Information, Computer and Network Security Terms Glossary and Dictionary


Phishing and Anti-phishing Mitigations and Technologies

Phishing is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by posing as a trustworthy person or business with a legitimate need for that information in a seemingly official electronic notification or message (most often an e-mail or an instant message). Phishing is considered criminal behavior. In the United States, the Anti-Phishing Act of 2005 was introduced; the federal bill proposes that criminals who create fake Web sites and send bogus e-mails in order to defraud consumers could be fined up to $250,000 and sentenced to up to five years in jail.

Phishing is a form of social engineering attack. It often uses spam to send out numerous e-mails or other electronic notifications and then relies on a spoofed identity (such as a spoofed Web site and URL) to collect the sensitive information. Besides URL spoofing, an attacker can also turn the real business's own scripts against it. These attacks are particularly problematic because they direct the user to sign in at the business's genuine Web pages, where everything from the URL to the SSL certificate is correct. After authentication the legitimate site forwards the request on to another page or server, and the phisher manipulates that forwarding (typically a redirect parameter in the URL) so that it points at the phisher's own server, where a specially crafted page steals the user's details.
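The "business's own scripts" attack above is, in practice, an open redirect on the login page: the user signs in on the real site and the post-login redirect parameter sends them to the phisher. The following is an added example, not code from the original page; the login host, the parameter name `next` and the URLs are assumptions. It shows the vulnerable redirect handler beside a hardened one that only accepts same-origin paths.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical login service for this example; the host name is an assumption.
LOGIN_HOST = "login.example.com"
DEFAULT_AFTER_LOGIN = "/account"


def next_param(request_url: str) -> str:
    """Pull the 'next' parameter (an assumed name) out of a login request URL."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("next", [""])[0]


def redirect_after_login_vulnerable(next_url: str) -> str:
    """'Before' form: sends the freshly authenticated user wherever the
    attacker-supplied parameter says. Everything up to this hop (URL,
    certificate, login form) is the genuine site, which is what makes the
    phishing mail convincing."""
    return next_url or DEFAULT_AFTER_LOGIN


def redirect_after_login_hardened(next_url: str) -> str:
    """Allow only a same-origin path; anything else goes to the default."""
    if not next_url:
        return DEFAULT_AFTER_LOGIN
    # Browsers and Python's parser strip or ignore whitespace and control
    # characters differently, so reject them before parsing anything.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in next_url):
        return DEFAULT_AFTER_LOGIN
    # Browsers treat '\' like '/' and collapse any run of leading slashes
    # into a scheme-relative URL, so check the raw string, not only the
    # parsed one: '//evil', '///evil' and '/\evil' all leave the origin
    # even though urlparse() reports an empty netloc for some of them.
    if not next_url.startswith("/") or next_url.startswith("//") or "\\" in next_url:
        return DEFAULT_AFTER_LOGIN
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        return DEFAULT_AFTER_LOGIN
    return next_url


if __name__ == "__main__":
    # Constructed phishing link: the real login page with a poisoned 'next'.
    lure = "https://" + LOGIN_HOST + "/login?next=https://evil.example/steal"
    target = next_param(lure)
    print("vulnerable ->", redirect_after_login_vulnerable(target))
    print("hardened   ->", redirect_after_login_hardened(target))
```

Resolving the parameter with urljoin() against the site's own base URL and comparing host names is not a substitute for the raw-string checks: Python resolves "///evil.example" to a same-site path while browsers resolve it to http://evil.example, so the two parsers disagree exactly where it matters.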

Pharming is another way for criminals on the Internet to steal people's sensitive information. Pharmers have two main ways of operating: directly on users' computers, or on the domain name servers that resolve Web site addresses for users. Details of pharming are covered in a separate article.

Mitigations to Prevent Identity Theft from Phishing:

  • If you are contacted about an account needing to be "verified" or "activated", contact the company directly, or type the address of its Web page yourself, instead of clicking the link provided in the e-mail or other notification.
  • View the source code of an HTML e-mail message to determine where a link actually takes you; the visible link text and the real destination (the href) can differ.
  • Be wary of e-mails that contain misspelled words, incomplete sentences, and awkward phrases.
  • Don't give your personal information to anyone unless you trust them and you initiated the contact yourself, via a telephone number or Web address that you know to be valid.
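Checking where a link "actually takes you" is the mitigation most easily automated. The following is an added example, not part of the original page: it parses the HTML of an e-mail, pairs each link's visible text with its real href, and flags the classic tricks (displayed domain differs from the real one, an IP address as the host, a bank name used as userinfo before an "@", and look-alike hosts that contain a trusted name without being a subdomain of it). The message body and the trusted domain list are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing e-mail body; not a real message.
SAMPLE_HTML = """
<p>Dear customer, your account has been suspended. Please
<a href="http://www.bank.example@203.0.113.5/login">https://www.bank.example/login</a>
to reactivate it.</p>
<p>Or visit <a href="https://bank.example.secure-update.example/">bank.example</a></p>
<p><a href="https://www.bank.example/help">Help center</a></p>
"""

# Assumed: the domains the reader actually trusts for this sender.
TRUSTED_DOMAINS = ["bank.example"]

REASON_USERINFO = "userinfo before host"
REASON_IP = "IP-literal host"
REASON_MISMATCH = "displayed host differs from real host"
REASON_LOOKALIKE = "look-alike of trusted domain"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I))


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_email_links(html_body: str, trusted_domains):
    """Return [(href, visible text, [reasons])] for every suspicious link."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = hostname_of(href)
        reasons = []
        # http://www.bank.example@203.0.113.5/ really goes to 203.0.113.5
        if urlparse(href).username is not None:
            reasons.append(REASON_USERINFO)
        if is_ip_literal(host):
            reasons.append(REASON_IP)
        if looks_like_url(text):
            shown = hostname_of(text if "://" in text else "http://" + text)
            if shown != host:
                reasons.append(REASON_MISMATCH)
        for trusted in trusted_domains:
            subdomain = host == trusted or host.endswith("." + trusted)
            if trusted in host and not subdomain:
                reasons.append(REASON_LOOKALIKE)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_email_links(SAMPLE_HTML, TRUSTED_DOMAINS):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

The same checks apply to the raw message source the second mitigation tells the reader to inspect; the script only does mechanically what a careful reader does by eye, and like that reader it cannot tell a legitimately registered look-alike such as bank-example.com from a genuine one.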

Anti-Phishing Technologies

There are two general categories of anti-phishing technology: those that prevent phishing e-mail from reaching users in the first place, and those that keep users from being deceived by spoofed Web sites once a message has arrived.

Filtering: E-mail filters intended to combat spam are often effective against phishing as well. Signature-based anti-spam filters can be configured to identify specific known phishing messages and stop them from reaching a user. Statistical or heuristic anti-spam filters may be partially effective against phishing, but to the extent that a phishing message resembles a legitimate message, there is a danger of erroneously blocking legitimate e-mail if the filter is made sensitive enough to catch the phishing.

Authentication: Message authentication techniques such as Sender ID (and SPF, on which it is based) can prevent return-address forgery by checking DNS records to determine whether the IP address of the transmitting mail transfer agent is authorized to send mail for the sender's domain. Yahoo!'s DomainKeys provides similar authentication with a domain-level cryptographic signature on the message that is verified against a public key published in DNS. Note that both techniques only confirm that a message really comes from the domain it claims; a phisher who registers a look-alike domain and publishes correct records for it will pass. Some form of lightweight message authentication may be very valuable in combating phishing.
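The DNS check described above is the SPF evaluation that Sender ID builds on. The following is an added example, not code from the page or from any SPF implementation: a minimal evaluator for the ip4, ip6, include and all mechanisms with the four qualifiers, run against a constructed table of TXT records instead of live DNS. The domains and addresses are assumptions; a and mx mechanisms, macros and the Sender ID spf2.0/pra variant are not implemented.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups; not real domains.
CONSTRUCTED_DNS = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
    "newsletter.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "shop.example": "v=spf1 include:newsletter.example -all",
    "nospf.example": None,
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain: str, client_ip: str, dns=CONSTRUCTED_DNS, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for a
    message sent from client_ip claiming the given MAIL FROM domain."""
    if depth > 10:                       # include loops must not recurse forever
        return "permerror"
    record = dns.get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                    # no policy published for this domain
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed address or prefix
            matched = addr.version == net.version and addr in net
        elif name == "include":
            sub = evaluate_spf(arg, client_ip, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"       # included domain has no usable policy
            matched = sub == "pass"      # include matches only on pass
        else:
            return "permerror"           # a, mx, exists, ptr: not in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # fell off the end without an 'all'


def mail_from_domain(mail_from: str) -> str:
    """Domain part of the SMTP MAIL FROM address (what SPF checks)."""
    return mail_from.rpartition("@")[2].lower()


def check_sender(mail_from: str, client_ip: str) -> str:
    return evaluate_spf(mail_from_domain(mail_from), client_ip)


if __name__ == "__main__":
    # Constructed deliveries: the bank's own relay, then a phisher's host.
    print(check_sender("alerts@bank.example", "198.51.100.25"))   # pass
    print(check_sender("alerts@bank.example", "203.0.113.9"))     # fail
    print(check_sender("alerts@shop.example", "203.0.113.9"))     # pass via include
```

A "fail" result justifies rejecting or quarantining the message, but "none" is the common case for domains that publish nothing, and a phisher's own domain will usually produce "pass"; SPF tells you who sent the mail, not whether to trust them.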

Signing: Cryptographic signing of e-mail (e.g. S/MIME) is a positive step in the short run and an effective measure in the long run if it becomes widely deployed. It lets a recipient verify that a message was really sent by the holder of the signing certificate, but it only helps against phishing if users notice when an expected signature is missing or does not verify.

Related Terms

Phishing, Pharming, Spam, Social Engineering, Anti-phishing