History and current status of phishing
Early phishing on AOL
Phishing on AOL was closely associated with the warez community that exchanged pirated software. Those who would later phish on AOL during the 1990s originally used fake, algorithmically generated credit card numbers to create accounts on AOL, which could last weeks or even months. After AOL brought in measures in late 1995 to prevent this, early AOL crackers resorted to phishing for legitimate accounts. […] to a potential victim, asking him to reveal his password. [Stutz, Michael, "AOL: A Cracker's Paradise?", Wired News, January 29, 1998, http://wired-vig.wired.com/news/technology/0,1282,9932,00.html] In order to lure the victim into giving up sensitive information, the message might include imperatives like "verify your account" or "confirm billing information". Once the victim had revealed the password, the attacker could access and use the victim's account for criminal purposes, such as spamming. Both phishing and warezing on AOL generally required custom-written programs, such as AOHell. Phishing became so prevalent on AOL that the company added a line to all instant messages stating: "no one working at AOL will ask for your password or billing information".
After 1997, AOL's policy enforcement with respect to phishing and warez became stricter and forced pirated software off AOL servers. AOL simultaneously developed a system to promptly deactivate accounts involved in phishing, often before the victims could respond. The shutting down of the warez scene on AOL caused most phishers to leave the service, and many phishers, often young teens, grew out of the habit. ["History of AOL Warez", http://www.rajuabju.com/warezirc/historyofaolwarez.htm, accessed September 28, 2006] People would later "scam phish" for account information, using techniques such as "insta kiss" and "you've got pictures".
Transition from AOL to financial institutions
The capture of AOL account information may have led phishers to misuse credit card information, and to the realisation that attacks against online payment systems were feasible. The first known direct attempt against a payment system affected E-gold in June 2001, which was followed up by a "post-911 id check" shortly after the September 11, 2001 attacks. ["GP4.3 - Growth and Fraud - Case #3 - Phishing", Financial Cryptography, December 30, 2005, https://financialcryptography.com/mt/archives/000609.html] Both were viewed at the time as failures, but can now be seen as early experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was recognized as a fully industrialized part of the economy of crime: specializations emerged on a global scale that provided components for cash, which were assembled into finished attacks. ["In 2005, Organized Crime Will Back Phishers", IT Management, December 23, 2004, http://itmanagement.earthweb.com/secu/article.php/3451501] ["The economy of phishing: A survey of the operations of the phishing market", First Monday, September 2005, http://www.firstmonday.org/issues/issue10_9/abad/]
Recent phishing attempts
More recent phishing attempts have targeted the customers of banks and online payment services. E-mails supposedly from the Internal Revenue Service have also been used to glean sensitive data from U.S. taxpayers. […] ["What is spear phishing?", Microsoft Security At Home, http://www.microsoft.com/athome/security/email/spear_phishing.mspx, accessed July 10, 2006] Social network services are also a target of phishing, since the personal details in such sites can be used in identity theft; […] a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details. […] were committed by groups operating through the Russian Business Network based in St. Petersburg. [Krebs, Brian, "Shadowy Russian Firm Seen as Conduit for Cybercrime", Washington Post, October 13, 2007]
Phishing examples
PayPal phishing example
In an example PayPal phish, spelling mistakes in the email and the presence of an IP address in the link (visible in the tooltip when the pointer hovers over it) are both clues that this is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details would not be a guarantee of legitimacy.
Damage caused by phishing
The damage caused by phishing ranges from denial of access to email to substantial financial loss. This style of identity theft is becoming more popular, because of the readiness with which unsuspecting people often divulge personal information to phishers, including credit card numbers, social security numbers, and mothers' maiden names. There are also fears that identity thieves can add such information to the knowledge they gain simply by accessing public records. […] or even deny the victims access to their own accounts. [Krebs, Brian, "Phishing Schemes Scar Victims", washingtonpost.com, November 18, 2004, http://www.washingtonpost.com/ac2/wp-dyn/A59349-2004Nov18]
It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims. In the UK, losses from web banking fraud (mostly from phishing) almost doubled to £23.2m in 2005, from £12.2m in 2004, ["UK phishing fraud losses double", Finextra, March 7, 2006, http://www.finextra.com/fullstory.asp?id=15013] while 1 in 20 computer users claimed to have lost out to phishing in 2005. [Richardson, Tim, "Brits fall prey to phishing", The Register, May 3, 2005, http://www.theregister.co.uk/2005/05/03/aol_phishing/]
The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions … so that they are not vulnerable to the criminal." […] Bank of Ireland initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so [http://applications.boi.com/updates/Article?PR_ID=1430]), although losses to the tune of €11,300 were made good. [http://www.vnunet.com/vnunet/news/2163714/bank-ireland-backtracks]
Anti-phishing
There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.
Social responses
One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be promising, especially where training provides direct feedback. [Kumaraguru, Ponnurangam; Rhee, Yong Woo; Acquisti, Alessandro; Cranor, Lorrie; Hong, Jason; Nunge, Elizabeth, "Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System", Technical Report CMU-CyLab-06-017, CyLab, Carnegie Mellon University, November 2006, http://www.cylab.cmu.edu/files/cmucylab06017.pdf] One newer phishing tactic, which uses phishing emails targeted at a specific company, known as spear phishing, has been harnessed to train individuals at various locations, including the United States Military Academy. In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake email were tricked into revealing personal information. [Bank, David, "'Spear Phishing' Tests Educate People About Online Scams", The Wall Street Journal, August 17, 2005, http://online.wsj.com/public/article/0,,SB112424042313615131-z_8jLB2WkfcVtgdAWf6LRh733sg_20060817,00.html?mod=blogs]
People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the email apparently originates to check that the email is legitimate. Alternatively, the address that the individual knows is the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message. […] always address their customers by their username in emails, so if an email addresses the recipient in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. ["Protect Yourself from Fraudulent Emails", PayPal, https://www.paypal.com/us/cgi-bin/webscr?cmd=_vdc-security-spoof-outside, accessed July 7, 2006] Emails from banks and credit card companies often include partial account numbers. However, recent research [Jakobsson, Markus; Tsow, Alex; Shah, Ankur; Blevis, Eli; Lim, Youn-kyung, "What Instills Trust? A Qualitative Study of Phishing", USEC '06, http://www.informatics.indiana.edu/markus/papers/trust_USEC.pdf] has shown that the public do not typically distinguish between the first few digits and the last few digits of an account number, a significant problem since the first few digits are often the same for all clients of a financial institution. People can be trained to have their suspicion aroused if the message does not contain any specific personal information. Phishing attempts in early 2006, however, used personalized information, which makes it unsafe to assume that the presence of personal information alone guarantees that a message is legitimate. [Zeltser, Lenny, "Phishing Messages May Include Highly-Personalized Information", The SANS Institute, March 17, 2006, http://isc.incidents.org/diary.php?storyid=1194] Furthermore, another recent study concluded in part that the presence of personal information does not significantly affect the success rate of phishing attacks, [Jakobsson, Markus; Ratkiewicz, Jacob, "Designing Ethical Phishing Experiments", WWW '06, http://www2006.org/programme/item.php?id=3533] which suggests that most people do not pay attention to such details.
The Anti-Phishing Working Group, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers. […] and other uses of malware will become more common tools for stealing information.
Technical responses
Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. The following are some of the main approaches to the problem.
Helping to identify legitimate sites
Since phishing is based on impersonation, preventing it depends on some reliable way to determine a website's real identity. For example, some anti-phishing toolbars display the domain name for the visited website. [Brandt, Andrew, "Privacy Watch: Protect Yourself With an Antiphishing Toolbar", PC World, http://www.pcworld.com/article/125739-1/article.html, accessed September 25, 2006] The petname extension for Firefox lets users type in their own labels for websites, so they can later recognize when they have returned to the site. If the site is suspect, then the software may either warn the user or block the site outright.
Browsers alerting users to fraudulent websites
Another popular approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. Internet Explorer, Mozilla Firefox 2.0, and Opera all contain this type of anti-phishing measure. [Franco, Rob, "Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers", IEBlog, http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx, accessed May 20, 2006] ["Bon Echo Anti-Phishing", Mozilla, http://www.mozilla.org/projects/bonecho/anti-phishing/, accessed June 2, 2006] ["Gone Phishing: Evaluating Anti-Phishing Tools for Windows", 3Sharp, September 27, 2006, http://www.3sharp.com/projects/antiphish/index.htm, accessed October 20, 2006] Firefox 2 uses Google anti-phishing software. Opera 9.1 uses live blacklists from Phishtank and GeoTrust, as well as live whitelists from GeoTrust. Some implementations of this approach send the visited URLs to a central service to be checked, which has raised concerns about privacy. […] to block web adverts.
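The three approaches above (showing the real domain, petname labels, and list lookups) all reduce to one decision made before anything else: what is the identity of the site this URL really leads to? The following is an added example of that decision logic in Python. It is not code from any of the toolbars, browsers or list providers named in the text; the petname store, whitelist and blacklist are constructed sample data, and matching list entries on the domain suffix rather than the exact host is this example's own choice, not something the text describes:

```python
"""Added example: the identity decision behind a domain-displaying toolbar.

Not code from Firefox, Opera, IE, the petname extension or any list provider.
PETNAMES, WHITELIST and BLACKLIST are constructed sample data; the host names
use reserved documentation names (example.com/.net/.org, 198.51.100.0/24).
"""
import ipaddress
from urllib.parse import urlsplit

# Labels the user typed in earlier (the petname idea): keyed on the exact host.
PETNAMES = {
    "www.paypal.com": "my PayPal",
    "onlinebanking.example.com": "my bank",
}
# Stand-ins for the live lists the text mentions; matched on domain suffix.
WHITELIST = {"paypal.com", "example.com"}
BLACKLIST = {"secure-paypal-login.example.net"}


def real_host(url: str) -> str:
    """Host the browser actually connects to.

    urlsplit().hostname drops the userinfo part, so
    'http://www.paypal.com@198.51.100.7/' yields '198.51.100.7', not the
    bank-looking text before the '@', and it lower-cases the name.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.rstrip(".")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url: str) -> dict:
    """What the toolbar shows for a URL, as a small dict.

    A petname wins because the user bound it to this exact host; then the
    whitelist; a blacklist hit or a bare IP literal is flagged; anything
    else is 'unknown', which is the honest answer for most of the web.
    """
    host = real_host(url)
    verdict = "unknown"
    petname = PETNAMES.get(host)
    if petname:
        verdict = "known"
    elif under(host, WHITELIST):
        verdict = "whitelisted"
    elif under(host, BLACKLIST):
        verdict = "blocked"
    elif is_ip_literal(host):
        verdict = "suspicious"   # login pages are rarely served from a bare IP
    return {"host": host, "petname": petname, "verdict": verdict}


if __name__ == "__main__":
    for url in (
        "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
        "http://www.paypal.com@198.51.100.7/login",                 # userinfo trick
        "http://www.paypal.com.secure-paypal-login.example.net/",  # subdomain trick
        "http://198.51.100.7/paypal/",
        "https://shop.example.org/",
    ):
        r = classify(url)
        print(f"{r['verdict']:<12} {r['host']:<48} {r['petname'] or '-'}")
```

The whole check runs locally, so no visited URL leaves the machine; it is the list feeds that require sending each URL to a central service that raise the privacy concern noted above. Two design points worth noticing: the userinfo and subdomain tricks only fail because the decision is keyed on the host the browser will actually connect to, never on the text the user sees, and an exact-host blacklist (without the suffix match used here) would miss every fresh subdomain a phisher registers.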
To mitigate the problem of phishing sites impersonating a victim site by embedding its images (such as logos), several site owners have altered the images to send a message to the visitor that a site may be fraudulent. The image may be moved to a new filename and the original permanently replaced, or a server can detect that the image was not requested as part of normal browsing, and instead send a warning image. [Krebs, Brian, "Using Images to Fight Phishing", Security Fix, August 31, 2006, http://blog.washingtonpost.com/securityfix/2006/08/using_images_to_fight_phishing.html] [Seltzer, Larry, "Spotting Phish and Phighting Back", eWeek, August 2, 2004, http://www.eweek.com/article2/0,1759,1630161,00.asp]
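The second option, having the server decide which image to send, comes down to looking at the Referer header of the image request: when a phishing page on another host embeds the logo, the victim's own browser reports that page's URL. Below is an added example of that server-side decision in Python; it is not code from any of the sites the cited articles describe. The host names, the two image payloads and the WSGI wrapper are assumptions made for the example:

```python
"""Added example: serve a warning image when a logo is hot-linked from
another site. Not code from any site in the cited articles. OUR_HOSTS and
the two image payloads are constructed placeholders.
"""
from typing import Optional
from urllib.parse import urlsplit
from wsgiref.simple_server import make_server

OUR_HOSTS = {"www.example-bank.com", "example-bank.com"}   # assumption

# Placeholders: a real server would read two PNG files from disk.
REAL_LOGO = b"PNG:real-logo"
WARNING_IMAGE = b"PNG:this-page-may-be-fraudulent"


def choose_image(referer: Optional[str], our_hosts=OUR_HOSTS) -> bytes:
    """Return the logo for requests referred from our own pages, else a warning.

    A missing Referer is treated as our own page: privacy settings strip it
    often enough that refusing it would break the real site. That also means
    this defence is a nuisance for phishers (they can copy the image or
    suppress the Referer from their page), not a guarantee.
    """
    if not referer:
        return REAL_LOGO
    try:
        host = urlsplit(referer).hostname
    except ValueError:            # malformed header: treat as foreign
        host = None
    if host and host in our_hosts:   # exact match, so a look-alike such as
        return REAL_LOGO             # example-bank.com.evil.net gets the warning
    return WARNING_IMAGE


def app(environ, start_response):
    """Minimal WSGI wrapper: GET /logo.png picks the image from the Referer."""
    if environ.get("PATH_INFO") != "/logo.png":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    body = choose_image(environ.get("HTTP_REFERER"))
    start_response("200 OK", [
        ("Content-Type", "image/png"),
        # Without this, a logo cached during a genuine visit would be reused
        # on the phishing page and the warning image would never be fetched.
        ("Cache-Control", "no-store"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


if __name__ == "__main__":
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("serving http://127.0.0.1:8000/logo.png")
        httpd.serve_forever()
```

The Cache-Control header is the part most often forgotten: the browser that lands on the phishing page is very likely one that has visited the genuine site before, and a cacheable logo would be served from its cache without the server ever seeing the request.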
Augmenting password logins
The Bank of America's website [Bank of America, "How Bank of America SiteKey Works For Online Banking Security", http://www.bankofamerica.com/privacy/sitekey/, accessed January 23, 2007] [Brubaker, Bill, "Bank of America Personalizes Cyber-Security", Washington Post, July 14, 2005, http://www.washingtonpost.com/wp-dyn/content/article/2005/07/13/AR2005071302181.html] is one of several that ask users to select a personal image, and display this user-selected image with any forms that request a password. Users of the bank's online services are instructed to enter a password only when they see the image they selected. However, a recent study suggests few users refrain from entering their password when images are absent. [Stone, Brad, "Study Finds Web Antifraud Measure Ineffective", New York Times, February 5, 2007, http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600&en=295ec5d0994b0755&ei=5090&partner=rssuserland&emc=rss] […] is susceptible to other attacks, such as those suffered by Scandinavian bank Nordea in late 2005, ["Phishers target Nordea's one-time password system", Finextra, October 12, 2005, http://www.finextra.com/fullstory.asp?id=14384] and Citibank in 2006. [Krebs, Brian, "Citibank Phish Spoofs 2-Factor Authentication", Security Fix, July 10, 2006, http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html]
Security skins [Schneier, Bruce, "Security Skins", Schneier on Security, http://www.schneier.com/blog/archives/2005/07/security_skins.html, accessed December 3, 2006] [Dhamija, Rachna; Tygar, J. D., "The Battle Against Phishing: Dynamic Security Skins", Symposium On Usable Privacy and Security (SOUPS) 2005, July 2005, http://people.deas.harvard.edu/~rachna/papers/securityskins.pdf] are a related technique that involves overlaying a user-selected image onto the login form as a visual cue that the form is legitimate. Unlike the website-based image schemes, however, the image itself is shared only between the user and the browser, and not between the user and the website. The scheme also relies on a mutual authentication protocol, which makes it less vulnerable to attacks that affect user-only authentication schemes.
Eliminating phishing mail
Spam filters can reduce the number of phishing emails that reach their addressees' inboxes. [Chandrasekaran, Madhusudhanan; Narayanan, Krishnan; Upadhyaya, Shambhu, "Phishing Email Detection Based on Structural Properties", NYS Cyber Security Symposium, March 2006, http://www.albany.edu/iasymposium/chandrasekaran.pdf] [Fette, Ian; Sadeh, Norman; Tomasic, Anthony, "Learning to Detect Phishing Emails", Carnegie Mellon University Technical Report CMU-ISRI-06-112, June 2006, http://reports-archive.adm.cs.cmu.edu/anon/isri2006/CMU-ISRI-06-112.pdf]
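The structural properties such a filter examines overlap almost entirely with the clues a reader is told to look for under "Phishing examples" and "Social responses": a generic greeting, pressure phrases such as "verify your account" or "confirm billing information", a bare IP address in a link, and link text that shows one site while the href goes to another. The following is an added example of those checks run over a raw message in Python. It is not code from the page or from either cited paper; both messages are constructed, and the greeting pattern and phrase list are this example's assumptions rather than anything the text specifies:

```python
"""Added example: structural checks on a suspected phishing e-mail.

Not code from the cited papers. SAMPLE_PHISH and SAMPLE_LEGIT are constructed
messages; GENERIC_GREETING and PRESSURE_PHRASES are assumptions for the demo.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches "Dear customer", "Dear valued member", "Dear PayPal customer";
# not "Dear Jane Doe".
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(?:valued\s+)?(?:\w+\s+)?(?:customer|member|user|client|account holder)\b",
    re.I | re.M)
PRESSURE_PHRASES = ("verify your account", "confirm billing information",
                    "suspended", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked odd."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)          # crude tag strip for phrase checks
    findings = []

    if GENERIC_GREETING.search(text):
        findings.append("generic greeting (no name or username)")
    for phrase in PRESSURE_PHRASES:
        if phrase in text.lower():
            findings.append(f"pressure phrase: {phrase!r}")

    sender = ""
    if msg["from"] and msg["from"].addresses:
        sender = msg["from"].addresses[0].domain.lower()
    extractor = LinkExtractor()
    extractor.feed(html)
    extractor.close()
    for href, visible in extractor.links:
        target = host_of(href)
        if not target:
            continue
        if is_ip(target):
            findings.append(f"link goes to a bare IP address: {target}")
        shown = host_of(visible) if "://" in visible else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        # Weak signal on its own: legitimate mailers often use tracking hosts.
        if sender and not (target == sender or target.endswith("." + sender)):
            findings.append(f"link host {target} is not under sender domain {sender}")
    return findings


# Constructed message: every clue from the text in one place.
SAMPLE_PHISH = b"""\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear PayPal customer,</p>
<p>We have detected unusual activity. Please verify your account within 24 hours
or it will be suspended.</p>
<p><a href="http://198.51.100.23/paypal/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a></p>
</body></html>
"""

# Constructed message with the features a genuine notice tends to have.
SAMPLE_LEGIT = b"""\
From: "Example Bank" <alerts@example-bank.com>
To: victim@example.org
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Doe,</p>
<p>Your statement for the account ending 4421 is ready.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw) or ["no findings"])
```

The findings are deliberately returned as a list rather than a single score: the text's own caveats (personalised phish in 2006, generic first digits of account numbers) show that any one clue can be absent from a phish or present in a genuine message, so a filter or a reader should weigh several of them together.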
Monitoring and takedown
Several companies offer banks and other organizations likely to suffer from phishing scams round-the-clock services to monitor, analyze and assist in shutting down phishing websites. ["Anti-Phishing Working Group: Vendor Solutions", Anti-Phishing Working Group, http://www.antiphishing.org/solutions.html#takedown, accessed July 6, 2006] Individuals can contribute by reporting phishing to both volunteer and industry groups, [McMillan, Robert, "New sites let users find and report phishing", LinuxWorld, March 28, 2006, http://www.linuxworld.com.au/index.php/id;1075406575;fp;2;fpid;1] such as PhishTank. ["PhishTank - A New Collaborative Phishing Workgroup", limited-exposure]
Legal responses
On January 26, 2004, the U.S. Federal Trade Commission filed the first lawsuit against a suspected phisher. The defendant, a Californian teenager, allegedly created a webpage designed to look like the America Online website, and used it to steal credit card information. […] for leading one of the largest phishing criminal organizations, which in two years stole between US$18 million and US$37 million. [Leyden, John, "Brazilian cops net 'phishing kingpin'", The Register, March 21, 2005, http://www.channelregister.co.uk/2005/03/21/brazil_phishing_arrest/] UK authorities jailed two men in June 2005 for their role in a phishing scam, [Roberts, Paul, "UK Phishers Caught, Packed Away", eWEEK, June 27, 2005, http://www.eweek.com/article2/0%2C1895%2C1831960%2C00.asp] in a case connected to the United States Secret Service Operation Firewall, which targeted notorious "carder" websites. ["Nineteen Individuals Indicted in Internet 'Carding' Conspiracy", http://www.cybercrime.gov/mantovaniIndict.htm, accessed November 20, 2005] In 2006 eight people were arrested by Japanese police on suspicion of phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves 100 million yen (about US$870,000). ["8 held over suspected phishing fraud", The Daily Yomiuri, May 31, 2006] The arrests continued in 2006 with the Federal Bureau of Investigation Operation Cardkeeper detaining a gang of sixteen in the U.S. and Europe. ["Phishing gang arrested in USA and Eastern Europe after FBI investigation", Sophos, http://www.sophos.com/pressoffice/news/articles/2006/11/phishing-arrests.html, accessed December 14, 2006]
In the United States, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The federal anti-phishing bill proposes that criminals who create fake web sites and send bogus emails in order to defraud consumers could be fined up to $250,000 and be jailed for up to five years. ["Phishers Would Face 5 Years Under New Bill", Information Week, March 2, 2005, http://informationweek.com/story/showArticle.jhtml?articleID=60404811] The UK strengthened its legal arsenal against phishing with the Fraud Act 2006. […] 2005, Microsoft filed 117 federal lawsuits in the United States District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of obtaining passwords and confidential information. March 2005 also saw a partnership between Microsoft and the Government of Australia teaching law enforcement officials how to combat various cyber crimes, including phishing. ["Microsoft Partners with Australian Law Enforcement Agencies to Combat Cyber Crime", Microsoft, http://www.microsoft.com/australia/presspass/news/pressreleases/cybercrime_31_3_05.aspx, accessed August 24, 2005] Microsoft announced a planned further 100 lawsuits outside the U.S. in March 2006, [Espiner, Tom, "Microsoft launches legal assault on phishers", ZDNet, March 20, 2006, http://news.zdnet.co.uk/0,39020330,39258528,00.htm] followed by the commencement, as of November 2006, of 129 lawsuits mixing criminal and civil actions. [Leyden, John, "MS reels in a few stray phish", The Register, November 23, 2006, http://www.theregister.co.uk/2006/11/23/ms_anti-phishing_campaign_update/]
AOL reinforced its efforts against phishing […] has joined in by helping to identify six men subsequently charged with phishing fraud in Connecticut. […] He was found guilty of sending thousands of e-mails to America Online users, while posing as AOL's billing department, which prompted customers to submit personal and credit card information. Facing a possible 101 years in prison for the CAN-SPAM violation and ten other counts including wire fraud, the unauthorized use of credit cards, and the misuse of AOL's trademark, he was sentenced to serve 70 months. Goodin had been in custody since failing to appear for an earlier court hearing and began serving his prison term immediately. [Prince, Brian, "Man Found Guilty of Targeting AOL Customers in Phishing Scam", PCMag.com, January 18, 2007, http://www.pcmag.com/article2/0,1895,2085183,00.asp] [Leyden, John, "AOL phishing fraudster found guilty", The Register, January 17, 2007, http://www.theregister.co.uk/2007/01/17/aol_phishing_fraudster/] [Leyden, John, "AOL phisher nets six years' imprisonment", The Register, June 13, 2007, http://www.theregister.co.uk/2007/06/13/aol_fraudster_jailed/] [Gaudin, Sharon, "California Man Gets 6-Year Sentence For Phishing", InformationWeek, June 12, 2007, http://www.informationweek.com/story/showArticle.jhtml?articleID=199903450]
External links
- Anti-Phishing Working Group
- Bank Safe Online - Advice to UK consumers
- SecurityFocus - forensic examination of a phishing attack.
- Center for Identity Management and Information Protection – Utica College
- Plugging the "phishing" hole: legislation versus technology – Duke University School of Law
- E-scams and Warnings Update - Federal Bureau of Investigation
- How the bad guys actually operate – Ha.ckers.org Application Security Lab
- Phishing Group at Indiana University
- Know Your Enemy: Phishing - Honeynet project case study
- The Phishing Guide: Understanding and Preventing Phishing Attacks – TechnicalInfo.net
- Phishing mailing list signup page
- Phishing Threats: Overview - TriCipher.com