Phishing
In computing, phishing is the act of attempting to fraudulently acquire sensitive personal information, such as passwords and credit card details, by masquerading in an official-looking e-mail, instant message or similar communication as someone trustworthy with a real need for such information. It is a form of social engineering attack. (See an example below.)
The term was coined in the mid 1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.
Those who phished on AOL during the 1990s originally got onto AOL using fake, generated credit card numbers. Such accounts lasted weeks to months, after which new ones had to be made. In late 1995 AOL tightened its restrictions, and so those people moved to phishing. Phishing on AOL was closely associated with the warez community, which exchanged pirated software. Around 1997, however, AOL cracked down on this, and the activity has largely moved off AOL. Around that time phishing was so prevalent on AOL that AOL added a line to all instant messages stating that no one working at AOL would ask for your password or billing information; despite this, phishing for both continued to work, which lowered the general opinion of AOL members' intelligence. Around that time as well, AOL developed a system to quickly deactivate any account engaged in phishing, often booting it offline before its targets could respond, so that phishers lost more accounts than they gained. Phishing therefore moved to AOL Instant Messenger, where accounts could not be banned. The shutting down of the warez scene on AOL, together with the fact that the phishers themselves grew older (many were young teens) and got jobs to pay for an Internet service provider, caused most phishers to leave AOL or get an account they paid for. Both phishing and warezing on AOL generally relied on programs, and if those programs were popular, their creators, who always went by aliases, were well known in these circles. The first program well known for phishing, warez and other disruptive activities on AOL was AOHell.
There is also an Irish IRC network called Phishy, although it predates the use of that term for anything illegal.
Usage
The term "phishing" is sometimes said to stand for password harvesting fishing, though this is likely a backronym. The cracker community tends to use creative spellings as a sort of jargon, and coinages such as warez have even escaped into more mainstream usages.
"Phishing" attacks are so named because the senders are fishing for recipients' personal information. The substitution of "ph" for "f" is, according to the U.S.-based Anti-Phishing Working Group, said to be a nod to an early form of hacking known as phreaking, which refers to gaining access to telephone networks. Still other theories attribute the term "phishing" to the name "Brien Phish", who allegedly was the first to use psychological techniques to steal credit card numbers in the 1980s. Others believe that "Brien Phish" was not a real person but a fictional character used by scammers to identify each other. Another, more recent theory credits the nature of the attacks, in which one is, metaphorically, fishing for an unsuspecting user's information.
Today, online criminals put phishing to more directly profitable uses. Popular targets are users of online banking services, and auction sites such as eBay. Phishers usually work by sending out e-mail spam to large numbers of potential victims. These direct the recipient to a Web page which appears to belong to his online bank, for instance, but in fact captures his account information for the phisher's use.
Typically, a phishing e-mail will appear to come from a trustworthy company and contain a subject and message intended to alarm the recipient into taking action. A common approach is to tell the recipient that his account has been deactivated due to a problem and that he must take action to re-activate it. The user is provided with a convenient link in the same e-mail that takes him to a fake web page appearing to be that of the trustworthy company. Once at that page, the user enters his personal information, which is then captured by the fraudster.
URL spoofing
There are several types of URL spoofing [1]:
- An IP address, e.g. http://192.168.1.1/
  This relies on the user ignoring the URL bar completely, or being confused by its complexity.
- A completely different domain, e.g. https://www.randomdomain.com/
  This relies on the user not looking at the domain at all.
- A plausible-sounding but fake domain, e.g. https://www.paypal-secure.com
  This relies on the user not knowing their exact destination, which is made easier and more plausible by the fact that many real companies use a bewildering variety of domain names for their different branches and services instead of a logical structure of subdomains of their main domain.
- A visible-to-the-eye letter substitution, e.g. https://www.paypa1.com
  This relies on the user not looking too closely at individual letters.
- An invisible letter substitution (punycode attack) that exploits a flaw in IDN handling, e.g. https://www.xn--pypal-4ve.com
  These are currently almost undetectable in some browsers.
- An address with a username that looks like a domain name, e.g. http://www.paypal.com@www.evil.com
- An address that uses wildcard DNS record characters to disguise the domain name [2]. Some examples include:
Checking the URL in the address bar of the browser may not be sufficient, as, in some browsers, that can be faked as well. However, the file properties feature of several popular browsers may disclose the real URL of the fake webpage.
Additional attack methods
Besides URL spoofing, it is also possible for the attacker to use the bank's or service's own scripts against it. These attacks are particularly problematic because they actually direct the user to sign in at the bank's or service's own web pages, where everything from the URL to the SSL certificate is correct. Example: [3] (address changed to protect the reader). While clicking on this link brings you to eBay's site to log in, the site then forwards the authenticated request to another domain or server, where the attacker's harvesting script is potentially waiting for this information.
If you are contacted about an account needing to be "verified," you should contact the company directly, or type in the address for their webpage.
Be especially concerned about an address containing the "@" symbol, for example http://www.google.com@members.tripod.com/. Such an address will attempt to connect to the server members.tripod.com as the user www.google.com. This will very likely succeed even if the user does not exist, and the first part of the link may look legitimate. The same is true for misspelled URLs or subdomains, for example http://www.yourfavbankdomain.com.spamdomain.net.
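The URL patterns listed under URL spoofing and the "@" and subdomain tricks above can be checked mechanically before a link is followed. The following is an added example, not code from the original article; the set of protected brand domains, the digit-to-letter substitution table and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Hypothetical brand domains the filter protects (an assumption, not from the article).
TRUSTED = {"paypal.com", "ebay.com"}
# Digits commonly swapped for look-alike letters (paypa1 -> paypal).
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.split(".")[-2:])

def spoof_indicators(url):
    """Return the names of the spoofing patterns found in url ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable(host)
    found = []
    if "@" in parts.netloc:          # userinfo trick: text before '@' is not the host
        found.append("userinfo")
    try:
        ipaddress.ip_address(host)   # bare IP address instead of a hostname
        found.append("ip_host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode")     # IDN label, possibly a homograph of a brand
    if reg not in TRUSTED:
        # trusted domain used as a subdomain of someone else's domain
        if any("." + t + "." in "." + host for t in TRUSTED):
            found.append("brand_in_subdomain")
        # brand name inside the registrable domain, allowing digit substitution
        label = reg.split(".")[0].translate(LOOKALIKE)
        if any(t.split(".")[0] in label for t in TRUSTED):
            found.append("lookalike_domain")
    # a query value that is itself a URL on another domain (post-login redirect)
    for _, value in parse_qsl(parts.query):
        if value.startswith(("http://", "https://")):
            if registrable((urlsplit(value).hostname or "").lower()) != reg:
                found.append("foreign_redirect")
                break
    return found

if __name__ == "__main__":
    # Constructed sample URLs, one per pattern described in the article.
    for sample in ["http://192.168.1.1/", "http://www.paypal.com@www.evil.com/",
                   "https://www.xn--pypal-4ve.com/", "https://www.paypa1.com/",
                   "http://www.ebay.com.spamdomain.net/signin",
                   "https://signin.ebay.com/login?return=http://harvest.example.net/x"]:
        print(sample, spoof_indicators(sample))
```

The registrable-domain helper is deliberately crude (it mishandles two-level public suffixes such as co.uk), so a real filter would use a public suffix list instead.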
Secunia has issued a security advisory on the IDN spoofing issue [4], based on the IDN homograph attacks identified by Eric Johanson [5]. Users of web browsers that implement IDN are affected. Some websites have noted that Internet Explorer is safe from this issue. This is misleading, since Internet Explorer has not implemented IDN, and the Verisign IDN plug-in is affected [6]. Mozilla developers Darin Fisher and Ben Goodger point out that ICANN should prevent the registration of malicious domain names. The IDN bug was partially fixed in Mozilla and Mozilla Firefox within 24 hours of the bug being announced publicly [7]. A simple application called "IDNSnitch" was also created as a defense for Safari [8].
Also, some companies such as eBay and PayPal always address you by your username in e-mails. If an e-mail addresses you by a generic salutation, for example "Dear valued eBay member", it is definitely fake, an attempt at phishing.
Phishing Example
The following is an example of a phishing e-mail.
- From: eBay Billing Department <aw-confirm@ebay.com>
- To: xxx@aschool.edu
- Subject: Important Notification
- Register for eBay
- Dear valued customer
- Need Help?
- We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3–4 days, after this period your account will be terminated.
- For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.
- Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.
- Regards,
- Safeharbor Department
- eBay, Inc
- The eBay team.
- This is an automatic message. Please do not reply.
Response by authorities
In the United States, Democratic Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The federal anti-phishing bill proposes that criminals who create fake web sites and spam bogus e-mails in order to defraud consumers could be fined up to $250,000 and have jail terms of up to five years imposed upon them (Information Week, March 2, 2005).
Microsoft has joined the effort to crack down on phishing. On March 31, 2005 Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of using various methods to obtain passwords and confidential information about people. Microsoft hopes to use these lawsuits to uncover some of the largest phishing operators.
References
- Richardson, Chris: "New Phishing Law Could Net Offenders 5 Years", WebProNews (February 3, 2005); also cites InformationWeek, "Phishers Would Face 5 Years Under New Bill" (March 2, 2005).
- "Phishers Would Face 5 Years Under New Bill", Information Week (March 2, 2005).
External links
- Gallery of Phishing Messages – Examples claiming to come from banks, credit card companies, and auction houses.
- Computer Crime Research Center – Plugging the "phishing" hole: legislation versus technology.
- Netcraft Toolbar – browser plugin that shows country, hosting location and longevity of sites and operates a community where the first people to receive a phishing attack can block it for everyone else using the toolbar.
- Online survey tool by MailFrontier – measures ability of users to distinguish e-mail that is legitimate or "phish".
- Example of e-mail used for phishing – an actual phishing message
- Anti-Phishing Working Group – Daily news from the net about phishing
- How to Avoid Phishing Scams
- FTC – How Not to Get Hooked by a Phishing Scam
- Adorons Easy Security – Free software plug-in for Internet Explorer that disables phishing scripts.
- Fight Identity Theft – Phishing Samples
- www.Spamfo.co.uk – Articles and contemporary news items relating to phishing and Internet scams.
- Phishing alerts, news and reports – MillerSmiles.co.uk
- A Memo On Phishing: What You Need To Know Right Now
- Trust Management for Humans – Explains the design flaw in the WWW that enables phishing and provides a simple solution to the problem
- Spoofstick – A plug-in for Internet Explorer and Mozilla that displays the real un-spoofed address for the current site. Works in pop-up windows as well.
- ShareCube.com – Solutions for Banks and Financial institutions.
- Webopedia – Phishing details from Webopedia.
- Phishing Scams
- Bank Safe Online – Advice to UK consumers regarding phishing scams and more.
- GishPuppy.com – Using disposable email addressing (DEA) to spot phishing.
- U. S. Banker | A Phish Story – February 2005
- Network Appliance, Inc. Phishing Survey 2004 (PDF)