
Internet Phishing and methods of protection against it

Phishing

The most popular form of fraud on the web at the moment is phishing. Cybercriminals use fraudulent websites, keyloggers, e-mail messages composed according to the rules of social engineering, and so on. Every day these methods become more diverse and more dangerous.

Phishing, as defined by Dr. Web, is a technology of fraud on the Web that involves the theft of personal information such as identification and bank card details, access passwords, etc. Using e-mail worms and spam mailings, potential victims are sent letters that allegedly come from legitimate organizations. In these letters they are asked to visit a fake website and confirm PIN codes, passwords and other personal information, which the fraudsters will later use to steal money from the victim's account or to commit other crimes.

Not to be confused with fishing or pishing.

Phishing (from the English phishing, a play on fishing: angling, fishing out) is a type of Internet fraud whose purpose is to gain access to confidential user data: logins and passwords. This is achieved by mass mailings of e-mails on behalf of popular brands, as well as personal messages within various services, for example on behalf of banks or within social networks. The letter often contains a direct link to a site that looks indistinguishable from the real one, or to a site with a redirect. Once the user lands on the fake page, the fraudsters use various psychological techniques to prompt the user to enter the username and password they use for a certain site, which gives the fraudsters access to the user's accounts, including bank accounts.

Phishing is one of the varieties of social engineering, and it relies on the user's ignorance of the basics of network security: in particular, many do not know a simple fact: services do not send letters asking users to provide their credentials, password, and so on.

Simply put, the attackers lure users into revealing their personal information themselves: phone numbers, the numbers and secret codes of bank cards, the logins and passwords of e-mail and social network accounts.

To protect against phishing, the makers of the major Internet browsers have agreed to use the same methods of informing users that they have opened a suspicious website that may belong to fraudsters. New versions of browsers already have this feature, which is accordingly referred to as "anti-phishing".

According to the company Websense, the most popular tool for creating phishing resources is the Rock Phish Kit. At the moment, the situation with phishing closely resembles the situation in malware writing several years ago, when malware construction kits first appeared.

The essence of phishing is as follows: the attacker deceives the user into providing personal information (bank card details, names and passwords for various resources, etc.). The main distinguishing feature of this type of fraud is that the user submits the information voluntarily. To achieve this, fraudsters actively use social engineering techniques.

Modern phishing can be divided into 3 types: online, e-mail and combined.

The oldest is e-mail phishing: a letter is sent to the recipient with a request to send some information.

Online phishing involves the following scheme: fraudsters copy official resources using similar domain names and design. Then everything is simple. A user who visits such a resource may leave their data there, fully confident that it will fall into the right hands. In fact, this information ends up in the hands of cybercriminals. Fortunately, there is now a tendency for user knowledge of basic information security measures to grow, so this fraud scheme is gradually losing its relevance.

The third type is combined. Its essence lies in creating a fake website of a real organization, to which the fraudsters try to lure potential victims. In this case, the attackers ask users to perform some operations on their own. Warnings about such resources appear on the Internet almost every day, which has made these fraud methods well known. In connection with this, fraudsters have begun to use keyloggers more often: special programs that track user keystrokes and send this information to predetermined addresses.

How does Internet phishing work?

What is specific to phishing is that the victim of the fraud provides their confidential data voluntarily.

To do this, attackers use tools such as phishing sites, mass e-mailings, phishing landing pages, pop-ups and targeted advertising.

The user receives an offer to register in order to receive some benefit, or to confirm his personal data on the websites of companies and institutions of which he is allegedly a customer.

As a rule, fraudsters disguise themselves as well-known companies, social networking applications, and email services.

The sender's e-mail address closely resembles the address of a company the user knows.

How not to get hooked by the scam?

  • First of all, remember that no one should, under any circumstances, hand over confidential data such as the PIN code of a bank card, an e-mail password or the passwords of other personal accounts. Neither the bank nor the social network will request this data via e-mail. If a caller introduces himself as your provider and asks questions about sensitive data, he is most likely a fraudster.
  • Always pay attention to the site design. If a site or a landing page seems strange, incomplete, hastily made or suspicious, it may very well be a phishing site.
  • Pay attention to the address bar when following a link. Minor changes in the address may lead you to a completely different site (for example, instead of it could be
  • Letters from unknown addresses that "put pressure on emotions" or are of an urgent nature should, above all, be treated with suspicion. All credit organizations address the customer by first and last name when contacting them by e-mail or telephone. If the message does not address you this way, it is most likely fraud. Letters that begin with statements such as "Your account has been hacked!" or "Your profile will be blocked!", or, on the contrary, declare you the winner of a big prize, are in most cases fraudulent.
  • Do not call the security service of your bank account or credit card at a phone number you were given in the message. Every payment card carries the dedicated phone number you should call.
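The address-bar check in the list above can be partly automated. As an added example (not code from the original article), the following Python function flags links whose host is a lookalike of a domain the user actually deals with: a confusable-character substitution, a one-character typo, a wrong top-level domain, a punycode (internationalized) host, or the brand name used as a subdomain of an unrelated domain. All domain names in it are constructed for the example, and the registered-domain extraction is deliberately crude (no public-suffix list).

```python
from urllib.parse import urlparse

# Constructed set of legitimate domains the user deals with (example values, not real brands).
KNOWN_DOMAINS = {"examplebank.com", "mailservice.example"}
# Character sequences commonly substituted for one another in lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Fold visual substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def check_link(url: str) -> list[str]:
    """Return warnings for a URL; an empty list means no lookalike pattern was found."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    warnings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) domain, verify the real name")
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return warnings  # genuine domain; nothing else to report
    reg_label = reg.split(".")[0]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # Brand name used as a subdomain of an unrelated registered domain.
        if brand in host.split(".")[:-2]:
            warnings.append(f"brand '{brand}' used under unrelated domain {reg}")
        # Registered domain matches the brand after confusable folding or by one edit.
        if normalize(reg_label) == brand or edit_distance(reg_label, brand) == 1:
            warnings.append(f"'{reg}' is a lookalike of '{known}'")
    return warnings
```

Run `check_link` over every href in a suspicious message before clicking; a non-empty result is a reason to type the bank's address by hand instead.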


Vishing is a method of social engineering fraud in which attackers, using telephone communication and playing a certain role (bank employee, customer, etc.), under various pretexts lure confidential information out of the cardholder or push them to perform certain actions with their card account / payment card.

The first case of this kind of fraud was recorded in 2006. It is a type of phishing and is implemented using war diallers (auto-dialers) as well as Internet telephony (VoIP). With this type of fraud, attackers gain access to personal information such as passwords, identification and bank card details, etc. The scheme of deception differs little from phishing: users of a payment system receive messages from "the administration" by mail, in which they are urged to send their passwords and account details. But whereas in phishing a link to a fake website is attached, in vishing the user is prompted to call a landline number. When the user calls, a recorded message is played asking the person to disclose their confidential data. What makes this type of fraud hard to uncover is that the development of Internet telephony allows calls to a landline number to be redirected anywhere in the world, and the caller will not even suspect it.

Secure Computing reported on the most sophisticated variant of the vishing scheme: e-mail was not used at all. The attackers programmed a PC to dial phone numbers from a database and play a pre-recorded message warning the subscriber that his credit card details were in the hands of fraudsters, so he needed to enter the card number on the telephone keypad.

Using the VoIP protocol can significantly reduce the cost of telephone communications, but it also makes companies much more vulnerable to attacks. Banks and other organizations that use IP telephony for voice communications may be subject to virus attacks against which there is not yet any protection. In particular, The Grugq, an information security expert who spoke about fraud at the Hack In The Box Security Conference (HITB) in Malaysia, said as much. "The attackers will be able to penetrate banking networks freely and take control of banking telephone channels," says The Grugq. According to him, vishing attacks via VoIP will occur before the end of 2009. Fraudsters will gain full access to confidential information, including bank account data and credit card numbers. Only information security professionals can prevent them from doing so. "Theoretically, a customer calls the bank, and the telephone line is already under the control of hackers," says The Grugq. In that case, the fraudster asks the caller to provide some account information in order to be put through to the bank's support service.

"There is no technology that can guarantee companies protection from this problem," the expert is sure, noting that current systems cannot detect a VoIP attack. To organize one, attackers need only standard software for billing telephone conversations and IP telephony.

According to Secure Computing, fraudsters configure a war dialler that dials numbers in a specific region. When a call is answered, the following happens:

  • The answering machine informs the user that fraudulent operations are being carried out with his credit card and recommends quickly calling back at a certain number;
  • After the victim calls back at that number, a "computer voice" answers, saying that the user must go through verification and enter the card number on the telephone keypad;
  • Once the card number is entered, the fraudster receives all the information (address, phone number, full name);
  • During the same call, the fraudster can collect other additional information, such as the card's expiration date, PIN code, bank account number and date of birth.

Basic Vishing Triggers

  • You are asked for card details, any at all;
  • You are being persistently pushed to perform an action that you had no intention of performing just a minute ago.

Additional Vishing Triggers

  1. Bank employees will never, under any circumstances, ask for the security code on the back of the card or the code from a bank SMS message.
  2. An alarming reason for the call. To scare the victim and make the desired action more likely, fraudsters come up with frightening scenarios: the card is reported as blocked, the account as hacked, a relative as being in trouble, and so on.
  3. A promise of easy money that you either did not expect to receive, or did not expect to receive so easily. To lure the victim, the fraudsters promise to transfer money to your account easily and quickly: for example, an unexpected pension supplement has supposedly been credited to the pensioner.
  4. You are being hurried and very persistently persuaded.
  5. The call comes from an unfamiliar or mobile number.
  6. You are assured that with the help of an ATM you can transfer money from someone else's card to your own.

The main "way" to protect yourself from vishing

  1. End the conversation. To continue it, call the bank at the phone number printed on the back of the card or listed on its official website; for a company or state institution, call the number listed on its official site.

Additional "ways" to protect against vishing

  • Remember that employees of banks and government agencies never, under any circumstances (including force majeure), call payment card holders demanding the payment card number, its validity period or the CVC2 / CVV2 code.
  • Remember that to receive a transfer to the card when selling goods or receiving a prize, it is enough to give only the card number.
  • Never, under any circumstances, disclose the three-digit security code on the back of the card (CVV2 / CVC2) or codes from bank SMS messages.
  • Do not panic if you are called about a card being blocked or an attempt to hack your account. Instead, call the bank back at the phone number listed on the bank's official website or on your plastic card.
  • Be rational and reasonable: do not believe promises of money you were not expecting to receive.
  • Check the phone number from which the call came: is it really a familiar phone number of the bank, or does it just look like one? Also look the phone number up in search engines; it may already have been reported as used by fraudsters.
  • Do not hurry. Take the time to check: call the bank or state institution at the phone number listed on its website or on the card, and ask to be put through to the person who called you.

What to do if you become a victim?

Immediately block the card and file a report with the bank and the cyberpolice.

Finally, if you receive a phishing e-mail allegedly from a company or service you know, report it to the information security department at your workplace or to your provider.

Via & wiki