Hardly a day goes by without some online news reference to phishing. It’s sometimes also called carding or brand spoofing. But what is it? How does phishing work and what are the consequences?
Phishing [a deliberate misspelling of the word ‘fishing’] is a specific form of cyber crime. Phishing tricks computer users into disclosing personal details such as usernames, passwords, PIN numbers, credit card numbers etc, which are linked to bank accounts or on-line shopping accounts. These details are then used to steal money. So phishing is fraud: first your personal information and then your money…
Phishing and social engineering
Phishers rely heavily on social engineering techniques. The term social engineering normally refers to the use of sociological methods to influence a large group of people.. In computer security, the term refers to methods employed by virus writers to trick users into disclosing information and causing a security breach.
For instance, social engineering is commonly employed by virus writers to trick users into running malicious code. This can be done by attaching a virus or worm to a seemingly innocent/standard email message. LoveLetter, for example, arrived as an email headed ‘I LOVE YOU’ – who wouldn’t like to receive a love letter? The message itself said “Kindly check the attached LOVELETTER coming from me”. The attachment had a double extension [LOVE-LETTER-FOR-YOU.TXT.vbs]. By default, Windows does not display the second [real] extension, which might alert users to the fact that the attachment contained malicious code. This double extension trick has been used by lots of viruses and worms during the last five years.
Another social engineering technique is using an email that offers something desirable. Swen, for example, masqueraded as a cumulative Microsoft patch. In this case, the goal is to exploit users’ growing awareness of computer security and the need to patch systems to avoid Internet worms. Other social engineering tricks include ICQ messages with links to infected Web pages.
Phishing in focus
Basic phishing techniques
The phisher first creates a web site which is almost identical to the site of the financial institution being targeted. The criminal then goes ‘phishing’, spamming an email that imitates an email from the bank or credit card company itself.
Phishers typically use genuine logos, good business style and may even include the names of real employees from the financial institution’s senior management. They also spoof the header of the email to make it look legitimate: it’s not difficult to send an e-mail and make look like it has come from a different sender. Usually, emails say that the bank has changed its IT structure, and customers therefore need to confirm their user information. Occasionally, the letters cite network failure, or a hacker attack, as the reason why personal data should be resubmitted.
Phishing emails have one thing in common: they’re the bait used to try and lure customers into clicking on the link included in the email. The link takes the user directly to the specially constructed site. If the luckless fish swallows the bait, and completes the form with the personal information requested – the phisher now has access to the victim’s bank, credit card, or on-line shopping account.
Typical phisher targets
As you’d expect, phishers target organizations that handle high volume financial transactions online. In the last 18 months, customers of nearly all major banks (Barclays, Citibank, Halifax, HSBC, Lloyds TSB and MBNA, NatWest) have all been targeted by phishers. However, it’s not only banking customers who are at risk – amazon.com, AOL, BestBuy, eBay, MSN, PayPal and Yahoo have all been targeted by phishing scams.
In any single phishing scam, only a small proportion of recipients will be customers of the spoofed bank or other organization, and only a small proportion of them will ‘take the bait’. However, phishing messages are spammed – such large volumes of fake messages are sent that even a low response will harvest enough data to make the scam worthwhile.
Phishers are playing for high stakes. Estimates of losses caused by phishing vary – search online and you can find figures ranging from $400 million to $2.4 billion. However, one fact is clear: the number of phishing attacks, and the associated costs, are increasing. Between July 2004 through to November 2004, there was a 34% month-on-month growth in the number of new, unique phishing e-mail messages; and a 28% month-on-month growth in the number of unique fraudulent web sites [figures taken from the Phishing Activity Trends Report – November 2004, Anti-Phishing Working Group].
The problem doesn’t necessarily end with direct financial losses experienced by the victims and the financial institutions. Some phishers also place exploits for Microsoft Internet Explorer [IE] vulnerabilities on their sites. When the victim views the fake site, the exploit uploads a Trojan to their computer. As a result, not only is the user’s banking information harvested, but their machines become part of a network of zombie machines. This network may be used for other malicious activities: as part of a DDoS [Distributed Denial of Service] attack designed to extort money from a victim organization, for use as a spamming platform, or to spread a virus or worm.
Not bad for a day’s phishing!
It’s hardly surprising that phishing has attracted a lot of media attention during the last year or so. Responsible financial institutions now inform their customers of the potential dangers. Users are becoming increasingly wary. So phishers are looking for more sophisticated ways of luring users into giving up their personal information.
The latest phishing techniques
Some phishers make use of vulnerabilities [or unwanted features] to make their scams less obvious. An Internet Explorer [IE] vulnerability documented by Microsoft in late 2003 allows phishers to create fake sites that not only have the look-and-feel of a legitimate site, but also display the URL of a genuine site. When the user clicks on the link in the phisher’s email, the web browser displays content from the fake web site, but the URL in the browser window is that of the genuine bank. This vulnerability is explained on the Microsoft web site, together with tips on how to identify spoofed web sites.
Moreover, phishers have found a way to direct users to fake sites without getting them to click on a link. This is because it’s possible to embed script instructions [including exploit instructions] within HTML that will execute automatically when the email is read.
In November 2004, phishers sent HTML emails containing scripted instructions to edit the hosts file on the victim’s machine. As a result, when the user next directed their browser to their bank’s web site, it was automatically re-directed to a fraudulent site, where any input could be captured. The user hadn’t clicked on a link, and had no reason to think there was anything different about the way the bank site was accessed. Yet the user still fell victim to the phishers. This is one more reason for using plain text email, rather than HTML, and for disabling scripting on your machine.
The following provides some general guidelines on how to minimize the risk of getting hooked by phishers.
- Be very wary of any email asking for personal information. It’s highly unlikely that your bank will request such information by email. If in doubt, call them to check!
- Don’t use links in an email message to load a web page. Instead, type the URL into your web browser.
- Don’t complete a form in an email asking for personal information. Only submit such information via a secure web site. Check that the URL starts with ‘https://’, rather than just ‘http://’. If you’re using IE, look for the lock symbol in the right of the status bar and double-click it to check the validity of the digital certificate. Or, alternatively, use the telephone to transact your business.
- Consider installing a web browser tool bar that alerts you to known phishing attacks.
- Think about using plain text in your emails, rather than HTML. It may not look as nice, but it’s a lot safer
- Check your bank accounts regularly [including debit and credit cards, bank statements, etc.], to make sure that listed transactions are legitimate.
- Make sure that you use the latest version of your web browser and that all necessary patches have been installed.
- Immediately report anything suspicious to your bank or credit card provider.
For more information on phishing, specific phishing attacks and how to stay safe, check out the Consumer Advice on Phishing on the Anti-Phishing Working Group website.