The basic idea

Most people have at some moment received the infamous phishing email in their mailbox. Perhaps it is an email from a Nigerian prince that asks you to transfer a small amount of money, promising a reward later. Or maybe it is an email from a ‘Dankse Bank employee’ asking you to provide your credit card on ‘http://dånsksebånk.dk’.

Whatever variant you have encountered before, the purpose of these so called phishing attacks is to obtain sensitive information through electronic communication. The sensitive information can be anything from passwords to credit card information, or from company secrets to social security numbers.

Perhaps the most well-known variant of a phishing attack is sending legitimately looking emails to a victim. In this email, the victim is asked to enter sensitive information on some website. This website in turn looks very similar to a legitimate website, but is in fact under the control of the attacker - or the phisher.

Phishing techniques

People are more inclined to disclose their social security numbers or creditcard number if they believe that they are actually interacting with a real, legitimate person or website. Phishers use different techniques to improve the realism, or trustworthiness of their phishing attacks, of which the following are just a few examples:

• Spoof the source email address. This means that the email seems to be originating from an email address that the attacker does not actually control. An example would be to send an email with the source email address as ceo@danksebank.dk instead of phisher@evil.com. There exist techniques to prevent email spoofing, but these countermeasures may not always be configured or can be misconfigured. In well protected cases, a phisher may resort to very similar email addresses (such as ceo@danskbank.dk instead of ceo@danksebank.dk)
• Include a link in an email to a legitimate domain instead of some bogus link (such as danskbank.dk instead of evil.com or even IP addresses). When ARP spoofing or DNS spoofing is possible, the phishing email may even contain a link to the actual legitimate domain, and will allow the attacker to redirect all traffic to a web server under his control.
• Hosting a website that looks very similar to a legitimate webserver. For a phisher, it is easy to copy the source HTML and CSS of an existing website to create a visually identical website. Using the techniques described above the attacker then simply has to trick his victims into visiting this copy of a legitimate website and can steal their information.