What’s phishing? (15.11.2007)
Do you keep hearing & reading about “phishing”, and wondering what exactly it means? I’ve been asked about it often over the past few weeks, so I decided to write a post on this topic.
To start, phishing’s a form of social engineering: an attack that targets the people who use computers and networks, rather than the machines themselves. Which invariably leads to the question: “What’s social engineering?” The best definition I’ve found of the term is: “Social engineering attacks are usually conducted by outsiders who use a variety of psychological tricks to get the computer user to give them the information they need to access a computer or network”(1).
The play-on-words term “phishing” (a deliberate misspelling of “fishing”) refers to using psychological bait, or lures, to convince individuals to hand over the access information that attackers want. It originally meant using instant messaging to steal an individual’s on-line account details; these days e-mail attacks are more common, because a single message can reach a much larger target audience(2).
Scare tactics are the tools of the trade in phishing: the message pushes the reader to click on a link, or log in to a fake website, where they’ll be asked for some personal information to ‘validate’ their identity. The personal or confidential information captured by the phisher is then used to get access to the victim’s accounts, computer or network. It can also lead to identity theft, with criminal activities being committed by the phisher in the victim’s name.
Some examples of phishing emails could be:
- Verify your account information before you’re locked out!
- There’s been a system failure, and you must immediately re-enter your information
- This is a reminder to update your personal information to keep your account with _____ (insert name of a real or fictitious company) in good standing
- There have been unauthorized purchases on your credit card – Click here to confirm that this is a fraud
- You’ve been authorized for a limited-time no-charge increase to the spending limit on your credit card – Click here today, to increase your credit limit
- And so many more…
Just as there are many kinds of fish, there are many kinds of phishing. The Office of the Privacy Commissioner of Canada (OPC) has published definitions of some common types of phishing(3), which I’ve simplified and shortened:
Phishing (basic type)
An e-mail that looks like it’s from a bank, credit card firm, or on-line company like Amazon. It will ask the target person to log in to a (fake) account and check the account details. As in my examples above, there’s often a (fake) warning about unauthorized purchases or important security updates.
The easiest tool for the attacker is a link in the message, because it’s easy for the potential victim to just click it. The link leads to a fake website, and it can be hard to tell some of these fakes from the real ones, at least on the landing page: the attacker copies the real site’s logos and layout, so the address of the page you’ve landed on is the thing to check, not how it looks.
Hackers use well-known companies, names that most (all?) of their target audience would recognize and that many would have bought from in the past. The fake site will have fields for the individual to enter their user name, password, credit card information, and even their Social Insurance Number (SIN, for Canadians) or Social Security Number (SSN, for Americans).
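The tricks described above (a link whose real destination differs from what the message shows, a trusted name buried inside a different site’s address, a bare IP address instead of a site name) can be checked mechanically. The script below is an added example written for this post, not code from the OPC or PC Magazine sources; the e-mail body, the “trusted sites” list and the domain names (account-verify.example, 192.0.2.10) are constructed for illustration.

```python
"""Inspect the links in an HTML e-mail body and flag the tricks phishers use.

Added example: the sample message and the trusted-site list below are constructed
for illustration, not taken from a real e-mail or from this post's sources.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: a lookalike host, a raw IP address, and one genuine link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, there have been unauthorized purchases on your account.</p>
<p><a href="http://www.amazon.com.account-verify.example/login">
https://www.amazon.com/your-account</a> to confirm that this is fraud.</p>
<p><a href="http://192.0.2.10/signin">Click here</a> today.</p>
<p><a href="https://www.amazon.com/gp/help">Help</a></p>
"""

# Registrable names the reader actually does business with (assumption for the example).
TRUSTED_SITES = {"amazon.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_name(host):
    """Last two labels of a host name. Real code should use the Public Suffix List
    (co.uk and friends); the two-label rule is enough for this example."""
    return ".".join(host.split(".")[-2:])


def check_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no host in href"]
    reasons = []
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a site name")
    else:
        site = registrable_name(host)
        if site not in TRUSTED_SITES:
            reasons.append("site %r is not one you do business with" % site)
        for trusted in TRUSTED_SITES:
            # "www.amazon.com.account-verify.example" contains amazon.com but is not it
            if trusted in host and site != trusted:
                reasons.append("trusted name %r is only a prefix of %r" % (trusted, site))
    shown = (urlparse(text).hostname or "").lower()   # visible text that looks like a URL
    if shown and shown != host:
        reasons.append("visible text shows %r but the link goes to %r" % (shown, host))
    return reasons


def analyze_email(html):
    """Map each href in the message to its list of reasons (empty = looks consistent)."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in analyze_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", reasons or "looks consistent")
```

Run it on the sample and only the last link comes back clean; the first is flagged three times (untrusted site, trusted name used as a decoy prefix, displayed address differs from the real one) and the second once for the bare IP address. The two-label rule in registrable_name is the weak point of this toy: a real mail filter would use the Public Suffix List so that, say, a .co.uk site is handled correctly.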
Spear phishing
Attackers can use information from an individual’s unprotected social networking profiles, like Facebook and MySpace, to learn about that person, and then send a friend request, perhaps mentioning one of the victim’s old schools so that it looks authentic.
Once the attacker has access to everything on the victim’s social media, they can easily find photographs and personal details; sometimes even the birthday, city/town of residence, and mother’s maiden name (a popular security question for re-setting passwords).
“Spear phishing”, then, is phishing aimed at one specific person (or a small group), using details gathered about them, often from a social networking site, to pose as an acquaintance or friend-of-a-friend of the victim. Because the message is personalized, it’s far more convincing than a mass mailing.
Pharming
This one will need a bit of an introduction. Internet Protocol (IP) addresses (strings of numbers, written like 192.0.2.10) are identifiers on the internet and on networks, a bit like the SIN or SSN of an individual. IP addresses are how computers find and talk to each other, to send e-mail and other information back and forth; and they’re also how your computer finds a website.
To make them easier for people to remember, IP addresses are given names; what we see on the internet is usually the name, not the number behind it. Let’s use an imaginary example. Imagine a cluster of lakefront rental cottages named “Beach Cabin”, “Lake Cabin”, and “Shore Cabin”. They all look the same, and were built to blend in with the forest around them.
Those cabins will also have civic addresses, right? Let’s say they’re located at 110, 112, and 114 Lakefront Road. But if you’ve rented Lake Cabin for a week, and see a “Lake Cabin” sign at the start of the long driveway, you’re likely to be fairly sure it’s the right cabin, and will turn into that driveway. The sign makes it easier to spot as you’re driving by.
A website’s name does much the same thing; it lets us quickly recognize the address we want, and our computer looks up the number for us (that lookup is the Domain Name System, DNS). One you’ll probably recognize is Amazon.com. In my imaginary example above, the owner of the cottages could use “www.Rent-a-cabin.com”.
Are you still with me? We’re almost done with pharming! Pharming is when attackers manage to change that lookup, so that the correct name now points at the wrong IP address: either by altering the DNS records, or the DNS server your computer asks, or by editing the “hosts” file on your own computer, which is consulted before DNS. So even if the victim is careful, and doesn’t click on a link in an e-mail, they can type in the correct website name and still end up on a fake/criminal website. It’s as if someone had moved the “Lake Cabin” sign to a different driveway.
So someone who typed http://www.Rent-a-cabin.com could end up on an attacker’s website. And it would most likely look similar to the real website, or show an “under construction” banner message.
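To make the lookup step concrete, here is a small simulation of how a computer turns a name into an address (hosts file first, then DNS) and how either of the two pharming variants, a poisoned hosts file or an altered DNS answer, sends a correctly typed name to the wrong server. It is an added example written for this post, not code from the OPC or PC Magazine sources; the names and addresses are constructed (rent-a-cabin.example stands in for the imaginary www.Rent-a-cabin.com above, and 192.0.2.x / 203.0.113.x are reserved documentation ranges).

```python
"""Simulate how a computer turns a website name into an IP address, and how
pharming breaks that step without the victim typing anything wrong.

Added example, not from the original post or its sources. Names and addresses are
constructed: rent-a-cabin.example stands in for the post's imaginary
www.Rent-a-cabin.com, and 192.0.2.x / 203.0.113.x are reserved documentation ranges.
"""
from urllib.parse import urlparse

REAL_ADDRESS = "192.0.2.10"     # where the genuine site really lives (constructed)
FAKE_ADDRESS = "203.0.113.66"   # where the attacker's lookalike site lives (constructed)

# The legitimate DNS answer, and the answer after DNS-based pharming has altered it.
REAL_DNS = {"www.rent-a-cabin.example": REAL_ADDRESS}
POISONED_DNS = {"www.rent-a-cabin.example": FAKE_ADDRESS}

# A clean hosts file, and one where malware has appended a line (constructed text).
CLEAN_HOSTS = "127.0.0.1 localhost\n"
POISONED_HOSTS = CLEAN_HOSTS + "203.0.113.66 www.rent-a-cabin.example  # added by malware\n"


def parse_hosts(text):
    """Parse /etc/hosts-style text ('address name [alias ...]', '#' starts a comment).
    The first line naming a host wins, as with the usual system resolver."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(name, hosts_text, dns):
    """Resolve a name the way an operating system does: hosts file first, then DNS."""
    name = name.lower().rstrip(".")
    hosts = parse_hosts(hosts_text)
    if name in hosts:
        return hosts[name]
    if name in dns:
        return dns[name]
    raise LookupError("no address known for %s" % name)


def where_does_it_go(url, hosts_text, dns):
    """For the URL the victim typed, return (name shown in the address bar, IP reached)."""
    name = urlparse(url).hostname
    return name, resolve(name, hosts_text, dns)


def pharmed(url, hosts_text, dns, expected=REAL_ADDRESS):
    """True when the correctly typed name lands somewhere other than the real server."""
    return where_does_it_go(url, hosts_text, dns)[1] != expected


if __name__ == "__main__":
    typed = "http://www.Rent-a-cabin.example/book"
    for label, hosts, dns in (("clean", CLEAN_HOSTS, REAL_DNS),
                              ("hosts file poisoned", POISONED_HOSTS, REAL_DNS),
                              ("DNS poisoned", CLEAN_HOSTS, POISONED_DNS)):
        name, ip = where_does_it_go(typed, hosts, dns)
        flag = "  <-- pharmed" if pharmed(typed, hosts, dns) else ""
        print("%-20s address bar shows %s, traffic goes to %s%s" % (label, name, ip, flag))
```

In all three runs the address bar shows the same, correctly typed name; only the IP address the traffic actually reaches changes. That is the whole point of pharming, and why “I typed it myself” is not a guarantee on a computer whose hosts file or DNS settings may have been tampered with.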
Vishing
This will be a quick explanation, to make up for that last one! Vishing is the same idea as (regular) phishing, but using phone calls: “voice phishing” = “vishing”. A potential victim is asked to call a phone number (usually given in a fake e-mail), because a phone call seems more trustworthy to many people. Criminals using vishing will often pretend to be a credit card company or a bank.
More and more individuals and companies are using Voice over Internet Protocol (VoIP) for phone calls, and VoIP makes it cheap for criminals to set up a phone number with an automated menu that records whatever callers key in or say. A common example would be to get the victim to enter their credit card number and expiry date using the phone’s keypad, along with the cardholder name. All of that information is then stolen.
More types of phishing are cropping up all the time!
Once the general public becomes aware of a new criminal activity, the criminals find a new way to try to scam people. So there are new types of phishing coming up all the time. This is a list of some additional types of phishing, from a recent article in PC Magazine(4):
- Deceptive Phishing
- Malware-Based Phishing
- Keyloggers and Screenloggers
- Session Hijacking
- Web Trojans
- Hosts File Poisoning
- System Reconfiguration Attacks
- Data Theft
- DNS-Based Phishing (“Pharming”)
- Man-in-the-Middle Phishing
- Search Engine Phishing
Some tips, to protect yourself from phishing
The Office of the Privacy Commissioner of Canada (OPC) issued 6 general tips, for individuals to better protect themselves from phishing attacks. These are all taken directly from the OPC website(3); I haven’t modified any of them:
- Be suspicious of e-mails from financial institutions, Internet service providers and other organizations asking you to provide personal information online. Reputable firms never ask for personal information in this manner. If you are at all uncertain, look up their phone number in the phone directory, or use the number printed on the back of the credit card or account statement, and call. Clues to fraudulent e-mails include a lack of personal greetings and spelling or grammatical errors.
- Never click on links in the e-mail or cut and paste them into your browser – chances are the link will take you to a fake web site. It is generally safer to log onto the web site directly by typing the web address in your browser.
- Always ensure you are using an authentic, secure web site when submitting credit card or other sensitive information. Start by typing the web address into the browser address bar manually. Once you are at the site, make sure you’re on a secure web server by checking the beginning of the web address in your browser’s address bar – it should be “https://” rather than just “http://”. There should also be a small yellow padlock symbol in the lower-right hand portion of your screen.
- Never call a telephone number provided in a phone call or an e-mail regarding possible security issues with a credit card or bank account. Only the phone number on the back of a credit card or bank statement is a valid number to discuss credit card account information.
- If any suspicious or unfamiliar “buttons” or other “clickable” items appear on a web site that you frequent, such as a MySpace page, do not click on them until you have verified their authenticity. (You can refer to the phishing sites listed in the next section to accomplish this). If you accidentally click one of these items do NOT provide any information that you may subsequently be prompted for. Spear phishers may have embedded malicious code directly in personal web pages.
- If, for any reason, you believe or suspect your personal information may have been compromised, contact the relevant institutions (i.e., your bank, credit card issuer, credit reporting bureaus, or utility provider) as soon as possible. If you believe a crime has been committed or attempted, you should also contact local law enforcement. You can also report any suspicious activity to one of the online organizations, listed in the next section, after contacting these authorities.
By now you should have a good grasp of what phishing is. Feel free to share this information; the more people know about it, the fewer will fall victim to these criminal hackers!
(1) Thomas R. Peltier, CISSP, CISM. “Social Engineering: Concepts and Solutions.” Information Systems Security, Vol. 15, Iss. 5, pp. 13-21. 07 Jan 2007. Web: http://www.tandfonline.com/doi/abs/10.1201/1086.1065898X/463184.108.40.20660901/95427.3
(2) Computer Associates International. “Types of Phishing Attacks.” PC Magazine, 12 Sep 2007. Web: https://www.pcworld.com/article/135293/article.html
(3) Government of Canada, Office of the Privacy Commissioner of Canada (OPC). “Recognizing Threats to Personal Data Online.” 01 Mar 2007. Web:
(4) Computer Associates International. “Types of Phishing Attacks.” PC Magazine, 12 Sep 2007. Web: https://www.pcworld.com/article/135293/article.html