Phishing is an on-line attempt to extract personal identity information from someone by masquerading as a legitimate organization. Most commonly, an email is sent designed to mimic the style and logo of a well known orga- nization, such as a bank. The email contains an urgent request for the user to access a remote system and input personal information. For example, an alleged security breach at a bank requires the victim to log in, using a link en- closed in the email, to immediately change their password. The link connects the victim to a fraudulent machine, which collects personal information from bank clients. Often the link closely resembles a legitimate URL. For example, it can use a Unicode character that look like a normal Latin character, but with a different binary value. Visually, the real and fraudulent URLs will be identical. In the first half of 2009, an industry working group identified over 210,000 websites being used for phishing scams; in Australia alone there were over 30,400 victims of phishing scams in 2007.
Tools exist that identify and flag phishing URLs, frequently relying on pub- lished black lists of known phishing sites. They are currently not very reliable. Ones that identify more than 50 percent of the blacklisted sites tend to have high false positive rates as well. Most users will eventually learn to ig- nore these tools, when they realize that the information provided is unreliable. In spite of this, these tools could be effective at stopping users from giving information to phishers, if they could correctly identify phishing URLs.
On a positive note, economics-based analysis of phishing indicates that the more heavily phishers use this attack, the better known and less profitable it becomes. It appears that less than four people are victimized for every thousand contacted, which gives phishing a better hit rate than Nigerian 419 scam. The analysts feel that phishing may result in attackers losing money, if you consider the possible revenues they could make by investing their time elsewhere.
Published on Tue 12 April 2011 by Elliot Wood in Security with tag(s): phishing