419 Scam Named for section 419 of Nigerian law which makes confidence schemes illegal. This is a scam where someone pretends to be a wealthy foreigner who wants help moving a large amount of money overseas. Usually, the scammer requests bank account information to pay for fees supposedly incurred in the large-sum transfer. The large sum transfer never happens and the victim is taken for as much ‘fee’ money as possible.
Anti-virus Software Computer software that attempts to locate, disable and remove from a computer any malicious software (such as viruses and worms). Anti-virus software typically relies on so-called signature files that allows the software to detect malware based on particular code segments that are only present in unwanted programs. Since it is not possible to know what these code segments are before the malware start infecting machines on the Internet (and is analyzed by anti-virus companies), this type of prevention mechanism does not help early on as a new malware version spreads. Some types of anti-virus software also performs so-called behavioral checks to detect yet-unseen strains of malware based on what they are trying to do. This is possible since malware is typically accessing and storing data at computer memory locations that other types of software do not.
Authentication Token A security device carried by an authorized user. The device has a changing value or a secret algorithm that cannot be copied — thus requiring a valid token to be possessed by whomever wants to authenticate. An example of an authentication token is the RSA SecurID token. Also see “second-factor autentication”.
DNS Poisoning A way of forcing users to a malicious site by injecting bad data into a domain name server’s cache in order to change (for users of that server) the destination a domain resolves to. The effect of DNS poisoning is that the conversion from a URL to an IP address fails. For example, instead of translating the address www.americanexpress.com to the IP address corresponding to the actual site of American Express, a server that has been a victim of DNS poisoning will supply the incorrect IP address. The URL that the user types will still be printed in the address bar, and if the content of the fraudulent website to which the translation is done looks the same as that of the legitimate site, then the user will not notice that the attack took place. Moreover, the fraudulent website will be able to harvest all the cookies intended for the legitimate website, which will allow it to impersonate the user’s machine to the real site as well. Also see man-in-the-midddle attacks. DNS poisoning is sometimes referred to as pharming, and can be performed in a large number of ways. One of the recently discovered ways in which an attacker can mount an attack of this sort is by uploading malware to a person’s router (or access point). These are devices that have no inherent protection against malware, but which are very powerful in that all the user’s Internet traffic passes through these machines. Therefore, an infected router can easily cause incorrect IP address information to be returned to an unsuspecting user.
DNS server A server that translates DNS names (such as stop-phishing.com) into an IP address that is actually used for communication on the Internet.
Favicon The small icon displayed next to a URL in the address bar of a browser. Phishers can place a ‘lock’ icon here to pretend the connection is secure, or they can set this icon appropriately to mimic a real site. This means that seeing a lock in the address bar does not automatically mean that the corresponding site is secure.
IP address A set of four numbers from 0-255 separated by periods (.) that are used to identify each computer on a network. (Example: 18.104.22.168). An IP address instead of a Domain Name (like bank.com) can be used in a phishing URL to hide the fact that a given website is not legitimate. In a DNS poisoning or pharming attack, the IP address returned by a DNS server is changed to direct victims to a phisher’s site.
Keyboard logger Also known as ‘keylogger’, a piece of software (or hardware) that records all keys pressed on a computer’s keyboard. Often, keyloggers will report the sequence of keys to an ‘owner’ of the malicious logger. The intent of this is to steal passwords and PINs, but also other confidential information types by the victim user.
Lock icon A small padlock icon displayed by a web browser to indicate that the browser has established a secure connection to the currently loaded website. This suggests to the user that nobody can ‘eavesdrop’ on their communications with the server.
Malware Malicious software such as a virus, worm, trojan horse, or spyware that is installed on a system with harmful or malicious intent. Some malware uses technical vulnerabilities (such as buffer overflow) to attack a machine, whereas other types of malware instead uses social vulnerabilities, i.e., attempts to make the victim willingly install and run the software. To do this, various types of deception is used. Commonly, the user is told that the software has a beneficial purpose, such as a screen saver, an Internet optimizer, or spyware detector. While the malware may perform some of these functions, it also performs other functions, unbeknownst to the victim user.
Man-in-the-middle attack An attack where an attacker relays all messages back and forth between a client and server. During the attack, messagesmay be changed or simply recorded for later use. An example of this attack is where a victim contacts a web server that is controlled by an attacker, thinking that this is his bank. The web server then immediately establishes a connection to the user’s bank. It send any information it receives from the bank to the victim, who thinks he received the information from the bank. Any information sent from the victim to the attacker’s web server is immediately forwarded to the bank, who then thinks it receives the information from the user in question. There is no noticeable delay, so this is not detectable. As the web server sends information back and forth, it may also save all the information it receives. While SSL may help protect against man-in-the-middle attacks, there are also ways by which an attacker can cause two sessions to be started by the victim at the same time, where one of them results in a connection with the bank and the other results in the theft of information sent to the bank. Man-in-the-middle attacks can be performed by malware, whether residing on the victim’s machine, on a router or access point he connects to, or on another machine on the Internet.
