What is Phishing in Web Security

October 25, 2017 Author: rajesh

Phishing is a luring technique used by attackers (phishers) to obtain the personal details of unsuspecting users. It is a form of identity theft in which a malicious web site impersonates a legitimate one in order to acquire sensitive information such as passwords, account details, or credit card numbers. Although there are several anti-phishing tools and techniques for detecting potential phishing attempts in emails and phishing content on websites, phishers keep devising new and hybrid techniques to circumvent them. This section provides a detailed study of online phishing and its deployment techniques.



Phishing: General Description

Nowadays attacks have become a major issue in networks. Attackers intrude into the network infrastructure and collect the information needed to exploit its weaknesses, so security measures are needed to protect data from such attacks. Attacks may be either active or passive; one type of passive attack is phishing. Phishing is a continual threat and is especially widespread on social media such as Facebook and Twitter. Phishing emails contain a link to a malicious website, to which the user is directed and asked to enter personal information; the website then captures whatever the user enters. The phishing email is sent to a large number of people, and the phisher counts the percentage of recipients who read the email and entered their information. It is very difficult for a user to tell whether they are visiting the genuine site or a malicious one. Phishing is also known as brand spoofing or carding. As a result, researchers are attempting to reduce the risk and the vulnerabilities.




Phishing is a deception technique that combines social engineering and technology to gather sensitive and personal information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. It makes use of spoofed emails that are made to look authentic and purport to come from legitimate sources such as financial institutions or e-commerce sites, in order to lure users into visiting fraudulent websites through links provided in the phishing email. The fraudulent websites are designed to mimic the look of the real company's web page. Figure 1 illustrates an example of Facebook URL phishing.

Figure 1: Example of Facebook Phishing

Take Facebook as an example: the attacker creates a page that looks exactly like the Facebook login page but hosts it at a different URL, such as fakebook.com or faecbook.com, or any URL that pretends to be legitimate. When users land on such a page, they may believe it is the real Facebook login page and enter their username and password. Those who do not find the fake login page suspicious will submit their credentials, which are sent to the attacker who created the page, while the victim is simultaneously redirected to the genuine Facebook page.



Phishing Websites

There are many definitions of a phishing website, and we want to be careful how we define the term, since it is constantly evolving. One of these definitions comes from the Anti-Phishing Working Group (APWG): "Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials". Typically a phishing attack combines fraudulent emails, spoofed websites, and identity theft. Internet users and customers of many banks and financial institutions are the targets of phishing attacks.

Nevertheless, there are many definitions of a phishing website from different perspectives. Below we mention some of them to gain a better understanding of its features and attack tactics.

Phishing websites use a number of different techniques to hide the fact that they are not authentic, including overwriting or disguising the true URL shown in the browser, overlaying the genuine web site with a crafted pop-up window, drawing fake padlock images on top of the browser window to give the impression that SSL is enabled, and registering SSL certificates for domain names similar to the real organization's. In practice, these tricks make it extremely difficult for the average user to distinguish a phishing site from a genuine one.
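A defender-side check for the look-alike domains in the Facebook example above (fakebook.com, faecbook.com) and for the similar-domain certificates listed here, as an added example that is not part of the original article; the brand list, the two-label registrable-domain rule and the edit-distance threshold are assumptions:

```python
from urllib.parse import urlparse

# Constructed sample brand list; a real deployment would use the organisation's own domains.
BRAND_DOMAINS = {"facebook.com", "paypal.com"}

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: counts
    insertions, deletions, substitutions and adjacent transpositions,
    so 'faecbook' is one edit away from 'facebook'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname; tolerate URLs written without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def classify(url: str, brands=BRAND_DOMAINS, max_edits: int = 2) -> str:
    """Return 'legitimate', 'lookalike', 'brand-in-name' or 'unrelated'.
    Assumption: the registrable domain is the last two labels of the host
    (multi-label public suffixes such as co.uk are ignored here)."""
    host = hostname_of(url)
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    if registrable in brands:
        return "legitimate"          # e.g. m.facebook.com
    name = registrable.split(".")[0]  # label left of the TLD
    for brand in brands:
        brand_name = brand.split(".")[0]
        if edit_distance(name, brand_name) <= max_edits:
            return "lookalike"       # fakebook.com, faecbook.com, facebook.co
        if brand_name in host:
            return "brand-in-name"   # login.facebook.com.example.net
    return "unrelated"
```

Run `classify` over the URLs extracted from incoming mail or proxy logs; anything other than "legitimate" or "unrelated" is worth a closer look before a user follows it.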

Figure 2: Phishing Websites

References

[1] Engin Kirda and Christopher Kruegel (2005), "Protecting Users Against Phishing Attacks with AntiPhish", Computer Software and Applications Conference (COMPSAC 2005), 29th Annual International, Volume 1.

[2] APWG (2005), Phishing Activity Trends Report, available online at: http://antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf.

[3] Gundel, T. (2005), Phishing and Internet Banking Security, Technical Security Report, IBM Crypto Competence Center.
