PC Knowledge Base - Phishing Defined

Good Knowledge Is Good2Use

Phishing, also known as 'brand spoofing,' is a variation on the word fishing. The idea is that bait is thrown out in the hope that a user will grab it and bite. In most cases, the bait is either an e-mail or an instant messaging site, which takes the user to hostile websites. Phishing changed with malware: bait such as an open site that is not secure will be compromised and have hostile code installed on it, so that it can attack a machine and steal information.

In a general sense, someone sends the user an e-mail that looks like it is from the user's bank:

'This is so-and-so bank. We have a problem with your security. We need you to log in to reset your security settings.'

The user is not really at the bank's website, but at a fake, hostile website that is asking for the user's information.

Phishers mainly use three web attack methods, with minor variations. The three attack methods are called impersonate, forward, and popup. This does not include malware.

Impersonate

First is the impersonation of a respected company. It targets the company's reputation and weakens customer confidence, because the customer does not know whether they are dealing with real bankers or a phishing banker, especially when banks themselves send out e-mails, which gives mixed messages. It is fraud: trust is misplaced in order to gain customer accounts. In most cases identity theft results, where a user's identity has been stolen, whether it is a credit card, social security number or driver's licence.

When phishers set up a website, they link to the target's images so that the images really come from the target. This looks real because it is real: these are X bank's own images. Sometimes phishers mirror the images to a phishing server instead, to prevent the target site from removing them. A mirrored copy looks real but can become outdated when the target site updates its website.
Many scam kits include all the pictures, and sometimes the font sizes differ from the real site because the scam kit is six months old. Phishing web pages link to the target server's web page.
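
From the target site's side, the linked images described above leave a trace: every victim's browser requests them from the real server with a Referer pointing at the phishing page. The following Python code is an added example, not part of the original article; the hostnames, the sample log lines and the function name are constructed for illustration, and the access log is assumed to be in the Apache/nginx "combined" format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the site's own hostnames (placeholder domain, not a real bank).
OWN_HOSTS = {"www.xbank.example", "xbank.example"}
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".svg", ".ico")

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: own page, look-alike host (twice), no Referer, non-image.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2005:10:01:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "https://www.xbank.example/login" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2005:10:02:10 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://www.xbank.example.login-update.test/secure/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2005:10:02:11 +0000] "GET /img/padlock.png?v=2 HTTP/1.1" 200 512 "http://www.xbank.example.login-update.test/secure/" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2005:10:03:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.44 - - [10/Mar/2005:10:04:00 +0000] "GET /login HTTP/1.1" 200 900 "http://www.xbank.example.login-update.test/secure/" "Mozilla/5.0"
""".splitlines()


def offsite_image_referers(lines, own_hosts=OWN_HOSTS):
    """Map each foreign Referer host to the image paths it embeds and the client IPs seen."""
    hits = defaultdict(lambda: {"paths": set(), "clients": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m["path"]).path.lower()  # drops any query string
        if not path.endswith(IMAGE_EXT):
            continue  # only image requests are of interest here
        # Exact host comparison: a look-alike such as
        # "www.xbank.example.login-update.test" must not pass as our own host.
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # no Referer ("-") or one of our own pages
        hits[host]["paths"].add(path)
        hits[host]["clients"].add(m["ip"])
    return dict(hits)


if __name__ == "__main__":
    for host, info in offsite_image_referers(SAMPLE_LOG).items():
        print(host, sorted(info["paths"]), sorted(info["clients"]))
```

The result is a review list rather than a verdict, since partner sites and webmail clients can also embed a site's images; the client IPs recorded per host are the users who may need to be contacted.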

Many times phishers create a man-in-the-middle POST. This logs the user into the real site, so the user is at the fake PayPal site only for a second. Because the user is logged into the real site afterwards, victim detection is prevented after they disclose their information. The victim will not notice that this was a phishing site, because they are logged back into the PayPal site, but their credentials have been stolen.

The phishing flow works as follows:

Forward Attack

The forward attack is more sophisticated. This happened to Amazon and eBay and to some banks in 2004 and 2005. Typically the phishers collect the data via the phishing e-mail itself. It is not as effective because the victim's anti-virus software may pick up some of that code. Also it is not as effective because, depending on the e-mail client, it may not parcel that data that a person used in the mail until the information is sent.
The e-mail has all the logos and an actual 'Submit' button in it, so the login and the password fields are within the e-mail.

Then the site collects the data. It performs a meta-refresh to the target, which is an HTTP redirect. Once the victim has logged in, it takes the user back to the real site. But a lot of times it will also perform a man-in-the-middle POST to log in, so that it can prevent victim detection.
When the user logs in, he is taken to the real site, where he is logged in as well. This attack has been seen more frequently with e-commerce, like the auction type setup, because a lot of those people are used to getting e-mails with search engines and other such things.

Popup Attack

The popup is a more creative attack. It was first seen in 2003. It was one of the first phishing attacks.
Hackers figured out how to get around a lot of popup blockers. They put the legitimate site, such as www.xbank.com, in the background, and then place a hostile popup in front of it that asks for the login credentials. The 'real' site gives the popup credibility and prevents victim detection, because the user cannot tell that the hostile popup is not valid.
The user is quickly redirected to the real site, including the hostile popup. Then it will perform the man-in-the-middle POST login.

Technically, with the hostile popup it is a visual man-in-the-middle and it mirrors the links and the images for credibility. Once the user signs in to that popup program, it just says, thank you for submitting your credentials.





© Copyright 1998-1999 GOOD2USE