In the field of computer security, phishing is a form of criminal activity using social engineering techniques. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT Administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.
You might see a phishing scam:
• In e-mail messages, even if they appear to be from a coworker or someone you know.
• On your social networking Web site.
• On a fake Web site that accepts donations for charity.
• On Web sites that spoof your familiar sites using slightly different Web addresses, hoping you won't notice.
• In your instant message program.
• On your cell phone or other mobile device.
Often phishing scams rely on placing links in e-mail messages, on Web sites, or in instant messages that seem to come from a service that you trust, like your bank, credit card company, or social networking site.
Typically, phishing attacks will direct the recipient to a web page designed to mimic a target organization’s own visual identity and to harvest the user's personal information, often leaving the victim unaware of the attack. Obtaining this type of personal data is attractive to black hats because it allows an attacker to impersonate their victims and make fraudulent financial transactions. Victims often suffer significant financial losses or have their entire identity stolen, usually for criminal purposes. As a successful and lucrative form of financial fraud, phishing made its mark on the networked landscape in 2004. Today, it is a booming segment of the identity theft “industry”. In January of 2004, there were 174 phishing Web sites identified by the cross-vendor Anti-Phishing Working Group. By December, there were over 1700. Finally, that year, the reported consumer loss due to Internet-based fraud was estimated between US$500 million (according to the Federal Trade Commission) and US$2 billion (according to the Anti-Phishing Working Group). Financial institutions and law enforcement agencies alike were ill-prepared to deal with organized, technically literate, internationally-based criminals.
Examples of Phishing Scam
Web sites that are frequently spoofed by phishers include PayPal,
This phish claims that Washington Mutual Bank is adopting new security measures which require confirming ATM card details. As with other phishing scams, the victim is directed to visit a fraudulent site and any information entered on that site is sent to the attacker.
The email warns that failing to comply with the instructions may result in account suspension. Note the use of the SunTrust logo. This is a common tactic with phishers, who often use valid logos simply copied from the real banking site in an attempt to lend credence to their phishing email.
As with the SunTrust example, this eBay phishing email includes the eBay logo in an attempt to gain credibility. The email warns that a billing error may have been made on the account and urges the eBay member to login and verify the charges.
There is no shortage of irony in the Citibank phishing example. The attacker claims to be acting in the interests of safety and integrity for the online banking community. Of course, in order to do so, you are instructed to visit a fake website and enter critical financial details that the attacker will then use to disrupt the very safety and integrity they claim to be protecting.
As seen with the previous Citibank phishing scam, the Charter One phishing email also pretends to be working to preserve the safety and integrity of online banking. The email also includes the Charter One logo in an attempt to gain credibility.
PayPal and eBay were two of the earliest targets of phishing scams. In this example, the PayPal phishing scam tries to trick recipients by posing as a security alert. Claiming that someone 'from a foreign IP address' attempted to log in to your PayPal account, the email urges recipients to confirm their account details via the link provided.
As with other phishing scams, the displayed link is bogus: the visible text shows the legitimate address, but the underlying href points at the attacker's website, so clicking the link actually takes the recipient there.
There are several (technical or non-technical) ways to prevent phishing attacks:
- Educate users to understand how phishing attacks work and to be alert when phishing-like e-mails are received;
- Use legal methods to punish phishing attackers;
- Use technical methods to stop phishing attackers.
Social Responses
Users who are contacted about an account needing to be "verified" can take steps to avoid phishing attempts: contact the company that is the subject of the e-mail to check that the message is legitimate, or type a trusted web address for the company's site into the browser's address bar rather than following the link in the suspected phishing message. The Anti-Phishing Working Group, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete as people become more aware of the social engineering techniques used by phishers; they expect pharming and other uses of malware to become more common tools for stealing information.
Legal Responses
Microsoft has joined the effort to crack down on phishing. On March 31, 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of using various methods to obtain passwords and confidential information. March 2005 also saw Microsoft partner with the Australian government to teach law enforcement officials how to combat various cyber crimes, including phishing. Microsoft announced a planned further 100 lawsuits outside the U.S. in March 2006.
Technical Responses
A phishing attack needs several steps to succeed: the spoofed e-mail must be delivered, the victim must follow the link, the spoofed Web site must be reachable, and the stolen credentials must be usable. Cutting off any one of those steps prevents the attack.
- Detect and block the phishing websites in time:
If phishing Web sites can be detected in time, they can be blocked (for example through browser or ISP blacklists) and the attack prevented. It is relatively easy to determine manually whether a site is a phishing site, but it is difficult to find those sites in time, since a phishing site is typically live only for a short period before it is taken down or moved.
- Enhance the security of the websites:
One method is to use hardware devices such as one-time-password tokens. Another is to use biometric characteristics (e.g. voice, fingerprint, iris) for user authentication. With these methods a phisher who has captured a password still lacks the second factor; note, however, that a one-time code typed into a spoofed site can be relayed to the real site within its validity window, so only authenticators bound to the genuine site's origin close that gap entirely. All of these techniques need additional hardware to perform the authentication between users and Web sites, which increases cost and brings some inconvenience, so it will take time for them to be widely adopted.
- Block the phishing e-mails by various spam filters:
Phishers hide their identities when sending spoofed e-mails, so if anti-spam systems can determine whether an e-mail was really sent by the claimed sender, phishing attacks will be reduced dramatically. From this point of view, techniques that prevent senders from counterfeiting the sender identity (for example Sender ID or SPF) can defeat phishing attacks efficiently. The spoofed e-mails used by phishers are one type of spam, so ordinary spam filters can also be used to filter them. Most anti-spam techniques perform filtering at the receiving side by scanning the contents and addresses of received e-mails. However, spam filters are designed for general spam and may not be well suited to phishing e-mails, since they generally do not consider the specific characteristics of phishing attacks.
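As an added example of the sender-authentication idea (not code from the post or from any Sender ID or SPF implementation), the following Python evaluates an SPF record for the envelope sender's domain against the IP address that delivered the message. The DNS records, domains and addresses are an in-memory table constructed for the example; a real receiver would query DNS and would normally also apply DKIM and DMARC, since SPF checks the envelope sender rather than the From: line the user sees.

```python
"""Minimal SPF (RFC 7208) check over an in-memory DNS table, showing how a
receiver can tell that a message claiming to come from a bank's domain was
not sent from a host the bank authorised. Only ip4, include and all are
handled; unknown mechanisms are skipped (a real evaluator returns permerror)."""
import ipaddress

# Constructed TXT records: every domain and address here is illustrative.
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "lax.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None when it publishes none."""
    record = dns.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(sender_domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate client_ip against sender_domain's SPF policy.
    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'."""
    if depth > 10:  # RFC 7208 caps the number of DNS-querying terms
        return "permerror"
    record = lookup_spf(sender_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"  # a mechanism without a prefix means 'pass on match'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced policy yields 'pass'
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False  # mx, a, exists, ptr not implemented in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no term matched and no 'all' present


def accept_message(mail_from, client_ip, dns=FAKE_DNS_TXT):
    """Receiver policy for this example: hard fail is rejected, softfail is
    accepted but tagged, everything else is delivered normally."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(domain, client_ip, dns)
    if result == "fail":
        return ("reject", result)
    if result == "softfail":
        return ("tag-as-suspicious", result)
    return ("deliver", result)


if __name__ == "__main__":
    # A genuine alert relayed through the bank's mail provider, then a forgery
    print(accept_message("alerts@bank.example", "192.0.2.10"))    # ('deliver', 'pass')
    print(accept_message("alerts@bank.example", "203.0.113.50"))  # ('reject', 'fail')
```

The forged message fails because 203.0.113.50 is neither in the bank's own range nor in its mail provider's included policy, and the bank's record ends in `-all`. A domain that publishes `~all` instead (lax.example above) only gets a softfail, which is why enforcement also depends on what the sending domain is willing to assert.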
- Install online anti-phishing software in user’s computers:
Despite all the above efforts, it is still possible for users to reach spoofed Web sites. As a last line of defense, users can install anti-phishing tools on their computers. The anti-phishing tools in use today can be divided into two categories: blacklist/whitelist based and rule-based.
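As an added illustration of both categories (not a description of any particular product), the Python below first consults a whitelist and a blacklist and, only when the host is on neither, falls back to rules that also catch the "slightly different Web address" trick listed earlier. The lists, the brand table and the URLs are constructed for the example, and the registrable-domain helper is a deliberate simplification that does not handle multi-label suffixes such as co.uk.

```python
"""Two layers of client-side URL checking: list lookups first, then rules.
Lists, brands and URLs are constructed for this example."""
from urllib.parse import urlparse

WHITELIST = {"www.paypal.com", "www.ebay.com", "www.suntrust.com"}  # known good hosts
BLACKLIST = {"paypal-secure-login.example"}                         # known phishing hosts
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "suntrust": "suntrust.com"}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); wrong for suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alikes such as 'paypa1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rule_score(url):
    """Return (score, reasons) for a URL not found on either list."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    is_ip_literal = host.replace(".", "").isdigit()
    if is_ip_literal:
        reasons.append("raw IP address instead of a hostname")
    elif host.count(".") >= 3:
        reasons.append("unusually deep subdomain chain")
    if "@" in p.netloc:
        reasons.append("'@' in the authority hides the real host")
    if p.scheme != "https":
        reasons.append("not served over https")
    reg = registrable_domain(host)
    for brand, real_domain in BRANDS.items():
        if reg == real_domain:
            continue  # the brand's own domain; nothing to flag
        if brand in host or brand in p.path.lower():
            reasons.append(f"brand '{brand}' used outside {real_domain}")
        elif edit_distance(reg.split(".")[0], brand) == 1:
            reasons.append(f"one character away from {real_domain}")
    return len(reasons), reasons


def classify_url(url):
    """'allow', 'block' or 'warn'. Lists win; rules decide the rest."""
    host = (urlparse(url).hostname or "").lower()
    if host in WHITELIST:
        return "allow"
    if host in BLACKLIST:
        return "block"
    score, _ = rule_score(url)
    return "warn" if score >= 2 else "allow"


if __name__ == "__main__":
    for u in ("https://www.paypal.com/cgi-bin/webscr",
              "http://paypal-secure-login.example/",
              "http://paypa1.com/login",
              "http://www.paypal.com.account-verify.example/login",
              "http://203.0.113.7/paypal/login"):
        print(classify_url(u), rule_score(u)[1], u)
```

The list layers are exact and fast but only as fresh as their last update; the rule layer needs no update to flag a brand-new host, at the cost of false positives (a single "not https" finding is deliberately below the warning threshold here).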
1 comments:
Thanks for sharing...
You did search many examples (pictures) for us..
http://e-commerce-beready.blogspot.com
Leave a comment when you're free to visit. ^^