Tuesday, 10 November 2009

Types of banking attacks
[Figure 1: Phishing Process (from the Anti-Phishing Working Group)]


  • Social engineering
Social engineering is not a technological attack; it is a method that exploits human weaknesses in an information security system. It is a process in which the attacker builds trust with you by posing as a person or organization you recognize or trust. Social engineering attacks are frequently carried out through common communication technologies, i.e. phone or email.
These attacks are easy to launch and, so far, the hardest to avoid. Phishing is the most common example of a social engineering attack. The goal is to obtain your financial login credentials. Criminals then use your credentials to access your bank account and steal your money, or alternatively sell your banking login credentials to other criminals.

  • Phishing
One of the most common remote attacks against online financial services is called phishing: spoofed messages that supposedly come from a financial organization and are crafted so that the user gives away confidential information.
Phishing is no longer aimed only at customers. It is normally carried out through instant messaging or e-mail, and it repeatedly redirects users to a particular fake website whose look and feel are almost the same as the genuine one. In a typical phishing operation (see Figure 1 above) the perpetrators use a variety of tactics to obscure the fake website and make it look like the genuine one.
Fake websites are very difficult to detect; doing so requires great skill. Phishing is an example of a social engineering technique used to trick users, and it exploits the poor usability of current web security technologies.

There are quite a few theories about the origin of the word “phishing”. Some analysts believe the term is an acronym for “password harvesting fishing”; others believe it is a “hacker spelling” of the word “fishing”, in the style of “phreaking”. The Honeynet Project has published a paper called “Know your Enemy: Phishing”, which gives a comprehensive guide to present-day phishing attacks.

In the past few years, the most common methods that have developed are:
  • Spoofed E-mail Address:
Phishers use a wide variety of techniques and shareware tools so that the phishing e-mails appear legitimate, for example a sender address such as customerservies@TARGETEDCOMPANY.COM

  • Spoofed URLs:
Many techniques have been devised to spoof URLs. One uses JavaScript to cover the URL bar at the top of the user’s browser with a graphic or text. Others use browser-specific vulnerabilities to obscure the URL. Both result in a valid-looking URL being displayed instead of the fake one. On top of that, a URL can contain encoded characters that resemble American Standard Code for Information Interchange (ASCII) characters, and the same can be done with International Domain Names (IDNs), so that the displayed address is nearly identical to that of the website being spoofed.

  • Similar URLs:
In this case the fake website has a URL that looks or sounds like that of the targeted website. This was initially a very common practice, but it is falling out of favour because of increasingly sophisticated and improved efforts by companies to purchase such domain names themselves.

  • Combination attacks:
The Honeynet Project says that many attackers combine several methods of attack. For example, an attack can be launched from a hijacked server fitted with port redirection functionality that forwards to a malicious website, while a botnet sends e-mail designed to tempt recipients into visiting the fake website.

  • Phishing through port redirection:
A port redirection service is installed on a server. It redirects the visitor to a different server that holds the malicious content, in an attempt to make the phishing harder to trace.

  • Phishing using only IP address:
Rather than a URL, the website is reached by its IP address. This may confuse non-technical users, who might trust a website identified by a string of numbers rather than a website with a doubtful-looking URL.

  • Pop-Up windows:
When pop-up windows are used, the phisher forwards the user to a website that opens the genuine bank’s website with a fake pop-up window over it. The pop-up holds the fields for entering the user’s login and password.
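As an added illustration, not code from the original post, the Python heuristics below check a URL for several of the spoofing tricks listed above from the defender's side: an IP address in place of a host name, percent-encoded or non-ASCII (IDN) characters in the host, punycode labels, and names that look like a trusted bank domain. It goes slightly beyond the post by also catching one- or two-character typosquats with an edit-distance check. The trusted domain examplebank.com, the host evil.example and every sample URL are constructed placeholders, and the confusable-character table is a small illustrative one rather than a complete list.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholder: the genuine domain of the bank being protected.
TRUSTED_DOMAIN = "examplebank.com"

# Illustrative (not exhaustive) characters swapped in for look-alike letters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _parsed(url):
    """Parse a URL, adding a scheme when the input is a bare host/path."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url)


def host_of(url):
    """Lower-cased host part of a URL; empty string when there is none."""
    return (_parsed(url).hostname or "").lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Approximate the registrable domain as the last two labels."""
    return ".".join(host.split(".")[-2:])


def skeleton(name):
    """Collapse confusables so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url, trusted=TRUSTED_DOMAIN):
    """Return the list of spoofing indicators found in url (empty = none fired)."""
    reasons = []
    host = host_of(url)
    netloc = _parsed(url).netloc
    if is_ip_literal(host):
        reasons.append("ip-literal host")
    if "%" in netloc:
        reasons.append("percent-encoded characters in host")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ascii characters in host (possible IDN homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    if host == trusted or host.endswith("." + trusted):
        return reasons  # genuine domain: only the encoding checks above apply
    reg = registrable(host)
    if trusted in host:
        reasons.append("trusted name embedded in another domain")
    elif skeleton(reg) == skeleton(trusted) or levenshtein(reg, trusted) <= 2:
        reasons.append("look-alike of trusted domain: " + reg)
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts is real.
    samples = [
        "https://www.examplebank.com/login",
        "http://192.0.2.10/login",
        "https://examp1ebank.com/login",
        "https://examplebank.com.evil.example/login",
        "https://exampleb\u0430nk.com/",  # Cyrillic 'а' in place of Latin 'a'
        "https://xn--placeholder.com/",
    ]
    for sample in samples:
        print(sample, "->", assess_url(sample) or "no indicators")
```

Each indicator is a reason string rather than a verdict, so the output can be attached to a mail-gateway or proxy log entry for triage; the trusted-domain check deliberately returns early for the genuine host so that subdomains of the bank are never reported as look-alikes.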
