Phishing and fraud have become the most serious threats on the Internet. The online shopping safety report published online by Kingsoft Internet Security Center in 2010 found that more than 100 million users in China alone had encountered online shopping traps, and the resulting direct economic losses exceeded 150 billion RMB; the number of Internet users in China only just exceeded 400 million in 2011. Fighting phishing in such a harsh environment is therefore particularly important.
Many owners of sites that are imitated feel they are not to blame for phishing: “Phishing sites imitate my page not because my website is vulnerable; users are fooled, because they are fools.”
In many cases, the existence of phishing sites is indeed not the fault of the imitated website. But the problem is already here: complaining is in vain, and in the end it is the users who are harmed. The site can therefore take the initiative and assume as much responsibility as possible for dealing with phishing.
In Internet security, phishing remains a difficult issue to address because it exploits human weaknesses: phishing sites disguise themselves as authentic sites and lure people to the attack site. Because phishing is not a technical problem, it is difficult to deal with at a technical level.
Like "horse hanging" (planting Trojans on web pages), phishing has become an industry with a clear division of labor: some people produce the sites, some sell them, some spread them through e-mail or IM, and some launder the money from the bank.
According to the statistics of the Anti-Phishing Alliance of China, phishing concentrates mainly on online shopping, online banking, and other similar commercial online ventures.
The online payment industry gives fraudsters an opportunity to trick users out of money; hence, it is the hardest hit by phishing. Taobao is China’s largest e-commerce site, accounting for half of China’s online shopping market, and many phishing sites imitate Taobao for this reason. According to the statistics of the Anti-Phishing Alliance of China for April 2011, the majority of phishing sites are based on Taobao.
Many phishing websites imitate the log-in form of an authentic site to trick users into giving up their passwords. However, as cybercrime has diversified, many phishing sites have begun to imitate pages other than the log-in page, and their goal is no longer just to obtain a password. Such fraudulent websites can still be considered phishing sites because their basic technique is to imitate the pages of a target website.
URL of a phishing site imitating Taobao:
http://item.taobao-com-ite.cz.cc/member/login.jhtml_f_top.Asp?u=admin
Phishing sites tend to use deceptive domain names and deformed text to trick users.
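A site owner or a mail/IM gateway can test links for this pattern automatically. The Python code below is an added example, not code from the original text: the allowlist, the brand token list, and the look-alike table are assumptions, and every sample URL except the host quoted above is constructed.

```python
from urllib.parse import urlsplit

# Assumption: the domains the brand really serves from (illustrative allowlist).
OFFICIAL_DOMAINS = {"taobao.com"}
# Assumption: brand keywords worth protecting, derived from the allowlist.
BRAND_TOKENS = {"taobao"}
# Assumption: a small table of look-alike substitutions ("deformed text").
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname_of(url):
    """Return the lower-cased hostname of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_official(host):
    """True only if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def brand_hits(host):
    """Brand tokens found in any dot- or hyphen-separated part of host."""
    parts = host.translate(LOOKALIKES).replace("-", ".").split(".")
    return sorted(t for t in BRAND_TOKENS if any(t in p for p in parts))


def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a URL."""
    host = hostname_of(url)
    if is_official(host):
        return "official"
    return "lookalike" if brand_hits(host) else "unrelated"


# Constructed sample input; the second host is the one quoted on this page.
SAMPLES = [
    "https://login.taobao.com/member/login.jhtml",
    "http://item.taobao-com-ite.cz.cc/",
    "http://www.ta0bao.example/login",
    "http://taobao.com.example.net/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):10} {url}")
```

The decision rests on the suffix match against the allowlist, not on whether the brand name appears somewhere in the host, which is exactly what the quoted URL relies on users overlooking.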
An inexperienced user may not be able to tell an authentic site from a phishing site, and sometimes even avid Internet users are fooled because of carelessness. In many of the stolen-account cases involving phishing sites that we have come into contact with, users stressed that they could distinguish phishing sites, but the truth is that a user is often not aware of when they were navigated away to a phishing site.
Phishing sites leave traces along their route of transmission. Cheats always want to fool more people, and they also have target customers. For example, if they want to trick users into buying game cards, they may advertise on an online gaming site. IM and e-mail are also used for phishing. Taobao Want, the IM used in Taobao shopping, is also contaminated with phishing sites that imitate Taobao pages. On QQ, many phishing sites use QQ to spread fake ppaid.com and tenpay.com loan links. This trend is not absolute, however; it depends on the specific circumstances.