Phishing is the attempt to steal personal details such as user IDs, passwords and similar credentials by posing as a real person or institution in a cyber environment. Communications that appear to come from auction sites, social web pages, internet payment services or IT administrators are most commonly used to entice general users. Phishers use various channels to carry out phishing, for example instant messaging and email from fake accounts. All these messages are designed to direct unsuspecting users who click on the link in the email or chat window to a fake website that looks similar to the original site.
Motives Of Phishing
The primary purpose of phishing is to hack the user IDs and passwords of users for the personal benefit of the hacker. For example, a hacked user ID and password for a net banking site can be misused to withdraw and transfer money to the hacker's account, while a hacked user ID and password for a social networking site can be used to access the user's personal information, with the added possibility of sending malware to all the contacts on the site.
Recent Phishing Attacks
Recent phishing victims include Best Buy, eBay and Charlotte's Bank of America, where customers were redirected to internet pages that closely resembled the company's web site. Facebook (a social networking site) users have faced a new phishing fraud that can crash users' computers and mobile phones and steal their passwords.
The first step towards compromise of a Facebook user's sensitive information occurs when they click on the link provided in the spam message; clicking on the link leads the user to what appears to be a Facebook login page. If the user logs in to the site, the site steals the email address and password and sends the same message to the user's entire contacts/friends list.
Mechanism/Methodology Of Phishing
The mechanism of phishing is simple to understand. Hackers capture the user ID and password of unaware users by 'luring' them to a site that is exactly like the site the user intends to visit, except for the web address. The most common method is to send an anxious-sounding email to the user containing a fraudulent but innocent-looking Uniform Resource Locator (URL); the user clicks it and reaches a login page that captures the user's ID and password to be misused immediately or in the future. The captured password is changed immediately so that the user cannot log in for the immediate future and the hacker gets ample time to misuse the account.
It seems quite naive that people fall into such traps, but humans have a built-in reaction to seemingly important things. Emails with subject lines cleverly worded to induce anxiety are meant to prompt urgent action. There has been a lot of research on the subject, especially by banks offering internet banking and credit card companies offering online payment features. Phishing has permeated common life so much that all sites, including corporate and government ones, are proactively communicating to their users about the risks associated with phishing attacks.
The phishing method in which an email with a link to the hacker's site is sent to unsuspecting users is called link manipulation. The link is designed to look like that of a genuine site, so a general user takes it to be correct. Misspellings that resemble genuine URLs, and the use of subdomains, are frequent tricks used in phishing.
Let us take the example of a URL, http://www.bestbank.bankingdomain.com/. Users perceive the URL as linking to a 'bankingdomain' section of the bestbank site; in reality, the registered domain is bankingdomain.com, and 'bestbank' is merely a subdomain set up under it, which is the phishing part of the example website.
Another common trap is to make the visible part of a link seem valid while the link itself is redirected to the fraudster's site. The knowledgestore link in the following example, http://knowledgestore/True, seems to open an article titled "True", even though the simple act of clicking on the link will open the article entitled "False".
Another, not so new, method of phishing uses the technique of including an '@' symbol in the link. For instance, the URL http://www.travelcity.com@members.gmail.com/ might fool an inattentive observer into trusting that the link leads to www.travelcity.com, while in reality the user is redirected to one of the web pages on members.gmail.com, with 'www.travelcity.com' supplied as the user ID; the page opens normally and so does not raise any suspicion. Mozilla Firefox and Opera control these URLs by prompting a warning message that lets the user choose whether to continue browsing or cancel the operation, while they are disabled in Internet Explorer.
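The three link-manipulation tricks above (a brand name used only as a subdomain, link text that names a different site than the link target, and a trusted name placed in the userinfo part before '@') can all be checked mechanically by a mail gateway or an awareness tool. The following Python script is an added example written for this article, not code from the original page; it uses only the standard library, and the protected brand list and the sample HTML email are constructed for the demonstration. The two-label "registrable domain" rule is a simplification of the public suffix list that is sufficient for the .com-style names used here.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed for this example: brand names a defender wants to protect, mapped
# to the registrable domain the brand really uses.
PROTECTED_BRANDS = {"bestbank": "bestbank.com", "travelcity": "travelcity.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (simplified public-suffix rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> List[str]:
    """Return human-readable findings for the URL tricks described in the text."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    username = parts.username or ""
    # '@' trick: anything before '@' is userinfo, not the destination host.
    if parts.username is not None:
        findings.append(f"userinfo '{username}@' hides real host '{host}'")
    # Subdomain trick: the brand appears in the name, but the registrable
    # domain (what the phisher actually registered) is someone else's.
    reg = registrable_domain(host)
    for brand, real in PROTECTED_BRANDS.items():
        if (brand in host or brand in username) and reg != real:
            findings.append(
                f"brand '{brand}' in link but registrable domain is '{reg}', not '{real}'"
            )
    return findings


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_html(html: str) -> List[Tuple[str, str, List[str]]]:
    """For every link in an HTML email, return (text, href, findings)."""
    collector = AnchorCollector()
    collector.feed(html)
    results = []
    for text, href in collector.anchors:
        findings = analyze_url(href)
        # Link-text trick: the visible text names a site, but the href's
        # registrable domain is a different one.
        if " " not in text:
            text_host = urlsplit(text if "://" in text else "http://" + text).hostname or ""
            href_host = urlsplit(href).hostname or ""
            if "." in text_host and registrable_domain(text_host) != registrable_domain(href_host):
                findings.append(f"link text '{text}' but href goes to '{href_host}'")
        results.append((text, href, findings))
    return results


# Constructed sample phishing email body illustrating all three tricks plus one
# legitimate link.
SAMPLE_EMAIL = """
<p>Your account will be locked. Log in at
<a href="http://www.bestbank.bankingdomain.com/login">www.bestbank.com</a></p>
<p>Travel offer: <a href="http://www.travelcity.com@members.gmail.com/">www.travelcity.com</a></p>
<p>Questions? Visit our <a href="https://www.bestbank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for text, href, findings in analyze_html(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if findings else "ok"
        print(f"[{status}] '{text}' -> {href}")
        for f in findings:
            print("   -", f)
```

Run stand-alone, the script marks the first two links as suspicious (the subdomain trick, the text/target mismatch, and the userinfo trick are each reported separately) and the help-centre link as clean. In a real gateway the brand list would come from configuration and the registrable-domain check from a proper public suffix library.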
Some phishers use JavaScript commands to modify the address bar in Internet Explorer in different ways, such as placing an image of a genuine URL over the fake address bar. In some cases, the genuine Internet Explorer address bar may be completely removed. Thus, the deception is far from over even after the user has clicked on the fraudulent link. Experts in animation do something similar by hiding the real text behind multimedia Flash animations. The end objective is to make the user believe that the site he or she is trying to access is the genuine site and that any information shared on it is secure and will not be leaked. As soon as the user trusts the look and feel of the site, he or she is deceived into entering a user ID and password, which is the point at which the trick succeeds.
Sometimes, phishers make use of flaws in a website's own scripts to trap visitors. These cross-site scripting issues pose a big problem, as they redirect users to log in on a web page where all the visual features appear to be correct. In reality, the web page's link has been modified, though this is very difficult to spot without training in this area.
Another variation of the above attack is where the user is forwarded to the legitimate website of the net banking or credit card site, but just before the site opens, a pop-up window appears requesting the user's logon credentials. The unsuspecting user provides the information on the presumption that the bank is asking for it. This can be made even more dangerous by incorporating an urgent-sounding message, such as: "Please reset your password or your account is at risk of being locked."
Impact Of Phishing
According to one cyber expert, measured by successful infection rate, malware disseminated through email is 10 times less effective than malware spread through social networking sites. Phishing can cause substantial financial losses as well as denial of access to email. In the year 2007, approximately 3.6 million phishing attacks took place. These attacks resulted in a loss of approximately USD 3.0 billion over the 12 months up to August 2007.
According to Microsoft, phishing losses are exaggerated; it estimates that the US suffers a phishing loss of approximately USD 60 million. In the UK, web-banking fraud was responsible for losses that rose to almost £23.0m in 2005, from £12.0m in 2004, attributed mainly to phishing attacks. One out of every 20 computer users acknowledged having been affected by phishing in 2005. According to UK banking industry estimates, customers need to take appropriate proactive measures to protect themselves from phishing, and must also ensure that they are not sitting ducks for phishing crimes. In a similar vein, Bank of Ireland's first reaction was to decline to cover losses suffered by its customers amounting to €11,000. The bank still refuses to acknowledge that it is its responsibility to ensure that its sites are secure for customers, and instead puts the blame squarely on customers who are affected by phishing attacks and suffer losses.