What Is Password Phishing?

Phishing, which is similar to the English pronunciation of phishing, also known as phishing or phishing attacks, is designed to entice the recipient to give sensitive information (such as by sending a large number of deceptive spam messages that claim to come from a bank or other well-known institution) Username, password, account ID, ATM PIN, or credit card details).

Phishing attackers use spoofed emails and fake Web sites to conduct

As early as 1987, phishing technology described in the form of papers and presentations delivered to the international under the Interex system.

As early as 1987, phishing technology was described in the form of papers and presentations delivered to the international HP user group under the Interex system. The term "net fishing" was first mentioned on the alt.online-service.America-online Usenet newsgroup on January 2, 1996, although the term may appear earlier in the written version of Hacker Magazine 2600.

Early net fishing at AOL

AOL phishing is closely related to the warez community that exchanges pirated software. Since AOL took measures in late 1995 to prevent the use of algorithm-generated fake credit card numbers to open accounts, AOL crackers have resorted to phishing to obtain legitimate account numbers.

A phisher may disguise himself as an AOL worker and send an instant message to a potential victim asking them to reveal their password. In order to seduce the victim to give up their personal sensitive data, the communication content inevitably has something like "verify your account" or "confirm billing information". Once the victim's password is found, the attacker can obtain and use the victim's account for fraud or send spam. Both phishing and warez generally need to develop their own applications at AOL, such as AOHell. As online fishing on AOL has become so common, the company added a statement on all of its instant messaging: "No AOL employee will ask for your password or billing information. (No one working at AOL will ask for your password or billing information) ".

After 1997, AOL noticed that Netfish and Warez and tightened their policies to force pirated software to be isolated from AOL servers. AOL, on the other hand, has developed a system that can immediately disable accounts linked to phishing, which is often achieved before victims can respond. The shutdown of AOL's warez background caused most of the phishers to leave the service. Many phishers are usually young teenagers. When they grow up, they quit this bad habit.

Transformation from AOL to financial institutions

The captured AOL account information may lead to phishing attackers misusing credit card information, and these hackers recognize that it is feasible to attack online payment systems. The first known attack that directly attempted to deal with the payment system was in June 2001, affecting the system as E-gold. The incident occurred immediately after the September 11 attack, a "post-911 identity check." Both attacks at the time were considered failures, but now they can be seen as early experiments against more mainstream banks. By 2004, phishing was considered to be part of the complete industrialization of economic crime: specialization appeared in the global market, it provided the basic component of finding money, and this component was assembled into the final perfect attack.

Recent phishing attacks

Phishers target customers of banks and online payment services. It should have come from the Internal Revenue Service email and has been used to collect sensitive data from US taxpayers. Although the first such example was sent indiscriminately, the goal was to expect that some of the customers who received it would leak their bank or service data, and recent research suggests that phishing attacks may basically identify potential victims Which banks will be used and deliver fake emails based on the results. A targeted version of phishing has been called spear phishing. Several recent phishing attacks have specifically targeted top management and other large corporate players, and the term "whaling" has been coined to describe this type of attack.

Social networking sites are the target of phishing attacks, because the details of personal data at these sites can be used for identity theft; a computer worm took over the pages on MySpace at the end of 2006 and modified the links to direct the netizens of the site to designing to steal logins Information website. Experiments show that the success rate of phishing for social networking sites exceeds 70%.

Almost half of the phishing thieves were identified in 2006 as being manipulated by the Russian Business Network Group in St. Petersburg ^[1]

According to the "2009 Survey Report on Internet Security Status of Chinese Internet Users" released by the China Internet Network Information Center and the United Nations Internet Emergency Response Center, more than 90% of Internet users have encountered phishing in 2009. Among the Internet users who have encountered phishing incidents, 4,500 Ten thousand netizens suffered economic losses, accounting for 11.9% of the total number of netizens. The losses caused by phishing to netizens have reached 7.6 billion yuan.

