Is an attempt to trick a person into disclosing private information to someone who is not authorized to have it?

Cybercrime classification and characteristics

Hamid Jahankhani, ... Amin Hosseinian-Far, in Cyber Crime and Cyber Terrorism Investigator's Handbook, 2014

Phishing

Phishing is the act of attempting to trick customers into disclosing their personal security information: their credit card numbers, bank account details, or other sensitive information, by masquerading as trustworthy businesses in an e-mail. The messages may ask the recipients to “update,” “validate,” or “confirm” their account information.

Phishing is a two-stage scam: it first steals a company’s identity and then uses it to victimize consumers by stealing their credit identities. The term phishing (also called spoofing) comes from the fact that Internet scammers are using increasingly sophisticated lures as they “fish” for users’ financial information and password data.

Phishing has become the most commonly used social engineering attack to date because it is quite easy to carry out: no direct communication between hacker and victim is required (i.e., the hacker does not need to phone their prey pretending to be technical support staff, etc.). Sending mass e-mails to thousands of potential victims increases the chance of getting someone hooked. There are usually three separate steps for such an attack to work:

1. Setting up a mimic web site.

2. Sending out a convincingly fake e-mail, luring the users to that mimic site.

3. Getting the information, then redirecting users to the real site.

In step 1, the hacker steals an organization’s identity and creates a look-alike web site. This can easily be done by viewing the targeted site’s source code, then copying all graphics and HTML lines from the real web site. Because of this tactic, it is very hard for even an experienced user to spot the differences. The mimic web site usually carries a log-in form prompting the user to enter secret personal data. Once the data are entered, a server-side script handles the submission, collects the data and sends it to the hacker, then redirects the user to the real web site so that everything looks unsuspicious.

The hardest part of a phishing attack, the part that challenges most hackers, is the second step. This does not mean it is technically hard, but grammatically it is! In this step, the hacker makes a convincingly fake e-mail, which is later sent by a “ghost” mailing program that enables the hacker to fake the source address of the e-mail.

The main purpose of this fake e-mail is to urge users to go to the mimic web site and enter the data the hackers want to capture. Commonly employed tactics are asking users to respond to emergency matters, such as warning that customers need to log in immediately or their accounts could be blocked, or notifying users that someone has just sent them money and they need to log in now to get it (this is usually an effective trap for PayPal users). Inside this fake e-mail, users often find a hyperlink which, once clicked, opens the mimic web site so they can “log in.” As discussed before, the easiest way to quickly identify a fake e-mail is not just by looking at the source address (since it can be altered to anything) but by checking the English grammar in the e-mail. You may find this surprising; however, 8 out of 10 scam e-mails have obvious grammar mistakes. Regardless of this, the trick still works.

In the last step, once a user has opened the mimic web site and “logged in,” their information is handled by a server-side script. That information is later sent to the hacker via e-mail and the user is redirected to the real web site. However, the confidentiality of the user’s financial data or secret password has now been breached.

Due to the recent financial crises, mergers and takeovers, many changes have taken place in the financial marketplace. These changes have encouraged scam artists to phish for customers’ details.

The key points are:

Social engineering attacks have the highest success rate

Prevention includes educating people about the value of information and training them to protect it

Increasing people’s awareness of how social engineers operate

Do not click on links in the e-mail message

It appears that the phishing e-mail scam has been around in one form or another since February 2004 and it seems to be still evolving, similar to the way virus writers share and evolve code.

According to the global phishing survey carried out by the Anti-Phishing Working Group and published in 2013 (APWG, 2013):

1. Vulnerable hosting providers are inadvertently contributing to phishing. Mass compromises led to 27% of all phishing attacks.

2. Phishing continues to explode in China, where the expanding middle class is using e-commerce more often.

3. The number of phishing targets (brands) is up, indicating that e-criminals are spending time looking for new opportunities.

4. Phishers continue to take advantage of inattentive or indifferent domain name registrars, registries, and subdomain resellers. The number of top-level registries is poised to quintuple over the next 2 years.

5. The average and median uptimes of phishing attacks are climbing.

According to the Symantec Intelligence Report (2013), fake offerings continue to dominate social media attacks, while disclosed vulnerability numbers are up 17% compared to the same period in 2012 (Symantec, 2013).


URL: https://www.sciencedirect.com/science/article/pii/B9780128007433000128

Phishing, SMishing, and Vishing

In Mobile Malware Attacks and Defense, 2009

Introducing Mobile Phishing Attacks


Phishing is the 21st-century version of identity theft, where bad actors steal victims' sensitive information, such as online logins, Social Security numbers, and credit card numbers using social engineering and online attack vectors. Phishing can appear in different shapes and forms; however, e-mail remains the most favored vehicle of phishing.


The mobile environment is a rich ground for phishers to target, as attacks are more convincing to victims, and protection and detection solutions are still immature therein.


Vulnerabilities in Bluetooth, mobile operating systems such as Symbian and WinCE, or even open wireless access points can be exploited by bad actors to launch phishing and pharming attacks in a mobile environment.


SMishing is an emerging vector of phishing attacks where the victim receives a short message service (SMS) and is thus lured into clicking a URL to download malware or be redirected to a fraudulent site.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492980000069

Creating Simulated Phishing Attacks

Valerie Thomas, in Building an Information Security Awareness Program, 2014

Understanding the Human Element

Phishing e-mails prey on a variety of human emotions in order to achieve the desired action [1]. Often, phishing e-mails create a sense of urgency, claiming that the recipient's account will be disabled if immediate action isn't taken. Another popular attack is the e-card e-mail. This attack indicates that someone has sent the user an e-card and they must click on the link to retrieve it. Other tactics to persuade an employee to fall prey to an attack include using their first name or sending an e-mail that appears to be from a fellow employee.


URL: https://www.sciencedirect.com/science/article/pii/B9780124199675000119

Machine learning and security in Cyber Physical Systems

Neha V. Sharma, ... Saurabh Sharma, in Cyber-Physical Systems, 2022

10.2.1 Phishing

Phishing is where the attacker contacts the target individual by e-mail or phone call and captures identifying data, banking and credit card information, and passwords. The data are then used to access important accounts and can result in identity theft and financial loss. Researchers have compared different machine learning techniques such as Logistic Regression (LR), Classification and Regression Trees, Bayesian Additive Regression Trees, Support Vector Machines (SVM), Random Forests, and Neural Networks (NN). Their experiments show that LR has the highest accuracy and comparatively high recall in comparison with the other classifiers. Zhuang et al. (2012) used clustering solutions such as hierarchical clustering and k-means clustering for phishing detection and achieved 85% performance.
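To make the logistic regression approach concrete, here is an added example that is not code from the chapter or from the studies it cites: a from-scratch logistic regression over lexical URL features (batch gradient descent), trained on a small constructed set of labelled URLs. The feature set, the sample URLs and the training settings are assumptions made for the demonstration.

```python
"""Logistic regression phishing-URL classifier (added example, not chapter code)."""
import math
from urllib.parse import urlparse

# Constructed training data: (url, label) with 1 = phishing, 0 = legitimate.
TRAINING_DATA = [
    ("http://paypal.com.secure-login.example/verify/account", 1),
    ("http://192.0.2.10/update/bank/login.php", 1),
    ("https://mybank-update-account.example/confirm", 1),
    ("http://login@secure.example/paypal/validate", 1),
    ("http://xn--pypal-4ve.com/signin", 1),
    ("https://www.paypal.com/signin", 0),
    ("https://www.example.com/about", 0),
    ("https://docs.python.org/3/library/", 0),
    ("https://en.wikipedia.org/wiki/Phishing", 0),
    ("https://github.com/", 0),
]

# Words that phishing lures commonly put in paths and hostnames (assumed list).
LURE_WORDS = ("login", "verify", "update", "confirm",
              "account", "validate", "secure", "signin")


def extract_features(url):
    """Lexical features only, so classification needs no network access."""
    p = urlparse(url)
    host = p.hostname or ""
    return [
        1.0,                                                   # bias term
        min(len(url), 100) / 100.0,                            # scaled URL length
        host.count(".") / 5.0,                                 # subdomain depth
        host.count("-") / 5.0,                                 # hyphens in host
        1.0 if host.replace(".", "").isdigit() else 0.0,       # raw IPv4 host
        1.0 if "@" in url else 0.0,                            # userinfo trick
        1.0 if "xn--" in host else 0.0,                        # punycode label
        1.0 if p.scheme == "https" else 0.0,                   # TLS present
        sum(w in url.lower() for w in LURE_WORDS) / len(LURE_WORDS),  # lure words
    ]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic_regression(data, learning_rate=0.5, epochs=5000):
    """Batch gradient descent on the cross-entropy loss; returns the weights."""
    X = [extract_features(url) for url, _ in data]
    y = [label for _, label in data]
    w = [0.0] * len(X[0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi))) - yi
            for j, xj in enumerate(xi):
                grad[j] += err * xj
        w = [wj - learning_rate * gj / len(X) for wj, gj in zip(w, grad)]
    return w


def phishing_probability(w, url):
    return sigmoid(sum(wj * xj for wj, xj in zip(w, extract_features(url))))


def is_phishing(w, url, threshold=0.5):
    return phishing_probability(w, url) >= threshold


def training_accuracy(w, data):
    """Fraction of the labelled URLs the model classifies correctly."""
    correct = sum(is_phishing(w, url) == bool(label) for url, label in data)
    return correct / len(data)


# Train once at import time; the constructed set is small enough for this.
MODEL = train_logistic_regression(TRAINING_DATA)

if __name__ == "__main__":
    print("training accuracy:", training_accuracy(MODEL, TRAINING_DATA))
    for url in ("http://203.0.113.5/paypal/login.php", "https://www.python.org/downloads/"):
        print(url, "->", round(phishing_probability(MODEL, url), 3))
```

A real deployment would train on a large labelled corpus and measure recall on held-out data, since the toy set here is separable by a handful of features.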


URL: https://www.sciencedirect.com/science/article/pii/B9780128245576000157

Understanding the situational awareness in cybercrimes

Eleanor Lockley, Babak Akhgar, in Cyber Crime and Cyber Terrorism Investigator's Handbook, 2014

Methods: Phishing and DDoS

The media report on two main methods that the SEA makes use of: Phishing and DDoS attacks.

Phishing can involve sending out large numbers of e-mails, which contain a message that appears to originate from a legitimate source (i.e., a well-known company such as PayPal or Twitter). The aim of the e-mail is to convince the potential victim to provide their personal details. Some e-mails can direct readers to an external hoax website, which is made to look authentic. The website can also encourage the victim to provide their confidential information (bank account details, identifying details, social security numbers, passwords, etc.)—which can then be used by the Phisher to commit an array of subsequent fraudulent acts. Some more complicated phishing campaigns can include harmful malware in the email itself, or on the hoax website—which can directly extract the information it needs from the target's computer, without requiring the victim to provide the confidential information directly (see Chapter 12 for more detail about Phishing).

DDoS (Distributed Denial of Service) or a denial-of-service (DoS) usually involves a system being overwhelmed by simultaneous online requests. This can result in the service becoming unavailable to its users. Distributed denial of service attacks are sent by two or more people or bots whereas denial of service attacks are sent by one system or person (see Chapter 17 for further information).


URL: https://www.sciencedirect.com/science/article/pii/B9780128007433000098

Social Engineering

Robert Shimonski, ... Technical Editor, in Cyber Reconnaissance, Surveillance and Defense, 2015

Phishing

Phishing is an attack that falls along the lines of social engineering – thus, evading controls through trust. How is it done specifically? Well, if we followed the attacks listed earlier in this chapter where a phone call was used to glean valuable information, we can follow the same premise here within the digital domain. In recent years, phishing attacks have grown in number significantly. Why, you ask? Because of the simplicity in launching them and the successful information they produce.

In Figure 3.5, we can see an example of a common phishing scam. An attacker creates a form e-mail that looks professional. They may even make a copy of one used with company letterhead, images pulled from the site, and official-looking logos. They craft this e-mail with a malicious call to action and a payload. The call to action is based on fear.


Figure 3.5. Phishing example.

The attacker tries to get you to produce information by clicking on a link (for example) that takes you to a malicious and fraudulent website. This website too contains official-looking information and, at times, is an exact replica of the site that you believe is legitimate. You may even enter your credentials that are recorded and used on the real site you thought you were visiting. This is one example of how phishing can be used to gather information.


URL: https://www.sciencedirect.com/science/article/pii/B9780128013083000032

Introduction

James Broad, Andrew Bindner, in Hacking with Kali, 2014

Phishing

In phishing (pronounced like fishing), the social engineer attempts to get the targeted individual to disclose personal information like user names, account numbers, and passwords. This is often done by using authentic-looking, but fake, emails from corporations, banks, and customer support staff. Other forms of phishing attempt to get users to click on phony hyperlinks that will allow malicious code to be installed on the target’s computer without their knowledge. This malware will then be used to remove data from the computer or to use the computer to attack others. Phishing is normally not targeted at specific users but may target everyone on a mailing list or everyone with a specific email address extension, for example every user with an “@foo.com” extension.


URL: https://www.sciencedirect.com/science/article/pii/B978012407749200001X

Human Element Security

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Phishing

Phishing is a particular social engineering technique and is largely employed through the use of electronic communications such as e-mail, texting, or phone calls. Most phishing attacks are very broad in nature and involve convincing the potential victim to click on a link in the e-mail, in order to send the victim to a fake site designed to collect personal information or credentials, or to have the victim install malware on their system. The fake sites used in web-based phishing attacks are typically copies of well-known web sites, such as banking sites, Facebook, and eBay. Some such sites are poorly designed imitations with clumsy attempts at similar design and logos and terrible grammar, while others are very cleverly crafted and extremely difficult to distinguish from the legitimate page that they are imitating.

For an additional method that might be used in phishing, certificate, and other similar attacks, do a bit of research on the internationalized domain name (IDN) homographic attack [2]. This was once a much worse attack than it is now, as many browsers are able to alert to such issues.

The problem with most phishing attacks is that unless the target victim actually has an account on the site being faked, the attack will fail; someone who does not have a MyBank bank account will not be convinced by a phishing attack that redirects to a fake MyBank bank web site. Even if the target victim does have an account, people are beginning to be cautious of unsolicited e-mails from their banks or other web sites. In general, phishing attacks do not count on careful inspection by the recipient, they count on a very small percentage of success over hundreds of thousands or millions of attempts. In order to work with better odds of success, attackers may turn to spear phishing.

Spear phishing is a targeted attack against a specific company, organization, or person. A spear phishing attack requires advanced reconnaissance so that the vehicle for the attack will be seen as legitimate and directs the potential victim to a fake site that the victim would expect and see as valid. In addition, the e-mail must be seen to come from a valid sender—someone the victim would trust, such as someone from human resources, a manager, the corporate IT support team, a peer, or a friend.

Where a normal phishing attack might be clumsy and poorly constructed, depending on a very small percentage of recipients responding regardless, a spear phishing attack is quite the opposite. In a spear phishing attack, the attacker will send a very clean e-mail containing the proper logos, graphics, signature block, and everything as expected. The language will be properly constructed grammatically and spelling will not be an issue. If there are links present, they will be disguised in such a fashion as to not appear immediately malicious. If the attack exists to steal credentials for a site or service, the attacker may even use the freshly stolen credentials to log the victim into the real site that they are imitating, leaving no error message or broken session to clue them in that something strange has happened.
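The disguised links and IDN homograph lookalikes described above can be checked mechanically on the receiving side. The following is an added example, not code from the chapter: it extracts every anchor from an e-mail body and flags visible-text/href domain mismatches, punycode or non-ASCII hosts, and confusable lookalikes of a brand domain. The brand list, the confusable table and the sample e-mail are constructed for the demonstration.

```python
"""Flag disguised links in an e-mail body (added example, not chapter code)."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the defender treats as legitimate brands.
KNOWN_BRANDS = {"paypal.com", "mybank.example"}

# Illustrative subset of ASCII look-alike substitutions, not a full confusables table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample e-mail: the visible text names paypal.com, the href does not.
SAMPLE_EMAIL = """
<p>Your account will be blocked unless you log in now:</p>
<a href="http://secure.paypa1.com/login"><b>https://www.paypal.com/account</b></a>
<p>Questions? <a href="https://www.paypal.com/help">Click here</a></p>
"""


class _AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host; crude but sufficient for this demonstration."""
    return ".".join(host.lower().split(".")[-2:])


def fold_lookalikes(host):
    """Strip accents via NFKD and fold leetspeak digits so 'paypa1.com' reads 'paypal.com'."""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded.lower()


def analyse_link(href, text):
    """Return the reasons this anchor looks like a phishing lure (empty list = clean)."""
    if "://" not in href:
        href = "http://" + href
    host = urlparse(href).hostname or ""
    dom = registrable_domain(host)
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in host")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII characters in host")
    # Visible text that itself looks like a URL or domain must agree with the href host.
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    if m and registrable_domain(m.group(1)) != dom:
        reasons.append("link text names %s but href goes to %s" % (m.group(1), host))
    if dom not in KNOWN_BRANDS and fold_lookalikes(dom) in KNOWN_BRANDS:
        reasons.append("host %s is a lookalike of a known brand" % dom)
    return reasons


def flagged_links(html):
    """Map each flagged href in the e-mail to its reasons; clean links are omitted."""
    parser = _AnchorParser()
    parser.feed(html)
    result = {}
    for href, text in parser.anchors:
        reasons = analyse_link(href, text)
        if reasons:
            result[href] = reasons
    return result


if __name__ == "__main__":
    for href, reasons in flagged_links(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```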


URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000087

The Threats of Today and Tomorrow

John G. Iannarelli, Michael O’Shaughnessy, in Information Governance and Security, 2015

Phishing

Phishing is a technique criminals use to fraudulently obtain private information. In most cases of phishing, the criminal (known as the phisher) will send an e-mail that appears to come from a legitimate source, such as your bank or credit card company. The e-mail will request a verification of your personal information, such as your social security number, date of birth, bank account number, or PIN. Because all of this information has been given to the financial institution on previous occasions, most people give little thought to what appears to be a legitimate request. Additional pressure to provide the information usually involves some sort of warning or threat that the victim’s account will be suspended if the requested information is not provided. Under such circumstances, many people are all too eager to comply with the request.

Generally, these e-mails will have a link that will purportedly take the victim to the bank’s website where they can update their account information. Of course, this link is a way for the criminal to obtain the victim’s personal information for fraudulent use. Once again, regular training to educate and remind employees of these threats is the key to keeping your business secure.


URL: https://www.sciencedirect.com/science/article/pii/B9780128002476000029

Messaging Attacks and Defense

Sean-Philip Oriyano, Robert Shimonski, in Client-Side Attacks and Defense, 2012

Phishing

Phishing (or Pharming) is the act of sending an email to a user and falsely claiming to be an established legitimate individual or enterprise in an attempt to coerce the user into providing private information that will be used for identity theft. Such emails usually direct the victim to visit a website where they are fooled into providing or updating personal information, such as passwords, credit card, social security, and bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the user’s information.

Warning

You should never trust an email because it looks like it came from a trusted source. Attackers are good at disguising their emails to look like bank websites or legitimate businesses. Attackers forge emails using logos and graphics from legitimate sources and hide their source addresses.

One way to avoid being a victim of a phishing attack is to ignore the link in the email. You can bypass it altogether and go to the website in question directly to verify it. Never submit any confidential information online, especially to untrusted sources. Most companies will never ask you to verify personal data such as credit card numbers, your social security number, bank account numbers or any other sensitive data via email. By supplying any of this information, you leave yourself open to possible fraud.

The year 2003 saw the proliferation of a phishing scam in which users received emails supposedly from eBay claiming that the user’s account was or was about to be suspended unless the victim visited the provided link and updated credit card information which eBay already had. As it is relatively simple to make a website resemble a legitimate site by mimicking the HTML code, the scam relies on unsuspecting victims being tricked into thinking they were actually being contacted by eBay and were subsequently going to the official site to update their account information.

Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,” the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.

Note

A variation of phishing has come to light over the past couple of years which goes by the name spear phishing. In this variation of phishing, a fake or fraudulent email attempts to steal information from a specific target or organization, seeking unauthorized access to confidential data. In contrast to the regular email messages used in standard phishing expeditions, spear phishing messages are spoofed to appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base, such as a known vendor or client. Spear phishing alters this practice: the apparent source of the email is likely to be an individual within the recipient’s own company or a trusted vendor, and perhaps even someone in a position of authority.

For example, one variation of a spear phishing attack is where the perpetrator finds a website for a specific victim or organization that offers unsecured, public information about employees and other useful data about the company. A savvy and patient attacker can put together all the available data to generate a message that is more authentic and plausible; the attacker will then draft an email that appears to come from an individual who would likely or reasonably request confidential information, for example a human resources person or a network administrator. The typical goal of a spear phisher is to request information such as user names and passwords, or to solicit recipients to click on a link that will result in the user downloading spyware and malicious code. The message employs the same type of social engineering seen in standard phishing attacks to entice the recipient. In most organizations, the majority of employees have been shown to fall for this type of attack readily due to its construction and the “familiarity” of the attacker. The attacks can be particularly devastating, as in the event that even a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and gain access to sensitive data almost unimpeded.

Some of the most successful email phishing attacks have started with seemingly harmless offers.

Note

Any legitimate business will never ask you to provide passwords or other personal information over email or any similar type of communication channel. Additionally, requests to provide passwords or other financial information over email should be dismissed and if you’re in business with the vendor you should contact them directly.

The lottery scam is a common phishing scam also known as the advanced-fee scam which preys upon human greed. One of the most widely used forms of advanced-fee fraud is a message that claims that the recipient has won a large sum of money, or that a person will pay out a large sum of money for little or no work on your part.

It is worth noting that this scam has several variations and none of them are legitimate in any way.

In this type of phishing a sense of urgency is used to compel the user to respond. When a user sees this email they may even respond without thinking leading to lost information and possibly identity theft. A phishing email message might even claim that your response is required because your account might have been compromised in some way.

Warning

Phishing can happen both digitally and manually, in the sense of social engineering. Any phone call received, or anyone personally requesting confidential information, should be verified, for example by proving the identity of the person calling. If the caller claims to be from a company, you can request the company’s general number and call back asking to speak to that person or department as a way to quickly verify their identity.

Did You Know?

Social engineering is the most preferred method of attackers because it’s the easiest. Social engineering is nothing more than using personal communication skills to penetrate defenses without ever touching a computer. Social engineering can be a simple phone call scam where one acts like someone else whom the victim believes is a trusted source and information gathered to exploit said victim. For example, an attacker poses as a bank professional and calls a victim to ask specific questions relating to the account, such as needing to verify the user’s bank account number, then using that information against them. Be aware that this would be the preferred method of attack every time, since it’s so easy to pull off and unfortunately, almost always yields a return for the attacker.

Note

Web browsers, email clients and mobile texting are all becoming the norm in how we communicate as a global population. Because of that, attacks cannot be avoided entirely. Client desktop computers, mobile phones, pads and laptops all have one thing in common: if they are used to communicate with one another, they will use a web browser, an email client or some other software. Learning how to secure all of these tools, applications and software programs is pertinent to ensuring your security. They are generally susceptible to similar attacks and are generally all secured the same way. Learn these attacks and the ways of securing yourself and your computer system, and you will be able to better mitigate risk and potential threats. Chapter 9 will cover mobile devices in more detail.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495905000079

What is IT called when a hacker tricks an individual into disclosing sensitive personal information?

Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware.

What is a baiting attack?

Baiting: A type of social engineering attack where a scammer uses a false promise to lure a victim into a trap which may steal personal and financial information or inflict the system with malware. The trap could be in the form of a malicious attachment with an enticing name.

What are two types of social engineering attacks?

The 12 Most Common Types of Social Engineering Attacks (first eight shown):

1. Phishing attacks

2. Spear phishing

3. Whaling

4. Smishing and vishing

5. Baiting

6. Piggybacking/tailgating

7. Pretexting

8. Business Email Compromise (BEC)

What are the 4 types of social engineering?

Social engineering attack techniques:

1. Baiting. As its name implies, baiting attacks use a false promise to pique a victim's greed or curiosity. ...

2. Scareware. Scareware involves victims being bombarded with false alarms and fictitious threats. ...

3. Pretexting. ...

4. Phishing. ...

5. Spear phishing.