SANS Top-20 Internet Security Attack Targets: Users (Phishing/Spear Phishing) Attacks (1/2)

Users (Phishing/Spear Phishing) Attacks
b.1 Description

The word "phishing" was first used around 1996, when hackers began stealing America On-Line accounts by sending AOL users email that appeared to come from AOL. Phishing attacks now target users of online banking, payment services such as PayPal, and online e-commerce sites. Phishing attacks are growing quickly in number and sophistication. In fact, since August 2003, most major banks in the USA, the UK and Australia have been hit with phishing attacks.

Password/PIN Phishing

Phishers send email to lure you to a web site where you are fooled into exposing your banking information so they can take the money in your account. They can also use the same technique to obtain data on your online accounts such as Hotmail, Yahoo, and eBay. Once they have your user name and password, the phishers will attempt to obtain the victim's billing information. Once someone gets into your eBay account, for example, they have access to your past and current transactions, personal information such as your PayPal billing information, and your physical address.

VoIP Phishing

A newer form of phishing replaces the web site with a telephone number. In this form of phishing, an email tells you to call a specific number where an audio response unit, at the end of a compromised VoIP phone line, waits to take your account number, personal identification number, password, or other valuable personal data. The person or audio unit on the other end of the VoIP phone line might claim that your account will be closed or that other problems will occur if you don't respond.

Spear Phishing

Spear phishing is a highly targeted phishing attack. Spear phishers send e-mail that includes information about staff or current organizational issues, which makes it appear genuine to employees or members of a particular company, government agency, organization, or group. The message may look like it comes from your employer or from a colleague who would plausibly e-mail everyone in the company, such as the head of human resources or the person who manages the computer systems, and it may include requests for user names or passwords. Spear phishing has become one of the most damaging forms of attack on military organizations in the US and other developed countries. Attackers gain user name and password information and then break in to exfiltrate sensitive military information.

b.1 How to Prevent Phishing Attacks

The most promising method of stopping spear phishing is continuous periodic exercises for all your users in which they experience safe phishing. A child often learns not to touch a stove after he has burnt his finger. By making the phishing experience illuminating, but not too painful, you can get the same effect without doing real damage.

A second defense is universal two-factor authentication. If your organization is not economically strong and cannot afford two-factor authentication, another method used to prevent phishing and other types of compromise is the implementation of verification tools such as secret images and/or challenge questions.

Secret images work by having a user select one or more images in advance. The images are known only to the customer and the authenticator. The process works by showing these images to the end user before any secret is entered; the end user should be instructed that when the expected image is not present, the site is NOT legitimate, and to contact a customer service representative as soon as possible.

Challenge questions work by having a user select multiple secret questions in advance, the answers to which only the customer and the authenticator know. When authenticating, the users are challenged with one of these questions and must respond with the predefined answer.
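The secret-image and challenge-question flow described above, as an added example that is not part of the SANS page: a constructed `ChallengeAuthenticator` that shows the enrolled image after the user name alone (phase 1), then verifies a randomly chosen challenge question against a salted, hashed answer (phase 2). All names, image IDs and questions are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise whitespace and case so "  REX " and "rex" match, then stretch
    # the answer with PBKDF2 so a stolen record does not reveal it directly.
    norm = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode("utf-8"), salt, 100_000)


class ChallengeAuthenticator:
    """Secret image + challenge questions (constructed demo, not SANS code)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def enroll(self, user: str, image_id: str, qa: Dict[str, str]) -> None:
        # Store the chosen image and hashed answers; one salt per user.
        salt = os.urandom(16)
        self._users[user] = {
            "image": image_id,
            "salt": salt,
            "answers": {q: _hash_answer(a, salt) for q, a in qa.items()},
        }

    def secret_image(self, user: str) -> Optional[str]:
        """Phase 1: after only the user name is entered, return the enrolled
        image. A forged site cannot show it, so its absence is the user's cue."""
        rec = self._users.get(user)
        return rec["image"] if rec else None

    def pick_challenge(self, user: str) -> str:
        """Phase 2: choose one enrolled question at random for this login."""
        return secrets.choice(list(self._users[user]["answers"]))

    def verify(self, user: str, question: str, answer: str) -> bool:
        # Unknown user or question that was never enrolled: always fail.
        rec = self._users.get(user)
        if rec is None or question not in rec["answers"]:
            return False
        got = _hash_answer(answer, rec["salt"])
        # Constant-time comparison of the two hashes.
        return hmac.compare_digest(got, rec["answers"][question])
```

The image check only helps if users are trained to stop when the image is missing, which is why the page pairs it with the phishing exercises above.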






