best antivirus

What is Phishing (phishing sites)?

Phishing is a method of Internet fraud aimed at obtaining a user's confidential data, such as passwords, credit card numbers, bank account details, etc.

As a rule, phishing is carried out through fake messages or emails telling the user that their personal data urgently needs to be updated. These messages may appear to come from your bank, Internet provider or a payment organization. The stated reasons vary (website failure, loss of information, etc.). Social engineering methods are also used, and they are becoming more and more sophisticated.

The technical side of phishing was described in 1987, but the corresponding term appeared on Usenet in 1996. Early phishing was connected with AOL, an American media company that provides various online services, electronic bulletin boards and many other functions. Fraudsters pretended to be representatives of the company in order to obtain passwords or other user payment information. The personal information they collected was then used for fraud or for sending spam. Phishing reached such a scale that AOL had to develop a special system for detecting and blocking the false accounts. Access to AOL user accounts gave phishers access to users' credit data and showed the insufficient security level of such a payment system.

Because people find it hard to stay calm when something affects them personally, fraudsters craft their messages to attract the user's attention and provoke a reaction and panic.

Most phishing methods rely on masquerading or faking (misspelling) the links of official organizations. A user sees a visually identical address, follows the link and lands on a phishing site. Fraudsters also often use images instead of text to make fake emails harder to detect. The most dangerous method is exploiting vulnerabilities in the scripts of a real site: the user is sure to notice nothing and logs in, entering their secret personal data.

As a rule, phishing sites don't last long; on average they exist for 5 days. Because anti-phishing systems update their phishing databases regularly, phishers have to create new domains and sites all the time. The new sites look the same as the legitimate site they copy and usually have the same main page. It is rather difficult for a user to notice a slight difference in a link, such as an odd dash or letter, and phishers take advantage of this.
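The lookalike links described above (a misspelled name, an odd dash or letter) can be checked mechanically. The following is an added example, not part of the original page: it compares a link's host against a short allowlist, and the allowlist, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example; a real deployment would load its own.
TRUSTED = {"paypal.com", "ebay.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def skeleton(host: str) -> str:
    """Collapse common visual tricks: dashes and digit-for-letter swaps."""
    return host.replace("-", "").translate(str.maketrans("01", "ol"))

def classify_link(url: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # Trusted name used only as a leading label: paypal.com.example.net
        if host.startswith(t + "."):
            return "lookalike"
        # Odd dash, swapped digit, or one changed, missing or extra letter
        if edit_distance(skeleton(host), skeleton(t)) <= 1:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("https://www.paypal.com/signin", "http://paypa1.com/login",
                 "http://pay-pal.com/", "http://paypal.com.example.net/",
                 "https://example.org/"):
        print(f"{classify_link(link):10} {link}")
```

A "lookalike" result is a reason to block or warn; "unknown" only means the host resembles nothing on the allowlist, not that it is safe.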

Phishing attacks can be:

- accidental
The attack is performed at random and affects popular large systems like eBay or PayPal, since there is a high probability that a user has an account there.

- targeted
In this case phishers obtain information about the bank, payment system, provider or sites used by a certain person. This method is more complicated but at the same time more successful.

Besides the theft of personal data, a user can also receive a so-called "gift" of Trojans, spyware, etc.

Today phishing is only one of many fraud methods. Vishing (voice phishing) is also widespread. A user receives a fake letter, masquerading as an official one from the bank, asking them to call the number stated in the letter. The letter mentions, for example, some non-existent problem with the current account; the user is unaware of this and dials the number. An answering machine replies with step-by-step instructions, following which the victim enters their account number and PIN code. Alternatively, fraudsters may call the victim themselves, pretending to be official representatives of the bank and demanding the user's personal data. SMS phishing is carried out via SMS messages containing a web address; by visiting it and entering their secret data, a person becomes a victim of phishers.