Phishing: Difference between revisions

File:Phishing-Email-Image-Bank-2.gif

This phishing attempt, disguised as an official email from Charter One Bank, attempts to trick users into giving away their account information by "confirming" it at the phisher's linked website.

In computing, phishing (also known as carding and spoofing) is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message, such as an email or an instant message. It is a form of a social engineering attack. (See an example.) The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they "fish" for users' financial information and password data.

With the growing number of phishing incidents reported to the Anti-Phishing Working Group, additional methods of protection have been needed. As a result of this danger, to both the business and home user communities, there have been several different attempts to decrease the problem. These attempts include legislation, user training, and the creation of various types of software.

History

The first mention of phishing is on the alt.2600 hacker newsgroup in January 1996; however, the term may have appeared even earlier in the printed edition of the hacker newsletter "2600 Magazine". The term phishing was coined by some crackers attempting to steal accounts from unsuspecting AOL members. The cracker posed as an AOL staff member, sending an instant message to a potential victim, asking the victim to reveal his or her password. In order to lure the victim into giving up sensitive information, the message might include the text "verify your account" or "confirm billing information". Once the victim submitted his or her password, the attacker then accessed the victim's account and used it for various criminal purposes, such as spamming. "Ph" is a common hacker replacement for "f", and is a nod to an older form of hacking known as "phone phreaking"; since the technique is used to fish for information, it became known as phishing.

Early Phishing on AOL

Those that phished on AOL during the 1990s originally created accounts on AOL with fake, algorithmically generated credit card numbers. The accounts would last weeks to months and then they would have to make new ones. Eventually AOL adopted tougher regulations for their system in late 1995 to prevent this from happening, and as a result of this early AOL phishers that created the fake accounts resorted to phishing for legitimate AOL accounts.

Phishing on AOL was closely associated with the warez community that exchanged pirated software. However, in 1997 AOL's policy with respect to phishing and warez became stricter and forced pirated software off AOL servers. Also, around that time phishing was so prevalent on AOL that AOL added a line on all instant messages that said that "no one working at AOL will ask for your password or billing information". Despite this, phishing for both continued to work. Around that time as well, AOL developed a system to quickly deactivate any account phishing — booting them offline often before their phishes could respond, so that they then lost more accounts phishing than they gained. The phishers eventually attempted to get around this problem by moving to AOL Instant Messenger (AIM), and the phishers did this because they could not be banned on the AIM server.

The shutting down of the warez scene on AOL caused most phishers to leave the service. In addition, the phishers themselves eventually grew older (many were young teens) and acquired jobs to pay for an Internet Service Provider legitimately.

Both phishing and warezing on AOL generally required special programs, and if these programs were popular, their creators, always going by aliases, became well-known in these circles. The first program well-known for phishing, warez, and other disruptive activities on AOL was AOHell.

Attempts after AOL

File:Ufng007724.gif

The webcomic Userfriendly illustrates an example of Phishers mimicking banks.

In one popular method of phishing, the attacker attempts to utilize the bank/service's own scripts against its victim. These types of attacks are particularly problematic because they actually direct the user to sign in at their bank/service's own web pages, where everything from the internet address (URL) to the security certificates (SSL certificate) appears correct. In this attack method, users will receive a message saying that they have to "verify" their account. In the message, there will be a link to what appears to be an authentic website, as the one below. In reality, the link is a fake.

(hover your mouse over this link to see the spoofed URL.)

(Address changed to protect the reader. Explanation: this link uses the IP 127.0.0.1 — the user's own computer — as an example. The page will authenticate as the user rightfully in eBay, but then forward the authenticated request to another domain/server. Phishers will change this to their own server where they specially craft a page to steal user details.) A user who is contacted about an account needing to be "verified" should contact the company directly or type in the address for their webpage in the address bar. Typing the address in the address bar will prevent the phishing attempt from succeeding. Furthermore, many companies, including eBay and PayPal, always address their customers by their username in e-mails. If an e-mail addresses a user by a generic denomination, for example, "Dear valued eBay member", it is definitely fake, an attempt at phishing.

An address containing the "@" symbol, for example, http://www.google.com@members.tripod.com/, should be dealt with cautiously. These addresses attempt to connect as a user www.google.com to the server members.tripod.com. This is very likely to succeed even if the user does not exist, and the first part of the link may look legitimate. The same is true for misspelled URLs or subdomains, such as http://www.yourfavbankdomain.com.spamdomain.net, for example.

