Phishing Web Site Methods
The fraudulent web site that supports the phishing email is designed to mirror the legitimate web site it purports to be. The fraudsters use multiple methods to do this, including using genuine-looking images and text, disguising the URL in the address bar, or removing the address bar altogether. The purpose of the web site is to trick consumers into thinking they are at the company's genuine web site, and into giving their personal information to the trusted company they think they are dealing with.
1. Genuine Looking Content
Phishing web sites use copied images and text, and in some cases simply mirror the legitimate web site. The copy contains the normal links found on the web site, such as contact us, privacy, products and services. The user recognizes the content from the genuine site and is unaware that they are not on the genuine web site.
2. Similar looking URL to Genuine URL
Some phishing web sites register a domain name similar to that of the organization they claim to be from. For example, one phishing scam we received targeting Barclays Bank used the domain name “http://www.barclayze.co.uk”. Other examples use a sub-domain, such as “http://www.barclays.validation.co.uk”, where the actual domain is “validation.co.uk”, which is not related to Barclays Bank.
3. Form - Collection of Information
The most common method used to collect information in phishing scams is by the use of forms on the fake web site. The form is normally displayed in the same format as that used on the genuine web site. This may be an Internet Banking log-in, or a more detailed form for verification of personal details, with many fields for personally sensitive information.
4. Incorrect URL, not disguised
Some phishing scam web sites do not even attempt to deceive users with their URL, and rely on the user not noticing. Some simply use IP addresses, displayed as numbers in the user's address bar.
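The URL patterns described in sections 2 and 4 can be checked mechanically, for example in a mail filter or proxy. The following is an added example, not code from the original page; the genuine domain "barclays.co.uk", the brand string and the three-entry suffix set are assumptions made for illustration (real code should load the full Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small constructed suffix set standing in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def registrable_domain(host):
    """Return the domain the owner actually registered, e.g. validation.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, genuine="barclays.co.uk", brand="barclays"):
    """Classify a link against the (assumed) genuine domain and brand name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"            # section 4: bare IP address, no disguise
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg == genuine:
        return "genuine"
    labels = host.split(".")
    sub_labels = labels[: len(labels) - len(reg.split("."))]
    if brand in sub_labels:
        return "brand-in-subdomain"    # section 2: barclays.validation.co.uk
    if edit_distance(reg.split(".")[0], brand) <= 2:
        return "lookalike-domain"      # section 2: barclayze.co.uk
    return "unrelated"

if __name__ == "__main__":
    for u in ("http://www.barclayze.co.uk",
              "http://www.barclays.validation.co.uk",
              "http://192.0.2.10/login"):   # constructed IP example
        print(u, "->", classify(u))
```

The key step is comparing the registrable domain rather than searching the whole host name for the brand, since the brand appearing in a sub-domain label says nothing about who owns the site.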
5. URL Spoofing of Address Bar (Fake)
This form of URL spoofing involves the removal of the address bar combined with the use of scripts to build a fake address bar using images and text. The link in the phishing email opens a new browser window, which closes and re-opens without the address bar, and in some cases without the status bar. The new window uses HTML, HTA and JavaScript commands to construct a false address bar in place of the original. (See figure 1 below)
As this method utilizes scripts, it is only possible to stop this form of deception by disabling ActiveX and JavaScript in browser settings. As most web pages utilize these normal tools, this is impractical.

6. Hovering Text Box over Address Bar
This form of URL spoofing involves the placement of a text object with a white background over the URL in the address bar. The text object contains the fake URL, which covers the genuine URL.
As this method utilizes scripts, it is only possible to stop this form of deception by disabling ActiveX and JavaScript in browser settings. As most web pages utilize these normal tools, this is impractical.


7. Pop Up Windows
This form of deception involves the use of scripts to open a genuine webpage in the background while a bare pop-up window (without address bar, tool bars, status bar and scrollbars) is opened in the foreground to display the fake webpage, in an attempt to mislead the user into thinking it is directly associated with the genuine page. (See figure 6 below)
As this method utilizes scripts, it is only possible to stop this form of deception by disabling ActiveX and JavaScript in browser settings. As most web pages utilize these normal tools, this is impractical.
8. Trojans / Spyware
Trojan and worm viruses are sent to the user as an email attachment, purporting to serve some purpose, such as greetings, important files or another type of spam email. The attachment is a program that exploits vulnerabilities in Internet browsing software to force a download from another computer on the Internet. This file downloads other files and code, which eventually install a fully functional Trojan virus.
The Trojan is designed to harvest, or search for, personal banking information and passwords, which many people keep on their computer. This information is then sent to a remote computer on the Internet.
Other worms have been known to hijack the user's hosts file, which causes an automatic redirection to a fake phishing web site when the user types a specific URL (normally for a specific financial institution) into the address bar of their Internet browser.
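A hosts file hijack of the kind just described can be detected by checking whether any watched institution name has been pinned to an address in the file, since those names should normally be resolved through DNS. This is an added example, not part of the original page; the watched domain "bank.example" and the sample file contents are constructed for illustration.

```python
import ipaddress

def suspicious_hosts_entries(text, watched):
    """Return (hostname, ip) pairs where a watched domain, or any
    sub-domain of it, is mapped to an address in hosts-file text."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not a valid mapping line
        for name in fields[1:]:                # one address may carry several names
            n = name.lower().rstrip(".")
            if any(n == w or n.endswith("." + w) for w in watched):
                findings.append((n, str(ip)))
    return findings

# Constructed sample of a tampered hosts file (normally /etc/hosts, or
# %SystemRoot%\System32\drivers\etc\hosts on Windows).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost
# entry below was not added by the user
192.0.2.45   www.bank.example  bank.example
203.0.113.7  intranet.corp.example
"""

WATCHED = {"bank.example"}   # assumption: domains the defender wants to protect

if __name__ == "__main__":
    for name, ip in suspicious_hosts_entries(SAMPLE_HOSTS, WATCHED):
        print(f"hosts file overrides DNS for {name} -> {ip}")
```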
Spyware, such as a keyboard logger, captures information entered at legitimate web sites, such as Internet banking sites. This type of spyware can be planted on a user's computer by a previous worm or Trojan infection. Any information the spyware captures is sent to a predetermined computer on the Internet.
A recent phishing scam used the link in the email to direct the user's browser to a site that first downloaded keyboard logging spyware before redirecting the user to the genuine Internet banking web site. This spyware captured the login information entered, and sent this information to the fraudsters via a remote computer on the Internet.



