Script

Intro Scene
Starting
Since the past, one of the most profitable crimes is ‘identity theft’ [1]. Identity theft is the crime in which
criminals steal personal identity or financial information such as banking details [56]. In traditional way
as discussed in, criminals commit crimes either by killing the victim and pretend to be the legitimate
person or steal confidential information from garbage, where criminals access information from discarded
letters, financial records, electricity bills, and many others bills which are dumped without shredding
properly.
Definition
Phishing is one of the most organised crimes of the 21st century. It is defined as a type of malware
or a term for where someone sends out a spoofed email to random victims to try to get personal
information about them. More specifically in computing, phishing is a criminal activity using social
engineering techniques to fraudulently acquire sensitive information such as usernames and
passwords by attempting to trick users of popular websites by emailing them fake versions of the
website to provide their credentials to.
Over 250,000 Twitter accounts and over 110,000 job applicant’s NPI (National Provider Identifier) were
compromised in Virginia Tech’s website in early 2013 [66]. In addition, about 74,000 students, staff and
faculty members of University of Delaware became a victim of phishing attack and researchers
discovered that users’ personal details were stolen by an using an existing vulnerability on their website
[63]. According to C. Goggi, Phishing attacks were one of the most serious type of threats in 2013 [40].
Malcovery reported that in last quarter of 2013 the top five targeted companies by phishers were
Facebook, WhatsApp, UPS, Fargo and Companies House (UK) [44]. Sheng et al. showed that, women
were more likely to be a victim of phishing than men. Similar goes for people from 18 to 25 years of age,
possibly due to the lack of awareness against phishing threats [45, 56, 61, 62]
The United States Computer Emergency Readiness Team (CERT) gathered security details from various
agencies, which stated that there were 107,655 incident in 2011, 43,889 of which were on federal
agencies [46]. In May of 2015, construction, engineering, transportation and telecommunication sectors
were a target of Advanced Persistent Threat (APT3) phishing campaigns. FireEye identified it to be a zero
day attack. The employees received phishing emails having malicious URLs, upon clicking them they
redirected to compromised web server, and the target system downloaded an infected Adobe Flash Player
SWF file and FLV file which made a backdoor [66].

