Phishing

Phishing is the practice of luring computer users into revealing sensitive information such as usernames, passwords, or credit card numbers by sending them fake messages that appear to come from banks or other trusted organizations. The name is a play on "fishing", with the "ph" borrowed from the older "phone phreaking" scene. The user is usually directed to a web page that mimics the target organization's site and enters their information believing it to be genuine.

Criminals use the harvested information to make fraudulent transactions and may go on to steal the victim's entire identity.

History

Attackers have been tricking computer users into unknowingly handing out their personal information for many years. "In the 1990s, with the increasing growth in interconnected systems and the popularity of the Internet, attackers started to automate this process and attack the mass consumer market." 1

Early phishing attacks mainly aimed at gaining access to users' AOL accounts, or occasionally at obtaining credit card information. The messages preyed on unskilled computer users who were accustomed to "automated" system messages from reputable sites. The attackers might claim that a database had failed, and most users, trusting the story, would enter their sensitive information quickly to avoid the "serious problem" it described.

Today the strategy used by most phishers is to bulk-email their lures to large numbers of users, appearing to come from a trusted brand. The message demands urgent action, often, ironically, to protect the user's sensitive data from hackers, and contains a link to a web page that masquerades as the public website of the targeted brand. The phisher hopes the user will submit their confidential information to this fake but legitimate-looking site. Organizations targeted by phishers include:

  • well-known banks
  • credit card companies
  • Internet traders such as eBay and PayPal

Examples of phishing emails can be found at the Anti-Phishing Working Group website.

Phishing Methods

Phishers rely on a number of simple tools and techniques to trick users into connecting to their server or accepting their page content.2 The most common are described below.

Man-in-the-middle Attacks

Possibly the most effective way of capturing user information, the man-in-the-middle attack places the phisher between the user and the real web site and proxies all communication between them. From there, the phisher can observe and record everything the user submits.

According to an article at TechnicalInfo.net, "this form of attack is successful for both HTTP and HTTPS communications. The customer connects to the attackers server as if it was the real site, while the attackers server makes a simultaneous connection to the real site. The attackers server then proxies all communications between the customer and the real web-based application server - typically in real-time." 2

Where the real site uses HTTPS, the user's browser sets up a TLS (SSL) connection to the phisher's proxy, which holds a certificate for its own look-alike domain, so the padlock is shown while the proxy still sees every request and response in the clear; the proxy then opens its own TLS connection to the real web site. The padlock only proves that traffic to the host named in the address bar is encrypted; it says nothing about whether that host is the bank, so the domain name still has to be checked.

URL Obfuscation Attacks

The basis of phishing attacks is to get the message recipient to follow a hyperlink to the phisher's server, without the user realizing they have been sent to a malicious site. The most common methods of URL obfuscation include:

Bad domain names

One method is the registration and use of deceptive domain names. Suppose MyBank's transactional site is privatebanking.mybank.com. A phisher could register a domain and host privatebanking.mybank.com.ch, which a user glancing at the address bar may accept as MyBank's even though it is not under mybank.com at all.

Friendly login URLs

Many web browsers allow a URL to carry authentication information, usually in the form URI://username:password@hostname/path. A phisher can put the target site's name in the username and password fields so that the URL begins with the familiar domain, for example http://privatebanking.mybank.com:ebanking@evilsite.example/, while the browser actually connects to the host after the "@". Current browsers generally strip or warn about credentials embedded in a URL, but the trick is still worth recognizing.

Third-party shortened URLs

Because many web application URLs are lengthy, a number of third parties offer free URL-shortening services. Phishers use them to hide the intended destination from the user until the link is followed.

Host name obfuscation

Phishers may use an IP address in place of the host name (sometimes written as a single decimal or octal number rather than in dotted notation) to obscure the host, bypass content filters that match on domain names, and hide the true destination from the end user.

Cross-site scripting

Cross-site scripting attacks inject script or custom content through a parameter of a legitimate site's URL or an embedded data field, so that the phisher's content is served from the real site's own domain. They depend on a scripting flaw in the target site, typically missing input validation or output encoding.
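The tricks listed above can be checked mechanically. The following Python script is an added example, not code from the original page or from the cited sources; it flags each of the obfuscation methods just described (deceptive domain, credentials before "@", an IP-literal host including the bare-decimal form, a shortener, and script in a query parameter). The public-suffix table, the shortener list and the sample URLs are constructed stand-ins; a real checker would load the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed stand-in for the Public Suffix List (assumption: a real checker
# would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "ch", "ly", "co", "co.uk"}

# Constructed list of URL-shortening hosts (assumption).
SHORTENER_DOMAINS = {"tinyurl.com", "bit.ly", "t.co"}


def registrable_domain(host):
    """Registrable domain of a host name, e.g. 'mybank.com' for
    'privatebanking.mybank.com' and 'com.ch' for 'privatebanking.mybank.com.ch'.
    The longest matching public suffix wins, so 'co.uk' beats 'uk'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def host_is_ip(host):
    """True for dotted/IPv6 literals and for a bare decimal host such as
    3232235521, which browsers have historically accepted as 192.168.0.1."""
    try:
        ipaddress.ip_address(int(host) if host.isdigit() else host)
        return True
    except ValueError:
        return False


def analyze_url(url, expected_domain):
    """Map each obfuscation trick found in `url` to a short explanation.
    `expected_domain` is the brand's registrable domain, e.g. 'mybank.com'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = {}

    # Friendly-login trick: everything before '@' is userinfo, not the host.
    if parts.username is not None:
        findings["userinfo"] = "text before '@' (%r) is a username; real host is %r" % (
            parts.username, host)

    # Host-name obfuscation: raw (possibly decimal) IP instead of a name.
    if host_is_ip(host):
        findings["ip-host"] = "host is an IP literal (%s), not a domain name" % host
    else:
        reg = registrable_domain(host)
        # Third-party shortener hiding the destination.
        if reg in SHORTENER_DOMAINS:
            findings["shortener"] = "%s is a URL-shortening service; destination unknown" % reg
        # Bad domain name: looks like the brand but is registered elsewhere.
        elif reg != expected_domain.lower():
            findings["foreign-domain"] = "registrable domain is %r, not %r" % (reg, expected_domain)

    # Cross-site scripting: markup or script in a parameter of an otherwise real URL.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if "<" in value or value.lower().lstrip().startswith("javascript:"):
            findings["script-in-query"] = "parameter %r carries markup/script" % key
            break

    return findings


if __name__ == "__main__":
    # Constructed sample links of the kinds described in the text.
    samples = [
        "https://privatebanking.mybank.com/login",
        "https://privatebanking.mybank.com.ch/login",
        "http://privatebanking.mybank.com:ebanking@198.51.100.23/login",
        "http://3232235521/",
        "https://tinyurl.com/abc123",
        "https://mybank.com/search?q=<script>alert(1)</script>",
    ]
    for sample in samples:
        print(sample, "->", analyze_url(sample, "mybank.com") or "no findings")
```

The check is deliberately conservative about what it reports for an IP-literal host (it does not also complain about the missing brand domain), and the shortener result says only that the destination is unknown; resolving it would require following the redirect.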

Preset Session Attack

Because HTTP and HTTPS are stateless protocols, web sites need their own mechanism to track a user across pages and to control access to resources that require authentication. The most common mechanism is the session identifier (SessionID).

A phisher can take advantage of this by sending a message containing a link to the real web site that also carries a predefined SessionID. According to TechnicalInfo.net, "the phishing attacker must wait until a message recipient follows the link and authenticates themselves using the SessionID. Once authenticated, the application server will allow any connection using the authorised SessionID to access restricted content (since the SessionID is the only state management token in use). Therefore, the attacker can use the preset SessionID to access a restricted page and carry out his attack." 2 The defence is to never accept a session identifier supplied in the URL and to issue a fresh identifier when the user authenticates, so that any preset value remains unauthenticated.
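As an added example (not from the page or the cited article), here is the preset session attack and its fix in Python. The session store, user table and identifiers are constructed; login_vulnerable keeps the client-supplied SessionID across authentication, while login_fixed discards it and issues a fresh random one, which is the session-regeneration defence.

```python
import secrets

# Constructed user table (assumption; plaintext compare for brevity, real
# code stores password hashes).
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session table keyed by SessionID."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": name or None}

    def get_or_create(self, session_id):
        """Accept whatever SessionID the client presents (here, the one the
        phisher put in the link) and create state for it if it is new."""
        if session_id not in self.sessions:
            self.sessions[session_id] = {"user": None}
        return session_id

    def login_vulnerable(self, session_id, username, password):
        """Authenticate but keep the caller-supplied SessionID, so the phisher,
        who already knows it, is now logged in as the victim."""
        sid = self.get_or_create(session_id)
        if USERS.get(username) == password:
            self.sessions[sid]["user"] = username
        return sid

    def login_fixed(self, session_id, username, password):
        """Hardened: on success, discard the presented ID and issue a fresh,
        unguessable one; the preset ID never becomes authenticated."""
        self.get_or_create(session_id)
        if USERS.get(username) != password:
            return session_id
        self.sessions.pop(session_id, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def restricted_page(self, session_id):
        """Return the account page for an authenticated session, else None."""
        state = self.sessions.get(session_id)
        if state is None or state["user"] is None:
            return None
        return "account page for %s" % state["user"]


def demo(hardened):
    """Replay the attack: the phisher presets a SessionID in the link, the
    victim logs in with it, the phisher presents the same ID afterwards.
    Returns what the phisher gets from the restricted page."""
    store = SessionStore()
    preset = "ATTACKER_CHOSEN_ID"  # embedded in the phishing link (constructed)
    # Victim follows e.g. https://real-site.example/login?sessionid=ATTACKER_CHOSEN_ID
    login = store.login_fixed if hardened else store.login_vulnerable
    login(preset, "alice", USERS["alice"])
    # Phisher, who never authenticated, reuses the preset ID.
    return store.restricted_page(preset)


if __name__ == "__main__":
    print("vulnerable server, phisher sees:", demo(hardened=False))
    print("hardened server, phisher sees:", demo(hardened=True))
```

Regenerating the identifier at login is the part that matters; rejecting identifiers passed in the query string (accepting only a cookie the server itself set) removes the delivery channel as well.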

Hidden Attacks

A phisher may use HTML or other code that the victim's browser interprets to manipulate what is displayed, for example link text that reads as the real site's address while the link itself points elsewhere. These techniques are used to disguise fake content as genuine.
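The Python below is an added example, not part of the original page, that audits the anchors in an HTML message for that mismatch between the host shown in the link text and the host the href actually connects to. The sample message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (assumption): the first link shows the bank's
# address but points at a raw IP; the second link is honest.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://198.51.100.23/mybank/login">https://www.mybank.com/login</a>
or read our <a href="https://www.mybank.com/help">help pages</a>.</p>
"""

# First host-like token (optionally preceded by a scheme) in visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkAuditor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Return (shown text, real href) for links whose visible text names a host
    different from the one the href connects to."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    deceptive = []
    for href, text in auditor.links:
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue  # plain words such as "help pages" cannot misstate a host
        shown_host = match.group(1).lower()
        real_host = (urlsplit(href).hostname or "").lower()
        if shown_host != real_host:
            deceptive.append((text, href))
    return deceptive


if __name__ == "__main__":
    for shown, real in deceptive_links(SAMPLE_EMAIL):
        print("link text %r actually goes to %r" % (shown, real))
```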

Using Spyware

By installing spyware on a user's computer, phishers can observe the data the user enters into web sites. Two common methods are:

  • Key-logging: records every key the user presses, particularly while entering authentication data into web sites. With this information the phisher can use the account whenever they choose.
  • Screen grabbing: some phishing malware takes screenshots of data as it is entered into a web site. This is used against the more secure financial applications that have features (such as on-screen keyboards) built in to resist key-logging.

Browser Vulnerabilities

Some phishing attacks exploit vulnerabilities in the web browser itself. Even though software vendors publish updates and patches that would close these holes, home users often neglect to apply them.

Preventing Phishing Attacks

There is a wide variety of anti-phishing efforts and technologies. For example, the Anti-Phishing Working Group is an organization that brings together businesses affected by phishing attacks and businesses that provide security products to prevent them.

For more information on the Anti-Phishing Working Group, visit the organization's web site.

Anti-phishing technologies

Anti-phishing technology is now most often built into browsers or provided as toolbar extensions. It can protect users in several ways, including:

Helping users identify legitimate sites

Because most phishing attacks revolve around a malicious web site pretending to be a trustworthy one, prevention depends on the user's ability to identify the site they are visiting. Some anti-phishing toolbars display the real domain name of the visited web site 3, while others, like the Petname extension for Mozilla Firefox, let users assign their own names to web sites so they can recognize and verify the correct site later.3

Letting you know you've come to a bad web site

Another approach is to maintain an updated list of known phishing sites and check each visited site against it. Microsoft Internet Explorer 7, Mozilla Firefox 2.0, and Opera all implement this kind of protection.

Increasing Login Security

Web sites have begun to increase login security in many ways. One is to ask users to select a personal image that is then shown alongside the password form; users are told to enter their password only if they see the image they chose. Note that this does not defeat a real-time man-in-the-middle proxy, which can simply fetch the image from the real site and relay it to the user.

Blocking Spam Mail

Spam filters built into your email provider can also reduce the number of phishing emails you receive.

Desktop Protection Software

Because many phishing attacks involve malware, antivirus software, antispyware software, and similar desktop protection can also help against those attacks.

References

  • 1. Know Your Enemy: Phishing. Retrieved 2007-09-19.
  • 2. The Phishing Threat. TechnicalInfo.net. Retrieved 2007-09-19.
  • 3. Phishing. Retrieved 2007-09-19.
  • 4. Brandt, Andrew. Protect Yourself with an Antiphishing Toolbar. Retrieved 2007-09-20.
