Phishing

Phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a malicious link in a
seemingly legitimate email than to break through a computer's defenses. Although some phishing emails
are poorly written and clearly fake, sophisticated cybercriminals employ the techniques of professional marketers
to identify the most effective types of messages: the phishing "hooks" that get the highest "open" or click-through
rate and the Facebook posts that generate the most likes. Phishing campaigns are often built around the
year's major events, holidays and anniversaries, or take advantage of breaking news stories, both true and
fictitious.
Bangladesh is one of the world's largest producers of fish; but lately, its government has also become an
inadvertent exporter of phish. Over the past week, several phishing sites have popped up on Bangladeshi
government websites, under the .gov.bd second-level domain. These fraudulent sites have been used in phishing
attacks against customers of Wells Fargo bank, Google, AOL, and other email providers. Domain name
registrations under .gov.bd are restricted to government-related entities in Bangladesh, although it is unlikely that
the government is directly responsible for these attacks. As with most phishing sites, the fraudulent content has
probably been placed on these government sites by remote hackers; nonetheless, this would make the Bangladesh
government at least responsible for poor security.
The vast majority of websites under .gov.bd are hosted within Bangladesh, but the apparently compromised server
involved in these attacks is one of a few that are hosted in the United Kingdom, on a static IP address used by the
hosting company Nibs. No Bangladeshi servers are currently serving phishing sites from .gov.bd domains.
After more than a week since this spate of phishing attacks started appearing on UK-hosted .gov.bd sites, none of
the fraudulent content has been removed. The presence of multiple live phishing sites on the affected server, and
the fact that the previous compromises have not yet been cleaned up, suggests that whatever security
vulnerabilities might have affected the server are yet to be resolved.
Avoiding Phishing Scams
Phishing Scams (that promise money, gifts, or prizes):
Different types of scams promise incredible financial or other rewards in exchange for just a few small
things you have to do, which include turning over your personal information to an identity thief.
There are two types of scams:
1) Advance fee fraud scams.
2) Stock tips in e-mail and text messages.

Advance fee fraud scams:

Advance fee fraud is a scam that hooks you with the false guarantee of large sums of money in return for
little or no effort on your part. After you're deeply involved in the scam, you're asked to pay certain
amounts of money to accelerate the process. You end up making nothing, losing your money, and perhaps turning
over your personal information to fraudsters.
Here are a few examples of the most popular advance fee frauds:
A foreign government official would like your assistance in transferring funds and will pay you a hefty
commission if you agree.
You stand to inherit millions of dollars from a relative you don't remember.
You've won a prize or a lottery (perhaps one from a foreign country) that you don't remember entering.
Stock tips in e-mail and text messages:
The pump-and-dump stock scam is a common form of spam these days. Spammers send 100 million of these email messages per week.
How pump-and-dump scams work:
Scammers buy stock in a small company, often with stock prices of only a few dollars per share. Then they send
out millions of e-mail or text messages across the globe to encourage recipients to buy that stock. These messages
can even be disguised as confidential information that was sent to the recipient by mistake.
When enough people buy the stock, the price of the stock goes up. When the price is high enough, the spammers
sell their shares. The price goes back down, and people who purchased the stock as a result of the tip suffer.
It can be difficult to find out who's behind pump-and-dump e-mail scams. That's because spammers can take
control of large numbers of computers and turn them into zombies that work together as powerful 'botnets' to
send the spam messages out.

International Context on Phishing

Brazil is high up on the list of countries in the world where companies are most targeted by phishing attacks,
according to a study released today.
According to the RSA online fraud report, Brazil shares the fourth place with Australia as a top country by
attacked companies, with four percent of phishing volume.

The other countries on the top five list are India, with seven percent of all incidents, followed by the UK (10
percent) and the US (29 percent).
According to the report, 571 brands have been attacked in Brazil during the period between March and April with
260 and 311 companies attacked each month respectively, reflecting a 20 percent monthly increase.
In terms of the cost associated with these attacks, a separate report by Symantec and the Ponemon Institute released
last month suggests that the maximum cost of such an incident in Brazil in 2012 was R$9.74 million ($4.53 million) and
the minimum expense was R$230,000 ($108,000).
Government websites and databases in Brazil have also been under attack in the last few months: in March,
an underground marketplace where passwords to the Brazilian Public Security database (Infoseg) were sold for
R$2,000 ($931) was uncovered by Brazilian TV channel SBT.
Infoseg contains millions of citizen records, with information ranging from prison mandates to firearm ownership
and vehicle registration data. After the scheme was made public and the government pledged that the data
leakages would end, rumor has it that the fees charged by the criminals are even higher nowadays, with financial
transactions taking place via digital payment tools to minimize any clues left by the crackers.
Once your personal details have been accessed, criminals can then record this information and use it to commit
fraud crimes such as identity theft and bank fraud.

Phishing messages generally try to convince the recipient that they are from a trusted source. Spear-phishing
is a technique whereby criminals use personal information to earn trust and lower the intended victim's defenses,
increasing the chances they may open attachments or embedded links.
Criminals have stepped up their activity by targeting business users, claiming that they have specific
knowledge of the business. These may be business-critical issues: customer feedback, requests for information,
staffing or legal notices.

Case:
The name of the scam comes from the original form of this scam, which consisted of emails outlining a situation
in Nigeria that required a massive transfer of money from that country into the United States for safety. For
assisting with the money transfer, the recipient of the email is promised a percentage of the transfer amount,
usually totaling hundreds of thousands of dollars to a few million.
Once this scam became widely known, it immediately evolved and continues to evolve even today. It now takes a
very wide variety of forms, including the elderly sick person looking to transfer their entire estate into your bank
account.

Then there is the young woman in danger who is seeking a savior to help her, and of course she has a very
large sum of money to offer as a reward. Here is an email from Miss Diana of West Africa, who has a DC worth
$5.9 million, and is seeking to escape her country and live in the United States.

The scammers put together storylines and plots that appeal to the basic human emotions of greed, goodwill and
love. In many cases they reference God in some way in an effort to appeal to western Christian
values. In the end, the many variations of the Nigerian scam end in only one place if you offer up any of your
contact information or, even worse, your bank account information: an empty bank account.

Legal Actions
In the United States, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The
federal anti-phishing bill proposes that criminals who create fake web sites and spam bogus emails in order to
defraud consumers could receive a fine of up to $250,000 and jail terms of up to five years. The UK has
strengthened the legal arsenal against phishing with the Fraud Act 2006, which introduces a general offence of
fraud that can carry up to a ten-year sentence, and prohibits writing or possessing phishing kits with intent to
commit fraud.
Companies have also joined the effort to crack down on phishing. On March 31, 2005, Microsoft filed 117 federal
lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse John Doe
defendants of using various methods to obtain passwords and confidential information. March 2005 also saw
Microsoft partner with the Australian government to teach law enforcement officials how to combat various cyber
crimes, including phishing. Microsoft announced a planned further 100 lawsuits outside the U.S. in March 2006,
followed by the commencement, as of November 2006, of 129 lawsuits mixing criminal and civil actions.
