What Is Phishing (Or, How to Fight Phishing at the User-Interface Level)by Simson Garfinkel, Lorrie Faith Cranor, authors of Security & Usability
- Phishing (also known as carding or spoofing) derives its name from the use of sophisticated lures (such as emails designed to look like they come from a real company or institution) that are created by unsavory characters to "fish" for users' financial information, credit card details, and passwords.
In This Article:
As people increasingly rely on the internet for business, personal finance, and investment, internet fraud becomes a greater and greater threat. Internet fraud takes many forms, from phony items offered for sale on eBay, to scurrilous rumors that manipulate stock prices, to scams that promise great riches if you will help a foreign financial transaction through your own bank account.
One interesting and fast-growing species of Internet fraud is phishing. Phishing attacks use email messages and web sites designed to look as if they come from a known and legitimate organization, in order to deceive users into disclosing personal, financial, or computer account information. The attacker can then use this information for criminal purposes, such as identity theft, larceny, or fraud. Users are tricked into disclosing their information either by providing it through a web form or by downloading and installing hostile software.
A phishing attack succeeds when a user is tricked into forming an inaccurate mental model of an online interaction and thus takes actions that have effects contrary to the user's intentions. Because inferring a user's intentions can be difficult, building an automated system to protect users from phishing attacks is a challenging problem.
Phishing attacks are rapidly increasing in frequency; many are good enough to fool users. According to the Anti-Phishing Working Group (APWG),  reports of phishing attacks increased by 180% in April 2004 alone, and by 4,000% in the six months prior to April. A recent study done by the antispam firm MailFrontier Inc. found that phishing emails fooled users 28% of the time.  Estimates of losses resulting from phishing approached $37 million in 2002. 
Anatomy of a Phishing Attack
The Anti-Phishing Working Group collects and archives examples of phishing attacks, a valuable service because the web site used in an attack exists only for a short time. One example on APWG is an attack against eBay customers, first reported on March 9, 2004. 
The attack begins when the potential victim receives an email (Figure 1), purporting to be from eBay, that claims that the user's account information is invalid and must be corrected. The email contains an embedded hyperlink that appears to point to a page on eBay's web site. This web page asks for the user's credit card number, contact information, Social Security number, and eBay username and password (Figure 2).
Beneath the surface, however, neither the email message nor the web page is what it appears to be. Figure 3 breaks the deception down schematically. The phishing email resembles a legitimate email from eBay. Its source (listed in the "From:" header) appears to be S-Harbor@eBay.com, which refers to the legitimate domain name for eBay Inc. The link embedded in the message also appears to go to eBay.com, even using an encrypted channel ("https:"). Based on these presentation cues and the content of the message, the user forms a mental model of the message: eBay is requesting updated information. The user then performs an action, clicking on the embedded hyperlink, which is presumed to go to eBay. But the user's action is translated into a completely different system operation—namely, retrieving a web page from IP address 18.104.22.168, a server from a communication company registered in Seoul, South Korea. This company has no relationship with eBay Inc.
The phishing web site follows a similar pattern of deception. The page looks like a legitimate eBay web page. It contains an eBay logo, and its content and layout match the format of pages from the actual eBay web site. Based on this presentation, the user forms a
Figure 1. Screenshot of a phishing email (source: Anti-Phishing Working Group)
mental model that the browser is showing the eBay web site and that the requested information must be provided in order to keep the user's eBay account active. The user then performs an action, typing in personal and financial data and clicking the Submit button, with the intention of sending this information to eBay. This action is translated by the web browser into a system operation, encoding the entered data into an HTTP request sent to 22.214.171.124, which is not a legitimate eBay server.