Anatomy Of A Phishing Scam

The invention of the phishing scam marked the first time in the history of computer viruses and malware that people could make serious money off of security attacks. Think it's easy to launch a phishing scam? It's not. But there's a big-time payoff for those who can successfully navigate through the following steps, as laid out by Andrew Klein, Everdream's director of product marketing.1) Attackers first find a list of e-mail addresses, something they can do in several ways. You can buy lists, or you can buy software that searches Web sites for e-mail addresses, Klein said at this week's InfoSecurity conference in New York. He told the packed crowd at his phishing seminar that there's even software available for sale on eBay that helps you generate lists. For example, once you figure out how a company assigns e-mail addresses to its employees, it's not hard to conjure a list of potential e-mail addresses for all of that company's employees.

2) Write an attack script that resides within a bogus Web site and is tuned to steal information from anyone visiting the site. More and more, thieves are looking for more than credit card numbers, which are difficult to sell without accompanying card holder information. Debit card info, however, is extremely valuable, since a debit card number with a PIN is "instant money," Klein said. Banks tend to have little sympathy for people who lose money from PIN-protected accounts and may not cover the victim's losses, even if said victim is duped by a phishing site.

3) Now you're ready to look for computing resources from which to send phishing e-mails that attract victims back to your phishing site. One popular way to do this is to enlist a botnet army to scavenge the Web for unused disk space on e-mail servers. A botnet brigade won't come cheap and can cost as much as $700 per hour, Klein said.

4) Don't forget to find a place to host your phishing site. Since you don't want to actually buy or rent servers (remember, you're a bad guy), nor do you want any paper trail (digital or otherwise) that would lead the police back to your door, make sure you steal space in someone else's data center. You might even want to spread your malicious activity among several unsuspecting enterprises so it's not too obvious that you're stealing capacity from their systems. Register your site's name with an Internet authority and make sure that the site's URL resembles some existing business. One PayPal scam registered the address "paypal.com," only the first "a" was written using the Cyrillic alphabet. Pret-ty clever.

5) Don't stop now, it's time to launch your attack, which consists of flooding the Internet with spam that seeks hapless e-mail users to direct to your phishing site. You're going to be extra clever and send your potential victims two e-mails. The first will notify them of some problem with their account (banking, brokerage, retirement--you choose), alerting them that you'll be following up at some point to verify their account information. Remember, don't ask for any information or send any links in that first e-mail, just be sure to make it look official. This will lend an air of legitimacy (which, of course, you don't deserve). The follow-up e-mail is where you'll make your move, directing the victim to your site and asking them to verify their account information.

6) All that's left is to cash in on the results (and avoid the police, of course). What are your odds? Klein puts it this way: If a phisher sends out 2 million spam e-mails, it's likely that 5% of those e-mails will go to legitimate e-mail addresses. About 5% of those e-mail users are likely to click on the phishing link contained in the spam. And 2% of those e-mail recipients will actually enter their information into a phishing site. That works out to about 100 people, but once the phisher has their personal and account information, the dollars can quickly add up.

It's a process that's so thorough and well-crafted, "I'm surprised VCs haven't funded these enterprises and that the government hasn't found a way to tax them," Klein joked with his audience.

Don't despair. Phishing is on just about everyone's radar screens today, and there are ways to keep your company's customers from being defrauded. When crafting e-mails to your customers, cut down the number of links you include. Better yet, provide a dead link and ask the recipient to copy and paste the link into their browser rather than automatically clicking through to a site. Remember to personalize your e-mails as much as possible, even to the point of including middle initials of your clients when addressing them. Klein notes that middle initials aren't always easy to find by surfing the Web. If you have them in your records, use them. Also provide non-e-mail ways of allowing clients to verify that an e-mail is legit, such as a phone number through which they can talk to a real-live person.

A real-live person. Imagine that.