Risk
10/26/2006
03:45 PM
50%
50%

Anatomy Of A Phishing Scam

The invention of the phishing scam marked the first time in the history of computer viruses and malware that people could make serious money off of security attacks. Think it's easy to launch a phishing scam? It's not. But there's a big-time payoff for those who can successfully navigate through the following steps, as laid out by Andrew Klein, Everdream's director of product marketing.

The invention of the phishing scam marked the first time in the history of computer viruses and malware that people could make serious money off of security attacks. Think it's easy to launch a phishing scam? It's not. But there's a big-time payoff for those who can successfully navigate through the following steps, as laid out by Andrew Klein, Everdream's director of product marketing.1) Attackers first find a list of e-mail addresses, something they can do in several ways. You can buy lists, or you can buy software that searches Web sites for e-mail addresses, Klein said at this week's InfoSecurity conference in New York. He told the packed crowd at his phishing seminar that there's even software available for sale on eBay that helps you generate lists. For example, once you figure out how a company assigns e-mail addresses to its employees, it's not hard to conjure a list of potential e-mail addresses for all of that company's employees.

2) Write an attack script that resides within a bogus Web site and is tuned to steal information from anyone visiting the site. More and more, thieves are looking for more than credit card numbers, which are difficult to sell without accompanying card holder information. Debit card info, however, is extremely valuable, since a debit card number with a PIN is "instant money," Klein said. Banks tend to have little sympathy for people who lose money from PIN-protected accounts and may not cover the victim's losses, even if said victim is duped by a phishing site.

3) Now you're ready to look for computing resources from which to send phishing e-mails that attract victims back to your phishing site. One popular way to do this is to enlist a botnet army to scavenge the Web for unused disk space on e-mail servers. A botnet brigade won't come cheap and can cost as much as $700 per hour, Klein said.

4) Don't forget to find a place to host your phishing site. Since you don't want to actually buy or rent servers (remember, you're a bad guy), nor do you want any paper trail (digital or otherwise) that would lead the police back to your door, make sure you steal space in someone else's data center. You might even want to spread your malicious activity among several unsuspecting enterprises so it's not too obvious that you're stealing capacity from their systems. Register your site's name with an Internet authority and make sure that the site's URL resembles some existing business. One PayPal scam registered the address "paypal.com," only the first "a" was written using the Cyrillic alphabet. Pret-ty clever.

5) Don't stop now, it's time to launch your attack, which consists of flooding the Internet with spam that seeks hapless e-mail users to direct to your phishing site. You're going to be extra clever and send your potential victims two e-mails. The first will notify them of some problem with their account (banking, brokerage, retirement--you choose), alerting them that you'll be following up at some point to verify their account information. Remember, don't ask for any information or send any links in that first e-mail, just be sure to make it look official. This will lend an air of legitimacy (which, of course, you don't deserve). The follow-up e-mail is where you'll make your move, directing the victim to your site and asking them to verify their account information.

6) All that's left is to cash in on the results (and avoid the police, of course). What are your odds? Klein puts it this way: If a phisher sends out 2 million spam e-mails, it's likely that 5% of those e-mails will go to legitimate e-mail addresses. About 5% of those e-mail users are likely to click on the phishing link contained in the spam. And 2% of those e-mail recipients will actually enter their information into a phishing site. That works out to about 100 people, but once the phisher has their personal and account information, the dollars can quickly add up.

It's a process that's so thorough and well-crafted, "I'm surprised VCs haven't funded these enterprises and that the government hasn't found a way to tax them," Klein joked with his audience.

Don't despair. Phishing is on just about everyone's radar screens today, and there are ways to keep your company's customers from being defrauded. When crafting e-mails to your customers, cut down the number of links you include. Better yet, provide a dead link and ask the recipient to copy and paste the link into their browser rather than automatically clicking through to a site. Remember to personalize your e-mails as much as possible, even to the point of including middle initials of your clients when addressing them. Klein notes that middle initials aren't always easy to find by surfing the Web. If you have them in your records, use them. Also provide non-e-mail ways of allowing clients to verify that an e-mail is legit, such as a phone number through which they can talk to a real-live person.

A real-live person. Imagine that.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?