Gone Phishing


By BrandonMc

Most folks know what phishing is: masquerading as a trustworthy entity, attackers send electronic communications to try to fraudulently acquire personal information like usernames, passwords and credit card details. Phishing is just another example of social engineering used by identity thieves, and it is growing by leaps and bounds.

You may not be surprised that phishing was born around AOL. As recently as the early '90s, users were generating fake credit card numbers to open new accounts that would last a week or a month. In 1995 AOL instated measures to prevent this, so hackers would pose as AOL employees asking users to 'verify their account'.

After thieves saw the opportunity that phishing offered, it was not long until it migrated to the financial institutions. One of the first known direct attempts against a payment system was in June 2001 against E-Gold. This was considered a failed attempt, but in reality it was a test for bigger things to come. By 2004 it had a foothold, and attacks were being launched in the name of the IRS and any local bank you can think of.

Personally I get hit about once a month from a phish email in the name of PayPal. They are usually easy to spot because they are threats about closing and blocking my account unless I comply. Another giveaway is spelling mistakes of easy words. After all, the thief only needs to be one step smarter than the potential victim. Even when the emails look totally legit, if you were to hover over the link that they include (without clicking on it), you would notice in your browser window that it is directing you somewhere other than PayPal. They have their own special fraud department for just such a thing at spoof@paypal.com.

In late 2006, a computer worm surfaced on MySpace which altered links to direct users to a fake website for the sole purpose of stealing logon details. Social network sites are very popular with phishers because experiments show that social networking sites have over a 70% success rate for phishing attacks.

As the PayPal example above shows, link manipulation is the most popular method of phishing. While the anchor text in the above 'e-mail' looks valid, it also shows the real website it is directing you to. Another way of tricking the reader is to misspell URLs or use subdomains, as in:

http://www.yourbank.example.com/

or http://www.paypall.com

An older method was to use the '@' in the link. An unsuspecting victim might think that this link will take them to Yahoo, while it is actually taking them to a clone site at tripod.com/ with www.yahoo.com as the user name.

http://www.yahoo.com@members.tripod.com/

Internet Explorer has disabled the ability to even go to sites like this, while Mozilla and Opera will just give a warning. While several other less effective methods are used, I want to mention one more that is growing in popularity: just emailing an image with a flashy picture saying "CLICK ME!". People fall for it all the time. So stay diligent, stay alert and be proactive.
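
The link tricks described above (a misspelled domain, a trusted name used only as a subdomain, the '@' form, and anchor text that names a different site than the real destination) can all be checked mechanically by a mail filter. The following Python is an added example, not part of the original article; the brand list, the `yourbank.example` placeholder, the flag names and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed brand list for the demo: label -> legitimate registrable domain.
# "yourbank.example" is a placeholder, not a real bank.
BRANDS = {"paypal": "paypal.com", "yahoo": "yahoo.com", "yourbank": "yourbank.example"}

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one-letter misspellings such as 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(text):
    """Host part of a URL or bare domain, or '' if the text is not link-like."""
    text = text.strip()
    if "." not in text or " " in text:
        return ""
    return urlsplit(text if "://" in text else "http://" + text).hostname or ""

def check_link(href, anchor_text=""):
    """Return the set of warning flags for one link taken from an e-mail."""
    flags = set()
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    domain = registrable(host)
    if "@" in parts.netloc:                      # http://trusted-name@real-host/
        flags.add("userinfo-in-url")
    shown = host_of(anchor_text)
    if shown and registrable(shown) != domain:   # visible text names another site
        flags.add("anchor-mismatch")
    if domain in BRANDS.values():
        return flags                             # destination really is the brand
    labels = host.split(".")
    for brand in BRANDS:
        if brand in labels[:-2]:                 # brand appears only as a subdomain
            flags.add("brand-in-subdomain")
        if len(labels) > 1 and 0 < edit_distance(labels[-2], brand) <= 1:
            flags.add("lookalike-domain")
    return flags
```

An empty set means none of these four checks fired, not that the link is safe.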
