[Securing Internet Banking] Part 4 – Phishing

Phishing is probably the most well-known and familiar method used to compromise Internet banking sites. The Gartner Group estimated the direct phishing-related loss to US banks in 2003 at $1.2 billion, though indirect losses are much higher. The word ‘phishing’ comes from the analogy that Internet scammers use email lures to ‘fish’ for passwords and financial data from the sea of Internet users[1]. The term was coined around 1996 by crackers who were stealing America Online accounts by scamming passwords from unsuspecting AOL users[2].

There are various phishing methods, but at a basic level phishing tries to get the Internet user to reveal personal, financial or password information by pretending to be something else. The phisher will usually pretend to be the official website of the bank or organization and tries to persuade the Internet user, through fear, threats or appeals to greed, to reveal his personal details.

A typical trick is to send an official-looking email or instant message to a bank customer that links to a website which looks like the actual Internet banking application but is in fact a replica of it. The replica is designed to steal passwords when the bank customer tries to log into the Internet banking application. The replica can be identical to the original website, down to images that are linked directly from the original website. The only difference may be that any form submitted from that website is posted to a different application than expected, one which harvests the personal and confidential information of the bank customer.

Figure 1 – Typical phishing attack

If done well, the bank customer will not even realise that he has been ‘phished’, as the fake application will redirect him to the real application. Phishing is not unique to Internet banking – it is widespread across many Internet-based applications, including PayPal and eBay, and the information that is phished ranges from credit card numbers to bank account numbers to identification numbers such as social security or passport numbers.

Most methods of phishing use some form of diversionary deception that tricks the user into believing that the email or website belongs to the actual organization. Phishers often use misspelled URLs or sub-domains (Table 1 gives examples). Another common trick uses the @ symbol. In URL syntax the @ separates a username and password from the actual host. A casual observer might assume that the part before the @ is the bank’s website, whereas the browser actually connects to the scam website named after the @, which replicates the bank’s website. A variant of this trick inserts a null or other unprintable character before the @ symbol, which prevents the host information from being displayed in the address bar. These methods have since been closed off in newer browsers. In a simpler trick, some phishers do not even use a domain name; instead they use an IP address, which normal Internet users will not check for validity.

Type of deception     Example
Misspelled URL        http://www.c1t1bank.com
Sub-domain            http://www.citibank.com.fakesite.com
Using @               http://www.citibank.com@fakesite.com
Using @ with null     http://www.citibank.com%00@fakesite.com (will be shown as http://www.citibank.com)
Using IP address      http://

Table 1 – Common URL deceptions
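As an added example (not part of the original article), the following Python script classifies a URL against the deception types in Table 1. It assumes the customer expects to reach citibank.com, the example domain from the table, and uses only the standard library; the lookalike threshold and the two-label "registrable domain" rule are simplifications.

```python
from difflib import SequenceMatcher
from ipaddress import ip_address
from urllib.parse import urlsplit

# The domain the customer expects to reach. citibank.com and fakesite.com are the
# illustrative domains from Table 1, used here only as sample input.
EXPECTED_DOMAIN = "citibank.com"


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('www.citibank.com' -> 'citibank.com').
    Adequate for .com-style zones; real tooling needs the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address instead of a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def classify_url(url: str) -> list:
    """Return the Table 1 deception types found in a URL; [] means it looks normal."""
    findings = []
    # Inspect the raw string first: urlsplit silently drops \t, \r and \n.
    if "%00" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        findings.append("unprintable-character")
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        # Everything before '@' is userinfo; the browser connects to what follows it.
        findings.append("userinfo-before-at")
    if is_ip_literal(host):
        findings.append("ip-address-host")
    elif registrable_domain(host) != EXPECTED_DOMAIN:
        if EXPECTED_DOMAIN in host:
            findings.append("expected-domain-as-subdomain")
        elif SequenceMatcher(None, registrable_domain(host), EXPECTED_DOMAIN).ratio() >= 0.8:
            findings.append("lookalike-domain")
        else:
            findings.append("unexpected-domain")
    return findings

if __name__ == "__main__":
    for u in ("http://www.citibank.com/login", "http://www.c1t1bank.com",
              "http://www.citibank.com.fakesite.com", "http://192.0.2.10/"):
        print(f"{u:40} -> {classify_url(u) or ['ok']}")
```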

These methods work on some users because links are more often clicked than typed (and are designed to be), and there is no correlation between the text shown on a page and the actual link it goes to when clicked, other than a small status bar display at the bottom of the browser.

Slightly more sophisticated tricks use JavaScript, the client-side scripting language used by many web applications, for various kinds of deceptive hiding or camouflage. For example, the phisher might use the onMouseOver event handler to show a fake URL in the status bar. Other JavaScript tricks include closing the address bar while the fake site displays a very similar-looking ‘address bar’ that is in fact part of the web page, or opening another, smaller browser window that completely covers the address bar.

Another related phishing attack is IDN spoofing, or a homograph attack[3]. IDN stands for internationalized domain name and is a method that allows characters other than those of the English alphabet to be used in the domain name of a website. However, in some languages certain characters look the same as an English character but in fact represent a different character. For example, газета.ру is the Cyrillic equivalent of gazeta.ru. The Russian letters а, е, р, у are indistinguishable in writing from their English counterparts. Some of the letters (such as a) are close etymologically, while others look similar by sheer coincidence. For instance, the Russian letter р is actually pronounced like the English r, but the glyphs of the two letters are identical. This leads to situations where two URLs look the same in the browser but are in fact completely different websites!

Many people make the mistake of assuming that phishing attacks on Internet banking services cause no harm if no unauthorized transactions or funds transfers occur. Funds transfers are probably the lesser harm, because generally if money is taken from an account the account owner will know relatively quickly and act to stop the transfer or prevent further harm. Also, funds transfers normally go to another bank account and are often traceable and recoverable.

The greater harm comes in the form of identity theft activities. The phished account might be used for money laundering or other illegal activities. Other information might also be extracted, such as credit card information and account and personal details. There is also evidence that ATM cards are falsely reproduced from information ‘phished’ from the unsuspecting victim[4]. The kind and extent of the damage are not immediately evident and can lie dormant for a long period of time, which makes it very difficult to trace and stop these illegal activities. For example, money can be transferred from a compromised larger corporate account to more than one phished account, after which ATM card transactions and withdrawals can be made throughout the country or even outside it using cross-border electronic funds transfer facilities such as PLUS or Maestro.

Phishers usually actively target multiple systems and organizations at the same time, and are well organized[5]. There is also evidence that organized crime is increasingly active in phishing and that a thriving market for trading phished data exists[6]. Amateur phishers who were previously balked by their inability to convert the data into monetary benefits are now able to … Phishing was originally predominantly carried out by amateurs and adolescents, but this activity has ‘grown up’ and is considered one of the more dangerous online security threats[7].

[1] From Word Spy at http://www.wordspy.com/words/phishing.asp

[2] From the Anti-Phishing Working Group at http://www.antiphishing.org/word_phish.html

[3] See Evgeniy Gabrilovich and Alex Gontmakher, The Homograph Attack, Communications of the ACM 45(2): 128 (February 2002), and Eric Johanson, The State of Homograph Attacks Rev 1.1, The Shmoo Group (URL accessed on August 11, 2005).

[4] See Christopher Abad, The Economy of Phishing: A survey of the operations of the phishing market (2005) at http://www.firstmonday.org/issues/issue10_9/abad/

[5] See The Honeypot Project & Research Alliance, Know Your Enemy: Phishing (2005) at http://www.honeynet.org/papers/phishing/

[6] Id.

[7] See the Anti-Phishing Working Group at http://www.antiphishing.org