Abstract:
Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using e-mail or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures. Some phishing sites also disguise their true address, either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.
Introduction to phishing:
Phishing is any process designed to elicit personal data from the targeted victim (phishing is also known as carding or brand spoofing). This is often done via e-mail. A common scenario could involve the perpetrator setting up a fake Web site that is designed to look like the Web site of a legitimate financial institution (a bank, credit-card company, etc.). When someone clicks the link, he or she is taken to the fake Web site; when the victim enters his or her login information to verify the account, that person provides the perpetrator with his or her username and password. The perpetrator can then log on to the victim's real account and steal funds.
Phishing is a form of social engineering in which an attacker (also known as a phisher) attempts to fraudulently retrieve legitimate users' confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automated fashion.
The word phishing is an evolution of the word fishing; hackers frequently replace the letter F with the letters PH in a typed hacker dialect.
Note:
To combat phishing, many credit-card companies and banks are adding mechanisms whereby consumers can verify that they are visiting the real site, not a fake one.
History:
The history of phishing starts in the early 1990s on the America Online (AOL) network. At the time, many hackers would create false AOL user accounts by registering with a fake identity and providing an automatically generated, fraudulent credit card number. Although the credit card numbers did not correspond to actual cards, any more than the made-up identity corresponded to a real person, they would pass the simple validity tests on credit card numbers that were performed by AOL, leaving AOL to believe that they were legitimate. The 1990s marked a real change in computer crimes. The first change was on the side of the hackers: basic hacking skills became more prevalent, and the Internet was more accessible to more people.
Process of phishing:
The process of building a successful phishing site consists of the following steps:
1- Register a fake domain name.
2- Build a look alike website.
3- Send e-mails to many users.
The attacker registers a domain name that looks similar to the site whose customers are to be phished. The phisher tries to register a domain name that is as close to the domain name of the legitimate site as possible. For example, if the original site is www.abcbank.com, the phisher chooses a name that resembles it, so that the user might think it is the original URL.
Then the attacker copies the original content of the HTML page into his or her own copy of the web page. Phishers will reference images on the original site in their HTML. When the user loads images from a phishing web site, the browser actually acquires the images from the original site.
Finally, when the phishing web site is ready, the attacker sends e-mails to his or her potential victims. The phisher avoids e-mails bouncing back due to invalid To or From addresses by using valid user IDs. When the recipient opens the mail, he or she is greeted with a compelling offer prompting him or her to open the link to the phisher's web site.
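Because the copied page pulls its images from the real site (step 2 above), the legitimate site's own web server logs record those fetches with a foreign Referer, which gives the defender an early signal that a clone is live. The following is an added example, not from the original report: it scans constructed access-log lines for image requests referred from other domains and scores each such domain's edit distance from the real one (step 1's lookalike name). The domain abcbank.com follows the report's own example; every other host, address and path is made up.

```python
import re
from urllib.parse import urlparse

# Hypothetical legitimate site, taken from the report's www.abcbank.com example.
LEGIT_DOMAIN = "abcbank.com"
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".ico", ".svg")
# Apache/nginx "combined" log format: client - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def edit_distance(a, b):
    """Levenshtein distance; a small value against LEGIT_DOMAIN marks a lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Crude registrable domain: the last two labels (adequate for the .com names used here).
    return ".".join(host.lower().split(".")[-2:])

def suspected_clones(log_lines, legit=LEGIT_DOMAIN):
    """Map each foreign Referer host hotlinking our images to (image hits, distance from legit)."""
    found = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").lower().endswith(IMAGE_EXT):
            continue  # only image fetches reveal a copied page rendering elsewhere
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # no Referer: typed in directly or stripped by the browser
        host = urlparse(referer).hostname or ""
        if not host or registrable(host) == legit:
            continue  # our own pages embedding our own images is normal
        hits, _ = found.get(host, (0, 0))
        found[host] = (hits + 1, edit_distance(registrable(host), legit))
    return found

# Constructed sample log lines; addresses and hosts are made up for the example.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.abcbank.com/login" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Oct/2023:13:56:01 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "http://abcbnak.com/verify.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /img/lock.gif HTTP/1.1" 200 812 "http://abcbnak.com/verify.html" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:58:00 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running `suspected_clones(SAMPLE_LOG)` on the sample yields only the made-up host abcbnak.com, with two hotlinked image hits and an edit distance of 2 from abcbank.com; a real deployment would feed it the live log tail and alert on any new foreign host.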
Phishing methods:
1-E-mail and spam:
In most phishing campaigns, phishers send millions of e-mails to valid e-mail addresses using the techniques and tools used by spammers. Phishers use a number of techniques to make their e-mail appear legitimate. Often, phishers format their e-mail as HTML because it is easier to disguise the URLs that they link to; e-mails may also have viruses or worms attached to them to exploit security holes.
2-Web based delivery:
This type of attack is carried out by targeting customers through a third-party web site.
3-IRC and instant messaging:
IRC and IM clients allow for embedded dynamic content. IRC and IM support the sharing of content among the channel participants.
4-Trojaned hosts:
Trojaned hosts give phishers complete access to the host computer.
Techniques used by phishing attackers:
Phishing is simply the process of sending e-mails to a wide range of recipients, wherein the e-mails purport to be from some legitimate source and entice the recipient to either supply personal information or follow a link in the e-mail to a Web site to provide personal information. The most common scenario is that the e-mail will purport to be from a bank or credit-card company and inform you there is some problem with your account. You will then be asked to click on a link to log in to your account. The link will actually take you to a different Web site made to look like a legitimate financial institution. Once there, if you do log on, you will have just given your username and password to the identity thief.
How would an enterprising identity thief go about setting up and executing this sort of scam?
The first step is to establish a server to host the phishing Web site. Obviously, the perpetrator does not want to simply go to his or her Internet service provider and arrange for hosting service; this would make eventual capture and conviction a foregone conclusion. So how do they set up a Web server that cannot be traced back to them? There are primarily two ways this is done.
In the first method, the perpetrator uses a prepaid Visa card to purchase Web hosting on a commonly used hosting service, preferably one outside the country he or she will be targeting. The second method is to hack into any server anywhere that has poor security. The perpetrator can then use that server to host his or her phishing Web site. Should authorities track the phishing scheme back to the server, they will find its owners to be unwitting accomplices with no knowledge of the scheme.
The second method is actually more common than you might think; there are so many poorly secured servers that it is generally not a particularly difficult task to find one that can be compromised.
Countermeasures against phishing attacks:
To learn how to protect yourself from identity theft, we examine each technique that identity thieves use and then the specific countermeasures for that technique. We also examine what you should do if you think you have been the victim of identity theft.
Phishing is a criminal, fraudulent attempt to get you to provide the perpetrator with personal information that can be used to steal your identity. Phishing uses spoofed e-mail and web sites to try to lure the victim into divulging personal data. This is the most common way phishing is perpetrated, and it is also the easiest to defend against.
Phishing E-mails:
A phishing e-mail will purport to be from a legitimate source. It will try to convince you that there is a problem with a particular account and that, in order to correct the mistake, you have to click on the link in the e-mail and fill out some form. But rather than take you to a legitimate site, the link will take you to a site set up by the criminals in order to gather your personal information.
Phishing Web Sites:
Web sites play an important role in phishing scams. The most common way is for the Web site to be the destination of the link in a phishing e-mail. Even if you do follow a link to a Web site, there are ways you can tell if the site is legitimate. One such way that is becoming increasingly popular with financial institutions is the site key. The way a site key works is that when you open an account you are asked to select an image from a random group of images, and then to select a pass phrase, which can be anything you want. Then when you log in to the Web site, the first step is to enter just your ID, not your password. After your ID is entered, the Web site will show you your image and pass phrase; this is your site key.
A Prevention and Reporting Checklist for Phishing Schemes
One of the most basic measures that government and the private sector are taking to protect the public from phishing is the provision of specific advice to the public about how to avoid phishing schemes and how to report them. It is important to note that, according to a recent phishing study by researchers at Harvard University and the University of California at Berkeley, good phishing websites fooled 90 percent of the participants, nearly one-quarter of the participants did not look at existing anti-phishing visual cues (e.g., security indicators), and some visual deception [phishing] attacks can fool even the most sophisticated users.
1. Prevention: What to Do
Protect your computer with anti-virus software, spyware filters, e-mail filters, and firewall programs, and make sure that they are regularly updated.
   o Consider installing a Web browser toolbar to help protect you from known phishing fraud websites. (Check with your browser or e-mail provider for such toolbars.)
Ensure that your Internet browser is up to date and that security patches have been applied.
   o In particular, people who use the Microsoft Internet Explorer browser should immediately go to the Microsoft Security home page http://www.microsoft.com/security/ to download a special patch relating to certain phishing schemes.
Be suspicious of any e-mail with urgent requests for personal financial information or threats of termination of online accounts.
   o Unless the e-mail is digitally signed, you can't be sure it wasn't forged or spoofed.
   o Phishers typically ask for information such as usernames, passwords, credit card numbers, social security numbers, etc.
   o Phisher e-mails are typically not personalized, while valid messages from your bank or e-commerce company generally are.
When contacting your financial institution, use only channels that you know from independent sources are reliable (e.g., information on your bank card, hard-copy correspondence, or monthly account statement), and don't rely on links contained in e-mails, even if the web address appears to be correct.
Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser.
   o To make sure you're on a secure Web server, check the beginning of the Web address in your browser's address bar; it should be "https://" rather than just "http://".
Regularly log into your online accounts.
   o Don't leave them for as long as a month before you check each account.
Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
   o If anything is suspicious, contact your bank and all card issuers.
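The e-mail indicators in the checklist above (urgent requests or threats of termination, requests for credentials, messages that are not personalized) and the HTML trick described under the e-mail and spam method (link text that disguises the real URL) can all be checked mechanically before a message reaches the reader. The following is an added example, not from the original report, that applies those checks to a constructed sample message; the keyword lists and the hosts abcbank.com and abcbnak.com are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Indicators from the checklist, keyed by the wording used to report them.
WORD_CHECKS = {
    "urgent request or threat of account termination":
        ("urgent", "immediately", "suspended", "terminated", "within 24 hours"),
    "asks for credentials or card details":
        ("password", "social security", "credit card", "card number"),
    "not personalized (generic greeting)":
        ("dear customer", "dear valued customer", "dear user", "dear member"),
}
# Visible anchor text that names a host, e.g. "https://www.abcbank.com/login" or "abcbank.com".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
# Simple anchor matcher; enough for the flat HTML that mass-mailed phishing messages use.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def disguised_links(html):
    """Anchors whose visible text names one host but whose href goes to another host."""
    bad = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if not URL_LIKE.fullmatch(text):
            continue  # "Click here" style text has no host to compare with the href
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            bad.append((shown, real))
    return bad

def phishing_indicators(subject, body_html):
    """Return the checklist indicators present in one message (empty list if none)."""
    text = (subject + " " + re.sub(r"<[^>]+>", " ", body_html)).lower()
    hits = [label for label, words in WORD_CHECKS.items() if any(w in text for w in words)]
    hits += [f"link text shows {s} but points to {r}" for s, r in disguised_links(body_html)]
    return hits

# Constructed sample message; the hosts are made up for the example.
SAMPLE_SUBJECT = "Urgent: your account will be suspended"
SAMPLE_BODY = ('<p>Dear Valued Customer,</p><p>Verify your password within 24 hours or your '
               'account will be terminated.</p><p>Log in at <a href="http://abcbnak.com/'
               'verify.html">https://www.abcbank.com/login</a></p>')

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", hit)
```

On the sample message all four indicators fire, the last one reporting that the link text shows www.abcbank.com while the href points to abcbnak.com; a routine statement notice addressed to the customer by name reports nothing.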
2. Prevention: What Not to Do
Don't assume that you can correctly identify a website as legitimate just by looking at its general appearance.
Don't use the links in an e-mail to get to any web page, if you suspect the message might not be authentic.
   o Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.
Avoid filling out forms in e-mail messages or pop-up windows that ask for personal financial information.
   o You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
Rachna Dhamija, J. D. Tygar, et al., "Why Phishing Works", paper presented at CHI 2006, April 22-27, 2006, Montréal.
Conclusion:
Phishing is a serious problem, because it attempts to acquire sensitive information such as passwords and credit card details. There are steps you can take both to prevent identity theft and to deal with it once it has occurred, so it is critical that you learn the steps required to prevent identity theft and that you implement those steps.