This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Phishing refers to the techniques identity thieves use to fish for personal information in a pool of unsuspecting internet users. In general terms, internet criminals create and use e-mails and websites that look as if they came from, or belonged to, well-known, legitimate and trusted organisations. These criminals deceive internet users into disclosing their bank and financial information or other personal data such as usernames and passwords. There has been good progress in identifying the threat, but at the same time the diversity and technical sophistication of the attacks have also increased. Phishing has proved to have a negative impact on the economy.
In this paper we discuss some phishing techniques and their impacts. We also discuss the technical trends in phishing attacks and some basic techniques that can be used to detect and avoid phishing schemes.
Phishing is a type of social engineering in which attackers try to steal highly confidential information from a victim by presenting themselves as a legitimate and valid third party. It is the criminal act of stealing personal information by making people visit a fake website. The means by which the request is made are phishing e-mails, chat rooms, spoofing and other techniques. A common one is making links appear to point to legitimate websites by making small modifications to the link. Phishing attacks ultimately let the attacker make use of people's financial information and profit from it. Phishing is considered a form of identity theft carried out online to steal sensitive user information such as online banking passwords and credit card details.
The History Of Phishing:
The word phishing came from the early internet crimes that used e-mail lures to "phish" for financial data and login passwords from a pool of internet users. The term was coined in 1996 by hackers who were stealing America Online (AOL) accounts by stealing the passwords of AOL users. The hacked accounts were called "phish", and by 1997 phish were being traded actively between hackers as a form of electronic currency. At that time about 10 usable AOL phish would be traded for one piece of hacking software or a stolen game or application.
Over time the definition of phishing changed and expanded. The term "phishing" then covered not only obtaining user account details but also access to all of the users' financial and personal information. Originally, users were tricked into giving away their passwords and credit card information in replies to e-mail. Later the attacks expanded to fake websites through which that sensitive information was lured out. Still more sophisticated methods followed: Trojan horse key-loggers, screen captures and man-in-the-middle proxies that capture data and deliver it through an electronic communication channel. Current extensions of the traditional methods make use of fake job websites and job offers.
How Is Phishing Done?
In a phishing scheme, the attacker who wants to steal a user's personal information first creates an unauthorised replica of a legitimate website and e-mail, typically of a financial company or institution responsible for online banking, or of an online merchant. The e-mails resemble those of the legitimate agency or company and carry its logos, slogans and images.
The ease of creating the fake website lies in the nature of the original website's markup language and format: it is easy to copy the images and sometimes the entire website itself. This has made the internet a major means of theft. The phishers then send a fake e-mail to as many users as possible to lure them into the scheme. In some cases the attackers use other means to steal a group of users' personal information and include that information in the e-mail to make it more plausible to the users. These e-mails then redirect the users to the illegitimate website, which appears to be the organisation's own website. The attackers are mainly concerned with making users believe the mails are legitimate messages from that organisation, since not all recipients will have accounts with that company.
Phishing schemes rely on three elements. First, phishing solicitations make use of corporate trademarks and trade names, such as the agency's logo and name. This is called unawareness of threat. The use of such trademarks is often effective because users are well aware of them. Second, phishing solicitations contain warnings that make users concerned and worried about access to their existing financial accounts. This is called unawareness of policy. These scams make users falsely fear that their account will be terminated if they do not follow the instructions given in the mail, which lures them into giving away their personal information. Finally, phishing solicitations rely on the fact that users either lack the tools and technical knowledge to authenticate e-mail from financial organisations or agencies, or that the tools available to consumers are inadequate for authentication and can be spoofed. The term used for this element is criminals' technical sophistication.
E-mails And Spam:
The most common way of phishing is attacks using e-mail. Using the various techniques and tools employed by spammers, phishers are able to deliver well-crafted e-mails to many valid e-mail addresses in a short time. Many techniques are used to make these e-mails succeed in their purpose. Some of them are:
Making the e-mail look official.
Making e-mail copies using minor changes to the original URL.
Well-crafted, personalised and unique e-mail messages.
Creating fake posts in popular message boards and mail lists.
Making use of fake From addresses to hide the source.
The other popular way to commit phishing attacks is by making use of website content created and operated by the phisher. The techniques used here make the website look legitimate. Phishers use links disguised within very popular and commonly used websites and message boards. They deploy well-crafted fake logos, banners and advertising graphics that lure users into the fake website, from which the user's personal information is gathered. They use pop-up windows to hide the true source of the phisher's message. They also place fake advertising banners on popular websites to redirect users to the website created by the phisher.
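Three of the techniques listed above (a fake From address, a link whose visible text does not match where it really goes, and urgent wording) leave traces that can be checked mechanically. The following is an added example, not part of the essay, of a small message analyser over a constructed sample lure; the addresses, hosts and the URGENCY word list are assumptions made for the illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample lure: fake display name, mismatched Reply-To, disguised link.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@mail-example-bank.invalid>
Reply-To: verify@another-host.invalid
Subject: Urgent: your account will be suspended
Content-Type: text/html

<a href="http://198.51.100.7/login">https://www.example-bank.invalid/login</a>
"""
URGENCY = re.compile(r"\b(urgent|suspend|terminat|verify|immediately|24 hours)", re.I)
class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None  # _cur = [href, text] while inside <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href"), ""]
    def handle_data(self, data):
        if self._cur:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append((self._cur[0], self._cur[1].strip()))
            self._cur = None
def host_of(url):  # link text is often a bare domain with no scheme
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
def domain_of(header):  # domain of the first address in a header value, or None
    m = re.search(r"@([\w.-]+)", header or "")
    return m.group(1).lower() if m else None
def analyse(raw):
    """Return (check, detail) findings for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    findings = []
    sender, reply = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if sender and reply and sender != reply:
        findings.append(("reply-to mismatch", f"From {sender}, replies go to {reply}"))
    m = URGENCY.search(msg.get("Subject", "") + " " + body)
    if m:
        findings.append(("urgency language", m.group(0)))
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        # the classic disguise: the visible text names one host, the href goes elsewhere
        if href and "." in text and host_of(text) != host_of(href):
            findings.append(("disguised link", f"shows {host_of(text)}, goes to {host_of(href)}"))
    return findings
```

Running `analyse(SAMPLE_EML)` reports all three indicators for the constructed sample; a legitimate message whose Reply-To, wording and links are consistent yields an empty list.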
Instant Messaging Forums:
Instant messaging forums have become a target for phishers. These communication channels have become very popular with home users, and their functionality has also grown. Their ability to hold dynamic embedded content such as graphics, URLs and multimedia has made them a good phishing ground. Attackers use automated programs to participate in and listen to a particular conversation in a forum, and while doing so it is easy for them to slip a semi-relevant URL and false information to the users taking part in that discussion. Thus the user is lured into a fake website.
Trojan Hosts:
In this technique the phisher uses Trojan horse software to hide the true source of the attack. To do this the delivery source is made a home PC. The Trojan horse software is deployed on that PC and the phisher uses that PC to propagate the messages. All it takes to deploy Trojan horse software on a home PC is to lure the user into installing a fake application. Once the user's PC has the software, it can be used as a phishing e-mail propagator or sometimes even to host an illegitimate website.
Spear Phishing:
A very highly targeted phishing attack is referred to as spear phishing. A mail that appears legitimate to a specific group of users is sent to that group. The group chosen shares the services of a particular product, agency, organisation, website or community. The mail looks like a traditional phishing e-mail: it appears to come from a trusted organisation or source such as an employer or a colleague. Since the mail seems to come from a known and trusted user, it is more plausible for it to request and gather users' personal information.
Redirection:
In this type of phishing the attacker first deploys a malicious program on the user's system by making an application look genuine and luring the user into installing it. Once the malicious code is on the user's system it redirects certain links to the phisher's website. Normally, when we type in a URL we are taken to that website. In this case the attacker will have created a website with a URL similar to the one the user would access, and when the user keys in that website's URL the malicious software changes it without the user's knowledge, so the user is redirected to a different website where the information the user enters is gathered by the attacker. This scheme of attack is called redirection.
Key Loggers:
The other way to capture users' information is by capturing the user's keystrokes. First the user is made to download and install particular software on the system; a key logger included in that download then resides on the system and acts only when the user accesses an online financial account. As the user keys in the login id and password, the keystrokes are recorded by the key logger and sent to the phisher.
Vishing:
In this type of phishing, "vishing" or voice phishing, the attacker creates a traditional phishing e-mail and sends it to targeted users. This mail includes a phone number that has been set up and is operated by the phisher. The mail states that the user must call that number to avoid termination of an account or some other serious issue. When the user calls that number, he or she is asked for personal information such as a credit card number. In another method of vishing the attacker creates software to call the user directly and, posing as a legitimate caller, lures the user into giving sensitive financial information.
The Impacts Of Phishing:
Phishing has both domestic and international impacts, which concern the commercial and financial sectors as well as law enforcement in the countries involved.
Direct Financial Loss:
Through the fraud the attacker commits with the stolen data, consumers and businesses can lose a lot of money. In fact, small e-commerce businesses may be affected to a great extent.
Public Trust In The Internet:
Consumers are likely to lose their trust in the internet. They become uncertain about the integrity of financial and commercial websites and develop doubts about the internet's addressing system, and so are likely to lose their trust in using the internet for financial transactions.
Difficult Law Enforcement Investigations:
Unlike physical identity theft, where the crime is situated in a particular location and law enforcement agencies can locate the criminal, phishing is a crime that exploits the internet. Locating the attacker is difficult and at times not even possible. The attacker may use various techniques to hide the source of the attack, and sometimes even fakes the source by making a different computer in a different country appear to be the origin of the attack.
Simple Tips To Avoid Phishing Spam:
Legitimate organisations will never ask users for personal or financial information via e-mail. So users must not reply to such mails or pop-up messages, and should not click on any links they contain.
When users receive e-mails containing a phone number and are asked to call it for some reason, cross-check the phone number given in the e-mail against the phone numbers printed on your financial statements.
Keep your browser up-to-date and apply security patches.
Be cautious when you receive e-mails with urgent needs for financial information.
Check the URL when any secure transaction is performed.
Log into bank accounts on a regular basis and check for any suspicious transactions.
Avoid following links in e-mails to reach websites that hold your sensitive information, and avoid filling in that information on forms in e-mails and pop-up messages.
Some phishing e-mails may include software that can harm your system. It is recommended that users have proper anti-virus and anti-spyware software on their system and update it regularly. Firewalls are suggested to keep users invisible on the internet and to block unauthorised access.
Users are asked never to e-mail their personal and financial information, as e-mail is not a secure way to transmit such sensitive information.
Users must check their credit card statements as soon as they receive them and, if they find any unauthorised charges, report them to the company.
Users must always be cautious about opening any attachment from e-mails.
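The advice above to check the URL before a secure transaction is easier to apply with a concrete procedure. The following is an added example, not part of the essay, of a small URL inspection routine against an allowlist of sites the user trusts; the TRUSTED set, the sample hosts and the function names are assumptions made for the illustration, and the registrable-domain calculation is a deliberate simplification that ignores multi-part public suffixes.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user actually holds accounts with.
TRUSTED = {"example-bank.invalid", "example-shop.invalid"}

def registrable(host):
    """Last two labels of a hostname. Simplification: multi-part public suffixes
    such as co.uk need the Public Suffix List to be handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long = sorted((a, b), key=len)
    return any(long[:i] + long[i + 1:] == short for i in range(len(long)))

def inspect_url(url):
    """Return 'ok' for a trusted https URL, otherwise why it looks suspect."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    reg = registrable(host)
    if reg in TRUSTED and parts.scheme == "https" and parts.username is None:
        return "ok"
    if parts.username is not None:
        # https://bank.example@evil.example connects to evil.example, not the bank
        return f"userinfo trick: actual host is {host}"
    if reg in TRUSTED:
        return "trusted host but not https"
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        return "non-ASCII or punycode label in host"
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if brand in labels:
            return f"{brand} used as a subdomain of {reg}"
        if brand in reg.split(".")[0]:
            return f"{reg} embeds brand name {brand}"
        if one_edit_apart(reg.split(".")[0], brand):
            return f"{reg} is one edit away from {trusted}"
    return "untrusted host"
```

The routine returns "ok" only for a trusted host over https with no userinfo in the URL; anything else comes back with the specific reason, which is what a user (or a browser toolbar of the kind discussed later) needs in order to judge the page.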
User Level Security Techniques:
As a user, the client side can be protected against phishing using various techniques.
Some desktop PC protection techniques can provide an anti-phishing means. These are provided by anti-virus, firewall, anti-spam and spyware detection protection.
Web browsers that offer extended functionality must be used. These browsers must be able to disable features like ActiveX, the Java runtime, multimedia, storage of insecure cookies and automatic downloads.
Users can avoid becoming victims of phishing schemes by inspecting the mails they receive.
Awareness mechanisms, such as information about phishing possibilities in company e-mails or on the website, are a user-level security technique against phishing.
Web browser toolbars are an effort to protect users from phishing schemes. These toolbars help the user learn whether the website they are accessing is genuine or not.