Link manipulation

Most phishing methods use some form of technical deception, designed to make one

Response after being phished

1. Stop sharing sensitive information. If employees have leaked sensitive information, they should report it immediately. Enterprises should educate employees to contact managers, help desk staff, or network administrators and security personnel immediately. The latter has to take measures to change the password or monitor the network for abnormal activities.

2. Ask banks and other institutions to take measures. If employees share financial information or believe that financial information has been leaked, they should contact the relevant agency immediately. Ask them to monitor the account for unusual activity and expenses, and even close the account if necessary.

3. Protect password. If you suspect that your password has been compromised, change it immediately. Companies should educate employees not to use the same password on multiple systems or accounts. Do your best to ensure that all passwords are completely different.

Earlier cases occurred mainly in the United States, but as Internet services became more common in Asia, the attacks began to appear throughout Asia. Viewed from the outside, it is no different from a real bank website, but when the user thinks that it is a real bank website and uses services such as online banking, the user's account number and password are stolen, thus causing the user to lose. The best way to prevent victimization on this type of website is to remember the URL of an authentic website and carefully compare the URLs when linking to a bank website. In 2003, there were also many cases in Hong Kong where banks that had faked websites and had not yet opened online banking services used false websites to lure customers to make online transfers, but actually transferred funds to the account of the website owner. Since 2004, related fraud has also begun to appear in mainland China. There have been many fake bank websites, such as the fake Industrial and Commercial Bank of China website.

Phishing phishing

Phishing is not a new method of intrusion, but its scope of harm is gradually expanding, and it has become one of the biggest threats to network security. Do you know Phishing? Compared with traditional intrusion methods, what are its salient features? What are the typical Phishing cases? How to prevent being Phishing?

Early spring in the south is always accompanied by drizzle. Rarely today is a sunny day. Manager Zhang of a clothing company took dozens of important employees to a fishing pond in the suburbs for fishing activities. After Zhang put the fishing tackle in place, he opened his laptop and connected it to the Internet. He wanted to use this time to deal with the most recent business. When the secretary saw that he could not do without work at this time, he persuaded him: "Manager, today is a day of play. Rarely relax. Today, do not deal with the company's business ... Are you afraid that the fishing rod will be taken away by the fish?" Manager Zhang smiled at the secretary and looked at the fishing rod in front of him slowly and said, "Everyone said that Jiang Taigong was fishing, and he wished to hook, but if he didn't know the timing of lifting the rod, the fish that was about to slip away would wait. When the business is settled, I won't rest too late. "He continued to lower his head and hit the keyboard.

The business was finally settled, and the customer transferred the payment to Manager Zhang's bank account. Manager Zhang smiled: "This fish was finally caught by me." Then he went to the online bank account to check the transfer.

When the remaining amount of the account was displayed on the page, Manager Zhang was nervous, and then felt dizzy: the original deposit in the account was missing, and the only payment on the page that the customer had just transferred was as if laughing at Manager Zhang .

Manager Zhang never dreamed that this time, he became a fish caught by others, and it was a big fish.

Explaining phishing

Phishing is not a new method of intrusion, but its scope of harm is gradually expanding, becoming one of the most serious cyber threats. Phishing refers to intruders using deliberate technical means to forge some fake websites and emails to entice victims to operate according to specified methods, so that victims voluntarily hand over important information or steal important information (such as bank account passwords) s method. The intruder didn't need to take the initiative to attack, he just had to wait for the response of these fishing rods and lift up one fish after another, just like "Jiang Taigong fishing, and those willing to hook".

Seeing this, some readers may say, isn't this social engineering? Both are deceptive. Yes, there is a shadow of social engineering in phishing, but compared to the latter, phishing is more technical, because it is not only a deception, it must also incorporate technical elements, otherwise if you even "fisherman" If you ca nt control the fishing rod, how can you catch fish?

