Do you keep hearing & reading about “phishing”, and wondering what exactly it means? I’ve been asked about it often over the past few weeks, so decided to write a post on this topic. I’m studying bioethics, or biomedical ethics, and the protection of patients’ information is rapidly becoming an important facet of this field.
To start, phishing’s a form of social engineering attack on computers and networks. Which invariably leads to the question: “What’s social engineering?” The best definition I’ve found of the term is this:
“Social engineering attacks are usually conducted by outsiders who use a variety of psychological tricks to get the computer user to give them the information they need to access a computer or network”.(1)
The play-on-words term “phishing” refers to using psychological bait, lures, to convince an individual to provide access to the information that hackers want. It used to mean using instant messaging to steal an individual’s on-line account information; these days email attacks are more common, because they can reach a much larger target audience(2).
Scare tactics are tools of the trade in phishing, to convince someone to click on a link – or log in to a fake website – where they’ll be asked for some personal information to ‘validate’ their identity. The personal or confidential information captured by phishers will then be used to get access to the victim’s computer or network. It can also lead to identity theft, and to criminal activities being committed by the phisher – while using their victim’s name and identity.
Some examples of ‘trick’ messages in phishing emails could be:
- “Verify your account information before you’re locked out!”
- “There’s been a system failure, and must immediately re-enter your information”
- “This is a reminder to update your personal information to keep your account with (name of a real or fictitious company) in good standing”
- “There have been unauthorized purchases on your credit card – Click here to confirm that this is a fraud”
- “You’ve been authorized for a limited-time no-charge increase to the spending limit on your credit card – Click here today, to increase your credit limit”
- And so many more…
Just as there are many kinds of fish, there are many kinds of phishing. The Office of the Privacy Commissioner of Canada (OPC) has published definitions of some common types of phishing(3), which I’ve simplified and shortened.
Regular phishing
An e-mail that looks like it’s from a bank, credit card firm, or on-line company like Amazon. It will ask the target person to log-in to a (fake) account and check the account details. As in my examples above, there’s often a (fake) warning about unauthorized purchases or important security updates.
The easiest tool for hackers is a link to a website, which the individual can click on; because it’s easy for the potential victim to just click a link. The link will be to a fake website; it can be hard to tell some of these fake websites from the real ones – at least on the landing page.
Hackers use well-known companies, names that most (all?) of their target audience would recognize and that many would be likely to have made purchases from in the past. There will be sections for the individual to enter their user name, password, credit card information, and even their Social Insurance Number (SIN, for Canadians) or Social Security Number (SSN, for Americans).
Spear phishing
Hackers can use information from an individual’s unprotected social networking platforms, like Facebook and MySpace, to learn about that person. And then send a friend request, maybe with the name of one of their old schools so it will look authentic.
Once the hacker has access to all the information on a victim’s social media, they can easily find photographs and personal details; sometimes even the birthday, city/town of residence, and mother’s maiden name (a popular security question for re-setting passwords).
“Spear phishing” is using a social networking site, by pretending to be an acquaintance or friend-of-a-friend of the victim.
Pharming
This one may need a bit of an introduction. Internet Protocol (IP) addresses (strings of numbers, in a format like xxx.xxx.x.xxx) are identifiers that allow computers (or servers) to communicate over a network; in this case, the Internet. It’s kind of like the SIN or SSN of an individual. The IPs addresses are how computers can connect with each other, to send emails, files, and other information between them.
Are you still with me? We’re almost done with pharming! Pharming is when hackers are able to change an IP address, and redirect the internet traffic to another computer or server. So even if the victim is careful, and doesn’t click on a link in an email, they might type in the correct website name – but still end up on a fake/criminal website. This look similar to the real website (a counterfeit website), or have an “under construction” banner message.
Vishing
Vishing is the same idea as (regular) phishing, but using phone calls; “voice phishing” = “vishing”. A potential victim would be asked to call a phone number (usually provided in a faked email), because this might seem more trustworthy to many people. Especially because criminals using vishing will often pretend to be a credit card company or a bank.
