Phishing

"Phishing" is a term that refers to a type of attack made against unsuspecting individuals that tricks them into divulging sensitive information.

The name comes from the word "fishing," where one casts a line or net into the water hoping to fool a fish into taking the bait.

The Bait

Here is an example of a phishing attempt made over email.

As you can see, this is a seemingly innocent email that appears to be from the popular online bill payment site PayPal.  An unsuspecting victim might decide to click on the link "Click here to Log In."  If they did, they would be taking the bait.  This link would no doubt bring them to a page that looked exactly like PayPal's.  Upon logging in, though, the perpetrator would harvest the victim's username and password.  The account is compromised and the phish was successful.

The Red Flag

So, how do you tell if an email is legitimate or if it is a juicy worm on the end of a sharp fishhook?  A few telltale signs can help you avoid falling for this attack.

First, you will notice that my email client, Thunderbird, posted a message at the top of the email stating that it believes the email may be a scam.  If your email client shows a message like this, be wary.

Second, when you hover over the "Click here to Log In" link, you will see an address pop up at the bottom of your screen, as shown here.

The address at the very bottom of the picture should say it is from http://www.paypal.com, but instead it says it is from hxxp://82.141.173.118.  This is a good sign that this may be a scam.

Third, log into PayPal directly by opening your browser and typing in the correct address yourself.  Typically, sites like this will alert you when you log in if there is a pending question or something you need to do with your account.  If there is no such message, the email is most likely fraudulent.
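The second check above (the link's real destination differing from what the text claims) can be automated when you have the raw HTML of an email. The following is an added example, not code from the original page: it extracts every link from a constructed sample message and flags any whose host is a bare IP address or is not under the domain the email claims to come from. The sample email, the 192.0.2.10 address and the lookalike domain are all constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not the page's email): only the last link is genuine.
SAMPLE_EMAIL = """<p>Dear PayPal member, your account has been limited.</p>
<p><a href="http://192.0.2.10/login">Click here to Log In</a></p>
<p><a href="http://paypal.com.account-review.example/login">Confirm your account</a></p>
<p>Questions? Visit the <a href="https://www.paypal.com/help">PayPal Help Center</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_host(host):
    """True if the link host is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def red_flags(html, claimed_domain):
    """Return (href, text, reason) for each link not under claimed_domain.

    A host is accepted only if it equals claimed_domain or ends with
    "." + claimed_domain, so lookalikes such as paypal.com.<other>.example
    are flagged along with bare IP addresses."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if is_ip_host(host):
            flags.append((href, text, "link points to a bare IP address"))
        elif host != claimed_domain and not host.endswith("." + claimed_domain):
            flags.append((href, text, f"link host {host!r} is not under {claimed_domain}"))
    return flags
```

Calling `red_flags(SAMPLE_EMAIL, "paypal.com")` returns the two suspicious links with their visible text and the reason, while the genuine www.paypal.com link passes.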

Warning others about the phish

The best thing to do when you receive an email like this is to forward a copy of the email to the abuse team at whatever company the phish claims to be from.  Typically, this address is abuse@<company>.com.  You may not receive a response, but at least you reported it.  Then delete it from your mailbox.  You can also consider reporting it to a fraud database like snopes.com to spread the word.

Spear phishing

Phishing is useful to a perpetrator when all they want is to catch any fish.  When they want to catch a very specific fish, a spear is the better weapon of choice.  Spear phishing is a new twist on an old attack, where specific information is gathered about the target and then used against that target.

For example, let's suppose that a malicious person would like to steal your identity.  In order to do so, they need your social security number, birthdate, and other identifying information about you.  They realize you won't give this information out to just anyone, so they begin to do some research on you.  They see from your Facebook page that you have 3 children, along with their names and birthdays.  From your recent MySpace blog post, they know that you work for a major financial company in New York City.  By searching Google, they even find an email you posted to a newsgroup 3 years ago that included your office telephone number and work address.

This malicious person then sends you an email that appears to be from a major credit card company.  It addresses you by name and says that they have reason to suspect your teenage son (again referenced by name and age) used your credit card and that the number was stolen in the process.  They see from their records that it was last used at your company address and that the call was made from your desk phone.  They immediately need your social security number and birthdate in order to proceed.  Perhaps they even leave you a voicemail message saying the same thing.  Oh, and you have to respond within 24 hours, or you will be held responsible for the full $9,000 charge.

If you get a targeted email like this, follow the same steps as above.  Call the number on the back of your credit card and ask about the email.  You will probably be connected with the fraud department.

Asking for your account passwords

A popular phish going around universities and schools appears to come from your school's Information Technology (IT) group.  It asks you for your username and password.  There are very few instances where your IT department would need your password to troubleshoot.  If they do ask you for it, you have every right to ask why and to ask them for some other method.  Most importantly, your IT group should never ask for your password over email.

If it's too good to be true, it probably is

If you get a feeling that something is not right, follow your instinct.  Feel free to contact me for help at <security@ias.edu>.  Thanks!