The Ocean Is Full of Phish
It was only a little more than a decade ago when "the Internet" was not part of most individual's daily vocabulary. Today, the use of the Internet, e-mail, and text messaging is ubiquitous throughout coffee shops, cities, cell phone communications, and the workplace. This medium, despite the lack of inherent security at the network level, has become "trusted" by many to perform daily personal and business operations. As with everything that is "trusted" in our society, a criminal element is also invited to the party to penetrate that trust for personal satisfaction or financial gain. Enter the latest lucrative criminal element poised to diminish the trust that companies have built up-phishing.
Wikipedia defines phishing as "a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication." The Anti-Phishing Working Group (APWG) defines phishing as a form of identity theft that employs both social engineering and technical subterfuge to steal consumer's personal identity data and financial account credentials. They further define technical subterfuge as "a scheme to plant crimeware onto PCs to steal credentials directly, often using key logging systems to intercept consumers' online account user names and passwords, and to corrupt local and remote navigational infrastructures to misdirect consumers to counterfeit Web sites and to authentic Web sites through phisher-controlled proxies that can be used to monitor and intercept consumers' keystrokes."
The term "phishing" was first mentioned in the America Online (AOL) Usenet newsgroup in January 1996 and may have been used in the earlier hacker "2600" newsletter. Phishing is a variant of the word "fishing," describing the use of sophisticated techniques to "fish" for financial information by casting lures into the mouths of unsuspecting users. AOL was a large target, and many passwords, known as "phish," to AOL accounts were obtained by phishing and subsequently traded for other pieces of stolen software, such as games and copyrighted software.
Companies work very hard to protect their brand and establish trust in the presence of their brand with the consumer. When an individual goes to a McDonald's for example, he expects to get a consistent level of service and product and pay a price similar to that of their last experience. The transactional trust, which is built over time, causes people to have faith in obtaining products from the company. The cleanliness and safe handling of the hamburger, fries, equipment, etc., are also expected to be the same each time the consumer visits the store. All of these thoughts come to the surface when the "Golden Arches" brand is presented, and people's trust in future purchases is based upon their last interaction with the brand.
Similarly, many banks have established trust over time with consumers to protect their funds and offer online banking services. When notices appear to come from the bank, complete with its logo, the individual perception of trusting the message is based upon the last interaction with the bank. Criminal phishing activity disrupts the trust model by masquerading as the "trusted brand" to gain the consumer's confidence. Consumers are left confused in many cases as to whom they should trust. This creates a very difficult problem for companies to educate the workforce as to what is and what is not a phishing attempt.
The following sections describe how to identify phishing attempts, methods used to deliver phishing by the attackers, attack methods, and approaches being used to minimize the threat.
Evolution of Phishing
Originally, phishing attempts obtained passwords by tricking users into supplying the passwords in response to an e-mail request. Although this method is still prevalent today, with firms such as the major banks, eBay, and PayPal being among the largest targets, more complex and creative methods have been developed to attempt to fool the end user. These include such methods as directing users to fake Web sites that appear as if they are issued by the same company (i.e., eBay, Chase, U.S. Bank), man-in-the-middle proxies to capture data, Trojan-horse keyloggers, and screen captures. Early attempts utilized requests from individuals posing as AOL support staff asking the subscriber to "verify your account" or "confirm billing information." This resulted in AOL issuing the first statements that "no one from AOL will ask for your password or billing information." Now, these statements are prevalent across banks, online payment services, and organizations providing E-commerce activity. E-mails have been made to look like they were coming from the Internal Revenue Service (IRS) to obtain tax information to be used in identity theft criminal activities. There is typically an increase in fake IRS e-mails around April 15 filing deadline, as consumers are more vulnerable due to the short time left to file taxes. Fake job sites have been erected to entice individuals to reveal personal information. MySpace was the subject of a worm in 2006 to direct users to different Web sites to obtain their log-in credentials.
Today's Phishing Activity
Phishing activity has been increasing dramatically over the past few years. The APWG identifies itself as "an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and e-mail spoofing." For the past several years they have been tracking trends in phishing activity.
Unique phishing attacks are defined by the APWG as unique Uniform Resource Locators (URLs) of the Web sites that the users are directed to. In January 2004, they tracked 176.
Just nine months later, in October 2004, the number had risen to 1142, and by October
2005 the number was 3367. An explosion of phishing Web sites subsequently occurred, with 27,221 unique sites in January 2007.
The AWPG defines a phishing report as the instance of a unique e-mail sent to multiple users, directing them to a specific phishing Web site. The number of e-mails increased substantially, from 6957 in October 2004 to 15,820 in October 2005 and 29,930 in January 2007. The number of brands attacked is also increasing, with 28 brands attacked in November 2003, 44 brands in October 2004, 96 brands in October 2005, and 135 brands attacked in January 2007.
