This is a discussion on what is phishing and Phishing techniques used normally by the hackers? within the General Web hosting Discussions forums, part of the Servers and Hosting category.
#1
What is phishing and Phishing techniques used normally by the hackers?

Phishing

Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out by email or instant messaging, and often directs users to give details at a website, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

The first recorded mention of phishing is on the alt.online-service.america-online Usenet newsgroup on January 2, 1996, although the term may have appeared even earlier in the print edition of the hacker magazine 2600. The term phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to "fish" for a user's financial information and passwords. The word may also be linked to leetspeak, in which ph is a common substitution for f. The popular theory that it is a portmanteau of password harvesting is an example of folk etymology.

Phishing techniques

Link manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.yourbank.com.example.com/. Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site.

An old method of spoofing links used links containing the @ symbol, originally intended as a way to include a username and password in a web link (contrary to the standard). For example, the link Free Website Hosting - Tripod free website templates to make your own free website might deceive a casual observer into believing that the link will open a page on Google, whereas the link actually directs the browser to a page on members.tripod.com, using a username of Google; the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer, while the Mozilla and Opera web browsers opted to present a warning message and give users the option of continuing to the site or cancelling.

A further problem with URLs has been found in the handling of Internationalized domain names (IDN) in web browsers, that might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.

Website forgery

Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

An attacker can even use a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.

A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple to use interface that allows a phisher to convincingly reproduce any website and capture any log in details entered at the fake site.

Phone phishing

Not all phishing attacks require a fake website. In an incident in 2006, messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP provider) was dialed, prompts told users to enter their account numbers and PIN. Voice phishing sometimes uses fake caller-ID data to give the appearance that the calls come from a trusted organization.
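An added example, not part of the original post: a mail-filter style check for the link manipulation tricks described above (trusted name used as a subdomain, `@` userinfo, anchor text that shows a different host, IDN hosts, and redirect parameters on a trusted site). The `TRUSTED` allow-list, the function names, the finding labels and every sample URL other than `http://www.yourbank.com.example.com/` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

TRUSTED = {"yourbank.com"}  # assumed allow-list of domains the organisation owns

def registrable(host):
    # Simplification: last two labels. Real code should use the Public Suffix
    # List so that names under suffixes such as co.uk are handled correctly.
    return ".".join(host.split(".")[-2:])

def host_of(text):
    """Lower-cased host of a URL or bare hostname, or '' if text is neither."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    try:
        url = text if "://" in text else "http://" + text
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def check_link(href, anchor_text="", trusted=TRUSTED):
    """Return findings for one link (href plus visible text) from a message."""
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["unparseable"]
    host = (parts.hostname or "").lower()
    reg = registrable(host)
    findings = []
    if parts.username is not None:          # text before '@' is not the host
        findings.append("userinfo")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-host")         # candidate homograph, review by eye
    if reg not in trusted and any(f".{t}." in f".{host}." for t in trusted):
        findings.append("trusted-name-in-subdomain")
    shown = host_of(anchor_text)
    if shown and registrable(shown) != reg:
        findings.append("anchor-mismatch")  # visible URL differs from target
    if reg in trusted:                      # open-redirector pattern
        for _, value in parse_qsl(parts.query):
            if "://" in value and registrable(host_of(value)) not in trusted:
                findings.append("redirect-param")
    return findings

if __name__ == "__main__":
    # Constructed samples; the first URL is the one quoted in the post.
    for href, text in [("http://www.yourbank.com.example.com/", ""),
                       ("http://www.yourbank.com@example.net/", ""),
                       ("http://example.net/login", "http://www.yourbank.com/")]:
        print(href, check_link(href, text))
```
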