Over the past few years there has been a transition of telephone service, from land-lines, to Voice over Internet Protocol (VoIP). Many large corporations have made this change, for cost savings. And hackers have found ways to track and save information from those calls.
A common example would be to get the victim to enter their credit card number and expiry date using their phone’s keypad, along with the cardholder name. All that information would then be stolen.
More phish in the sea!
Once the general public becomes aware of a new criminal activity, the criminals find a new way to try to scam people. So there are new types of phishing coming up all the time. This is a list of some additional types of phishing, from a recent article in PC Magazine(4):
- Deceptive Phishing
- Malware-Based Phishing
- Key-loggers and Screenloggers
- Session Hijacking
- Web Trojans
- Host File Poisoning
- System Reconfiguration Attacks
- Data Theft
- DNS-Based Phishing (Pharming)
- Man-in-the-Middle Phishing
- Search Engine Phishing
Protect yourself
The OPC has issued 6 general tips, for individuals to better protect themselves from phishing attacks. These are all taken directly from the OPC website(3); I haven’t modified any of them:
- “Be suspicious of e-mails from financial institutions, Internet service providers and other organizations asking you to provide personal information online. Reputable firms never ask for personal information in this manner. If you are at all uncertain, look up their phone number in the phone directory, or use the number printed on the back of the credit card or account statement, and call. Clues to fraudulent e-mails include a lack of personal greetings and spelling or grammatical errors.”
- “Never click on links in the e-mail or cut and paste them into your browser – chances are the link will take you to a fake web site. It is generally safer to log onto the web site directly by typing the web address in your browser.
- “Always ensure you are using an authentic, secure web site when submitting credit card or other sensitive information. Start by typing the web address into the browser address bar manually. Once you are at the site, make sure you’re on a secure web server by checking the beginning of the web address in your browser’s address bar – it should be “https://” rather than just “http://”. There should also be a small yellow padlock symbol in the lower-right hand portion of your screen.”
- “Never call a telephone number provided in a phone call or an e-mail regarding possible security issues with a credit card or bank account. Only the phone number on the back of a credit card or bank statement is a valid number to discuss credit card account information.”
- If any suspicious or unfamiliar “buttons” or other “clickable” items appear on a web site that you frequent, such as a MySpace page, do not click on them until you have verified their authenticity. (You can refer to the phishing sites listed in the next section to accomplish this). If you accidentally click one of these items do NOT provide any information that you may subsequently be prompted for. Spear phishers may have embedded malicious code directly in personal web pages”
- “If, for any reason, you believe or suspect your personal information may have been compromised, contact the relevant institutions (i.e., your bank, credit card issuer, credit reporting bureaus, or utility provider) as soon as possible. If you believe a crime has been committed or attempted, you should also contact local law enforcement. You can also report any suspicious activity to one of the online organizations, listed in the next section, after contacting these authorities.”
By now you should have a good grasp of what phishing is. Feel free to share this information; the more people know about it, the fewer will fall victim to these criminal hackers! The OPC encourages the sharing of information on its website as well.
References
(1) Thomas R. Peltier CISSP, CISM. Social Engineering: Concepts and Solutions. Information Systems Security, Vol. 15, Iss. 5, 13-21. 07 Jan 2007, pp 13-21. Web: http://www.tandfonline.com/doi/abs/10.1201/1086.1065898X/46353.15.4.20060901/95427.3
(2) Computer Associates International. Types of Phishing Attacks. In PC Magazine. 12 Sep 2007. Web:
https://www.pcworld.com/article/135293/article.html
(3) Government of Canada: Office of the Privacy Commissioner of Canada (OPC). Recognizing Threats to Personal Data Online. 01 Mar 2007. Web: https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/online-privacy/phishing/
(4) Computer Associates International. Types of Phishing Attacks. In PC Magazine. 12 Sep 2007. Web: https://www.pcworld.com/article/135293/article.html”https://www.pcworld.com/article/135293/article.html