Overview[1]#
Phishing (Spear-Phishing) is a Social Engineering Attack to obtain data, including Sensitive Data such as usernames, passwords, and Payment Card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in a Telecommunications channel like Email. Phishing is an example of a Social Engineering Attack used to deceive users, and it exploits weaknesses in current Website security.
Phishing typically directs users to enter personal data at a fake website, the look and feel of which are almost identical to the legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that are infected with malware.
Phishing may involve use of an HTML link to a Malicious Website which then deploys Malicious Software.
Phishing may use Punycode so HTML links appear to belong to a reputable Organizational Entity.
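A defender-side check for the Punycode lure described above, added here as an example and not part of the original wiki page: it decodes xn-- labels in the hosts of email links, flags hosts that mix scripts, and maps a constructed subset of Unicode confusables onto an assumed list of protected brand domains to spot homographs.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed subset of the Unicode confusables table: Cyrillic and Greek
# letters that render like Latin ones. The real table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}
# Assumed list of domains the organisation wants to protect.
PROTECTED = {"paypal.com", "apple.com"}

def decode_host(host: str) -> str:
    """Turn Punycode (xn--) labels back into the Unicode the user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode or a malformed label: inspect as-is

def skeleton(label: str) -> str:
    """Map each character to the Latin letter it visually resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def scripts(label: str) -> set:
    """Rough script set derived from Unicode character names (e.g. LATIN, CYRILLIC)."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}

def check_link(url: str, protected: set) -> list:
    """Return human-readable findings for one URL; empty list means nothing suspicious."""
    host = urlparse(url).hostname or ""
    shown = decode_host(host)
    findings = []
    if shown != host:
        findings.append(f"punycode host renders as {shown!r}")
    if len(scripts(shown)) > 1:
        findings.append("mixed scripts in host")
    if shown != skeleton(shown) and skeleton(shown) in protected:
        findings.append(f"homograph of protected domain {skeleton(shown)!r}")
    return findings

def scan_html(html: str, protected: set) -> dict:
    """Map every href in an email body to its findings, keeping only flagged links."""
    links = re.findall(r'href="([^"]+)"', html)
    return {u: f for u in links if (f := check_link(u, protected))}

# Constructed sample: a lure whose host is "paypal.com" with a Cyrillic first "a",
# encoded to Punycode the way a mail client would receive it, beside a real link.
LURE = "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/login"
SAMPLE_HTML = f'<p>Verify your account: <a href="{LURE}">paypal.com</a></p>' \
              '<p>Help: <a href="https://www.paypal.com/">PayPal</a></p>'

if __name__ == "__main__":
    for url, findings in scan_html(SAMPLE_HTML, PROTECTED).items():
        print(url, "->", "; ".join(findings))
```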
Phishing Attacks#
More than 2/3 of the incidents in 2015 involved Phishing (Verizon Data Breach Investigations Report). One-Time passwords and other Multi-Factor Authentication help protect against your account being used to perform Phishing, but not against you being the subject of Phishing.
Phishing leads to other Attacks#
Phishing is often just the entry point to more attacks. For example, to perform attacks such as pass-the-hash or pass-the-ticket, the attacker first needs a user's credentials to get in the door.
Phishing Example#
One trick that attackers use frequently is called CEO Fraud. CEO Fraud involves a scam in which cybercriminals impersonate executives in order to fool an employee into executing unauthorized wire transfers or sending out confidential Sensitive Data. A sense of urgency is usually employed, pressuring the victim to act before thinking. According to FBI statistics, CEO fraud is now a $12 billion scam.
More Information#
There might be more information for this subject on one of the following:
- 3D Secure
- Acr_values
- Attack
- Authentication Context Class Values
- DNS cache poisoning
- Domain-based Message Authentication, Reporting & Conformance
- DomainKeys Identified Mail
- FAPI Read Write API Security Profile
- FIDO2
- IDN homograph attack
- Impersonation-resistant
- Internationalized Resource Identifiers
- Password Anti-Pattern
- Public Key Infrastructure Weaknesses
- Punycode
- QUANTUM
- SIM Swap
- Sender Policy Framework
- Smishing
- Social Engineering Attack
- Spear-Phishing
- Tailgating
- Threat Model
- Unvalidated redirects and forwards
- Verizon Data Breach Investigations Report
- Vishing
- Web Authentication API