suspicious of e-mail attachments.
    • E-mail attachments are the most common method used for carrying out Trojan-based phishing attacks.
  • Never use links provided in e-mails.
    • Call the company directly, or go to the company's website by typing its address yourself.
  • Make sure you are using a secure website when submitting information in a web browser.
    • Phishers are able to spoof the yellow lock you see at the bottom of your screen when the website is supposed to be secure. If you double-click on the lock, the website's security certificate will pop up; if you get any warnings, do not use the site.
  • Make sure you check the address line.
    • Check the address line to make sure you are being directed to where you want to go.

Phishing Facts

  • 43% of internet users have received a phishing contact
    • 5% have responded
  • It has been estimated that the number of phishing e-mail messages that are sent worldwide each month is 6.1 billion
  • The average length a phishing site is operational is 3.6 days
  • In 2006, about 109 million U.S. adults received phishing e-mail attacks, compared with 57 million in 2004.
  • The financial services industry continues to be the main focus of scammers, with 78 percent of attacks targeting the customers of banks and other types of financial institutions.

