
Phishing and Pharming Information Site

Phishing

Phishing is the activity of fraudulently presenting oneself online as a legitimate enterprise in order to trick consumers into giving up personal financial information that will be used for identity theft or other criminal activity. Phishing is most commonly perpetrated through the mass distribution of e-mail messages directing users to a web site, but other venues are utilized as well.

When phishing is perpetrated via email, the criminal sends out a large number of messages that appear to come from a legitimate source such as a trusted business or financial institution. The emails include an urgent request for personal information to be submitted -- usually the phisher mentions that there is some critical need to update an account immediately. A link is provided in the email message to an official-looking website where the information is actually entered by users; personal information provided to this site, however, goes directly to the criminal perpetrating the phishing attack, and not to the legitimate business being impersonated.

Phishing is, therefore, a form of social engineering attack that exploits a human weakness; technology is used only as the means of communication.

As mentioned earlier, phishing can be perpetrated through email, but can also be carried out through instant messenger messages, blog posting, and pharming.

The term "Phishing"

The term phishing is derived from the fact that Internet scammers "fish" for users' financial information and password data. The first mention on the Internet of phishing was on the alt.2600 hacker newsgroup in January of 1996; however, the term may have been used earlier in printed materials. By March of 1997 the term phishing had found its way into mainstream media -- appearing in an article in the Florida Times-Union.

"Ph" is a common replacement for the letter "f" in hacker lingo; one of the earliest forms of hacking was known as "phone phreaking."

Early Phishing

In the early 1990s, hackers using multi-user computer systems were able to trick users into surrendering their access credentials by writing programs that impersonated the login process: the programs displayed "login" and "password" prompts and emailed the information entered by the user to the hacker.

Around the same time, hackers attempting to steal America Online accounts began to pose as AOL staff members and sent instant messenger messages to potential victims. The message would ask intended victims to reveal their passwords or to "confirm billing information". Once the victim surrendered the requested information, the attacker could access the victim's account and use it for criminal purposes such as sending large volumes of spam emails, distributing pirated software (warez), or committing other crimes.

By 2002, phishing attacks began to proliferate en masse. At that point, phishing emails still contained numerous spelling and/or grammatical errors. They also usually directed users to web sites whose URLs did not match those of the impersonated legitimate sites, but were very similar to them. For example, www.ebay.com may have been impersonated by www.ebaycom.com. As phishing techniques and technologies advanced, these errors began to disappear and detection of phishing attacks became more complicated.
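The look-alike URLs described above are something a mail gateway or a user can check for mechanically. The following is an added example, not code from this site: it classifies each link found in an email body as pointing to a legitimate domain, to a look-alike host that contains a protected brand name without being the brand's real domain (such as www.ebaycom.com), or to an unrelated site. The brand list and the sample email are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed list of protected domains and the brand string to watch for
# in impostor hosts (assumption: these are the brands the check covers).
LEGITIMATE_DOMAINS = {
    "ebay.com": "ebay",
    "paypal.com": "paypal",
    "aol.com": "aol",
}

URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def split_url(url):
    """Return (hostname, userinfo) for a URL; both lowercase, hostname without port."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    userinfo = (parts.username or "").lower()
    return host, userinfo


def is_legitimate(host, legit_domain):
    """True only if host is the legitimate domain itself or a subdomain of it."""
    return host == legit_domain or host.endswith("." + legit_domain)


def classify_link(url):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one link."""
    host, userinfo = split_url(url)
    if not host:
        return "unrelated"
    for domain in LEGITIMATE_DOMAINS:
        if is_legitimate(host, domain):
            return "legitimate"
    for brand in LEGITIMATE_DOMAINS.values():
        # Brand name embedded in the host (www.ebaycom.com, ebay.com.login.example)
        # or hidden in the user-info part before '@', which browsers ignore.
        if brand in host or brand in userinfo:
            return "lookalike"
    return "unrelated"


def scan_email(body):
    """Return a list of (url, verdict) pairs for every link in an email body."""
    return [(url, classify_link(url)) for url in URL_PATTERN.findall(body)]


# Constructed sample message in the style of an early-2000s phishing email.
SAMPLE_EMAIL = """Dear valued customer,
Your account will be suspended unless you confirm your details now at
http://www.ebaycom.com/update-account
For help see https://signin.ebay.com/ws/help
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:11} {url}")
```

The check is deliberately conservative: a brand name inside a host that is not the brand's own domain is flagged, while subdomains of the real domain are accepted, so legitimate links such as signin.ebay.com pass.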

Phishing Damage Reaches $1 Billion Annually

In 2004, Gartner estimated that about 57 million Americans were targeted for phishing in a 12-month period, and that phishing-related fraud had already reached $1.2 billion annually.

Anti-Phishing

Anti-phishing refers to techniques and technology used to combat phishing. There are numerous forms of anti-phishing technologies on the market today.

Experts on Fighting Phishing

Joseph Steinberg, CEO of Green Armor Solutions, a vendor of anti-phishing technology, and inventor of several anti-phishing technologies, is considered a leading expert in combating phishing.

Authorities Respond to Phishing

In January of 2004, the United States Federal Trade Commission filed the first lawsuit against a suspected phisher. The defendant, a teenager from California, allegedly created and used a webpage that he designed to look like the America Online website in an effort to trick people into giving him their credit card numbers.

In March of 2005, United States Senator Patrick Leahy introduced the Anti-Phishing Act of 2005. The anti-phishing bill proposes that criminals who utilize phishing in order to defraud consumers be fined up to $250,000 and receive jail terms of up to five years.

In March of 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse as-yet-unnamed defendants of using various techniques to obtain passwords and confidential information via the Internet.

Links

Blog about phishing and pharming

Phishing Examples (coming January 2006)

Phishing Solutions (coming January 2006)


Pharming

Pharming Overview

Pharming is the exploitation of a vulnerability in Domain Name Service (DNS) server software that allows a hacker to redirect a legitimate website's traffic to another web site. DNS servers are the machines responsible for resolving Internet names into their real addresses, and are used any time a user types the name of a website into his or her web browser and attempts to view a web page.

Pharming Examples

In January 2005, the Domain Name for a large New York ISP, Panix, was hijacked to point users to a site in Australia. In 2004 a German teenager hijacked the eBay.de Domain Name.

Hushmail, a provider of secure email services, was also attacked with pharming. In April of 2005 a hacker (the "pharmer") -- through inappropriate communications with the domain registrar -- was able to redirect users to a defaced webpage.

While defaced web pages may be a problem, pharming can be leveraged to commit far more sinister crimes. If the web site receiving the traffic is a fake web site, such as a copy of a bank's website, it can be used to commit a phishing-type crime such as stealing users' credit card numbers, PIN codes, or username-password combinations.

Anti-Pharming Techniques

Traditional methods for combating pharming include server-side software to protect users from pharming, and DNS protection. One recently introduced offering uses visual cues that leverage psychology to make it obvious to users whether they are accessing a legitimate site or a pharming (or phishing) site.

Server-side software is typically used by enterprises to protect their customers and employees who use their web-based systems from pharming and phishing.

DNS protection mechanisms help ensure that a specific DNS server cannot be hacked and thereby become a facilitator of pharming attacks. Organizations should protect their DNS servers from tampering, but until every DNS server on the Internet is protected from hacking, pharming remains a serious risk. Even organizations that have secured their own DNS servers therefore need additional protection for their users, who can still be pharmed through the hacking of other DNS servers (e.g., those at the users' Internet Service Providers).
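Because an organization cannot secure the resolvers its users sit behind, one practical defensive measure is to monitor what answers other resolvers give for the organization's own names and compare them against a known-good baseline. The following is an added example, not part of this site or of any product it mentions: it parses zone-file style A-record answer lines as returned by several resolvers and reports any resolver that hands out an address the organization does not publish. The baseline, the domain names and the resolver outputs are constructed for the example; in practice the text would come from a live query to each resolver.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: the addresses the organization actually publishes
# for each monitored name (assumption for the example).
BASELINE = {
    "www.examplebank.example": {"198.51.100.10", "198.51.100.11"},
    "mail.examplebank.example": {"198.51.100.25"},
}


def parse_answers(text):
    """Parse lines of the form 'name TTL IN A address' into {name: set(addresses)}.

    Comments, other record types and malformed lines are skipped rather than
    treated as evidence, so a noisy resolver cannot trigger a false alarm.
    """
    answers = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] != "A":
            continue
        name, ttl, _, _, addr = fields
        try:
            int(ttl)
            ipaddress.IPv4Address(addr)
        except ValueError:
            continue
        answers[name.rstrip(".").lower()].add(addr)
    return dict(answers)


def check_resolver(resolver_name, text, baseline=BASELINE):
    """Compare one resolver's answers with the baseline; return a list of findings."""
    findings = []
    for name, addrs in parse_answers(text).items():
        expected = baseline.get(name)
        if expected is None:
            continue  # not a name we monitor
        unexpected = addrs - expected
        if unexpected:
            findings.append({
                "resolver": resolver_name,
                "name": name,
                "unexpected": sorted(unexpected),
            })
    return findings


def check_all(resolver_outputs, baseline=BASELINE):
    """resolver_outputs maps resolver name -> answer text. Returns all findings."""
    findings = []
    for resolver, text in resolver_outputs.items():
        findings.extend(check_resolver(resolver, text, baseline))
    return findings


# Constructed sample: the corporate and a public resolver agree with the
# baseline; the users' ISP resolver has been tampered with for the web name.
SAMPLE_OUTPUTS = {
    "corp-resolver": (
        "www.examplebank.example. 300 IN A 198.51.100.10\n"
        "mail.examplebank.example. 300 IN A 198.51.100.25\n"
    ),
    "public-resolver": "www.examplebank.example. 300 IN A 198.51.100.11\n",
    "isp-resolver": (
        "www.examplebank.example. 60 IN A 203.0.113.77\n"
        "; comment line that the parser must ignore\n"
        "mail.examplebank.example. 300 IN A 198.51.100.25\n"
    ),
}

if __name__ == "__main__":
    for finding in check_all(SAMPLE_OUTPUTS):
        print(finding)
```

A divergent answer from one resolver is exactly the symptom of the ISP-level pharming the paragraph describes, and it is visible from the organization's side even though that resolver is outside its control; the unusually short TTL on the tampered answer is worth logging as well.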

Note: Spam filters typically do not provide users with protection against pharming, as pharming is not perpetrated through the spreading of spam emails.

Authorities Respond to Pharming (and Phishing)

In March of 2005, United States Senator Patrick Leahy introduced the Anti-Phishing Act of 2005. The anti-phishing / anti-pharming bill proposes that criminals who utilize phishing and related hacker techniques such as pharming in order to defraud consumers be fined up to $250,000 and receive jail terms of up to five years.

Further Reading

SANS Article on Phishing and Pharming
Green Armor article about Phishing
Bank Info Security: Cracking Down on Phishing