Risk
10/26/2006
03:45 PM

Anatomy Of A Phishing Scam

The invention of the phishing scam marked the first time in the history of computer viruses and malware that people could make serious money off of security attacks. Think it's easy to launch a phishing scam? It's not. But there's a big-time payoff for those who can successfully navigate through the following steps, as laid out by Andrew Klein, Everdream's director of product marketing.

1) Attackers first find a list of e-mail addresses, something they can do in several ways. You can buy lists, or you can buy software that searches Web sites for e-mail addresses, Klein said at this week's InfoSecurity conference in New York. He told the packed crowd at his phishing seminar that there's even software available for sale on eBay that helps you generate lists. For example, once you figure out how a company assigns e-mail addresses to its employees, it's not hard to conjure a list of potential e-mail addresses for all of that company's employees.

2) Write an attack script that resides within a bogus Web site and is tuned to steal information from anyone visiting the site. More and more, thieves are looking for more than credit card numbers, which are difficult to sell without accompanying card holder information. Debit card info, however, is extremely valuable, since a debit card number with a PIN is "instant money," Klein said. Banks tend to have little sympathy for people who lose money from PIN-protected accounts and may not cover the victim's losses, even if said victim is duped by a phishing site.

3) Now you're ready to look for computing resources from which to send phishing e-mails that attract victims back to your phishing site. One popular way to do this is to enlist a botnet army to scavenge the Web for unused disk space on e-mail servers. A botnet brigade won't come cheap and can cost as much as $700 per hour, Klein said.

4) Don't forget to find a place to host your phishing site. Since you don't want to actually buy or rent servers (remember, you're a bad guy), nor do you want any paper trail (digital or otherwise) that would lead the police back to your door, make sure you steal space in someone else's data center. You might even want to spread your malicious activity among several unsuspecting enterprises so it's not too obvious that you're stealing capacity from their systems. Register a domain name with a registrar and make sure that the site's URL resembles some existing business. One PayPal scam registered the address "paypal.com," only the first "a" was written using the Cyrillic alphabet, so the name looked identical to the real one on screen. Pret-ty clever.

5) Don't stop now, it's time to launch your attack, which consists of flooding the Internet with spam aimed at steering hapless e-mail users to your phishing site. You're going to be extra clever and send your potential victims two e-mails. The first will notify them of some problem with their account (banking, brokerage, retirement--you choose), alerting them that you'll be following up at some point to verify their account information. Remember, don't ask for any information or send any links in that first e-mail, just be sure to make it look official. This will lend an air of legitimacy (which, of course, you don't deserve). The follow-up e-mail is where you'll make your move, directing the victim to your site and asking them to verify their account information.

6) All that's left is to cash in on the results (and avoid the police, of course). What are your odds? Klein puts it this way: If a phisher sends out 2 million spam e-mails, it's likely that 5% of those e-mails will go to legitimate e-mail addresses. About 5% of those e-mail users are likely to click on the phishing link contained in the spam. And 2% of those e-mail recipients will actually enter their information into a phishing site. That works out to about 100 people (2 million x 5% x 5% x 2%), but once the phisher has their personal and account information, the dollars can quickly add up.

It's a process that's so thorough and well-crafted, "I'm surprised VCs haven't funded these enterprises and that the government hasn't found a way to tax them," Klein joked with his audience.
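The Cyrillic "paypal.com" in step 4 is the kind of name a mail gateway or a customer-facing fraud team can catch mechanically. The following is an added example, not code from the article or from Everdream: it decodes a hostname to the form the user sees, flags labels that mix scripts (Latin plus Cyrillic, as in Klein's example) and compares a confusable-stripped "skeleton" of the name against a list of protected brands. The small confusable table, the script-from-character-name heuristic and the protected list are assumptions of this example, not the article's; a production check should use the Unicode confusables data. It goes slightly beyond the article's single case by also catching digit-for-letter typosquats such as "paypa1.com". In DNS the Cyrillic-"a" name travels as punycode, "xn--pypal-4ve.com", which is what the sample input below uses.

```python
"""Flag look-alike (homoglyph / mixed-script / typosquat) hostnames.

Added example for the Cyrillic "paypal.com" trick described in the article;
the confusable map and the script heuristic are this example's own
assumptions, not a Unicode-complete implementation.
"""
import unicodedata

# Assumed confusable map: Cyrillic/Greek letters and digits that render like
# Latin letters. Production code should derive this from confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
    "1": "l", "0": "o",
}


def to_unicode(host: str) -> str:
    """Decode punycode labels (xn--...) so the name can be inspected as the
    user sees it; labels that are already Unicode are left as they are."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def to_ascii(host: str) -> str:
    """Punycode form of the name, i.e. what actually goes out in a DNS query."""
    return to_unicode(host).encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Rough script classification taken from the Unicode character name,
    e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC"."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label; digits and hyphens ignored."""
    return {script_of(c) for c in label if c.isalpha()}


def skeleton(label: str) -> str:
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def check_host(host: str, protected: list) -> dict:
    """Return a finding record for one hostname.

    mixed_script: some single label mixes scripts (Latin + Cyrillic, ...),
                  which legitimate brand domains almost never do.
    lookalike_of: a protected domain whose skeleton equals this host's
                  skeleton while the two names differ, otherwise None.
    """
    uni = to_unicode(host)
    labels = uni.split(".")
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    skel = ".".join(skeleton(label) for label in labels)
    lookalike = None
    for brand in protected:
        brand = brand.lower()
        if skel == brand and uni != brand:
            lookalike = brand
            break
    return {"host": host, "unicode": uni, "ascii": to_ascii(host),
            "mixed_script": mixed, "lookalike_of": lookalike}


if __name__ == "__main__":
    # Constructed sample input: the Cyrillic-"a" PayPal name as it appears in
    # DNS, the genuine name, a digit typosquat, and a harmless IDN.
    for h in ["xn--pypal-4ve.com", "paypal.com", "paypa1.com",
              "xn--bcher-kva.example"]:
        print(check_host(h, ["paypal.com"]))
```

Run the check on every hostname extracted from links in inbound mail (and, for the brand-protection side, on newly registered domains from zone feeds). A hit on mixed_script alone is a strong signal because registrars accept such names and browsers may render them in Unicode; the skeleton comparison catches the ASCII-only variants the script check cannot see.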

Don't despair. Phishing is on just about everyone's radar screens today, and there are ways to keep your company's customers from being defrauded. When crafting e-mails to your customers, cut down the number of links you include. Better yet, print the URL as plain, non-clickable text and ask the recipient to copy and paste it into their browser rather than clicking through to a site, so they get used to never following links in mail that claims to come from you. Remember to personalize your e-mails as much as possible, even to the point of including middle initials of your clients when addressing them. Klein notes that middle initials aren't always easy to find by surfing the Web, so a phisher working from a harvested address list is unlikely to have them. If you have them in your records, use them. Also provide non-e-mail ways of allowing clients to verify that an e-mail is legit, such as a phone number through which they can talk to a real-live person.

A real-live person. Imagine that.
