Phishing


In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Phishing is typically carried out by email or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.

Recent Phishing Attempts

Phishers are targeting the customers of banks and online payment services. Emails, supposedly from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers.

Targeted versions of phishing have been termed spear phishing. Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

Phishing and Social Networking

Social networking sites are now a prime target of phishing, since the personal details in such sites can be used in identity theft; in late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details. Experiments show a success rate of over 70% for phishing attacks on social networks.

Tricks Used by Phishers

Link Manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers.

In the following example URL, http://www.phishingsite.yourbank.com/, only the rightmost registered domain (here yourbank.com) determines which organization actually controls the destination; a phisher uses the same layout in reverse, placing the bank's name in a subdomain of a domain under the phisher's control, so that a reader who stops at the familiar name believes the link leads to the bank.

Another common trick is to make the displayed text for a link (the text between the anchor tags) suggest a reliable destination, when the link actually goes to the phishers' site.
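A defender-side check for the two link tricks described in this section (a familiar name placed in the hostname of a domain the phisher controls, and anchor text that names a different host from the one in the href), as an added example that is not part of the original article. The email body, the domain names and the two-label "registered domain" rule are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the first two links use the tricks described
# above, the third is a genuine link to the bank.
SAMPLE_EMAIL = """
<a href="http://www.yourbank.login-check.example/">Log in</a>
<a href="http://203.0.113.5/secure">https://www.yourbank.com/secure</a>
<a href="https://www.yourbank.com/help">Help</a>
"""

def registered_domain(host):
    """Rightmost two labels (simplified; real code uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, trusted_domain):
    """Return (href, reason) for links dressed up to look like trusted_domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) == trusted_domain:
            continue  # really under the bank's domain: nothing to flag
        shown_host = urlparse(text).hostname or text.split("/")[0]
        if registered_domain(shown_host) == trusted_domain:
            findings.append((href, "anchor text shows the trusted host"))
        elif trusted_domain.split(".")[0] in host:
            findings.append((href, "trusted name used as a subdomain"))
    return findings
```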

Fraudulent Websites and Web Forgeries

Once a victim visits the phishing website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

Cross Site Scripting Attacks

An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct.

In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.

Man-In-The-Middle Automated Phishing Kits

A Universal Man-in-the-middle (MITM) Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object.

Damage Caused by Phishing

The damage caused by phishing ranges from denial of access to email to substantial financial loss.

It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims.

In 2007, phishing attacks escalated. 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007. Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million.

This document is licensed under the GNU Free Documentation License (GFDL), which means that you can copy and modify it as long as the entire work (including additions) remains under this license.
