by: Paul. McFedries
For the past few months I’ve been beta-testing Microsoft Internet Explorer 7.
It comes with a number of new features but, because I’m a language watcher, the feature that most interested me was the Phishing Filter. Huh?
Could Microsoft, as corporate and main-stream as a tech company can get, be using the jargon term phishing in its flagship Web browser?
At first I figured that it must he some sort of internal code name, but no, it’s the actual mass-market name of the feature.
This small ripple in the linguistic pool is a reflection not of a newfound coolness on Microsoft’s part but of the phishing phenomenon itself, particularly how pervasive it has become and how most folks grasp the theory and seriousness of this vulnerability.
‘Phishing” refers to creating a replica of an existing Web page to fool users into submitting personal, financial, or password data to what they think is their bank or a reputable online retailer.
The term comes from the fact that Internet scammers use (increasingly sophisticated) lure s to ‘fish” for users’ sensitive data. Hackers have an endearing tendency to change the letter ‘f” to “ph,” so “fishing” becomes “phishing.”
(The f-to-ph transformation is not new either among hackers; it first appeared in the late 1960s among the hackers of the telephone system, who called themselves phone phreaks. There are still plenty of these phreaks around today, but often their targets are more modern. A good example is VolPhreaking, which involves hacking voice-over-Internet -Protocol telephony systems.)
The most common ploy used by phishers is to copy the page code from a major Web site—such as AOL or eBay—ancl use that code to set up a replica page that appears to be legitimate. (This is why phishing is also called brand spoofing.) Fake e-mail is distributed with a link to this page, which solicits the user’s credit card data or password. (If it’s the latter, then the page is called a password trap.) When the user submits the form, the data go to the scammer, and the user ends up on an actual page from the company’s site, so he or she doesn’t suspect a thing.
The easiest way to detect a phishy phge is to look at the page address. A legitimate page will have the correct domain—such as aol .com or ebay.com—while a spoofed page will have only something ---- such as aol. whatever.com or blab .com/ebay. However, some phishers employ tricks such as domain spoofing, replacing the lowercase letter “L” with the number “1” or the uppercase letter “O” with the number ‘o.” This is also called homograph spoofing or a look-alike attack. A similar ploy is ION spoofing, which uses domain name ambiguities in the user’s chosen browser language. (‘JDN” is short for “international domain names, which refers to domain names written in languages other than English.)
Another good way to detect phishing e—mail is to examine the address of the link that you’re supposed to click on. Again, this address will point to an obviously nonlegitinvtte site. Or will it?
Recent phishing attempts have used a technique called DNS cache poisoning, a Domain Name System exploit where a ‘poisoned” DNS server is Confifured to redirect surfers from a legitimate site to the scammer’s site. Because the switch occurs somewhere in the network between the user’s computer and the Internet at large, it can be very hard to spot.
As people become more aware of phishing, they’re less likely to fall for obvious ploys such as requests for passwords and credit card data. So the world’s dot con artists are revising their schemes to compensate. The latest tool in their nefarious arsenal is spear phishing, which refers to phishing that is targeted at a specific person.
This usually consists of sending an e-mail message that has a subject line, body text, and return address that make it appear as though it were sent by someone the recipient knows . For example, you might get a message that appears to come from the head of your IT department, requesting that you visit a particular site to update your password.
Another reason people are less likely to fall for a phishing scam is that really big corporations are doing a better job of warning their customers and teaching them how to spot fraudulent requests. Scammers are hip to this, so they’re trying a new tactic: targeting smaller companies that might not do as good a job warning their customers. These smaller-scale attacks are called puddle phishing.
Phishers are also breaking out of the “fake e-mail and Web site” paradigm and turning to fraudulent phone calls that attempt to con people out of sensitive data such as their credit card’s three—or four—digit security number. This is called phone phishing.
So Microsoft is right to include antipbishing technology in Internet Explore r 7 because clearly we need all the help we can get. Maybe the folks there will really get into the spirit of things and hack the company’s name, too . Microsopht, perhaps?
PAUL MCFEDRIES is a technical
and language writer with more than
40 books to his credit . He also run Word Spy, a Web site and mailing
list that tracks new words and phrases
IEEE Spectrum Magazine
April 2006. NA (pg. 80)
Church of the Science of God
La Jolla, California 92038-3131
© Church of the Science of GOD, 1993