Search

The Online Encyclopedia and Dictionary

 
     
 

Encyclopedia

Dictionary

Quotes

 

Phishing


In computing, phishing is the act of attempting to fraudulently acquire through deception sensitive personal information such as passwords and credit card details by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information. It is a form of social engineering attack. (See an example.)

The term was coined in the mid 1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.

There is also an Irish IRC network called Phishy, although it predates the use of that term for anything illegal.

Contents

Usage

The term "phishing" is sometimes said to stand for password harvesting fishing, though this is likely a backronym. The cracker community tends to use creative spellings as a sort of jargon, and coinages such as warez have even escaped into more mainstream usages. The term phreaking, which refers to gaining access to telephone networks, most likely influenced the spelling of the term. Still other theories accredit the term "phishing" to originate from the name "Brien Phish" who was the first to allegedly use psychological techniques to steal credit card numbers in the 1980s. Others believe that "Brien Phish" was not a real person but a fictional character used by scammers to identify each other. Another, more recent theory credits the nature of the attacks, in which one is fishing, metaphorically, for an unsuspecting user's information.

Today, online criminals put phishing to more directly profitable uses. Popular targets are users of online banking services, and auction sites such as eBay. Phishers usually work by sending out e-mail spam to large numbers of potential victims. These direct the recipient to a Web page which appears to belong to their online bank, for instance, but in fact captures their account information for the phisher's use.

Typically, a phishing email will appear to come from a trustworthy company and contain a subject and message intended to alarm the recipient into taking action. A common approach is to tell the recipient that their account has been deactivated due to a problem and inform them that they must take action to re-activate their account. The user is provided with a convenient link in the same email that takes the email recipient to a fake webpage appearing to be that of a trustworthy company. Once at that page, the user enters her personal information which is then captured by the fraudster..

URL spoofing

There are several types of URL spoofing [1]:

  1. An IP address, e.g. http://192.168.1.1/
    This relies on the user ignoring the URL bar completely, or being confused by its complexity.
  2. A completely different domain, e.g. https://www.randomdomain.com/
    This relies on the user just not looking at the domain at all.
  3. A plausible-sounding but fake domain, e.g. https://www.paypal-secure.com
    This relies on the user not knowing their exact destination.
  4. A visible-to-the-eye letter substitution, e.g. https://www.paypa1.com
    This relies on the user not looking too closely at individual letters.
  5. An invisible letter substitution (punycode attack) by making use of fault in IDN, e.g. https://www.xn--pypal-4ve.com
    This sort are currently almost undetectable.
  6. An address with username that looks like a domain name, e.g. http://[email protected]
  7. An address that uses wildcard DNS record characters to disguise the domain name [2]. Some examples include:
    http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/
    http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2
    http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/

Checking the URL in the address bar of the browser may not be sufficient, as, in some browsers, that can be faked as well. However, the file properties feature of several popular browsers may disclose the real URL of the fake webpage.

Additional attack methods

Besides URL spoofing, it is also possible for the attacker to utilize the bank/service's own scripts against them. These attacks are particularly problematic because they actually direct the user to sign in at their bank/service's own web pages, where everything from the URL to the SSL certificate are correct. Example: [3] (address changed to protect the reader) While clicking on this link brings you to eBay's site to log in, it then forwards the authenticated request to another domain/server, where the hacker's harvesting script is potentially waiting for this information.

If you are contacted about an account needing to be "verified," you should contact the company directly, or type in the address for their webpage.

Be especially concerned about an address containing the "@" symbol, for example http://[email protected]/. These addresses will attempt to connect as a user www.google.com to the server members.tripod.com. This will very likely succeed even if the user does not exist, and the first part of the link may look legitimate. The same is true for misspelled URLs or subdomains, for example http://www.yourfavbankdomain.com.spamdomain.net.

Secunia has issued a security advisory on the IDN spoofing issue [4], based on the IDN homograph attacks identified by Eric Johanson [5]. Users of web browsers that implement IDN are affected. Some websites have noted that Internet Explorer is safe from this issue. This is misleading, since Internet Explorer has not implemented IDN, and the Verisign IDN plug-in is affected [6]. Mozilla developers Darin Fisher and Ben Goodger point out that ICANN should prevent the registration of malicious domain names. The IDN bug was partially fixed in Mozilla and Mozilla Firefox in 24 hours after the bug was announced publicly [7]. A simple application called "IDNSnitch" was also created as a defense for Safari [8].

Also, some companies like eBay and PayPal always address you by your username in e-mails. If an e-mail addresses you by a generic denomination, for example "Dear valued eBay member", it is definitely fake, an attempt at phishing.

Phishing Example

The following is an example of a phishing e-mail.

From: eBay Billing Department <[email protected]>

To: [email protected]

Subject: Important Notification

Register for eBay
Dear valued customer Need Help?
We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.

Regards,Safeharbor Department eBay, Inc
The eBay team.
This is an automatic message. Please do not reply.

Response by authorities

In the United States, Democrat Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The federal anti-phishing bill proposes that those criminals who create fake Web sites and spam bogus e-mails in order to defraud consumers could be fined up to $250,000 and have jail terms of up to five years imposed upon them (Information Week , March 2, 2005).

Microsoft has joined in on the effort to crack down on phishing. On March 31, 2005 Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of using various different methods to obtain passwords and confidential information about people. They hope to use these lawsuits to uncover some of the largest phishing operators.

See also


References

  • (also cites InformationWeek , "Phishers Would Face 5 Years Under New Bill", March 2, 2005)

External links

The contents of this article are licensed from Wikipedia.org under the GNU Free Documentation License. How to see transparent copy