Jul 19, 2007

[Security] Forms of phishing

In the last episode, you tested whether you can spot phishing on sight. This post discusses the forms of phishing and their combinations.

Note that this is not a comprehensive discussion.

The goal of a phisher is to get your login credentials, usually a user name and a password. To do this, a phisher can take one of two approaches: (1) fool you into giving up your user name and password, or (2) sniff your credentials without your knowing it.

The first form of phishing involves an elaborate way of fooling a person. It is usually done by sending an email asking the user to log on to the phishing site. Depending on the phisher, it can be convincing or an obvious phish. Under this scenario, a phisher spams a fake email purporting to come from a known Web company (like eBay or PayPal). The email is a social engineering trick to push you into clicking a given link. The link is masked so that, at first glance, you won't realize the URL is not what it seems. Clicking the link takes you to an authentic-looking Web site. When you enter your user name and password, the phisher gets your credentials.

In order for this method to work, the email must be convincing enough for the user to click on the link. Also, since the attack is via spam, this is a hit-or-miss affair. The phisher will have no idea if the recipient has an account for that Web company.
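As an added example (not from the original post), the following Python script flags the kind of masked link described above: anchors whose visible text names one host while the actual href points elsewhere, and URLs that put a fake host name in the userinfo part ahead of the real host. The email body below is a constructed sample, and the hosts it uses are reserved example/documentation values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing-style email body (not from the original post).
SAMPLE_EMAIL_HTML = """
<p>Please verify your account:</p>
<a href="http://login.example-evil.test/paypal">https://www.paypal.com/verify</a>
<a href="http://www.paypal.com@198.51.100.7/">www.paypal.com</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Return the lower-cased host of a URL or bare domain string, or ''."""
    s = s.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, re.I):
        s = "http://" + s          # treat bare 'www.example.com' as a URL
    return (urlsplit(s).hostname or "").lower()

def suspicious_links(html):
    """Return [(href, reason)] for anchors whose visible text or URL form is deceptive."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href if "://" in href else "http://" + href)
        if parts.username is not None:          # 'trusted.com@real-host' hides the real host
            findings.append((href, "userinfo before host"))
            continue
        # Visible text that looks like a domain/URL must agree with the real target host.
        if re.search(r"\b[a-z0-9-]+\.[a-z]{2,}\b", text, re.I) and _host(text) != _host(href):
            findings.append((href, "visible text names a different host"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags the first two anchors and leaves the third, whose text is plain words, alone.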

Now there is such a thing as a targeted attack. This scenario is scary because the phisher knows you have an account, and the fact that the phisher knows your email address means your online security has been compromised. Note the conjunction. The implication is grim, though this scenario is very rare.

The second form is more insidious. It invariably involves malicious software (malware) commonly known as spyware. Spyware is a program that attempts to collect information about a computer user. It can do many things to gather whatever information it needs; most commonly it sniffs network packets or monitors a user's Web surfing habits.

For example, the Bancos or Banker family of spyware is notorious for information stealing. Most of them monitor whatever Web sites a user views. When a user views a bank Web site, the spyware can either display a spoofed login page (a phish) or intercept the data submitted when the user logs in. You will probably never know that you have been compromised.

(Crossposted from here.)
