Phishing Overview
Date: August 16, 2005. Source: greenarmor.com
Phishing is the activity of fraudulently presenting oneself online as a legitimate enterprise in order to trick consumers into giving up personal financial information that will be used for identity theft or other criminal activity. Phishing is most commonly perpetrated through the mass distribution of e-mail messages directing users to a web site, but other venues are utilized as well.
When phishing is perpetrated via email, the criminal sends out a large number of messages that appear to come from a legitimate source such as a trusted business or financial institution. The emails include an urgent request for personal information to be submitted -- usually the phisher mentions that there is some critical need to update an account immediately. A link is provided in the email message to an official-looking website where the information is actually entered by users; personal information provided to this site, however, goes directly to the criminal perpetrating the phishing attack, and not to the legitimate business being impersonated.
Phishing is, therefore, a form of social engineering attack that exploits a human weakness; technology is merely the means of communication.
As mentioned earlier, phishing is most often perpetrated through email, but it can also be carried out through instant messenger messages, blog posts, and pharming.
The term "Phishing"
The term phishing is derived from the fact that Internet scammers "fish" for users' financial information and password data. The first mention of phishing on the Internet was on the alt.2600 hacker newsgroup in January of 1996; however, the term may have been used earlier in printed materials. By March of 1997 the term phishing had found its way into mainstream media, appearing in an article in the Florida Times-Union.
"Ph" is a common replacement for the letter "f" in hacker lingo; one of the earliest forms of hacking was known as "phone phreaking."
Early Phishing
In the early 1990s, hackers on multi-user computer systems tricked users into surrendering their access credentials by writing programs that impersonated the login process: the program displayed "login" and "password" prompts and emailed whatever the user entered to the hacker.
Around the same time, hackers attempting to steal America Online accounts began posing as AOL staff members and sending instant messenger messages to potential victims. The message would ask intended victims to reveal their passwords or to "confirm billing information". Once the victim surrendered the requested information, the attacker could access the victim's account and use it for criminal purposes such as sending large volumes of spam emails, distributing pirated software (warez), or committing other crimes.
By 2002, phishing attacks began to proliferate en masse. At that point, phishing emails still contained numerous spelling and/or grammatical errors. They also usually directed users to web sites whose URLs did not match those of the impersonated legitimate sites, but were merely very similar to them. For example, www.ebay.com may have been impersonated by www.ebaycom.com. As phishing techniques and technologies advanced, these mistakes began to disappear and detection of phishing attacks became more complicated.
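One defender-side check for the lookalike-URL pattern just described, written as an added example that is not part of the original article or any Green Armor product: it classifies links extracted from mail against a list of protected domains, and also catches the brand-as-subdomain variant (ebay.com.example.net), which goes beyond the article's www.ebaycom.com case. The protected-domain list and sample links are constructed, and the registrable-domain logic is deliberately simplified (no public-suffix list).

```python
from urllib.parse import urlsplit

# Domains the defender wants to protect (constructed list for this example).
LEGIT_DOMAINS = {"ebay.com", "aol.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'www.ebaycom.com' -> 'ebaycom.com'.
    Simplified: ignores multi-label public suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL.

    'lookalike': the registrable domain is NOT a protected domain, yet the
    host still embeds a protected brand label (ebay, aol, ...). This covers
    both 'www.ebaycom.com' and 'secure.ebay.com.example.net'-style hosts.
    Substring matching is coarse and will also flag unrelated hosts that
    happen to contain a brand label; treat hits as triage, not verdicts.
    """
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in legit_domains:
        return "legit"
    brands = {d.split(".")[0] for d in legit_domains}
    # Flatten separators so 'e-bay' and 'ebay.com.' style hosts still match.
    flat = host.replace(".", "").replace("-", "")
    if any(brand in flat for brand in brands):
        return "lookalike"  # brand label present, but wrong registrable domain
    return "unrelated"


def flag_lookalikes(urls):
    """Return the URLs from a batch (e.g. links pulled from mail bodies)
    that classify as lookalikes."""
    return [u for u in urls if classify_url(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample of links as they might appear in e-mail bodies.
    SAMPLE_LINKS = [
        "http://www.ebay.com/signin",
        "http://www.ebaycom.com/signin",
        "http://secure.ebay.com.example.net/update",
        "http://example.org/newsletter",
    ]
    for link in SAMPLE_LINKS:
        print(f"{classify_url(link):10} {link}")
```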
Phishing Damage Reaches $1 Billion Annually
In 2004, Gartner estimated that about 57 million Americans were targeted for phishing in a 12-month period, and that phishing-related fraud had already reached $1.2 billion annually.
Anti-Phishing
Anti-phishing refers to techniques and technology used to combat phishing. Identity Cues is an example of an anti-phishing system.
Authorities Respond to Phishing
In January of 2004, the United States Federal Trade Commission filed the first lawsuit against a suspected phisher. The defendant, a teenager from California, allegedly created and used a webpage that he designed to look like the America Online website in an effort to trick people into giving him their credit card numbers.
In March of 2005, United States Senator Patrick Leahy introduced the Anti-Phishing Act of 2005. The anti-phishing bill proposes that criminals who use phishing to defraud consumers be fined up to $250,000 and receive jail terms of up to five years.
In March of 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse as-yet-unnamed defendants of using various techniques to obtain passwords and confidential information via the Internet.