Social Engineering
Social Engineering is a method of manipulating a person or a group of people into performing some action - commonly revealing confidential information. While traditional hacking involves finding "holes" in a system to exploit, social engineering uses psychological techniques to exploit "human bugs".
What is Phishing and How it Works
Phishing is a Social Engineering technique which involves creating and deploying fraudulent websites to deceive users. These fake websites are set up to look exactly like the real ones. Victims are expected to enter information into these fake websites just as they would into the real ones, and that input is logged or sent to the scammer.
For example, let's assume you want to hack someone's Gmail account. What you do is create a login page that looks exactly like Gmail's login page. The login form submits the data entered by the victim to a server-side script that logs the user's input. This website has to be hosted on a web server so the victim can access it.
The website's URL must be very similar to Gmail's URL, or the victim will become suspicious when he sees the URL of the page asking him to log in. What you can do is register a domain that looks like "google.com", since "gmail.com" redirects you to "mail.google.com". You also need to copy the parameters in the URL of the original login page to keep the victim from getting suspicious.
Once the user logs in to your fake Gmail page, his username and password will be logged or emailed to you (the hacker). Another important thing to consider is where the fake login page sends the victim after he submits his input, because this can also make the victim suspicious. Of course, you don't want the victim to find out that you logged his username and password before you have had access to the account, or the victim will just log in to his Gmail account and change his password.
Large Scale Phishing
Some of the known phishing scams that occurred involved victimizing eBay and Paypal users. "Phishers" sent out emails to large groups of people in an attempt to deceive the eBay and Paypal users among them into clicking the link in the email, which actually led to a fake eBay or Paypal website. Victims were expected to give away confidential information such as credit card and account login details.
Another trick they used to make the fake link look legitimate was to display an actual eBay / Paypal URL as the link text while pointing the link itself to another location - the fake website. This was done using HTML email messages.
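One defensive check for the trick described above, as an added example that is not part of the original article: it parses the HTML body of a message with Python's standard library and flags any link whose visible text names a site other than the one its href actually points to. The message body, the 203.0.113.10 address and the .example host are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that itself looks like a URL or bare domain, e.g. "www.paypal.com/help".
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def base_domain(host):
    # Simplification: compare only the last two labels (does not handle suffixes like co.uk).
    return ".".join(host.split(".")[-2:])

def find_deceptive_links(html):
    """Return (shown_text, real_href) for links whose visible URL names another site than the href."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # plain anchor text such as "Click here" makes no domain claim
        shown = text if "://" in text else "http://" + text
        if base_domain(host_of(shown)) != base_domain(host_of(href)):
            findings.append((text, href))
    return findings

# Constructed sample message: the IP address and .example host are placeholders, not real indicators.
SAMPLE_EMAIL = """<p>Dear eBay member, please verify your account:</p>
<a href="http://203.0.113.10/ebay/login.php">http://www.ebay.com/signin</a><br>
<a href="https://www.paypal.com/help">www.paypal.com/help</a><br>
<a href="http://secure-login.example/ebay">Click here to log in</a>"""
```

Running find_deceptive_links(SAMPLE_EMAIL) reports only the first link, whose text claims ebay.com while the href goes to an unrelated address; a mail gateway or client can raise the same flag before the user ever sees the message.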
Protection from Phishing
The only thing you can do to avoid getting your account details stolen through phishing is to make sure you won't fall for any traps. One piece of sound advice is not to click on email links when the site concerned involves confidential information, such as Paypal, eBay, and others. Also, make it a habit to always look at the URL of the page before logging in to any membership site.
Yahoo Mail started using an anti-phishing system to protect their users. This anti-phishing system uses a "magic seal" which is actually an image uploaded by the user. Every time the user visits Yahoo Mail's login page, he or she should be able to see the correct magic seal. The idea is to raise suspicion when a user visits a Yahoo Mail login page that doesn't have the seal.
Any technique used by websites to protect their users is still not perfect, because it all still depends on the user. An uninformed and unsuspecting user can still fall victim to phishing scams. So the best weapon to protect yourself from these types of scams is knowledge and awareness.