Carding 4 Carders
The first phishing attacks appeared at the end of the last century, and today, according to Google estimates, about 12.4 million users worldwide fall victim to phishing every year. Although traditional phishing methods are gradually becoming a thing of the past, this type of fraud still poses a serious threat to individuals and companies.
Rusbase takes a closer look at the term.
Navigating the article:
1. What is phishing
2. The history of phishing
3. What is the purpose of phishing
4. Types and schemes of phishing attacks
5. Protection against phishing
6. Phishing in the world
7. Conclusion
What is phishing
Phishing (from "fishing") is a type of Internet fraud whose purpose is to obtain user credentials: logins and passwords for bank cards and online accounts.
Most often, phishing is a mass mailing of emails and notifications in the name of well-known brands, banks, payment systems, mail services and social networks. Such emails usually carry the brand's logo, a message and a direct link to a site that looks indistinguishable from the real one. The link takes the victim to the site of the "service", where under various pretexts they are asked to enter confidential data into the appropriate forms. As a result, the fraudsters gain access to the user's online accounts and bank accounts.
Phishing history
The term "phishing" appeared in 1996 in the Usenet newsgroup alt.online-service.America-Online. The first phishers targeted the media company AOL: posing as AOL employees, the scammers contacted users via instant messaging and, on the company's behalf, asked for their account passwords. Once they had access, the account was used to send spam.
In the early 2000s phishing spread to payment systems, and in 2006 users of the MySpace social network were hit by phishing attacks that stole their credentials.
What is the purpose of phishing
Phishing attacks target both individuals and companies. Attacks on individuals usually aim at the logins, passwords and account numbers used with banks, payment systems, various providers, social networks or email services. A phishing attack may also aim to install malware on the victim's computer.
Not all phishers cash out the accounts they gain access to themselves. Cashing out is difficult in practice, and the person who does it is the easiest member of a criminal group to catch and prosecute. So, having obtained the credentials, some phishers sell them to other scammers who have proven schemes for withdrawing money from the accounts.
When phishing attacks are aimed at a company, the cybercriminals' goal is to obtain an employee's account credentials and use them as the foothold for a wider attack on the company.
Types and schemes of phishing attacks
The main phishing techniques and schemes include:
Social engineering techniques
Posing as representatives of well-known companies, phishers most often tell recipients that, for one reason or another, they urgently need to send or update their personal data. The demand is justified by data loss, a system failure or some other pretext.
People react to events that matter to them. Phishing organizers try to alarm the user and provoke an immediate reaction. For example, an email with a subject line like "to regain access to your account ..." is believed to grab attention and push the person to follow the link for more information.
Deceptive phishing
This is the most common type of phishing attack. Fraudsters can send messages of this kind to millions of email addresses in a matter of hours. The phisher sends a fake email in the name of an organization asking the recipient to follow a link and verify their account details.
To steal personal data, dedicated phishing sites are created on a domain as close as possible to the real site's domain: a URL with a small typo, or the real brand name placed in a subdomain of an attacker-controlled domain. The phishing site copies the design of the real one and is meant not to arouse the suspicion of the user who lands on it.
Deceptive phishing is the most traditional method of phishers' work and at the same time the least safe for the attackers themselves, which is why it is gradually becoming a thing of the past.
Spear phishing
Spear phishing targets specific people rather than broad groups of users. Most often it is the first stage of a targeted attack on a company, used to get past its defenses. The attackers study their victims through social networks and other services and tailor their messages accordingly, which makes them far more convincing.
"Whaling"
The hunt for the confidential information of top managers and other important persons is called "whaling" (whale hunting). Here phishers spend a lot of time studying the personality of the target in order to pick the right moment and the right method to steal credentials.
Malware distribution
Besides stealing identities, fraudsters also aim to harm individuals or groups of individuals. When clicked, a link in a phishing email can download malware to the PC: a keylogger, a Trojan or spyware.
Pharming
This is a newer type of phishing. With this method phishers obtain personal data not through an email and a link but through what looks like the official website itself. Pharmers replace the address of the official website in DNS records with the address of a spoofed site, and as a result the unsuspecting user is redirected to the fake site. Such phishing is more dangerous than traditional phishing, because the address bar shows the correct domain name and the substitution cannot be seen there; the fake site does not, however, hold a valid TLS certificate for the real hostname, so a certificate warning on a familiar site is the signal to stop. eBay, PayPal and well-known international banks have already suffered such attacks.
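The hosts-file variant of this technique (the same redirection written into the victim's local hosts file instead of a DNS server) can be audited offline. The following is an added example, not code from the Rusbase article: it parses a constructed sample hosts file and reports every watched banking domain, or subdomain of one, that has been mapped to another address. WATCHED and SAMPLE_HOSTS are assumptions made for the demonstration. A poisoned resolver or home router cannot be seen this way; for that case the practical signal remains the browser's certificate warning, because the fake site cannot present a valid certificate for the real hostname.

```python
"""Audit a hosts file for local pharming: mappings that silently send a
sensitive hostname to an attacker's address. Added example, not code
from the article. WATCHED and SAMPLE_HOSTS are constructed."""
import ipaddress

# Assumption: domains whose redirection we would never expect on this machine.
WATCHED = ("paypal.com", "ebay.com", "mybank.example")


def is_watched(hostname, watched=WATCHED):
    """True for a watched domain or any subdomain of one
    (login.paypal.com matches, notpaypal.com does not)."""
    h = hostname.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in watched)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments and blank
    lines are skipped, and a line whose address does not parse is ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield line_no, ip, name


def find_pharming(text, watched=WATCHED):
    """Return (line_no, hostname, address, kind) for every watched name the
    hosts file overrides. A loopback or unspecified target blackholes the
    name (blocks it); any other target is a redirect, the pharming case."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name, watched):
            kind = "blackhole" if ip.is_loopback or ip.is_unspecified else "redirect"
            findings.append((line_no, name.lower(), str(ip), kind))
    return findings


def audit_file(path):
    """Run the check against a real hosts file, e.g. /etc/hosts or
    C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pharming(fh.read())


# Constructed sample: a typical file with two poisoned entries.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1     localhost
::1           localhost ip6-localhost
192.0.2.10    intranet.corp.example      # legitimate internal override
198.51.100.7  www.mybank.example mybank.example
2001:db8::1   login.paypal.com
0.0.0.0       ads.tracker.example
"""

if __name__ == "__main__":
    for line_no, name, addr, kind in find_pharming(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({kind})")
```

Run it as-is to see the three poisoned mappings from the sample, or call audit_file() with the path of the local hosts file to check a real machine.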
Vishing
Vishing is a phishing technique that uses the telephone to obtain information. The notification email gives a phone number to call back in order to resolve the "problem that has arisen". During the call, an operator or an automated system asks the user to provide identification data to solve the problem.
How you can protect yourself from phishing
First of all, experts advise users of online services to learn to recognize phishing themselves.
If you receive an email asking you to "confirm" an account or anything similar, experts advise contacting the company in whose name the message was sent to verify that it is genuine. In addition, type the organization's URL into the address bar yourself rather than following any hyperlink.
Almost all genuine messages from services mention some piece of information that phishers cannot know, for example the customer's name or the last digits of an account number. Any email that contains no such specific personal information should raise suspicion.
Remember also that phishing sites can hide behind pop-ups, on which targeted advertising can run. There are cases where the "login" field already shows the user's own email address and they are only asked to enter the password in the field below. Links to phishing sites also appear in comments on forums and social networks, and a link can be sent to you by a friend or acquaintance whose account has been hacked. If an email or link looks suspicious, do not follow it.
Phishers are also fought at the technical level:
- Browsers warn about phishing threats: most of them maintain their own lists of phishing sites and, after checking against them, warn users before they go to a dangerous site;
- Email services fight phishing by improving their spam filters and analyzing phishing emails;
- Large services and companies are also making the login procedure stricter, offering users additional protection of their personal data.
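The checks described above (lookalike domains with typos or the brand placed in a subdomain, link text that disagrees with where the link really points, urgency wording, and the kind of analysis a mail filter performs) can be put into one triage routine. The following is an added example and not code from the Rusbase article or any mail provider: it parses two constructed sample emails, one phishing and one genuine, and returns a list of findings. TRUSTED_DOMAINS, URGENCY_PHRASES and both sample emails are assumptions made for the demonstration, and the registrable-domain helper is deliberately crude (a real tool would use the Public Suffix List).

```python
"""Triage an email for phishing signs: lookalike domains, link text that
disagrees with the link target, and urgency cues. Added example, not code
from the article; TRUSTED_DOMAINS and the sample emails are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands this mailbox legitimately receives mail from.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com", "mybank.example"}
URGENCY_PHRASES = ("regain access", "verify your account",
                   "account will be suspended", "urgently")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a real tool uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is the
    genuine site (or a subdomain of it) or simply unrelated. Covers
    paypa1.com (typo), paypal.com.secure-login.example (brand buried as a
    subdomain of an attacker domain) and paypal-secure.example (brand in label)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    first_label = reg.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if ("." + trusted + ".") in ("." + host + "."):   # brand as subdomain
            return trusted
        if edit_distance(reg, trusted) <= 1:               # paypa1.com, paypal.co
            return trusted
        if len(brand) >= 4 and brand in first_label:       # paypal-secure.example
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Hostname the visible link text claims, if it looks like a URL or domain."""
    return urlparse(text).hostname or (
        text.lower() if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text, re.I) else None)


def analyse(sender, subject, html):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    m = re.search(r"@([\w.-]+)", sender)
    sender_host = m.group(1) if m else ""
    hit = lookalike_of(sender_host)
    if hit:
        findings.append(f"sender domain {sender_host} imitates {hit}")
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        hit = lookalike_of(host)
        if hit:
            findings.append(f"link host {host} imitates {hit}")
        shown = shown_host(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"link text shows {shown} but points to {host}")
    body = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in subject.lower() or phrase in body:
            findings.append(f"urgency cue: '{phrase}'")
    return findings


# Constructed samples: one phishing email, one genuine one.
PHISH_EMAIL = dict(
    sender="PayPal Security <service@paypal.com.account-verify.example>",
    subject="Urgently: regain access to your account",
    html='<p>Click <a href="http://paypa1.com/login">https://www.paypal.com/</a> '
         'to verify your account within 24 hours.</p>')
LEGIT_EMAIL = dict(
    sender="PayPal <service@paypal.com>",
    subject="Your receipt",
    html='<p>Hello Ivan, see <a href="https://www.paypal.com/activity">your activity</a>.</p>')

if __name__ == "__main__":
    for name, mail in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyse(**mail))
```

The genuine email produces no findings because its sender domain and link host resolve to a trusted registrable domain; the phishing email is flagged four different ways, which is the point of layering cheap heuristics rather than relying on any single one.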
Mikhail Tereshkov, head of information security at ER-Telecom Holding JSC, in a column on Rusbase gave the following effective but simple methods of protection against phishing:
- Pay attention to the security certificate of the payment system: in the browser's address bar, the site name looks like https://...
- Always change the default factory passwords of the router to more complex ones, and install updated software versions at least every six months.
- Do not shop over public Wi-Fi. Antivirus for your smartphone can provide additional protection.
- Before making a payment in an unfamiliar online store, read reviews about it online.
Phishing in the world
In September 2020, experts of the ONF project "For the Rights of Borrowers" named the five fraudulent schemes used most often in 2020. Phishing, whose purpose is to gain access to users' logins and passwords, took first place (34% of mentions). The classic example of phishing is malicious links; its variants also include advertising on video hosting sites promising payment for taking part in surveys, and calls in the name of banks.
The authors of the ranking are reported to have analyzed about 50 thousand messages from citizens and more than 20 thousand publications in the media and other open sources.
In 2021, during the coronavirus pandemic, the number of thefts from users' bank cards increased sixfold, according to Group-IB, a company that specializes in preventing cyberattacks. According to its experts, scammers lure users to phishing sites where the buyers enter payment details. The attackers use these details to access banks' public p2p services and transfer money to their own accounts.
On average, one bank records 400-600 attempts of this type of fraud per month. The average amount of one transfer is $7 thousand. Often, attackers created fake online store pages selling masks, gloves and sanitizers.
- data from Group-IB.
Conclusion
Cyberattacks have long been part of our lives. Fraud protection is a global challenge for the corporations and startups that build financial, e-commerce and other services. But users should not forget the simple steps that keep them off the intruder's hook.