Phishing is an attempt to obtain sensitive information such as usernames, passwords and credit card details (and, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing, because of the similarity of using bait in an attempt to catch a victim. According to the Microsoft Computing Safety Index 2013, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.
Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information on a fake website whose look and feel are almost identical to the legitimate one; the only difference is the URL of the website. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that distribute malware.
Phishing is an example of social engineering techniques used to deceive users, and exploits weaknesses in current web security. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Techniques
Types of phishing
Spear phishing
Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the Internet today, accounting for 91% of attacks.
Threat Group-4127 used spear phishing tactics to target email accounts linked to Hillary Clinton's 2016 presidential campaign. They attacked more than 1,800 Google accounts and used the account-google.com domain to threaten targeted users.
Clone phishing
Clone phishing is a type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original. This technique can be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection, since both parties received the original email.
Whaling
Several phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for this kind of attack. In the case of whaling, the spoofed web page or email takes a more serious, executive-level form. The content is crafted to target an upper manager and the person's role in the company. The content of a whaling email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as critical business emails sent from a legitimate business authority. The content is meant to be tailored to upper management, and usually involves some kind of falsified company-wide concern. Whalers have also forged official-looking FBI subpoena emails, claiming that the manager needs to click a link and install special software to view the subpoena.
Link manipulation
Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the <a> tags) suggest a reliable destination, when the link actually goes to the phisher's site. Many desktop email clients and web browsers will show a link's target URL in the status bar while hovering the mouse over it. This behavior, however, may in some circumstances be overridden by the phisher. Equivalent mobile apps generally do not have this preview feature.
A further problem with URLs has been found in the handling of internationalized domain names (IDN) in web browsers, which may allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or homograph attacks, phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain. Even digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website, or to host the phish site without SSL at all.
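The three link tricks described above (a brand name used as a subdomain of an unrelated site, a misspelled look-alike domain, and an IDN host that is not what it appears to be) can all be checked mechanically on the defender's side, for example by a mail gateway or a security-awareness tool. The following Python script is an added example, not code from the article; the brand-to-domain table, the `yourbank` brand, and the HTML message body are constructed for the illustration. It also flags anchors whose visible text names one site while the `href` leads to another, the `<a>`-text trick from the paragraph above, and uses a two-label approximation of the registrable domain that a production tool would replace with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed for this example: brand names we protect, mapped to the
# registrable domain each brand really uses.
BRAND_DOMAINS = {"yourbank": "yourbank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host ("www.yourbank.example.com" -> "example.com").
    Adequate for the .com-style hosts used here; production code should
    consult the Public Suffix List for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelled look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url: str) -> list:
    """Return the link-manipulation indicators found in a single URL."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    findings = []
    # IDN / homograph: a punycode label or a non-ASCII character in the host.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("idn-host")
    for brand, real in BRAND_DOMAINS.items():
        # Brand used as a subdomain of an unrelated registrable domain,
        # the http://www.yourbank.example.com/ trick from the text.
        if brand in host and reg != real:
            findings.append(f"brand-in-subdomain:{brand}")
        # Registrable domain is a near-miss spelling of the genuine one.
        if 0 < edit_distance(reg, real) <= 2:
            findings.append(f"lookalike:{real}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def analyse_html(html: str) -> list:
    """Analyse every link in an HTML body; also flag anchors whose visible
    text names a different site than the one the href actually leads to."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        findings = analyse_url(href)
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(urlsplit(href).hostname or ""):
                findings.append("text-target-mismatch")
        results.append((href, findings))
    return results


# Constructed sample message body, not a real phishing email.
SAMPLE_EMAIL_HTML = """<p>Please verify your account at
<a href="http://www.yourbank.example.com/login">www.yourbank.com</a>
or visit <a href="https://www.yourbank.com/help">our help centre</a>.</p>"""

if __name__ == "__main__":
    for href, findings in analyse_html(SAMPLE_EMAIL_HTML):
        print(href, "->", findings or "clean")
```

Run as a script it reports the first link as both a brand-in-subdomain URL and a text/target mismatch, and the second as clean; the same `analyse_url` call flags a Cyrillic-letter host as both `idn-host` and a look-alike of the real domain, which is the homograph case the paragraph describes.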
Filter evasion
Phishers have even started using images instead of text to make it harder for anti-phishing filters to detect the text commonly used in phishing emails. However, this has led to the evolution of more sophisticated anti-phishing filters that are able to recover hidden text in images. These filters use OCR (optical character recognition) to scan the image and filter it optically.
Some anti-phishing filters have even used IWR (intelligent word recognition), which is not meant to completely replace OCR, but can detect cursive, handwritten, rotated (including upside-down) or distorted text (such as text made wavy, stretched vertically or laterally, or set in different directions), as well as text on colored backgrounds.
Website forgery
Once a victim visits the phishing website, the deception is not over. Some phishing scams use JavaScript commands to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new one with the legitimate URL.
An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at the bank's or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.
The Universal Man-in-the-Middle (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.
To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites (a technique known as phlashing). These look much like the real website, but hide the text in a multimedia object.
Covert redirect
Covert redirect is a subtle method for performing phishing attacks that makes links appear legitimate, but actually redirects a victim to an attacker's website. The flaw is usually masqueraded under a log-in popup based on the affected site's domain. It can affect OAuth 2.0 and OpenID as well, based on well-known exploit parameters. It often makes use of open redirect and XSS vulnerabilities in third-party application websites. Malicious browser extensions are another way of covertly steering users to phishing websites.
Normal phishing attempts can be easy to spot because the malicious page's URL will usually be different from the real site's link. For covert redirect, an attacker can use the real website instead, corrupting it with a malicious login popup dialog box. This is what makes covert redirect different from the others.
For example, suppose a victim clicks a malicious phishing link beginning with Facebook. A popup window from Facebook asks whether the victim wants to authorize the app. If the victim chooses to authorize the app, a "token" is sent to the attacker and the victim's personal sensitive information may be exposed. This information may include the email address, date of birth, contacts and work history. If the "token" has greater privileges, the attacker can obtain more sensitive information, including the mailbox, online presence and friends list. Worse still, the attacker may control and operate the user's account. Even if the victim does not choose to authorize the app, he or she is still redirected to a website controlled by the attacker. This could potentially compromise the victim further.
This vulnerability was discovered by Wang Jing, a mathematics Ph.D. student at the School of Physical and Mathematical Sciences at Nanyang Technological University in Singapore. Covert redirect is a notable security flaw, though it is not a threat to the Internet warranting significant attention.
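The covert redirect described above works because two checks are weak at once: the authorization server accepts any `redirect_uri` on the registered host, and the third-party application hosts an open redirector on that host. The Python below is an added example, not code from the article or from any OAuth provider; the client id, the registered callback, the `app.example` and `attacker.example` hosts, and the `authorize` simulation are all constructed. It places the weak host-only check beside the exact-match check the OAuth 2.0 security guidance calls for, and shows the application-side fix that refuses to act as an open redirector at all.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: the exact redirect URI that a hypothetical
# client application registered with the authorization server.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example/oauth/callback"},
}

# Constructed: the shape of a covert-redirect request. The host is the
# legitimate app's own, but the path is an open redirector on that app that
# forwards the browser (and any token carried in the URL) to a third party.
COVERT_REDIRECT_URI = "https://app.example/redirect?to=https://attacker.example/"


def redirect_allowed_weak(client_id: str, requested: str) -> bool:
    """Host-only matching, the weak check: any path on the registered host
    passes, including an open redirector such as /redirect?to=... ."""
    requested_host = urlsplit(requested).netloc.lower()
    return any(
        urlsplit(reg).netloc.lower() == requested_host
        for reg in REGISTERED_REDIRECT_URIS.get(client_id, ())
    )


def redirect_allowed_strict(client_id: str, requested: str) -> bool:
    """Exact-string matching against the registered URIs: no wildcard, no
    prefix match, no extra query string. This is the hardened check."""
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, ())


def authorize(client_id: str, requested_redirect: str, token: str, check) -> Optional[str]:
    """Simulate the authorization server's final step: return the URL the
    user agent would be sent to (token in the fragment, as in the implicit
    flow), or None if the redirect_uri is rejected by the given check."""
    if not check(client_id, requested_redirect):
        return None
    return f"{requested_redirect}#access_token={token}"


def safe_local_redirect(next_value: str, fallback: str = "/") -> str:
    """The fix on the application side: only honour a 'next'/'to' parameter
    that is a plain path on this site, so the app cannot be used as an open
    redirector in the first place."""
    parts = urlsplit(next_value)
    if parts.scheme or parts.netloc:          # absolute URL or //host form
        return fallback
    if not next_value.startswith("/") or "\\" in next_value:
        return fallback                       # relative path or backslash trick
    return next_value


if __name__ == "__main__":
    for name, check in (("weak", redirect_allowed_weak), ("strict", redirect_allowed_strict)):
        print(name, "->", authorize("client-123", COVERT_REDIRECT_URI, "tok", check))
    print("open redirector neutralised ->", safe_local_redirect("https://attacker.example/"))
```

With the weak check the simulated server happily sends the token to the redirector URL; with the strict check the same request is refused before any token is issued. `safe_local_redirect` is the complementary control on the application: even if an authorization server somewhere is lenient, an app that only follows same-site paths cannot be chained into this attack.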
Social engineering
Users can be encouraged to click on various kinds of unexpected content for a variety of technical and social reasons. For example, a malicious attachment might masquerade as a benign linked Google document.
Other users may be angered by a fake news story, click a link, and become infected.
Voice phishing
Not all phishing attacks require a fake website. Messages claiming to be from a bank tell users to dial a phone number regarding a problem with their bank account. Once the phone number (owned by the phisher, and provided by a voice over IP service) is dialed, prompts tell the user to enter their account number and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that the call comes from a trusted organization.
SMS phishing
Smishing, also known as SMS phishing, uses mobile phone text messages to persuade people to divulge their personal information.
Other techniques
- Another attack used successfully is to forward the client to a bank's legitimate website, then place a popup window requesting credentials on top of the page in a way that makes many users think the bank is requesting this sensitive information.
- Tabnabbing takes advantage of tabbed browsing, with multiple open tabs. This method silently redirects the user to the affected site. This technique operates in reverse to most phishing techniques in that it does not directly take the user to the fraudulent site, but instead loads the fake page in one of the browser's open tabs.
- Evil twins is a phishing technique that is hard to detect. A phisher creates a fake wireless network that looks similar to a legitimate public network that may be found in public places such as airports, hotels or coffee shops. Whenever someone logs on to the bogus network, fraudsters try to capture their passwords and/or credit card information.
History
1980s
A phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.
1990s
The term 'phishing' is said to have been coined by the well-known spammer and hacker of the mid-90s, Khan C Smith. The first recorded mention of the term is found in the hacking tool AOHell (according to its creator), which included a function for attempting to steal the passwords or financial details of America Online users.
Early AOL phishing
Phishing on AOL was closely associated with the warez community that exchanged unlicensed software and the black hat hacking scene that perpetrated credit card fraud and other online crimes. AOL enforcement would detect words used in AOL chat rooms to suspend the accounts of individuals involved in counterfeiting software and trading stolen accounts. The term was used because '<><' is the single most common tag of HTML that was found in all chat transcripts naturally, and as such could not be detected or filtered by AOL staff. The symbol <>< was replaced for any wording that referred to stolen credit cards, accounts, or illegal activity. Since the symbol looked like a fish, and due to the popularity of phreaking, it was adapted as 'phishing'. AOHell, released in early 1995, was a program designed to hack AOL users by allowing the attacker to pose as an AOL staff member and send an instant message to a potential victim, asking them to reveal their password. In order to lure the victim into giving up sensitive information, the message might include imperatives such as "verify your account" or "confirm your billing information".
There are anti-phishing websites which publish exact messages that have recently been circulating on the internet, such as FraudWatch International and Millersmiles. Such sites often provide specific details about the particular messages. To avoid dealing directly with web page source code, hackers are increasingly using a phishing tool called Super Phisher, which makes the job easier than the manual method of creating a phishing website.
As recently as 2007, the adoption of anti-phishing strategies by businesses needing to protect personal and financial information was low. Now there are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. These techniques include steps that can be taken by individuals, as well as by organizations. Phone, web site, and email phishing can now be reported to the authorities, as described below.
Social responses
One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be effective, especially where training emphasizes conceptual knowledge and provides direct feedback. A newer phishing tactic, which uses phishing emails targeted at a specific company, known as spear phishing, has been used to train individuals at various locations, including the United States Military Academy at West Point, NY. In a June 2004 experiment with spear phishing, 80% of the 500 West Point cadets who were sent a fake email from a nonexistent Colonel Robert Melville at West Point were tricked into clicking on a link that would supposedly take them to a page where they would enter personal information. (The page informed them that they had been lured.)
People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the email apparently originates to check that the email is legitimate. Alternatively, the address that the individual knows is the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message.
Nearly all legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers. Some companies, for example PayPal, always address their customers by their usernames in emails, so if an email addresses the recipient in a generic fashion ("Dear PayPal subscriber") it is likely to be an attempt at phishing. Furthermore, PayPal offers various methods to determine spoof emails and advises users to forward suspicious emails to their spoof@PayPal.com address to investigate and warn other customers. Emails from banks and credit card companies often include partial account numbers. However, recent research has shown that the public typically does not distinguish between the first few digits and the last few digits of an account number, a significant problem since the first few digits are often the same for all clients of a financial institution. People can be trained to have their suspicion aroused if the message does not contain any specific personal information. Phishing attempts in early 2006, however, used personalized information, which makes it unsafe to assume that the presence of personal information alone guarantees that a message is legitimate. Furthermore, another recent study concluded that the presence of personal information does not significantly affect the success rate of phishing attacks, which suggests that most people do not pay attention to such details.
The Anti-Phishing Working Group, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete in the future as people become increasingly aware of the social engineering techniques used by phishers. They predict that pharming and other uses of malware will become more common tools for stealing information.
Everyone can help educate the public by encouraging safe practices, and by avoiding dangerous ones. Unfortunately, even well-known players are known to incite users to hazardous behaviour, e.g. by requesting their users to reveal their passwords for third-party services, such as email.
Browsers alerting users to fraudulent websites
Another popular approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. One such service is the Safe Browsing service. Web browsers such as Google Chrome, Internet Explorer 7, Mozilla Firefox 2.0, Safari 3.2, and Opera all contain this type of anti-phishing measure. Firefox 2 used Google anti-phishing software. Opera 9.1 uses live blacklists from Phishtank, cyscon and GeoTrust, as well as live whitelists from GeoTrust. Some implementations of this approach send the visited URLs to a central service to be checked, which has raised concerns about privacy. According to a report by Mozilla in late 2006, Firefox 2 was found to be more effective than Internet Explorer 7 at detecting fraudulent sites in a study by an independent software testing company.
An approach introduced in mid-2006 involves switching to a special DNS service that filters out known phishing domains: this will work with any browser, and is similar in principle to using a hosts file to block web adverts.
To mitigate the problem of phishing sites impersonating a victim site by embedding its images (such as logos), several site owners have altered the images to send a message to the visitor that a site may be fraudulent. The image may be moved to a new filename and the original permanently replaced, or a server can detect that the image was not requested as part of normal browsing, and instead send a warning image.
Augmenting password logins
The Bank of America website is one of several that asks users to select a personal image (marketed as SiteKey) and displays this user-selected image with any forms that request a password. Users of the bank's online services are instructed to enter a password only when they see the image they selected. However, some studies suggest that only some users refrain from entering their passwords when the image is absent. In addition, this feature (like other forms of two-factor authentication) is vulnerable to other attacks, such as those suffered by Scandinavian bank Nordea in late 2005, and Citibank in 2006.
A similar system, in which an automatically generated "Identity Cue" consisting of a colored word within a colored box is displayed to each website user, is in use at other financial institutions.
Security skins are a related technique that involves overlaying a user-selected image onto the login form as a visual cue that the form is legitimate. Unlike the website-based image schemes, however, the image itself is shared only between the user and the browser, and not between the user and the website. The scheme also relies on a mutual authentication protocol, which makes it less vulnerable to attacks that affect user-only authentication schemes.
Still other techniques rely on a dynamic grid of images that is different for each login attempt. The user must identify the pictures that fit their pre-chosen categories (such as dogs, cars and flowers). Only after they have correctly identified the pictures that fit their categories are they allowed to enter their alphanumeric password to complete the login. Unlike the static images used on the Bank of America website, a dynamic image-based authentication method creates a one-time passcode for the login, requires active participation from the user, and is very difficult for a phishing website to replicate correctly because it would need to display a different grid of randomly generated images that includes the user's secret categories.
Eliminating phishing mail
Specialized spam filters can reduce the number of phishing emails that reach their addressees' inboxes, or provide post-delivery remediation, analyzing and removing spear phishing attacks upon delivery through email provider-level integration. These approaches rely on machine learning and natural language processing to classify phishing emails. Email address authentication is another new approach.
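Two of the signals mentioned in this article lend themselves to a simple mail-side check: the sender-authentication results (SPF, DKIM and DMARC, the "email address authentication" approach above) that the receiving server records in the `Authentication-Results` header, and the generic greeting that the earlier section on social responses singles out ("Dear PayPal subscriber" style salutations instead of the customer's name). The Python below is an added example, not code from the article or from any mail provider; the brand-to-domain table, the `yourbank` brand and both sample messages are constructed, and the header parsing is a deliberately small regular expression rather than a full RFC 8601 parser. It scores one raw message and returns a list of findings, which is the shape a rule-based pre-filter in front of a machine-learning classifier would produce.

```python
import email
import re
from email.utils import parseaddr

# Constructed for this example: brands and the domains they really send from.
KNOWN_SENDER_DOMAINS = {"yourbank": {"yourbank.com"}}

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|user|subscriber|member|client)\b", re.I | re.M
)
# Minimal extraction of the spf=/dkim=/dmarc= verdicts from Authentication-Results.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def authentication_results(msg) -> dict:
    """Parse the receiving MTA's Authentication-Results header into
    {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}; missing header -> {}."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RESULT.finditer(header)}


def score_message(raw: str) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    # 1. Display name claims a brand, but the address is not one of its domains.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_SENDER_DOMAINS.items():
        if brand in name.lower().replace(" ", "") and domain not in domains:
            findings.append(f"display-name-brand-mismatch:{brand}")
    # 2. Sender authentication: anything other than "pass" deserves a look.
    results = authentication_results(msg)
    for mechanism in ("spf", "dkim", "dmarc"):
        verdict = results.get(mechanism, "missing")
        if verdict != "pass":
            findings.append(f"{mechanism}:{verdict}")
    # 3. Generic greeting instead of the customer's name (single-part text only).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if GENERIC_GREETING.search(body):
        findings.append("generic-greeting")
    return findings


# Constructed sample messages; neither is real mail.
SAMPLE_PHISH = """\
From: "YourBank Security" <alerts@yourbank-secure.example>
To: customer@example.org
Subject: Verify your account
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=yourbank-secure.example; dkim=none; dmarc=fail header.from=yourbank-secure.example
Content-Type: text/plain

Dear customer,

Your account has been limited. Please verify your account within 24 hours.
"""

SAMPLE_LEGIT = """\
From: "Your Bank" <alerts@yourbank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=yourbank.com; dkim=pass header.d=yourbank.com; dmarc=pass header.from=yourbank.com
Content-Type: text/plain

Dear Jane Doe,

Your statement for the account ending 4821 is available in online banking.
"""

if __name__ == "__main__":
    print("phish ->", score_message(SAMPLE_PHISH))
    print("legit ->", score_message(SAMPLE_LEGIT))
```

The constructed phishing message trips all three rules while the legitimate one produces no findings. Note that the authentication verdicts are only trustworthy when the `Authentication-Results` header was written by your own receiving server; a real filter strips or ignores any such header that arrives from outside before evaluating it.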
Monitoring and takedown
Several companies offer banks and other organizations likely to suffer from phishing scams round-the-clock services to monitor, analyze and assist in shutting down phishing websites. Individuals can contribute by reporting phishing to both volunteer and industry groups, such as cyscon or PhishTank. Individuals can also contribute by reporting phone phishing to the Federal Trade Commission. Phishing web pages and emails can be reported to Google. The Internet Crime Complaint Center noticeboard carries phishing and ransomware alerts.
Transaction verification and signing
Solutions have also emerged that use the mobile phone (smartphone) as a second channel for verification and authorization of banking transactions.
Limitations of technical responses
An article in Forbes in August 2014 argues that the reason phishing problems persist even after a decade of anti-phishing technologies being sold is that phishing is "a technological medium to exploit human weaknesses" and that technology cannot fully compensate for human weaknesses.
Legal responses
On January 26, 2004, the US Federal Trade Commission filed its first lawsuit against a suspected phisher. The defendant, a Californian teenager, allegedly created a web page designed to look like the America Online website, and used it to steal credit card information. Other countries have followed this lead by tracing and arresting phishers. The phishing kingpin Valdir Paulo de Almeida was arrested in Brazil for leading one of the largest phishing crime rings, which in two years stole between US$18 million and US$37 million. UK authorities jailed two men in June 2005 for their role in a phishing scam, in a case connected to the US Secret Service's Operation Firewall, which targeted notorious "carder" websites. In 2006, eight people were arrested by Japanese police on suspicion of phishing fraud by creating bogus Yahoo Japan websites, netting themselves ¥100 million (US$870,000). The arrests continued in 2006 with the FBI's Operation Cardkeeper detaining a gang of sixteen in the US and Europe.
In the United States, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 in Congress on March 1, 2005. This bill, if it had been enacted into law, would have subjected criminals who created fake web sites and sent bogus emails in order to defraud consumers to fines of up to US$250,000 and prison terms of up to five years. The UK strengthened its legal arsenal against phishing with the Fraud Act 2006, which introduced a general offence of fraud that can carry up to a ten-year prison sentence, and prohibited the development or possession of phishing kits with intent to commit fraud.
Companies have also joined the effort to crack down on phishing. On March 31, 2005, Microsoft filed 117 federal lawsuits in the US District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of obtaining passwords and confidential information. March 2005 also saw a partnership between Microsoft and the Australian government teaching law enforcement officials how to combat various cyber crimes, including phishing. Microsoft announced a planned further 100 lawsuits outside the US in March 2006, followed by the commencement, as of November 2006, of 129 lawsuits mixing criminal and civil actions. AOL reinforced its efforts against phishing in early 2006 with three lawsuits seeking a total of US$18 million under the 2005 amendments to the Virginia Computer Crimes Act, and Earthlink has joined in by helping to identify six men subsequently charged with phishing fraud in Connecticut.
In January 2007, Jeffrey Brett Goodin of California became the first defendant convicted by a jury under the provisions of the CAN-SPAM Act of 2003. He was found guilty of sending thousands of emails to America Online users, while posing as AOL's billing department, which prompted customers to submit personal and credit card information. Facing a possible 101 years in prison for the CAN-SPAM violation and ten other counts including wire fraud, the unauthorized use of credit cards, and the misuse of AOL's trademark, he was sentenced to serve 70 months. Goodin had been in custody since failing to appear for an earlier court hearing and began serving his prison term immediately.
External links
- Anti-Phishing Working Group
- Center for Identity Management and Information Protection - Utica College
- Plugging the "phishing" hole: legislation versus technology - Duke Law & Technology Review
- Know Your Enemy: Phishing - a case study by the Honeynet Project
- A Profitless Endeavor: Phishing as Tragedy of the Commons - Microsoft Corporation
- Database of information about phishing sites reported by the public - PhishTank
- The Impact of Incentives on Notice and Take-down - Computer Laboratory, University of Cambridge (PDF, 344 kB)
Source of the article: Wikipedia