Phishing: Examples and Prevention Methods
In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing, mostly carried out through forged email and fake web sites, has exploded in popularity within the criminal sector of the Internet. The Anti-Phishing Working Group estimates that the volume of phishing e-mail is growing at a rate of over 30% month after month. Furthermore, the attacks are becoming more sophisticated as attackers leverage vulnerabilities in client software (mail user agents and web browsers) as well as design vulnerabilities in targeted web applications.
One real-life phishing example is a spam email sent to many thousands of Westpac banking customers in May 2004. While the language is unsophisticated (probably because the writer was not a native English speaker), many recipients were still fooled.
The email was sent in HTML format, and the lower-case L's were replaced with upper-case I's, which look identical in most fonts; this helps bypass many standard anti-spam filters. Many random words were also hidden within the HTML email. Within the HTML-based email, the displayed URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to an escape-encoded version of the following URL: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm. Recipients who clicked on the link were forwarded to the real Westpac application; however, a JavaScript pop-up window containing a fake login page was presented to them. This fake login window was designed to capture and store the recipient's authentication credentials.
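As an added defensive illustration, not part of the original article, the following Python scans an HTML email body for the mismatches described above: the displayed link text versus the real href, upper-case I substituted for lower-case l, the bank's host name embedded as a subdomain of an unrelated domain, an https link that really targets http, and a non-standard port. The sample message is constructed to mirror the description and is not the real email; the confusable-character folding is a heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample modelled on the page's Westpac email; not the real message.
SAMPLE_HTML = ('<p>Please confirm your details at <a href="http://olb.westpac.com.au.userdll.com:4903/ib/index.htm">'
               'https://oIb.westpac.com.au/ib/defauIt.asp</a></p>')

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def fold_confusables(text):
    """Heuristic: map look-alike glyphs (I and 1 -> l, 0 -> o) and lower-case the rest."""
    return text.translate(str.maketrans("I10", "llo")).lower()

def analyze_link(href, text):
    """Return the indicators found for one anchor; an empty list means nothing suspicious."""
    target = urlparse(unquote(href))  # unquote undoes %-escaping used to obscure the host
    shown = urlparse(fold_confusables(text)) if "://" in text else None
    findings = []
    if target.port not in (None, 80, 443):
        findings.append("non-standard port")
    if shown is not None and shown.hostname:
        if shown.hostname != urlparse(text).hostname:  # folding changed the host: look-alikes
            findings.append("confusable characters in displayed host")
        if shown.scheme == "https" and target.scheme == "http":
            findings.append("https shown but http target")
        if target.hostname != shown.hostname:
            findings.append("displayed host differs from target host")
            if (target.hostname or "").startswith(shown.hostname + "."):
                findings.append("displayed host embedded as subdomain of target")
    return findings

def scan_email(html):
    """Map every link in the message body to its list of indicators."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}
```

Running `scan_email(SAMPLE_HTML)` reports all five indicators for the single link, while a link whose text and href both name the genuine host yields an empty list.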
Another example of phishing is web-based delivery. An increasingly popular method of conducting phishing attacks is through malicious web-site content. This content may be included within a web site operated by the phisher or on a third-party site hosting some embedded content. Web-based delivery techniques include:
• the inclusion of disguised HTML links within popular web sites or message boards;
• the use of web bugs to track a potential victim in preparation for a phishing attack;
• the use of pop-up or frameless windows to disguise the true source of the phisher's message;
• embedding malicious content within the viewable web page that exploits a known vulnerability in the victim's web browser software and installs software of the phisher's choice, such as key-loggers;
• abuse of trust relationships within the victim's web-browser configuration to make use of site-authorized scriptable components or data storage areas.
To prevent phishing, the following are ways to defend yourself.
• Don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in the message. Don't cut and paste a link from the message into your Web browser – phishers can make links look like they go one place, but they actually send you to a different site.
• If you are concerned about your account, contact the organization using a phone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address yourself.
• Use anti-virus software and a firewall, and keep them up to date.
• Don’t email personal or financial information.
• Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
• Be cautious about opening any attachment or downloading any files from email you may receive, regardless of who sent them.