Recently, the webmail industry experienced what was believed to be a phishing incident where several thousands of credentials from Gmail, Yahoo and Hotmail accounts were exposed on a third-party site.
For those who are wondering exactly what phishing is, and how it relates to general spam: phishing is a criminally fraudulent attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy person or institution in e-mail or on a website. These credentials are used for identity theft, financial transactions and other potentially harmful activities. While “spam” refers to being targeted with unwanted emails in general (eg the common “Viagra ads”), phishing refers to attempts to obtain your webmail credentials and other identity with fraudulent intent. And unfortunately, it isn't anything new. If you want to get a bit more background on the subject have a look at this interview we conducted with online security expert James Turner.
Thanks to coordinated efforts across the tech industry, and partnerships between industry players who are a part of the Anti-Phishing working group, over the years most web services, users and other applications have become smarter at spotting tricks like link manipulation, phone phishing, and forged websites. Cybercriminals have adapted to improved vigilance by focusing on the consumers as easier targets than battling technology.
Unfortunately, even technologically unsophisticated attacks can be successful because people traditionally underestimate the value of their online identities, and the gates that this information can open.
In most cases, this type of phishing attack is carried out by sending a simple e-mail that appears to be from someone you know. It might appear to be from the customer support department of Hotmail or another webmail provider, or it may even appear to come from a friend of yours (most likely, the message went to their entire contact list) and asks you to provide the credentials for your webmail service or it instructs you to click a link. Probably every one of us has seen an attack like this by now, so in the next piece of our phishing special we're going to have a look at some of the most common types of attacks.
Krish Vitaldevara is a member of the Windows Live Hotmail team and a contributor to Windows Live Wire.
Home