PHISHING FAQ
What is phishing?
Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, fake Web sites, crimeware and other techniques to trick people into divulging sensitive information, such as bank and credit card account details. Once they've captured enough victims' information, they either use the stolen goods themselves to defraud the victims (e.g., by opening up new accounts using the victim's name or draining the victim's bank accounts) or they sell it on the black market for a profit.

How does phishing work?
In most cases, phishers send out a wave of spam email, sometimes up to millions of messages. Each email contains a message that appears to come from a well-known and trusted company. Usually the message includes the company's logo and name, and it often tries to evoke an emotional response to a false crisis. Couched in urgent, business-like language, the email often requests the user's personal information. Sometimes the email directs the recipient to a spoofed Web site. The Web site, like the email, appears authentic, and in some instances its URL has been masked so the Web address looks real.

The bogus Web site urges the visitor to provide confidential information - social security numbers, account numbers, passwords, etc. Since the email and corresponding Web site seem legitimate, the phisher hopes at least a fraction of recipients are fooled into submitting their data. While it is impossible to know the actual victim response rates to all phishing attacks, it is commonly believed that about 1 to 10 percent of recipients are duped, with a "successful" phishing campaign having a response rate around 5 percent. To put this in perspective, spam campaigns typically have a response rate of less than 1 percent.

How has "phishing" changed over the years?
Phishers have become much more sophisticated. Crimeware is now used in conjunction with their phony, hostile Web sites, leveraging common Web browser vulnerabilities to infect victim machines. By simply following the link in a phishing email to a bogus Web site, a user can have their identity stolen without the phisher needing them to enter any personal information - the Trojan or spyware placed onto the user's machine captures it for the phisher the next time the user visits the legitimate Web site of their bank or other online service.

Throughout the past year, this genre of crimeware has become more targeted (capturing just the information the phisher wants) and more silent, using rootkit and other aggressive stealth techniques to remain hidden on an infected system.
