Charting the Evolution of Phishing
The RSA FraudAction team just marked a major milestone: the official shutdown of 500,000 phishing attacks across 185 countries. Sometimes viewed as one of the oldest Internet scams in the book, phishing is still a very popular method among cyber criminals. RSA recently estimated that worldwide losses from phishing attacks during the 12-month period from July 2010 through June 2011 reached nearly $1 billion.
How did such a seemingly simple email ruse get to be such big business in the world of cyber crime?
Today, most Internet users have heard about phishing or have already been affected by it to some extent. And while the term phishing has been discussed since as early as 1996, the world has not been able to rid itself of this phenomenon. Phishing is still easily one of the top threats on the Internet; its direct and indirect costs tax the global economy with billions of dollars in fraud losses every year.
Let’s take a look at how the phishing threat started and the ways in which it has evolved, with attacks becoming more sophisticated and targeted over time.
The Humble Beginnings of Phishing
Although accounts differ, it’s believed the term ‘phishing’ was coined in 1996 by hackers who managed to steal America Online (AOL) accounts by coaxing usernames and passwords from unsuspecting users. At the time, hacked accounts were dubbed ‘phish’; within a year, ‘phish’ were actively being traded between hackers as a form of electronic currency that was of value to them.
‘Phishers’ used to go after compromised e-mail accounts in order to send out spam. In its early days, phishing was not aimed at stealing bank account information, nor was it financially driven at all. It was only when phishers realized that it was relatively easy to convince web users to divulge their passwords that they inevitably saw it as a way to monetize data. Going beyond spam, phishers added a criminal layer to their activities and began thinking of ways to compromise more valuable credentials, especially those which afforded online access to bank accounts. Phishing became a fraudster’s gold rush.
The Evolution of Phishing
From the tactics to the targets, phishing has evolved rapidly in a relatively small amount of time. Let’s take a look at the evolution of one of the longest-standing Internet threats.
The Ploys Changed
Every phishing attack begins with some sort of ploy. Regardless of how the phishing URL, or the e-mail carrying the phishing HTML page, is delivered, the web user has to be convinced that he needs to visit that page for a reason valid enough to then part with personal and financial information.
| Before | Now |
| --- | --- |
| Initial phishing ploys delivered a hyperlink inside an e-mail, urging the potential victim to take immediate action. Most of the time, if action was not taken, the alleged consequence was some sort of penalty (account suspension or closure). | Recent ploys have kept the good old tale: an e-mail claims to come from your bank, credit card issuer, or another important part of your life, urging you to update certain information immediately or risk having your account closed or suspended. Newer ploys insert other human motivators into the mix. Rewards: tax refunds, lottery winnings. Obligation: fraudulent tax reporting. Curiosity: ‘Look who has been searching for you’. Righting a wrong: fake order confirmations from known online merchants or shopping sites. |
Look and Feel Upgraded
| Before | Now |
| --- | --- |
| Phishing pages were rather easy to identify: patchy and blurry-looking logos (copied from the genuine websites), broken hyperlinks, and erroneous data fields inside the pages were very common. Both phishing e-mails and pages contained numerous evident spelling and syntax errors. | Although some phishing attacks today still lack finesse, most new attacks send potential victims communications that are almost identical to those of the targeted entity. Sophisticated phishing pages pull the genuine website’s HTML code directly from the source, making the replica look as good as the original and giving the phisher the exact same look and feel victims would expect to see. |
Phishing Campaigns Expanded
Phishers have advanced with the times. Today’s professional phishers use modern evasion techniques to bypass spam filters. Beyond sending spam or links, local pharming sends the victim to phishing pages, and DNS poisoning resolves the victim’s requests to phishing sites. Fraudsters even go to the length of Search Engine Optimization (SEO) poisoning to ensure that potential victims land on their phishing pages.
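Local pharming, one of the delivery methods named above, is usually implemented by tampering with the victim’s hosts file so that a bank’s hostname resolves to an attacker-controlled address before DNS is ever consulted. The check below is an added example written for this post (it is not RSA’s code): it parses hosts-file text and flags any entry that pins a watched brand domain to an address. The sample hosts content, the `WATCHED_DOMAINS` list and the `.test` hostnames are constructed for the illustration; an endpoint agent would read the real hosts file and supply the organization’s own brand list.

```python
import ipaddress

# Constructed sample hosts-file content (not from the original post).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost
# Benign developer override
127.0.0.1       dev.internal.example
# Suspicious: a bank hostname pinned to a foreign address (constructed example)
203.0.113.45    www.examplebank.test online.examplebank.test
"""

# Hypothetical watch list of brand domains that should never appear in a hosts file.
WATCHED_DOMAINS = {"examplebank.test", "examplecard.test"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid IPv4/IPv6 literal; ignore the malformed line
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is a watched brand domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_pharming_entries(text):
    """Flag hosts entries for watched domains.

    A non-loopback address is a 'redirect' (classic local pharming); a loopback or
    unspecified address is a 'block' (denies access to the site). Either is abnormal,
    because a clean hosts file has no reason to mention a bank at all.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((host, ip, kind))
    return findings


if __name__ == "__main__":
    for host, ip, kind in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{kind:8s} {host} -> {ip}")
```

Pairing this with a baseline (the hosts file’s expected hash or line count) turns it into a cheap detection for the pharming variant described in the text without needing any network access.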
Phishing campaigns have also expanded their horizons in terms of the geographies and the number of worldwide brands they target.
| Before | Now |
| --- | --- |
| Phishing campaigns were delivered via e-mail spam. | Recent phishing campaigns use a variety of delivery methods, moving away from e-mail and into instant messaging platforms (sending the URL from ‘friends’ with a message to access a link). Spam comments flood social networking sites and are posted to friends’ “walls,” and spam messages are sent from alleged friend groups, urging users to access the URL. These ploys are used both for credential phishing and for malware infections. |
| Phishing was sent via hijacked e-mail accounts. | Phishing is sent via spam botnets capable of sending out billions of e-mails daily. |
| The campaigns almost always communicated a message in English. | Phishing campaigns have expanded and evolved into using at least 16 different languages. |
| Phishing targeted a few major brands, with a strong focus on financial institutions. | Phishing has expanded its horizons and now targets a steadily growing number of brands across geographic regions. Brand diversity has also increased, with attacks going after companies such as worldwide manufacturers, airlines, online auctions, and e-commerce shops and retailers, just to name a few. |
The Average Phisher Changed
Successful phishing is no longer conducted by the fraudsters one would imagine, sitting in a basement and launching small-time attacks. Phishing, and those who orchestrate its cycle, have become much more organized; today’s fraudsters embrace capitalism, making crime their business. For some, fraud is a full-time job and sole source of income.
Phishers study their market and make money by learning the weaknesses of others, leaving their victims and their victims’ service providers to pick up the tab. Anti-virus providers have noticed that phishers are most active during weekdays, with a noticeable drop in activity over the weekend, taking time to enjoy a day off like anyone working around the clock would.
From investing in more technical phishing kits, to paying for successful spam campaigns, to looking for collaborations, discounts and a proper ROI, phishers actively seek methods and measures to ensure maximum profitability.
The Targets of Phishing Changed
| Before | Now |
| --- | --- |
| Gullible Internet users, unaware and unsuspecting consumers, were the ones who ‘fell’ for phishing most often. | Phishing can be sophisticated enough to make a savvy and aware individual fall for a well-crafted hoax e-mail. Some recent content sent to business people, either as spear-phishing scams or as spam, looked real enough that it could have incited even the most intelligent and discerning individuals to act upon the e-mail. Example: sending an order confirmation with full details of the order’s contents to someone who had never ordered the goods; the person’s first reaction would be to click the hyperlink and dispute the order. Example: a hoax sent to military personnel asked them to click a link to confirm their attendance at an important retirement party and instead infected them with malware. |
The Hosting Methods Evolved
A phishing attack can only exist once it reaches its destination audience and is ‘available’ for them to read and respond to. This is phish hosting. The hosting of attacks is probably the one aspect that has evolved most consistently, introducing new methods for keeping an attack alive.
Fraudsters have gone to great lengths to innovate: spoofing sites, exploiting content management systems, hijacking sites, using fast-flux proxies and bulletproof infrastructure, standalone attacks (using web form services to relay stolen credentials), and local HTML attack forms that open locally on the victim’s PC, all in the name of hosting phishing attacks that will not be easily blocked, detected or taken down.
Online vendors and the financial industry started taking phishing attacks a lot more seriously, developing measures to mitigate risks and fight back. The public has learned more and been made aware of phishing, repeatedly told by banks not to divulge their information and to be suspicious of any communication that requests them to enter their personal details.
Phishers are aware of the mechanisms being deployed to stop their attacks. So as not to let any of these deter them from their efforts to make more cash, phishers have been embracing web application security research and using discovered vulnerabilities to hijack websites and gain maximum exposure for each attack.
RSA has already reported on vulnerability exploits used to mass-hijack otherwise legitimate websites for the purpose of hosting phishing pages (e107 exploits, and a WordPress vulnerability which is still unpatched and exploited today). The more committed a phisher is, the more inclined he is to pay professional malware authors to program exploits, and to use crafty ways to deliver an attack, host it, and have the stolen credentials sent to his drop (either a drop e-mail address or a drop routed from the attack’s URL).
| Before | Now |
| --- | --- |
| Phishing pages requested the victim’s username and password. | Phishing pages request that users enter elaborate data sets, now including secret questions, contact details, payment card data, numbers found on identification documents (SSN, driver’s license, passport number), and even demographic details: age, DOB, nationality. |
| Phishing pages only contained the data fields designed to harvest information and forward it to the fraudster. | Phishing pages also contain drive-by downloads or infection points for Trojans or exploit kits. Some phishing pages studied by RSA revealed a delayed-release type of operation, where a hijacked site began by displaying phishing, then added redirections to Trojan infection sites, and finally redirected users to explicit adult content sites harboring more malware. |
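Two of the traits described in this post can be checked mechanically when a suspected page is examined: a replica that was cloned from the genuine site’s HTML but posts its form somewhere else (an off-host URL, a third-party form service, or a `mailto:` drop address), and a form that asks for far more than a username and password. The analyzer below is an added example written for this article, not RSA’s tooling: it extracts every form from an HTML document, classifies where each form posts relative to the host serving the page, and lists the sensitive fields it collects. The sample page, the `blog.hijacked.test` host, the `203.0.113.45` address and the `SENSITIVE_FIELDS` list are all constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a bank login page cloned onto a hijacked blog (not a real site).
SAMPLE_PAGE = """
<html><body>
<img src="https://www.examplebank.test/logo.png">
<form action="http://203.0.113.45/cgi/drop.php" method="post">
  <input name="userid"><input name="password" type="password">
  <input name="ssn"><input name="dob"><input name="card_number"><input name="cvv">
  <input name="security_answer">
</form>
<form action="/search"><input name="q"></form>
<form action="mailto:collector@example.test" method="post">
  <input name="username"><input name="password">
</form>
</body></html>
"""

# Hypothetical field-name tokens a plain login form should not be asking for.
SENSITIVE_FIELDS = {
    "password", "passwd", "pin", "ssn", "dob", "card", "cardnumber", "cvv", "cvv2",
    "expiry", "passport", "license", "secret", "answer", "mmn",
}


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of the inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["inputs"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_action(action, page_host):
    """Where does the form send its data: same-host, off-host, or a mailto drop?"""
    action = action.strip()
    if action.lower().startswith("mailto:"):
        return "mailto-drop"
    parts = urlsplit(action)
    if not parts.netloc:
        return "same-host"  # relative action posts back to the serving host
    return "same-host" if parts.netloc.lower() == page_host.lower() else "off-host"


def sensitive_inputs(names):
    """Input names whose tokens (split on non-alphanumerics) hit the sensitive list."""
    hits = set()
    for n in names:
        tokens = [t for t in re.split(r"[^a-z0-9]+", n) if t]
        if any(t in SENSITIVE_FIELDS for t in tokens):
            hits.add(n)
    return sorted(hits)


def analyze_page(html, page_host):
    """Return one finding per form; 'suspicious' if it posts away or over-collects."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        posts_to = classify_action(form["action"], page_host)
        sens = sensitive_inputs(form["inputs"])
        findings.append({
            "action": form["action"],
            "posts_to": posts_to,
            "sensitive": sens,
            "suspicious": posts_to != "same-host" or len(sens) >= 3,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_page(SAMPLE_PAGE, "blog.hijacked.test"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10s} {f['posts_to']:11s} {f['action']!r} fields={f['sensitive']}")
```

The threshold of three sensitive fields is a tuning knob, not a rule: a genuine card-enrollment page legitimately asks for card data, so in practice the off-host and `mailto:` signals carry more weight than the field count, and a takedown analyst would pair this with the brand references found in the page (here the `examplebank.test` logo served from a host that is not the bank’s).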
Added Plug-ins
Older phishing kits were rather basic, often available free of charge, and almost always backdoored by their author, who included handy scripts designed to send him a share of the impending credentials harvest.
Newer phishing kits have evolved into more robust code sold for money. Often, these elaborate kits are also the ones which include special plug-ins. Some of these plug-ins include:
A spam crawler designed to help the phisher create hefty spam lists through large webmail service providers
A man-in-the-middle (MITM) feature designed to check the validity of just-harvested credentials against the genuine bank’s website (quality control)
A script add-on to collect the victim’s basic system specs (screen resolution, browser version, victim’s time zone)
RSA has already reported on a web-based interface that generated phishing pages ready for use online. This interface was a one-stop shop, managed by a single administrator who had ‘subscribers’ register for the service, providing them with the necessities for e-commerce phishing.
*This post is reprinted from the RSA November 2011 Monthly Online Fraud Report