Friday, June 20, 2008

Phishing: Examples and Prevention Methods
What is phishing?

Phishing is a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing credentials such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.

Phishing is also considered a form of THEFT: the act of sending an e-mail or instant message to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information for the purpose of identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site is bogus and set up only to steal the user's information.

Examples of phishing
1. 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to the eBay site to update their account information. By spamming large groups of people, the phishers counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.
2. Another example would be if you received an e-mail that appears to be from your bank requesting that you click a hyperlink in the e-mail and verify your online banking information. Usually there will be a repercussion stated in the e-mail for not following the link, such as "your account will be closed or suspended". The goal of the sender is for you to disclose personal and/or account-related information. This type of e-mail scam is also called phishing.
Prevention methods

1. Prevent phishing with mutual authentication. Efforts such as Extended Validation certificates are bound to fail in many cases because they rely on inconsistent visual aids rather than strong cryptography. One-time passwords alone have also proven vulnerable to real-time MITM attacks. Preventing phishing consistently requires strong mutual authentication: validating the host to the user and the user to the host.

2. Eliminating phishing mail. Specialized spam filters can reduce the number of phishing e-mails that reach their addressees' inboxes. Classifying phishing e-mails relies on machine learning and natural language processing approaches. Beyond filtering, never click a link within the text of an e-mail; always delete such an e-mail immediately.

3. Attackers use IP addresses instead of domain names in hyperlinks that point to the fake web site. Many innocent users will not check (or know how to check) whether an IP address is registered and assigned to the organisation that the branded fake web site claims to represent. Attackers also copy the appearance of the legitimate web site.
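To make items 2 and 3 concrete from the defender's side, here is an added example (my own illustration, not code from this post or from any of its sources) of the kind of simple link and wording checks a mail filter can apply before any machine-learning model is involved. It flags hyperlinks whose host is a bare IP address, visible link text that looks like a URL but points to a different host, and the urgency phrasing the post describes. The two messages, the example-bank.com domain, the 192.0.2.10 address and the URGENCY_PHRASES list are all constructed for this example.

```python
import re
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real e-mails): one phishing-style, one benign.
PHISHING_SAMPLE = """Subject: Your account will be suspended
Dear customer, your account will be suspended unless you verify your details now.
<a href="http://192.0.2.10/login">http://www.example-bank.com/login</a>
"""

BENIGN_SAMPLE = """Subject: Monthly statement available
Your statement is ready. Sign in as usual at <a href="https://www.example-bank.com/">our site</a>.
"""

# Hypothetical list of pressure phrases typical of phishing lures.
URGENCY_PHRASES = ("suspended", "closed", "verify your", "update your", "immediately")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def is_ip_literal(host):
    """True when the link host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(message):
    """Return a list of human-readable indicators found in the message."""
    parser = LinkExtractor()
    parser.feed(message)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            findings.append(f"ip-literal host in link: {href}")
        # Visible text that looks like a URL but whose host differs from the real target.
        m = re.match(r"https?://([^/\s]+)", text)
        if m and m.group(1).lower() != host.lower():
            findings.append(f"link text {text!r} does not match href host {host!r}")
    lowered = message.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings


def score(message):
    """Number of independent indicators; a filter would quarantine above a threshold."""
    return len(analyse(message))


if __name__ == "__main__":
    for label, msg in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score(msg), analyse(msg))
```

Each indicator on its own is weak (a legitimate newsletter may say "immediately"), which is why the score counts independent signals and why real filters feed features like these into a trained classifier rather than relying on any single rule.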

4. Malware can manipulate the hosts file on a victim's PC, which is used to maintain local mappings between DNS names and IP addresses. By inserting a fake DNS entry into a user's hosts file, it will appear that their web browser is connecting to a legitimate web site when in fact it is connecting to a completely different web server hosting the fake phishing web site.
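An added example (my own, not from this post or its sources) of how a defender can detect the hosts-file tampering described in item 4: parse the file, and flag any entry that maps a name under a protected domain to a local address, since such names should only ever resolve through DNS. The SAMPLE_HOSTS text, the PROTECTED_DOMAINS list, the example-bank.com domain and the 198.51.100.7 address are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file content (not taken from a real machine).
SAMPLE_HOSTS = """# localhost entries
127.0.0.1   localhost
::1         localhost
# entry of the kind malware might append (constructed example)
198.51.100.7  www.example-bank.com online.example-bank.com
"""

# Hypothetical list of domains that must never be pinned in the local hosts file.
PROTECTED_DOMAINS = {"example-bank.com"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a stricter checker might flag it
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_protected(name):
    """True when name equals or is a subdomain of a protected domain."""
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def find_suspicious(text):
    """Return (line_number, address, name) for entries that override protected names."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback and name == "localhost":
            continue  # the normal entries every hosts file carries
        if is_protected(name):
            findings.append((lineno, str(addr), name))
    return findings


if __name__ == "__main__":
    for lineno, addr, name in find_suspicious(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} pinned to {addr}")
```

To run this against a real machine, read the file at /etc/hosts on Unix-like systems or %SystemRoot%\System32\drivers\etc\hosts on Windows and pass its contents to find_suspicious; comparing a hash of the file against a known-good baseline is a cheaper complementary check that catches any change, not only changes to the listed domains.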
5. The fake phishing web site can be configured to record any input data the user submits (such as usernames and passwords), silently log it and then forward the user to the real web site. This might cause a "password incorrect, please retry" error or be totally transparent; in either case many users will not be overly worried and will put the event down to their own poor typing rather than intervention by a malicious third party.

Prepared by Lew Pei Ean
All rights reserved by EnT02 Group Rui, Ean and Agu™