Author Topic: What is Phishing ?  (Read 10060 times)

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
What is Phishing ?
« on: October 11, 2005, 01:12:32 PM »
I think everyone is talking about their solution to certain Phishing attempts. But no one has really defined the problem. In other words, what would constitute a phishing attempt, or what kind of attempt could be used. In yet other words, I guess we need a definition of the situation.
So, here it is. This is a topic to define phishing. We are not looking for a solution here, just a definition of phishing. You have heard of, or maybe even been tricked by, phishing. This is the place where you can tell about it. How was the attempt made? Please give as much detail as possible.

Once we have a definition of how hackers try to phish personal information from the user, we can talk about solutions.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
What is Phishing ?
« Reply #1 on: October 11, 2005, 01:21:46 PM »
Wiki

Quote
Phishing
From Wikipedia, the free encyclopedia.

This phishing attempt, disguised as an official email from Charter One Bank, attempts to trick users into giving away their account information by "confirming" it at the phisher's linked website.

In computing, phishing (also known as carding and spoofing) is a form of social engineering, characterised by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

With the growing number of reported phishing incidents, additional methods of protection have been needed. Attempts include legislation, user training, and technical measures.

Avoiding and spotting phishing attempts

A user who is contacted about an account needing to be "verified" could either contact the company that is the subject of the email, or could type in a trusted web address for the company's website into the address bar of their browser, to bypass the link in the suspected phishing message. Many companies, including eBay and PayPal, always address their customers by their username in e-mails, so if an e-mail addresses a user in a generic fashion ("Dear valued eBay member") it is likely to be an attempt at phishing.

It is possible to spot some phishing attempts from the makeup of links in the message. One method of spoofing links used web addresses containing the @ symbol. For example, the link http://[email protected]/ may deceive a casual observer into believing that the link will open a page on www.google.com, whereas the link actually directs the browser to a page on members.tripod.com. This method has since been closed off in the Mozilla[3] and Internet Explorer[4] browsers. Misspelled URLs or the use of subdomains are other common tricks used by phishers, such as this example URL, http://www.yourbank.com.example.com/.

Technical responses

Several anti-phishing software programs are available. The programs work by identifying phishing contents on websites and emails; anti-phishing software may be integrated with web browsers and email clients as a toolbar that displays the real domain name for the visiting website. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive. There is also a solution that leverages a blend of psychology and technology to help prevent users from falling prey to phishing.

Many organizations, including Bank of America, have introduced a feature called challenge questions. Challenge questions ask the user for information, which would only be known to the user and the bank. Many sites have also added verification tools that allow users to see a secret image (a simple form of two-way authentication) that the user selected in advance; if the image does not appear, then the site is not legitimate.

The Anti-Phishing Working Group, an industry and law enforcement association, has noted that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers.[14] They propose that pharming and crimeware will become more common tools for stealing information.

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
What is Phishing ?
« Reply #2 on: October 11, 2005, 01:26:44 PM »
Thank you quixin. That is a very good definition to start off with. I think we are more looking for things like:

Code:
http://[email protected]/
Code:
http://www.yourbank.com.example.com/ <- why can't they just ban example.com? :lol:

I for one hadn't even thought about the first one, even though I knew about it.
It is impossible to create a fool-proof system, because fools are ingenious.

Online Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
What is Phishing ?
« Reply #3 on: October 11, 2005, 04:05:06 PM »
Or for those trying to phish PWM users using accounts:
Code:
http://www.example.com/.google.com/
"I'm not drunk, just sleep deprived."
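The three link tricks collected in this thread (the userinfo "@" trick from the Wikipedia quote, the "www.yourbank.com.example.com" subdomain trick, and the "/.google.com/" path trick above) can be turned into a check a client runs before following a link. This is an added Python example, not code from the thread or from PasswordMaker; it uses urllib.parse to recover the host the browser actually connects to, and the trusted names and the decoy host "decoy.example.net" are constructed for the example.

```python
from urllib.parse import urlsplit

# Names the user trusts; constructed for this example, not from the thread.
TRUSTED = {"www.google.com", "www.yourbank.com"}


def effective_host(url):
    """Host the browser really connects to: anything before '@' is userinfo."""
    return (urlsplit(url).hostname or "").lower()


def _core(name):
    """Drop a leading 'www.' so 'mail.google.com' still counts as Google."""
    return name[4:] if name.startswith("www.") else name


def lookalike_findings(url, trusted=TRUSTED):
    """Describe why a link looks like one of the spoofing tricks from the thread.

    1. userinfo trick:  http://www.google.com@decoy.example.net/
    2. subdomain trick: http://www.yourbank.com.example.com/
    3. path trick:      http://www.example.com/.google.com/
    Returns [] for a link whose host really is (a subdomain of) the brand.
    """
    parts = urlsplit(url)
    host = effective_host(url)
    findings = []
    # urlsplit puts the decoy name before '@' into .username, not .hostname
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' hides real host '{host}'")
    for brand in trusted:
        core = _core(brand)
        if host == core or host.endswith("." + core):
            continue  # genuinely on the brand's own domain
        if core in host:
            findings.append(f"host '{host}' contains '{core}' but is not under it")
        if core in parts.path.lower():
            findings.append(f"path hides '{core}' while host is '{host}'")
    return findings


def is_suspicious(url):
    """True when at least one of the three tricks is present."""
    return bool(lookalike_findings(url))
```

Run the three thread URLs through lookalike_findings() to see each one flagged with its real host, while a genuine subdomain such as mail.google.com returns no findings.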

PasswordMaker Forums