The security group, Secunia, issued security advisories involving problems with the Internationalized domain names (IDN). The issue reported concerns the web browser's vulnerability to IDN spoofing^[1], based on the IDN homograph attacks identified by Eric Johanson^[2]. People who use web browsers that implement IDN are affected. There has been claim from some websites that Internet Explorer is safe from this issue. This is misleading, since Internet Explorer has not implemented IDN, and the Verisign IDN plug-in is affected^[3]. Mozilla developers Darin Fisher and Ben Goodger argue that ICANN (Internet Corporation for Assigned Names and Numbers) should prevent the registration of malicious domain names. The IDN bug was partially fixed in Mozilla and Mozilla Firefox in 24 hours after the bug was announced publicly^[4]. Apple later fixed this flaw in Safari ^[5].

Phishing examples

Paypal Phishing Example

The following is an example of a phishing e-mail.

Under the yellow box that says "click here to verify your account" there is an IP address in the hyperlink. The IP address in the hyperlink is one sign that of a phishing attempt.
Also Notice that there are spelling mistakes in the email, for example, ..no choise but to temporaly suspend your account.

File:Paypal Phishing.jpg

---

SouthTrust Bank Example

Another phishing example.

In this example, the phisher used an image to make it harder for anti-phishing scanners to detect.

From: SouthTrust <support_id_99583160@southtrust.com>

To:: xxxxxx@yyyyy.com.br

Subject: SouthTrust Bank: Important Notification

Date: Thu, 16 Jun 2005 23:56:30 -0200 (22:56 BRT)

File:Phishing-Email-Image-Bank.gif

---

LaSalle Bank example

Another phishing example using an image.

This image method is generally used to confuse anti-phishing/anti-spam software in addition to the unsuspecting victim. Note that besides the bank's name and copyright information, the rest of the body of the message is exactly the same as Phishing Example 2.

From: LaSalle Bank

Subject: Attention To All LaSalle Bank Clients

File:Phishing-Email-Image-Bank2.png

Damage Caused by Phishing

A chart showing the increase in Phishing reports from October 2004 to June 2005.

The damage caused by phishing ranges from a user not able to access their email to losing all the money in their bank account. This style of identity theft is becoming more popular, because unsuspecting people are divulging personal information to phishers, including credit card numbers and social security numbers. All phishers need to do is to obtain a user's personal information from one of their phishing attacks. Once this information is acquired, the phishers can use a person's private information anyway they desire. They can create fake accounts in a victim's name, ruin a victim's credit, they can even prevent victims from accessing their own accounts that were phished.

Financially, Phishing costs people millions of dollars a year. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing. The estimated total of the losses is approximately $929 million USD. Furthermore, U.S. businesses lose an estimated $2 billion USD a year as their clients become victims.^[6] England also suffers from the immense increase in phishing. In March 2005, the amount of money lost in England was approximately £504 million GBP.^[7]

Anti-Phishing

There are several different techniques to combat "phishing". In addition, there is also legislation and technology created specifically to target phishing.

Response from the industry

One strategy for combating phishing is to have industries give more training to users on how to deal with phishing attempts. In order to do this, many IT specialists send out e-mails masquerading as phishers who are attempting to appear as legitimate senders. This tactic, called Spear Phishing, is used to train users at various locations, including West Point Military Academy. In a June 2004 experiment with spear phishing, 500 West Point Cadets were sent a fake e-mail. 80% of them got tricked into giving up their personal information and were given a "gotcha" message informing them that this could have been a real attempt.^[8]

Several anti-phishing software programs are available; the programs work by identifying phishing contents on websites and emails. Anti-phishing software is often integrated with web browsers and email clients as a toolbar that displays the real domain name for the visiting website. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive.

Many organizations, including Bank of America, have introduced a feature called challenge questions to their systems. Challenge questions ask the user a question, which, along with the answer, would only be the knowledge of the user and the bank. Also, many sites added a verification tool that allowed users, upon request, to see a secret image that the user selected in advance. If the image did not appear, then the site is not legit.^[9]

The Anti-Phishing Working Group, a pan-industrial and law enforcement association, has noted that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers.^[10] They propose that pharming and crimeware will become more common tools for stealing information.

