The article is divided into three parts: social engineering, phishing and anti-phishing. The social engineering part describes the phenomenon and its common techniques: pretexting, diversion theft, phishing, IVR or phone phishing, baiting, quid pro quo, and common confidence tricksters or fraudsters. Phishing is the topic we focus on; its techniques are link manipulation, filter evasion, website forgery and phone phishing, and the damage caused by phishing is also introduced. To counter phishing there are anti-phishing measures, grouped into social, technical and legal responses. Last but not least, we offer suggestions against phishing.

  Have you ever received an e-mail from a bank asking you to verify your personal information? Watch out: you may be the target of phishing, which is one technique of social engineering. Social engineering is the act of manipulating people into divulging confidential information rather than using technical hacking techniques. Similar to simple fraud, it typically relies on trickery for the purpose of information gathering, and in most cases the attacker never comes face to face with the victim. All social engineering techniques exploit specific attributes of human decision-making known as cognitive biases, sometimes called "bugs in the human hardware". There are mainly seven types of social engineering technique: pretexting, diversion theft, phishing, Interactive Voice Response (IVR) or phone phishing, baiting, quid pro quo, and common confidence tricksters or fraudsters.

  Pretexting is the act of creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim divulges information. Diversion theft is a "con" exercised by professional thieves: the objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere, hence the name "round the corner". IVR or phone phishing uses a rogue Interactive Voice Response system that imitates a real institution's IVR system. Baiting is the real-world Trojan horse: it uses physical media and relies on the curiosity or greed of the victim. Quid pro quo, from the Latin meaning "something for something", indicates a more-or-less equal exchange. Last but not least, common confidence tricksters or fraudsters could also be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people.
Phishing
  The most popular technique for fraudulently obtaining private information is phishing. The phisher sends an e-mail that appears to come from a legitimate business, such as a bank or credit card company, requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that looks legitimate, with company logos and content, and carries a form requesting everything from your home address to your ATM card's PIN. This example combines several phishing techniques; the four main ones are link manipulation, filter evasion, website forgery and phone phishing, defined as follows.

[Figure: Website forgery; source: http://www.ipa.go.jp/security/english/virus/press/200503/E_PR200503.html]
  Link manipulation makes a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Common tricks are misspelled URLs, use of the spoofed organization's name as a subdomain of a domain the phisher controls, and anchor text that looks like a valid address while the link actually goes to the phisher's site.

  Filter evasion uses images instead of text to make it harder for anti-phishing filters to detect the text commonly used in phishing e-mails.
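The following is an added example written for this page, not code from the original article, that turns the link manipulation and filter evasion tells above into a small scanner for an HTML e-mail body. It flags anchor text that names one host while the href goes to another, a trusted brand name buried as a subdomain of an unrelated domain, a misspelled lookalike domain, and an image-heavy body with almost no text. The impersonated brand (example-bank.com), the sample messages and the "last two labels" approximation of a registered domain are all assumptions made for the example; a production scanner would use the Public Suffix List instead of that approximation.

```python
"""Heuristic scan of an HTML e-mail body for link-manipulation and
filter-evasion tells.  Constructed sample messages are at the bottom."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand being impersonated is the fictional example-bank.com.
TRUSTED_DOMAINS = {"example-bank.com"}
# A host name written in anchor text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?\b([\w-]+(?:\.[\w-]+)+)")


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs and counts images and visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_chars = [], 0, 0
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host: a crude stand-in for Public Suffix List handling."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot misspelled lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_link(href, text):
    """Return (kind, detail) findings for a single anchor."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    reg = registered_domain(host)
    m = HOST_IN_TEXT.search(text)
    if m and registered_domain(m.group(1)) != reg:
        findings.append(("anchor-mismatch", f"text shows {m.group(1)}, link goes to {host}"))
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            continue  # genuinely on the trusted domain
        brand = trusted.split(".")[0]
        if brand in host.split(".")[:-2]:
            findings.append(("subdomain-abuse", f"{brand} appears as a subdomain of {reg}"))
        elif edit_distance(reg, trusted) <= 2:
            findings.append(("lookalike-domain", f"{reg} resembles {trusted}"))
    return findings


def scan_email(html):
    """Run all checks over one HTML body; returns a list of (kind, detail)."""
    p = _LinkCollector()
    p.feed(html)
    findings = [f for href, text in p.links for f in analyse_link(href, text)]
    if p.images and p.text_chars < 40:  # filter evasion: pictures instead of words
        findings.append(("image-only", f"{p.images} image(s), {p.text_chars} text chars"))
    return findings


# Constructed samples (not real messages).
SAMPLE_PHISH = """<html><body><p>Dear customer, your account has been locked.</p>
<a href="http://www.example-bank.com.login-verify.example/auth">https://www.example-bank.com/verify</a>
<a href="http://exarnple-bank.com/">Sign in</a></body></html>"""
SAMPLE_IMAGE_ONLY = '<html><body><a href="http://promo-secure.example/x"><img src="cid:promo"></a></body></html>'
SAMPLE_LEGIT = ('<html><body><p>Your statement is ready. Log in at '
                '<a href="https://www.example-bank.com/">https://www.example-bank.com/</a>.</p></body></html>')

if __name__ == "__main__":
    for name, body in [("phish", SAMPLE_PHISH), ("image", SAMPLE_IMAGE_ONLY), ("legit", SAMPLE_LEGIT)]:
        print(name, scan_email(body))
```

On the constructed phishing sample the scanner reports an anchor mismatch and subdomain abuse for the first link and a lookalike domain for the second; the image-only sample trips the filter evasion check and the legitimate sample produces no findings. The edit-distance threshold is deliberately small, since a large one would flag unrelated short domains.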

  Website forgery: some phishing scams use JavaScript to alter the browser's address bar, either by placing a picture of a legitimate URL over the address bar or by closing the original address bar and opening a new one showing the legitimate URL, so that the victim sees the expected address while the page is served by the phisher. Modern browsers no longer let page scripts change or cover the address bar, so this particular trick mainly affected older browsers.



  Phone phishing: messages claiming to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the number (owned by the phisher and provided by a Voice over IP service) is dialed, prompts tell users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to make calls appear to come from a trusted organization.

  Phishing can be a disaster, so everyone should learn how to recognize it and avoid being caught; the damage ranges from loss of access to e-mail to substantial financial loss. Phishing has become so widespread that unsuspecting users often unintentionally reveal personal information, including credit card numbers, identity numbers and account passwords, to phishers. The consequences of disclosing confidential information can be serious. Once phishers have it, they may lock you out of your own accounts, run up charges on your account, open new accounts, and sign utility or loan contracts in your name. They can also use a false ID and commit crimes using your personal information. It is estimated that between May 2004 and May 2005 approximately 1.2 million computer users in the United States suffered losses caused by phishing totaling approximately $929 million.

  Fortunately, there are three complementary ways to implement anti-phishing, namely social, technical and legal responses, so that the harm caused by phishing can be reduced.

  Social responses can come from the public, companies and industry. Members of the public can slightly modify their browsing habits: for example, the address the individual knows to be the company's genuine website can be typed into the browser's address bar rather than trusting any hyperlink in the suspected phishing message. Companies can provide a way for the consumer to validate that an e-mail is legitimate, such as visual or audio personalization of e-mail; PayPal, for example, always embeds the consumer's name in its e-mails (though a phisher who already knows the recipient's name can imitate this). Industry organizations such as PhishTank and the Anti-Phishing Working Group (APWG) fight phishing; the APWG focuses on eliminating the fraud and identity theft that result from phishing, pharming and e-mail spoofing of all types.

  Technical responses are also important for reducing the risk of phishing. The main approaches are the following. First, deploy good-quality anti-virus and spyware detection applications and content filtering at the Internet gateway; these improve identification of phishing messages and sites and restrict risky behaviour with suspicious content. Second, browser security upgrades, such as distinctive display of potentially deceptive content and a warning when a potentially unsafe link is selected, can substantially reduce the efficacy of phishing attacks. Third, a second authentication factor can be tied to the device: a device identifier, such as a checksum of all available machine information, authenticates the device in addition to the password. The device identifier must be transmitted only to a secure location over a protected channel, or other measures must be employed to prevent man-in-the-middle attacks; a static checksum that is simply sent along with the password is itself a credential that a phishing site can capture and replay.
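The following is an added example written for this page, not code from the original article, that contrasts the plain device checksum described above with one of the "other measures" the text alludes to: keying the identifier with a per-device enrolment secret and a single-use server nonce. The machine attributes, the enrolment step and the challenge-response protocol are all assumptions made for the example. The point it demonstrates is that a captured checksum passes a second time, whereas a captured keyed response does not; it does not stop a phisher who relays the challenge to the victim in real time, which only origin-bound factors address.

```python
"""Device identifier as a second factor: plain checksum versus keyed
challenge-response.  All inputs are constructed for the example."""
import hashlib
import hmac
import os

# Constructed machine attributes (assumption: real code reads them from the OS).
MACHINE_INFO = {"os": "Linux 5.15", "cpu": "family 6 model 142",
                "mac": "02:00:5e:10:00:01", "hostname": "laptop-7"}


def naive_device_id(info):
    """Checksum of all available machine information.  Deterministic, so
    whoever observes it once can present it again."""
    blob = "|".join(f"{k}={info[k]}" for k in sorted(info))
    return hashlib.sha256(blob.encode()).hexdigest()


def naive_check(stored_id, presented_id):
    """Server-side check for the checksum scheme: a captured id passes."""
    return hmac.compare_digest(stored_id, presented_id)


def device_response(secret, device_id, nonce):
    """Keyed response: HMAC over the server's nonce and the device id."""
    return hmac.new(secret, nonce + device_id.encode(), hashlib.sha256).digest()


class Server:
    """Holds per-device enrolment secrets and single-use challenges."""

    def __init__(self):
        self.devices = {}     # device_id -> enrolment secret
        self.pending = set()  # nonces issued but not yet consumed

    def enrol(self, device_id):
        """Done once over a trusted channel; the secret never travels again."""
        secret = os.urandom(32)
        self.devices[device_id] = secret
        return secret

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, device_id, nonce, response):
        """Accept only an outstanding nonce and an HMAC under that device's secret."""
        secret = self.devices.get(device_id)
        if secret is None or nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # consumed: the same response cannot be replayed
        return hmac.compare_digest(device_response(secret, device_id, nonce), response)


def replay_demo():
    """Returns whether a login captured by a phisher succeeds again under each scheme."""
    server = Server()
    device_id = naive_device_id(MACHINE_INFO)
    secret = server.enrol(device_id)
    # The victim logs in once; the phishing site captures everything it sees.
    captured_id = device_id
    nonce = server.challenge()
    captured_response = device_response(secret, device_id, nonce)
    first = server.verify(device_id, nonce, captured_response)
    # The phisher now replays the captured values.
    naive_replay = naive_check(device_id, captured_id)
    keyed_replay_same_nonce = server.verify(device_id, nonce, captured_response)
    keyed_replay_new_nonce = server.verify(device_id, server.challenge(), captured_response)
    return {"first_login": first, "naive_replay": naive_replay,
            "keyed_replay_same_nonce": keyed_replay_same_nonce,
            "keyed_replay_new_nonce": keyed_replay_new_nonce}


if __name__ == "__main__":
    print(replay_demo())
```

Running it shows the first login succeeding, the naive replay succeeding, and both keyed replays failing. The enrolment secret must be stored on the device as carefully as any other credential; the nonce and the HMAC are the only values that ever cross the network.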

  Legal responses are another means to combat phishing. The Anti-Phishing Act of 2005, put forward by Sen. Patrick Leahy, calls for the criminalization of two essential parts of phishing attacks: establishing and creating web sites with the intent to gather information from victims to be used for fraud or identity theft, and creating or soliciting e-mail that represents itself as coming from a legitimate business with similar intent.

  It is hoped that this insight into phishing operations will assist in the fight against online fraud. The phishing economy is a decentralized and self-organized social network. Phishing e-mails are the aspect that most people have seen, yet they are only a small part of the overall phishing economy. Ignoring it, or neglecting it, can be tragic. Be wise and think twice before you send personal information over the Internet.
