- Phishing has become a big problem in recent times. In 2004, the estimated losses due to phishing were to the tune of USD 137 million, according to tower Group. Attackers set up fake Web sites, which look like real Web sites. It is quite simple to do so, since creating Web pages involves relatively simple technologies such as HTML, JavaScript, CSS (Cascading Style Sheets), etc. Learning and using these technologies is quite simple. The attacker’s modus operandi works as follows.
- The attackers decides to create his/her own Web site, which looks very identical to a real Web site. For example, the attacker can clone Citibank’s Web site. The cloning is so clever that the human eye will not be able to distinguish between the real (Citibank’s) and fake (attacker’s) site.
- The attack can use many techniques to attack the bank’s customer. We illustrate the most common one below.
- The attacker send an email to the legitimate customers of the bank. The email itself appears to have come from the bank. For ensuring this, the attacker exploits
The email system to suggest that the sender of the email is some bank official (e.g. accountmanager@citibank.com). This fake email warns the user that there has been some sort of attack on Citibank’s computer systems and that the bank wants to issue new passwords to all it customers, or verify their existing PINs, etc. For this purpose, the customer is asked to visit a URL mentioned in the same email. This is conceptually shown in Fig. below.
- When the customer (i.e. the victim) innocently clicks on the URL specified in the email, he/she is taken to the attacker’s site, and not the bank’s original site. There, the customer is prompted to enter confidential information, such as his/her password or PIN. Since the attacker’s fake site looks exactly like the original bank site, the customer provides this information. The attacker gladly accepts this information and displays a Thank you to the unsuspecting victim. In the meanwhile, the attacker now uses the victim’s password or PIN to access the bank’s real site and can perform any transaction as he/she is the victim!
