Dictionary Home » Computer Definitions » phishing

phishing - technical definition

Also known as brand spoofing and carding. A popular Internet e-mail scam that involves unsolicited e-mail (i.e., spam) contact in which the scam artist attempts to gain valuable information from the 0 90 180 270 360 0 90 180 270 360 target by gaining that person's confidence through various social engineering techniques and technical subterfuge. The term phishing was coined in the 1996 timeframe by crackers (malicious computer hackers) to describe the process of fishing for suckers by using some sort of lure or bait. (Hackers commonly replace f with ph, phor reasons that are entirely unphathomable to the rest of us.) Phishing commonly involves phony e-mails from banks, credit card companies, e-tailers, insurance companies, mortgage brokers, or other financial institutions warning that your account has been subjected to fraud or perhaps that your credit card is due to expire, and that you must confirm certain information such as an account number and password, or perhaps your social security number. The mail includes a hyperlink to a phony website that quite closely matches the legitimate website. If the scam is successful, the unsuspecting target clicks on the link and divulges information necessary for the scam artist to perhaps wipe out a bank account, max out a credit card, or even steal a person's identity, incur extraordinary debts in his name, and generally ruin his credit. See also e-mail, hyperlink, Internet, pharming, pretexting, scam, social engineering, and spam.

See phishing in Webster''s New World Hacker Dictionary

A form of identity theft whereby a scammer uses an authentic-Âlooking email from a large corporation to trick email receivers into disclosing online sensitive personal information, such as credit card numbers or bank account codes.

According to a 2004 report released by Gartner, Inc., an IT marketing research firm, phishing exploits cost banks and credit card companies an estimated $1.2 billion in 2003. Moreover, according to the Anti-Phishing Working Group (a nonprofit group of government agencies and corporations trying to reduce cyber fraud), more than 2,800 active phishing sites were known to exist.

In April 2005, a new Â“cousinÂ” of phishing was defined and called Â“WiPhishingÂ” (pronounced Â“why phishingÂ”)Â—an act executed when an individual covertly sets up a wireless-enabled laptop computer or access point to get other wireless-enabled laptop computers to associate with it before launching a crack attack. About 20% of wireless access points use default SSIDs. Because users failed to rename them, a cracker can quite easily guess the name of a network that target computers are normally configured to, thereby gaining access to the laptop computer and putting malicious code into it. Intrusion detection appliances such as AirPatrol Enterprise have been designed to detect wireless exploits.

Firms having wired networks are at risk of being cracked if employeesÂ’ laptop computers are left on. Instead of exploiting wireless networks with WiPhishing, crackers could do even more damage by hijacking the legitimate connection to a wired computer network, exploiting the soft underbelly of that network, and launching an invasive attack.

See Also: Cracking; Exploit; Electronic Mail or Email; Fraud; Identity Theft or Masquerading.

Levinsky, D. Hacker Teenage Pleads Guilty. [Online, May 14, 2005.] Calkins Media, Inc. Website. http://www.phillyburbs.com/pb-dyn/news/112-05142005-489320.html; Leyden, J. WiPhishing Hack Risk Warning. [Online, April 20, 2005.] http://www .theregister.co.uk/2005/04/20/wiphishing; MarketingSherpa, Inc. The Ultimate Email Glossary: 180 Common Terms Defined. [Online, 2004.] MarketingSherpa, Inc. Website. Reg SETI Group Website. http://www.marketingsherpa.com/sample.cfm?contentID=2776.

See phishing in Computer

Pronounced "fishing," it is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords. Also known as "brand spoofing," an official-looking e-mail is sent to potential victims pretending to be from their bank or retail establishment. E-mails can be sent to people on selected lists or any list, expecting some percentage of recipients will actually have an account with the organization.

E-Mail Is the "Bait"
The e-mail states that due to internal accounting errors or some other pretext, certain information must be updated to continue your service. A link in the message directs the user to a Web page that asks for financial information. The page looks genuine, because it is easy to fake a valid Web site. Any HTML page on the Web can be copied and modified to suit the phishing scheme. Rather than go to a Web page, another option is to ask the user to call an 800 number and speak with a live person, who makes the scam seem even more genuine.

Anyone Can Phish
A "phishing kit" is a set of software tools from phishing developers that help the novice phisher copy a target Web site and make mass mailings. It may even include lists of e-mail addresses (how thoughtful of people to create these kits!). In the meantime, if you suspect a phishing scheme, you can report it to the Anti-Phishing Working Group at www.antiphishing.org. See pharming, vishing, smishing and twishing.

The "Spear" Phishing Variant
Spear phishing is more targeted and personal. The e-mail supposedly comes from someone in the organization everyone knows such as the head of human resources. It could also come from someone not known by name, but with a title of authority such as a LAN administrator. Once one employee falls for the scheme and divulges sensitive information, it can be used to gain access to more of the company's resources.