victim. Sometimes a credit card firm or retail store is used. In any case, the idea
is to present a convincing story that will cause the victim to provide personal
information such as a bank account, social security number, or something else.
Perhaps the most sophisticated form of phishing appears to come from a bank
used by the victim. However, if the victim clicks on the email to respond, he or she
is diverted to a phony website that is designed to look like the real bank's website.
Even worse, some phishing emails with web links direct the user to their own
actual bank but secretly insert a pop-up screen that appears to be a request from the
bank for personal information.
Phishing may have become an adjunct to cyberwarfare. There are reports on
the web, not verified by me, that the Chinese government and military have been
involved with attempts to target the Gmail accounts of U.S. government officials
and military personnel. China denies this, of course. A study from 2006 showed
a high frequency of phishing attacks originating from Russia from a group called
the Russian Business Network, based on U.S. website accounts.
Early phishing was fairly common on the AOL system circa 1995. This was
initially successful, but soon AOL and other internet hosts began to add text to
their screens and messages that said “XXX will never ask for your password and
billing information . . .” This phrase is now a part of almost every commercial
internet service provider (ISP) and messaging service.
The nominal senders of phishing emails include the Internal Revenue Service,
the FBI, many banks, the government of Nigeria, and many social networks.
These, of course, are all hoaxes. In fact, users of social networks seem to be at
greater risk from phishing than nonusers.
It is not uncommon to get a phishing email along the lines of “Contact this
office of the IRS about an unclaimed tax refund.” Anyone who clicks on the site is
at risk of losing at least their email address and possibly worse if they supply data
such as social security numbers or bank account information.
There is an organization called the Anti-Phishing Working Group that includes
both industry and law enforcement organizations that work to prevent phishing.
What we lack, though, is an effective way of tracking backward to the phishing
site or exposing the site to law enforcement personnel without putting the nominal
recipients at risk.
A useful feature of email services would be a “Suspected Phishing” command
that would alert enforcement personnel and possibly track the message back to its
origin point and do so without putting the target at additional risk.