History
Hillary Clinton presidential campaign chairman, John Podesta’s Google email account was “hacked” in
March 2016 prior to the US election [86]. The hacker simply sent a phishing email to Podester’s gmail
account and lured him to disclose his login credentials. In the phishing email, Podesta had been invited to
click on a link (i.e. Unified Resource Locator, so called “URL”) warning him to change his password
immediately. However, the URL did not link to a secure Google web page, instead directing the user
blindly via bit.ly, which is a service used to shorten URLs. Podesta hack didn’t require much technical
skills. Instead, the hacker merely used social engineering techniques to make the attack successful. The
simplicity of the attack, of course, does not make less impact of the crime and makes it no less illegal
either.
Security has been an issue in the field of computer technology since early 50’s. In 1950’s, the computer
had techniques to ensure that a particular application is not able to use memory other than allotted to it.
Several encryption and access control techniques to protect passwords etc., were developed in 1960’s.
Computers were studied as a new complete domain in the 1970’s. We have the concept of “Phone
Phreaking” since the 1950’s till 1980’s, that is where the phrase “ph” in “Phishing” comes from replacing
“f” in ‘fishing’ [2]. In 1950, J. Engressia, discovered by accident that certain frequencies can telephone
switches with perfect pitch. In 1960, Bell published a paper [47], which included the actual frequencies
used for the routing codes. Leak of these codes started a new trend, which was irreversible. In 1964,
AT&T began to monitor telephone calls to track phone “phreakers.” In 1969, as described in [11] "phone
phreaking" was invented by a retired air force technician J. T. Draper. He created a worldwide famous
device the ‘Blue Box’ an electronic device which could use the tones in use by a telephone company so
that it was possible to make long distance calls for free, in 1972 he got arrested for toll fraud charges. In
1978, DEC’s marketing manager G. Thuerk sent first international commercial spam. A single mass e-
mail was written and sent to 393 West Coast ARPANET users for advertising the availability of a new
model of DEC computers [2,66]. In 1983, K. Thompson first described a security threat, which is called
as “Trojan horse”. An electronic magazine named as ‘Phrack’ which was written by and for hackers,
begun publishing in 1985 [2].
We described in detail about the “phishing” era of 1990’s and onward in figure 6. In December 1995, it
has been reported that hackers attempted to break into DoD (US Department of Defense) computers about
250K times in the same year and 65% of them were successful. In 1996, as described in [11], the term
‘phishing’ was used first time by hackers who stole America On-line (which is the largest Internet
Service Provider in US) by getting access to the passwords of AOL users. As described in [2], phishing
was first mentioned on the Internet by the “alt.2600” hacker newsgroup in January 1996, in which
hackers asked for any other method to get an account, other than ‘phishing’. In addition, in 1997 first
media publication warns customers of new threat called “phishing”, also AOL cut down its direct access
for Russian users due to increased level of fraud. In 1998, phishers started to make use of message boards
and news groups to attack victims. From 2000 onwards, phishers started using massmailers to spread
phishing emails and spoofed URLs to redirect a fake website [2]. In addition to this, for acquiring login
credentials (i.e. login-id, password, etc), key loggers became popular among the phishers [2]. In 2001, as
described in [11], e-gold became the first victim among the financial institutions. Phishers started using
spam messages to spread their network. As described in [11], Buffalo spammer was arrested in New York
in 2003 after sending 825 million spam emails and fraudulently using stolen identities. In 2005, Bank of
America lost 1.2 million usernames and SSNs of their customers. In 2006, phishers targeted VoIP first
time. In 2007, according to Gartner study, about 1.5 millions of US citizen identities got stolen. In 2008,
S. Wallace received $711M for posting spam messages on walls of Facebook’s members. In 2011, Credit
and Debit card details of more than 10M PlayStation Network and Sony Entertainments users are stolen
and damaged approximately $1 to $2 billion making it the costliest cyber-hack ever. In February 2014,
according to the report of 3rd Microsoft Safer security Index phishing caused annual losses of about $5
billions [48]. Over the past few year, phishing attacks have evolved into much more advanced threats
beyond emails also including SMS, online social
1954
•Bell's Journal published signalling system & process for routing telephone calls over trunk lines
1957
•7 year blind boy Josef Engressia discovers a frequency to activate phone switches
1960
•"Signalling Systems for Control of Telephone Switching " was published with frequencies for routing
codes
1964
•AT&T starts monitoring telephone calls to detect "Phone Phreaking"
1965
•First reported vulnerability in Multies CTSS on IBM 7094, disclosing password file(founded by WD
Mattews) data
1969
•John Draper built "Blue Box" which generates the frequency to gain easier entry into AT&T systems
1972
•John Draper arrested on toll fraud charges & sentenced to five year probation
1978
•First international commercial spam was sent by DEC marketing Gary Thuerk
1982
•Ken Thompson described a security exploit that he called "Trojan Horse" •Rich Skrenta a 15-year old
high school student creates the first boot sector virus "Elk Cloner" for Apple II
6

networking even online gaming [54, 55, 56]. eCrime Trends Reports of the year 2012 shows that Phishing
attacks are increasing by 12% per year. Phishing emails are becoming an enormous threat everyday
affecting major financial companies and clients. Researchers have given many solutions ranging from
authentication protocols to content filtering to protect against phishing attacks but still the attackers are
able to carry out these frauds successfully [54,. Of course, it is easy to exploit humans rather than
breaking into the system straightway.
ROLES OF PHISHING
A complete phishing attack involves three roles of phishers
Mailers
Collectors
cashers
A complete phishing attack involves three roles of phishers. Firstly, mailers send out a large number of
fraudulent emails (usually through botnets), which direct users to fraudulent websites. Secondly,
collectors set up fraudulent websites (usually hosted on compromised machines), which actively prompt
users to provide confidential information. Finally, cashers use the confidential information to achieve a
pay-out. Monetary exchanges often occur between those phishers.
Types of Phishing
Phishing has spread beyond email to include VOIP, SMS, instant messaging, social networking sites, and
even multiplayer games. Below are some major categories of phishing.
2.1 Clone Phishing In this type phisher creates a cloned email. He does this by getting information such
as content and recipient addresses from a legitimate email which was delivered previously, then he sends
the same email with links replaced by malicious ones. He also employs address spoofing so that the email
appears to be from the original sender. The email can claim to be a re-send of the original or an updated
version as a trapping strategy [31].
2.2 Spear Phishing Spear phishing targets at a specific group. So instead of casting out thousands of
emails randomly, spear phishers target selected groups of people with something in common, for example
people from the same organization [28]. Spear phishing is also being used against high-level targets, in a
type of attack called “whaling”. For example, in 2008, several CEOs in the U.S. were sent a fake
subpoena along with an attachment that would install malware when viewed [24]. Victims of spear
phishing attacks in late 2010 and early 2011 include the Australian Prime Minister’s office, the Canadian
government, the Epsilon mailing list service, HBGary Federal, and Oak Ridge National Laboratory [18].
2.3 Phone Phishing This type of phishing refers to messages that claim to be from a bank asking users to
dial a phone number regarding problems with their bank accounts. Traditional phone equipment has
dedicated lines, so Voice over IP, being easy to manipulate, becomes a good choice for the phisher. Once
the phone number, owned by the phisher and provided by a VoIP service, is dialed, voice prompts tell the
caller to enter her account numbers and PIN. Caller ID spoofing, which is not prohibited by law, can be
used along with this so that the call appears to be from a trusted source [1].

