The Evolution of Cyber Fraud Techniques: Phishing and Pharming
Phishing and pharming dominated the cyber fraud scene until quite recently, and each remains a formidable threat.
Phishing is not directed only against consumers anymore. Reports from iDefense underground intelligence sources indicate that the administrative logins for a major e-commerce site were leaked through phishing e-mails sent to help desk personnel. In a typical phishing operation (see Figure 2.19), perpetrators use a variety of tactics to obscure the fraudulent Web site’s URL, making it appear to be that of the legitimate company. Sometimes this is as simple as hosting the fraudulent Web site at a similar-sounding address (for example, COMPANYNAME-info.com). Other attacks incorporate more sophisticated technical methods to prevent the real URL from being displayed. Despite their technical sophistication, e-mails used in many phishing attacks contain poor English, which has led many analysts to believe that most phishers either live in non-English-speaking countries or are American teenagers with poor writing skills.
Figure 2.19 The phishing process. (From Anti-Phishing Working Group, www.apwg.com.)
There are several different theories regarding the origin of the word “phishing.” Some analysts believe the term is an acronym for “password harvesting fishing,” and others believe it is simply a “hacker spelling” of the word “fishing” or homage to “phreaking” (that is, the 1980s term for attempting to illegally gain access to telephone networks).
The Development of Phishing Techniques
The HoneyNet Project and Research Alliance, a nonprofit group “dedicated to improving the security of the Internet by providing cutting-edge research for free” (www.honeynet.org), recently published a white paper entitled “Know Your Enemy: Phishing” that provides a detailed guide to the mechanics of present-day phishing attacks. The paper is available at http://www.honeynet.org/papers/phishing/ and details a number of “cutting-edge” phishing tactics, including the following:
Mass Scanning: According to the report, more systems are being compromised by automated tools typically referred to as “autorooters.” Autorooters scan Internet Protocol (IP) address ranges searching for vulnerable systems to exploit. HoneyNet claims that some of the autorooters it identified were not publicly available software programs, which, according to the group, indicates that malicious actors are increasingly acquiring more technical knowledge.*
Phishing through Port Redirection: Rather than hosting the phishing content itself, the targeted server runs a port-redirection service that forwards visitors to another server hosting the malicious content, in an attempt to make the phishing attack more difficult to trace.
Phishing Using Botnets: Networks of computers “hijacked” by malicious code (a.k.a. botnets) have long been used to perform denial of service (DoS) attacks and send commercial spam messages. The HoneyNet Project claims that botnets are also used to distribute phishing e-mails, although this is less common than the other two types of attacks. As with spamming attacks, botnets distributing phishing e-mails involve malicious code that incorporates a SOCKS proxy, which is used to send e-mail from the infected computer. Obviously, the larger the botnet is, the more e-mails can be sent.
Combination Attacks: HoneyNet also claims that many attackers are using a combination of methods in their attacks. For example, an attack could operate via a hijacked server, incorporate port-redirection functionality that redirects users to the malicious Web site, and use a botnet to send e-mails designed to lure recipients to the fraudulent Web site.†
In addition to the tactics mentioned above, phishers go to great lengths to obfuscate the fraudulent character of their pages. Among the most common methods developed over the past three years are the following:
Spoofed E-Mail Addresses: Phishers use a variety of techniques and shareware tools so that the phishing e-mail appears legitimate (for example, customerservice@TARGETEDCOMPANY.com).
Similar-Sounding URLs: In this case, the fraudulent Web site has a URL that sounds similar to that of the targeted company (for example, www.searss.com, www.discovercardaccountinfo.com). This was initially a very common practice but is falling out of favor due to increasing user sophistication and increased efforts by companies to purchase such domain names. A more sophisticated version is a “homograph attack” in which the phishing Web site incorporates nonstandard characters, such as a Cyrillic character that resembles the letter “A,” to generate a malicious URL that looks identical to the legitimate URL.
Phishing Using Only an IP Address: Rather than a URL, the Web site is identified by an IP address. This could confuse nontechnical users, who might trust a Web site identified by a string of numbers more than a Web site with a suspicious-sounding URL.
Pop-Up Windows: When using pop-up windows, phishers direct victims to a Web site that opens the legitimate bank’s Web site with a fraudulent pop-up window over it. This pop-up window contains the fields for entering the user’s login and password.
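The homograph and similar-sounding-URL tactics above can be checked for on the defending side. The following Python is an added example (not from the book or any of the groups it cites): it decodes punycode labels, flags labels that mix scripts, and maps a constructed, non-exhaustive table of Cyrillic and Greek look-alike letters back to Latin to see whether a host name resolves to a watched brand name; the brand list and thresholds are assumptions for illustration.

```python
"""Flag look-alike ("homograph") host names such as Cyrillic letters standing in for Latin ones."""
import unicodedata

# Constructed table of non-Latin letters that render like Latin ones (assumption: not exhaustive).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a",
}

def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so the glyphs a user actually sees can be inspected."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def scripts(label: str) -> set:
    """Unicode scripts used by the letters of one DNS label (from the character names)."""
    return {unicodedata.name(ch, "OTHER").split()[0] for ch in label if ch.isalpha()}

def skeleton(host: str) -> str:
    """Replace confusable letters by the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def analyze(host: str, brands=("apple.com", "paypal.com")) -> dict:
    """Report whether a host name looks like a homograph of one of the watched brands.

    Two variants are covered: a label mixing scripts (Cyrillic "a" + Latin "pple") and a label
    written entirely in another script whose glyphs still spell the brand name.
    """
    shown = to_unicode(host.lower())
    mixed = [label for label in shown.split(".") if len(scripts(label)) > 1]
    non_ascii = not shown.isascii()
    looks_like = skeleton(shown)
    return {
        "displayed": shown,
        "non_ascii": non_ascii,
        "mixed_script_labels": mixed,
        "impersonates": looks_like if non_ascii and looks_like in brands else None,
        "suspicious": non_ascii and (bool(mixed) or looks_like in brands),
    }
```

A plain-Latin typo-squat such as the book's www.searss.com is deliberately not flagged here; that class needs a string-distance check rather than a script check.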
Fast-Flux Phishing Sites: Too Fast for Traditional Solutions
The most recent development in phishing is the “fast-flux” hosting technique. This is the phisher’s ultimate weapon: sites are hosted dynamically on servers at present, but eventually phishers will also host them dynamically on botnets. Because phishing pages rarely last for more than a few days, and usually not more than a few hours, it is risky to host too many sites in succession on the same server. With the fast-flux method, it is presently impossible to know where the sites will sit next.
In a majority of phishing cases, published WHOIS data on the domain name involved has been a valuable part of the takedown process. For cases where legitimate machines or services have been hacked or defrauded, published WHOIS information with open, accurate contact data is an important tool used to quickly locate and communicate with site owners and their service providers via e-mail, phone, and fax.
For cases where domain names are fraudulently registered as part of the phishing scheme, the published WHOIS information can often be tied to other bogus registrations, especially via e-mail accounts, and even directly to the victims of prior identity theft through name, address, and phone numbers. This allows responsible registrars to take action on domains that are part of current or future phishing scams.
In all, more than 80 percent of phishing site takedowns involve using the domain name WHOIS system to find a contact for assistance via e-mail, phone, or fax, or to prove the registration to be fraudulent through any or all portions of the available information. IP WHOIS databases are also quite useful in performing shutdowns. However, recent trends in phishing sites that use fraudulent domains tied to “fast-flux” Domain Name Systems (DNSs) to rotate the phishing site around large “botnets” (sometimes these botnets can have tens or hundreds of thousands of compromised and remotely controlled computers throughout the world) have created a difficult problem. A phishing site can be moved to hundreds of different servers around the world, so the only way to effect an actual takedown of such a phishing site is to get the fraudulent domain suspended and removed from the DNS.
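Because a fast-flux domain rotates its A records across a botnet, the rotation itself is observable from the resolver side. The following Python is an added example (not from the book): it aggregates repeated lookups of a host name and flags names whose answers combine short TTLs with a large, constantly changing pool of addresses. The observations are constructed from documentation address ranges, and the TTL, pool-size and churn thresholds are assumptions for illustration.

```python
"""Heuristic fast-flux detection over repeated A-record lookups (constructed sample data)."""
import ipaddress
from collections import defaultdict

# Constructed observations: (seconds since start, hostname, TTL, A records returned).
OBSERVATIONS = [
    (0,   "login-update.example", 180,  ["203.0.113.10", "198.51.100.7", "192.0.2.55"]),
    (300, "login-update.example", 180,  ["203.0.113.200", "198.51.100.99", "192.0.2.3"]),
    (600, "login-update.example", 180,  ["203.0.113.4", "198.51.100.15", "192.0.2.170"]),
    (0,   "www.bank.example",     3600, ["198.51.100.20", "198.51.100.21"]),
    (300, "www.bank.example",     3600, ["198.51.100.20", "198.51.100.21"]),
    (600, "www.bank.example",     3600, ["198.51.100.20", "198.51.100.21"]),
]

TTL_MAX = 300          # assumption: flux names keep TTLs short so the rotation takes effect quickly
MIN_DISTINCT_IPS = 6   # assumption: few legitimate sites answer with this many hosts in ten minutes
MIN_CHURN = 0.5        # assumption: share of answers that were addresses never seen for this name

def summarize(observations):
    """Aggregate every lookup of a name into the features the heuristic needs."""
    per_host = defaultdict(lambda: {"answers": 0, "ips": set(), "nets": set(), "min_ttl": None})
    for _, host, ttl, ips in observations:
        s = per_host[host]
        s["answers"] += len(ips)
        s["ips"].update(ips)
        # Count distinct /16 prefixes as a rough proxy for how spread out the hosting is.
        s["nets"].update(str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return per_host

def fast_flux_candidates(observations):
    """Return {host: features} for names whose answers look like a rotating pool of hosts."""
    flagged = {}
    for host, s in summarize(observations).items():
        churn = len(s["ips"]) / s["answers"] if s["answers"] else 0.0
        if s["min_ttl"] <= TTL_MAX and len(s["ips"]) >= MIN_DISTINCT_IPS and churn >= MIN_CHURN:
            flagged[host] = {"distinct_ips": len(s["ips"]), "networks": len(s["nets"]),
                             "min_ttl": s["min_ttl"], "churn": round(churn, 2)}
    return flagged

if __name__ == "__main__":
    for host, features in fast_flux_candidates(OBSERVATIONS).items():
        print(host, features)
```

A hit is a lead for the takedown path the text describes (domain suspension rather than server-by-server shutdown), not proof on its own: content delivery networks also answer with short TTLs and rotating pools, so the flagged name still needs the WHOIS and content checks above.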
* David Watson, Thorsten Holz, and Sven Mueller, Know Your Enemy: Phishing (white paper, Naperville, IL: The Honeynet Project and Research Alliance), http://www.honeynet.org/papers/phishing/.
From: James Graham et al., Cyber Fraud: Tactics, Techniques and Procedures, New York: Auerbach Publications, 2009