Phishing has become an increasingly rampant threat in recent years. It is an Internet fraud intended to gather sensitive information such as usernames, passwords and credit card details. In a typical phish, the attacker sends a user a deceptive email that falsely claims to come from a legitimate bank or organization. The email usually contains a link to a bogus website that looks like the legitimate site but has in fact been set up by the phishers themselves to steal users' confidential information.
Here we describe a list of common phishing techniques:
1. Social engineering: is the act of manipulating people into performing actions or divulging confidential information[*]. E.g. the phishing email pictured below offers a fake cash reward to catch the reader's attention, but its link points to a fake bank website:
Phishing emails typically contain an attractive sentence like “Update Your Account (Online Banking Has Been Blocked)” in the subject or body, urging readers to respond to a “potential threat” to their bank account.
2. Link manipulation: is a method of making a URL link in a phishing email appear legitimate, when in fact the link leads the reader to a forged site that closely resembles the legitimate website. Phishers use several ways of manipulating URL links to achieve this deception.
The following HTML-format phishing email shows a popular method used by phishers: the hidden URL link (2) is the real destination and is entirely different from the link (1) that you see in the email.
Misspelled URLs are another way to spoof recipients. For example, in the last two months SophosLabs witnessed a large number of phishing scams targeting one of Australia's biggest banks, the Commonwealth Bank of Australia. While the genuine URL is http://www.commbank.com.au, the phishers try to register similar-looking domains such as commebank, conmbank or commbank-au to give the scam an air of authenticity.
Phishers may also use URL obfuscation tricks to manipulate links. For instance, a phisher may place an encoded URL like:
in a phishing email. However, by URL-decoding it, we can unscramble it into the following URL:
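The three link-manipulation tricks above (a hidden href that differs from the displayed link, a lookalike domain, and a percent-encoded URL) can all be checked mechanically on the mail-gateway or in a triage script. The following Python example is added here and is not code from the original post or from SophosLabs: it parses the anchors out of a constructed HTML body, decodes percent-encoding before extracting the host, compares the host the reader sees with the real destination, and flags hosts within a small edit distance of the genuine commbank.com.au domain (the only real domain used; all sample URLs are constructed).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# The genuine domain named in the post; its first label ("commbank") is what
# lookalike registrations imitate.
LEGITIMATE_DOMAINS = {"commbank.com.au"}

# Constructed sample body. Link 1 displays the real bank URL but its href (the real
# destination) is a misspelled domain; link 2 is a plain lookalike; link 3 hides a
# lookalike behind percent-encoding; link 4 is a genuine link and must not be flagged.
SAMPLE_HTML = """
<p>Your Online Banking has been blocked. Please log in:</p>
<a href="http://www.commebank.com.au/login">http://www.commbank.com.au</a>
<a href="http://www.conmbank.com/netbank">Click here</a>
<a href="http://%77%77%77%2e%63%6f%6d%6d%62%61%6e%6b%2d%61%75%2e%63%6f%6d/">www.commbank.com.au</a>
<a href="https://www.commbank.com.au/">Terms and conditions</a>
"""

# Does the visible anchor text look like a URL or bare domain?
URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """Undo percent-encoding, then return the lowercase host without a 'www.' prefix."""
    host = (urlparse(unquote(url)).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def displayed_host(text):
    """Host implied by the anchor text, or None if the text is not URL-like."""
    if not URLISH.match(text):
        return None
    return registrable_domain(text if "://" in text else "http://" + text)


def edit_distance(a, b):
    """Levenshtein distance; one-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_links(html):
    """Return one finding per suspicious anchor: its href, real host and the reasons."""
    parser = AnchorExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = registrable_domain(href)
        reasons = []
        shown = displayed_host(text)
        if shown and shown != host:
            reasons.append(f"displays {shown} but really points to {host}")
        if host not in LEGITIMATE_DOMAINS:
            label = host.split(".")[0]
            for legit in LEGITIMATE_DOMAINS:
                legit_label = legit.split(".")[0]
                # Flag a near-miss spelling or the genuine name embedded in a longer label.
                if legit_label in label or edit_distance(label, legit_label) <= 2:
                    reasons.append(f"{host} looks like {legit}")
        if reasons:
            findings.append({"href": href, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

The edit-distance threshold of 2 is a tuning choice: it catches single-character insertions and substitutions like the ones the post lists, while the substring test catches suffix variants such as commbank-au. In production the legitimate-domain set would come from the organizations you actually correspond with, and matches would feed a quarantine or a user warning rather than a print statement.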
3. Email spoofing: is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source[#]. Because SMTP (Simple Mail Transfer Protocol) has no built-in authentication mechanism, phishers can send a spoofed e-mail that appears to come from a trusted bank or organization rather than from themselves:
Received: from User ([85.214.61.xxx]) by mail.xxx.org with Microsoft SMTPSVC;
Thu, 30 Apr 2009 03:23:32 -0500
From: “HSBC Bank plc”<firstname.lastname@example.org>
Subject: Account Error:
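The headers above already carry the clues a recipient or a filter can use: the display name claims to be a bank while the address domain is unrelated, and the originating hop introduced itself only as “User” rather than a hostname. The Python example below is added here and is not code from the original post or from SophosLabs. It parses a constructed raw message modelled on those headers (the mailbox, the Reply-To and Return-Path addresses, and the placeholder IP are all constructed, and the brand keyword list is an assumption for the example) and reports each mismatch it finds: a brand name in the From display name that does not appear in the sender domain, a Reply-To or Return-Path domain that differs from the From domain, and a first Received hop that did not present a fully qualified hostname.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message modelled on the headers quoted in the post. The IP literal and
# all mailboxes are placeholders, not real indicators.
RAW_MESSAGE = """\
Received: from User ([85.214.61.xxx]) by mail.xxx.org with Microsoft SMTPSVC;
 Thu, 30 Apr 2009 03:23:32 -0500
From: "HSBC Bank plc" <firstname.lastname@example.org>
Reply-To: <accounts-verify@example.net>
Return-Path: <bounce@example.net>
Subject: Account Error:

Your account has been blocked. Reply with your password to restore access.
"""

# Assumed brand keywords for this example; a real deployment would use the names of the
# organizations whose mail it actually expects to receive.
BRAND_KEYWORDS = ("hsbc", "commbank", "paypal")

# The token after "from" in a Received header is the name the sending host announced.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.I)


def domain_of(address):
    """Lowercase domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_headers(raw):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. A display name that invokes a brand the sender domain does not belong to.
    for brand in BRAND_KEYWORDS:
        if brand in from_name.lower() and brand not in from_dom:
            findings.append(f"display name claims {brand!r} but sender domain is {from_dom}")

    # 2. Replies or bounces would go to a different domain than the one shown in From.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        dom = domain_of(addr)
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # 3. Received headers are prepended at each hop, so the last one is the origin.
    received = msg.get_all("Received") or []
    if received:
        match = RECEIVED_FROM.match(received[-1].strip())
        if match and "." not in match.group(1):
            findings.append(
                f"originating hop identified itself as {match.group(1)!r}, not a hostname"
            )
    return findings


if __name__ == "__main__":
    for finding in analyze_headers(RAW_MESSAGE):
        print("-", finding)
```

None of these checks proves forgery on its own (legitimate bulk mailers sometimes use a different Return-Path, for instance), which is why they are reported as findings to weigh together rather than as a verdict. Header checks like these complement, and do not replace, sender authentication added on top of SMTP.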
4. Phone phishing: uses a different channel such as fax or VoIP (Voice over Internet Protocol) rather than a fake website to acquire victims' identities. It is not new and has existed for some time. Back in 2006 SophosLabs warned of a phone phishing email that tried to trick PayPal users into calling a phone number and handing over their credit card details, and this year we witnessed another phone phishing campaign targeting the Commonwealth Bank of Australia.
Steps To Avoid being Phished
1. Never respond to an email that asks for any sensitive information such as usernames, passwords or credit card details. A reputable bank or organization never asks its customers for a password or account details by e-mail.
2. Use bookmarks, or type the URL into the browser address bar, to visit a bank's or organization's website, so that you avoid forged websites.
3. Always treat an email with extreme caution when its “reply-to” address differs from its “from” address.
4. Do not use simple passwords for your online banking accounts, and use a different password for each account.
5. Check your bank accounts regularly.
6. Secure your computer – make sure your operating system, anti-virus and firewall software are patched and up to date.