Science Fair Project Encyclopedia
In computing, phishing is the act of attempting to fraudulently acquire through deception sensitive personal information such as passwords and credit card details by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information. It is a form of social engineering attack. (See an example.)
The term was coined in the mid 1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.
The term "phishing" is sometimes said to stand for password harvesting fishing, though this is likely a backronym. The cracker community tends to use creative spellings as a sort of jargon, and coinages such as warez have even escaped into more mainstream usages. The term phreaking, which refers to gaining access to telephone networks, most likely influenced the spelling of the term. Still other theories accredit the term "phishing" to originate from the name "Brien Phish" who was the first to allegedly use psychological techniques to steal credit card numbers in the 1980s. Others believe that "Brien Phish" was not a real person but a fictional character used by scammers to identify each other. Another, more recent theory credits the nature of the attacks, in which one is fishing, metaphorically, for an unsuspecting user's information.
Today, online criminals put phishing to more directly profitable uses. Popular targets are users of online banking services, and auction sites such as eBay. Phishers usually work by sending out e-mail spam to large numbers of potential victims. These direct the recipient to a Web page which appears to belong to their online bank, for instance, but in fact captures their account information for the phisher's use.
Typically, a phishing email will appear to come from a trustworthy company and contain a subject and message intended to alarm the recipient into taking action. A common approach is to tell the recipient that their account has been deactivated due to a problem and inform them that they must take action to re-activate their account. The user is provided with a convenient link in the same email that takes the email recipient to a fake webpage appearing to be that of a trustworthy company. Once at that page, the user enters her personal information which is then captured by the fraudster..
There are several types of URL spoofing :
- An IP address, e.g. http://192.168.1.1/
This relies on the user ignoring the URL bar completely, or being confused by its complexity.
- A completely different domain, e.g. https://www.randomdomain.com/
This relies on the user just not looking at the domain at all.
- A plausible-sounding but fake domain, e.g. https://www.paypal-secure.com
This relies on the user not knowing their exact destination.
- A visible-to-the-eye letter substitution, e.g. https://www.paypa1.com
This relies on the user not looking too closely at individual letters.
- An invisible letter substitution (punycode attack) by making use of fault in IDN, e.g. https://www.xn--pypal-4ve.com
This sort are currently almost undetectable.
- An address with username that looks like a domain name, e.g. http://firstname.lastname@example.org
- An address that uses wildcard DNS record characters to disguise the domain name . Some examples include:
Checking the URL in the address bar of the browser may not be sufficient, as, in some browsers, that can be faked as well. However, the file properties feature of several popular browsers may disclose the real URL of the fake webpage.
Additional attack methods
Besides URL spoofing, it is also possible for the attacker to utilize the bank/service's own scripts against them. These attacks are particularly problematic because they actually direct the user to sign in at their bank/service's own web pages, where everything from the URL to the SSL certificate are correct. Example:  (address changed to protect the reader) While clicking on this link brings you to eBay's site to log in, it then forwards the authenticated request to another domain/server, where the hacker's harvesting script is potentially waiting for this information.
If you are contacted about an account needing to be "verified," you should contact the company directly, or type in the address for their webpage.
Be especially concerned about an address containing the "@" symbol, for example http://email@example.com/. These addresses will attempt to connect as a user www.google.com to the server members.tripod.com. This will very likely succeed even if the user does not exist, and the first part of the link may look legitimate. The same is true for misspelled URLs or subdomains, for example http://www.yourfavbankdomain.com.spamdomain.net.
Secunia has issued a security advisory on the IDN spoofing issue , based on the IDN homograph attacks identified by Eric Johanson . Users of web browsers that implement IDN are affected. Some websites have noted that Internet Explorer is safe from this issue. This is misleading, since Internet Explorer has not implemented IDN, and the Verisign IDN plug-in is affected . Mozilla developers Darin Fisher and Ben Goodger point out that ICANN should prevent the registration of malicious domain names. The IDN bug was partially fixed in Mozilla and Mozilla Firefox in 24 hours after the bug was announced publicly . A simple application called "IDNSnitch" was also created as a defense for Safari .
Also, some companies like eBay and PayPal always address you by your username in e-mails. If an e-mail addresses you by a generic denomination, for example "Dear valued eBay member", it is definitely fake, an attempt at phishing.
The following is an example of a phishing e-mail.
From: eBay Billing Department <firstname.lastname@example.org>
Subject: Important Notification
Register for eBay
Dear valued customer Need Help?
We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.
For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.
Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.
Regards,Safeharbor Department eBay, Inc
The eBay team.
This is an automatic message. Please do not reply.
Response by authorities
In the United States, Democrat Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The federal anti-phishing bill proposes that those criminals who create fake Web sites and spam bogus e-mails in order to defraud consumers could be fined up to $250,000 and have jail terms of up to five years imposed upon them (Information Week , March 2, 2005).
Microsoft has joined in on the effort to crack down on phishing. On March 31, 2005 Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of using various different methods to obtain passwords and confidential information about people. They hope to use these lawsuits to uncover some of the largest phishing operators.
- (also cites InformationWeek , "Phishers Would Face 5 Years Under New Bill", March 2, 2005)
- Gallery of Phishing Messages - Examples claiming to come from banks, credit card companies, and auction houses.
- Computer Crime Research Center - Plugging the "phishing" hole: legislation versus technology.
- Netcraft Toolbar - browser plugin that shows country, hosting location and longevity of sites and operates a community where the first people to receive a phishing attack can block it for everyone else using the toolbar.
- Online survey tool by MailFrontier - measures ability of users to distinguish e-mail that is legitimate or "phish".
- Example of e-mail used for phishing - an actual phishing message
- Anti-Phishing Working Group - Daily news from the net about phishing
- How to Avoid Phishing Scams
- FTC - How Not to Get Hooked by a Phishing Scam
- Adorons Easy Security Free software plug-in for Internet Explorer that disables phishing scripts.
- Fight Identity Theft - Phishing Samples
- www.Spamfo.co.uk- Articles and contemporary news items relating to phishing and internet scams
- Phishing alerts, news and reports - MillerSmiles.co.uk
- A Memo On Phishing: What You Need To Know Right Now
- Trust Management for Humans - Explains the design flaw in the WWW that enables phishing and provides a simple solution to the problem
- Spoofstick - A plug-in for Internet Explorer and Mozilla that displays the real un-spoofed address for the current site. Works in pop-up windows as well.
- ShareCube.com - Solutions for Banks and Financial institutions.
- Webopedia - Phishing details from Webopedia.
- Phishing Scams
- Bank Safe Online - Advice to UK consumers regarding phishing scams and more.
- GishPuppy.com - Using disposable email addressing (DEA) to spot phishing.
- U. S. Banker | A Phish Story - February 2005
- Network Appliance, Inc. Phishing Survey 2004 (PDF)
The contents of this article is licensed from www.wikipedia.org under the GNU Free Documentation License. Click here to see the transparent copy and copyright details