Web Phishing

You receive an e-mail from your credit card company informing you that your account has been deactivated because of suspicious activity. The message requests you to click a web link and log in to verify your account information. Following the instructions, you are directed to what appears to be the “Online Update” page of your credit card company. Here you are asked to enter your name, password, account number, social security number, and PIN. It all seems legitimate: the logos look proper, the web address of the page looks convincing, and the format of the site is the same as you remember. However, this is a scam; the e-mail is a fraud, and now a cyber-criminal has your personal information. He or she can now use or change your account or open new accounts in your name. You have become a victim of a growing crime called phishing. Every day millions of e-mails are sent around the globe, millions of web pages are accessed to gather information, and millions of people use online sites to transact business. We strive to trust the systems that are in place to deliver our e-mail messages and to route us to the proper web servers. We want to believe that e-mail is from “reputable” sources, and we are keen to assume the web sites we visit are legitimate. Unfortunately, a growing number of cyber-thieves are using these same systems to manipulate us and steal our private information; they take advantage of people’s trusting nature, or, in some cases, their naivete.

Explanation of the attack

Phishing, also known as “brand spoofing” or “carding”, is a term used to describe various scams that use (primarily) fraudulent e-mail messages, sent by criminals, to trick you into divulging personal information. The criminals use this information to steal your identity, rob your bank account, or take over your computer. Counterfeit web sites, using “hijacked” company brands and logos, are created to lure you into revealing information you would not want to be public knowledge. These digital thugs are “phishing” for any data they can obtain to prey on people and further their criminal activities.

The concept of phishing has actually been around for years. The term “phishing” was first used by hackers to describe stealing America Online® (AOL) accounts by acquiring usernames and passwords. With the ubiquitous spread of e-mail and internet access, the potential for criminals to take advantage of the technology has increased considerably in the last few years, with an almost exponential increase in incidents since 2003, according to many organizations that are trying to track this trend. Flaws in e-mail protocols, security weaknesses in browser software, a basic lack of computer security education, and continuing susceptibility to social engineering attacks all contribute to the increase in incidents, as criminals are able to exploit these weaknesses to their advantage.

Threats from phishing

One of the primary threats from phishing is identity theft. Consumers go to great lengths to protect their personal information, but a single breach of security can expose a person to a multitude of threats, including credit card fraud, damaged credit, having an identity used for criminal activity, stolen bank information, unauthorized use of accounts (online and otherwise), or stolen money. There are also intangible threats, such as damage to credibility, loss of trust, or embarrassment; having personal information stolen can cost a great deal more than lost cash. According to The Identity Theft Resource Center, the average time spent repairing the damage caused by a stolen identity is approximately 600 hours, and it can take years to recover completely. For consumers, this can equal lost salary, lost time, frustration, stress, and embarrassment, not to mention a sense of being violated.

Methods

To understand how phishing works and why it is so easy to perpetrate, a bit of technical background regarding the protocols, technology, and tactics behind the schemes may be helpful. The following are some of the main elements related to phishing attacks:

Simple Mail Transfer Protocol (SMTP)

SMTP is the protocol used to transmit e-mail over the Internet. It was originally described in a Request for Comments (RFC) by Dr. Jonathan Postel in 1982 (RFC 821). According to the RFC, “the objective of Simple Mail Transfer Protocol (SMTP) is to transfer mail reliably and efficiently.” Notice that it doesn’t include “securely” in that statement. SMTP has no built-in security measures to confirm who is sending an e-mail. All it does is communicate with an SMTP server on the receiving side, in essence telling the other system “who” it is, who the e-mail is from (sender), and who the e-mail is destined for (recipient). There is no guarantee that the sender of the e-mail is legitimate or that the sender’s address is not fake. The sending SMTP server issues a MAIL command to the receiving SMTP server; this MAIL command indicates the sender of the e-mail. The receiving server replies if it is able to receive mail and if a user with the specified address is a user on that system. The sending server then transmits an RCPT command to identify the recipient of the e-mail. The two systems negotiate back and forth until the message is delivered, at which time the transmission is complete and the servers say “ok” and “goodbye”, so to speak. Nowhere is there any validation to confirm the sender of the message. Researchers are working to make e-mail protocols more secure; however, for the near future, this is what we have to work with.
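The dialog above, as an added example that is not part of the original article: a toy SMTP receiver that accepts any MAIL FROM address unchecked, and the one defender-side check that the exchange leaves room for, comparing the envelope sender recorded in Return-Path against the From header. Host names, mailbox names and message contents are constructed.

```python
# Added example, not the article's code: a toy SMTP receiver modelled on the dialog above.
import re

LOCAL_USERS = {"alice@example.net"}   # constructed: the one mailbox this receiver hosts

class ToySmtpServer:
    """Handles HELO, MAIL, RCPT and QUIT; DATA is reduced to deliver()."""
    def __init__(self):
        self.envelope_from, self.recipients = None, []
    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 toy.example.net"
        if verb == "MAIL":
            # MAIL FROM:<address>. Nothing here verifies that the connecting host
            # may use this address; any string the sender supplies is accepted.
            self.envelope_from = arg.partition(":")[2].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>")
            if rcpt not in LOCAL_USERS:        # the only check that exists: local mailbox?
                return "550 No such user here"
            self.recipients.append(rcpt)
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Syntax error"
    def deliver(self, body):
        # The envelope sender survives only as the Return-Path the receiver prepends;
        # the From: header inside the body is whatever the sender typed.
        return f"Return-Path: <{self.envelope_from}>\n{body}"

def header_domain(msg, name):
    m = re.search(rf"^{name}:.*?[\w.+-]+@([\w.-]+)", msg, re.M | re.I)
    return m.group(1).lower() if m else None

def envelope_header_mismatch(msg):
    """Receiving-side check: does the Return-Path domain agree with the From: domain?"""
    return header_domain(msg, "Return-Path") != header_domain(msg, "From")

def run_session():
    """One forged-sender session; returns (server replies, delivered message)."""
    srv = ToySmtpServer()
    replies = [srv.handle(c) for c in ("HELO bulk-mailer.example",
                                       "MAIL FROM:<bounce@bulk-mailer.example>",
                                       "RCPT TO:<alice@example.net>", "QUIT")]
    msg = srv.deliver("From: Card Services <alerts@examplebank.com>\n"
                      "Subject: Account deactivated\n\nPlease verify your account.\n")
    return replies, msg
```

The mismatch check only catches senders who leave the envelope address pointing at their own infrastructure; a sender can forge both fields, which is why the check is a signal to weigh rather than a verdict.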

HTML-based E-mail

E-mail messages can be transmitted either as plain text, with no graphics or formatting, or formatted as mini web pages, capable of displaying graphics and formatted text and even of running scripts. This makes phishing a much easier task. For this reason phishers usually send their hoax e-mails in HTML format, embedding graphics and formatted text to make them look more like a legitimate communication from the spoofed company. Logos, banners, even ads are placed within the e-mail to entice the recipient to believe that the message is authentic. If the message were plain text, with only a URL (Uniform Resource Locator) link, the user might become more suspicious and be less likely to click on it.

HTML Forms

One scheme involves using HTML-based forms within an HTML-formatted e-mail. The code in the form is hidden; therefore, the phisher is able to hide a bogus URL in a Submit button that the user presses after entering his or her personal information. As a result, it is more likely that the casual user will be enticed by a form-based attack.

Domain Naming System (DNS)

DNS is the hierarchical “database” that maps between human-readable names and numerical Internet Protocol (IP) addresses. When you type in www.somesite.com, the name is associated with its IP address and you are taken to the server at that address. There are several security issues with DNS. Cyber-criminals may “hijack” a domain, redirecting traffic from the legitimate web site to a malicious site that is set up to look identical to the original (pharming), or, more easily, they can register a totally new domain name that looks so similar that an unsuspecting user may not notice the difference. One incident involved a phishing scam that came from the domain www.aol-billing.net, a fraudulent domain name entirely unassociated with America Online, which nevertheless appears convincing to an unsuspecting user.

Trojan Horse

A Trojan horse is a malicious software program (malware) that masquerades as legitimate software. Malware can be installed by worms or viruses, or unknowingly by the user, thinking the software is a game or utility or a browser plug-in. It may also be installed via Internet Relay Chat (IRC) sites. More sophisticated phishing scams use Trojan horses to install keystroke loggers to capture a user’s passwords and account numbers, or install programs to take screenshots of the system. These images may have usernames, passwords, or credit card numbers that are then forwarded to the phisher.

Browser Insecurities

There are security holes in web browsers that can make a phisher’s crime easier to accomplish. A glitch in (un-patched versions of) Microsoft Internet Explorer™ allows a specially crafted URL to load a browser window that appears to be displaying any address the attacker wants [19]. The attacker embeds a URL into an e-mail using the form: http://www.sometrustedsite.com%01%00@malicious-site.com/malicious.html. When a mouse cursor is over the link, it appears to be a link to www.sometrustedsite.com; however, when clicked, the link points to malicious-site.com, where a fake web page has been set up. This hole was fixed by Microsoft, but it may only be a matter of time until another hole is found that will allow some other type of fraud. This underscores the need to keep up with all security patches.
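An added example, not code from the original article, covering both the look-alike domain from the DNS section and the userinfo-style URL from this section: the standard library URL parser resolves the real host, and two simple checks flag what a reader of the link text would miss. The brand allowlist is constructed; a real filter would use a public-suffix list rather than the two-label approximation used here.

```python
# Added example, not the article's code: URL inspection for the two tricks described above.
from urllib.parse import urlsplit, unquote

# Constructed allowlist: the registrable domains each brand actually uses.
BRAND_DOMAINS = {"aol": {"aol.com"}, "sometrustedsite": {"sometrustedsite.com"}}

def registrable(host):
    """Last two labels; fine for .com/.net, a public-suffix list is needed in general."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_url(url):
    """Return (real hostname, list of findings) for a link taken from an e-mail."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # 1. Everything before '@' in the authority is userinfo, not the host, so
    #    http://www.sometrustedsite.com%01%00@malicious-site.com/ really points
    #    at malicious-site.com. A trusted-looking host name there is a red flag,
    #    and percent-encoded control characters were what hid the rest of the URL.
    if parts.username is not None:
        decoded = unquote(parts.username)
        findings.append(f"userinfo present before host: {parts.username!r}")
        if any(ord(c) < 0x20 for c in decoded):
            findings.append("control characters hidden in userinfo")
        if "." in decoded:
            findings.append("userinfo resembles a hostname")
    # 2. Look-alike domain: the brand string appears in the host but the
    #    registrable domain is not one the brand owns (e.g. www.aol-billing.net).
    #    Plain substring matching is a heuristic and will over-match on some words.
    reg = registrable(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host.lower() and reg not in owned:
            findings.append(f"look-alike domain for {brand}: {host}")
    return host, findings
```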

Malicious JavaScript

One of the more sophisticated techniques discovered, according to the Anti-Phishing Working Group, involves the use of scripting to create fake browser address bars or other areas of the browser interface, known as the “chrome”. The script fakes the browser chrome—modifying the address bar, status bar, menus, etc.—making it indistinguishable from the real browser. When a user types in an address, the malicious code can route them to the fraudster’s web site. Even the “https” and the “lock” icon within the browser can be forged, making the user think they are safe, when in fact they are not.

Cross-Site Scripting

Cross-site scripting (XSS) involves the injection of malicious code into a web application. If a web application—the login page of a bank for example—is not properly designed or does not perform proper validation, malicious code can be inserted and run on that site. A phisher could lure an unsuspecting user to follow a link to a vulnerable site and craft the URL in such a way that his malicious code runs on the bank’s site. The user thinks he is browsing safely on the bank’s page, when actually he is running the malicious code. The code can then do any number of things, such as displaying a fake login form or an “Update Your Information for Our Records” form. The information that is entered by the user is then redirected to the phisher’s fake site. Many well-known sites have been vulnerable to this type of attack, and it continues to be a major problem.
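The flaw described above beside its hardened form, as an added example that is not part of the original article: a hypothetical login page template that echoes a request parameter. The template, parameter names and sample input are constructed; html.escape is the only library call.

```python
# Added example, not the article's code: a hypothetical bank login page rendered
# with and without output escaping; only html.escape is a real library call.
import html
import re

TEMPLATE = """<form method="post" action="/login">
  <label>User name <input name="user" value="{user}"></label>
  <label>Password <input name="pw" type="password"></label>
  <p class="notice">{notice}</p>
</form>"""

def render_vulnerable(user, notice):
    """The flaw: request parameters are echoed into the page unchanged, so a
    crafted link can make the bank's own page display attacker-chosen markup."""
    return TEMPLATE.format(user=user, notice=notice)

def render_hardened(user, notice):
    """Same page; every untrusted value is entity-escaped for HTML attribute/text context."""
    return TEMPLATE.format(user=html.escape(user, quote=True),
                           notice=html.escape(notice, quote=True))

def count_start_tags(page):
    """Start tags in the rendered page. More than the template alone contains
    means user input broke out of its attribute or text context."""
    return len(re.findall(r"<[a-zA-Z]", page))

BASELINE = count_start_tags(render_hardened("", ""))   # 6 for this template

# Constructed input of the kind a phishing link could carry in the query string:
# it closes the value attribute and injects a fake "update your records" field.
SAMPLE = '"><p>Update your information for our records</p><input name="acct'

def injected(render):
    """True if rendering SAMPLE with the given function adds markup to the page."""
    return count_start_tags(render(SAMPLE, "")) > BASELINE
```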

Social Engineering

One of the most effective tools in the phisher arsenal is the ability to fool someone into divulging personal information—this is social engineering. Social engineering methods are used to make a person believe they are dealing with a legitimate person or company, when in fact they are not. The hoax e-mails used in phishing schemes allege to be from a trusted entity, or an instant message seems to come from a “buddy”, so the user is more likely to trust them. Social engineering can be a very successful ploy, not only for phishing scams, but for other criminal activities as well.

The Phishing attack

Traditional Attack

A “typical” phishing attack is launched using spam e-mail messages, usually sent to thousands or even millions of e-mail addresses. The e-mails are forged with a “From” or “Reply-To” address that makes them appear to be from a reputable or trusted source, such as a bank or credit card company. The messages are often sent in Hypertext Markup Language (HTML) format (as opposed to text-only) and may use logos, URLs, legal disclaimers, etc., taken from the spoofed company’s website. This makes the attack all the more insidious, since the average user may not question an e-mail if it appears to be from his or her bank and has that bank’s logo on it. Phishers play the odds when sending their mass-mailings. Of the thousands of messages sent, only a small percentage of the recipients may actually be a customer of the spoofed company. For instance, if the phisher has spoofed PayPal®, an online payment company, the number of e-mails sent to actual PayPal customers who then fall for the scheme might be relatively small; however, it is estimated that around five percent of the phishing e-mails sent actually are successful. This can result in quite hefty profits for the scammers.
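An added example, not code from the original article, tying together the HTML-based E-mail and HTML Forms sections and the attack outline above: a constructed HTML message is parsed with the standard library and checked for a Reply-To that leaves the From domain, link text that names a different host than its href, and a form whose Submit button posts somewhere other than the claimed sender's domain. The message, addresses and hosts are all invented.

```python
# Added example, not the article's code: a constructed HTML e-mail checked for the signs above.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

RAW = """\
From: Card Services <alerts@examplebank.com>
Reply-To: verify@examplebank-secure.net
Content-Type: text/html

<html><body><p>Please <a href="http://203.0.113.9/update">www.examplebank.com/update</a></p>
<form action="http://203.0.113.9/collect" method="post"><input name="acct"><input type="submit" value="Verify"></form></body></html>
"""  # constructed sample message, not a real one

class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._href = [], [], None   # (href, visible text); form actions
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def inspect(raw):
    msg = message_from_string(raw)
    sender, findings = domain(msg["From"]), []
    if msg["Reply-To"] and domain(msg["Reply-To"]) != sender:
        findings.append("Reply-To domain differs from From domain")
    c = Collector(); c.feed(msg.get_payload())
    for href, text in c.links:   # visible text names one host, href another
        host = urlsplit(href).hostname or ""
        if "." in text and host not in text:
            findings.append(f"link text {text!r} hides target {host}")
    for action in c.forms:       # the bogus Submit target from the HTML Forms section
        host = urlsplit(action).hostname or ""
        if not (host == sender or host.endswith("." + sender)):
            findings.append(f"form submits to {host}, not {sender}")
    return findings
```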

Mitigation

Many experts contend that phishing is less of a “technology problem” and more of a “user problem”; that the responsibility ultimately lies with the user being aware of where they are browsing, what information they are giving over the Internet, and to whom they are giving it. Others are more concerned that the sophisticated techniques used by phishers are becoming more difficult to detect, even for experienced computer users; casual or less technical users are much less likely to be able to discern a legitimate e-mail, web address, or web site from a fake one. Social engineering ploys can be very effective in these situations. Mitigation therefore has several components: user education, and technology such as firewalls, antivirus software, browser enhancements, digital certificates, and many others.