Phishing
Social-engineering hacking done through e-mail.
A hacker sends out bogus e-mail, or phish, that looks like it's from the billing or security department of a popular Web destination, advising the recipient that his or her credit-card information is needed to clear up a billing or security problem. The recipient is advised to click on a link that typically looks like it might be from that destination; if he or she does, the hacker then collects credit-card data.
Sometimes, the phish makes the link look even more authentic by using a quirk of Internet addressing that allows for a redirect away from a legitimate site - if you put an "at" symbol after a legitimate address, then follow that by another URL, the browser will send the user to the other URL.
A July, 2003 report from the IDG News Service explains the workings of one such effort:
The boy's scam allegedly worked like this: Posing as AOL, he sent customers e-mail saying there had been a problem with the billing of their AOL account. The e-mail warned AOL customers that if they did not update their billing information, they risked losing their AOL accounts, and it directed customers to click on a hyperlink to connect to the AOL Billing Center.
When customers clicked on the link, they ended at the defendant's site, which included AOL's logo, type style, and links to real AOL Web pages. The defendant's AOL look-alike page directed consumers to enter the numbers from the credit card they had used to charge their AOL account, then asked consumers to enter numbers from a new card to correct the problem. The defendant's page also asked for consumers' names, mothers' maiden names, billing addresses, social security numbers, bank routing numbers, credit limits, personal identification numbers, and AOL screen names and passwords.
The defendant used the information to charge online purchases and open accounts with PayPal, and he used consumers' names and passwords to log on to AOL in their names and send more spam. He also recruited others to participate in the scheme by convincing them to receive fraudulently obtained merchandise he had ordered for himself.
From FTC settles with young ID thief, IDG News Service, 07/21/03.
Additional resources:
Phear of phishing
More detailed look at phishing. Network World, 05/31/04.
Anti-phishing.org
Latest anti-phishing news from an industry group trying to curb the practice. Site has examples of phishing messages and links to related resources.
Latest phishing news from Network World Fusion
Will Facebook's $711 Million Antispam Win Matter?
Oct. 30, 2009
After slapping a restraining order on the Spam King last March, Facebook walloped notorious Sanford Wallace, yesterday winning its $711 million lawsuit for Wallace's violations of the Computer Fraud and Abuse Act, the ...
Twitter Warns of New Phishing Scam
Oct. 29, 2009
Twitter is warning users of a new phishing scam spreading through direct messages on the network, which redirect users to a fake log-in page to steal their passwords.
Twitter warns of new phishing attack
Oct. 28, 2009
Twitter warned users Tuesday of a new phishing scam on the social networking site.
Phishing attacks go down by 45 percent: Symantec
Sep. 16, 2009
Symantec observed a 45 per cent decrease from the previous month in all phishing attacks, according to its September State of Phishing report.
A clever way to increase employee awareness about phishing
Feb. 02, 2009
A Gartner survey shows that phishing attacks soared in 2007, ultimately costing victims of the attacks at least $3.2 billion. As we start 2009, corporate spear phishing - the practice of targeting specific workers in ...
1 2 3 4 5 6 7 8 9 10 
Add a comment
Network World on Twitter: Get our tweets and stay plugged in to networking news