Pharming In computer security, this is an attack where an attacker compromises domain name values and redirects many people to the wrong IP for a given domain. Often this is accomplished with DNS poisoning or by modifying the hosts files on peoples’ computers. This is a special case of DNS poisoning, and is often the result of malware infections.
Phishing Tricking someone into giving up private data by masquerading as an authority. This is mostly accomplished using email or instant messages, directing the recipient to a fraudulent website that appears legitimate. Phishing is related to conning, but is taking place at a much grander scale, due to the use of the Internet, and is harder to track back to the criminal.
Phishing IQ test A test where emails are displayed to a participant who is then asked to classify each as fraud or real. Usually these tests are used to illustrate the difficulty of identifying phishing emails. Recent research shows that phishing IQ tests are not measuring susceptibility to phishing very well, but rather, simply measure fear of phishing.
Puddle Phishing A phishing attack targeting the clients of a small financial institution, typically with very limited geographical coverage. Smaller institutions typically have lesser resources to fight phishing attacks than large banks do, and their clients are less accustomed to being targeted. This makes puddle phishing often more successful for the phisher.
SSL Post A form submission that originates from an unencrypted ‘http’ page but posts to an encrypted page (https). Encryption only occurs in this case after the submission button is pressed. Some phishers try to make it appear that the sites they manage (and which impersonate legitimate brands) perform SSL posts, whereas they do not. It is difficult for typical users to determine whether a given webpage will perform an SSL post or not, which makes SSL posts less secure than traditional SSL connections.
Screen scraper Software that analyzes the graphics displayed on a computer screen and translates displayed images into text. This is often used to steal information from users, in particular in a user uses an on-screen keypad to enter a PIN.
Second Factor Authentication Second factor authentication demands more than just a password from a user logging in. It could be something he or she knows, something he or she has, or something he or she is. Examples of these three possibilities are: knowing one’s mother’s maiden name; to have a device that displays frequently changing passwords only known by the service provider and the person with the device; and use of a thumbprint to provide evidence of identity. There are many other forms of second factors, but not all are equally secure. Recent banking regulation demands that banks use some form of second factor authentication, but do not specify what type.
Secure Sockets Layer (SSL) A communication protocol developed by Netscape that is used to establish cryptographically secure communications between a client (usually a web browser) and server. This protects against data from being stolen by eavesdroppers. Additionally, when a web browser starts an SSL session, a small lock is displayed in the frame of the browser. However, phishers know that it can be hard to know exactly where the lock should be placed, and even though phishers cannot easily place locks in the browser frame, it is trivial to place lock images in the content portion of the webpage. Many people do not notice the difference.
Signature-based malware detection A method of detecting malware that identifies malware by analyzing behavior of software, configuration and software patterns. See malware.
Spear phishing This attack is to phishing what targeted advertising is to advertising. Namely, in spear phishing, the attacker infers or manipulates the context of his intended victim, and then “personalizes” his attack. It is possible for attackers to learn information about the victim in many ways, and it is difficult to know when this has taken place. This makes spear phishing very dangerous.
Spoofed email Assuming the identity of another person while sending email; often used to disguise the actual sender of a message. It is trivial to spoof an email, and it can be done to make the email appear to come from anywhere, whether it is your best friend, your system administrator, your bank, or whitehouse.gov.
Spyware Malware installed on a computer that covertly gathers information about the computer’s user.
Subdomain A subdivision of a master domain, e.g. ‘cs’ in cs.indiana.edu and ‘informatics’ in informatics.indiana.edu
Synthetic identity fraud Posing as someone using identity that is completely fabricated — making up a new identity and assuming it. While not commonly in the news, this is one of the predominant types of fraud.
Yield (phishing) The percentage of targets in a scam that fall victim. If email asking for credit card details is sent to 100 people and 2 of them respond, the yield is 2%. Phishers, of course, hope for a high yield. It is not known exactly what the yield of phishing attacks are, but researchers and security specialists believe that it is in the range of a few percent, but believe that the increased use of spear phishing can increase the yield well above 20%. Given that phishers target huge numbers of potential victims at the same time, even a yield of just a few percent create a sufficient profit for the phishers to be attracted to committing this crime again and again.