The average time for a phishing site to be online has been steadily decreasing, making it difficult to identify and deal with the spoofed sites in a timely manner. The average time online was five and a half days in October 2005, compared with four days in January 2007. The longest time online for a site was 30 days. Almost 97 percent of the ports used at the Web sites were port 80, with the other 3 percent made up of ports 84, 82, 81, and other ports.
The United States leads as the country hosting the most phishing sites, with 24.27 percent. The other top countries are China (17.23 percent), Republic of Korea (11 percent), and Canada, with 4.05 percent. These statistics point out that this is a growing activity and increasingly used as a criminal activity to open an account, make an unauthorized transaction, obtain log-in credentials, or perform some other kind of identity theft.
A First Data survey in 2005 revealed that over 60 percent of online users had inadvertently visited a spoofed site. A Consumer Reports survey indicated that 30 percent of users had reduced their overall use of the Internet and 25 percent had discontinued online shopping. Where once there was trust in the major brands, as indicated earlier, this trust is eroding with respect to online transactions, in large part due to a lack of trust in Web sites and fear of identity theft.
Phishing Delivery Mechanisms
Simple Mail Transfer Protocol (SMTP) is the primary avenue of vulnerability exploitation by phishers due to failures within the protocol. In addition to the e-mail communication channel, other methods such as Web pages, messaging services, and Internet Relay Chat (IRC) are increasingly being used to extract personal information. As vulnerabilities are plugged within SMTP over time, other methods of exploitation will emerge, because of the lucrative financial opportunity presented by phishing. Therefore, it is critical that organizations take a proactive stance to reduce consumer fears that their information may be compromised. Organizations whose primary livelihood depends upon the Internet for E-commerce and large banking institutions have been implementing proactive education for consumers and implementing tighter controls for the past several years. Obviously, with the increasing number of phishing attempts previously noted, the breadth of organizations being phished and the type of delivery are expanding.
E-Mail and Spam Delivery Method
This is the most common method of delivery, by which the end user is tricked into clicking on a link or an attachment. The e-mails are meant to look legitimate, complete with the logos of the company and an official looking e-mail address in the "Mail From:" field of the e-mail.
Flaws in SMTP permit the "From" address to be spoofed, and the phisher may also put an address in the "RCPT To:" field to direct any responses to the spoofer. When the recipients of the e-mail click on the link included in the e-mail, they are directed to a fraudulent Web site set up by the phisher. Personal information is collected at the Web site to be used in further the criminal activity.
These e-mails look official and use language to sound like they could come from the company. In fact, the e-mail may be a replica of a similar notice from the organization. There is usually a sense of urgency stated in the e-mail request for a quick response to the e-mail. Some of the e-mails are Hypertext Markup Language (HTML) based to hide the target URL information using different color schemes and substituting letters, such as an I for an L, to direct the user to different sites. These e-mails are often constructed in an attempt to defeat the antispam filters by inserting random words in a color to match the background of the e-mail so that they would not appear to the end user. Open e-mail relays are also utilized to hide the real source of the e-mail. The URL may point to a different Web site through the use of an escape coded into the HTML. Nonstandard ports specified in the URL may be clues that the phisher's Web site is being hosted on a personal computer (PC) exploited by the hacker earlier.
Although most of the attacks have been through random e-mails sent to people that may or may not have a relationship with the company, some phishers are getting smarter and are performing spear-phishing, which is targeted phishing. In the case of spear-phishing, a group is targeted for their relationship. For example, employee names listed in a Web site directory may be sent a notice from the company's health insurance company or credit union or another firm known to provide services for the company. Additionally, as companies become larger in size and have millions of customers, there is a greater chance that their Web sites contain more information about their organizations in the name of customer service, as well as a greater likelihood that even a random e-mail will connect with someone who has a relationship with the organization.
Web-Based Delivery Method
Web sites are constructed to contain HTML links that are disguised such as in the e-mail scenarios noted earlier. Fake advertising banners with different URLs may be posted to legitimate Web sites, directing traffic to the phisher's Web site. Malicious content embedded within the Web site may then exploit a known vulnerability within the user's browser software and then be used to install a keylogger (monitors keystrokes), screen-grabber (monitors portions of the user's input screen), backdoor (to gain control of the computer for later remote or botnet access), or other Trojan program. Keyloggers may be coded to intercept specific credential information, such as the log-in information for certain banks. Phishers may establish an online account, use a fake banner pointing to a fake Web site, all with a stolen credit card and other bank information obtained to cover their tracks.
IRC and Instant Messaging Delivery Method
Communication in the instant messaging area makes it possible for the end user to fall victim to the same techniques used in other delivery methods. Embedded dynamic content is permitted in these clients, which can also point to other links that would point to fictitious Web sites.
