What is Phishing: A noob's introduction to phishing and
scamming.
Source: Hacking Exposed 6: Network Security Secrets &
Solutions.
Feel free to sticky this in the Scamming section
considering it is pretty useful =p
Socio-Technical Attacks: Phishing and Identity Theft.
Although we think it's one of the more unfortunate terms
in the hacker vernacular, social engineering has been
used for years in security circles to describe the
technique of using persuasion and/or deception to gain
access to information systems. Social engineering
typically takes place via human conversation or other
interactions. The medium of choice is usually the
telephone, but it can also be communicated via an e-mail
message, a television commercial, or countless other
media for provoking human reaction.
Social-engineering attacks have garnered an edgy
technical thrust in recent years, and new terminology
has sprung up to describe this fusion of basic human
trickery and sophisticated technical sleight-of-hand.
The expression that's gained worldwide popularity is
phishing, which is defined as follows by the
Anti-Phishing Working Group (APWG)
[http://www.antiphishing.org]:
Phishing attacks use "spoofed" e-mails and fraudulent
websites designed to fool recipients into divulging
personal financial data such as credit card numbers,
account user names and passwords, social security
numbers and in OUR case Warcraft and Steam and other
account details.
Thus, phishing is essentially classic social engineering
married to Internet technology. This is not to minimize
its impact, however, which by some estimates costs
consumers over $1 Billion annually, an amount that is
growing steadily. This section will examine some classic
attacks and countermeasures to inform your own personal
approach to "avoiding" such scams.
PHISHING TECHNIQUES
APWG is probably one of the best sites for cataloging
recent widespread scams. The common themes to such scams
include:
- Targeting financially consequential online users.
- Invalid or laundered source addresses.
- Spoof authenticity using familiar brand imagery.
- Compelling action with urgency.
As one might imagine, phishing scam artists have very
little desire to get caught, and thus most phishing
scams are predicated on invalid or laundered source
addresses. Phishing e-mails typically bear forged "From"
addresses resolving to nonexistent or invalid e-mail
accounts, or are typically sent via laundered e-mail
engines on compromised computers and are thus irrelevant
to trace via standard mail header examination
techniques. Similarly, the websites to which victims get
directed to enter sensitive information are temporary
bases of operation on hacked systems out on the
Internet. If you think phishing is easy to stomp out
simply by tracking the offenders down, think again.
The success of most phishing attacks is also based on
spoofing authenticity using familiar brand imagery.
Again, although it may appear to be technology driven,
the root cause here is pure human trickery.
Even more deviously, more sophisticated attackers will
use a browser vulnerability or throw a fake script
window across the address bar to disguise the actual
location.
Regards,
iTerrorist
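The post describes the tell-tale signs of a phishing e-mail (forged "From" addresses, laundered sending hosts, borrowed brand imagery, urgency) in prose only. The script below is an added example, not from the book or the poster, showing how those same signs can be checked mechanically against a message with Python's standard library. The two messages, the trusted-domain list and the brand/urgency word lists are all constructed for the example; the hosts, addresses and IP are placeholders from the documentation/example ranges.

```python
"""Heuristic triage of a suspected phishing e-mail (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message; not a real e-mail. All hosts are placeholders.
PHISH_MAIL = """\
Return-Path: <bounce-8812@mail.example-bulk.net>
Received: from mail.example-bulk.net (unknown [198.51.100.23])
    by mx.example.org with ESMTP id 7f3a2b; Tue, 01 Sep 2009 10:14:02 +0000
From: "Blizzard Account Security" <support@blizzard-accounts.example.net>
Reply-To: verify@account-recovery.example.net
To: victim@example.org
Subject: Urgent: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify immediately or your account will be suspended.</p>
<p><a href="http://198.51.100.23/login/verify.php">https://www.blizzard.example.com/account</a></p>
</body></html>
"""

# Constructed legitimate message for comparison; also a placeholder.
CLEAN_MAIL = """\
Return-Path: <noreply@blizzard.example.com>
From: "Blizzard Account Security" <noreply@blizzard.example.com>
To: victim@example.org
Subject: Your monthly account summary
Content-Type: text/plain; charset=utf-8

Your summary is available at https://www.blizzard.example.com/account
"""

# Assumptions for the example: domains the brand really sends from, and word lists.
TRUSTED_DOMAINS = {"blizzard.example.com"}
BRAND_WORDS = ("blizzard", "steam", "paypal", "bank")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify")


def domain_of(addr):
    """Return the lower-cased domain of an e-mail address, or '' if there is none."""
    _, address = parseaddr(str(addr or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return a list of findings for one raw message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    # 1. Brand name in the display name, but the address is not from a trusted domain.
    if any(w in from_name.lower() for w in BRAND_WORDS) and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' but sender domain '{from_dom}' is untrusted")
    # 2. Envelope sender (Return-Path) does not match the visible From domain.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain '{rp_dom}' differs from From domain '{from_dom}'")
    # 3. Replies are quietly redirected to a third address.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # 4. Link text shows one host while the href actually points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows '{shown_host}' but href goes to '{href_host}'")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(f"link target is a bare IP address: {href_host}")
    # 5. Pressure to act now: two or more urgency phrases in subject plus body.
    hits = [w for w in URGENCY_WORDS if w in (str(msg.get("Subject", "")) + " " + text).lower()]
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyse(PHISH_MAIL):
        print("-", finding)
    print("clean message findings:", analyse(CLEAN_MAIL))
```

None of these checks is proof on its own (legitimate bulk mailers also use a different Return-Path domain, and a forged From can use the real brand domain, in which case only SPF/DKIM results and the Received chain would catch it), but a message that trips several of them at once matches the pattern the post describes and should be treated as hostile.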