Risk
10/26/2006
03:45 PM

Anatomy Of A Phishing Scam

The invention of the phishing scam marked the first time in the history of computer viruses and malware that people could make serious money off of security attacks. Think it's easy to launch a phishing scam? It's not. But there's a big-time payoff for those who can successfully navigate through the following steps, as laid out by Andrew Klein, Everdream's director of product marketing.

1) Attackers first find a list of e-mail addresses, something they can do in several ways. You can buy lists, or you can buy software that searches Web sites for e-mail addresses, Klein said at this week's InfoSecurity conference in New York. He told the packed crowd at his phishing seminar that there's even software available for sale on eBay that helps you generate lists. For example, once you figure out how a company assigns e-mail addresses to its employees, it's not hard to conjure a list of potential e-mail addresses for all of that company's employees.

2) Write an attack script that resides within a bogus Web site and is tuned to steal information from anyone visiting the site. More and more, thieves are looking for more than credit card numbers, which are difficult to sell without accompanying card holder information. Debit card info, however, is extremely valuable, since a debit card number with a PIN is "instant money," Klein said. Banks tend to have little sympathy for people who lose money from PIN-protected accounts and may not cover the victim's losses, even if said victim is duped by a phishing site.

3) Now you're ready to look for computing resources from which to send phishing e-mails that attract victims back to your phishing site. One popular way to do this is to enlist a botnet army to scavenge the Web for unused disk space on e-mail servers. A botnet brigade won't come cheap and can cost as much as $700 per hour, Klein said.

4) Don't forget to find a place to host your phishing site. Since you don't want to actually buy or rent servers (remember, you're a bad guy), nor do you want any paper trail (digital or otherwise) that would lead the police back to your door, make sure you steal space in someone else's data center. You might even want to spread your malicious activity among several unsuspecting enterprises so it's not too obvious that you're stealing capacity from their systems. Register your site's name with an Internet authority and make sure that the site's URL resembles some existing business. One PayPal scam registered the address "paypal.com," only the first "a" was written using the Cyrillic alphabet. Pret-ty clever.

5) Don't stop now, it's time to launch your attack, which consists of flooding the Internet with spam that seeks hapless e-mail users to direct to your phishing site. You're going to be extra clever and send your potential victims two e-mails. The first will notify them of some problem with their account (banking, brokerage, retirement--you choose), alerting them that you'll be following up at some point to verify their account information. Remember, don't ask for any information or send any links in that first e-mail, just be sure to make it look official. This will lend an air of legitimacy (which, of course, you don't deserve). The follow-up e-mail is where you'll make your move, directing the victim to your site and asking them to verify their account information.

6) All that's left is to cash in on the results (and avoid the police, of course). What are your odds? Klein puts it this way: If a phisher sends out 2 million spam e-mails, it's likely that 5% of those e-mails will go to legitimate e-mail addresses. About 5% of those e-mail users are likely to click on the phishing link contained in the spam. And 2% of those e-mail recipients will actually enter their information into a phishing site. That works out to about 100 people, but once the phisher has their personal and account information, the dollars can quickly add up.

It's a process that's so thorough and well-crafted, "I'm surprised VCs haven't funded these enterprises and that the government hasn't found a way to tax them," Klein joked with his audience.
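For defenders, the look-alike address from step 4 ("paypal.com" with a Cyrillic "a") is something a mail filter or domain-monitoring job can test for. The sketch below is an added example, not part of the original article or Klein's talk: it decodes punycode labels, flags labels that mix scripts, and compares a "skeleton" of the name against a brand watch list. The confusables map and the watch list are small constructed samples; a production check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed sample: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

# Assumption: the brands this organisation wants to protect.
WATCHLIST = {"paypal.com"}


def to_unicode(domain):
    """Decode xn-- (punycode) labels so the checks see the real characters."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Approximate the script of each letter from its Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(name):
    """Replace known look-alike characters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def check_domain(domain, watchlist=WATCHLIST):
    """Return a list of findings; an empty list means nothing suspicious."""
    name = to_unicode(domain)
    findings = []
    for label in name.split("."):
        found = scripts(label)
        if len(found) > 1:
            findings.append("mixed-script label: " + "+".join(sorted(found)))
    skel = skeleton(name)
    if skel != name and skel in watchlist:
        findings.append("look-alike of " + skel)
    return findings


if __name__ == "__main__":
    for d in ("paypal.com", "p\u0430ypal.com"):
        print(d.encode("idna").decode("ascii"), check_domain(d))
```

Running the check on the punycode form matters because that is how the name appears in DNS logs and raw mail headers.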

Don't despair. Phishing is on just about everyone's radar screens today, and there are ways to keep your company's customers from being defrauded. When crafting e-mails to your customers, cut down the number of links you include. Better yet, provide a dead link and ask the recipient to copy and paste the link into their browser rather than automatically clicking through to a site. Remember to personalize your e-mails as much as possible, even to the point of including middle initials of your clients when addressing them. Klein notes that middle initials aren't always easy to find by surfing the Web. If you have them in your records, use them. Also provide non-e-mail ways of allowing clients to verify that an e-mail is legit, such as a phone number through which they can talk to a real-live person.

A real-live person. Imagine that.
