When phishing is perpetrated via email, the criminal sends out a large number of messages that appear to come from a legitimate source such as a trusted business or financial institution. The emails include an urgent request for personal information to be submitted -- usually the phisher claims that there is some critical need to update an account immediately. The message provides a link to an official-looking website where users actually enter the information; personal information submitted to this site, however, goes directly to the criminal perpetrating the phishing attack, not to the legitimate business being impersonated.
Phishing is, therefore, a form of social engineering attack that exploits a human weakness; technology is used only as the means of communication.
As mentioned earlier, phishing can be perpetrated through email, but it can also be carried out through instant messenger messages, blog postings, and pharming.
"Ph" is a common replacement for the letter "f" in hacker lingo; one of the earliest forms of hacking was known as "phone phreaking."
Around the same time, hackers attempting to steal America Online accounts began to pose as AOL staff members and sent instant messenger messages to potential victims. The message would ask intended victims to reveal their passwords or to "confirm billing information". Once the victim surrendered the requested information, the attacker could access the victim's account and use it for criminal purposes such as sending large volumes of spam emails, distributing pirated software (warez), or committing other crimes.
By 2002, phishing attacks began to proliferate en masse. At that point, phishing emails still contained numerous spelling and/or grammatical errors. They also usually directed users to web sites whose URLs did not match those of the impersonated legitimate sites but were merely very similar. For example, www.ebay.com may have been impersonated by www.ebaycom.com. As phishing techniques and technologies advanced, these errors began to disappear and detecting phishing attacks became more complicated.
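A defensive check for the lookalike-domain pattern just described, added here as an example rather than code from the original page. The protected-brand list, the small public-suffix table and the sample URLs are assumptions; only www.ebaycom.com comes from the text.

```python
"""Classify a URL as legitimate, lookalike or unrelated to a protected brand.

Constructed example: the brand list and suffix table below are assumptions,
not data from the page. The idea is the one the text describes: a phishing
site's hostname contains the brand name, but the domain the attacker had to
register (ebaycom.com, evil.test) is not the brand's own.
"""
from urllib.parse import urlsplit

# Brand name -> registrable domains the brand legitimately owns (assumed).
PROTECTED = {
    "ebay": {"ebay.com", "ebay.co.uk"},
    "paypal": {"paypal.com"},
}

# Minimal multi-label public suffixes so "secure.ebay.co.uk" splits correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the host an attacker must actually register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the URL's host."""
    if "://" not in url:            # bare hosts as they appear in email text
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    # Hyphens and underscores are stripped so "ebay-login.example" still
    # triggers on the brand name.
    flat_host = host.replace("-", "").replace("_", "")
    for brand, owned in PROTECTED.items():
        if reg in owned:
            return "legitimate"      # registrable domain is the brand's own
        if brand in flat_host:
            # Brand appears in the host, but the registered domain is not
            # the brand's: www.ebaycom.com, www.ebay.com.evil.test, etc.
            return "lookalike"
    return "unrelated"
```

The check deliberately keys on the registrable domain rather than on the full hostname, because a subdomain such as www.ebay.com.evil.test is under the attacker's control even though it starts with the brand's real name.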
In March of 2005, United States Senator Patrick Leahy introduced the Anti-Phishing Act of 2005. The anti-phishing bill proposes that criminals who utilize phishing in order to defraud consumers be fined up to $250,000 and receive jail terms of up to five years.
In March of 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse as-yet unnamed defendants of using various techniques to obtain passwords and confidential information via the Internet.
Hushmail, a provider of secure email services, was also attacked with pharming. In April of 2005, a hacker (the "pharmer") -- through inappropriate communications with the domain registrar -- was able to redirect users to a defaced webpage.
While defaced web pages may be a problem, pharming can be leveraged to commit far more sinister crimes. If the web site receiving the traffic is a fake web site, such as a copy of a bank's website, it can be used to commit a phishing-type crime such as stealing users' credit card numbers, PIN codes, or username-password combinations.
Server-side software is typically used by enterprises to protect their customers and employees who use their web-based systems from pharming and phishing.
DNS protection mechanisms help ensure that a specific DNS server cannot be hacked and thereby become a facilitator of pharming attacks. Organizations should protect their own DNS servers from tampering, but until every DNS server on the Internet is protected from hacking, pharming remains a serious risk. Even organizations that have secured their own DNS servers therefore need additional protection for their users, who can still be pharmed through the hacking of other DNS servers (e.g., those at the users' Internet Service Providers).
Note: Spam filters typically do not provide users with protection against pharming, as pharming is not perpetrated through the spreading of spam emails.