Everyone knows what fishing means. It’s when a man tries to convince a fish that this fat warm had nothing better to do but diving ten feet into the river.
Phishing is somewhat similar. Someone assumes that you are as stupid as an average fish and believe that every incoming email is a legitimate one and will happily bite into it. If you don’t like my definition of the term Phishing, read what the Wikipedia has to say:
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
Now let’s consider a real world example. I just got this email in my Yahoo! account (this is a reason why I decided to write this blog):
If I was a regular fish, I’d simply clicked on the “Click Here” link and obediently followed all further instructions. But I’m as smart as a dolphin and immediately figured out that someone was trying to trick me. Let’s give this email a closer look.
First, the email came from some weird URL – @email.yahoo-inc.com and not from yahoo.com.
Second, it has this gibberish at the bottom: “Terms Privacy About our ads Advertise Developers”. These words are not even links to the articles Terms, Privacy et al.
Third, Yahoo! knows my name, and would address me as “Dear Yakov”, but not “Dear valid Customer”.
Fourth, the text of the email starts with “Due to so many complains on our server upgrades”. What a BS! Even if Yahoo! had many complains about their server upgrades, their award winning legal team would find better wordings to turn negative into positive, like “Due to our continuous efforts to imrove our service we’ve recently upgraded our state of the art server farms…”
If you are still not convinced, take a look at the following snapshot of my desktop. I’ve hovered (not clicked!) the mouse pointer over the “Click Here” link and took the following screen snapshot. Looked at the content of the Browser’s status bar at the bottom – this is a URL of the Web page that would be opened should I clicked on that link.
Now we know the name of the phisherman! It’s http://www.highstreetproperties.com. If you’ll just try to enter this URL in your browser, you’ll see the page that reads “Error establishing the database connection”. I’m sure you’re dying to know were the actual “Click Here” link would have taken me, right? OK, as a good Samaritan, I’ll do it for you. On the count of 3, I’ll click. One. Two. Three.
Boooring… Now even a fish with an avarage IQ can figure out that after entering Yahoo! ID and password, this information will be sent to the phisherman’s database located at highstreetproperties.com. Then these low class people will use this info to get access to your Yahoo! contacts and send them email (from your name) offerring to purchase these really nice blue pills that make miracles happen!
If you’ll examine the source code of the page, you’ll see that that name of the script at the phisherman’s site is called process.php. But do you want to know more details about this phisherman? Just go to the Networksolutions.com and use their whois service: http://www.networksolutions.com/whois to see who registered the domain name highstreetproperties.com.
I hope you’ve enjoyed my real-world explanation of the Web security term Phishing. For more technical introduction to Web security read this chapter from our upcoming book on Enterprise Web development.