Phishing – “A scam to steal private information”
Phishing is a type of social engineering technique in which an attacker sends an e-mail or displays a Web announcement that falsely claims to be from a legitimate organization. The intention of the messenger is to trick the user into surrendering private information.
A more specific definition is offered by the Anti-phishing Working Group (APWG): “Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.” The victim in a phishing attack is asked to respond to an e-mail or is directed to a Web site to update personal information, such as passwords, credit card numbers, Social Security numbers, bank account numbers, or other information for which the legitimate organization already has a record. However, the site is actually a fraudulent Web site designed to steal the user’s information.
Phishing can and usually leads to online identity theft. By capturing a user’s personal information, an attacker can gain access to the user’s account on a legitimate Web site, and can engage in a number of activities resulting in substantial financial loss to the user, denial of access to e-mail, and other problems.
Example of occurrence:
On the weekend of January 3, 2009, several users on the social network Web site, Twitter, became victims of a phishing attack. The users were deceived into giving away their passwords when they received an e-mail similar to one that they would receive from Twitter with a link that read, “hey, check out this funny blog about you…”. The link redirects to a site masquerading as the real Twitter site. Any personal information entered by the user on the fake site is then captured by the attacker.
Twitter responded by reporting the offending domain, and changing the affected users’ passwords.
What sort of Twitter would give away their password? (http://www.guardian.co.uk/technology/2009/jan/08/twitter-barack-obama-britney-spears-micro-blog-networking)
A Phishing email example:
Protection against phishing
Training users to identify a ‘phish’ is an important component in the fight against phishing. Training has taken two forms: the first is simply to provide anti-phishing information to users through e-mail and other media. The second is to give firsthand experience to users through games, simulated phish, cartoons, etc. Recent studies seem to indicate that the latter—giving firsthand experience to users—might be more effective. The game, Anti-Phishing Phil http://wombatsecurity.com/antiphishingphil, which teaches people how to identify suspicious Web site addresses while providing the experience of being captured by a phisher, is such an example. PhishGuru in the previous section is another example. It delivers cartoon-based, anti-phishing information after a user has been deceived by simulated phishing messages.
Although user ability to identify phish is an important component in the battle against phishing, combining it with technology yields better results. One of the techniques used to automatically identify phish is filtering. The objective of filtering is to identify (or flag) phishing attempts in e-mail or on Web pages. Filters are usually integrated into browsers or e-mail software. When a Web address is encountered the software compares it with a so-called “blacklist” of known phishing Web sites. It then takes appropriate actions, which usually include informing the user. The blacklist is updated periodically (for example, every 30 minutes) as new phishing sites become available. As with any blacklist, there is also a “whitelist” of known legitimate sites.
Consider the following PayPal e-mail. The Web address in the box, http//211.248.156/Paypal/cgi-bin/webscrcmd_login.php, appears when the user ‘mouse-overs’ the “Click here to verify your account” link.
- Complete the following security checklist for the above email (print the checklist).
- List any sentence, phrase or word that makes the e-mail a suspected phish.
|Vulnerability: Phishing Course: Computer Literacy|
|Task – Read the e-mail carefully; answer yes/no in the space provided||Yes/No|
|1. Were there suspicious words, phrases or sentences?|
|2. Were there suspicious links?|
|3. Are there grammatical or spelling errors in the e-mail?|
|4. Does the e-mail start with a generic greeting?|
|5. Does the e-mail contain any pop-up boxes or attachments?|
|6. Does the e-mail contain an air of urgency or a need to respond immediately?|
|7. Does the email ask you for personal information such as passwords and social security number?|
|If you answered yes to any of the above questions, then the e-mail is a suspected phishing mail.|
- Play at least two games of Anti-Phishing Phil at http://www.wombatsecurity.com/phil-demo-signup. You can use your university address for signing up. Create a “blacklist” of the phishing Web site addresses you encountered, and a “whitelist” of the legitimate Web sites (Hint: see the section on Anti-phishing Technologies.) Describe how the Anti-Phising Phil experience has helped you to better recognize phishing Web sites. What are your likes and dislikes about the game? Are there any suggestion(s) that you would like to provide so as to improve it? If so, explain.
- Take the “SonicWall Phishing and Spam IQ Test” a couple of times (http://www.sonicwall.com/phishing/). What was your maximum score? Look at the test result sheet, and give the name that appears in the “Subject” column for three of the questions. For each of the subjects, click on the “Why?” link that appears under the “Explain Answer Column.” The e-mail you viewed for that question should re-appear—this time with explanations. Copy one of the given explanations for each of the e-mails.
Further Work (optional – check with your instructor if you need to answer the following questions)
- In recent years, a more insidious form of phishing, known as spear phishing, has taken root. Spear phishing is customized to a particular user. It often addresses the recipient directly (by name) and may include other personal information about the user. Provide a recent example of spear phishing and discuss the peculiarities of the e-mail that makes it a suspected phish. Your example could be taken from an e-mail you or someone you know received, from a handout from your instructor, or from a recent newspaper or Web article.
- Pharming is yet another recent form of phishing, which automatically redirects the user to a fake Web site—no clicking required. Give a recent example of pharming and discuss the peculiarities of the e-mail that makes it a suspected phish. Again, your example could be taken from an e-mail you or someone you know received, a handout from your instructor, or from a recent newspaper or Web article.