Phishing is one of the most easy to implement and mostly unpredictable for victims. Phishing is the word which rhymes with 'fishing'. Well, it is nearly same as what we do in fishing. Some kind of foodstuff is attached to one end of rope and it is dipped in water. Any unfortunate fish comes there and starts eating that foodstuff. At the same time, rope is pulled from other side causing fish to get trapped.
Same thing happens here. Attacker uses luring or some kind of technique to let the victim arrive in the fake environment. This environment is made such that victim believes that this is the original one. Please note that there may be slight difference between the original one and this duplicate one.
Anyways, the victim is asked to give private information here. It maybe in the form of login username-password or any other. The way of letting the victim give the information is not changed. So, the victim gives out sensitive information as they don't experience any change. As this is the duplicate one, the attacker has control over this virtual environment. As soon as the information is received, it is stored or conveyed to the attacker by one of the various ways. In the efficient traps, victim is redirected to original environement pretending the login was unsuccessful. Victim may also be authenticated to the original environment leaving no doubt in their mind. In some of the non-efficient traps, an error is shown to the victim or they are also told that 'we have received your private information. Thank you!' This may surely arise a doubt in victim's mind.
Phishing has a close relation with 'social engineering'. Social engineering is a process of pretending to be an authority, professional, needy or someone willing to help whom you can trust and give away private information for some of the reasons presented by the same. It is considered as easiest to perform as it requires little or no technical knowledge. Phishing and social engineering are very close concepts and are often implemented together.
Phishing should not be considered as any attack as it doesn't bypass any technical security. It is a part of hacking, but the word hacking should not be used instead of phishing as most of the people mistakenly consider hacking as defacing and disabling.
Phishing is just like stealing. Rather, it should be called as 'fooling by pretending'.
Other types of hacking such as buffer overflows, xss, sql injection may have any patches or solutions for them but phishing can't have any patch or fix as you cannot block each and every phishing site. Further, proxies are also there. Day by day, the use of web browsers is becoming the only medium between you and internet. Uploading, downloading, emailing, chatting etc. things are becoming web-based (some of them used to be software or telnet based like outlook and irc chat etc.). Therefore, cloning them and making phishing sites is also increasing. Phishing is very difficult to block from firewall or any such systems or softwares. The best way to detect phishing is by 'human'. But, it is also said that, "Humans are the weakest link in security chain".
No comments:
Post a Comment