
Risk

10/26/2006 03:45 PM

Anatomy Of A Phishing Scam

The invention of the phishing scam marked the first time in the history of computer viruses and malware that people could make serious money off of security attacks. Think it's easy to launch a phishing scam? It's not. But there's a big-time payoff for those who can successfully navigate through the following steps, as laid out by Andrew Klein, Everdream's director of product marketing.

1) Attackers first find a list of e-mail addresses, something they can do in several ways. You can buy lists, or you can buy software that searches Web sites for e-mail addresses, Klein said at this week's InfoSecurity conference in New York. He told the packed crowd at his phishing seminar that there's even software available for sale on eBay that helps you generate lists. For example, once you figure out how a company assigns e-mail addresses to its employees, it's not hard to conjure a list of potential e-mail addresses for all of that company's employees.

2) Write an attack script that resides within a bogus Web site and is tuned to steal information from anyone visiting the site. More and more, thieves are looking for more than credit card numbers, which are difficult to sell without accompanying card holder information. Debit card info, however, is extremely valuable, since a debit card number with a PIN is "instant money," Klein said. Banks tend to have little sympathy for people who lose money from PIN-protected accounts and may not cover the victim's losses, even if said victim is duped by a phishing site.

3) Now you're ready to look for computing resources from which to send phishing e-mails that attract victims back to your phishing site. One popular way to do this is to enlist a botnet army to scavenge the Web for unused disk space on e-mail servers. A botnet brigade won't come cheap and can cost as much as $700 per hour, Klein said.

4) Don't forget to find a place to host your phishing site. Since you don't want to actually buy or rent servers (remember, you're a bad guy), nor do you want any paper trail (digital or otherwise) that would lead the police back to your door, make sure you steal space in someone else's data center. You might even want to spread your malicious activity among several unsuspecting enterprises so it's not too obvious that you're stealing capacity from their systems. Register your site's name with an Internet authority and make sure that the site's URL resembles some existing business. One PayPal scam registered the address "paypal.com," except that the first "a" was written in the Cyrillic alphabet. Pret-ty clever.
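The Cyrillic-"a" trick in step 4 is something a mail gateway or URL filter can catch on the defender's side. The following is an added example, not code from the article or from Everdream; it assumes a constructed watch list of protected brands and a deliberately short confusables table, and it flags both a mixed-script label (the article's case) and an all-Cyrillic lookalike of a watch-listed brand.

```python
import unicodedata

# Constructed sample: the lookalike "paypal.com" the article describes, with
# its first "a" replaced by Cyrillic small letter a (U+0430).
LOOKALIKE = "p\u0430ypal.com"

# Deliberately short table of Cyrillic letters that render like Latin ones;
# a real deployment would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
WATCHLIST = {"paypal"}  # hypothetical list of brands this gateway protects

def script_of(ch):
    """Script of one character from the first word of its Unicode name
    ("LATIN", "CYRILLIC", ...); digits, '-' and '.' are neutral."""
    if ch in "-.0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def labels(hostname):
    return unicodedata.normalize("NFC", hostname).lower().split(".")

def mixed_script_labels(hostname):
    """Labels mixing scripts, e.g. Latin letters around one Cyrillic letter:
    the trick in the article's PayPal example."""
    return [l for l in labels(hostname)
            if len({script_of(c) for c in l} - {"COMMON"}) > 1]

def spoofed_brands(hostname):
    """(label, brand) pairs where swapping confusables for the Latin letters
    they imitate yields a watch-listed brand, yet the code points differ.
    Also catches an all-Cyrillic lookalike the mixed-script check misses."""
    hits = []
    for label in labels(hostname):
        sk = "".join(CONFUSABLES.get(c, c) for c in label)
        if sk != label and sk in WATCHLIST:
            hits.append((label, sk))
    return hits

def to_ace(hostname):
    """Punycode form: what DNS and the TLS certificate actually see."""
    return hostname.encode("idna").decode("ascii")

def is_suspicious(hostname):
    return bool(mixed_script_labels(hostname) or spoofed_brands(hostname))
```

Showing users the `to_ace` form (an `xn--` label instead of "paypal") is the same defence modern browsers apply when a name mixes scripts.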

5) Don't stop now; it's time to launch your attack, which consists of flooding the Internet with spam that directs hapless e-mail users to your phishing site. You're going to be extra clever and send your potential victims two e-mails. The first will notify them of some problem with their account (banking, brokerage, retirement--you choose), alerting them that you'll be following up at some point to verify their account information. Remember, don't ask for any information or send any links in that first e-mail, just be sure to make it look official. This will lend an air of legitimacy (which, of course, you don't deserve). The follow-up e-mail is where you'll make your move, directing the victim to your site and asking them to verify their account information.

6) All that's left is to cash in on the results (and avoid the police, of course). What are your odds? Klein puts it this way: If a phisher sends out 2 million spam e-mails, it's likely that 5% of those e-mails will go to legitimate e-mail addresses. About 5% of those e-mail users are likely to click on the phishing link contained in the spam. And 2% of those e-mail recipients will actually enter their information into a phishing site. That works out to about 100 people, but once the phisher has their personal and account information, the dollars can quickly add up.

It's a process that's so thorough and well-crafted, "I'm surprised VCs haven't funded these enterprises and that the government hasn't found a way to tax them," Klein joked with his audience.

Don't despair. Phishing is on just about everyone's radar screens today, and there are ways to keep your company's customers from being defrauded. When crafting e-mails to your customers, cut down the number of links you include. Better yet, provide a dead link and ask the recipient to copy and paste the link into their browser rather than automatically clicking through to a site. Remember to personalize your e-mails as much as possible, even to the point of including middle initials of your clients when addressing them. Klein notes that middle initials aren't always easy to find by surfing the Web. If you have them in your records, use them. Also provide non-e-mail ways of allowing clients to verify that an e-mail is legit, such as a phone number through which they can talk to a real-live person.

A real-live person. Imagine that.
