
Friday, November 6, 2009

Identifying a Phishing Email or a Real Email

One of the problems about trying to teach people to avoid Phishing attacks is that the banks often use the exact same tactics that the phishers use. It is mind-numbingly stupid of them to do so, but still we see emails from banks that contain links in them. As a rule I tell people not to click on the links in these emails, but rather to log into their account by typing in the address of their bank by hand.

I had a question for my credit union about one of my accounts with them. The response came back and contained a link that I had to follow in order to reply. The email specifically said not to reply to the email because it wouldn’t be read. So, how do I know this isn’t a phishing attack? First of all, I looked at exactly who the email came from. Believe me, this is far from foolproof. Email addresses can be spoofed. The more important sign was that when I followed the link I was not asked for any information at all. I did not have to log in, I did not have to verify anything. In addition to this, the email came in response to an inquiry that I initiated and not out of the blue. The reply was relevant to the question I had asked.

Monday, November 2, 2009

How to Handle a Phishing Attack

Consequences

As phishers can use so many techniques and can even combine them, it is rather difficult to tell whether an email request really comes from the organization it claims to come from.

What are the consequences of disclosing confidential information?
$ The phishers can run up charges on your account.
$ They can open new accounts, sign utility or loan contracts in your name.
$ They can use a false ID and commit crimes using your personal information.

Do not bite the bait!
Do not fill in email forms asking for confidential information. Any trustworthy service provider uses secure websites and digital certificates rather than forms embedded in email.
Do not click on links provided by email, especially if you were not expecting that email. Contact the sender to verify if it was his/her intention to send this email (use the contact number the company gave you, not the one in the email).
Do not reply. Delete the message and check with the real company (use the contact number the company gave you, not the one in the email).
Do not click to follow the link provided in such a message. Type the address in the browser yourself.

Phishing: Definition, Concept and Techniques

What is phishing?

Phishing, also known as "brand spoofing", is an elaborate form of data theft, targeting possible clients of ISP companies, banks, online banking services, government agencies etc.

When you submit your email address on the Internet, fill in online forms, or access newsgroups or websites, your data can be harvested by Internet-crawling spiders and then used without your permission to commit fraud or other crimes.

The Phishing Concept

Phishers develop counterfeit webpages which imitate the corporate image of well-known, trusted service providers. Then, using collected or randomly generated email addresses, they "throw the bait".

Sunday, November 1, 2009

How the Web Spoofing Attack Works

URL Rewriting

STEP I
# A phisher could insert a malicious script inside a product review to attack the user.

# The script would modify the host site so that the user believes he/she is interacting with a secure site. This technique is also called "cross-site scripting."

STEP II
# This is done by using encoded characters to hide the destination address of a link.
Ex: "abc" written as numeric character entities (one encoded character per letter) still displays as "abc", so the visible link gives no hint of the real destination.
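The two steps above describe how an entity-encoded href hides where a link really goes. The following is an added example, not code from the original post, showing the defensive check: decode the entities in an email's anchors and flag links whose real host differs from the host shown to the reader. The sample email body and its hostnames are constructed for this illustration.

```python
import html
import re
from urllib.parse import urlparse

# Constructed HTML email body (not from the original post). The second anchor's
# href is written with HTML numeric entities (&#104; = 'h', ...), so the raw
# source does not show that it points to example-login.test, not example-bank.test.
SAMPLE_EMAIL_HTML = (
    '<p>Please confirm your account:</p>'
    '<a href="https://www.example-bank.test/">https://www.example-bank.test/</a>'
    '<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;'
    '&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#45;&#108;&#111;&#103;&#105;&#110;'
    '&#46;&#116;&#101;&#115;&#116;&#47;">https://www.example-bank.test/login</a>'
)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def decode_link(raw_href: str) -> str:
    """Undo HTML entity encoding (e.g. &#97; -> 'a') to recover the real href."""
    return html.unescape(raw_href)


def host_of(text: str) -> str:
    """Return the lower-cased hostname of a URL-looking string, or '' if none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def suspicious_links(email_html: str) -> list:
    """Return (shown_text, real_url, reason) for each link worth flagging."""
    findings = []
    for raw_href, shown in ANCHOR_RE.findall(email_html):
        real = decode_link(raw_href)
        shown_text = html.unescape(re.sub(r"<[^>]+>", "", shown)).strip()
        reasons = []
        if raw_href != real:
            reasons.append("entity-encoded href")
        if host_of(shown_text) and host_of(shown_text) != host_of(real):
            reasons.append("displayed host differs from real host")
        if reasons:
            findings.append((shown_text, real, "; ".join(reasons)))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags only the second anchor; the plain first link, whose text and href agree, passes.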

Web Spoofing Attack

Web spoofing is tricking someone into visiting a website other than the one they intend to visit by creating a similar website. Web spoofing is a phishing scheme.

The attacker must somehow lure the victim into the attacker’s false Web. There are several ways to do this.

# An attacker could put a link to the false Web on a popular Web page.
# If the victim uses email, the attacker could email the victim a pointer to the false Web.
# Finally, the attacker could trick a web search engine into indexing part of the false Web.

Sunday, October 25, 2009

Computer crime - Forms of Attack

The growing economic value of information, products, and services accessible through computer systems has attracted increased attention from opportunistic criminals. In particular, the many potential vulnerabilities of online systems and the Internet have made computer crime attractive and pose significant challenges to professionals whose task it is to secure such systems.

The motivations of persons who use computer systems in unauthorized ways vary. Some hackers primarily seek detailed knowledge of systems, while others (often teenagers) seek “bragging rights.” Other intruders have the more traditional criminal motive of gaining access to information such as credit card numbers and personal identities that can be used to make unauthorized purchases (see identity theft). Computer access can also be used to intimidate (see cyberstalking and harassment), as well as for extortion, espionage, sabotage, or terrorism (see cyberterrorism).