Author Topic: Phishing, All You Need To Know  (Read 9524 times)

Offline Prince

Phishing, All You Need To Know
« on: March 12, 2008, 07:17:24 PM »
In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures. The first recorded mention of phishing is on the alt.online-service.america-online Usenet newsgroup on January 2, 1996, although the term may have appeared even earlier in the print edition of the ......er magazine 2600.

Recent phishing

More recent phishing attempts have targeted the customers of banks and online payment services. E-mails supposedly from the Internal Revenue Service have also been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately in the hope of finding a customer of a given bank or service, recent research has shown that phishers may in principle be able to establish what bank a potential victim has a relationship with, and then send an appropriate spoofed email to this victim. Targeted versions of phishing have been termed spear phishing. Social networking sites are also a target of phishing, since the personal details in such sites can be used in identity theft. Experiments show a success rate of over 70% for phishing attacks on social networks. In late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details.

Link manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.yourbank.com.example.com/. Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site.

An old method of spoofing links used links containing the @ symbol, originally intended as a way to include a username and password in a web link (contrary to the standard). For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that the link will open a page on www.google.com, whereas the link actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer, while the Mozilla and Opera web browsers opted to present a warning message and give users the option of continuing to the site or cancelling.

A further problem with URLs has been found in the handling of Internationalized domain names (IDN) in web browsers, that might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.

Website forgery

Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

In another popular method of phishing, an attacker uses a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without spe...t knowledge. Just such a flaw was used in 2006 against PayPal.

A Universal Man-in-the-Middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce any website and capture any login details entered at the fake site.

Phone phishing

Not all phishing attacks require a fake website. In an incident in 2006, messages that claimed to be from a bank told users to dial a phone number regarding a problem with their bank account. Once the phone number (owned by the phisher, and provided by a Voice over IP provider) was dialed, prompts told users to enter their account numbers and PIN.

Damage caused by phishing

The damage caused by phishing ranges from loss of access to email to substantial financial loss. This style of identity theft is becoming more popular, because of the ease with which unsuspecting people often divulge personal information to phishers, including credit card numbers, social security numbers, and mothers' maiden names. There are also fears that identity thieves can add such information to that they have gained through phishing simply by accessing public records. Once this information is acquired, the phishers may use a person's details to create fake accounts in a victim's name, ruin a victim's credit, or even prevent victims from accessing their own accounts.

It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims. In the United Kingdom, losses from web banking fraud, mostly from phishing, almost doubled to 23.2m in 2005, from 12.2m in 2004, while 1 in 20 users claimed to have lost out to phishing in 2005.
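
Added example, not part of the original post: a small Python link checker for the tricks listed under "Link manipulation" (text before an @ sign, a trusted name used as a subdomain, IDN look-alikes, and anchor text that names a different host than the link). The `TRUSTED` allowlist, the function names and the `.example`/`.net` sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the spoofed organisations really use (assumption).
TRUSTED = {"yourbank.com", "google.com"}

def real_host(url):
    """Host the browser will actually contact; anything before '@' is dropped."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_link(href, anchor_text=""):
    """Return a list of findings for one link taken from a message."""
    findings = []
    parts = urlsplit(href)
    host = real_host(href)

    # 1. Text before '@' is a username, not the site being visited.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' before @; real host is {host}")

    # 2. Trusted name embedded in a host that belongs to someone else,
    #    e.g. www.yourbank.com.example.com.
    if not any(belongs_to(host, d) for d in TRUSTED):
        for d in sorted(TRUSTED):
            if d in host:
                findings.append(f"'{d}' embedded in untrusted host {host}")

    # 3. IDN look-alikes: non-ASCII or punycode labels need a closer look.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append(f"internationalized host {host!r}; compare its punycode form")

    # 4. Anchor text that looks like a URL but names a different host.
    text = anchor_text.strip()
    if text.startswith(("http://", "https://", "www.")):
        shown = real_host(text if "://" in text else "http://" + text)
        if shown and shown != host:
            findings.append(f"anchor text shows {shown} but link goes to {host}")
    return findings

if __name__ == "__main__":
    for href, text in [
        ("http://www.yourbank.com.example.com/", ""),
        ("http://www.google.com@members.tripod.com/", ""),
        ("http://login.example.net/", "www.yourbank.com"),
    ]:
        print(href, "->", check_link(href, text))
```
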

Offline beibee

Re: Phishing, All You Need To Know
« Reply #1 on: April 19, 2008, 12:47:55 PM »


May we be delivered from the evil hands of phishers!