The word “phishing” comes from the analogy that Internet scammers use fake email as bait to fish for passwords and personal financial data in the sea of Internet users. Phishing is the creation of email messages and web pages that replicate existing web sites in order to fool users and instruct them to submit their personal or financial details into the fraudster’s fake pages. Pharming is a technique that redirects users from real websites to fraudulent websites by using malware/spyware, typically DNS hijacking. Pharming modifies the name resolution system, so that when a user opens a financial institution’s web page, the browser actually goes to the spoofed website. A phishing attack carried out by phone is also known as a vishing attack. During the last five years phishing has been growing rapidly, with an estimated 8 million daily phishing attempts all over the world.

Introduction

As people increasingly rely on the Internet for business, personal finance and investment, Internet fraud becomes a greater and greater threat. One interesting species of Internet fraud is phishing. Phishing attacks use email messages and web sites designed to look as if they come from a known and legitimate organization, in order to deceive users into disclosing personal, financial, or computer account information. The attacker can then use this information for criminal purposes, such as identity theft, larceny, or fraud. Users are tricked into disclosing their information either by providing it through a web form or by downloading and installing hostile software.

To make the fraud more convincing, even URL masking (pharming) can be used to avoid detection. Pharming is an attack that aims to redirect a website’s traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploiting a vulnerability in DNS server software. DNS servers are the computers responsible for resolving Internet names into their real addresses; they are the “signposts” of the Internet. Compromised DNS servers are sometimes referred to as “poisoned”. Recently in India, fraudsters targeted the Reserve Bank of India’s web site with a phishing attack, along with 6 other banks, in May 2010. Facebook also found a phishing page impersonating its site on 2nd Dec, 2010.
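A defender-side check for the hosts-file variant of pharming described above, added here as an example and not part of the original article: it parses a hosts file and flags any static entry for a domain that should only ever be resolved through DNS. The sample hosts file, the yourbank.com watch list and the hostname used for the malicious entry are constructed placeholders.

```python
import ipaddress
import platform
from pathlib import Path

# Constructed sample hosts file; the last entry is a pharming-style override
# that pins the bank's hostnames to an attacker-controlled address.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost
192.0.2.10    intranet.corp.example
198.51.100.7  www.yourbank.com onlinebanking.yourbank.com  # added by malware
"""

# Assumed watch list: domains that should only ever be resolved through DNS.
WATCHED_DOMAINS = {"yourbank.com"}

def hosts_path():
    """Location of the OS hosts file (Windows vs. Unix-like systems)."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; skip comments, blank and malformed lines."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not a valid address; ignore the line
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")

def is_watched(hostname, watched):
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for every watched name pinned in the hosts file.
    A bank domain never needs a static entry, so any hit deserves a look."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if is_watched(name, watched)]

if __name__ == "__main__":
    for name, ip in find_hijacks(hosts_path().read_text(errors="replace")):
        print(f"WARNING: {name} is statically mapped to {ip}")
```

Run against SAMPLE_HOSTS the check reports both yourbank.com hostnames; run as a script it reads the live hosts file of the machine it is on.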

Types of Phishing attack

Passive Phishing

In this type of phishing attack, the attacker’s web server impersonates the real server, but the real server is not involved in the attack.

Active Phishing

In this type of attack, the attacker’s machine acts only as a bridge to the real server, which effectively gives it Man-in-the-Middle capabilities.
Common phishing techniques include sending a false URL via a fraudulent e-mail to the unsuspecting user, and placing false links in web pages. In either case, once the user opens the URL, he is connected to the attacker’s web server, which appears to be the legitimate server, and is prompted to enter his personal details.
There are three possible phishing scenarios:
1. Wrong-domain server: The most common scenario. The attacker solicits the user to connect to a false URL whose domain name differs from the real server’s domain name.
2. DNS poisoning: The attacker has somehow managed to divert traffic destined for the real server’s URL to his own machine. This case is similar to the previous one, except that the domain name appears valid to the user. No solicitation is required, as the user connects to the attacker’s machine whenever he attempts to connect to the real server.
3. Real Man-in-the-Middle: The attacker is in full control of one of the hops on the path between the user and the real server. Again no solicitation is required, as the attacker’s machine fully controls any traffic that passes through it.

Phishing Techniques

Link manipulation

Most methods of phishing use some form of technical deception designed to make a link in an e-mail appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the “yourbank” (i.e. phishing) section of the example website, because the registered domain is example.com. Another common trick is to make the displayed text for a link (the text between the <a> tags) suggest a reliable destination, when the link actually goes to the phishers’ site. The following example link, http://en.wikipedia.org/wiki/Genuine, appears to take you to an article entitled “Genuine”; clicking on it will in fact take you to the article entitled “Deception”, because the link’s visible text and its actual target are different. In the lower left-hand corner of most browsers you can preview and verify where the link is going to take you.
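The two link-manipulation tricks above, the brand name used as a subdomain of an unrelated domain and visible link text that names a different host than the href, can be caught mechanically. The following audit is an added example, not code from the original article; the sample HTML, the placeholder domains and the yourbank.com “trusted domain” are constructed, and the registrable-domain logic is a simplification that does not know multi-part suffixes such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (placeholder domains): look-alike subdomain, mismatched text, honest link.
SAMPLE_HTML = (
    '<p>Please <a href="http://www.yourbank.example.com/">log in to yourbank</a>'
    ' or use <a href="http://phisher.example/login">http://www.yourbank.com/login</a>'
    ' or the real <a href="https://www.yourbank.com/">yourbank home page</a>.</p>'
)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def registrable_domain(host):
    """Last two labels of a hostname (simplified; ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class AnchorCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in the document.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_link(href, text, trusted_domain):
    """Return a list of warnings for one anchor, given the brand's real domain."""
    warnings, host = [], (urlsplit(href).hostname or "")
    target, brand = registrable_domain(host), trusted_domain.split(".")[0]
    # Trick 1: the brand name appears only as a subdomain of an unrelated domain
    if brand in host.split(".") and target != trusted_domain:
        warnings.append(f"'{brand}' is a subdomain; the real owner is {target}")
    # Trick 2: the visible text names one host while the href goes elsewhere
    m = HOST_RE.search(text)
    if m and registrable_domain(m.group(1)) != target:
        warnings.append(f"text shows {m.group(1)} but the link goes to {host}")
    return warnings

def audit_html(html, trusted_domain):
    # Map each href in the document to its warnings (empty list = looks fine).
    p = AnchorCollector()
    p.feed(html)
    return {href: audit_link(href, text, trusted_domain) for href, text in p.links}
```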

Filter evasion

Here phishers use images instead of text, so that anti-phishing filters cannot detect the wording commonly used in phishing e-mails.

Website forgery

An attacker can even use flaws in a trusted website’s own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service’s own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge.

Phone phishing

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialled, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

Tabnabbing

Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular Web sites by impersonating those sites and convincing the user that the site is genuine. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded. The exploit employs scripts to rewrite a page of average interest with an impersonation of a well-known website, when left unattended for some time. A user who returns after a while and sees the rewritten page may be induced to believe the page is legitimate and enter their login, password and other details that will be used for improper purposes. The attack can be made more likely to succeed if the script checks for well-known Web sites the user has loaded in the past or in other tabs, and loads a simulation of the same sites. This attack can be done even if JavaScript is disabled, using the “meta refresh” meta element.

Best practices against phishing attacks for bank users

1. Always type the correct URL in the address bar.
2. Never reply to any email asking you to enter details such as username, password, date of birth, etc.
3. Check for the https protocol in the address bar, a padlock and a valid certificate.
4. Avoid using cyber cafes for internet banking.
5. Suspected cases of phishing must be reported to the bank immediately.
6. Use anti-phishing tools like the Netcraft toolbar, SpoofGuard, eBay Toolbar, etc.

Where to report phishing incidents

CERT-In Incident Response Help Desk
Tel : 1600-11-4949
FAX : 1600-11-6969
E-mail: incident@cert-in.org.in
