Saturday, February 9, 2008

PHISHING

1. Phishing:

Phishing is a form of social engineering practised by cyber criminals to gain access to bank accounts by stealing sensitive information.
Customers of leading banks throughout the world have been targets of phishing.


1.1 Definition:
Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.


1.2 History of phishing:
The word “phishing” originally comes from the analogy that early Internet criminals used email lures to “phish” for passwords and financial data from a sea of Internet users. The use of “ph” in the terminology is partly lost in the annals of time, but most likely linked to popular hacker naming conventions such as “Phreaks” which traces back to early hackers who were involved in “phreaking” – the hacking of telephone systems.

The term was coined in the 1996 timeframe by hackers who were stealing America Online (AOL) accounts by scamming passwords from unsuspecting AOL users. The popularized first mention on the Internet of phishing was made in the alt.2600 hacker newsgroup in January 1996.

2. Phishing Threat:
The use of phishing as a money laundering tool also appears to be emerging: volumes of compromised user data are sold to crime groups, and the stolen funds are aggregated into centralised false accounts by a principal organiser or “dump leader”. The use of false employment websites, which encourage users to sign up and make their banking facilities available for forwarding money to other accounts in return for a 20% administration fee, has also been revealed.


2.1 Social Engineering Factors:
Phishing attacks rely upon a mix of technical deceit and social engineering practices. In the majority of cases the Phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. Communication channels such as email, web-pages, IRC and instant messaging services are popular. In all cases the Phisher must impersonate a trusted source (e.g. the helpdesk of their bank, an automated support response from their favorite online retailer, etc.) for the victim to believe them.

To date, the most successful Phishing attacks have been initiated by email – where the Phisher impersonates the sending authority (e.g. spoofing the source email address and embedding appropriate corporate logos). For example, the victim receives an email supposedly from support@mybank.com (the address is spoofed) with the subject line 'security update’, requesting them to follow the URL www.mybank-validate.info (a domain name that belongs to the attacker – not the bank) and provide their banking PIN number.


3. Phishing Message delivery:

3.1 Email and spam:
Phishing attacks initiated by email are the most common. Using techniques and tools used by Spammers, Phishers can deliver specially crafted emails to millions of legitimate “live” email addresses within a few hours (or minutes using distributed Trojan networks). In many cases, the lists of addresses used to deliver the phishing emails are purchased from the same sources as conventional spam.


3.2 Web based delivery:
An increasingly popular method of conducting phishing attacks is through malicious web-site content. This content may be included within a web-site operated by the Phisher, or a third-party site hosting some embedded content.

3.3 Fake Banner Advertising:
Banner advertising is a very simple method Phishers may use to redirect an organisation's customers to a fake web-site and capture confidential information. Using copied banner advertising, and placing it on popular websites, all that is necessary is some simple URL obfuscation technique to obscure the final destination.

3.4 Trojaned Hosts:
While the delivery medium for the phishing attack may be varied, the delivery source is increasingly becoming home PCs that have been previously compromised. As part of this compromise, a Trojan horse program has been installed which allows Phishers (along with Spammers, Warez Pirates, DDoS Bots, etc.) to use the PC as a message propagator. Consequently, tracking back a Phishing attack to the individual criminal who initiated it is extremely difficult.

4. Phishing attack techniques:

4.1 Man-in-the-middle Attacks:
One of the most successful vectors for gaining control of customer information and resources is through man-in-the-middle attacks. In this class of attack, the attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems. From this vantage point, the attacker can observe and record all transactions.

4.2 URL Obfuscation Attacks:
The secret for many phishing attacks is to get the message recipient to follow a hyperlink (URL) to the attacker’s server, without them realizing that they have been duped. Unfortunately phishers have access to an increasingly large arsenal of methods for obfuscating the final destination of the customer’s web request.
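A defender's counterpart to this is a link check that asks where a URL really goes rather than what it appears to say. The following is an added example (not code from the original post or from the Phishing Guide it draws on), in Python, that inspects a link found in a message against the domain the message claims to represent, using the support@mybank.com / www.mybank-validate.info case from section 2.1 as its sample input; the function names and the two-label approximation of a "registered domain" are assumptions made for the example.

```python
from urllib.parse import urlsplit
from typing import List
import ipaddress


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for this example: no public-suffix list is available offline,
    so 'www.mybank.com' -> 'mybank.com'. A production check should use the
    public suffix list to handle names such as 'example.co.uk' correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str, expected_domain: str) -> List[str]:
    """Return the reasons a link may not lead where it appears to lead.

    An empty list means no deception indicator was found. The indicators are
    the common ways a URL's true destination is obscured from a reader.
    """
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # A user-info part before '@' is shown to the reader but ignored for routing:
    # the real host is whatever follows the '@'.
    if parts.username is not None:
        findings.append("userinfo-before-host")

    # A bare IP address instead of a name gives the reader nothing to verify.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass

    # Percent-encoding inside the host part hides the real name from a glance.
    if "%" in parts.netloc:
        findings.append("encoded-host")

    # Internationalised labels (punycode) can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")

    # The link is not under the organisation's own registered domain at all.
    if host and registered_domain(host) != expected_domain.lower():
        findings.append("domain-mismatch")
        # The brand name is present, but only as part of a foreign host
        # (e.g. mybank-validate.info, or mybank.com.<other-domain>).
        brand = expected_domain.lower().split(".")[0]
        if brand in host:
            findings.append("brand-in-foreign-host")

    # Credentials requested over plain HTTP can be read and altered in transit.
    if parts.scheme == "http":
        findings.append("no-tls")

    return findings


if __name__ == "__main__":
    # Constructed sample: the lure URL from section 2.1 versus the genuine site.
    for link in ("http://www.mybank-validate.info/login", "https://www.mybank.com/account"):
        print(link, "->", check_link(link, "mybank.com") or "looks consistent")
```

Every indicator is reported, rather than stopping at the first, so that a mail gateway or a browser extension can decide on a policy (warn, strip the link, quarantine) from the full set.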

4.3 Cross-site Scripting Attacks:
Cross-site scripting attacks (commonly referred to as CSS or XSS) make use of custom URL or code injection into a valid web-based application URL or embedded data field. In general, these CSS techniques are the result of poor web-application development processes.

4.4 Preset Session Attack:

In this class of attack the phishing message contains a web link to the real application server, but also contains a predefined SessionID field. The attacker's system constantly polls the application server for a restricted page using the preset SessionID. Until a valid user authenticates against this SessionID, the attacker will receive errors from the web-application server.
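The mitigation this attack calls for is to never bind an authenticated user to a session identifier that existed before authentication. The following added example (not code from the original post or the Phishing Guide) replays the sequence described above against a toy session store, once without and once with session-id rotation at login; the class and function names are assumptions made for the example.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Minimal server-side session store, constructed for this example."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def new_session(self) -> str:
        """Issue a fresh, unpredictable session id with no user bound to it."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, sid: str) -> str:
        """Accept a client-presented id only if this server issued it.

        An id the server never issued (one simply chosen by a third party)
        is replaced by a fresh one instead of being adopted.
        """
        return sid if sid in self._sessions else self.new_session()

    def login(self, sid: str, user: str) -> str:
        """Authenticate the user and return the id the client must use from now on."""
        sid = self.resolve(sid)
        if self.rotate_on_login:
            # Hardened behaviour: discard the pre-login id and bind the user to a
            # brand-new one, so an id that was known before authentication never
            # becomes an authenticated session.
            del self._sessions[sid]
            sid = self.new_session()
        self._sessions[sid]["user"] = user
        return sid

    def restricted_page(self, sid: str) -> Optional[str]:
        """Return the user a page request is served as, or None (an error) if unauthenticated."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry and entry["user"] else None


def simulate(rotate_on_login: bool) -> Tuple[Optional[str], Optional[str]]:
    """Replay the preset-session scenario; returns what the poller sees before and after login."""
    store = SessionStore(rotate_on_login)
    # 1. A session id is issued by the server before anyone has logged in; this is
    #    the id that ends up embedded in the lure link.
    preset = store.new_session()
    # 2. The restricted page is polled with it: an error while nobody is authenticated.
    before = store.restricted_page(preset)
    # 3. The victim follows the link and authenticates against that id.
    store.login(preset, "alice")
    # 4. The restricted page is polled again with the same preset id.
    after = store.restricted_page(preset)
    return before, after


if __name__ == "__main__":
    print("without rotation:", simulate(False))  # preset id now serves the victim's pages
    print("with rotation:   ", simulate(True))   # preset id stays unauthenticated
```

Rejecting ids the server never issued (the `resolve` step) is necessary but not sufficient, because, as the text describes, the attacker can first obtain a legitimately issued id and place that in the lure; only rotating the id at the moment of authentication closes the gap.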

4.5 Hidden Attacks:
Extending beyond the obfuscation techniques discussed earlier, an attacker may make use of HTML, DHTML and other scriptable code that can be interpreted by the customer's web browser and used to manipulate the display of the rendered information. In many instances the attacker will use these techniques to disguise fake content as coming from the real site – whether this is a man-in-the-middle attack, or a fake copy of the site hosted on the attacker's own systems.


5. Defence Mechanisms:

5.1 Client-side:

The client-side should be seen as representing the forefront of anti-phishing security. Given the distributed nature of home computing and the widely varying state of customer skill levels and awareness, client-side security is generally much poorer than a managed corporate workstation deployment. However, many solutions exist for use within both the home and corporate environments.

5.2 Server-side:

By implementing intelligent anti-phishing techniques into the organisation's web application security, developing internal processes to combat phishing vectors and educating customers – it is possible to take an active role in protecting customers from future attack. By carrying out this work from the server-side, organisations can take large steps in helping to protect against what is invariably a complex and insidious threat.

At the client-side, protection against Phishing can be afforded by:
Using strong token-based authentication systems
Keeping naming systems simple and understandable

5.3 Enterprise Level:

Businesses and ISPs may take enterprise-level steps to secure against Phishing scams – thereby protecting both their customers and internal users. These enterprise security solutions work in combination with client-side and server-side security mechanisms, offering considerable defence-in-depth against phishing and a multitude of other current threats.

Key steps to anti-phishing enterprise-level security include:
Automatic validation of sending email server addresses
Digital signing of email services
Monitoring of corporate domains and notification of “similar” registrations
Perimeter or gateway protection agents
Third-party managed services
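Monitoring for “similar” registrations is one of these steps that lends itself to automation. As an added example (not part of the original post), the Python below scores a constructed feed of newly registered domains against a corporate domain, folding common digit-for-letter substitutions, letter pairs that render like one letter, and punycode labels before comparing; the feed, the confusable table and the function names are assumptions made for the example, and the table is far shorter than a production one would be.

```python
from typing import List, Optional, Tuple
import unicodedata

# Single characters commonly swapped for look-alike letters in deceptive registrations.
# Constructed for this example; a production table would be much larger.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
# Letter pairs that render like one other letter in many fonts.
PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(label: str) -> str:
    """Fold one domain label so visually similar spellings compare equal."""
    label = label.lower()
    if label.startswith("xn--"):  # internationalised label: decode punycode first
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    decomposed = unicodedata.normalize("NFKD", label)  # split accents from base letters
    label = "".join(c for c in decomposed if not unicodedata.combining(c))
    for pair, single in PAIRS:
        label = label.replace(pair, single)
    return label.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, corporate: str) -> Optional[str]:
    """Why a newly registered domain resembles the corporate one, or None if it does not."""
    candidate, corporate = candidate.lower().rstrip("."), corporate.lower().rstrip(".")
    if candidate == corporate:
        return None  # the organisation's own domain
    cand_labels, corp_labels = candidate.split("."), corporate.split(".")
    if len(cand_labels) < 2 or len(corp_labels) < 2:
        return None
    cand_sld, cand_tld = normalize(cand_labels[-2]), cand_labels[-1]
    corp_sld, corp_tld = normalize(corp_labels[-2]), corp_labels[-1]
    if cand_sld == corp_sld:
        return "same-name-other-tld" if cand_tld != corp_tld else "homoglyph-spelling"
    if corp_sld in cand_sld:
        return "brand-embedded"  # e.g. mybank-validate, mybank-security
    distance = levenshtein(cand_sld, corp_sld)
    if distance <= 2:
        return f"typo-distance-{distance}"
    return None


def monitor(feed: List[str], corporate: str) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every feed entry that merits a notification."""
    hits = []
    for domain in feed:
        reason = classify(domain, corporate)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample of "newly registered" domains, not a real registry feed.
SAMPLE_FEED = [
    "mybank.com",
    "mybank-validate.info",
    "myb4nk.com",
    "rnybank.com",
    "mybank.net",
    "mybnak.com",
    "mybänk.com".encode("idna").decode("ascii"),  # punycode form of an accented look-alike
    "weather.org",
]

if __name__ == "__main__":
    for domain, reason in monitor(SAMPLE_FEED, "mybank.com"):
        print(f"{domain:28} {reason}")
```

Each reason is a category rather than a score so that the notification can route differently: a same-name registration under another TLD is often a defensive purchase the organisation wants anyway, while a homoglyph or brand-embedded registration is what the text means by a registration to be watched.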

CONCLUSION:
Phishing started off as part of popular hacking culture. Now, as more organisations provide greater online access for their customers, professional criminals are successfully using phishing techniques to steal personal finances and conduct identity theft at a global level. By applying a multi-tiered approach to their security model (client-side, server-side and enterprise) organisations can manage their protection technologies against today's and tomorrow's threats – without relying upon proposed improvements in communication security that are unlikely to be adopted globally for many years to come.

BIBLIOGRAPHY:
Cyveillance, the brand monitoring network: www.cyveillance.com
The Open Web Application Security Project: www.owasp.org/images/a/ad/Phishing-a_new_age_weapon
Wikipedia, the free encyclopedia: www.wikipedia.org
The Phishing Guide (NGSSoftware): www.ngssoftware.com
