
PHISHING

Ajay Muthureddy – I MBA B

Meaning:

Phishing is a fraudulent attempt to acquire another person's sensitive information, such as usernames, passwords and credit card details, usually by e-mail that impersonates a trusted organization.

Technique:

Phishers, falsely claiming to be an established legitimate organization, send e-mails that direct users to a website where they are asked to "update" personal information, such as passwords, credit card details and bank account numbers, that the legitimate organization already holds. The website is bogus and is set up only to steal the user's information.

Examples:

1) In 2003, users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless they clicked on a link provided and updated the credit card information that the genuine eBay already had. The scam counted on people being tricked into thinking that they were actually being contacted by eBay. By spamming large groups of people, the phisher counted on the e-mail being read by a percentage of people who actually had credit card numbers on file with eBay.
2) Facebook users were hit with a phishing attack last year, in which phishers tried to steal names and passwords from users of this popular social network. People were sent phony e-mail messages, appearing to come from Facebook, that tried to send them to a malicious website, Fbaction.net, which looked like the Facebook login page. Facebook, however, warned its users about the attack and took preventive measures quickly.
3) Recently a new banking phishing Trojan, "Banker-AJ", was reported by the antivirus company Sophos as targeting online customers of several British banks, including Abbey, Barclays, Egg, HSBC, Lloyds TSB, Nationwide and NatWest. Described as "the next generation of phishing attacks", the Trojan waits for users to visit their online banking websites, then captures passwords and takes screenshots of the session. The information is relayed to the criminals behind the plot. Unlike a classic phishing e-mail, there is no fake website: the victim is on the genuine site when the credentials are stolen.
4) The Xrenoder Trojan is browser-hijacking spyware that resets your home page and/or search settings to point to other sites, usually for commercial or pornographic traffic.
5) The Cpanel Google Trojan is spyware that adds an entry to your hosts file mapping Google's hostname to its own site. The hosts file is consulted before DNS, so the redirection happens even though DNS itself is untouched. If Google gets redirected in your browser, there is a chance you have a version of this hijacker.
6) Another example: a phishing e-mail aimed at ICICI Bank customers (shown as a screenshot in the original document).

How to spot the scam?

1) The "From" field appears to be from the legitimate company, but close observation reveals the difference (a look-alike domain, or a display name that does not match the actual address).
2) The e-mail will usually contain logos or images taken from the website of the company mentioned in the scam e-mail.
3) The e-mail will contain a clickable link, with text urging you to use the inserted link to "validate" your information.
4) Other small tells: logos that do not match the actual company's logo, spelling errors, percent signs followed by numbers (URL encoding) or @ signs within the hyperlink, and random names or e-mail addresses in the body text or the e-mail headers.

The golden rule to avoid being phished is "never click the links within the text of an e-mail". Delete such mails immediately and empty the trash as well, to prevent accidental clicks.

Signs of Phishing:

• Unsolicited requests for personal information
• Generic greeting
• Alarmist warnings
• Mistakes
• Sense of urgency
• Forged link
• Addressed as "customer"
• Words like "verify your account"
• Phrases like "click the link below to gain access to your account"
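Several of the signs above can be checked mechanically. The following Python script is an added example, not part of the original document: it parses an HTML e-mail body, extracts the links, and flags the indicators listed above (a generic greeting, "verify your account" and other pressure wording, an @ sign or percent-encoding in the link, a raw IP address, link text that names one site while the href goes to another, and a From display name that claims a brand the address domain does not belong to). The brand allowlist, the phrase lists and the sample message are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of brand -> genuine domain; a mail gateway would maintain
# a much longer one. Constructed for this example.
LEGITIMATE_DOMAINS = {"ebay": "ebay.com", "facebook": "facebook.com", "icici": "icicibank.com"}
URGENCY_PHRASES = ("verify your account", "click the link below", "account will be suspended",
                   "within 24 hours", "update your information")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued customer")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .com-style names; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(href: str, text: str) -> list:
    """Indicators in one hyperlink: the '@' trick, URL encoding in the host, a raw IP,
    link text naming a different site, a brand name inside a look-alike host."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""          # urlsplit already drops any user@ prefix
    if "@" in parts.netloc:
        findings.append(f"'@' in link: browser goes to {host}, not to what precedes the '@'")
    if re.search(r"%[0-9A-Fa-f]{2}", parts.netloc):
        findings.append(f"percent-encoding in host part: {parts.netloc}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"link points at a raw IP address: {host}")
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
    for brand, real in LEGITIMATE_DOMAINS.items():
        if brand in host and registrable_domain(host) != real:
            findings.append(f"'{brand}' used in look-alike host {host}")
    return findings


def score_email(from_header: str, html_body: str) -> dict:
    """Return every indicator found plus a crude score (one point per indicator)."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()      # strip tags for phrase checks
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the customer's name")
    findings += [f"pressure wording: '{p}'" for p in URGENCY_PHRASES if p in text]
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, link_text in parser.links:
        findings += link_findings(href, link_text)
    m = re.match(r"\s*(.*?)\s*<([^>]+)>", from_header)      # "Display Name <addr>"
    if m:
        display, addr_domain = m.group(1).lower(), m.group(2).rsplit("@", 1)[-1]
        for brand, real in LEGITIMATE_DOMAINS.items():
            if brand in display and registrable_domain(addr_domain) != real:
                findings.append(f"From says '{m.group(1)}' but address domain is {addr_domain}")
    return {"score": len(findings), "findings": findings}


# Constructed sample in the style of the 2003 eBay scam; not a real message.
SAMPLE_FROM = "eBay Billing <billing@ebay-secure-update.net>"
SAMPLE_BODY = """<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p><a href="http://www.ebay.com@203.0.113.7/cgi-bin/update">http://www.ebay.com/update</a></p>
</body></html>"""

if __name__ == "__main__":
    result = score_email(SAMPLE_FROM, SAMPLE_BODY)
    print(f"score {result['score']}")
    for finding in result["findings"]:
        print(" -", finding)
```

The score is a plain count, which is enough to sort a mailbox but not to block mail on its own: a genuine reminder from a bank can legitimately say "within 24 hours", so a gateway would weight the link-level findings (the @ trick, the raw IP, the text/href mismatch) far more heavily than the wording ones.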

Types of Phishing:
• Deceptive phishing: mass e-mail (or instant messages) impersonating a legitimate organization and asking the user to "verify" an account or re-enter details on a fake site; the classic form described above.
• Malware-based phishing: running malicious software on the user's PC, typically delivered as an e-mail attachment or a download from a compromised site.
• Key-loggers and screen-loggers: malware that records keyboard input or screen contents and sends the relevant information to the attacker.
• Web Trojans: pop-up windows that appear over a legitimate login page and capture the credentials the user types.
• Hosts file poisoning: the attacker adds entries to the local hosts file so that a legitimate hostname resolves to the attacker's IP address, taking the user unwittingly to a look-alike website where their information can be stolen. The hosts file is consulted before DNS, so DNS itself need not be touched.
• System reconfiguration attacks: modifying settings on the user's PC for malicious purposes, for example the DNS servers or the browser's proxy.
• Data theft: unsecured PCs are used to access servers where the victims' information is stored.
• DNS-based phishing (pharming): attackers tamper with a company's host files or domain name system so that requests for a URL return a bogus address and subsequent communication is directed to a fake site.
• Content-injection phishing: attackers replace part of the content of a legitimate site with false content designed to mislead the user or deliver malicious code.
• Man-in-the-middle phishing: attackers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on, so that the user's transactions are not affected and nothing looks wrong.
• Search engine phishing: phishers create websites with attractive-sounding offers and have them indexed legitimately by search engines.
• Spear phishing: a newer type of phishing that focuses on a single user or a department within an organization. The phish appears to come from someone within that company, in a position of trust, and requests information. It may ask the user to click a link that deploys spyware capable of stealing data.

Steps to avoid Phishing:


• Keep antivirus up to date.
• Do not click on hyperlinks in e-mails; type the address or use a bookmark instead.
• Take advantage of anti-spam software.
• Verify HTTPS: check that the connection is encrypted and that the certificate is issued for the site you expect.
• Get educated about recent attacks.
• Use a firewall.
• Keep backup system images so that a compromised machine can be restored.
• Secure the hosts file (restrict write access to it and review its contents).
• Protect against DNS-based phishing (use a trusted resolver and check that the DNS settings have not been changed).
• Don't enter sensitive or financial information into pop-up windows.
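The "secure the hosts file" step can be automated. The Python script below is an added example, not from the original document: it parses a hosts file and reports any entry that maps a protected domain, or a subdomain of it, to a routable address. Loopback and 0.0.0.0 mappings are ignored because they are the file's common legitimate use (ad and tracker sinkholes). The list of protected domains and the sample hosts content are constructed for the example.

```python
import ipaddress
import os

# Domains whose resolution must never be overridden locally. Constructed for this
# example; an administrator would list the bank and service domains that matter.
PROTECTED_DOMAINS = ("google.com", "icicibank.com", "hsbc.co.uk", "barclays.co.uk")


def parse_hosts(text: str) -> list:
    """Return (ip_address, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed line, ignore
        for name in fields[1:]:                     # one line may alias several names
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def suspicious_entries(text: str) -> list:
    """Entries that map a protected domain, or any subdomain of it, to a routable
    address. Loopback and 0.0.0.0 mappings (sinkholes) are not reported."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        if any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS):
            hits.append((name, str(ip)))
    return hits


def system_hosts_path() -> str:
    """Location of the hosts file on the current platform."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample, not a real hosts file.
SAMPLE_HOSTS = """\
# localhost entries
127.0.0.1     localhost
::1           localhost ip6-localhost
0.0.0.0       ads.tracker.example          # sinkhole, legitimate
203.0.113.45  www.google.com google.com    # injected by a hijacker
203.0.113.45  www.icicibank.com
198.51.100.7  intranet.corp.example        # unrelated, not protected
"""

if __name__ == "__main__":
    print("sample:", suspicious_entries(SAMPLE_HOSTS))
    with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
        for name, ip in suspicious_entries(fh.read()):
            print(f"SUSPICIOUS: {name} -> {ip}")
```

Run it from a scheduled task or a login script and alert on any output; on a workstation the hosts file should normally contain nothing but the localhost lines, so any routable entry for a bank or login domain is worth a look.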

Note: www.zimbio.com/phish/articles/7 describes the method used to phish an Orkut login page.

Vishing
Meaning:
Vishing is a criminal practice which, like phishing, uses social engineering to steal people's identities and gain access to their private, personal and financial information, but over the telephone, typically using Voice over Internet Protocol (VoIP) lines. The term itself is a combination of "voice" and "phishing".

Technique:
Vishing is very hard for law enforcement to monitor or trace. Unsuspecting users receive voice mails (or e-mails) asking them to call a telephone number that appears to belong to their bank but actually belongs to the thief; the caller ID shown to the victim is spoofed so that it looks legitimate.

Simply put, in vishing the message asks the user to make a telephone call instead of clicking a link. The call reaches an automated voice response system that asks for the user's account or credit card number. Because the caller ID can be spoofed, everything appears legitimate and the scam is hard to detect. VoIP is used because caller IDs can be spoofed easily and the entire operation can be carried out in a short time.

Steps to avoid Vishing:


To protect yourself from vishing, use some of the same techniques listed above for phishing.

• Don't give information to anybody unless you are certain of whom you are dealing with.
• If you get a phone call about any of your accounts, hang up and call the institution yourself.
• Dial the number printed on the back of your credit card or on your statements, never the number given in the call or message.

Spoofing
It is the act of creating a website, as a hoax, with the intention of committing fraud. Phishers use the names, logos, graphics and even the code of the actual website to make spoof sites seem legitimate. Some spoof sites go further and fake the URL shown in the address bar and the padlock icon the browser displays for a secure connection (in older browsers, at the bottom right corner of the window).

Smishing
This newest form of scam is a combination of phishing and SMS and is initiated via text message. The consumer receives a text message stating that an account is in danger and prompting the recipient to respond by verifying personal information.

In another variant, the consumer receives a text message on a cell phone or other mobile device confirming enrolment in a service and stating that the user will be charged unless the order is cancelled. Once the recipient clicks to cancel the order, a Trojan is downloaded that gives the criminal access to the mobile device: it lets the criminal listen to calls and read information stored on the phone.

Skimming
Skimming is a method used by fraudsters to capture the data on your credit card. When the card is swiped through a skimmer, the information on the magnetic stripe is read and stored on the skimmer or an attached computer, and can later be written onto a cloned card. Skimmers are fitted to ATMs and used at restaurants and shopping outlets.

Tips to protect from skimming:


• Sign the reverse of your credit card as soon as you receive it.
• Collect your receipts/charge slips at ATMs, restaurants and shopping outlets.
• Use your card with merchants that you know and can trust.
• Never allow a shopkeeper to take your card to a different room or shop for swiping.

How to find out if an e-mail is genuine:

Finding out whether an e-mail is genuine is not very difficult. Every e-mail message carries headers, and each mail server that handles the message adds a Received: header on top of the existing ones, so the headers record, reading from bottom to top:

• Origin: the machine that sent the message (its name and IP address as seen by the first server).
• Relay: each sending machine handing the message on to the next server.
• Final destination: the server that delivered it to your mailbox, with the IP address and domain name of the hop it received from.

Because each server records the connecting IP address itself, the earlier entries can be forged by the sender but the ones added by your own mail provider cannot. Compare the domain in the From: line with Return-Path:, Reply-To: and the relays in the chain.
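The following Python script is an added example, not part of the original document, of reading those headers with the standard library: it walks the Received: headers in transit order (origin first) and compares the From domain with Return-Path, Reply-To and the relays in the chain. Both sample messages are constructed for the example, and the checks are heuristics only: mailing-list software, forwarders and bulk-mail providers legitimately produce some of the same mismatches.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from <host> (<reverse-DNS info>) by <host>" as written by most mail servers.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)


def received_chain(raw: str) -> list:
    """Hops in transit order, origin first. Each server prepends its own Received:
    header, so the header order in the message is reversed before reading."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(str(value).split()))   # unfold continuation lines
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2) or "", "by": m.group(3)})
    return hops


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From/Return-Path/Reply-To header ('' if absent)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def header_findings(raw: str) -> list:
    """Mismatches that phishing mail usually shows. Substring checks are deliberately
    loose; treat the result as a hint, not a verdict."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    for header in ("Return-Path", "Reply-To"):
        d = domain_of(msg.get(header, ""))
        if d and d != from_domain:
            findings.append(f"{header} domain {d} differs from From domain {from_domain}")
    hops = received_chain(raw)
    if hops:
        origin = hops[0]
        # A bare IP literal or "unknown" means the first server could not resolve a
        # name for the sender: typical of a compromised PC or a throwaway host.
        if origin["from"].startswith("[") or "unknown" in origin["from_info"].lower():
            findings.append(f"origin has no resolvable name: {origin['from']} ({origin['from_info']})")
        chain_text = " ".join(h["from"] + " " + h["from_info"] for h in hops).lower()
        if from_domain and from_domain not in chain_text:
            findings.append(f"no server in the Received chain belongs to {from_domain}")
    return findings


# Constructed samples; neither is a real captured message.
SUSPECT_MESSAGE = """\
Return-Path: <bounce@mail-blast.example.net>
Received: from relay.mail-blast.example.net (relay.mail-blast.example.net [203.0.113.20])
        by mx.customer.example with ESMTP id 8a1; Tue, 10 Jun 2008 09:12:58 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
        by relay.mail-blast.example.net with SMTP id 1z; Tue, 10 Jun 2008 09:12:40 +0000
From: "Customer Service" <service@bank.example>
Reply-To: verify-account@mail-blast.example.net
To: customer@customer.example
Subject: Verify your account

Dear Customer, click the link below to gain access to your account.
"""

GENUINE_MESSAGE = """\
Return-Path: <service@bank.example>
Received: from mail.bank.example (mail.bank.example [198.51.100.9])
        by mx.customer.example with ESMTP id 77b; Tue, 10 Jun 2008 09:13:02 +0000
From: "Customer Service" <service@bank.example>
To: customer@customer.example
Subject: Your monthly statement

Your statement is now available in online banking.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label)
        for hop in received_chain(raw):
            print("  hop:", hop["from"], "->", hop["by"])
        for finding in header_findings(raw):
            print("  !", finding)
```

Only the topmost Received: header (the one your own provider added) is trustworthy; everything below it was supplied by the sender's side and can be fabricated, which is why the script also cross-checks the From domain against Return-Path and Reply-To rather than relying on the chain alone.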

Observe closely: spoofed website versus original website (comparison screenshots in the original document).


