Phishing is an attempt to grab sensitive information and identity, such as credit card details (while doing online transactions or e-marketing, and so indirectly money) or the username and password of a personal e-mail account or social networking site. The term phishing sounds like fishing because bait is used to catch the victim, just as bait is used to catch a fish.
This chapter is not meant to motivate you to perform phishing; it educates you on keeping yourself safe from such attacks.
Areas Where Phishing Can Be Performed
Auction websites, online shopping sites, social networking websites, bank websites and online payment processing websites are the areas hackers commonly target, because a large number of unsuspecting victims can be tempted there. The attack is carried out through instant messaging (IM) or spoofed e-mail, and it often compels users of those websites to enter their username, password, PIN or other secret codes at a fake website which looks and feels precisely like the legitimate one. Phishing is the logical form of a social engineering attack: it deceives the victim. Now think like a victim: a phishing scam sends you links that are supposed to take you to a trusted site. It could also be an e-mail that seems to come from your bank and urges you to log in to your account. As soon as you use your username and password to sign in, the hackers get them and gain malicious access to your account.
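The "link that is supposed to take you to a trusted site" described above usually works because the text a mail client displays for a link and the address the link actually opens are two different things. The following added example (not code from the chapter) parses the anchors in an HTML e-mail body and reports those whose visible text names one domain while the href leads somewhere else. The parser, the comparison rule and the sample e-mail are all constructed for this demonstration; the domains are reserved example names.

```python
"""Report links in an HTML e-mail whose visible text and href disagree.

Added example, not part of the chapter. Everything here (the parser, the
registered-domain rule and SAMPLE_EMAIL) is constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # list of (href, text)
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)   # text nested inside <b>, <span>, ... is kept too

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). A production check would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url_or_text):
    """Host name of a URL, or of link text that is a bare domain like 'examplebank.com/help'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


# Visible text that makes a claim about the destination: a URL or a bare domain.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def deceptive_links(html_body):
    """Return [{'shown': text, 'actual': href}] for anchors whose text names a
    different registered domain than the href actually opens."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not LOOKS_LIKE_URL.match(text):
            continue   # "click here" style text carries no claim about the destination
        shown = registered_domain(host_of(text))
        actual = registered_domain(host_of(href))
        if shown != actual:
            findings.append({"shown": text, "actual": href})
    return findings


# Constructed sample in the style of the bank e-mail described above.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended.</p>
<p>Log in at <a href="http://198.51.100.7/login">https://www.examplebank.com/login</a>
within 24 hours.</p>
<p>Questions? <a href="https://examplebank.com/help">examplebank.com/help</a>
or <a href="https://examplebank.com/contact">contact us</a>.</p>
"""

if __name__ == "__main__":
    for finding in deceptive_links(SAMPLE_EMAIL):
        print(f"shown: {finding['shown']}  ->  actually opens: {finding['actual']}")
```

Only the first anchor is reported: its text claims `www.examplebank.com` but the href opens a bare IP address. The second anchor's text and href agree, and "contact us" is skipped because plain words make no claim about where the link goes. Comparing registered domains rather than full host names keeps `www.examplebank.com` and `examplebank.com` from being flagged as a mismatch.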
Types of Phishing
To become an Ethical Hacker or Cybersecurity expert, you must know the techniques that can be used in a Phishing attack. Let's check out some of the phishing types and sub-categories:
- Instant Messaging: the user gets a message containing a link that directs the target user to a fake phishing website that looks like the original one. If the user doesn't look at the URL (Uniform Resource Locator), it is hard to tell the counterfeit from the original.
- Spamming: phishers, or digital criminals performing phishing activity, send the same e-mail to millions of users requesting them to fill in their personal details. These details are then used by the phishers for illicit activities.
- Trojan Horse as Host: these are hidden hacker programs that log into user accounts to collect the victim's information; the acquired information is transferred to its creator, the phisher who sent it.
- Web-based Delivery: also termed a 'Man in the Middle' (MITM) attack, where the attacker secretly relays and/or alters the communication between two parties. Here the phisher stands between the legitimate website and the user. As the sensitive data is passed, the phisher receives that information without the user's consent or knowledge.
- Phishing using a Keylogger: keyloggers are malicious programs that record every keystroke made by the user of the infected computer in order to gain fraudulent access. These keystrokes are then sent by the keylogger program directly to
- Phishing using Content Injection: content injection is a method used by phishers to replace part(s) of the content on a trusted website's page, usually to mislead the user into going to a page outside the legitimate website, where the user is asked to enter personal information.
- Phishing through Search Engines: search engines are also used for phishing scams, where users are directed to product sites offering low-cost products or services. When the user tries to buy the products by entering credit card details, those details are collected by the phisher's site. Such pages are developed in server-side languages such as PHP, ASP or JSP.
- Phone-based Phishing: in this technique, the phisher calls the targeted user and asks them to dial a number. Here, the phisher's purpose is to get bank account information over the phone. Phone phishing is mainly done with a fake caller ID.
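Several of the types above (instant messaging, spamming, content injection) come down to a link whose host name merely resembles a site the victim trusts. The following added example (not code from the chapter) shows the checks a mail or chat filter can run on every URL in a message: a non-ASCII or punycode label (a homoglyph of a trusted name), a trusted brand name buried inside an unrelated registered domain, and a near-miss spelling (typosquat) measured by edit distance. The trusted-domain list, the distance threshold and the sample message are constructed for the demonstration.

```python
"""Classify the host name of every link found in a message.

Added example, not part of the chapter. TRUSTED_DOMAINS, TYPOSQUAT_DISTANCE
and SAMPLE_MESSAGE are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list; in practice this comes from the organisation's own records.
TRUSTED_DOMAINS = {"examplebank.com", "example-shop.com"}
TYPOSQUAT_DISTANCE = 2   # edit distance at or below which a name counts as a near miss

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host):
    """Crude eTLD+1: the last two labels. A production check would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", "")
    # Homoglyph tricks: a Cyrillic letter in place of a Latin one is not ASCII, and
    # an internationalised label on the wire starts with "xn--".
    if not host.isascii():
        return ("suspicious", "non-ASCII characters in host name (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "punycode label in host name")
    # A trusted brand used as a subdomain or fragment of some other registered domain,
    # e.g. examplebank.com.login-verify.net
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            return ("suspicious", f"trusted name '{brand}' inside unrelated domain {reg}")
    # Near-miss spellings such as a swapped or substituted letter
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(reg, trusted) <= TYPOSQUAT_DISTANCE:
            return ("suspicious", f"'{reg}' is a near miss of {trusted}")
    return ("unknown", "")


def scan_message(text):
    """Return [(url, verdict, reason)] for every http(s) URL in the message."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")   # drop trailing punctuation captured from the prose
        host = urlsplit(url).hostname or ""
        verdict, reason = classify_host(host)
        findings.append((url, verdict, reason))
    return findings


# Constructed sample in the style of the instant-messaging phish described above.
SAMPLE_MESSAGE = (
    "Security alert: unusual sign-in. Confirm your identity at "
    "https://examplebank.com.login-verify.net/confirm within 24 hours, "
    "or read the notice at https://www.examplebank.com/security."
)

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}  {reason}")
```

The ordering of the checks matters: a host is only ever compared against the allow-list by its registered domain, so `www.examplebank.com` is trusted while `examplebank.com.login-verify.net` is not, because its registered domain is `login-verify.net`. The edit-distance threshold is deliberately small; raising it trades fewer missed typosquats for more false alarms on unrelated short names.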
Protection and Countermeasures Against Phishing
- Use trusted security software.
- Never ever give personal information over e-mail or private messages.
- Be cautious while opening links and attachments, which may be malicious.
- Use an on-screen keyboard to type sensitive information such as passwords and PINs.