What Is Phishing (Or, How to Fight Phishing at the User-Interface Level)
Pages: 1, 2, 3, 4, 5, 6

Attack Techniques

Phishing attacks use a variety of techniques to make the presentation of an email message or web page deceptively different from its implementation. In this section, we catalog a few of the techniques that have been seen in the wild:

Copying images and page designs

Similar domain names

Another way that users authenticate web sites is by examining the URL displayed in the address bar. To deceive this indicator, the attacker may register a domain name that bears a superficial similarity to the imitated site's domain. Sometimes a variation in capitalization or use of special characters is effective. Because most browsers display the URL in a sans-serif font, paypaI.com has been used to spoof paypal.com, and barcIays.com to spoof barclays.com. More commonly, however, the fake domain name simply embeds some part of the real domain: ebay-members-security.com to spoof ebay.com, and users-paypal.com to spoof paypal. Most users lack the tools and knowledge to investigate whether the fake domain name is really owned by the company being spoofed.

URL hiding

Another way to spoof the URL took advantage of a little-used feature in URL syntax. A username and password could be included before the domain name, using the syntax http://username:password@domain/. Attackers could put a reasonable-looking domain name in the username field, and obscure the real domain amid noise or scroll it past the end of the address bar (e.g., http://earthlink.net%6C%6C...%6C@211.112.228.2). Recent updates to web browsers have closed this loophole, either by removing the username and password from the URL before displaying it in the address bar or (in the case of Internet Explorer) by simply forbidding the username/password URL syntax entirely.

IP addresses

The simplest expedient for obscuring a server's identity is to display it as an IP address, such as http://210.93.131.250. This technique is surprisingly effective. Because many legitimate URLs are already filled with opaque and incomprehensible numbers, only a user knowledgeable enough to parse a URL, and alert enough to actually do so, is likely to be suspicious.

Deceptive hyperlinks

The text of a hyperlink is completely independent from the URL to which it actually points. Attackers exploit this built-in distinction between presentation and implementation by displaying one URL in the link text, while using a completely different URL underneath. Even a knowledgeable user, having seen an explicit URL in the message, may not think to check its true URL. The standard means for checking the destination of a hyperlink—hovering over it and examining the URL in the status bar—may also be spoofed, using JavaScript or URL hiding techniques.
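As an added example (not part of the original article), here is a small Python checker that flags the URL cues described in the preceding four sections: a username before the host, an IP-address host, a lookalike or brand-embedding domain, and link text that names a different host than the link target. The list of known domains and the confusable-glyph table are assumptions constructed for the example, not data from the article.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domains the checker treats as legitimate. Constructed list for this example.
KNOWN_DOMAINS = ("paypal.com", "ebay.com", "barclays.com", "earthlink.net", "citibank.com")

# Glyphs that look alike in the sans-serif fonts most address bars use:
# capital I and digit 1 for lowercase l, digit 0 for letter o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

def registrable(host):
    """Last two labels, lowercased: a crude stand-in for the registrable domain
    (assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_url(url, link_text=None):
    """Return the list of deceptive-URL cues triggered by url and, optionally,
    by the anchor text a message displays for it."""
    parts = urlsplit(url)
    # urlsplit lowercases .hostname, which would erase an I-for-l swap, so keep
    # the host as written too (IPv6 bracket literals are out of scope here).
    shown = parts.netloc.rpartition("@")[2].split(":")[0]
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        findings.append("userinfo-in-url")        # http://user:pass@real-host/
    if is_ip_literal(host):
        findings.append("ip-address-host")        # http://210.93.131.250/
    else:
        dom = registrable(shown)
        if dom not in KNOWN_DOMAINS:
            if registrable(shown.translate(CONFUSABLES)) in KNOWN_DOMAINS:
                findings.append("lookalike-domain")   # paypaI.com -> paypal.com
            brands = (k.split(".")[0] for k in KNOWN_DOMAINS)
            if any(b in dom for b in brands):
                findings.append("brand-embedded-in-other-domain")  # users-paypal.com
    # Deceptive hyperlink: the text looks like a URL but names a different host.
    m = re.match(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)", (link_text or "").strip(), re.I)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append("link-text-host-mismatch")
    return findings
```

A mail filter or browser extension would run this over every link in a message and surface the cue names to the user; a legitimate link such as http://www.paypal.com/ produces an empty list.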

Obscuring cues

Instead of tweaking URLs, a sophisticated attack may spoof identification cues like the address bar or the status bar by replacing them entirely. One recent attack used JavaScript to create a small, undecorated window on top of Internet Explorer's address bar, displaying a completely innocent URL. [6]

Pop-up windows

A recent attack against Citibank customers [7] has taken page copying a step further, by displaying the true Citibank web site in the browser but popping up an undecorated window on top to request the user's personal information.

Social engineering

Phishing attacks also use nontechnical approaches to persuade users to fall for the attack. One tactic is urgency: the user is made to feel rushed to comply and is therefore less likely to take time to check the message's authenticity. Another tactic is a threat of dire consequences if the user fails to comply, such as terminating service or closing accounts. A few attacks promise big rewards instead ("You've won a great prize!"), but threatening attacks are far more common. It may be human nature that users would be more suspicious of getting something for nothing.

Phishing attacks to date have several other noteworthy properties:

Short duration

Most phishing web sites exist for a very short period of time, on the order of days or even hours.

Sloppy language

Many phishing messages have misspellings, grammar errors, or confusing wording.
