
Internet Phishing and Anti-Phishing Techniques

Phishing

The most popular form of online fraud at the moment is phishing. Cybercriminals use fraudulent websites, keyloggers, and e-mail messages composed according to the rules of social engineering, among other tools. Every day these methods become more diverse and more dangerous.

Phishing, as defined by Dr. Web, is a Web fraud technique that consists in stealing private personal information, for example identification data, bank card details and access passwords. Using worms and spam mailings, letters are sent to potential victims on behalf of supposedly legitimate organizations. In these letters the recipients are asked to visit a fake website and "confirm" PIN codes, passwords and other personal information, which the scammers then use to steal money from the victim's account or to commit other crimes.

Phishing is not to be confused with fishing or pishing.

Phishing (English "phishing", from "fishing", i.e. angling) is a type of Internet fraud whose purpose is to gain access to confidential user data, such as logins and passwords. This is achieved by mass mailings of e-mails on behalf of popular brands, as well as private messages inside various services, for example on behalf of banks or within social networks. The letter often contains a direct link to a site that is visually indistinguishable from the real one, or to a site that redirects to it. Once the user lands on the fake page, the scammers use various psychological tricks to prompt him to enter the username and password he uses for the real site, which gives the scammers access to his accounts, including bank accounts.

Phishing is a type of social engineering that relies on users not knowing the basics of network security: in particular, many do not know the simple fact that legitimate services never send letters asking for credentials, passwords and the like.

Simply put, attackers lure users into revealing their personal data, for example phone numbers, bank card numbers and secret codes, and the usernames and passwords of e-mail and social network accounts.

To protect against phishing, the makers of the major Internet browsers have agreed to use the same methods to warn users that they have opened a suspicious site that may belong to scammers. Newer browser versions already have this feature, which is accordingly called "anti-phishing".

According to Websense, the most popular tool for creating phishing resources is the Rock Phish Kit. The current phishing situation closely resembles the situation in malware writing several years ago, when malware construction kits ("constructors") first appeared.

The essence of phishing is as follows: an attacker deceives a user into providing personal information (bank card details, names and passwords for various resources, etc.). The main distinguishing feature of this type of fraud is that the user hands over his information voluntarily. To achieve this, scammers actively use social engineering techniques.

Modern phishing can be divided into three types: online, e-mail and combined.

The oldest is e-mail phishing: a letter is sent to the recipient's address asking him to send back some information.

Online phishing works as follows: scammers copy official resources using similar domain names and design. After that everything is simple: a user who visits such a resource may leave his data there, fully confident that it is in reliable hands. In fact, the information ends up in the hands of cybercriminals. Fortunately, user awareness of basic information security measures is now growing, so this fraud scheme is gradually losing its relevance.

The third type is combined. Its essence is to create a fake website of a real organization to which scammers try to lure potential victims. Here the attackers invite users to perform some operations themselves. Warnings about such resources appear on the Internet almost every day, which has made these fraud methods well known. Because of this, fraudsters have increasingly turned to keyloggers: special programs that record the user's keystrokes and send this information to preset addresses.

How does internet phishing work?

The specific feature of phishing is that the victim provides his confidential data voluntarily.

To do this, attackers use such tools as phishing sites, e-mail newsletters, phishing landing pages, pop-ups, and targeted advertising.

The user receives an offer to register in order to receive some benefit, or to confirm his personal data on the websites of companies and institutions of which he is allegedly a client.

As a rule, scammers disguise themselves as well-known companies, social networking applications, and email services.

The sender's e-mail address looks very much like the address of a company familiar to the user.

How not to get hooked by scammers?

1. First of all, remember that under no circumstances should you transmit such confidential data as a bank card PIN code, an e-mail password or the password of any other personal account to anyone. Neither a bank nor a social network will request this data by e-mail. If a caller introduces himself as your provider and asks questions about sensitive data, he is most likely a scammer.

2. Always pay attention to the site design. If the site or landing page looks strange, unfinished, thrown together in haste or otherwise suspicious, it may very well be a phishing site.

3. Pay attention to the address shown in the address bar after you follow a link. A small change in the address may lead you to a completely different site (for example, ukl.net instead of ukr.net).
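The two checks above (a sender address that merely resembles a familiar company's, and a link whose domain differs from the real one by a single character) can be automated on the defender's side. The script below is an added example and is not code from the original article; the trusted domain list and the sample links are constructed for illustration, and the "last two labels" rule for the registrable domain is a simplifying assumption standing in for a Public Suffix List lookup. It goes slightly beyond the article's ukl.net case: it also catches confusable characters (examp1e instead of example), a trusted name used as a subdomain of an unrelated domain, and the "user@host" trick where the real host hides after an @ sign.

```python
"""Flag link domains that merely resemble a trusted one.

Added example for this article; not code from the original page. The trusted
domain list and the sample links below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed list of domains the reader actually trusts (assumption).
TRUSTED = ["ukr.net", "example-bank.com"]

# Character sequences that look alike in common fonts. Multi-character
# entries come first so that "rn" is collapsed before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(name: str) -> str:
    """Replace confusable sequences so 'examp1e' and 'example' compare equal."""
    for seq, rep in CONFUSABLES:
        name = name.replace(seq, rep)
    return name


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def host_of(link: str) -> str:
    """Host actually contacted for a link. urlsplit drops any user@ prefix,
    so 'https://ukr.net@evil.example/' resolves to 'evil.example'."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels; an assumption that stands in for a Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:])


def classify(link: str, trusted=TRUSTED) -> tuple:
    """Return (verdict, matched_domain) for one link."""
    host = host_of(link)
    dom = registrable_domain(host)
    if dom in trusted:
        return ("trusted", dom)
    for t in trusted:
        # Trusted name used as a subdomain: ukr.net.secure-login.example
        if ("." + t + ".") in ("." + host):
            return ("embedded", t)
        # Confusable characters or a single typo: examp1e-bank.com, ukl.net
        if normalise(dom) == normalise(t) or levenshtein(dom, t) <= 1:
            return ("lookalike", t)
    return ("unknown", dom)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious e-mail.
    for link in ["https://ukr.net/login", "https://ukl.net/login",
                 "http://ukr.net@evil.example/",
                 "https://ukr.net.secure-login.example/",
                 "https://examp1e-bank.com/verify", "mail.ukr.net"]:
        print(f"{link:45} -> {classify(link)}")
```

A verdict of "unknown" is not a clean bill of health: it only means the domain does not imitate one on the trusted list, so the user still has to decide whether he expected mail from evil.example at all. The edit-distance threshold of 1 is tuned for short domains; for long brand names a relative threshold is more appropriate.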

4. Letters from unknown addresses that "press on emotions" or are of an urgent nature should be treated with suspicion first of all. Credit organizations always address the client by name and surname, whether by e-mail or by phone. If this is missing from the message, it is most likely fraud. E-mails that begin with statements such as "Your account has been hacked!" or "Your profile will be blocked!", or, conversely, announce a large win, are in most cases fraudulent.

5. Never call the phone number offered in the message to check the security of your bank account or credit card. Every payment card shows a dedicated phone number, and that is the one you must call.

Vishing

Vishing is a social engineering fraud method in which cybercriminals, using telephone communication and playing a role (bank employee, customer, etc.), extract confidential information from a payment card holder under various pretexts, or push him to perform certain actions with his card account or payment card.

The first case of this fraud was recorded in 2006. It is a type of phishing implemented using war diallers (automatic dialers) as well as Internet telephony (VoIP). With this type of fraud, cybercriminals gain access to personal information such as passwords, identification and bank card data, etc. The fraud scheme differs little from phishing: users of a payment system receive messages from the supposed administration advising them to send their passwords and account details. But where phishing attaches a link to a fake site, vishing prompts the user to call a landline number. When the user calls, a recorded message asks him to disclose his confidential data. The difficulty in uncovering this type of fraud is that Internet telephony makes it possible to redirect calls to a landline number anywhere in the world without the caller suspecting it.

Secure Computing reported on the most sophisticated method of cheating using the vishing scheme: e-mail was not used at all. The attackers programmed a PC to dial phone numbers from a database and play a pre-recorded message warning the subscriber that his credit card details were in the hands of fraudsters, so he needed to enter a number from the telephone keypad.

Using VoIP can significantly reduce telephone costs, but it also makes a company much more vulnerable to attacks. Banks and other organizations that use IP telephony for voice communications may be subject to vishing attacks, against which there is as yet no protection. This was pointed out, in particular, by The Grugq, an information security expert who spoke about the fraud at the Hack In The Box Security Conference (HITB) in Malaysia. "Attackers will be able to freely enter banking networks and take control of bank telephone channels," says The Grugq. According to him, vishing attacks through VoIP will occur before the end of 2009. Fraudsters will gain full access to confidential information, including bank credentials and credit card numbers. Only information security professionals can prevent them from doing this. "Theoretically, the client calls the bank, and the telephone line is already under the control of hackers," says The Grugq. In that case the fraudster asks the caller to provide some credential information, supposedly in order to connect him to the bank's support service.

"There is no technology that can guarantee companies protection from this problem," the expert is certain, noting that existing systems cannot detect a VoIP attack. To organize one, attackers need only standard software for telephone billing and IP telephony.

According to Secure Computing, scammers configure a war dialler to dial numbers in a specific region. When a call is answered, the following happens:

  • An automated message informs the user that fraudulent activity is taking place with his credit card and recommends that he quickly call back a certain number;
  • After the victim calls that number, a "computer voice" answers, saying that the user must go through verification and enter the card number from the telephone keypad;
  • As soon as the card number is entered, the fraudster receives all the associated information (address, phone number, full name);
  • During the same call, the visher can also collect other additional information, such as the card expiration date, PIN code, bank account number and date of birth.

The main “triggers” of vishing

  • You are asked for card details of any kind;
  • You are persistently pushed to perform an action that you had no intention of taking a minute ago.

Additional "triggers" of vishing

  1. Bank employees will never, under any circumstances, ask for the security code on the back of the card or a code from a bank SMS message.
  2. An alarming subject of the call. To scare the victim and make him take the desired action sooner, scammers invent frightening scenarios: they report that the card is blocked, the account is hacked, a relative is in trouble, etc.
  3. A promise of easy money that you either did not expect to receive at all, or did not expect to receive so easily. To lure the victim, scammers promise to transfer money to your account quickly and easily: for example, a pensioner is told of an unexpected retirement allowance.
  4. You are rushed and very persistently persuaded.
  5. The call comes from an unfamiliar number or from a mobile phone.
  6. You are assured that with the help of an ATM you can transfer money from someone else's card to your own.

The main way to protect yourself from vishing

  1. End the conversation. To continue, call the bank at the phone number printed on the back of the card or listed on its official website; for a company or government body, use the number listed on its official website.

Additional "ways" to protect yourself from vishing

  • Remember that employees of banks and government bodies never, under any circumstances (including force majeure), make calls to payment card holders with a request to provide a payment card number, its expiration date and CVC2 / CVV2 code.
  • Remember that to receive a transfer to a card when selling goods or winning, it is enough to indicate only the card number.
  • Never under any circumstances disclose a three-digit security code on the back of the card (CVV2 / CVC2), as well as codes from bank SMS messages.
  • Do not panic if you get a call about blocking a card or trying to break into an account. Instead, you need to call the bank back at the phone number listed on the bank’s official website or on your plastic card.
  • Be rational and reasonable - do not believe the promises of money that you did not expect to receive.
  • Check the phone number from which the call came: is it really the familiar phone number of the bank, or does it only look like it? Also look up the phone number in search engines; perhaps it has already been reported as used by scammers.
  • Do not hurry. Take the time to check: call the bank or government agency at the phone number listed on its website or on the card and ask to be connected to the person who called you.

What if you become a victim?

Immediately block the card, and file a statement with the bank and the cyber police.

Finally: if you find a phishing e-mail allegedly from a company or service known to you, notify the information security department at your workplace or at your provider.

Via facebook.com & wiki