
Internet phishing and how to protect yourself from it

Phishing

Phishing is currently the most widespread form of fraud on the web. Criminals use fake websites, keystroke loggers, e-mail messages crafted according to the rules of social engineering, and similar tools, and every day these methods become more varied and more dangerous.

According to Dr.Web's definition, phishing is an online fraud technique built around the theft of private personal information: identity documents, bank card details, access passwords and so on. Using mail worms and spam mailings, potential victims are sent messages that appear to come from legitimate organisations. The messages ask the recipient to visit a counterfeit site and "confirm" PIN codes, passwords and other personal data, which the fraudsters later use to empty the victim's account or to commit other crimes.

Phishing. Not to be confused with fishing or pishing.

Phishing (from the English fishing, i.e. angling) is a form of Internet fraud whose aim is to obtain confidential user data: logins and passwords. It is carried out through mass e-mailings in the name of well-known brands, and through personal messages inside various services, for example in the name of banks or within social networks. The message usually contains a direct link to a site that is visually indistinguishable from the real one, or to a site that redirects there. Once the user lands on the fake page, the scammers try to persuade them to enter the login and password they use for a particular service, which gives the scammers access to the victim's accounts, including bank accounts.

Phishing is a form of social engineering that exploits users' unfamiliarity with the basics of network security; in particular, many people do not know the simple fact that services do not send out messages asking them to supply their credentials, passwords and the like.

Put simply, attackers trick users into disclosing their personal information: phone numbers, bank card numbers and secret codes, and logins and passwords for e-mail and social network accounts.

To counter phishing, the vendors of the major web browsers have agreed on common methods of warning users that they have opened a suspicious site that may belong to scammers. Current browser versions already have this capability, known as "anti-phishing".

According to Websense, the most popular tool for building phishing resources is the Rock Phish Kit. The current state of phishing closely resembles the state of malware writing several years ago, when malware construction kits first appeared.

The essence of phishing is as follows: by deceiving the user, the attacker gets them to hand over personal information (bank card details, usernames and passwords for various resources, and so on). The defining feature of this type of fraud is that the user provides the information voluntarily; to achieve this, scammers make heavy use of social engineering.

Modern phishing can be divided into three types: online, e-mail and combined.

The oldest is e-mail phishing: a message is sent to the recipient's address asking them to send back certain information.

Online phishing follows this scheme: scammers copy official resources using similar domain names and an identical design. Then it is simple: a user who visits such a resource leaves their data there, fully confident that it is in safe hands, when in fact it is in the hands of criminals. Fortunately, users' awareness of basic information security measures is growing, so this scheme is gradually losing its effectiveness.

The third type is combined. It consists of creating a fake website of a real organisation, to which scammers try to lure potential victims and where they ask the users to perform certain operations themselves. Warnings about such resources appear on the Internet almost daily, which has made these fraud methods widely known. For this reason scammers have increasingly turned to keyloggers: special programs that record the user's keystrokes and send the data to pre-configured addresses.

How does Internet phishing work?

The specific feature of phishing is that the victim gives up their confidential information voluntarily.

To achieve this, attackers use tools such as phishing sites, e-mail mailings, phishing landing pages, pop-up windows and targeted advertising.

The user receives an offer to register for some benefit, or to confirm their personal data, on the website of a company or institution of which they are supposedly a client.

As a rule, scammers pose as well-known companies, social network applications and e-mail services.

The sender's e-mail address looks very much like the address of a company the user knows.

How not to get hooked by scammers


First of all, remember that you must never, under any circumstances, hand over confidential data such as a bank card PIN code, an e-mail password or the password to any other personal account. Neither a bank nor a social network will request this data by e-mail. If a caller claims to be your ISP and asks questions about confidential data, they are most likely a fraudster.


Always pay attention to the design of the site. If the site or landing page looks strange, unfinished, thrown together, or otherwise raises suspicion, it may well be a phishing site.


Pay attention to the address bar and to the address in the link you were sent. A minor change in the address can take you to a completely different site (for example, can be replaced by
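
The address checks in this tip, and the look-alike sender addresses mentioned earlier, can be automated. The Python script below is an added example, not code from the original article or from any vendor it names; the trusted-domain list, the hostnames and the e-mail body are constructed for illustration, and the registered-domain logic is a simplification that ignores public-suffix rules such as co.uk. It flags anchor text that shows one address while linking to another, raw IP addresses, internationalised (mixed-script) hostnames, a trusted brand used as a subdomain of some other domain, and single-character typosquats:

```python
"""Added example (not code from the original page): triage the links in a
suspicious e-mail for the look-alike addresses the text warns about.

Assumptions: TRUSTED_DOMAINS lists the domains the reader legitimately deals
with, and SAMPLE_MAIL is a constructed message, not a real phishing sample.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: the legitimate domains for this reader.
TRUSTED_DOMAINS = {"example-bank.com", "example-pay.com"}

# Constructed sample e-mail body: one genuine link and four look-alikes.
SAMPLE_MAIL = """\
Your account will be blocked! Confirm your details here:
<a href="http://examp1e-bank.com/verify">https://example-bank.com/verify</a>
Alternative: https://example-bank.com.secure-verify.example/login
Or: https://ex\u0430mple-bank.com/login
Or: http://203.0.113.5/login
Statements: https://www.example-bank.com/account
"""

ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+')
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def levenshtein(a, b):
    """Edit distance; a distance of 1-2 between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels. Simplification: ignores public-suffix rules such as co.uk."""
    return ".".join(host.split(".")[-2:])


def scripts_in(host):
    """Unicode scripts of the letters in a hostname (LATIN, CYRILLIC, ...)."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()})


def is_trusted(host):
    """True for a trusted domain or any subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_url(url, visible_text=""):
    """Return (verdict, reason) for one link: 'ok', 'suspicious' or 'unknown'."""
    host = (urlparse(url).hostname or "").rstrip(".")
    if not host:
        return "suspicious", "no hostname in URL"
    # Anchor text that displays one address while the href points elsewhere.
    if "://" in visible_text:
        shown = urlparse(visible_text.strip()).hostname or ""
        if shown != host:
            return "suspicious", f"link text shows {shown} but points to {host}"
    if IPV4_RE.fullmatch(host):
        return "suspicious", "raw IP address instead of a domain name"
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "suspicious", f"internationalised hostname, scripts {scripts_in(host)}"
    if is_trusted(host):
        return "ok", "trusted domain"
    labels = host.split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in labels:  # brand name buried as a subdomain of an unrelated domain
            return "suspicious", f"'{brand}' used as a subdomain of {registered_domain(host)}"
        if levenshtein(registered_domain(host), trusted) <= 2:
            return "suspicious", f"look-alike of {trusted}"
    return "unknown", "domain not in the trusted list"


def triage(body):
    """Classify every link in a mail body; anchors are checked for href/text mismatch."""
    results = []
    for href, text in ANCHOR_RE.findall(body):
        results.append((href,) + classify_url(href, text))
    for url in URL_RE.findall(ANCHOR_RE.sub("", body)):
        results.append((url,) + classify_url(url))
    return results


if __name__ == "__main__":
    for url, verdict, reason in triage(SAMPLE_MAIL):
        print(f"{verdict:10} {url}  ({reason})")
```

Run as a script it prints one verdict per link in the sample: only the `www.example-bank.com` link is rated `ok`; the others are flagged for text/href mismatch, brand-as-subdomain, a Cyrillic "а" in the hostname, and a bare IP address. The mismatch check is what the usual "hover over the link before clicking" advice does by hand, since mail clients render only the anchor text.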


Messages from unknown addresses that "play on emotions" or claim to be urgent should raise suspicion first of all. Credit institutions always address the client by first and last name, whether by e-mail or by telephone; if the message does not, it is most likely fraudulent. Messages that begin with statements such as "Your account has been hacked!" or "Your profile will be blocked!", or, conversely, announce a large prize, are in most cases fraudulent.


Do not call the "security service" of your bank account or credit card at a phone number suggested in the message. Every payment card carries the dedicated telephone number you should call.


VISHING is a social-engineering fraud method in which attackers use telephone communication and play a role (a bank employee, a buyer, etc.) to induce the holder of a payment card, under various pretexts, to disclose confidential information or to perform certain actions with their card account or payment card.

The first case of this type of Internet fraud was recorded in 2006. It is a variety of phishing implemented with war diallers (auto-diallers) and Internet telephony (VoIP). Through it, intruders obtain personal information such as passwords, identity and bank card details, and so on. The scheme differs little from phishing: users of a payment system receive messages from its supposed administrators recommending that they send in their passwords and account details. But where phishing attaches a link to a fake site, vishing asks the user to call a landline number; when they call, a recorded message asks them to reveal their confidential data. What makes this fraud hard to uncover is that the spread of Internet telephony allows calls to a local number to be redirected anywhere in the world without the caller suspecting it.

Secure Computing reported the most sophisticated variant of the vishing scheme, in which e-mail was not used at all: the attackers programmed a PC to dial telephone numbers from a database and play a pre-recorded message warning the subscriber that his credit card details had fallen into the hands of scammers, so he should enter the card number on the telephone keypad.

Using VoIP can significantly reduce telephony costs, but it also makes a company much more vulnerable to attack. Banks and other organisations that use IP telephony for voice communication may be subjected to a vishing attack against which there is as yet no protection. This was the subject of a talk by the security expert The Grugq at the Hack In The Box Security Conference (HITB) in Malaysia. "Attackers will be able to enter banking networks freely and take control of bank telephone channels," says The Grugq. In his view, vishing attacks via VoIP will occur before the end of 2009, and scammers will gain full access to confidential information, including bank account data and credit card numbers. Only an information security professional can prevent this. "In theory, the customer calls the bank while the phone line is already under the hackers' control," says The Grugq; the fraudster then asks the caller for account information supposedly needed to connect them to the bank's support service.

"There is no technology that can guarantee companies protection against this problem," the expert is convinced, noting that existing systems cannot detect a VoIP attack. To mount one, attackers need only standard software for telephone call billing and IP telephony.

According to Secure Computing, scammers configure a war dialler that dials numbers in a particular region. When a call is answered, the following happens:

  • An answering machine informs the user that fraudulent transactions are being made with his credit card and recommends calling back urgently at a certain number;
  • When the victim calls that number, a "computer voice" answers and says the user must pass verification and enter the card number on the phone's keypad;
  • Once the card number has been entered, the scammer has the data linked to it (address, phone number, full name);
  • During the same call the visher can also collect further details, such as the card's expiry date, PIN code, bank account number and date of birth.

The basic "triggers" of vishing

  • You are asked for card details, any at all;
  • You are persistently pushed to perform an action that a minute ago you had no intention of performing.

Additional "triggers" of vishing

  1. Bank employees will never, under any circumstances, ask for the security code on the back of the card or the code from the bank's SMS message.
  2. An alarming subject. To frighten the victim into the desired action, scammers invent threatening scenarios: the card has been blocked, the account has been hacked, a relative is in trouble, and so on.
  3. A promise of easy money that you either did not expect to receive or did not expect to get so easily. To lure the victim, scammers promise to transfer money to your account quickly and easily, for example an unexpected bonus to a pensioner's pension.
  4. You are hurried and very persistently talked out of thinking it over.
  5. The call comes from an unknown number or a mobile number.
  6. You are assured that with the help of an ATM you can transfer money from someone else's card to your own.

The main way to protect yourself from vishing

  1. End the conversation. To continue it, call the bank at the phone number printed on the back of the card or on its official website; for a company or government body, use the number given on its official website.

How to protect yourself from vishing

  • Remember that employees of banks and government bodies never, under any circumstances (including force majeure), call payment card holders demanding the card number, its expiry date and the CVC2/CVV2 code.
  • Remember that to receive a transfer to your card, when selling goods or collecting a prize, it is enough to give only the card number.
  • Never, under any circumstances, disclose the three-digit security code on the back of the card (CVV2/CVC2) or the codes from the bank's SMS messages.
  • Do not panic if you are called about a card being blocked or an attempt to break into your account. Instead, call the bank back at the phone number given on its official website or on your plastic card.
  • Be rational and sober: do not believe promises of money you were not expecting to receive.
  • Check the phone number the call came from: is it really the bank's familiar number, or does it just look like it? Also look the number up in search engines; it may already have been "exposed" as one used by scammers.
  • Do not rush. Take the time to verify: call the bank or government institution at the number given on its website or on your card and ask to be put through to the person who called you.

What if you have become a victim?

Immediately block the card and file a report with the bank and the cyber police.

Finally: if you find a phishing e-mail supposedly from a company or service you know, report it to the information security department at your workplace or to your provider.

Sources: via, wiki