Phishing is a way of fraudulently acquiring sensitive information using social engineering and technical subterfuge.
It tries to trick users with official-looking messages that appear to come from a party they trust.
Typical targets: credit card details, bank account credentials, eBay and PayPal accounts.
Some phishing e-mails also carry malicious or unwanted software that can track your activity or slow your computer.

India lost around $53 million (about Rs 328 crore) to phishing scams, facing over 3,750 attacks in July-September last year.
India is the 4th largest target of phishing attacks in the world: 7% of global phishing attacks target India, while the US tops the list with 27%.
RSA identified 46,119 phishing attacks globally in September, a 36 per cent increase over August (33,861).

Three components of a phishing operation
Mail sender: sends a large volume of fraudulent e-mails.
Collector: collects the sensitive information that users enter, usually on a fake web site.
Casher: turns the collected information into money (cash-out).

Creating fake URLs and sending them
Misspelled or lookalike URLs:
www.sbibank.statebank.com
www.micosoft.com
www.mircosoft.com
Anchor text: in HTML the visible text of a link is independent of its destination, so
<a href="destination URL">Link Text</a>
renders as just "Link Text", and the user sees nothing of the destination unless they hover over or inspect the link.
Fake SSL lock: simply display a padlock image on the page so that users feel secure.
Getting valid certificates for illegitimate sites, when the certifying agency is not alert.
Users sometimes overlook security certificate warnings.
URL manipulation using JavaScript: a script can change where a link actually goes at the moment it is clicked, so the address the browser showed beforehand is not the one that is fetched.

Recognising a phishing e-mail
"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: treat it as a phishing scam.
"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you respond immediately without thinking.
"Dear Valued Customer." Phishing e-mails are usually sent out in bulk and often do not contain your first or last name.
"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you would on a web site. The links you are urged to click may contain all or part of a real company's name and are usually "masked": the link text you see does not take you to that address but somewhere different, usually a phony web site.

Types of phishing
Spear phishing
Clone phishing
Phone phishing
Whaling

Spear phishing
Spear phishing is a targeted form of phishing in which fraudulent e-mails target specific organizations in an effort to gain access to confidential information.
Spear phishing focuses on specific individuals or employees within an organization, using social media accounts such as Twitter, Facebook and LinkedIn to customize accurate and compelling e-mails.
These e-mails contain infected attachments and links.
Once the link is opened, it either executes malware or leads the target to a specific attacker-controlled web site. The attackers can then establish a foothold in the network and move forward with the targeted attack.

Clone phishing
A type of phishing attack in which a legitimate, previously delivered e-mail containing an attachment or link has its content and recipient address(es) taken and used to create an almost identical, or cloned, e-mail.
The attachment or link within the e-mail is replaced with a malicious version and then sent from an e-mail address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of it.
This technique can be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust that comes from the inferred connection: both parties received the original e-mail.

Phone phishing (vishing)
Phone phishing is the criminal practice of using social engineering over the telephone system to obtain private personal and financial information from the public for financial reward. It is sometimes referred to as "vishing", a word that combines "voice" and "phishing". Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes.

Whaling
Whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities. The term is a play on words: an important person may be referred to as a "big fish", and in gambling, for example, "whales" are the high-stakes players who are given special VIP treatment. Due to their focused nature, whaling attacks are often harder to detect than standard phishing attacks.

What banks do
Banks and their customers lose crores of rupees every year.
They hire professional security agencies that constantly monitor the web for phishing sites.
They regularly alert users to stay vigilant and not fall prey.
They use state-of-the-art security software and hardware.
They maintain whitelists of legitimate sites and blacklists of known phishing sites.

Why phishing still works
Misleading e-mails
No check of the source address (sender addresses are trivially spoofed and many receiving systems do not verify them)
Vulnerabilities in browsers
No strong authentication at the web sites of banks and financial institutions
Limited use of digital signatures
Non-availability of secure desktop tools
Lack of user awareness
Vulnerabilities in applications

Conclusion
No single technology will completely stop phishing. However, a combination of good organization and practice, proper application of current technologies, and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it.
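The lookalike-domain and masked-link tricks described under fake URLs, the tell-tale phrases in the list of signs, and the "no check of the source address" weakness in the list above can all be tested mechanically on an incoming message. The script below is an added example written for this page, not code from the original slides. The brand allow-list, the brand keywords, the phrase lists and both sample messages are constructed for illustration only, and the registrable-domain helper is deliberately naive (a real implementation would consult the public suffix list).

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of genuine brand domains (constructed for this example, not authoritative).
BRAND_DOMAINS = ["ebay.com", "microsoft.com", "onlinesbi.com", "paypal.com"]
# Brand words that turn up inside hosts that are not the brand's domain (www.sbibank.statebank.com).
BRAND_WORDS = ("ebay", "microsoft", "paypal", "sbi", "statebank")
# Bait phrases and greetings taken from the list of tells above.
URGENCY_PHRASES = ("verify your account", "within 48 hours", "will be closed", "update your credit card")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
# Visible link text that itself looks like a URL or host name, e.g. "www.paypal.com".
SHOWN_URL_RE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:/\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # links holds (href, visible text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Naive eTLD+1 (last two labels); real code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike(host):
    """Return why `host` looks like a brand impersonation, or None if it does not."""
    reg = registrable(host)
    if reg in BRAND_DOMAINS:
        return None
    # Misspelled domain: micosoft.com and mircosoft.com are within the cutoff of microsoft.com.
    close = difflib.get_close_matches(reg, BRAND_DOMAINS, n=1, cutoff=0.85)
    if close:
        return f"is a misspelling of {close[0]}"
    for word in BRAND_WORDS:
        if word in host.lower():
            return f"contains brand word '{word}' but is not the brand's domain"
    return None

def triage(raw_message):
    """Return human-readable findings for a single-part e-mail; [] means no tells found."""
    msg = message_from_string(raw_message)
    findings = []
    # Source address: From is trivially spoofed; a Reply-To elsewhere is where the collector listens.
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rsplit("@", 1)[-1] != from_dom:
        findings.append(f"Reply-To {reply_addr} goes to a different domain than From")
    if lookalike(from_dom):
        findings.append(f"sender domain {from_dom} {lookalike(from_dom)}")
    body = msg.get_payload()
    text = " ".join(body.lower().split())  # collapse line breaks so phrases match across them
    findings += [f"urgency / credential bait: '{p}'" for p in URGENCY_PHRASES if p in text]
    findings += [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in text]
    # Links: anchor text that shows one host while the href goes elsewhere, and lookalike hosts.
    collector = _AnchorCollector()
    collector.feed(body)
    for href, shown in collector.links:
        host = urlparse(href).hostname or ""
        m = SHOWN_URL_RE.match(shown)
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(f"masked link: text shows {m.group(1)} but href goes to {host}")
        if lookalike(host):
            findings.append(f"link host {host} {lookalike(host)}")
    return findings

def is_suspicious(raw_message, threshold=3):
    return len(triage(raw_message)) >= threshold  # crude verdict: three or more independent tells

# Constructed sample messages, not real mail.
SAMPLE_PHISH = """From: "PayPal Security" <service@paypal-alerts.com>
Reply-To: collector@mail-drop.example
Subject: Verify your account
Content-Type: text/html

<p>Dear Valued Customer,</p>
<p>We could not verify your account. If you don't respond within 48 hours,
your account will be closed.</p>
<p><a href="http://www.paypal.com.secure-login.example/verify">www.paypal.com</a></p>
<p>Or update here: <a href="http://www.micosoft.com/update">Click here</a></p>
"""

SAMPLE_BENIGN = """From: Alice <alice@example.org>
Content-Type: text/html

<p>Hi Bob, see <a href="https://www.ebay.com/itm/1">https://www.ebay.com/itm/1</a></p>
"""
```

triage(SAMPLE_PHISH) returns nine findings (the Reply-To mismatch, the brand word in the sender domain, three bait phrases, the generic greeting, the masked PayPal link, and two lookalike link hosts), while triage(SAMPLE_BENIGN) returns an empty list. Every check is a heuristic: substring matching on brand words will also flag innocent hosts that happen to contain "sbi", and a sender-domain check says nothing about whether the message was actually authenticated, so a real mail gateway would combine these signals with SPF/DKIM/DMARC results and a blacklist of known phishing sites rather than act on any single one.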