Now a days most phishing attAcks are done on cell phone and mostly are on whatsapp now
lets talk about these attacks
WhatsApp scams used to be for the most part innocent, the digital equivalent to the chain letter. But today
WhatsApp scams are increasingly nasty, whether they want to scrounge your personal data or install
malware on your device. Check our guide to common WhatsApp scams and you'll know which ones to
delete.

Verification code links

A warning has been issued in the United Arab Emirates - and it's good advice for us all - against

WhatsApp verification code messages that contain links. 

When you first install WhatsApp you are sent a message with a code that you must enter into the app to

verify your phone number. You are not required to click on a link to verify your number. Neither are you

required to verify your phone number following the initial installation of the app.
However, scammers are reportedly catching out the unaware by fooling them into clicking these links,

then hacking their WhatsApp accounts and taking over control.

Olivia

Back in September 2018 Police warned over a new WhatsApp hoax they are calling 'Olivia', the name the

scammer tends to go under, in which kids are targeted with a series of messages from someone pretending

to be a friend of a friend or a friend with a new number. If they respond they are then hit with links to

pornographic sites and content. We have full details here: make sure your kids know to steer well clear

Free Adidas trainers

A particularly clever phishing scam is doing the rounds on WhatsApp in the US, Norway, Sweden, the

Netherlands, Belgium, India, Pakistan and elsewhere, claiming that Adidas is offering 2,500 free pairs of

trainers in celebration of its 69th anniversary. The message includes a link, which looks genuine - but on

closer inspection there is not dot above the i in Adidas.

This is known as a homoglyph attack, explains Eset, and on clicking the link you are redirected to a

survey with four questions. At the end of this they are instructed to share the link in order to claim their

prize, but of course there is no prize.

Instead you get an offer to claim your trainers for $1, which actually signs you up to a dodgy subscription

service that will charge you $49.99 a month. 

You'll need to be 16 to use WhatsApp

Unfortunately this one is not a scam: it's true - although, we imagine, difficult to control. It's all due to

GDPR, and the company has confirmed it is updating its privacy policy and terms of service in response.

The change will apply only in the EU, and the age limit will remain at 13 elsewhere.

Aer Lingus free flight

to trick users into clicking a dodgy link by offering free flights. This is not a genuine offer, and the

messages are not from Aer Lingus. Please do not fall for it, and do not pass it on.

Request to transfer your number

The most recent WhatsApp scam involves a text message suggesting that "You have requested to transfer

your number to another device. This change will be made within 24 hours. If you did not make this

request please call 0902 394 1246."

It's a scam: don't call the number. It's a premium number, and will cost you.

You don't need to request a transfer of your number on to another device on WhatsApp, you simply

download the app on that device and verify your phone number on it, at which point the app on your old

device ceases to work.

Free £250 shopping voucher

One of the most common WhatsApp scams is one that offers a link with the promise of a free £250 gift

card for either Sainsbury's, M&S, Tesco and Asda. The M&S version is pictured here.

Even the most savvy WhatsApp users are falling for this scam, because who doesn't want £250 in

shopping vouchers? And anyway, what's the worst that can happen, right?

By clicking on the link you are taken to a survey page that asks you to answer various personal questions.

This survey has absolutely nothing to do with the supermarket, and everything to do with stealing your

data.

You might think you're doing your friends a favour by passing it on, but you're really not.
Dodgy WhatsApp attachments
A recent WhatsApp scam to come to our attention hopes to trick the user into opening a legitimate-

looking Word, Excel or PDF document attached to a WhatsApp message that will actually download

malware to their device and can then steal their personal information.

All reports originate from India, and apparently use the names of the NDA (National Defence Academy)

and NIA (National Investigation Agency) in an attempt to get users to open them, but it won't take much

for the scam to make its way to the UK too.

A similar message did the rounds in the UK that tried to persuade users to download a £100 Sainsbury's

voucher. In reality, the link simply installed cookies or a browser extension on the user's phone that could

be used to serve adverts to them.

