Time to Phish


Hey there!!
This is a layman's guide to the most common types of hacking. It is not a tutorial on hacking, just a guide to keep our fellow netizens aware and safe.


The first chapter of this guide is about:

PHISHING 
Just like the name suggests, phishing, a crossover between 'fishing' and 'phreaking' (a term used back in the day by the pioneers of hacking), is a fraud used to literally 'fish' out sensitive data like usernames, passwords or even credit card or banking details from your computer.

“What do they use for bait?”, you ask?
The answer is anything, including the kitchen sink.

You see, we humans have evolved to a point where free worms don't exactly 'entice' us like they do a fish. We, on the other hand, fall for fraud emails, link manipulation, website forgery and in some cases even fake phone calls. We'll look at each of these one by one.

Fraud Emails
All of us at one point or the other have received mails suggesting a big lottery win, some elderly couple looking for an heir, a manager of some big bank willing to share some moolah with you, or in some cases a miraculous cure for baldness, obesity and even cancer and AIDS.

Following is an example of a poorly constructed fraud email:



Though some fraud emails might not be this obvious, all of them follow a few basic patterns:
1. An eye-catching subject.
2. Official and convincing language.
3. Some enticing offer, or a problem that demands immediate action on your part.
4. A demand for crucial or, in some cases, just basic information.
5. A chance to start an interaction with the user, which may later be exploited by the fraudster using his/her social engineering skills.

Link Manipulation
Like most methods of phishing, this also uses a 'technical' fraud, especially one related to URLs. Misspelled URLs or misleading subdomains are commonly used by phishers.

1. In the following example URL, http://www.xyz.abc.com/, it looks like the URL will take you to the abc section of the xyz website; actually this URL points to the 'xyz' (i.e. phishing) section of the abc website, because 'xyz' is only a subdomain and abc.com is the site the browser really connects to. This 'xyz' may be anything: your bank, your social networking site, your email provider etc. Once you are in their playground, they will put a matching copy of the real page there and 'phish' you of your sensitive data, like this:
2. An old method of spoofing used links containing the '@' symbol. For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com (everything before the '@' is treated as a username, not as the site).


The link in the above image may 'resemble' that of Google AdWords, but it's NOT; it's a phishing attempt. Anyone who enters his/her username and password on that page can kiss it goodbye.
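As an added illustration (not part of the original post), here is a small Python checker that shows where the two links above really lead, using Python's standard URL parser. The brand list and the 'last two labels' rule for the site's domain are simplifications assumed here, not a real phishing filter.

```python
from urllib.parse import urlsplit

# Constructed list of names a reader expects to be the real site.
# 'xyz' stands in for your bank's name, as it does in the post above.
WATCHED_BRANDS = {"google", "xyz"}


def real_host(url: str) -> str:
    """Host the browser actually connects to.

    Anything before an '@' in the authority is userinfo (a username),
    not the host; that is exactly what the old '@' trick relies on.
    """
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels, e.g. 'abc.com' for 'www.xyz.abc.com'.

    Assumption: a real checker should use the Public Suffix List so that
    hosts such as 'bank.co.uk' are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_link(url: str) -> dict:
    """Report the true destination and any misleading parts of the link."""
    parts = urlsplit(url)
    host = real_host(url)
    domain = registrable_domain(host)
    warnings = []

    userinfo = (parts.username or "").lower()
    if userinfo:
        warnings.append(f"'{userinfo}' before '@' is a username, not the site; "
                        f"the browser goes to {host}")

    # Labels to the left of the registrable domain are just subdomains.
    prefix = host[: -len(domain)].rstrip(".") if host != domain else ""
    for label in prefix.split(".") if prefix else []:
        if label in WATCHED_BRANDS:
            warnings.append(f"'{label}' is only a subdomain; the site is really {domain}")

    for label in userinfo.split("."):
        if label in WATCHED_BRANDS:
            warnings.append(f"'{label}' was placed before '@' to mislead; "
                            f"the site is really {domain}")

    return {"host": host, "domain": domain, "warnings": warnings}
```

Run `analyse_link("http://www.google.com@members.tripod.com/")` to see the host come back as members.tripod.com with two warnings.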

Website Forgery
Once a victim visits the phishing website, the fraud is still on. Some phishers use commands in various scripting languages to alter the address bar. To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have started to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object. A newer trick, called tabnabbing, uses the multiple-tab feature of the browser to secretly redirect the user to the phishing page.
Following are the genuine and fake pages of a nationalized bank in India:



The difference is literally invisible to a layman, but someone's whole life's earnings might be lost because of this.

Other Techniques
1. Phone phishing using VoIP to spoof the area code, and SMS phishing (smishing).
2. Keyloggers and screenloggers that attach themselves to the browser and pass on sensitive data to the phisher.
3. DNS-based phishing (pharming): phishers tamper with a company's hosts files or domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site.
4. Search engine phishing occurs when phishers create websites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines.
The list goes on and on and on... In short, more techniques are being thought up every day, some even as you read this.

These are some precautions that you can take:


  • If you get an email or pop-up message that asks for personal or financial information, do not reply.
  • Area codes can mislead, so don't trust legitimate-looking phone numbers.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
  • Don't email personal or financial information.
  • Review credit card and bank account statements as soon as you receive them.
  • Be cautious about opening any attachment or downloading any files from emails.
  • If you believe you've been scammed, file your complaint with the concerned authorities.
  • Details of cyber cells in India can be found here.




The following is a free non-commercial video from Commoncraft.com, hosted on YouTube, explaining phishing in plain English:



