Phishing.

Internet Users Hbk - Chapter 6e. Various Types and Examples of Internet Scams


6.18 Phishing
"Phishing" is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). It is a form of social engineering attack.

The term was coined in the mid-1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.

Phishing has been widely used by fraudsters using spam messages masquerading as large banks (Citibank, Bank of America) or PayPal. These fraudsters can copy the code and graphics from legitimate websites and use them on their own sites to create legitimate-looking scam web pages. They can also link to the graphics on the legitimate sites to use on their own scam site. These pages are so well done that most people cannot tell that they have navigated to a scam site.

Fraudsters will also put the text of a link to a legitimate site in an e-mail but use the underlying HTML to link to their own fake site. This can be revealed by using the "view source" feature in the e-mail application to look at the link's real destination, or by hovering the cursor over the link and reading the destination address shown in the browser's status bar.

Although many people don't fall for it, the small percentage of people that do fall for it, multiplied by the sheer numbers of spam messages sent, presents the fraudster with a substantial incentive to keep doing it.

Anti-phishing technologies are now available. In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Phishing is typically carried out by e-mail or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg.

Phishing Techniques
People have a built-in reaction to things that seem important. Subject lines worded to arouse anxiety usually prompt immediate action. An email with the subject "to restore access to your bank account ..." will usually get instant attention and prompt most people to click to read what happened.

Everyone can help educate the public by encouraging safe practices, and by avoiding dangerous ones. Unfortunately, even well-known players are known to incite users to hazardous behavior, e.g. by requesting their users to reveal their passwords for third party services, such as email. Wikipedia

Phishing Example

From: Donald Loan Investment Company

Reply-To: lic@mail2world.com

To: (Empty)

Date: Wed, Nov 4, 2009 at 6:37 PM

Subject: Loan Offer

GMAIL Warning: This message may not be from who it claims to be. Beware of following any links in it or of providing the sender with any personal information.

ATTN: (Empty)

My names are KLARK DONALD; I am a certified loan lender. I offer secured and unsecured loans to individuals and companies at low interest rate. I offer long and short-term loans. My firm has recorded many breakthroughs in the provision of first class financial services to our clients especially in the area of Loan syndication and capital provision for individuals and companies.

In general, we offer mortgages, home loans, car loans, hotel loans, commercial loans, construction loans, start-up- working capital loans, business loans and bad credit loans, etc., at 0.5% interest rate. We would love to fund projects at hand and offer personal loans as well to you, your firm/partners and clients.

We offer the right solution to your financial needs. We stand apart from other lenders because we believe in customer service and we stay with you until you get the results you want. We are a group of energetic and experienced loan professionals with through knowledge of financial markets.

We have many partners in real estate; banking and technology fields that can assist obtain financing.

Almost all of our businesses are through referrals by satisfied and repeat customers. We have brought ailing industries back to life and we back good business ideas by providing funds for their upstart. We have a network of Investors that are willing to provide funds of whatever amount discreetly to individuals and organizations to start business and operations.

As the leading provider of Commercial, Business and personal loans to individuals and corporations nationwide, we offer the right kind of financing in less amount of time it will take with traditional lenders. In our bid to be useful to you, Funds (Loan) will be electronically wired into your State account, which will be provided by you. Interested Persons should fill out the Application Form below.

APPLICATION FORM:

Donald Loan Investment Company

Don't Be a Phishing Victim
Was that email asking for your password really from your bank? Learn how phishing uses fraudulent email messages and spoofed Web sites to trick you into giving out private information. Better yet, learn to protect yourself from being a victim.

PHISHING IS REALLY OLD NEWS, when you think about it. In fact the term "phish" is actually a portmanteau of the words "phone" and "fish" and has nothing to do with the Internet at all. Rather, it stemmed from an age-old credit card scam in which a person pretending to be a representative of a credit card company would make dozens of calls to strangers, "fishing" for a victim. He would warn them that their credit card identities had been compromised and ask that they answer some security questions. Given enough psychological pressure, they would eventually reveal their security numbers to him, and bang! The victim was "phished".

Phishing works through the manipulation of our desires and fears. Although technology and banking have made significant progress since the first phone cons of the late 1980s, one thing remains the same: people are still susceptible to psychological trickery. And although the phone phish is still alive and well, the phishing we really have to watch out for these days takes place over the Web.

The Email Phish
The most common kind of phish today is carried out by email. A message arrives in your inbox cautioning you about a security breach in your financial service provider's system, or maybe just to tell you that your account is about to be suspended due to lack of activity. The message asks that you log in to the website immediately to change your password as a precautionary measure. Click the link, and you will be directed to a fake website that looks identical to the bank's official website. The moment you key in your "current" username and password, the criminals behind the scam will have all they need to clean out your bank account.

And unless you log on to the real website within the next few minutes and change your password again, that is precisely what they will do.

Most banks are well aware of the risks of email phishing. Nonetheless, you can help stem the menace by forwarding any such email that you receive to your bank's customer service center. This will allow them to investigate the origin of the email and (hopefully) take action against the perpetrators.

The Malware Phish
Email systems these days generally block any attachment with an ".exe" extension, so it's been a long time since we've experienced a massive virus outbreak via email. Not to be outdone, however, phishers have resorted to sending out ZIP archive attachments that purportedly contain important shipping information, wire transfer information, or even PDF documents. Look inside these ZIP archives and you will see Excel icons, PDF icons and Word icons: files that look like ordinary office documents but are in fact malware executables loaded with Trojans.

These Trojans are typically variants of "Zeus", "BredoLab" and the infamous "Microsoft Online Helper!" Once installed, they work together to steal data from your computer and record your online username-password combinations. The criminals behind the scheme can also remotely operate your computer to engage in other criminal activity, such as sending spam, while propagating the phish by mailing copies of itself to everyone in your address book.

To avoid being fooled into running malicious programs disguised as ordinary office documents, make sure you can see file extensions on your PC. Go to any Windows Explorer window and select Folder Options from the Tools menu. Click the View tab and uncheck the "Hide extensions for known file types" option, then click OK. You'll notice that all the files on your PC will now show their extensions such as ".doc", ".xls" or ".pdf". If you see something that looks like an Excel spreadsheet or PDF document but has an ".exe" extension, you'll know it's a virus.

Of course, ".exe" extensions are not the only kind of file you should watch out for. There are many other executable file types that can wreak havoc on your computer if activated. Microsoft Business
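The double-extension trick described in the two paragraphs above, as an added example (not code from the article): a small scanner that opens a ZIP attachment and reports entries that are executables dressed up as office documents, showing the name Windows would display with "Hide extensions for known file types" switched on. The archive contents and the list of executable extensions are constructed for the demonstration; the list is illustrative, not exhaustive.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly (an illustrative, non-exhaustive set).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Document extensions the decoy file names imitate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

def classify_entry(name):
    """Return a reason string if the archive entry looks like a disguised
    executable, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    # With "Hide extensions for known file types" on, only this part is shown.
    shown_as = name[: -len(suffixes[-1])]
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        return f"double extension: displays as {shown_as!r}, runs as {suffixes[-1]}"
    return f"executable attachment ({suffixes[-1]}), displays as {shown_as!r}"

def scan_zip(data):
    """Scan raw ZIP bytes; return {entry name: reason} for suspicious entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_entry(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings

def build_sample_zip():
    """Constructed sample archive mimicking the 'shipping information' lure;
    the payload bytes are placeholders, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping_Info.pdf.exe", b"MZ placeholder, not a real program")
        zf.writestr("Invoice_2009.xls.scr", b"MZ placeholder, not a real program")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()
```

Running scan_zip(build_sample_zip()) flags the two decoys and leaves readme.txt alone; the same check can be applied at a mail gateway before an attachment ever reaches a user's desktop.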

Don't Get Caught By the Phishing Scams
In the wake of this week’s large-scale phishing theft of online e-mail accounts from Hotmail, Gmail, Yahoo and more, we contacted Microsoft to ask how concerned readers might protect themselves.

According to the most recent version of Microsoft's Security Intelligence Report, more than 97 percent of e-mail messages sent over the internet are unwanted, have malicious attachments, are phishing attacks, or are spam. Adapted below are the company's recommendations on how to avoid getting caught by the phishers, and what to do if your online identity is compromised by thieves.

How Can You Recognize A Phishing Scam?
Any e-mail asking for your name, birth date, social security number, e-mail username, e-mail password, or any other type of personal information, no matter who the e-mail appears to be from, is almost certainly a scam.

E-mails that are poorly worded, have typos, or have phrases such as "this is not a joke" or "forward this message to your friends" are generally scam e-mails. Phishing mail often includes official-looking logos and other identifying information taken directly from legitimate Web sites, and it may include convincing details about your personal information that scammers found on your social networking pages. A few phrases to look for if you think an e-mail message is a phishing scam are: "Verify your account."; "If you don't respond within 48 hours, your account will be closed."; "You have won the lottery."

What Should You Do If You Have Received A Phishing E-Mail?
Take some time to check up on the e-mail. Most importantly, NEVER click on the link or give out personal information. It is possible for your computer to become infected with malicious software simply by visiting a phishing site – without you even realizing it. Sites like snopes.com list common e-mail scams. Go to the website of the company you received the e-mail from and contact their customer service reps via phone or online to verify the validity of the e-mail.

Make sure you have created a strong password for your account by using more than 7 characters and having a combination of upper and lower case characters, numbers, and special characters, like the @ or # symbols. It's also a good idea to change your password on a regular basis.

Report the phishing scam and help identify new scams. If you use Windows Live Hotmail and received a phishing e-mail, you can select the dropdown next to "Junk" and select "Report phishing scam". Whatever you do, do not reply to the sender. UK Times Online

Author:

Founder/Director The Internet Crime Fighters Organization

Partner/Founder The ICANetwork A Web3.0 product and service provider

Partner FreeQRCodes Essential for mobile marketing

DrDonys Reviews and Resources
