Friday, November 03, 2006

What the heck is phishing?

Phishing? What the heck is that? In this section I am going to break down the term phishing!

Wikipedia says that phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Phishing techniques

Most phishing relies on some form of technical deception. Misspelled URLs and the use of subdomains are common tricks used by phishers, such as this example URL. Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site. Let's discuss the various phishing techniques.

One method of spoofing links uses web addresses containing the @ symbol, which is used to include a username and password in a web URL (contrary to the standard). For example, the link might deceive a casual observer into believing that the link will open a page on, whereas the link actually directs the browser to a page on, using a username of; were there no such user, the page would open normally. Such URLs were subsequently disabled in Internet Explorer, while the Mozilla and Opera web browsers opted instead to present a warning message and give users the option of continuing to the site or cancelling.

Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

In another popular method of phishing, an attacker uses a bank or service's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.

A further problem with URLs has been found in the handling of Internationalized Domain Names (IDN) in web browsers, which might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it.
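To make the URL tricks above concrete from the defender's side, here is an added example (not from the original post) that inspects a URL for the user:password@host trick, for IDN/punycode labels, and for an expected name that is embedded in or misspelled as some other host. The hosts example.com and evil.example.net are constructed placeholders, not real phishing sites.

```python
# Constructed placeholders: example.com is the name the reader expects;
# anything else (evil.example.net, look-alike spellings) stands in for a phisher's host.
import difflib
import unicodedata
from urllib.parse import urlsplit


def analyse_url(url: str, expected_host: str) -> list[str]:
    """Return warnings for `url` when the reader believes it leads to `expected_host`."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")

    # Trick 1: user:password@host. The browser connects to whatever follows the
    # last '@'; the text before it is userinfo, not a host name.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
        warnings.append(f"userinfo '{userinfo}' is not the host; the browser goes to '{host}'")

    # Trick 2: IDN homographs. Non-ASCII letters, mixed scripts, or punycode (xn--)
    # labels can render as a name that looks identical to the expected one.
    if any(ord(c) > 127 for c in host):
        scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}
        warnings.append(f"non-ASCII hostname using scripts {sorted(scripts)}")
        if len(scripts) > 1:
            warnings.append("mixed scripts in one hostname (classic homograph sign)")
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = "<undecodable>"
            warnings.append(f"punycode label '{label}' displays as '{decoded}'")

    # Trick 3: the expected name used as a subdomain of another host, or a near-miss spelling.
    exp = expected_host.split(".")
    labels = host.split(".")
    if host != expected_host and not host.endswith("." + expected_host):
        embedded = any(labels[i:i + len(exp)] == exp for i in range(len(labels) - len(exp) + 1))
        if embedded:
            warnings.append(f"'{expected_host}' embedded in unrelated host '{host}'")
        elif difflib.SequenceMatcher(None, host, expected_host).ratio() > 0.8:
            warnings.append(f"'{host}' looks like a misspelling of '{expected_host}'")
        else:
            warnings.append(f"host '{host}' does not match expected '{expected_host}'")
    return warnings
```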

Not all phishing attacks require a fake website. In an incident in 2006, messages that claimed to be from a bank told users to dial a phone number regarding a problem with their bank account. Once the phone number was dialed, prompts told users to enter their account numbers and PIN. The number was provided by a Voice over IP provider.

Now, how to prevent phishing?

One method to prevent phishing is to make users aware of phishing attempts. One newer tactic uses phishing emails targeted at a specific company; this is called spear phishing.

Nearly all legitimate email messages from companies to their customers will contain an item of information that is not readily available to phishers. Some companies, like PayPal, always address their customers by their username in emails, so if an email addresses a user in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. Emails from banks and credit card companies will often include partial account numbers. Therefore, one should always be suspicious if the message does not contain specific personal information. Phishing attempts in early 2006, however, used such highly personalized information, making it unsafe to rely on personal information alone as a sign that a message is legitimate. Further, another recent study concluded in part that the presence of this information does not significantly affect the success rate of phishing attacks, suggesting that most users do not pay attention to such details anyway.

Users who are contacted about an account needing to be "verified" can take steps to avoid phishing attempts, by contacting the company that is the subject of the email to check that the email is legitimate, or by typing in a trusted web address for the company's website into the address bar of their browser, to bypass the link in the suspected phishing message.
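The anchor-text trick and the generic-greeting clue discussed above can both be checked mechanically. This added example (not from the original post) parses a constructed HTML message, compares the host each link visibly shows with the host its href actually points to, and flags a greeting that does not address the recipient by name; the message and all hosts in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_email(html_body: str) -> list[str]:
    """Return findings: link text naming one host while href goes elsewhere; generic greeting."""
    findings = []
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        if LOOKS_LIKE_URL.match(text):  # only compare when the visible text itself looks like a URL
            shown = urlsplit(text if "://" in text else "//" + text).hostname
            actual = urlsplit(href).hostname
            if shown != actual:
                findings.append(f"link text shows '{shown}' but href goes to '{actual}'")
    plain = re.sub(r"<[^>]+>", " ", html_body)  # crude tag strip for the greeting check
    if GENERIC_GREETING.search(plain):
        findings.append("generic greeting: the sender did not use your name or username")
    return findings


# Constructed sample: the visible link text mimics the expected site, the href does not.
SAMPLE = """<html><body><p>Dear valued customer,</p><p>Please verify your account at
<a href="http://login.example.net/verify">http://www.example.com/account</a>
or read our <a href="http://www.example.com/help">help page</a>.</p></body></html>"""
```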

Anti-phishing software is available that may identify phishing content on websites, act as a toolbar that displays the real domain name for the visited website, or spot phishing attempts in email. Microsoft's new IE7 browser, Mozilla's Firefox 2, and Opera from version 9.1 will include a form of anti-phishing technology, by which a site may be checked against a list of known phishing sites. If the site is suspect, the software may either warn the user or block the site outright. Firefox 2 uses Google anti-phishing software, which may also be installed under IE6. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive. An approach introduced in mid-2006 (similar in principle to using a hosts file to block web adverts) involves switching to a special DNS service that filters out known phishing domains, which will work with any browser.

Sites have added verification tools that allow users to see a secret image that the user selected in advance; if the image does not appear, then the site is not legitimate. Bank of America uses this together with challenge questions, which ask the user for information that should be known only to the user and the bank. This feature (and other forms of two-way authentication and two-factor authentication) is still susceptible to attack, such as that suffered by Scandinavian bank Nordea in late 2005.