Phishing
|
In computing, phishing is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). It is a form of social engineering attack. (See an example (http://purl.org/net/tbc/misc/phish001.htm).) The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they "fish" for users' financial information and password data. The first mention on the Internet of phishing is on the alt.2600 hacker newsgroup in January 1996, however the term may have been used even earlier in the printed edition of the hacker newsletter "2600".
Contents |
Early History
The term was coined in the mid 1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.
"Ph" is a common hacker replacement for "f", and is a nod to the original form of hacking, known as "phone phreaking".
There is also an Irish IRC network called Phishy, although it predates the use of that term for anything illegal.
Early Phishing on AOL
Those who phished on AOL during the 1990s originally were getting on AOL with fake, algorithmically generated credit card numbers. The accounts would last weeks to months and then they would have to make new ones. To prevent this from happening, AOL adapted tougher regulations for their system in late 1995. As a result of this, the people who created the fake accounts resorted to phishing for legit AOL accounts. The phishing on AOL was closely associated with the warez community, that exchanged pirated software. However in 1997, AOL's policy with phishing and warez became stricter and forced pirated software off AOL servers. Around that time also, phishing was so prevalent on AOL that AOL added a line on all instant messages that said no one working at AOL will ask for your password or billing information — yet still despite this, phishing for both continued to work. Around that time as well, AOL developed a system to quickly deactivate any account phishing — booting them offline often before their phishes could respond, so they then lost more accounts phishing than they gained. The phishers attempted to get around this problem by phishing moving to AOL Instant Messenger(AIM). They made this move because they could not be banned on the server.
The shutting down of the warez scene on AOL caused most phishers to leave the service. Also, the phishers themselves eventually grew older (many were young teens) and got jobs to pay for an Internet Service Provider legitimately. Both phishing and warezing on AOL generally required special programs, and if these programs were popular, their creators, always going by aliases, became well-known in these circles. The first program well-known for phishing, warez, and other disruptive activities on AOL was AOHell.
Additional attack methods
Besides URL spoofing, it is also possible for the attacker to utilize the bank/service's own scripts against them. These attacks are particularly problematic because they actually direct the user to sign in at their bank/service's own web pages, where everything from the URL to the SSL certificate are correct. Example: [1] (https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F127.0.0.1%2FeBayISAPI.php&pageType=1883) (address changed to protect the reader) While clicking on this link brings you to eBay's site to log in, it then forwards the authenticated request to another domain/server, where the hacker's harvesting script is potentially waiting for this information.
If you are contacted about an account needing to be "verified," you should contact the company directly, or type in the address for their webpage.
Be especially concerned about an address containing the "@" symbol, for example http://www.google.com@members.tripod.com/. These addresses will attempt to connect as a user www.google.com to the server members.tripod.com. This will very likely succeed even if the user does not exist, and the first part of the link may look legitimate. The same is true for misspelled URLs or subdomains, for example http://www.yourfavbankdomain.com.spamdomain.net.
Secunia has issued a security advisory on the IDN spoofing issue [2] (http://secunia.com/advisories/14163/), based on the IDN homograph attacks identified by Eric Johanson [3] (http://www.shmoo.com/idn/homograph.txt). Users of web browsers that implement IDN are affected. Some websites have noted that Internet Explorer is safe from this issue. This is misleading, since Internet Explorer has not implemented IDN, and the Verisign IDN plug-in is affected [4] (http://secunia.com/advisories/14209/). Mozilla developers Darin Fisher and Ben Goodger point out that ICANN should prevent the registration of malicious domain names. The IDN bug was partially fixed in Mozilla and Mozilla Firefox in 24 hours after the bug was announced publicly [5] (http://www.boingboing.net/2005/02/08/mozilla_and_firefox_.html). Apple later fixed this flaw in Safari [6] (http://docs.info.apple.com/article.html?artnum=301116).
Also, some companies like eBay and PayPal always address you by your username in e-mails. If an e-mail addresses you by a generic denomination, for example "Dear valued eBay member", it is definitely fake, an attempt at phishing.
Phishing example
The following is an example of a phishing e-mail.
- From: eBay Billing Department <aw-confirm@ebay.com>
- To: xxx@aschool.edu
- Subject: Important Notification
- Register for eBay
- Dear valued customer
- Need Help?
- We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.
- For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.
- Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.
