PC Privacy Threats: Phishing

Posted on: 31 July 2008 by Gareth Hargreaves

Is your computer safe from hackers?

Everybody is familiar with the problems of “spam”, the equivalent of digital junk mail which uses mass advertising emails to sell various unwanted services with the unfortunate effect of clogging up inboxes worldwide.

Although spam is a problem for users, the worst that can happen if you follow the link in the email is that you get directed to a dodgy site trying to sell you something.

But if you follow the link in a “phishing” spam you could well be the victim of identity theft, because the black-hat art of phishing is spam on steroids with criminal intent.

The use of email-based attacks designed to steal personal details is currently very popular with cyber criminals, and it is estimated that over two billion phishing emails have been sent worldwide.

As the estimated “success” rate of such attacks can be as high as 5 per cent, there can be no doubt that a huge number of people are being tricked into divulging personal details that they would rather remained private.

In a typical phishing attack an email is sent to the victim, either from an open SMTP relay or from a botnet, with a spoofed sending address which appears to originate from an online e-commerce or e-banking company. Within the email is a link to a website that looks identical to the target website, but is actually a copy which is hosted elsewhere.

The phishing email may encourage the user to log in with their password, or even try to socially engineer the unsuspecting user into giving credit card numbers, social security numbers and other personal details. Once the data is entered into the phishing site it is emailed to an address for the phisher to pick up at a later date.

Examples of this approach include the 2003 attack on eBay which spammed users with phishing emails. These emails purported to come from eBay and told them that their accounts were suspended until they verified their personal information, including their credit card number and their mother’s maiden name. The unsuspecting victims were then directed to a fake phishing site which was mounted on a hacked server in an American university.

Attacks such as these are very common against targets such as e-commerce sites, online banking websites and other online financial transaction websites. These types of websites often hold personal details such as social security number, name, address, telephone number, credit card number, credit card limit and mother’s maiden name.

Potential cyber-criminals don’t even need much technical sophistication to mount a phishing attack, as it is possible to obtain complete “phishing kits”. Researchers have found that the same programs are used to process the information and then email the phishers, suggesting that only a few people are writing them.

These kits are often sold or traded on the “phishing underground”, an informal group of web forums and websites devoted solely to phishing and credit card theft.

Once the wannabe cyber-criminals have their phishing kit they only need to:

  • Gain access to a web-server. Black-hat hackers will often trade access to servers they have hacked for other information, for example credit card numbers. The phisher can compromise a server themselves, or they can hire web-hosting from an offshore hosting company using a stolen credit card number. Only a novice phisher would use web hosting in their own name from their local ISP.
  • Install the phishing kit on the server, and configure it with the email address that the phisher is using to collect the data. Only a novice phisher would collect their ill-gotten gains using an email address which can be traced to them through their local ISP.
  • Send out hundreds of thousands of spam emails to the potential victims. The phisher can either compromise an SMTP relay server themselves, purchase root access to a server, or enlist a botnet to send out the phishing spam. Only a novice phisher would send out millions of spam emails using the SMTP capabilities of their ISP, even if they were spoofing the addresses.
  • Sit back and wait to see how many victims fall for the scam by checking the email drop address regularly. Once the credit card numbers start pouring in, the phisher has the problem of cashing out and laundering the money. Only a novice phisher will funnel traceable financial transactions to their personal bank or PayPal account.

When the phishing site is taken down or blocked, phishers simply repeat the process, again and again. Any credit card numbers stolen can be used for purchasing more web-hosting, sold on the black market, or traded for other information, programs and new phishing kits.

The major problem for wannabe phishers is that there is no honour among thieves. Some phishing kits are known to have backdoors which are designed to send the author of the kit the same information as the would-be phisher. It should be noted that backdoors in black-hat programs are not uncommon.

For example, the “tornkit” package is a typical Linux “rootkit”, designed to compromise a computer and then hide the installed software to avoid detection, but it is widely alleged to have “backdoors” in its program logic which alert the author of the malware every time it is installed and used.

Preventing phishing attacks often depends on checking the URL within the email to see if it is genuine, or on installing a browser plug-in which checks the URL against a known list of phishing sites.

One problem with the “blacklist” approach is that the information can be “reverse-engineered” to provide a list of IP addresses and host names of phishing sites, some of which are “pre-compromised” servers hosting the bogus website.

This is a lure to the black-hat system crackers because it indicates the server has one or more security flaws which they can use, unless the original cracker patched the holes to prevent future system compromise.
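As an added example (not part of the original article), here is a small Python URL checker of the kind described above: it pulls the links out of an HTML email body and flags a destination that is on a blocklist, that is a bare IP address, that borrows a brand name on an unrelated domain, or whose visible text shows a different URL from its real destination. The blocklist holds SHA-256 digests of hostnames rather than plaintext names, which blunts the reverse-engineering concern just raised; the brand domain, blocklist entry and sample email are constructed placeholders.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data: the brand's genuine domain, and a blocklist storing SHA-256
# digests of known phishing hosts so a leaked copy is not a directory of hacked servers.
LEGIT_DOMAIN = "example-bank.com"
BLOCKLIST_HASHES = {hashlib.sha256(b"login.example-bank.com.evil.example").hexdigest()}

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means no flags."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if hashlib.sha256(host.encode()).hexdigest() in BLOCKLIST_HASHES:
        reasons.append("host on blocklist")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of a hostname")
    # Brand name appears in the host, but the host is not under the brand's own domain.
    brand = LEGIT_DOMAIN.split(".")[0]
    if brand in host and host != LEGIT_DOMAIN and not host.endswith("." + LEGIT_DOMAIN):
        reasons.append("look-alike host borrowing the brand name")
    # Visible text shows one URL while the href actually points somewhere else.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and shown.group(1).lower() != host:
        reasons.append("displayed URL differs from real destination")
    return reasons

def scan_email_html(html):
    """Map every href in the email body to its list of warning reasons."""
    parser = _LinkExtractor()
    parser.feed(html)
    return {href: classify_link(href, text) for href, text in parser.links}
```

Run `scan_email_html()` over a message body such as the eBay-style account-suspension lure; a legitimate help link under the brand's own domain comes back with no flags, while the impostor link is reported on three counts.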

A recent variation on phishing is so-called “spear-phishing”, which targets individuals and corporations rather than relying on a bulk spam attack.

In a spear-phishing attack the black-hats gather information about the internal structure and personal contacts of the target individuals and companies. The phisher then uses this information to launch a small number of highly targeted phishing emails, rather than taking the spam approach and launching thousands.

The true power of spear-phishing is that it uses social engineering and the betrayal of trust relationships within a corporation or organisation to ensure the emails appear to be genuine.

Normal spam-phishing is like a shotgun, blasting everything in its path in the hope of hitting something, but spear-phishing is like the sniper rifle, only targeting the most useful potential victims, often with greater effect.

By Dr. K

Dr. K is author of Hackers Handbook 3.0, which is published by Carlton and costs £9.99. Alternatively you can purchase it online at Amazon for £6.59.