The easiest way to avoid this scam is to delete the message, and never to download an unexpected

document attachment - whether or not it comes from a trusted contact.

If you're concerned that you may have already downloaded malware on to your device, see our guide

on how to remove malware from Android.

You have to pay for WhatsApp

Can you imagine life without WhatsApp? Well fortunately, you probably don't have to. One well known

WhatsApp scam goes as follows:

"tomorrow at 6 pm they are ending WhatsApp and you have to pay to open it, this is by law

This message is to inform all of our users, our servers have recently been very congested, so we are

asking you to help us solve this problem. We require our active users to forward this message to each of

the people in your contact list to confirm our active users using WhatsApp, if you do not send this

message to all your contacts WhatsApp will then start to charge you. Your account will remain inactive

with the consequence of losing all your contacts. Message from Jim Balsamic (CEO of Whatsapp ) we

have had an over usage of user names on whatsapp Messenger. We are requesting all users to forward

this message to their entire contact list. If you do not forward this message, we will take it as your account

is invalid and it will be deleted within the next 48 hours. Please DO NOT ignore this message or

whatsapp will no longer recognise your activation.

monthly bill.

We are also aware of the issue involving the pictures updates not showing. We are working diligently at

fixing this problem and it will be up and running as soon as possible. Thank you for your

cooperation from the Whatsapp team”

WhatsApp is going to cost us money soon. The only way that it will stay free is if you are a frequent user

i.e. you have at least 10 people you are chatting with. To become a frequent user send this message to 10

people who receive it (2 ticks) and your WhatsApp logo should turn blue"

This is absolutely not true, and under no circumstances should you fall for it. If you're still not convinced,

just think about it: you are sending a message to everyone on your contact list to help solve congestion?

WhatsApp is also based on phone numbers, not user names. We could go on...

WhatsApp Gold

Another WhatsApp hoax offers an exclusive invitation to upgrade to a premium version of the app, called

WhatsApp Gold. It's complete and utter rubbish: there is no WhatsApp Gold. 

"The invitation reads: "Hey Finally Secret Whatsapp golden version has been leaked, This version is used

only by big celebrities. Now we can use it too."

It claims to allow you to delete messages after you've sent them, and simultanously send 100 pictures,

among other things. It sounds great, but it's entirely made up. Click on the link in the invitation and you're

more likely to end up with a malware infection. (See how to remove a virus from Android if you've

already done so.)

One WhatsApp scam isn't delivered via WhatsApp itself but through your email app on your Android

phone or iPhone. It tells you that you have missed a WhatsApp call or have a WhatsApp voice message,

which you should click on the link in the email to access. Rather than your message, you get a virus

downloaded to your device.

do not click the link and delete the message.

WhatsApp is closing down

One WhatsApp hoax that regularly does the rounds is that which asks you to forward the message to 10

people or the service will close down.

WhatsApp has millions of users, and it really won't notice you sending 10 messages through the service.

It is not about to close down, and this is very much a hoax. 

Another variation suggests there are too many WhatsApp users, and it will close your account if you don't

start using it.

The chain message reads: Message from Jim Balsamic (CEO of Whatsapp). We have had an over usage

of user names on WhatsApp Messenger. We are requesting all users to forward this message to their

entire contact list.

"If you do not forward this message, we will take it as your account is invalid and it will be deleted within

the next 48 hours. Please DO NOT ignore this message or WhatsApp will no longer recognise your

activation."

If you don't act in time, WhatsApp will apparently charge you £25 to reactivate your account, which will

be added to your phone bill.

Except it won't, because WhatsApp has been a free service for some time. 

As it says on its official blog: "WhatsApp will no longer charge subscription fees. For many years, we've

asked some people to pay a fee for using WhatsApp after their first year. As we've grown, we've found

that this approach hasn't worked well. Many WhatsApp users don't have a debit or credit card number and

they worried they'd lose access to their friends and family after their first year. So over the next several
weeks, we'll remove fees from the different versions of our app and WhatsApp will no longer charge you

for our service."

Inactive users will have to pay

By far the most popular WhatsApp hoax is that which suggests the service will start charging inactive

users a certain amount per message, so by sending the message on to 10 users they can prove they are an

active member and loyal to WhatsApp, and therefore deserving of its free service.

Really? Ask yourself how sending that message you don't pay for to 10 people could possibly keep open

the company if it was that desperate for cash? If it were skint, it wouldn't have decided to ditch its

subscription fees.

So now we think that you better understanding of whatsapp phishing attacks so if you like our
video then like and subcribe our channel and follow us on facebook Instagram and twitter for daily
updates stay toon.