Response by authorities

On January 26, 2004, the FTC's (Federal Trade Commission) filed the first lawsuit against a suspected phisher. The defendant, a teenage California boy, supposedly created and used a webpage that he designed to look like the America Online website so that he could con people out of their credit card numbers.^[11] Europe and Brazil both eventually followed the lead of the U.S. by tracing and arresting phishers. In late March 2005, a 24-year-old Estonian man was arrested for using a Trojan horse, which was a keylogger that allowed him to monitor what users typed after they visited his fake website that installed the malicious program on their computers.^[12] Likewise, authorities later arrested a phishing kingpin, Valdir Paulo de Almeida, for leading one of the largest phishing crime rings, which in 2 years stole between $18 and $37 million USD.^[13]

In the United States, Democrat Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The federal anti-phishing bill proposes that those criminals who create fake Web sites and spam bogus e-mails in order to defraud consumers could receive a fine up to $250,000 and receive a sentence in jail time of terms up to five years.^[14]

Microsoft also joined the effort to crack down on phishing. On March 31, 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of using various different methods to obtain passwords and confidential information about people. They hope to use these lawsuits to uncover some of the largest phishing operators. March 2005 also saw Microsoft partnering with the Australian government to teach law enforcement officials how to combat various cyber crimes, including phishing.^[15]

See also

• Anti-phishing software
• Computer insecurity (what can be done about various insecurities on a system that was not designed with good Computer security.)
• Computer security audit (inexpensive way to inspect a computer system, and practices of its users, to locate spectrum of insecurities or certify well protected from the risks.)
• Pharming
• Social_engineering_(computer_security)

References

1. ^ Template:Web reference author
2. ^ Template:Web reference author
3. ^ Template:Web reference author
4. ^ Template:Web reference simple
5. ^ "About Safari International Domain Name support". March 21, 2005. {{cite news}}: Unknown parameter |org= ignored (help)
6. ^ Kerstein, Paul (July 19, 2005). "How Can We Stop Phishing and Pharming Scams?". {{cite news}}: Unknown parameter |org= ignored (help)
7. ^ Richardson, Tim (May 3, 2005). "Brits fall prey to phishing". {{cite news}}: Unknown parameter |org= ignored (help)
8. ^ Bank, David (August 17, 2005). "'Spear Phishing' Tests Educate People About Online Scams". {{cite news}}: Unknown parameter |org= ignored (help)
9. ^ "Security: Bank to Require More Than Passwords". July 14, 2005. {{cite news}}: Unknown parameter |org= ignored (help)
10. ^ Kawamoto, Dawn (August 4, 2005). "Faced with a rise in so-called pharming and crimeware attacks, the Anti-Phishing Working Group will expand its charter to include these emerging threats". {{cite news}}: Unknown parameter |org= ignored (help)
11. ^ Legon, Jeordan (January 26, 2004). "'Phishing' scams reel in your identity". {{cite news}}: Unknown parameter |org= ignored (help)
12. ^ Leyden, John (April 4, 2005). "Trojan phishing suspect hauled in". {{cite news}}: Unknown parameter |org= ignored (help)
13. ^ Leyden, John (March 21, 2005). "Brazilian cops net 'phishing kingpin'". {{cite news}}: Unknown parameter |org= ignored (help)
14. ^ "Phishers Would Face 5 Years Under New Bill". March 2, 2005. {{cite news}}: Unknown parameter |org= ignored (help)
15. ^ Template:Web reference simple
16. Richardson, Chris (March 3, 2005). "New Phishing Law Could Net Offenders 5 Years". {{cite news}}: Unknown parameter |org= ignored (help) (also cites Information Week, "Phishers Would Face 5 Years Under New Bill", March 3 2005)
17. "Security: Phishing and Pharming". June 22, 2005. {{cite news}}: Unknown parameter |org= ignored (help)

External links

Phishing information

• Anti-Phishing Working Group - 'Monthly news from the net about phishing, last news posted February 2005.'
• Spamfo.co.uk - 'Articles and contemporary news items relating to phishing and internet scams.'
• Trust Management for Humans - 'Explains the design flaw in the WWW that enables phishing and provides a simple solution to the problem.'
• Phishing Scams - 'Contains various articles about phishing news.'
• Bank Safe Online - 'Advice to UK consumers regarding phishing.'
• U. S. Banker | A Phish Story - February 2005 - 'Article about phishing.'
• Know Your Enemy: Phishing - 'Case study from the Honeynet Project on detailed techniques of a couple of phishers.'
• Gallery of Phishing Messages - 'Examples claiming to come from banks, credit card companies, and auction houses.'

Anti-phishing

• Online survey tool by MailFrontier - 'Measures ability of users to distinguish e-mail that is legitimate or "phish".'
• Network World - 'Editorial on Complex and Simple Anti Phishing Technologies.'
• Network Appliance, Inc. Phishing Survey 2004 (PDF) - 'Tools and tips of how to protect yourself from phishing.'
• Windowsecurity - 'How to Avoid Phishing Scams.'
• FTC - 'How Not to Get Hooked by a Phishing Scam.'

Legislation

• Computer Crime Research Center - 'Plugging the "phishing" hole: legislation versus technology.'