The 'Phishing' scam

From Wikipedia:

"In computing, phishing is a criminal activity using social engineering techniques. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out using email or an instant message.[1] Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.[2] Phishers often direct users to give details at a website, although phone contact has been used as well.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures."

and

"Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website that it leads to), appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.yourbank.com.example.com.

"Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site.

"An old method of spoofing links used links containing the @ symbol, originally intended as a way to include a username and password in a web link (contrary to the standard). For example, the link http://www.google.com@members.tripod.com might deceive a casual observer into believing that the link will open a page on www.google.com, whereas the link actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied."

A typical bank account phish. As you can see below, the spamvertised URL looks legitimate, with a domain name of nwolb.com, BUT when the mouse is hovering over this URL, the correct URL is shown in the bottom left-hand corner of the browser window. In this case the actual domain that the phish goes to is located at netsolhost.com! Once at the phishing website, you are asked for your online account ID, your online PIN number and your security word.


A standard PayPal account phish. The scammer quotes an unauthorised attempt to access my account, which I have to check by going to the website www.paypal.com... BUT... the actual website, hidden in the HTML coding of the spam, is at www.paypal.com|account-registration´00@webmail.daedong.ac.kr/account-verification/



A good quality eBay phish. As stated above, the spamvertised URL looks legitimate, with a domain name of ebay.com, BUT when the mouse is hovering over this URL, the correct URL is shown in the bottom left-hand corner of the browser window. In this case the actual domain that the phish goes to is located at security-validation-your-account.com! Once at the phishing website, you are asked for your eBay user ID and password. A second page then asks for other details such as name, address, phone number, credit card number, credit card security code, bank name, bank account number, bank account sort code, bank card number, bank card security code, bank card PIN number, date of birth, mother's maiden name and social security number!
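
The link tricks described in the Wikipedia excerpt and visible in the phish above (anchor text that names one site while the link goes to another, a trusted name placed before an @, and a trusted name used only as a subdomain) can be checked mechanically by a mail filter. The following Python code is an added example, not part of the original page; the BRANDS watch list, the function names and the sample message body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = ("yourbank.com", "google.com", "nwolb.com")  # assumed watch list

def norm(host):  # lowercase a hostname and drop a leading "www."
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def shown_host(text):  # host the anchor text claims to be, None if not URL-like
    text = text.strip()
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "http://" + text).hostname

def check_link(href, anchor_text=""):  # warnings for one link, in fixed order
    parts, findings = urlsplit(href), []
    host = norm(parts.hostname)
    if "@" in parts.netloc:                # trusted name placed before an @
        findings.append("userinfo")
    shown = shown_host(anchor_text)
    if shown and norm(shown) != host:      # text names one site, href another
        findings.append("text-mismatch")
    if any(f".{b}." in f".{host}." and not f".{host}".endswith(f".{b}") for b in BRANDS):
        findings.append("brand-in-subdomain")  # brand is only a subdomain label
    return findings

class LinkExtractor(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, self._text))
            self._href = None

def scan_email(html):  # map each href in an HTML body to its warnings
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed message body; the hosts are the ones named on this page.
SAMPLE = ('<a href="http://netsolhost.com/">https://www.nwolb.com/</a>'
          '<a href="http://www.google.com@members.tripod.com">Search</a>'
          '<a href="http://www.yourbank.com.example.com">Log in</a>')
```

scan_email(SAMPLE) returns one warning list per link; a link whose text and target agree, such as http://www.yourbank.com/login shown as www.yourbank.com, returns an empty list.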




