Deep Focus: Phishing Technique

Phishing is a well-known technique used by cyber criminals to obtain your credentials. The attacker tries to get users to enter information such as identity details, passwords or financial details into a form on a site the attacker controls. The most common delivery is an email with an enticing pretext (a lottery win, a request for help, and so on) that asks the reader to click a link. The link leads to the attacker's site, which usually asks the visitor to fill in their information. Besides email, the link can be sent through chat, social network services, or placed on a web page. At the moment phishing mostly targets customers of banks and online payment services.

Although this is nothing new, the technique keeps finding victims. That is partly because the attackers who use it have become more sophisticated, and partly because of a general lack of cyber security awareness. Phishing has become a continual threat that keeps growing to this day.

Phishing was first described in 1987 and first put into practice in 1995 by Jason Shannon of AST Computers, who expected victims to click on a link and hand over their financial information and passwords. Early phishing ran over AOL, where users traded pirated software, and moved on to the misuse of credit cards and other e-payment methods in financial services. In recent years phishing has also been used against retail banks and other financial institutions.

There are many types of phishing, such as:

– Link manipulation

The attacker builds a link that looks credible but is not: it is a manipulated link that delivers you to the phisher's site. Look closely at the domain name. It usually resembles the real one with a small change, such as a substituted or transposed character, a look-alike character (a digit 1 for the letter l), or the trusted name used as a subdomain of an unrelated domain. In HTML mail, also compare the visible text of a link with where it actually points; the two need not match.

– Website forgery

The phisher creates a fake copy of a site you intend to visit, so that the link you follow lands on their server instead. An attacker can also turn flaws in a trusted website's own scripts against the victim, for example an open redirect or a cross-site scripting bug: the URL is crafted to exploit the flaw, so it genuinely points at the legitimate domain and is very difficult to spot without specialist knowledge.

– Spear phishing

Spear phishing is directed at specific individuals or companies. Attackers may first collect personal information about the victims and use it to make the message convincing. So far this is the most successful form of phishing.

– Clone phishing

A legitimate, previously delivered email containing an attachment or link has its content and recipient address copied to create an almost identical (clone) email. The attachment or link is replaced with a malicious version, and the clone is sent from an address spoofed to appear to come from the original sender.

– Whaling

This term covers phishing aimed at executives and other senior management positions.

– Rogue WiFi (MitM)

The attacker sets up a free WiFi access point and configures it to run man-in-the-middle (MitM) attacks, often with tools such as sslstrip, against every client that connects. sslstrip works by rewriting HTTPS links to plain HTTP before they reach the victim; sites that send HTTP Strict Transport Security (HSTS) headers, and browsers that enforce them, limit this downgrade.
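The link checks described under link manipulation and website forgery (a look-alike domain, a trusted name buried in another domain, link text that disagrees with the href, and a redirect parameter on a trusted site that bounces the victim elsewhere) can be automated against the anchors in an HTML mail body. The following is an added example and not code from the original article; the trusted-domain list, the confusable-character table and the sample email are constructed for illustration.

```python
# Added example (not from the original article): link checks for an HTML e-mail body.
# TRUSTED_HOSTS, CONFUSABLES and SAMPLE_EMAIL_HTML are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Domains the organisation trusts; anything that merely resembles them is suspect.
TRUSTED_HOSTS = ("paypal.com", "example-bank.com")
# Character substitutions commonly used to fake a trusted domain.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
# Link text that itself looks like a URL or host name.
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def levenshtein(a, b):
    """Edit distance; used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude 'name.tld' extraction; production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_host(host):
    """Reasons why `host` looks like a manipulated link target (empty list if none)."""
    host = (host or "").lower()
    dom = registrable(host)
    if dom in TRUSTED_HOSTS:
        return []
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN host")
    lookalike = dom
    for fake, real in CONFUSABLES.items():  # paypa1.com -> paypal.com
        lookalike = lookalike.replace(fake, real)
    for trusted in TRUSTED_HOSTS:
        if trusted in host:  # e.g. paypal.com.evil.test
            reasons.append(f"trusted name '{trusted}' inside another domain")
        elif lookalike == trusted:
            reasons.append(f"look-alike characters for '{trusted}'")
        elif levenshtein(dom, trusted) <= 2:
            reasons.append(f"typo-squat of '{trusted}'")
    return reasons


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html):
    """Map each suspicious href in `html` to the list of reasons it was flagged."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.anchors:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like are out of scope here
        reasons = classify_host(target.hostname)
        # Visible text shows one site while the href points at another.
        if URL_TEXT.match(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if registrable(shown.hostname or "") != registrable(target.hostname or ""):
                reasons.append(f"text shows {shown.hostname} but href goes to {target.hostname}")
        # A trusted site's own redirect bouncing the victim to a phishing host.
        for key, values in parse_qs(target.query).items():
            for value in values:
                inner = urlparse(value)
                if inner.scheme in ("http", "https") and inner.hostname:
                    reasons.append(f"redirect parameter '{key}' -> {inner.hostname}")
                    reasons += classify_host(inner.hostname)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: a "limited account" lure with two bad links and one clean one.
SAMPLE_EMAIL_HTML = """
<a href="https://paypa1.com/secure">https://www.paypal.com/secure</a>
<a href="https://example-bank.com/login?next=https://example-bank.com.evil.test/">Log in</a>
<a href="https://www.example-bank.com/help">Help centre</a>
"""
```

Running `analyze_links(SAMPLE_EMAIL_HTML)` flags the first link twice (look-alike characters, and link text that names a different host than the href) and the second link for its `next` redirect parameter pointing at a domain that merely contains the trusted name; the plain help link passes. The registrable-domain extraction is deliberately naive, so a real deployment should use a public-suffix list and a fuller confusables table.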

Considering that phishing can cause serious losses, from stolen email credentials to direct financial loss, it is wise to take preventive action.

In general, two approaches are needed to avoid phishing.

The first is the social approach, where education and training raise awareness of phishing techniques and their consequences. Pay attention to details: the sender's actual address, not just the display name; your browsing habits; and the URL you are about to open. When in doubt, contact the company through a channel you already know and confirm the message before taking any further action.

The second is the technical approach: anti-phishing software on your devices and mail filtering at the server. Such tools warn about known phishing sites, check that the connection is secured (HTTPS with a valid certificate), raise basic security alerts, and divert phishing mail into the spam folder based on sender authentication results.
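One concrete piece of the technical approach is a mail-filter rule that reads the sender-authentication results a receiving server already records (SPF, DKIM and DMARC in the Authentication-Results header) and checks that a display name invoking a protected brand actually comes from that brand's domain, which also catches the spoofed sender of a clone phishing message. The following is an added example, not code from the original article; the brand list and the three sample messages are constructed, and the rule is a simplification of real DMARC evaluation, which also applies the domain's published policy.

```python
# Added example (not from the original article): header-based triage of incoming mail.
# PROTECTED_BRANDS and the sample messages are constructed for illustration.
import email
import email.utils
import re
from email import policy

INBOX, SPAM = "Inbox", "Spam"
# Brand names that should only appear in a display name when From is that brand's domain.
PROTECTED_BRANDS = {"paypal": "paypal.com", "example bank": "example-bank.com"}


def parse_auth_results(value):
    """Pull spf/dkim/dmarc outcomes out of an Authentication-Results header value.
    Methods that are absent default to 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
        results[method.lower()] = outcome.lower()
    return results


def from_parts(msg):
    """Lower-cased display name and domain of the From header."""
    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return display.lower(), domain


def classify(raw):
    """Return (folder, reasons): Spam when authentication or brand alignment fails."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    display, domain = from_parts(msg)
    reasons = []
    if auth["dmarc"] == "fail":
        reasons.append(f"DMARC failed for {domain}")
    elif auth["dmarc"] != "pass" and "pass" not in (auth["spf"], auth["dkim"]):
        reasons.append("no passing SPF or DKIM result")
    for brand, brand_domain in PROTECTED_BRANDS.items():
        aligned = domain == brand_domain or domain.endswith("." + brand_domain)
        if brand in display and not aligned:
            reasons.append(f"display name claims '{brand}' but From domain is {domain}")
    return (SPAM if reasons else INBOX), reasons


# Constructed samples. The clone passes SPF for the attacker's own domain, so only the
# display-name check catches it; the spoof fails DMARC outright; the real mail passes.
CLONE_PHISH = """\
From: "PayPal Service" <service@paypal-billing.example>
To: victim@example.org
Subject: Your invoice (resent)
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal-billing.example;
 dkim=none; dmarc=none header.from=paypal-billing.example

Please review the attached invoice again.
"""
SPOOFED = """\
From: "Example Bank" <alerts@example-bank.com>
To: victim@example.org
Subject: Unusual sign-in
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example-bank.com;
 dkim=fail header.d=example-bank.com; dmarc=fail header.from=example-bank.com

Confirm your identity at the link below.
"""
LEGIT = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

Thanks for your payment.
"""
```

`classify(CLONE_PHISH)` lands in Spam purely on the brand-alignment check, `classify(SPOOFED)` on the DMARC failure, and `classify(LEGIT)` goes to the inbox. Trusting the Authentication-Results header only makes sense when your own mail server wrote it and strips any copy the sender supplied, which is what the header's authserv-id field is for.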