Phishing


Phishing is a method by which personal information is obtained from a user through fictitious websites, e-mails or other messages. The information is then mostly used for illegal purposes. The term is derived from the word “fishing” and refers to baiting users and fishing for their information.

Principle

Phishers create authentic-looking websites to gain the user’s confidence. Targeted and mass e-mails are then used to lure users to the fraudulent provider’s site. A message may be displayed warning the user of an alleged attack; to authenticate and activate the supposed security system, the user is then expected to enter personal data. These data are often intercepted by malware such as a Trojan horse. On malicious websites, malware is installed automatically as soon as the site is visited, in order to control and monitor subsequent user actions. A frequent goal of phishers is to obtain user names and passwords for online banking, or credit card details, and then to abuse them for theft. In the man-in-the-middle technique, the attacker gains access to the user’s server and forwards the user to fake websites. This is the most demanding type of phishing, since no changes are visible on the local computer.


Methods of camouflaging attacks

There are some ways to disguise phishing attacks.

  • E-mail

E-mail camouflage is done by writing HTML e-mails. The link text shows the address of the original website, while the underlying link target, which the user does not see, points to a counterfeit address. Furthermore, the sender’s e-mail address is usually falsified to resemble the original more closely.

  • Websites

Fake websites are usually characterized by names and designations that resemble those of the impersonated company, which makes the website difficult to identify as a fraud. The original domain is usually imitated by spelling out umlauts (ä becomes ae) or by using look-alike characters in the URL (an uppercase I in place of a lowercase l). The user thus believes he is visiting the authentic website but is actually directed to a fake one.

  • SMS

A confirmation of a permanent contract is sent by SMS. To opt out of this contract, the user is supposed to click a link named in the message; visiting it releases the malware.
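The two disguises described under E-mail and Websites can be checked for mechanically. The following Python script is an added example, not code from the original article: it parses the anchors of an HTML e-mail, flags links whose visible text names one host while the href points at another, and flags target hostnames that match a protected brand domain once umlauts are spelled out and look-alike characters (I/l, 1/l, 0/o, rn/m) are folded. The protected domain list, the fold table and the sample e-mail are constructed for this example, and the registrable-domain helper is deliberately naive (last two labels only).

```python
"""Flag deceptive links in an HTML e-mail: anchors whose visible text names
one host while the href points at another, and target hostnames that imitate
a protected brand domain once look-alike characters are folded."""
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed list of domains to protect (assumption for this example).
PROTECTED_DOMAINS = {"example-bank.com", "mueller-bank.de"}

# Folds applied before comparison: umlaut transliteration plus common visual
# confusables. Multi-character folds run first, then single characters.
MULTI_FOLDS = [("ä", "ae"), ("ö", "oe"), ("ü", "ue"), ("ß", "ss"),
               ("rn", "m"), ("vv", "w")]
SINGLE_FOLDS = str.maketrans({"i": "l", "1": "l", "|": "l",
                              "0": "o", "5": "s", "3": "e"})

# Something that looks like a hostname inside link text.
DOMAIN_RE = re.compile(r"\b([a-z0-9äöüß-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode; leave others as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Ignores multi-part
    public suffixes such as co.uk; a real tool would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def fold(host: str) -> str:
    """Normalise a hostname so that look-alike spellings compare equal."""
    h = decode_idna(host.lower().rstrip("."))
    for src, dst in MULTI_FOLDS:
        h = h.replace(src, dst)
    return h.translate(SINGLE_FOLDS)


def classify_host(host: str) -> str:
    """'legitimate', 'lookalike' or 'unrelated' relative to PROTECTED_DOMAINS."""
    plain = registrable(decode_idna(host.lower()))
    if plain in PROTECTED_DOMAINS:
        return "legitimate"
    folded = fold(plain)
    if any(folded == fold(p) for p in PROTECTED_DOMAINS):
        return "lookalike"
    return "unrelated"


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text: str) -> Optional[str]:
    """Hostname the link text *claims* to point at, if it names one."""
    m = DOMAIN_RE.search(text)
    return m.group(0).lower() if m else None


def analyse_email(html: str) -> List[dict]:
    """Return one finding per anchor with the reasons it looks deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = (urlsplit(href).hostname or "").lower()
        reasons = []
        claimed = host_in_text(text)
        if claimed and registrable(claimed) != registrable(decode_idna(target)):
            reasons.append(f"link text names {claimed} but href goes to {target}")
        if classify_host(target) == "lookalike":
            reasons.append(f"{target} imitates a protected domain")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample e-mail: one rn/m look-alike with mismatching link text,
# one IDN umlaut look-alike (punycode for "müller-bank"), one legitimate link.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="https://login.exarnple-bank.com/verify">https://www.example-bank.com/login</a>
<a href="https://xn--mller-bank-9db.de/">M&uuml;ller Bank</a>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(status, finding["href"], "; ".join(finding["reasons"]))
```

Both checks operate on the registrable domain rather than the full host, so a legitimate subdomain such as login.example-bank.com is not flagged, while a folded match against the protected list catches both the ASCII spelling-out of an umlaut and a punycode look-alike after IDNA decoding.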

Protection

Since HTML or scripts are usually used in phishing e-mails, you can disable them in your mail client to protect against such attacks. Some antivirus programs can also detect phishing e-mails, which is why we recommend using them; however, they must always be kept up to date. Financial institutions increasingly use Extended Validation SSL certificates. These open an additional field in the address bar that alternately shows the domain holder and the certification authority. The address bar is sometimes displayed in green to draw the user’s eye to it and make sure the address is correct. Other programs can also recognize phishing e-mails based on typical criteria. Another means of protection for online banking is the signature-protected HBCI process with a smart card; this type of online banking dispenses with entering TANs. The iTAN method can be applied as well, but it is ineffective against man-in-the-middle attacks.

Consequences

A successful phishing attack can have devastating consequences. For one, the account of the person concerned may be charged. Furthermore, contracts may be entered in the name of the user. Another possibility is that the user’s ID is used for criminal activities.

Relevance to SEO

Usually all sites suspected of phishing are excluded from the search engine’s index so that searchers are not put at risk. Website operators run the risk of unknowingly linking to malware or phishing sites. It is therefore advisable to routinely examine the website’s outbound links. If you link to such a website, the search engine may associate your website with spam sites and exclude it from the index.

Web Links