Friday, November 20, 2009

What Is Phishing And How It Relates To Your Webmail Credentials ?

Recently, the webmail industry experienced what was believed to be a phishing incident in which several thousand credentials for Gmail, Yahoo and Hotmail accounts were exposed on a third-party site.

For those who are wondering exactly what phishing is, and how it relates to general spam: phishing is a criminally fraudulent attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy person or institution in e-mail or on a website. These credentials are used for identity theft, financial transactions and other potentially harmful activities. While “spam” refers to being targeted with unwanted emails in general (e.g. the common “Viagra ads”), phishing refers to attempts to obtain your webmail credentials and other identifying information with fraudulent intent. And unfortunately, it isn't anything new.

Some of the most common types of phishing attacks

1. Attacks that rely on forging identities:

In one of the most common types of attacks, the attackers change the display name associated with an email address to a trusted, familiar name, for example “Windows Live Customer Support” or "Bank of America," even though their e-mail address is still "". If you're not paying attention, it can be easy to mistake a message like this for a genuine request from Windows Live or your bank.

2. Attacks that use stolen accounts:

In a variant of phishing, the attacker uses a previously compromised user account to send a link to everyone in that account's contact list. If you unknowingly click the link, you land on a spam, phishing, or malware download site. As you can imagine, an e-mail you get from a friend’s account significantly increases the credibility of that message, and increases the likelihood of a successful attack. So, watch out for odd or uncharacteristic e-mails that come from a friend’s account.

3. Attacks that ask you to provide credentials via phone:

In a typical phone phishing scam, the scammer may direct you to call a customer support phone number, claiming that your account will be closed or other problems will occur if you don't call the number. A person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.

4. Attacks via forged websites:

Many phishing attacks will convince you to trust them by including official-looking logos or other identifying information taken directly from legitimate websites. A common trick is to create a web address that resembles the name of a well-known company but is slightly altered by adding, omitting, or transposing letters. For example, the address "" could appear instead as “”, “” or “”.
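The forged display names from section 1 and the altered web addresses from section 4 can both be caught with a simple sender check. The following Python is an added example written for this post, not code from the original; the brand list and the two-edit threshold are constructed assumptions, and a real deployment would use the mail provider's own list of brands and domains.

```python
from email.utils import parseaddr

# Constructed brand list for this example: a display-name keyword mapped to the
# domain that legitimately sends mail for that brand (assumption, not from the post).
KNOWN_BRANDS = {
    "windows live": "live.com",
    "bank of america": "bankofamerica.com",
    "gmail": "gmail.com",
}
MAX_EDITS = 2  # how many added, omitted or swapped letters still count as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an inserted, omitted, substituted or
    transposed letter each cost 1, matching the tricks described in the post."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent letters swapped
    return d[len(a)][len(b)]


def is_legit_domain(domain: str, legit: str) -> bool:
    """True for the genuine domain itself or any subdomain of it."""
    return domain == legit or domain.endswith("." + legit)


def lookalike_brand(domain: str):
    """Return the brand whose real domain `domain` imitates, or None."""
    if any(is_legit_domain(domain, legit) for legit in KNOWN_BRANDS.values()):
        return None
    for brand, legit in KNOWN_BRANDS.items():
        if edit_distance(domain, legit) <= MAX_EDITS:
            return brand
    return None


def check_sender(from_header: str) -> list:
    """Flag a From: header whose display name or domain impersonates a known brand."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    for brand, legit in KNOWN_BRANDS.items():
        if brand in name.lower() and not is_legit_domain(domain, legit):
            warnings.append(f"display name claims '{brand}' but address domain is '{domain}'")
    brand = lookalike_brand(domain)
    if brand:
        warnings.append(f"domain '{domain}' resembles the real '{brand}' domain")
    return warnings
```

A header such as `"Bank of America" <alerts@bankofamerlca.com>` trips both checks, while mail from the genuine domain or one of its subdomains produces no warning.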

5. Attacks using social engineering:

Sometimes a scammer will include convincing details about your personal life that they found on your social networking pages. A user can easily believe the email comes from a friend wanting to reconnect and may inadvertently provide personal information.

Once the attackers have your credentials, they typically use the account for various things.