Trojaned Host Delivery Method
PCs that have been previously compromised may act as a delivery mechanism for sending out phishing e-mails, which makes tracking the originators of the phishing scams very difficult. Although antivirus software can help with the reduction of the risk of Trojans, it is becoming increasingly difficult. Home users are often tricked into installing software as an upgrade that provides the ability for the PC to be controlled at a later date.
Man in the Middle
In this type of attack, the attackers insert themselves in between the consumer and the real application, capturing the credentials along the way. The end user may have a false sense of security by relying on the HTTPs, as the man-in-the-middle attack could set up a secure communication path between the hacker's server and the customer and subsequently pass the information to the real Web site. While the phisher remains in the middle, all transactions can be monitored. This can be accomplished by multiple methods, including transparent proxies, Domain Name System (DNS) compromises, URL obfuscation, and changing the browser proxy configuration. Transparent proxies reside on the network segment on the way to the real Web site, such as a corporate gateway or an intermediary Internet Service Provider (ISP). Outbound traffic can then be forced through the proxies, which would deliver the information back to the consumer unnoticed. DNS caches can also be poisoned to point certain domain names to different Internet Protocol (IP) addresses controlled by the phisher. The cache within a network firewall could redirect the packets bound for the real Web site to that of the attackers. The DNS server itself could also be compromised, as well as the local host's file on the user's PC ahead of receipt of the phishing e-mail. The browser proxy can also be overridden to proxy the traffic for, say, the HTTP port, to a proxy server. This involves changes on the client side and may be noticed by the end user by reviewing the setup. Many users, however, would not be actively looking at those controls and there is a high likelihood that the controls would be named something that would sound technical, making noticing them difficult.
Man-in-the-middle attacks are particularly troublesome, as the end users think they are interacting with a trusted entity when executing transactions with a trusted bank, online shopping storefront, or service provider; meanwhile, their identity is being captured for later exploitation.
URL Obfuscation Attacks
URL obfuscation involves minor changes to the URL and directing the consumer to a different Web site. There are multiple techniques for changing the URL to make it appear as though the user is being directed to a normal Web site.
The first technique leverages bad domain names to appear like the real host, although in reality these are domain names that are registered by the phisher. For example, a firm with the name Mybrokerage.com may have a transaction site named http://onlinetrading.mybrokerage.com. The phisher could set up a fraudulent server using one of the following names:
In the foregoing examples, the name was varied, extensions were added, words were misspelled, or different character sets were used. To the average user, the URL looks like a valid site.
There are also third-party services that shorten URLs to make entry easier. These sites map other URLs to their shorter ones to make entry by the user easier. These sites can also be utilized by phishers to hide the real site.
Friendly log-in URLs are another method by which the user can be deceived. URLs can include authentication information, in the format of URL://username:password@hostname/path. To trick the end user, information would be placed in the username and password fields to resemble the company Web site while directing the user to the host-name Web site, which is managed by the phisher. In the preceding example, the URL may look like http://mybrokerage.com:firstname.lastname@example.org/fagephisherpage.htm. Several browsers have dropped support of this method of authentication due to the success it has had in the past with phishers.
The host name can also be obfuscated by replacing it with the IP address of the fraudulent Web site. Another technique is the use of alternate character set support, which is supported by many browsers and e-mail clients. Escape encoding, Unicode encoding, inappropriate UTF-8 (8-bit UCS/Unicode Transformation Format or variable length encoding for unicode) encoding, and multiple encoding are all techniques for representing the characters in different ways.
Cross-site scripting attacks are another method by which the attacker can utilize poorly written company Web site code to insert an arbitrary URL in the returned page. Instead of returning the expected page for the application, the attacker returns a page that is under the control of their external server.
Preset session attacks make use of a preset session ID, which is delivered in the phishing e-mail. The attacker then polls the server continuously, failing as the session ID is not valid. When the end user authenticates using the session ID, the application Web server will allow any connection using the session ID to access the restricted content, including the attempts by the attacker.
Each of these methods for obfuscation can be combined with others, making it even more difficult to identify when the URL is being used to direct traffic to a fraudulent Web site.
Educating consumers about the dangers of phishing is a delicate balance. On the one hand, consumers need to be vigilant in not responding to e-mails with links to sites requesting their personal information; on the other hand, consumers should not be afraid to participate in online commerce and use e-mail wisely. Many banking and E-commerce sites have included information on phishing on their Web sites in an effort to reduce the risks. According to the National Consumers League Anti-Phishing Retreat conducted in 2006, there should be more consumer education, possibly included with new PCs, and ISP-supported pop-ups to warn users of risky URLs. They also proposed that technical staff should be made better aware of the legal and law enforcement sides of the issue, as well as law enforcement and legal staff s understanding the technical side.
