Gone Phishin'

For the past few months I've been beta-testing Microsoft Internet Explorer 7. It comes with a number of new features but, because I'm a language watcher, the feature that most interested me was the Phishing Filter. Huh? Could Microsoft, as corporate and mainstream as a tech company can get, be using the jargon term phishing in its flagship Web browser? At first I figured that it must be some sort of internal code name, but no, it's the actual mass-market name of the feature.

This small ripple in the linguistic pool is a reflection not of a newfound coolness on Microsoft's part but of the phishing phenomenon itself, particularly how pervasive it has become and how most folks grasp the theory and seriousness of this vulnerability.

"Phishing" refers to creating a replica of an existing Web page to fool users into submitting personal, financial, or password data to what they think is their bank or a reputable online retailer. The term comes from the fact that Internet scammers use (increasingly sophisticated) lures to "fish" for users' sensitive data. Hackers have an endearing tendency to change the letter "f" to "ph," so "fishing" becomes "phishing." (The f-to-ph transformation is not new among hackers; it first appeared in the late 1960s among the hackers of the telephone system, who called themselves phone phreaks. There are still plenty of these phreaks around today, but often their targets are more modern. A good example is VoIPhreaking, which involves hacking voice-over-Internet-Protocol telephony systems.)

The most common ploy used by phishers is to copy the page code from a major Web site--such as AOL or eBay--and use that code to set up a replica page that appears to be legitimate. (This is why phishing is also called brand spoofing.) Fake e-mail is distributed with a link to this page, which solicits the user's credit card data or password. (If it's the latter, then the page is called a password trap.) When the user submits the form, the data go to the scammer, and the user ends up on an actual page from the company's site, so he or she doesn't suspect a thing.

The easiest way to detect a phishy page is to look at the page address. A legitimate page will have the correct domain--such as aol.com or ebay.com--while a spoofed page will have only something similar--such as aol.whatever.com or blah.com/ebay. However, some phishers employ tricks such as domain spoofing, replacing the lowercase letter "L" with the number "1" or the uppercase letter "O" with the number "0." This is also called homograph spoofing or a look-alike attack. A similar ploy is IDN spoofing, which uses domain name ambiguities in the user's chosen browser language. ("IDN" is short for "international domain names," which refers to domain names written in languages other than English.)

Another good way to detect phishing e-mail is to examine the address of the link that you're supposed to click on. Again, this address will point to an obviously nonlegitimate site. Or will it? Recent phishing attempts have used a technique called DNS cache poisoning, a Domain Name System exploit where a "poisoned" DNS server is configured to redirect surfers from a legitimate site to the scammer's site. Because the switch occurs somewhere in the network between the user's computer and the Internet at large, it can be very hard to spot.

As people become more aware of phishing, they're less likely to fall for obvious ploys such as requests for passwords and credit card data. So the world's dot con artists are revising their schemes to compensate. The latest tool in their nefarious arsenal is spear phishing, which refers to phishing that is targeted at a specific person. This usually consists of sending an e-mail message that has a subject line, body text, and return address that make it appear as though it were sent by someone the recipient knows. For example, you might get a message that appears to come from the head of your IT department, requesting that you visit a particular site to update your password.

Another reason people are less likely to fall for a phishing scam is that big corporations are doing a better job of warning their customers and teaching them how to spot fraudulent requests. Scammers are hip to this, so they're trying a new tactic: targeting smaller companies that might not do as good a job warning their customers. These smaller-scale attacks are called puddle phishing. Phishers are also breaking out of the "fake e-mail and Web site" paradigm and turning to fraudulent phone calls that attempt to con people out of sensitive data such as their credit card's three- or four-digit security number. This is called phone phishing.

So Microsoft is right to include antiphishing technology in Internet Explorer 7, because clearly we need all the help we can get. Maybe the folks there will really get into the spirit of things and hack the company's name, too. Microsopht, perhaps?