There are two kinds of phishing: targeted and non-targeted. Non-targeted phishing is blind: the same message is sent indiscriminately to as many Internet users as the phisher can reach. Targeted phishing (often called spear phishing), on the other hand, is sent to a selected group, such as the staff of a particular bank or hospital.
Phishers obtain their mailing lists of potential victims in two ways. They either use freely available programs called email extractors to harvest addresses from web pages and save them to a plain-text file, or they visit an online black market: forums that sell criminal software and email addresses stolen from the web servers or mail servers of various organizations. Targeted addresses range from $1 to $5 each, while non-targeted addresses are far cheaper: about $20 buys a text file of a thousand of them.
In the next stage, the phisher deploys his phishing kit by breaking into someone else's computer, preferably a poorly protected web server or mail server, and installing the kit there. The kit automatically collects whatever victims submit and forwards it to the phisher. It can also be embedded in a web page carrying a form that visitors are asked to fill in; the form sends the visitor's personal information to the kit, which sorts it and mails it to the phisher. The phisher never plants the kit on a machine that could be traced back to him, so that the police cannot close in on him.
When the online form goes live, the phisher tests it by phishing himself to make sure there are no operational problems. The kit is built to collect personal data, then parse, arrange, tabulate and mail it to the phisher in a form that is easy to consume.
The phisher then broadcasts the link to his phony web page to his mailing list, adding his own address to the list so he can monitor delivery. Remember that antivirus software and firewalls do little against most phishing attacks: nothing malicious runs on the victim's machine, the victim simply types his details into a web form. The phisher prefers to send the mails at closing time on Friday so that the page has ample time to collect data before anyone moves to take it down, which is likely to be Monday morning at the earliest; in developing countries the fraudulent page can stay up for weeks because of the lackadaisical attitude of organizations towards security. The kit can also produce a pop-up that appears on your screen uninvited and asks you to fill in a form. Sophisticated phishers know how to hide the planted kit from the server's administrators. The kit can sort the responses by PIN, by time of response, by IP address, by financial institution, and so on.
A phisher keeps his kit private: a kit that has not circulated widely is less likely to be recognized and blocked, so it gathers more responses and earns him more money. There are also custom-built kits that target only credit and debit card details. Once cashed out, stolen card details can be used to buy server space from ISPs or hosting companies under a name that cannot be traced to the phisher. Hosting companies usually check that the account name on the purchase matches the name on the card; if it does not, they pull the site down. This matters when the phisher needs to host his own phishing site rather than plant it on a compromised server.
Let us now look at how a phishing kit extracts credit or debit card numbers. But first, how does the card payment system work? A credit card differs from a debit card: with a credit card you can make purchases whether or not there is money in your account, while a debit card only gives you access to funds already in your account. A card network such as Visa, Mastercard or American Express runs a network into which different banks plug in and communicate. Your bank, the issuer, issues you a card showing your name, the issuing bank, the card number, the expiry date and a verification number. If you walk into a phone store to buy a Nokia Lumia that costs N100,000, and the store accepts Visa, the store holds an account with a bank called an acquirer that is connected to the Visa network. Acquirer banks are so called because they acquire retailers and authorize them to accept card payments, supplying them either with a card terminal (a Point of Sale or POS device) or, for their websites, with a payment gateway.
Here is what happens: the phone store swipes your card in the POS terminal. The terminal sends an authorization request to the acquirer bank, which passes it to the Visa network. Visa identifies the issuing bank from the card number and forwards the request to the issuer bank, where you hold your account. The issuer bank checks its records and approves or declines the transaction.
Remember that the issuer bank is only extending you credit, which must be repaid with interest at a later date. On a N100,000 phone there is a commission of about 2 to 3 percent, depending on the network, which is shared between the issuer bank, the acquirer bank and the card network, in this case Visa. Of that commission the issuer bank takes about 70 percent, the acquiring bank comes next, and the smallest share goes to Visa. Looking at the bigger picture, card networks make a tremendous amount of money because they handle millions of transactions from different banks every day. The issuer's share is called the interchange fee, and its rate is set by the card network. At settlement, the issuer bank transfers N100,000 less the interchange fee to Visa; Visa passes the remainder, less its own fee, to the acquirer bank, which credits the phone retailer's account less its own fee. It looks cumbersome, but the authorization completes within a few seconds.
Purchasing on the phone store's website works slightly differently. The phone store has a direct relationship with a payment provider, which places a payment gateway on the store's website. At checkout the buyer selects the payment option for his card brand and types his card number, expiry date and verification number into the gateway's form; the gateway runs its checks and displays the price of the phone plus any fee to be deducted. The buyer confirms the deduction and the transaction is completed, awaiting delivery or instant download. Both buyer and retailer have an online dashboard for managing their accounts.
A phishing kit can tell a Mastercard number from a Visa number or an ATM (debit) card number by its leading digits: Visa numbers begin with the digit 4, and Mastercard numbers begin with the digit 5 (or, since 2017, with a number in the range 2221 to 2720). The kit can also check the expiry date and decline to mail entries whose cards have expired, and, in the case of an ATM card, drop any entry whose PIN is shorter than 4 digits.
The kit's form usually asks for the following:
1. Card number
2. Expiry date
3. CVV (Card Verification Value, printed on the back of the card)
4. ATM PIN
5. Token Password
Card networks and payment processors check a card number entered online against the published checksum algorithm for that card type (the Luhn check) so that typing mistakes and made-up numbers do not proceed. Unfortunately, phishers have the same coding skills and build the same check into their kits. Card issuers also write tracking data to the card's magnetic stripe when the card is made. Without a card reader you cannot obtain that track data, so if a phisher is after a card's track data he certainly has a card reader and a machine that can write the stolen data onto a cloned card.
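The checks described above, as an added example written for this article rather than taken from any phishing kit or payment processor: the brand-prefix, Luhn checksum and expiry validation that a legitimate payment form performs before a card number is sent on to the processor. The card numbers used in the test run are widely published test numbers, not real cards, and the "today" date is injected so the result is reproducible.

```python
"""Card-number sanity checks that a legitimate payment form runs before
anything reaches the processor: issuer prefix (brand), Luhn checksum,
expiry.  Added example; not code from the article or from any real kit."""
from datetime import date

# Fixed reference date so the expiry checks below are reproducible.
SAMPLE_DAY = date(2025, 1, 31)


def luhn_valid(number: str) -> bool:
    """Luhn checksum: starting from the rightmost digit, double every
    second digit, subtract 9 from any doubled value above 9, and require
    the sum of all digits to be a multiple of 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(number: str) -> str:
    """Recognise the brand from the leading digits (the issuer identifier).
    Visa: 4; Mastercard: 51-55 and 2221-2720 (the 2-series was added in 2017);
    American Express: 34 or 37.  Anything else falls through as 'unknown'."""
    if not number.isdigit() or len(number) < 4:
        return "unknown"
    two, four = int(number[:2]), int(number[:4])
    if number[0] == "4":
        return "visa"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "mastercard"
    if two in (34, 37):
        return "amex"
    return "unknown"


def expiry_ok(text: str, today: date) -> bool:
    """Accept MM/YY or MM/YYYY.  A card is usable through the last day of
    its expiry month, so compare (year, month) pairs rather than full dates."""
    try:
        mm, yy = text.strip().split("/")
        month, year = int(mm), int(yy)
    except ValueError:
        return False
    if len(yy) == 2:
        year += 2000
    if not 1 <= month <= 12:
        return False
    return (year, month) >= (today.year, today.month)


def check_card(number: str, expiry: str, today: date = None) -> dict:
    """Run all three checks on one form entry.  Spaces and dashes in the
    number are tolerated; American Express numbers are 15 digits, the
    other brands here are 16."""
    today = today or date.today()
    digits = number.replace(" ", "").replace("-", "")
    brand = card_brand(digits)
    expected_len = 15 if brand == "amex" else 16
    return {
        "brand": brand,
        "luhn": luhn_valid(digits),
        "length_ok": len(digits) == expected_len,
        "expiry_ok": expiry_ok(expiry, today),
    }


if __name__ == "__main__":
    # Widely published test numbers, not real cards; the last one has a
    # deliberately wrong check digit.
    for num, exp in [("4111 1111 1111 1111", "12/30"),
                     ("5555 5555 5555 4444", "01/25"),
                     ("3782 822463 10005", "06/2031"),
                     ("4111 1111 1111 1112", "12/30")]:
        print(num, check_card(num, exp, today=SAMPLE_DAY))
```

A form that asks for an ATM PIN has no legitimate reason to do so; the PIN length check the kit performs is not something a real payment form ever needs, and its presence on a page is itself a sign of phishing.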
There is also a variant of phishing called SMiShing, which uses phone SMS to obtain confidential information. The phisher tells mobile phone users that their bank account has been compromised or that their credit or ATM card has been deactivated, and directs the victim to call a number or visit a spoofed website to reactivate it. Once on the site, the victim is asked for his PIN and other card details, and the game is over. When you then approach your bank about your carelessness, you will be shuttled from the regional office to the head office and are likely to suffer many sleepless nights. In countries with an established process, as soon as you suspect you have given your details to phishers you file an Identity Theft Report and gain certain legal protections.
After collecting cashable card details, the phisher usually employs money mules to monetize them. Money mules specialize in moving money from one account to another across the globe without leaving a trail back to the phisher. Some phishers go as far as ordering goods with stolen cards using the real cardholder's address, then intercepting the goods before they reach the victim.
The last stage of the attack is when the phisher covers his tracks and makes a quick getaway. He deletes the kit from the compromised server so that law enforcement cannot recover it, because with the kit in hand investigators can recreate and study the phishing operation. Phishing is a cooperative venture, since not all phishers have the same skills; most rely on a few sophisticated phishers for the tasks they cannot perform themselves.
Having discussed the anatomy of a phishing attack, let us move to the antidotes and how we can proactively protect ourselves. There are three components in any system of computer-human interaction: the technology, the regulations and the people. In online attacks the technology and the regulations are mostly innocent; the problem usually lies with the people. In other words, you are the problem and at the same time the solution. Before turning to regulatory compliance, I would like to explain some of the technology that defends against criminally minded Internet users. Our computing devices come with many security components, some of which are described here:
Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), is the standard technology for encrypting and protecting information transmitted over the web. Encryption means scrambling information into a form unreadable by anyone except the intended recipient. HTTP is the protocol your browser uses to fetch web pages, but when you browse over plain HTTP a malicious hacker sniffing the connection can see everything you send and receive. This is why HTTP is combined with SSL/TLS to give HTTPS: even if the hacker can sniff your conversation with a website, he cannot read it. Ordinary web addresses begin with http, so when you need to communicate securely always make sure there is an "s" attached: https means your conversation is encrypted.
But the issue goes beyond communicating securely with a website: what if you are communicating securely with a criminal's website? Phishers can obtain SSL certificates too. This is where Certificate Authorities (CAs) come in. A CA is an entity that issues digital certificates: signed electronic documents that bind a website's domain name to its public key. The Internet runs on a model of trust in which a third party vouches for the identity of websites; in essence the CA says "yes, this website is who they say they are, and we the CA certify that". Note the limit of that promise: an ordinary (domain-validated) certificate only proves that the holder controls the domain name it was issued for, not that the domain belongs to your bank, so a phishing site on its own domain can show a perfectly valid padlock.
It follows that every responsible website should obtain a digital certificate, signed by a CA, that binds its domain name to its identity. Web browsers such as Mozilla Firefox and Opera ship with the root certificates of the trusted CAs and update that list automatically, so when you connect to a site the browser can check the site's certificate against the CA's signature and tell you whether you are on the right website.
Extended Validation SSL (EV SSL) is an advancement on ordinary SSL certificates. The CA verifies the legal identity of the organization before issuing it, and browsers of the time displayed a green bar in the address bar showing the name of the organization that owns the certificate and the name of the CA that issued it. The green bar told visitors that the transaction was encrypted and the business had been authenticated to the most rigorous industry standard. Phishers cannot put their own name in that bar, because what is shown is outside their control, and they cannot obtain a legitimate EV certificate because of the stringent vetting. One caveat: since 2019 the major browsers (Chrome and Firefox among them) no longer show the organization name in the address bar, so the green bar is no longer something you can rely on seeing; the padlock and the certificate details are still there. When a browser such as Firefox shows a red warning, the certificate failed validation and you are visiting that website at your own risk.
As an individual, you owe it to yourself to protect yourself online; if you are careless, you will only have yourself to blame. So always take the following precautions:
- Check the address bar when transacting online to make sure the address begins with https, not http.
- Always forward suspicious emails to your financial institution.
- Visit Internet security awareness websites regularly, such as fbi.gov, cert.org, firewall.cx and governmentsecurity.org, or simply search for "Internet security and phishing awareness blogs" to find many sites that offer advice on online protection.
- By default, treat any email asking for your personal details as suspicious.
- Don't click on links or open emails you are not expecting or aware of; just delete them.
- When in doubt, pick up the phone and verify.
- Make it a habit to type the address of your financial institution into the address bar yourself; never follow a link. On a secure site the browser shows a padlock (in the address bar in current browsers; older browsers showed it at the bottom of the window), and clicking it lets you view the website's digital certificate. If you get any warning that the address does not match the certificate, do not continue.
For a complete list of the dos and don'ts of the Internet world, see the book Hack No More, or Moving into the Internet Marketplace by Aliyu Ahmed Ahmed; a review is at http://techtrendsng.com/review-of-the-bookhack-no-more/.
- Be suspicious of emails with grammatical errors; financial organizations review their mailings carefully before sending them.
- Phishers also use psychological pressure to create a sense of urgency so that the victim responds before thinking. They use phrases like "your account will be immediately deactivated" or "the promo will be closing tomorrow".
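The address-bar checks in the precautions above, turned into code as an added example (not code from the article or the book): is the page HTTPS, and is the host really the bank's registered domain or one of the common lookalike tricks? The institution "mybank.com.ng", the URLs and the suffix list are constructed for the example; a production checker would take its suffix rules from the Public Suffix List.

```python
"""Address-bar checks: is the page HTTPS, and is the host really the bank's
domain or a lookalike?  Added example; the bank domain and URLs are
constructed, not real."""
import ipaddress
from urllib.parse import urlsplit

# Country-code suffixes under which the registrable name is three labels long
# (mybank.com.ng, not com.ng).  A real checker would use the Public Suffix List;
# this short constructed set is enough for the example.
TWO_LEVEL_SUFFIXES = {"com.ng", "org.ng", "co.uk", "com.au"}


def registered_domain(host: str) -> str:
    """Strip subdomains: www.mybank.com.ng -> mybank.com.ng."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str, expected_domain: str) -> list:
    """Return a list of findings; an empty list means the URL is the expected
    site over HTTPS.  expected_domain is the bank's registered domain, the
    thing a user should have typed in themselves."""
    expected = expected_domain.lower()
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme.lower() != "https":
        findings.append("not-https")
    # https://www.mybank.com.ng@evil.example/ : everything before '@' is a
    # username, and the real host is whatever follows it.
    if parts.username is not None:
        findings.append("userinfo-in-url")
    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("ip-literal-host")
    except ValueError:
        pass
    # Internationalised (punycode) labels can render as lookalikes of ASCII names.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    if is_ip or registered_domain(host) != expected:
        findings.append("wrong-domain")
        # The bank's name reused as a subdomain, path or username of another site.
        if expected in url.lower():
            findings.append("lookalike-name")
    return findings


if __name__ == "__main__":
    bank = "mybank.com.ng"  # hypothetical institution
    for u in ("https://www.mybank.com.ng/login",
              "http://www.mybank.com.ng/login",
              "https://mybank.com.ng.account-verify.example/login",
              "https://www.mybank.com.ng@203.0.113.7/login",
              "https://xn--mybnk-0ra.com.ng/"):
        print(u, "->", inspect_url(u, bank) or "ok")
```

The check compares the registered domain, not the whole hostname, so a legitimate subdomain such as online.mybank.com.ng passes while mybank.com.ng.account-verify.example does not; the latter is the layout a phisher relies on the eye skipping over.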
At the corporate level, a few things need to be done to guard against phishing attacks, among them:
- Organizations should train their staff to recognize the common phrases used in phishing attacks, and notify their clients of them as well.
- Organizations should obtain a blocklist of known phishing sites.
- Organizations should place notices on their websites warning staff and clients about current phishing campaigns.
- Organizations should configure company email accounts to reply automatically with a warning about phishing attacks.
- Organizations should have a security team ready to tackle phishing attacks against staff or clients.
- Organizations should have a dedicated email address for reporting phishing activity that goes straight to the security team.
- Organizations should train their call centre or helpdesk staff to liaise closely with the security team to help staff and clients affected by phishing attacks.
- An organization should tell all its staff that, as a matter of policy, it will never ask for passwords by phone or by email. This is the "No Credential Request Policy".
- Organizations are advised to implement a "Password of the Day": a communication code exchanged before any conversation by phone or email, to confirm that you are speaking to a genuine member of staff and not an impostor. The password can be changed at intervals.
- Organizations should maintain clear and constant communication with their clients and staff, because the more they know, the less likely they are to be phished.
- The organization's online security team should be trained regularly and stay up to date on recent phishing attacks.
- The security team should regularly monitor the web and email servers.
- Organizations should train their staff and customers to recognize valid websites.
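The training items above (urgency phrases, requests for PINs and passwords) together with two tricks visible in the mail itself, a link whose visible text names the bank while its href points elsewhere, and a Reply-To on a different domain from the sender, can be expressed as triage rules the security team's reporting mailbox runs over forwarded messages. The following is an added example, not code from the article; the two messages and the "mybank.com.ng" institution are constructed for it, and the phrase lists are a starting point rather than a complete rule set.

```python
"""Triage of a forwarded e-mail: urgency wording, credential requests, link
text/href mismatch and Reply-To mismatch.  Added example; the messages and
the institution are constructed for it."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

URGENCY_PHRASES = ("immediately", "within 24 hours", "deactivated",
                   "suspended", "closing tomorrow")
CREDENTIAL_WORDS = ("pin", "password", "cvv", "token")
# A host name, optionally preceded by a scheme, inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message; each matched rule adds a reason string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = (str(msg["Subject"] or "") + " " + text).lower()
    reasons = []

    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            reasons.append("urgency:" + phrase)
    for word in CREDENTIAL_WORDS:
        if re.search(r"\b" + word + r"\b", lowered):
            reasons.append("asks-for:" + word)

    # Visible link text naming one host while the href points to another.
    collector = LinkCollector()
    collector.feed(text)
    for href, label in collector.links:
        href_host = urlsplit(href).hostname or ""
        m = HOST_RE.search(label.lower())
        if m and href_host and m.group(1) != href_host:
            reasons.append(f"link-mismatch:{m.group(1)}->{href_host}")

    # Replies routed to a domain other than the sender's.
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to-mismatch:{from_domain}->{reply_domain}")

    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages (hypothetical institution mybank.com.ng).
SAMPLE_PHISH = """\
From: MyBank Security <alerts@mybank.com.ng>
Reply-To: support@mybank-verify.example
To: customer@example.org
Subject: Your account will be immediately deactivated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your ATM card has been deactivated. Verify your account
within 24 hours or it will be suspended.</p>
<p>Login at <a href="https://mybank.com.ng.account-verify.example/login">https://www.mybank.com.ng/login</a>
and enter your PIN and token password.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: MyBank Newsletter <news@mybank.com.ng>
To: customer@example.org
Subject: Monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement for March is available in the app.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
    print(triage(SAMPLE_LEGIT))
```

The score is only a ranking aid for the reporting mailbox: the link and Reply-To mismatches are strong signals on their own, while the phrase lists mostly serve to surface messages for a human to look at.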
In the light of all that has been said, organizations should understand that phishing attacks posing as their official website diminish their brand value and deter customers from using the site for fear of becoming fraud victims. An organization also faces a drop in online revenue or usage from decreased customer trust, and legal fees when clients who fell victim choose to take legal action.
Finally, I am always glad to be helpful, and the only help you can render now is to spread this message like the gospel of Moses. This is my contribution as a Nigerian to help weed Nigeria of Internet career criminals, and to this I am committed.
About the Author
Ahmed Aliyu is the author of the book Hack No More.