What is Phishing?
Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, fake Web sites, crimeware and other techniques to trick people into divulging sensitive information, such as bank and credit card account details. Once they've captured enough victims' information, they either use the stolen goods themselves to defraud the victims (e.g., by opening up new accounts using the victim's name or draining the victim's bank accounts) or they sell it on the black market for a profit.
How phishing works
In most cases, phishers send out a wave of spam email, sometimes up to millions of messages. Each email contains a message that appears to come from a well-known and trusted company. Usually the message includes the company's logo and name, and it often tries to evoke an emotional response to a false crisis. Couched in urgent, business-like language, the email often makes a request of the user's personal information. Sometimes the email directs the recipient to a spoofed Web site. The Web site, like the email, appears authentic and in some instances its URL has been masked so the Web address looks real.
The bogus Web site urges the visitor to provide confidential information — social security numbers, account numbers, passwords, etc. Since the email and corresponding Web site seem legitimate, the phisher hopes at least a fraction of recipients are fooled into submitting their data. While it is impossible to know the actual victim response rates to all phishing attacks, it is commonly believed that about 1 to 10 percent of recipients are duped with a "successful" phisher campaign having a response rate around 5 percent. To put this in perspective, spam campaigns typically have a less than 1 percent response rate.
Over 2005, phishers became much more sophisticated. They began using crimeware in conjunction with their phony, hostile Web sites, leveraging common Web browser vulnerabilities to infect victim machines. This trend means that simply following the link in a phishing email to a bogus Web site can be enough for a user's identity to be stolen: the phisher no longer needs the user to enter personal information, because the Trojan or spyware placed on the machine captures it the next time the user visits the legitimate Web site of their bank or other online service. Throughout the past year, this genre of crimeware has become more targeted (capturing just the information the phisher wants) and more silent, using rootkit and other aggressive stealth techniques to remain hidden on an infected system.
Another example of the growing skills of the phishing groups is their use of flaws in Web site design to make their attacks more convincing. For example, a flaw in the IRS Web site allowed phishers to make their "bait" URLs appear to be the IRS' Web site, even though the victim was headed to a different, criminally-owned Web server. This is one of many potential examples of the steadily advancing skills of online fraudsters.
Phishing example
Symantec operates a group of machines known as honeypots—a network of intentionally vulnerable systems that are used to capture and study real-world attacks. This information is in turn used for research and refinement of Symantec's products. Symantec recently captured a stereotypical phishing attack in its honeypot network focused on the online auction service eBay. eBay's widespread popularity and universal appeal has made it one of the most phished brands on the Internet.
The events began with the attacker taking advantage of a longstanding security flaw that was deliberately left in place on one of the honeypot servers in order to attract events such as this. Once the attacker had established complete access to the system through additional hacking techniques and a covert remote control tool, they set up a bogus eBay Web site on the server. The phony eBay login page set up by the phisher is shown above—it is convincingly similar to the genuine eBay version.
Note: The fraudulent eBay Web site was taken down before any victims visited the site and fell prey to the scam.
Email "bait" like the message shown below is then sent by the phisher to an email list of potential victims. This message, taken from an actual phishing attack, follows the typical formula of official sounding language coupled with an ominous warning that the recipient must act quickly to keep their account active. Every link included in the message does indeed point back to the actual eBay Web site, with the notable exception of the fraudulent invitation to "click here to re-enter your account information." The link for this section takes the user to the bogus sign-in page of http://signin.ebaay-com.us/ rather than the genuine eBay sign-in page at http://signin.ebay.com/.
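The two tells described above, a link whose host is a lookalike of the brand's domain (signin.ebaay-com.us standing in for signin.ebay.com) and a link whose displayed text hides a different real target, are the kind of thing a mail filter or security-awareness tool can check mechanically. The following is an added example, not code from the original article or from Symantec: it parses the links out of a constructed HTML message modelled on the bait quoted above, compares each link's host against the brand's known domains, and flags lookalike hosts with a small edit-distance check on the host's labels. The brand domain set, the sample message and all function names are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the original bait). The two sign-in hosts
# are the ones quoted in the article; the surrounding text and other links
# are made up to show one legitimate link, one lookalike and one masked link.
SAMPLE_EMAIL_HTML = """
<p>Dear eBay member,</p>
<p>Your account information must be updated within 24 hours or your
account will be suspended. Visit <a href="http://www.ebay.com/">eBay</a>
or read our <a href="http://pages.ebay.com/help/">Help pages</a>.</p>
<p>Please <a href="http://signin.ebaay-com.us/">click here to re-enter
your account information</a>.</p>
<p>Or go to <a href="http://signin.ebaay-com.us/">http://signin.ebay.com/</a></p>
"""

# Assumed allow-list: hosts on these registered domains count as the brand.
EBAY_DOMAINS = {"ebay.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Plain edit distance; small inputs only (host labels and brand names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_on_brand_domain(host, brand_domains):
    """True if host equals, or is a subdomain of, one of the brand's domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def min_label_distance(host, brand):
    """Smallest edit distance between any host label (split on '.' and '-')
    and the brand name, so 'signin.ebaay-com.us' scores 1 against 'ebay'."""
    labels = [l for l in re.split(r"[.-]", host.lower()) if l]
    return min((levenshtein(l, brand.lower()) for l in labels), default=len(brand))


def classify_link(href, text, brand, brand_domains):
    """Returns 'ok', 'masked', 'lookalike' or 'external' for one link."""
    host = urlparse(href).hostname or ""
    if is_on_brand_domain(host, brand_domains):
        return "ok"
    # Anchor text displays a brand URL, but the real target is elsewhere.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and is_on_brand_domain(shown.group(1), brand_domains):
        return "masked"
    # Host is not the brand's but one label is a near-miss of the brand name.
    if min_label_distance(host, brand) <= 1:
        return "lookalike"
    return "external"


def analyze_links(html, brand, brand_domains):
    """Every link in the message with its verdict, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    return [
        {"href": href, "text": text,
         "verdict": classify_link(href, text, brand, brand_domains)}
        for href, text in parser.links
    ]


def suspicious_links(html, brand, brand_domains):
    """Only the links a filter would flag (anything not 'ok')."""
    return [r for r in analyze_links(html, brand, brand_domains) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for r in analyze_links(SAMPLE_EMAIL_HTML, "ebay", EBAY_DOMAINS):
        print(f'{r["verdict"]:9} {r["href"]}  <- "{r["text"]}"')
```

The allow-list check is the authoritative one; the edit-distance check only ranks which non-brand hosts deserve attention, and the threshold of one edit is deliberately strict so that unrelated hosts such as a mail provider's tracking domain stay "external" rather than "lookalike". A production filter would back the allow-list with a proper public-suffix list rather than the exact-domain set used here.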
After clicking on the phony link in the phishing email message, victims log into the bogus eBay site using their username and password (this particular phishing Web site was not fussy - it would take any username and password). The victim is then taken to a page to supposedly update their billing profile, which actually emails highly confidential information such as the victim's credit card information, social security number, home address, driver's license number and mother's maiden name to the phisher. While many phishers collect all of the victims' information on what is known as a "dead drop" or "egg drop" server, this particular phisher preferred to have the information emailed to their free email account, where they could log in and read each victim's personal information at their leisure. Most phishing attacks such as this last only a few days, with most of the victims responding within the first 24 hours.