Santosh Kolisetty
Venkata Ravi kotha

---

[attachment=11154]
Abstract:
In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL. Phishing generally requires the fake website but, not all phishing attacks require a fake website .The term phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.
What is Phishing?
In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures. The first recorded mention of phishing is on the alt.online-service.america-online Usenet newsgroup on January 2, 1996. The term phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
Early phishing on AOL:-
Those who would later phish on AOL during the 1990s originally used fake, algorithmically generated credit card numbers to create accounts on AOL, which could last weeks or even months. After AOL brought in measures in late 1995 to prevent this, early AOL crackers resorted to phishing for legitimate accounts. Phishing on AOL was closely associated with the warez community that exchanged pirated software. A phisher might pose as an AOL staff member and send an instant message to a potential victim, asking him to reveal his password. In order to lure the victim into giving up sensitive information the message might include text such as "verify your account" or "confirm billing information". Once the victim had submitted his password, the attacker could access and use the victim's account for criminal purposes, such as spamming. Both phishing and ware zing on AOL generally required custom-written programs, such as AOHell. Password or billing information"
Types of Phishing:-
Website forgery
Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL. In another popular method of phishing, an attacker uses a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the page link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal. A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple to use interface that allows a phisher to convincingly reproduce any website and capture any log in details entered at the fake site. The below is the webpage of Yahoo services and Google services
that has been made forgery.
Phone phishing
Not all phishing attacks require a fake website. In an incident in 2006, messages that claimed to be from a bank told users to dial a phone number regarding a problem with their bank account. Once the phone number (owned by the phisher, and provided by a Voice over IP provider) was dialed, prompts told users to enter their account numbers and PIN. “Fear is the #1 tactic “this is problem observed cell phones