- Regards,
- Safeharbor Department
- eBay, Inc
- The eBay team.
- This is an automatic message. Please do not reply.
Response by authorities
In the United States, Democrat Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The federal anti-phishing bill proposes that those criminals who create fake Web sites and spam bogus e-mails in order to defraud consumers could be fined up to $250,000 and have jail terms of up to five years imposed upon them (Information Week, March 2, 2005).
Microsoft has joined in on the effort to crack down on phishing. On March 31, 2005 Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of using various different methods to obtain passwords and confidential information about people. They hope to use these lawsuits to uncover some of the largest phishing operators.
See also
This article is part of the Spamming series.
|
E-mail spam | Messaging spam | Newsgroup spam | Spamdexing Blog spam | Mobile phone spam | VoIP spam |
Make money fast | Advance fee fraud | Lottery scam | Phishing |
History of spamming |
Stopping e-mail abuse | DNSBL |
References
- Template:Citenews
- Template:Citenewsauthor (also cites InformationWeek, "Phishers Would Face 5 Years Under New Bill", March 3, 2005)
External links
Phishing information
- Anti-Phishing Working Group (http://www.anti-phishing.org) - Daily news from the net about phishing
- www.Spamfo.co.uk (http://www.spamfo.co.uk)- Articles and contemporary news items relating to phishing and internet scams
- Phishing alerts, news and reports - MillerSmiles.co.uk (http://www.millersmiles.co.uk)
- A Memo On Phishing: What You Need To Know Right Now (http://www.geocities.com/phishingmemo)
- Trust Management for Humans (http://www.waterken.com/dev/YURL/Name/) - Explains the design flaw in the WWW that enables phishing and provides a simple solution to the problem
- Phishing Scams (http://www.phishingdangers.com)
- Webopedia (http://www.webopedia.com/TERM/p/phishing.html) - Phishing details from Webopedia.
- Bank Safe Online (http://www.banksafeonline.org.uk/) - Advice to UK consumers regarding phishing scams and more.
- GishPuppy.com (http://www.gishpuppy.com/details.html) - Using disposable email addressing (DEA) to spot phishing.
- U. S. Banker | A Phish Story - February 2005 (http://www.us-banker.com/article.html?id=20050201N4N89WK9)
- Network Appliance, Inc. Phishing Survey 2004 (PDF) (http://www.netapp.com/ftp/phishing-attacks.pdf)
- Know Your Enemy: Phishing (http://www.honeynet.org/papers/phishing/) - Case study from the Honeynet Project on detailed techniques of a couple of phishers.
Legislation
- Computer Crime Research Center (http://www.crime-research.org/analytics/phishing_duke/) - Plugging the "phishing" hole: legislation versus technology.
Anti-phishing
- Gallery of Phishing Messages (http://rjohara.net/pfishing-scams/) - Examples claiming to come from banks, credit card companies, and auction houses.
- Online survey tool by MailFrontier (http://survey.mailfrontier.com/survey/quiztest.html) - measures ability of users to distinguish e-mail that is legitimate or "phish".
- How to Avoid Phishing Scams (http://www.windowsecurity.com/articles/Avoid-Phishing.html)
- FTC - How Not to Get Hooked by a Phishing Scam (http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm)
- ShareCube.com (http://www.sharecube.com) - Solutions for Banks and Financial institutions.
Anti-phishing Software
- Netcraft Toolbar (http://toolbar.netcraft.com) - browser plugin that shows country, hosting location and longevity of sites and operates a community where the first people to receive a phishing attack can block it for everyone else using the toolbar.
- Adorons Easy Security (http://www.adorons.com/adorons-products.html) Free software plug-in for Internet Explorer that disables phishing scripts.
- Spoofstick (http://www.corestreet.com/spoofstick/) - A plug-in for Internet Explorer and Mozilla that displays the real un-spoofed address for the current site. Works in pop-up windows as well.
Examples
- Example of e-mail used for phishing (http://purl.org/net/tbc/misc/phish001.htm) - an actual phishing message
- Fight Identity Theft (http://www.fightidentitytheft.com/paypal_scam.html) - Phishing Samplesde:Phishing
es:Phishing fr:Phishing it:Phishing la:Insidiae hamatae nl:Phishing ja:フィッシング (詐欺) pl:Phishing ru:Фишинг sl:Phishing sv:Phishing