In last month's column I briefly mentioned that modern software security products often include filtering for email, and particularly for phishing attacks, and I promised then to discuss phishing in more depth. So this month it's all about phishing.
Phishing is a fairly simple idea that has grown into a sophisticated global security threat, to which millions of dollars are lost annually. The name comes from (and is pronounced the same way as) 'fishing'; the 'ph' follows a hacker tradition of naming illicit activities with deliberate misspellings, such as 'phreaking' (the manipulation of telephone systems to make unpaid-for or spoofed calls), and it helps to mark the activity out as a concept in its own right. The idea is simple: send out some 'bait' that will be attractive to the recipient, and see if you get any 'bites', that is, customers who will give up their financial details to the phisher.
Typically phishing is performed by email, and will usually include other elements, such as fake websites. More recent phishes have used instant messaging, and some give a VoIP telephone number to call instead of a web link; this voice variant is sometimes called 'vishing' to distinguish it from email phishing, but the concept is the same. To simplify the discussion, I'll focus on email-based phishing only.
Phishing Attack in Depth
Phishes are usually targeted at the customers of a specific bank or financial institution, though not exclusively so, and they typically have three parts: sending out the 'bait', collecting the 'bites', and using the fraudulently obtained information for profit (and sometimes identity theft).
In the first stage, the phisher designs an email to look like an official communication from the bank, which is then sent out in huge numbers as spam. Let's say we have a bank called MyBank, and our attacker is going to try to phish its customers. He designs an email that might look something like the one in Table 1.
Table 1
Often the phishing email will contain legitimate information, including graphics taken from the real bank site and in some cases text taken from genuine bank emails. Phishing emails range in complexity and cleverness from the very easy to spot, with many spelling mistakes and obvious flaws, to mails that even experienced security researchers would have a hard time judging. Unfortunately, some banks have not helped, sometimes sending out legitimate mail that looks suspiciously like phishing. The important element of the phish mail, however, is the web link. Phishes are often written in HTML for layout, and this makes it very easy to disguise the actual destination of a link.
Because HTML can make any text an active link, the phisher can display the correct link text to the reader (the bank's own URL, say) while the underlying href sends the browser to a site of his choosing. Only a vigilant user will notice the difference, for instance by hovering over the link and reading the real destination that the mail client or browser shows, which leads us to the next part of the attack.
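The mismatch described above can be checked mechanically. The script below is an added example, not code from the original column: it parses an HTML message, collects every `<a>` element, and for each link whose visible text itself looks like an address compares the host the reader sees with the host in the href. The sample message and every hostname in it (MyBank, mybank.example, evil-host.example, 203.0.113.7) are constructed for the example.

```python
"""Flag HTML links whose visible text names one host while the href points elsewhere.

Added example, not code from the original column. The sample message and every
hostname in it (mybank.example, evil-host.example, 203.0.113.7) are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing mail in the style described in the text: the visible
# link text shows the bank's real address while the href goes elsewhere.
SAMPLE_PHISH = """<html><body>
<p>Dear MyBank customer,</p>
<p>Your account will be suspended unless you verify it within 24 hours at
<a href="http://203.0.113.7/mybank/login">https://www.mybank.example/login</a>.</p>
<p>Questions? Visit <a href="https://www.mybank.example/help">our help centre</a>.</p>
<p>Or log in at <a href="http://mybank.example.evil-host.example/">www.mybank.example</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a ...>...</a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lower-cased hostname of a URL, or of bare text such as 'www.bank.example'."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s          # urlparse needs a scheme to find the netloc
    host = urlparse(s).hostname
    return host.lower() if host else None


def text_looks_like_url(text):
    """Only link text that itself shows an address can contradict the href."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


def same_site(shown, actual):
    """True if the hosts match, allowing a subdomain on either side
    (www.mybank.example vs mybank.example). mybank.example.evil-host.example
    is NOT a subdomain of mybank.example, so it is correctly rejected."""
    return (shown == actual
            or actual.endswith("." + shown)
            or shown.endswith("." + actual))


def find_deceptive_links(html):
    """Return [(visible_text, href)] for links whose shown host != real host."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not text_looks_like_url(text):
            continue                # "click here" text: nothing to compare against
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not same_site(shown, actual):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_PHISH):
        print(f"shows {text!r} but goes to {href!r}")
```

Run on the sample, the two disguised links are reported and the 'our help centre' link is left alone, since plain descriptive text makes no claim about its destination. Note what the check does not do: a link whose text says 'click here' and whose href points at an attacker's site is not caught, so this is one indicator to combine with others (sender address, addressing of the recipient), not a complete phishing filter.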
Once the phisher has got the reader's attention, with the threat of losing access to a bank account or a similar trick, the recipient clicks on the link and is taken to a website designed to look as much as possible like the real bank website the user is expecting to see. Sometimes there will simply be a login page, where the victim enters the username and password that would be used to access the real site; in other cases there may be more elaborate forms that capture the victim's address, telephone numbers, email address, bank account details and often credit card numbers. Once the victim has filled out the form, they may receive a 'login failed' message, or, in more sophisticated cases, the site passes the victim through to the real bank's site and immediately logs them in. This method has the added advantage to the attacker that he can check the details are correct. In fact, in some phishes the only purpose of the redirection through a malicious site is to insert malicious JavaScript into the real bank page; that script captures the details the victim enters and sends them back to the attacker, an activity almost entirely transparent to the user.
Once the attacker has collected the victim's details, they can be used in a number of ways. The attacker can of course use them himself and transfer funds out of the victim's account, but this carries a fairly high risk, as the transfers can be tracked. More usual is that the details are sold to a third party who specialises in money laundering; this is particularly so for captured credit card details. At that point the initial phisher has his money and is out of the game, but the victim's pain is just starting. Typically the system works through so-called 'mules', who allow their bank accounts to be used for transferring money: small amounts are removed from the victim's account to many mule accounts, and the mules are later instructed to transfer the money on to further accounts, which may be more mule accounts or the criminals' own. In the case of stolen credit cards, legitimate goods are sometimes purchased from internet commerce sites and delivered to various mules (who can be in any country). Those goods (frequently software packages) are then advertised for sale by spam runs, or sold on auction sites, and the money is laundered that way, each mule taking a small percentage.
There are no official figures for the true amounts lost to this sort of phishing fraud each year, but it is certainly in the tens of millions of dollars.
Preventive Measures
Phishing works because it provokes a 'fear' response, which is known to prompt action; taking advantage of this and other normal human responses (such as people's willingness to help others) is called social engineering. So the first and best defence against phishing is not to allow the fear response to be provoked in the first place, and to think before you act. This sounds like obvious advice, but the fact that phishing is so phenomenally successful shows that many people simply don't think about their response. The most obvious things to check are, firstly, am I actually a customer of this bank, and secondly, is the mail correctly addressed to me? After all, my bank knows my name, and if there really is a problem with my account I expect them to have the courtesy to address me correctly. Of course, these are not cast-iron guarantees that you won't be phished: 'spear-phishing' is much more narrowly targeted at particular individuals or companies and may well get your name right, and in any case your name could simply have been guessed from your email address.
Here is my list of the top-five tips to help you avoid being phished:
- Don't react immediately. Think first, take a good look, think again, and then again, before you act, and then do the following.
- Check the addressing is correct. Is the mail sent to you personally and does it identify you correctly? Does it use the email address that you use for your own banking? I suggest creating an email address specifically for your internet banking, and never using that address anywhere else; that way you can be fairly sure when something is really from your bank.
- If you're worried, and you want to check your account, always go directly to the website of the bank; don't click through to the site on a link in an email. Open a new browser window, type in the URL of your bank yourself, and go through the login in your normal way; this avoids being redirected through a malicious site.
- Banks should never, ever ask you for personal information like your password or credit card details in email, so don't ever give out such information by email. If you find out your bank has done this, then complain to your bank, or better still, find a new bank.
- Use the telephone or visit the branch. Banks provide telephone numbers for customer service if they are internet based, and many have street branches where you can go and speak to someone about your account. Nearly all phishing scams would be avoided if the victim just picked up the telephone and checked with the bank that all is well with the account. Banks also lose a lot of money from frauds like phishing, so they will usually be delighted to have you check with them. Most banks also have an email address to which you can forward suspicious emails that you think may be phishing attacks.
—By: Andrew Lee
Chief Technology Officer
K7 Computing Limited.