Visual trap: the fishing rod behind the web

Police are analyzing the data on the hard disk of Manager Zhang's laptop. Manager Zhang himself was admitted to the hospital because of a heart attack when he reported the crime. The case became a little confusing as it was impossible to know when Manager Zhang last logged on to online banking, and there was no backdoor procedure that infected any stolen account in the system.

An analyst accidentally opened Foxmail and found that the last letter was sent by the bank with the subject "Announcement of XX Online Banking on Strengthening Account Security". The analyst predicted that the case had a significant relationship with this letter and immediately opened it for reading. This is a letter of an HTML web page template. The content is to upgrade the system for banks to enhance account security. Customers are requested to reset their account passwords as soon as possible. A URL link to set a password is also provided at the end.

Behind the scenes, the black hand is here! The analyst immediately checked the source code of the letter and quickly found out the messiness in it: as often said, "the set said, the set made", the author of this e-mail adopted the "look set, enter the set This simple deceptive method, and this so-called change password page, of course, is forged exactly the same as the real bank page, but its "change password" function is to send the account number and password to the "fisherman" behind the scenes , And then the "fisherman" logged on to the real online bank and changed the password set by the victim, and took the money to transfer the deposit in the bank account.

Even small fish can make "fishermen" laugh in their dreams. Even if one is too small, the accumulated number will become considerable. Under the temptation of money, the "fisherman" raised the rod again and again. As everyone knows, he is also a fish caught by the money fishing rod.

The key to poor success

Why does such poor technology succeed so often? Have you encountered a similar situation in your actual life? What precautions would you take?

Because phishing takes full advantage of people s psychological loopholes, first of all, people are almost nervous when they receive business emails with a high impact, such as banks. Many people have never doubted the authenticity of the letter, and will open the email subconsciously as required Specify the URL to operate; Secondly, after the page is opened, we usually only pay attention to the content of the page and do not pay attention to the display of the browser's address bar. This is what gives the "fisherman" an opportunity.

In fact, "fishermen" can use IE's URL spoofing vulnerability to disguise themselves more like one thing, but now IE generally applies a patch. In this case, using this vulnerability will "not make a move" So, only a few "fishermen" will use this method. Some "fishermen" do not even have a domain name that looks "more formal". Instead, they use IP addresses and even directly display the real address in the browser. Browser s address barbecause they know that most people simply do nt pay attention to the browser s address bar unless something unexpected happens.

Here by the way, that email, why is Manager Zhang going to be fooled? Even if the sender's address of the email is not from the bank website, the idiot can see that this is a fake email.

But the problem lies here. The sender address of this email clearly writes the technical support mailbox address of the bank's website! How did the "fisherman" do it? Quite simply, some unconfigured email servers will not verify the authenticity of the user information, so it is easy for scammers to send a letter with a forged sender address using such a mail server. Anti-phishing attacks are an important security update for IE 7. Every time you open a new page, in order to detect whether there is a phishing attack on this page, we can see that an alert sign will be displayed in the lower right of the IE window.

Seeing this alert prompt, we can manually perform anti-phishing detection procedures or turn on automatic detection detection. In addition, you can also report to Microsoft a URL with a phishing attack, and Microsoft's online database will collect this address and provide it to other users for reference. By adopting this method of coordinating forces against system threats, the possibility of being attacked is greatly reduced. ,

Phishing Desktop Phishing

Zer0 Thunder, a Sri Lankan security officer, discovered a more subtle way of deceiving and named it: desktop phishing. The steps are roughly as follows:

1. Modify the HOSTS file, map some pages that need to be phished to the local public IP, and make phishing pages on this machine.

2. Make the HOSTS file into a self-extracting file (the decompression path is set to the original HOSTS path)

3. Bundle other software and induce users to install by any means.

Here, because the phishing page is redirected via HOSTS, it is very hidden! ^[6]

IN OTHER LANGUAGES

• English
• Čeština
• Dansk
• Deutsch
• Svenska
• Français
• Italiano
• Nederlands
• Norsk
• Polski
• Português
• Español
• 日本語
• 한국어