Core

Essential
Joined
21.09.20
Messages
85
Reaction score
261
Points
53

Types of phishing


What is it?
Phishing is a type of email distribution under the name of a popular brand or social network administration. The goal is to get encrypted user data.
This is a subspecies of social engineering that relies on users ' poor knowledge of Internet security.

In practice, I have encountered three types of phishing:

  • Online - using an identical design and a similar domain;
  • Mail - creating emails with a fake string on behalf of any organization;
  • Combined - designing a fake site where a person must enter all the information themselves.
Most of the techniques are limited to distributing masked links.

A common trick is to use images instead of text. The security systems of some web resources do not recognize spam or threats in them. This way you can bypass the lock. But now there are servers that scan text on an image. This complicates our task.

Today, several types of phishing have appeared:

Vishing is the use of Internet telephony to transfer Bank funds to malicious accounts. The essence is quite simple: the Fraudster calls from an unknown number, confuses the client, and at the end asks for confirmation of the data - account number, password, code word, PIN code, etc.

Smishing - fraud by SMS. The phone receives a message supposedly from the Bank or the site administrator. The victim is asked to go to the specified web resource and enter data for initialization.

Pharmacy services - this method involves replacing the DNS address. When clicking on the "original" address, the user is redirected to the fake page. It is very difficult to recognize a fake in this case.

The most common form of phishing at the moment is mass mailing. It's effective because it doesn't have a specific purpose. If the attack is directed at one person, they may simply have doubts and not go to the fake page. This means that there will be no result. But when a large group of people is attacked, someone is bound to get caught.

How is it applied?
I want to explain the method to you:

  • The hacker sends the victim an email with a link to a fake site;
  • The victim goes to;
  • Enters all personal data without suspecting anything;
  • The attacker gets the information, and someone else's page is in his hands.
A fake site must be an exact copy of the original one, so that the person does not suspect anything. The domain must also be similar to the original one. For example: vk.com - inf.vk.com.

An important role in this operation is played by the email containing the link. It should be appropriately designed to inspire confidence. They often send a message under the guise of administration. Use prepositions such as:

  • Your page will be frozen;
  • Suspicious activity detected on your page;
  • Go through re-identification to secure your account.
In addition, they send messages on behalf of banks, well-known companies, or with offers to buy something at a discount.

Example:
"In our online store today discounts up to 60%! Have time to buy products at ridiculous prices! To get a discount coupon for all products of the store, just log in to the site via the social network and log in to your personal account!".

The secret of success is in the email that the hacker sends. It carries a large semantic load, so it should be as convincing as possible for the user. You should take a closer look at the style of letters from the administration. You can't make mistakes, it will immediately give out a fake. It is necessary to use strong arguments so that the user enters all the data without hesitation.

How can I help you?

The method is quite simple, but does it bring results? Let's discuss what it can give us:
  • Personal data (username and password) of a specific person;
  • Information for filling in a special database that is created for the purpose of subsequent sales;
  • Information about Bank cards;
  • Access to other people's accounts.
However, it should be noted that 100% of the result is not worth waiting for. Especially if you need a specific person's password. Not everyone is careless about information security. Even if you follow all the necessary precautions, a person may not click on the link. But the technique will work if it is aimed at a person who is ignorant and poorly versed in social networks. Some people also go to the address due to inattention.

Advantages of this method:


  • Easy to use, even a beginner can handle it;
  • This method is still quite effective, especially if you do mass mailing;
  • No programming skills required;
  • With a responsible attitude, the probability of a positive outcome increases.

Disadvantages:


  • Efficiency has been declining in recent years due to user awareness;
  • Social media security systems recognize phishing emails as spam and block them;
  • The method may not bring the expected result;
  • Information security filters can detect a fake site and remove it.
The method is becoming more sophisticated every day, changing, and taking on new forms. But the security systems of social networks also do not stand still. Therefore, when using this method of extracting information, think carefully about the strategy of actions.
 
Top Bottom