Phishing is a cybercrime that targets Internet user communities worldwide by deceiving these users into providing online account usernames, passwords and/or other personal information to websites impersonating legitimate websites, or by stealing such information via mounted malware or through social engineering means. Generally, phishing harms users by disclosing sensitive information to illegitimate parties, posing a risk of financial loss (e.g. phishing to steal client credit card information and using it to carry out illegitimate monetary transactions), and/or impersonation (e.g. impersonating an Internet user to open a bank account, or the like, for laundering money or for other nefarious activities).
The Anti-Phishing Working Group (APWG) defines phishing as “a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials”. Pharming is a phishing tactic, described by the Chinese University of Hong Kong (CUHK) as an attack that redirects users to bogus destinations, such as fraudulent websites or proxy servers, typically through DNS server hijacking or poisoning.
Presently, more than a dozen tactics are available in phisher arsenals; some are broad tactics and others are tailored to special purposes. These tactics can be broadly classified into three general classes based on the approach followed: sensitive data collection tactics, social engineering tactics, and attacking tactics.
Sensitive data collection tactics might include: so-called Domain Name System (DNS) poisoning; host file poisoning; content injection, causing page redirects, pop-up windows, etc.; malware, such as keystroke loggers, screen capturers, etc.; rogue software, also known as “rogue-ware,” such as a “Rogue DHCP” service in a LAN, which may disclose sensitive information; rogue hardware, such as rogue Wi-Fi access points, enabling phishers to redirect packets and thereby decode content therein; inline packet sniffing, such as tapping into a wire to eavesdrop on transmitted information; and/or direct system hacking.
Social engineering tactics might include: search engine poisoning; spam Uniform Resource Locators (URLs); and/or direct fraud, such as Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM) fraud that targets Short Message Service (SMS) based one-time passwords sent to users with the intent of providing stronger authentication.
Attacking tactics might include: so-called Man-in-the-Middle (MitM) passive attacks; MitM active attacks; and/or so-called Man-in-the-Browser (MitB) attacks that may include one or more of the previously mentioned tactics.
Large organizations and governments typically strive to protect their information and operations, and raise client trust, by following strict rules and policies in parallel with adopting the latest technological means to protect information from phishing and similar online fraud. Anti-phishing solutions can be classified based on the front upon which they fight phishing. For example, network-based solutions may employ intrusion detection and/or intrusion prevention systems, network access control, and/or the like. Application-based solutions may include phishing filters, anti-virus software, and the like. Infrastructure-based solutions might make use of DNS security extensions, gateway URL filters, and the like. Hardware-based solutions might employ one-time password tokens, integrated circuit chip cards under EUROPAY®, MASTERCARD® and VISA® (EMV) standards, and/or the like. Regulations and enterprise policies may require mutual and/or multifactor authentication as a solution. Cyber intelligence services, such as those provided under the tradename FRAUDACTION® by RSA®, may also be employed as one solution. User-focused solutions might employ phishing and/or online fraud awareness campaigns, or the like.
Since phishing can be carried out by varied tactics on varied fronts, it is difficult to contain. Furthermore, phishing has become highly organized, with rings being formed that span multiple countries, employing thousands of nodes connected to the Internet. These nodes have their roles rotated in implementing the various tactics discussed above to avoid tracking and shutdown operations by authorities. Thus, at present, virtually no solution is capable of effectively preventing phishing and similar online fraud.