Phishing has become so prevalent that the Federal Trade Commission (FTC) issued a consumer alert in late 2006 advising consumers how not to get hooked by a phishing scam. The key points from the FTC included the following:
- If you get an e-mail or pop-up message that asks for personal or fi nancial information, do not reply. And do not click on the link in the message, either.
- Area codes can mislead (and may not be in your area due to Voice-over-IP technology).
- Use antivirus and antispyware software, as well as a firewall, and update them all.
- Do not e-mail personal or financial information.
- Review credit card and bank account statements as soon as you receive them.
- Be cautious about opening any attachment or downloading any file from e-mails.
- Forward spam that is phishing for information to email@example.com and to the bank or company that was impersonated with the e-mail.
- If you believe you have been scammed, file a complaint at www.ftc.gov.
Technical Approaches to the Problem
Educating consumers is one avenue to combat the growing problem; however, the entire burden cannot be on the consumer. Several technical approaches are in process to address the issue.
Inbound Spam Filters
The most common method of assisting the end user is to restrict the e-mail that is coming in through the ISP or the organization through anti-phishing or antispam filters. These filters utilize IP address blacklists, Bayesian content filters (examining the semantic differences between legitimate messages and spam messages), heuristics (examining the ways that the URL may be incorporating the names of the institution), and URL list filtering. Each of these techniques needs to be consistently evaluated to determine the success rate, as the hosts are constantly changing, as are the URL specifications.
Protect the Desktop
Implementation and maintaining currency of antivirus protection, spyware detection, antispam filtering, and personal firewalls or intrusion detection systems are essential in protecting the desktop from unwanted changes. Products by the major desktop security vendors typically support one or more of these functions. Specifically, the desktop software must be able to block attempts to install malicious software; identify and quarantine spam; update the latest antivirus, antispam, and antispyware signatures and apply from the Internet; block unauthorized outbound connections from installed software; identify anomalies in network traffic; and block outbound connections to suspected fraudulent sites.
Although multiple products provide a defense-in-depth strategy for the desktop, they can also become quite expensive and complex for the typical end user. There is usually a subscription fee after the initial implementation and a reliance on the end user to renew the subscription. In organizations, the desktops are managed and this is not a consideration for internal users; however, with trust in the organization resting with the end-user experience, these costs and approaches must be understood.
Removal of HTML E-Mail
Plain-text e-mail communications could be utilized to reduce the ability to hide the actual URL the user is directed to in the e-mail. These e-mails would not look nice; however, the security would be improved.
Enhancements have been placed into the browser software to check against a list of known phishing sites. Microsoft's Internet Explorer version 7 browser and Mozilla Firefox 2.0 contain this functionality. Users can also take further actions such as disabling window pop-up functionality, Java runtime support, ActiveX support, and multimedia and autoplay or autoexecute extensions and preventing storage of nonsecure cookies. However, these actions may increase security, but may degrade the online experience for the end user as well. Other approaches permit the user to create a label for a Web site that they recognize, so they have a reliable method of returning to the Web site (Firefox petname extension).
Stronger Password Log-Ons
Several banking Web sites have implemented the showing of a user-selected image (animal, scenery, hobby) prior to the entry of the password. In the event the end user does not recognize the image, they are not to provide the password. This is an attempt to assure the end user, by presenting them with the image they selected, that they are on the correct Web site. The phisher would not have knowledge of the appropriate image to show the consumer.
Stronger authentication may be necessary to positively identify the users to the real Web site, so that retrieval of the username or password information has limited value. Some of these solutions can be expensive, such as issuing two-factor authentication tokens to millions of consumers for an organization. This approach introduces added complexities by the fact that individuals have relationships with multiple organizations and would potentially be carrying multiple devices.
There is no silver bullet to resolve the phishing criminal activity. There is much financial gain to be made without needing to use physical force, making this an attractive option for criminals. There are multiple known delivery methods, attack vectors, and solutions to help minimize the risk. Organizations must be vigilant in their education of internal and external customers, the design of secure software, the maintenance of appropriate patch levels, and providing a phishing reporting and remediation capability and must remain continuously aware of the techniques and threats related to this type of attack. As consumer confidence decreases through personal experiences of identity theft, excessive e-mails impersonating the company, or a perceived lack of attention to the issue, they will stop doing business with the organization. The ocean is full of phish; some bite, some do not, but it only takes a few to take the bait to disrupt the ecology. Our organizations must educate and implement the technical approaches necessary to protect the ecology of our business.
Information Security Management Handbook, Sixth Edition, Volume 2, by Harold F. Tipton and Micki Krause (Editors). New York: Auerbach Publications, 2008.