Module 5
Phishing and Identity Theft
Syllabus:
Module 5: Phishing and Identity theft: Introduction, Phishing,
Methods of Phishing, Phishing Techniques, Identity theft,
Types of Identity theft, Techniques of ID theft, Identity theft:
Countermeasures.
SLT: Personally Identifiable Information
Introduction:
• Phishing is one of the methods towards enticing netizens to reveal their
personal information that can be used for identity(ID) theft.
• ID theft involves unauthorised access to personal data.
• Section 66C of the Indian IT Act states that “whosoever fraudulently or
dishonestly makes use of the electronic signature, password or any other
unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to 3 years
and shall also be liable to fine which may extend to ₹1,00,000”.
• Section 66D of the Indian IT Act states that “whoever, by means of any
communication device or computer resource, cheats by personation, shall
be punished with imprisonment of either description for a term which may
extend to 3 years and shall also be liable to fine which may extend to
₹1,00,000”.
• “Phishing” is the use of social engineering tactics to trick users into revealing
confidential information.
• Statistics about Phishing attacks/scams show Phishing to be the most
dangerous among all such methods/techniques, because the prime
objective behind these attacks is ID theft.
1. The world Phishing map available at www.avira.com illustrates that
phishing attacks are on the rise, with most of them in Asia, Europe and North America.
2. The graphical illustrations available on www.m86security.com exhibit the
following facts:
  • The continent of origin from which phishing E-Mails are sent is monitored.
  • Facebook, HSBC, PayPal and Bank of America are the most targeted
    organizations in Phishing attacks.
  • The US, India and China are the countries most targeted for launching
    Phishing attacks.
3. Phishing attacks are monitored on a daily basis and displayed on
www.phishtank.com. The statistics displayed are “Phishes verified as valid” and
“suspected phishes submitted”.
4. According to the May 2009 Phishing Monthly Report compiled by the Symantec
Security Response Anti-Fraud Team, a total of 3650 non-English Phishing
websites were recorded in the month of May 2009; of these, French-language
Phishing sites were the most frequently recorded, followed by websites in
Italian and Chinese.
5. The Phishing Activity Threat Report of Q4-2009 published by the Anti-Phishing
Working Group (APWG) states the Phishing attack trends and statistics for the
quarter. It is important to note that:
  • Financial organizations, payment services and auction websites are ranked
    as the most targeted industries.
  • Port 80 is found to be the most popular port in use, followed by Port 443
    and Port 8080, among all the Phishing attacks.
Phishing:
1. Wikipedia: It is the criminally fraudulent process of attempting to
acquire sensitive information such as usernames, passwords and credit
card details by masquerading as a trustworthy entity in an electronic
communication.
2. Webopedia: It is an act of sending an E-mail to a user falsely claiming to
be an established legitimate enterprise in an attempt to scam the user
into surrendering private information that will be used for ID theft.
3. TechEncyclopedia: It is a scam to steal valuable information such as
credit card and Social Security number (SSN), user IDs and passwords. It
is also known as “brand spoofing”.
• E-Mail is the most popular medium used in Phishing attacks, and such
E-Mails are also called Spam; however, not all E-Mails are Spam.
• There are 2 types of E-Mails:
1. Spam E-Mails
2. Hoax E-Mails
1. Spam E-Mails:
• Also known as “junk E-Mails”, they involve nearly identical messages sent
to numerous recipients.
• Spam E-Mails have steadily grown since the early 1990s.
• Botnets, i.e. networks of virus-infected computers, are used to send about
80% of Spam.
• Types of Spam E-Mails are as follows:
a) Unsolicited bulk E-Mail (UBE): a synonym for Spam, i.e. unsolicited E-Mail
sent in large quantities.
b) Unsolicited commercial E-Mail (UCE): unsolicited E-Mails sent in large
quantities from a commercial perspective, for example, advertising.
• Spam E-Mails have proved to be a popular medium for phishers to scam users
into entering personal information on fake websites, using E-Mails forged to
look as if they come from a bank or another organization such as:
I. HSBC, Santander, CommonWealthBank
II. eBay
III. Amazon
IV. Facebook
• To maximize the chances that a recipient will respond, the phisher might
employ any or all of the following tactics:
1. Names of legitimate organizations
2. ‘From’ a real employee
3. URLs that ‘look right’
4. Urgent messages
• Examples of phrases:
1. ‘Verify your account’.
2. ‘You have won the lottery’.
3. ‘If you don’t respond within 48 hours, your account will be closed’.
• The ways to reduce the amount of Spam E-Mails we receive:
1. Share your personal E-Mail address with only a limited number of people
and limit its exposure on public websites; the more it is exposed to the
public, the more Spam E-Mails will be received.
2. Do not forward any E-Mails from unknown senders.
3. Never use your E-Mail address as the screen name in chat groups or rooms.
4. Never reply to or open any Spam E-Mail. Any Spam E-Mail that is opened
or replied to informs the phishers not only of your existence but also of
the validity of your E-Mail address.
5. Use alternate E-Mail addresses to register for any personal or shopping
website. Never use business E-Mail addresses for these sites; rather use
free E-Mail addresses from Yahoo, Hotmail or Gmail.
6. Make a habit of previewing an E-Mail before opening it.
2. Hoax E-Mails:
• These are deliberate attempts to deceive or trick a user into believing or
accepting that something is real when the hoaxer knows it is false.
• Hoax E-Mails may or may not be Spam E-Mails. It is sometimes difficult to
recognize whether an E-Mail is ‘Spam’ or a ‘hoax’.
• The websites mentioned below can be used to check the validity of such
‘Hoax’ E-Mails, for example, chain E-Mails.
a. www.breakthechain.org
b. www.hoaxbestos.org
Methods of Phishing:
• The most frequent methods used by phishers to entice netizens into
revealing their personal information on the Internet are:
1. Dragnet
2. Rod-and-Reel
3. Lobsterpot
4. Gillnet
1. Dragnet:
• This method involves the use of spammed E-Mails, bearing falsified
corporate identification, which are addressed to a large group of people and
direct them to websites or pop-up windows with similarly falsified identification.
• Dragnet phishers do not identify specific prospective victims in advance.
• Instead, they rely on false information included in an E-Mail to trigger an
immediate response by victims, typically clicking on links in the E-Mail.
2. Rod-and-Reel:
• In this method, phishers identify specific prospective victims in advance,
and convey false information to them to prompt their disclosure of
personal and financial data.
3. Lobsterpot:
• This method focuses on the use of spoofed websites.
• It consists of creating bogus/phony websites, similar to legitimate
corporate ones, which a narrowly defined class of targeted victims is
likely to seek out.
• Other attacks launched on legitimate websites to grab the user’s
personal information are website spoofing, cross-site scripting and
cross-site request forgery.
• These attacks are also known as ‘content injection Phishing’.
4. Gillnet:
• This technique relies far less on social engineering techniques; phishers
introduce malicious code into E-Mails and websites.
Phishing Techniques:
• The common techniques used by phishers to launch phishing attacks are:
1. URL (weblink) Manipulation
2. Filter Evasion
3. Website Forgery
4. Flash Phishing
5. Social Phishing
6. Phone Phishing
1. URL (weblink) manipulation:
• URLs are the weblinks that direct netizens/users to a specific website.
• In a phishing attack, these URLs are usually supplied misspelled; for
example, instead of www.abcbank.com the URL is provided as
www.abcbank1.com.
• Phishers use the lobsterpot method of Phishing and make a difference of
one or two letters in the URL, which is ignored by netizens.
• This small change makes a big difference, as it directs the user to a fake
or bogus website or webpage.
2. Filter Evasion:
• This technique uses graphics (i.e., images) instead of text so that such
E-Mails are not netted by anti-phishing filters.
• Normally, these filters are built into the web browsers. For example:
  • Internet Explorer version 7 has the inbuilt Microsoft phishing filter.
  • Firefox 2.0 and above has the inbuilt Google phishing filter.
  • The Opera phishing filter is dubbed Opera Fraud Protection and is
    included in version 9.5+.
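Because a text-based filter has nothing to match in an image-only message, one defensive heuristic is to flag E-Mails that carry images but almost no readable text. The script below is an added example, not code from the original notes; the message it builds is a constructed sample (the PNG bytes are a placeholder, not a real image) and the 40-character threshold is an assumption.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

TAG_RE = re.compile(r"<[^>]+>")


def text_image_profile(msg):
    """Return (readable_text_chars, image_parts) for a parsed message."""
    text_chars, image_parts = 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body = TAG_RE.sub(" ", body)  # count only what the reader sees
            text_chars += len("".join(body.split()))
    return text_chars, image_parts


def profile_raw(raw_bytes):
    """Parse a message as received on the wire and profile it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return text_image_profile(msg)


def looks_image_only(raw_bytes, min_text_chars=40):
    """Heuristic: images present but too little text for a content filter to scan."""
    text_chars, image_parts = profile_raw(raw_bytes)
    return image_parts > 0 and text_chars < min_text_chars


def build_sample(image_only):
    """Constructed sample message (not a real E-Mail); returns the raw bytes."""
    msg = EmailMessage()
    msg["From"] = "alerts@abcbank.example"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Account notice"
    if image_only:
        # The whole "message" is one inline picture; the HTML carries no words.
        msg.set_content('<html><body><img src="cid:notice"></body></html>', subtype="html")
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # placeholder bytes, not a valid image
        msg.add_related(fake_png, maintype="image", subtype="png", cid="<notice>")
    else:
        msg.set_content("Your statement for May is now available in online banking.")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        label = "image-only sample" if flag else "plain-text sample"
        print(label, "->", looks_image_only(build_sample(flag)))
```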
3. Website Forgery:
• In this technique, the phisher directs netizens to a website designed and
developed by him and gets them to log in to it, while altering the browser
address bar through JavaScript commands.
• As the user logs into the fake or bogus website, the phisher gets the
confidential information very easily.
• Another technique used is known as “cloaked” URLs: domain forwarding and/or
inserting control characters into the URL while concealing the website (weblink)
address of the real website.
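Both the misspelled look-alike URL from the URL manipulation technique above (www.abcbank.com versus www.abcbank1.com) and the “cloaked” URL described here can be caught by inspecting a link before it is followed. The checker below is an added example, not code from the original notes; the list of known legitimate hostnames is a constructed placeholder, and the distance threshold of two edits is an assumption.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of legitimate hostnames (placeholder, not a real bank).
KNOWN_HOSTS = ("www.abcbank.com", "abcbank.com")


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url, known_hosts=KNOWN_HOSTS, max_distance=2):
    """Return the reasons a link looks like a phishing URL; an empty list means no finding."""
    findings = []
    # Check the raw string first: urlsplit silently drops some control characters,
    # so a check on the parsed result alone would miss them.
    if any(unicodedata.category(ch).startswith("C") for ch in url):
        findings.append("control character present in URL")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # "Cloaked" URL: text before '@' is user-info, so the real destination is the
    # host after the '@', not the familiar name in front of it.
    if parts.username is not None:
        findings.append(f"user-info before '@' hides the real host {host!r}")
    # Non-ASCII letters in the host can be look-alikes (homoglyphs) of Latin letters.
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII character in hostname (possible homoglyph)")
    # Look-alike: not a known host, but within a letter or two of one.
    if host and host not in known_hosts:
        for good in known_hosts:
            distance = edit_distance(host, good)
            if distance <= max_distance:
                findings.append(f"hostname {host!r} is {distance} edit(s) from {good!r}")
                break
    return findings


if __name__ == "__main__":
    for link in ("http://www.abcbank.com/login", "http://www.abcbank1.com/login",
                 "http://www.abcbank.com@203.0.113.5/login"):
        print(link, "->", inspect_url(link) or "no finding")
```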
4. Flash Phishing:
• Anti-phishing toolbars are installed/enabled to help check webpage content
for signs of phishing, but they have the limitation that they do not analyse
Flash objects at all.
• Phishers use Flash to emulate the legitimate website. Netizens believe that
the website is ‘clean’ and is the real website because the anti-phishing
toolbar is unable to detect it.
5. Social Phishing:
• Phishers entice netizens to reveal sensitive data by other means, and it
works in a systematic manner:
a) The phisher sends a mail as if it were sent by a bank, asking the recipient
to call them back because there was a security breach.
b) The victim calls the bank on the phone number displayed in the mail.
c) The phone number provided in the mail is a false number and the victim
gets directed to the phisher.
d) The phisher speaks with the victim in a similar fashion to a bank
employee, asking the victim to verify that he or she is a customer of the bank.
e) The phisher gets the required details swimmingly.
6. Phone Phishing:
• We know about ‘Mishing’, i.e. mobile phone attacks (Vishing and Smishing);
besides such attacks, a phisher can use fake caller ID data to make it
appear that the call is received from a trusted organization, to entice the
user into revealing personal information such as account numbers and
passwords.
Identity Theft (ID Theft):
• This term is used to refer to fraud that involves someone pretending
to be someone else to steal money or get other benefits.
• The person whose identity is used can suffer various consequences
when he or she is held responsible for the perpetrator’s actions.
• According to a 2010 report published by Javelin Strategy and Research,
the number of “identity fraud victims” increased by 12% during
2009, and the “amount of fraud” increased by 12.5%.
• The key statistics noted about total identity frauds in the US are as
mentioned below.
• The Federal Trade Commission (FTC) has provided the statistics about each
one of the identity frauds, mentioning the prime frauds presented below.
• Personally Identifiable Information (PII):
• The fraudster always has an eye on information which can be used to
uniquely identify, contact or locate a single person, or can be used with
other sources to uniquely identify a single individual.
• The fraudster attempts to steal the elements mentioned below, which serve
the purpose of distinguishing an individual identity:
1. Full Name;
2. National identification number;
3. Telephone number and mobile phone number;
4. Driver’s license number;
5. Credit card numbers;
6. Digital Identity;
7. Birth date/birth day;
8. Birthplace;
9. Face and fingerprint.
• The information can be further classified as
a) Non-classified and
b) Classified
Non-classified Information:
1. Public information
2. Personal information
3. Routine business information
4. Private information
5. Confidential business information
Classified Information:
1. Confidential
2. Secret
3. Top Secret
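A defender looking for the PII elements listed above (here credit card numbers, telephone numbers and birth dates) in stored or outbound text can combine pattern matching with the Luhn check that separates a real card number from any other run of digits. The scanner below is an added example, not code from the original notes; the record it scans is constructed sample data, and the Indian-style phone format and DD/MM/YYYY date format are assumptions.

```python
import re

# Constructed sample record (fictitious data, not a real person or card).
SAMPLE_RECORD = """Name: Asha Rao
Card: 4539 1488 0343 6467
Phone: +91 98765 43210
DOB: 14/07/1988
Note: invoice ref 1234 5678 9012 3456 is still unpaid"""

# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed phone format: optional country code, then two groups of five digits.
PHONE_RE = re.compile(r"(?<!\d)(?:\+\d{1,3}[ -]?)?\d{5}[ -]?\d{5}(?!\d)")
# Assumed date-of-birth format: DD/MM/YYYY.
DOB_RE = re.compile(r"(?<!\d)\d{2}/\d{2}/\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; True when the number is well-formed."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_pii(text):
    """Return (findings, redacted_text); findings are (kind, matched_value) pairs."""
    findings = []

    def card_sub(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):  # an invoice number is not a card number
            return match.group()
        findings.append(("credit_card", match.group()))
        return "[CARD ****" + digits[-4:] + "]"

    def tag(kind, placeholder):
        def sub(match):
            findings.append((kind, match.group()))
            return placeholder
        return sub

    # Cards first, so a card's digit groups are never re-read as a phone number.
    text = CARD_RE.sub(card_sub, text)
    text = PHONE_RE.sub(tag("phone", "[PHONE]"), text)
    text = DOB_RE.sub(tag("dob", "[DOB]"), text)
    return findings, text


if __name__ == "__main__":
    found, cleaned = scan_pii(SAMPLE_RECORD)
    for kind, value in found:
        print(f"{kind}: {value}")
    print(cleaned)
```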
Types of Identity Theft:
1. Financial identity theft;
2. Criminal identity theft;
3. Identity cloning;
4. Business identity theft;
5. Medical identity theft;
6. Synthetic identity theft;
7. Child identity theft.
1. Financial Identity Theft:
• Financial ID theft includes bank fraud, credit card fraud, tax refund fraud,
mail fraud and several more.
• Financial identity theft occurs when the fraudster makes use of someone
else’s identifying details, such as name, SSN and bank account details, to
commit fraud that is detrimental to the victim’s finances.
2. Criminal Identity Theft:
• It involves taking over someone else’s identity to commit a crime such as
entering a country, getting a special permit, hiding one’s own identity or
committing acts of terrorism.
• These criminal activities can include:
1. Computer and cybercrimes;
2. Organized crime;
3. Drug trafficking;
4. Alien smuggling;
5. Money laundering.
3. Identity Cloning:
• Instead of stealing the personal information for financial gain or
committing crimes in the victim’s name, identity clones compromise the
victim’s life by actually living and working as the victim.
• An identity clone will obtain as much information about the victim as
possible.
• They will look to find out what city and state the victim was born in, what
street he or she grew up on, where he or she attended school and what
relationships he or she may have been involved in, etc.
4. Business Identity Theft:
• ‘Bust-out’ is one of the schemes fraudsters use to steal a business identity;
business ID theft is given less importance in comparison with individual ID theft.
• Business Sensitive Information(BSI) is the information about the
business/organization, privileged in nature which, if it is compromised
through alteration, corruption, loss, misuse or unauthorized disclosure
could cause serious damage to the organization.
• Identity theft in the business context occurs most often when someone
knocks off the victim’s product and masquerades their shoddy goods as
victim’s. It is a kind of intellectual property theft.
• The consequences of business ID theft may be disastrous for the business,
such as being forced out of the market and damage to its reputation, and
hence it is extremely important to employ countermeasures against such
attacks.
5. Medical Identity Theft:
• Healthcare facilities today are very different from how they operated a
decade back.
• There are greater opportunities for protected health information to change
hands when multiple agencies are connected over computer networks and
the Internet, for example medical representatives, health officers, doctors,
medical insurance organizations, hospitals, etc.
• Medical facility providers are moving from cumbersome paper records to
electronic records that are faster and easier to file and trace; however, the
concern over medical ID theft is growing.
• The stolen information can be used by the fraudster or sold on the black
market to people who ‘need’ it. This could lead to many more cases.
• According to a 2008 Identity Theft Resource Centre survey, some of the
reasons why medical ID theft is particularly damaging to victims
include:
1. Approximately one-third of the victims of medical ID theft surveyed had
someone else’s medical information or medical history on their
medical record, increasing the possibility of patients being treated
incorrectly because of incorrect medical records.
2. More than 10% of the victims of medical ID theft surveyed were
denied health or life insurance for unexplained reasons.
3. More than two-thirds of the victims surveyed received a bill for medical
services that were provided to an imposter.
6. Synthetic Identity Theft:
• This is an advanced form of ID theft in the ID theft world.
• The fraudster will take parts of personal information from many victims
and combine them.
• The new identity is not any specific person, but all the victims can be
affected when it is used.
7. Child Identity Theft:
• Parents might sometimes steal their children’s identity to open credit
card account, utility accounts, bank accounts, and even to take loans or
secure leases because their own credit history is insufficient or too
damaged to open such accounts.
Techniques of ID Theft:
• Identity theft can affect all aspects of a victim’s daily life and often
occurs far from its victims.
• The attackers use both traditional (human-based) and computer-based
techniques, that is:
1. Human-based Methods
2. Computer-based Techniques
1. Human-based Methods:
• These methods are techniques used by an attacker with no or minimal use
of technology.
a) Direct access to information
b) Dumpster diving
c) Theft of a purse or wallet
d) Mail theft and re-routing
e) Shoulder Surfing
f) False or disguised ATMs(Skimming)
g) Dishonest or mistreated employees
h) Telemarketing and fake telephone calls
2. Computer-based Techniques:
• These techniques are attempts made by the attacker to exploit the
vulnerabilities within existing processes and/or systems.
a) Backup theft
b) Hacking, unauthorized access to systems and database theft
c) Phishing
d) Pharming
e) Redirectors
f) Hardware
Identity Theft: Countermeasures:
• Identity theft is growing day by day, and people think that simple steps
such as keeping their credit card and PIN safe will protect them from ID theft.
• One should always be vigilant and take every key step towards
protecting one’s own identity.