Phishing…..Don’t Take the Bait

“Give a man a fish and you feed him for a day. Teach a man to phish and he’ll eat your food every day.” – slight variation of old Chinese proverb


Phishing, simply defined, is the act of attempting to acquire personal information through fraudulent means via electronic communications and, like so many aspects of personal internet usage, its origins can be traced back to the good old days of America Online (AOL).

During the 1990s, a group calling themselves Warez was very active on AOL. They primarily dealt in the exchange of pirated software and worked closely with the hacking scene that was committing credit card fraud and other online crimes.  At the time, AOL allowed up to seven different users, or screen names, per paid account, and it was easy to create a user name that appeared to be "official".  Under the guise of being AOL employees, these individuals would send instant messages to legitimate users seeking user names, passwords, and credit card information.  Following their early success with AOL account information, the phishers began to target online payment systems and financial institutions, and finally branched out to web mail domains, governmental agencies and social networks.  These days, an agency or business can measure its popularity by the number of phishing attacks it has endured.  Not many are immune.

Phishing, as is the case with all things "tech", has become more sophisticated and is constantly evolving in order to circumvent security measures.  Methods used by phishers include link manipulation (a link whose visible text does not match where it actually leads), filter evasion, website forgery, and phone phishing (vishing).

List of phishing techniques:

Phishing

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Spear phishing

Phishing attempts directed at specific individuals or companies have been termed spear phishing.  Attackers may gather personal information about their target to increase their probability of success.

Clone phishing

A type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version, and the message is then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of it.

This technique can be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection: both parties received the original email, so the recipient has no reason to doubt the "resend".

Whaling

Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

Example of a phishing attempt via email (screenshot not reproduced here).

Apparently, all of these methods and techniques are paying off. Damage caused by phishing ranges from denial of access to email and social network sites to substantive financial losses.  RSA, the security division of EMC, reported global losses of 1.5 billion dollars to phishing scams in 2012.

Regardless of their sophistication, understand this:  every phishing scam, and every person behind one, requires one thing – YOU.  You and your willingness to readily share your personal data.  I've said this before, and you'll hear it from me many times going forward: banks, financial institutions, credit card companies, payment processing services, and email providers will never ask you to verify personal data via email.
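The link manipulation and sender spoofing tricks listed above, together with the "verify your account" wording this section warns about, can be checked mechanically before anyone clicks. The script below is an added example written for this post, not code from the original article: it parses one raw email and flags a sender address hidden inside the display name, a Reply-To that points somewhere other than the From domain, the `https://trusted.tld@evil.tld/` userinfo trick, link text whose host differs from the real destination, digit-for-letter lookalike domains, and verification language in the body. The sample message, its domains and the trusted-domain list are all constructed for illustration.

```python
"""Heuristic phishing checks for a raw email: sender spoofing, link manipulation,
lookalike domains and credential-verification language.

Added example for this post, not code from the original article.  The message,
the domains and the trusted-domain list below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient really deals with (hypothetical).
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample: a "resend" that clones an earlier invoice mail.
SAMPLE_EMAIL = """\
From: "Accounts Payable (ap@example-bank.com)" <ap@attacker-mail.net>
Reply-To: replies@collector.example
Subject: RE: Invoice 4471 (resend, updated link)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account details at
<a href="https://example-bank.com@198.51.100.7/login">https://example-bank.com/secure</a>
before Friday.</p>
<p>Or use the portal: <a href="https://examp1e-bank.com/portal">portal</a></p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
VERIFY_RE = re.compile(r"verify your (account|identity|password)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags plus all body text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def skeleton(host):
    """Crude confusable folding: digits and 'rn' that imitate letters."""
    return host.replace("1", "l").replace("0", "o").replace("rn", "m")


def check_headers(msg):
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    shown = EMAIL_RE.search(name)           # an address hidden in the display name
    if shown and shown.group(1).lower() != from_domain:
        findings.append(f"display name claims {shown.group(1)} but sender is {from_domain}")
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(parseaddr(msg.get(hdr, ""))[1])
        if other and other != from_domain:
            findings.append(f"{hdr} domain {other} differs from From domain {from_domain}")
    return findings


def check_body(html):
    findings = []
    c = LinkCollector()
    c.feed(html)
    for href, text in c.links:
        parsed = urlparse(href)
        real = (parsed.hostname or "").lower()
        if parsed.username is not None:     # https://trusted.tld@evil.tld/ trick
            findings.append(f"userinfo trick: '{href}' really goes to {real}")
        if "." in text and " " not in text: # link text that itself looks like a URL
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if shown and shown != real:
                findings.append(f"link text shows {shown} but href goes to {real}")
        if real not in TRUSTED_DOMAINS and skeleton(real) in TRUSTED_DOMAINS:
            findings.append(f"lookalike domain {real} imitates {skeleton(real)}")
    if VERIFY_RE.search(" ".join(c.text)):
        findings.append("asks the reader to verify account details (banks do not do this by email)")
    return findings


def analyse(raw):
    """Return the list of findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return check_headers(msg) + check_body(body)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample it reports six findings. The checks are deliberately simple heuristics, not a replacement for DMARC or a mail gateway: the display-name and Reply-To tests catch the spoofing used in clone phishing, the href tests catch link manipulation, and `skeleton()` only folds a handful of confusables, so a production filter would use a proper Unicode confusables table and a much larger trusted-domain list.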

Every now and then I receive a call from a customer who states that they are having difficulty with an email login or with signing into their financial institution because they can't remember their password.  For some people, it may be just as well.

2 thoughts on "Phishing…..Don't Take the Bait"

  1. Hey there! I know this is kinda off topic nevertheless I figured I'd ask.
    Would you be interested in trading links or maybe guest
    authoring a blog post or vice-versa? My website addresses
    a lot of the same subjects as yours and I believe we could greatly
    benefit from each other. If you happen to be interested feel
    free to shoot me an e-mail. I look forward to hearing from you!
    Fantastic blog by the way!

  2. You’re so cool! I do not think I’ve read a single thing like this before.
    So nice to find somebody with some original thoughts on this topic.
    Seriously.. many thanks for starting this up. This site is
    something that is needed on the internet, someone with
    some originality!
