With the increasing popularity of the Internet, commercial offerings are being used more and more often, particularly in the areas of trade and services. Online auction systems and online banking are good examples.
These types of offerings are enjoying growing popularity worldwide. Within the course of such developments, however, certain individuals will always attempt to use these new possibilities for criminal purposes. One phenomenon in this arena is “phishing”.
Different variations on phishing
Phishing is coined from the words “password” and “fishing”. It symbolises the concept of “fishing for” a legitimate user's password. However, phishing no longer sets its sights merely on acquiring password information; it goes far beyond this. For instance, phishing also includes:
- obtaining complete user registration information (e.g. user name and password)
- obtaining account information (information records such as name, postal address, authorisations)
- obtaining transaction numbers (TANs) used in online banking transactions
- obtaining credit card information
Phishing is generally a precursor to other dubious follow-up activity. For example, the data obtained could be used in order to gain access to restricted online areas, make money transfers at the expense of others, or make online purchases using stolen credit card information. In some cases, data obtained are also sold.
Millions of phishing mails are sent each month
The data are obtained by deceiving authorised users. When delivering this information, the user does not realise that the data are, in fact, being forwarded to the “phisher”; rather, the user assumes that the information is being sent to the destination they have been deluded into thinking is requesting the information (e.g. their bank's server).
In order to help users better understand how phishing works, the most commonly occurring variations are presented below. When phishing occurs, the affected users are forwarded to a website where they are requested to enter their account information. This information is then forwarded to the offender unbeknownst to the victims.
First of all, victims must have a reason for visiting this website. This is often accomplished by sending them an e-mail. Such an e-mail might claim that their user data was deleted due to a technical problem and request that they visit a website in order to verify their data.
The link pointing to this page is included in the e-mail. To the victim, it appears as if this link leads to the corporate website of the company requesting the information, but in reality, the link leads the user to a spurious website. Users who follow the link eventually wind up on the “phisher’s” website. It is designed in such a way as to convince the users that they are on the corporate website of the company that they believe has sent them the e-mail.
After entering the data and clicking on a button, the data are not sent to the company’s server, as the user would assume, but to the “phisher”. Another variation on this ploy is presenting the user with a new page that tricks them into believing that they have logged in successfully and requests that they enter their account information (registration information, credit card information, bank account information, etc.). Once the victim has entered this information, the data are also sent to the “phisher”.
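The deception described above rests on a link whose visible text suggests the company's own website while its real target is the phisher's site. As an added example (not code from naiin or from the original text), the following Python script inspects the HTML body of an e-mail, extracts every link, and flags those whose displayed host name does not belong to the same domain as the host the link actually points to. The message and all domain names below are constructed for illustration; the domain comparison is a deliberately simple approximation (the last two labels of the host name) and does not use a public-suffix list.

```python
"""Flag links in an HTML e-mail whose visible text names one host while the
href points to another. Added example; SAMPLE_MAIL and all domains are
constructed, not taken from a real message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a host name in visible link text,
# with or without an http(s):// prefix.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels
    (assumption: no public-suffix list, so co.uk-style suffixes are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Return one finding per anchor whose displayed host and actual host
    fall under different registrable domains."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if href.startswith(("mailto:", "#")):
            continue
        # Bare "www.host/path" links have no scheme; give urlparse one.
        href_host = urlparse(href if "://" in href else "http://" + href).hostname or ""
        match = HOST_RE.search(text)
        if not match or not href_host:
            # Text like "Click here" shows no host, so there is nothing to compare.
            continue
        shown_host = match.group(1)
        if registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append({"shown": shown_host, "actual": href_host, "href": href})
    return findings


# Constructed sample: one honest link, one deceptive link, one text-only link.
SAMPLE_MAIL = """
<p>Dear customer, your data was deleted due to a technical problem.</p>
<p>Please verify your data at
<a href="https://example-bank.example/">example-bank.example</a> or use
<a href="https://example-bank.example.attacker-controlled.example/verify">
<b>https://www.example-bank.example/login</b></a>.</p>
<p><a href="https://example-bank.example.attacker-controlled.example/x">Click here</a></p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_MAIL):
        print(f"shown {finding['shown']!r} but points to {finding['actual']!r}")
```

Only the second link is reported: its text names www.example-bank.example, while the href leads to a host under attacker-controlled.example. The first link is consistent, and the third shows no host name in its text, so a check of this kind cannot judge it; such links still need to be inspected by hovering over them or examining the message source.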
naiin in the fight against phishing
Above all, the task of educating users and sensitising them to the problem of “phishing” remains an important aspect of naiin’s work. This is because anyone who knows about the dangers of the phishing threat and exercises caution minimises the risk of becoming the victim of an online swindler.
But since, as experience shows, even experts are occasionally fooled by these methods, naiin also engages directly in combating phishing attacks. naiin makes every effort to uncover phishing campaigns as quickly as possible, block websites that are used for the purpose of phishing, and identify the individuals behind these activities.
But the initiative relies on the support of Internet users. Users who receive phishing mails can forward them to hotline@naiin.org.