What is phishing?

The story behind phishing

Similar fraud schemes, e.g. the "grandparent scam", existed before. The beginnings of phishing go back to the late 1990s.

ICQ users were asked by e-mail to enter their access data. The attackers were then able to use the chat account under a false identity.

The first attacks on online banking began with official-looking letters sent as e-mails. Once the victim had handed over data such as username, password, PIN and TAN, money transfers could be made quickly.

How did the term come about?

"Phishing" is an English neologism formed from "fishing", commonly explained as a blend of "password harvesting" and "fishing": figuratively, fishing for passwords with a bait. The spelling with Ph- comes from hacker jargon (cf. phreaking).

The basic principle

Fake e-mails, websites and even text messages are used to obtain personal data from a user in order to steal their identity.
The aim of the scam is usually to plunder the victim's account and thus harm the user. Because it exploits the naivety of the victim, this method is a form of social engineering.

Methods of data collection

A phishing attack begins with an e-mail that is made to look personal. The goal is for the recipient to visit a fraudulent website and enter their personal information there. Telltale signs are mostly clumsy wording as well as spelling or grammatical errors. Incorrect encoding, such as individual Cyrillic letters in place of the correct Western special characters, can also indicate an attack. A successful attack is usually followed by a short confirmation or a fake error message so as to dispel the victim's suspicion afterwards.

Spear-Phishing

This term refers to a targeted attack; the name derives from the English word "spear". Example: attackers obtain the e-mail addresses of students from a university's student council and send them a targeted phishing e-mail in the corporate design of a local bank.

The "hit rate" is higher because the probability that a student holds an account at this particular bank is high.

New methods

With the help of Trojan horses, the attacker places himself between the customer and the bank (man-in-the-middle attack). Traffic is intercepted before it ever reaches the bank. Phishing attacks target access data for online banking or online payment systems (e.g. PayPal). Attacks are also carried out against the following facilities:

  • Mail order companies
  • Internet auction houses
  • Web-based online consultations
  • Parcel lockers (packing stations)
  • Dating sites

Consequences of identity theft:

  • Considerable damage in the form of financial losses
  • Damage to reputation

Obfuscation methods

HTML e-mail allows messages to be laid out graphically like web pages. The visible link text shows the genuine address, while the invisible link target actually points to the address of the fake website (link spoofing).

The visual ambiguity of characters can be exploited in e-mails as well as on websites. This misleads the user about the real address of an e-mail's sender or the real URL of a website.

With HTML, the link visible in the mail client can in fact point to a completely different website. If the mail client executes scripts, this information can additionally be falsified by script techniques. In other cases the link is rendered as a graphic to make text recognition by automatic filters harder: what appears as text on the user's screen is actually an image.

In phishing, the sender's e-mail address is also often faked to make the e-mail look more genuine.
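To make the link-spoofing and image-only-link tricks described above concrete, here is an added example (not code from the original page) that scans an HTML e-mail body and reports anchors whose visible text names one host while the href points at another, and anchors whose only clickable content is an image. The HTML sample is constructed for this example; the hostnames in it (bank.example, example-phish.test) are placeholders, not real sites.

```python
"""Detect link spoofing in an HTML e-mail body (added example, standard library only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first anchor shows the bank's URL as text but links
# elsewhere; the second is honest; the third is an image-only button.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, please confirm your access data:</p>
<a href="http://login.example-phish.test/bank">https://www.bank.example/login</a><br>
<a href="https://www.bank.example/help">https://www.bank.example/help</a><br>
<a href="http://cdn.example-phish.test/x"><img src="cid:button" alt=""></a>
</body></html>
"""

# Visible text that a user would read as an address: optional scheme, a domain, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(text):
    """Lowercase host of a URL or bare domain, or None if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None


class LinkCollector(HTMLParser):
    """Collect (href, visible text, contains-image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []       # [href, visible_text, has_image]
        self._current = None  # index of the currently open <a>, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.links.append([a.get("href", ""), "", False])
            self._current = len(self.links) - 1
        elif tag == "img" and self._current is not None:
            self.links[self._current][2] = True

    def handle_data(self, data):
        if self._current is not None:
            self.links[self._current][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def find_spoofed_links(html):
    """Return findings for anchors whose displayed text names a different host
    than the real target (link spoofing) or whose only content is an image
    (no text for a filter to scan)."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text, has_image in p.links:
        real = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text.strip()) else None
        if shown and real and shown != real:
            findings.append({"kind": "host_mismatch", "shown": shown, "real": real})
        elif has_image and not text.strip():
            findings.append({"kind": "image_only_link", "shown": None, "real": real})
    return findings


if __name__ == "__main__":
    for f in find_spoofed_links(SAMPLE_HTML):
        print(f)
```

The comparison is on hostnames only, so a path or query string in the visible text does not matter; a link whose text is ordinary prose ("click here") is not flagged, since the user was never shown an address to be misled by.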

Phishing websites

Fake sites are hard to identify as fakes. Names and designations that sound similar to those of the official pages or companies are typical of fake landing pages.

The possibility of using internationalized domain names (IDN) in URLs has opened up new possibilities for URL spoofing: a hostname containing non-ASCII characters is displayed as written, while the resolver actually uses its ASCII "xn--" (punycode) form.

Example

Original address: http://www.ue-nationalbank.rlp.de/

Fake: http://www.ü-nationalbank.rlp.de/
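An added example, not from the original page, showing what a resolver does with the fake address above: each non-ASCII label is converted to its ASCII "xn--" (punycode) form, which is the form a filter should display or compare. The check also flags labels that mix scripts, which the page's ü example does not do (it is pure Latin and only non-ASCII), so a third, constructed URL with a Cyrillic а (U+0430) in a "paypal" lookalike is included to show that case. It uses only the Python standard library; the scripts_in() heuristic (first word of the Unicode character name) is an approximation of script detection.

```python
"""Inspect URL hostnames for IDN-based spoofing (added example, standard library only)."""
import unicodedata
from urllib.parse import urlparse

ORIGINAL = "http://www.ue-nationalbank.rlp.de/"   # original address from the page
FAKE = "http://www.ü-nationalbank.rlp.de/"        # fake address from the page
# Constructed lookalike: the second letter is CYRILLIC SMALL LETTER A (U+0430).
MIXED = "http://www.p\u0430ypal.example/"


def to_ascii_host(url):
    """Hostname as the resolver actually uses it: every non-ASCII label
    becomes its xn-- (punycode) form via the built-in IDNA codec."""
    host = urlparse(url).hostname or ""
    return host.encode("idna").decode("ascii")


def scripts_in(label):
    """Approximate set of scripts used by the letters of a label, taken from
    the first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def idn_report(url):
    """What a mail filter or browser UI should know about a hostname."""
    host = urlparse(url).hostname or ""
    ascii_host = to_ascii_host(url)
    labels = host.split(".")
    return {
        "host": host,
        "ascii_host": ascii_host,
        "is_idn": ascii_host != host,                       # any label needed punycode
        "non_ascii_labels": [l for l in labels if not l.isascii()],
        "mixed_script_labels": [l for l in labels if len(scripts_in(l)) > 1],
    }


if __name__ == "__main__":
    for url in (ORIGINAL, FAKE, MIXED):
        print(idn_report(url))
```

Note that a mixed-script check alone would pass the page's ü example, because every letter in "ü-nationalbank" is Latin; comparing the punycode form (or simply flagging any non-ASCII label) is what catches it.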

Protection against phishing

General IT security tips for dealing with phishing e-mails.

You should be able to recognize the hallmarks of phishing by applying a healthy level of suspicion. An e-mail without a personal salutation, written in bad German and urging you to act immediately, is an indication. Such an e-mail usually also has a faked sender address, often from a foreign domain.
