This report provides an overview of phishing and pharming: what phishing is, what pharming is, the impacts caused by phishing and pharming, and the solutions that can be applied to remediate or minimize the chance of being attacked by phishing and pharming.
Phishing is an internet fraud or identity theft used to acquire or steal a targeted victim's sensitive information, such as personal identity data or financial account credentials. Phishing is carried out by attackers using social engineering: sending email, instant messaging (IM), peer-to-peer (P2P) networks, search engines and other techniques that redirect users to a fraudulent website.
Pharming is a newer twist on internet fraud and identity theft. It is an evolution of phishing used to achieve the same goal, but it is more sophisticated. Pharming is carried out using technical subterfuge such as DNS cache poisoning, domain hijacking and other techniques that redirect users to a fraudulent website or proxy server in order to solicit the user's sensitive personal information.
Phishing and pharming attacks cause financial losses to the targeted victims and can hit small organizations hard. They also undermine consumers' confidence in using the internet for secure transactions and communication. Besides this, phishing and pharming make law-enforcement investigations harder.
There are techniques that can be used to reduce the chance of being attacked by phishing and pharming, so that the potential impact is minimized. Both users and web developers have their own responsibilities in preventing themselves from becoming victims of phishing and pharming.
For web developers, an SSL (secure sockets layer) certificate can be used to protect a website, while users can install a security suite on their computers to protect themselves from phishing and pharming. Laws have also been introduced by governments to act against suspected phishers and pharmers. In addition, if consumers feel that they are the targeted victims of either kind of identity theft, they can complain to the related company or to the agencies responsible for anti-phishing and anti-pharming work.
Years ago, consumers needed to leave home to buy groceries, settle bills, make transactions and carry out other daily activities. Nowadays, a consumer can simply sit in front of a computer with an internet connection and complete all of those daily activities through online transactions. Online transactions become more advanced day by day, but this is accompanied by increasingly prevalent and sophisticated internet fraud. Phishing and pharming are the two most famous internet frauds.
This report discusses in detail the two most famous internet frauds, phishing and pharming. The topics discussed include the history of phishing and pharming, the methods of phishing and pharming attacks, the impacts caused by phishing and pharming, and the solutions to phishing and pharming.
For this report, the problem is approached from a practical standpoint via the internet. The materials obtained from the internet are the results of experiments and investigations by others.
This report is written for users of online transactions, in the hope that it gives them a clear message about what phishing and pharming actually are, the impacts they cause, and the solutions to them.
History of Phishing and Pharming
The term phishing was coined in 1996, when America Online (AOL) accounts were stolen by attackers using email. The term was derived from the idea of a fishing hook: attackers used email to lure users into giving up their AOL passwords. The "f" of fishing was replaced by "ph" to keep it compatible with computer hackers' tradition. Phishing works by using social engineering to lure consumers into divulging their sensitive personal information at fraudulent websites, also known as spoofed sites, via email, instant messaging (IM), peer-to-peer (P2P) networks, search engines and so on.
Pharming is an evolution of phishing that is also used to solicit consumers' sensitive personal information, but by technical subterfuge: for example, sending email containing viruses or Trojan horses that install a small program on the targeted victim's computer. The program redirects the user to a fraudulent website when they visit the authentic official website. Besides this, attackers also use well-known traditional techniques such as DNS cache poisoning, domain spoofing and other techniques to redirect users to a fraudulent website when they want to visit an authentic one.
What is a Phishing Attack
Phishing is the criminal and fraudulent luring of consumers into divulging sensitive personal information such as credit card numbers, account usernames, passwords, PINs, mother's maiden name and other personal details, through social engineering: sending email containing a link, downloading and installing a keylogger on the victim's computer, or creating a look-alike web interface and domain name that the victim finds hard to distinguish from the real one.
Techniques of Phishing Attack
The most popular phishing technique is to send the targeted victims an email containing a hyperlink to a fraudulent website, while pretending the email was sent by a hijacked brand: a bank, e-retailer, credit card company or other online merchant. Attackers convince the recipient to respond by including a message that sounds plausible or describes a problem that is serious for the recipient, such as "there is a problem with your account information, please verify it". When the recipient clicks the hyperlink, they are redirected to the fraudulent website. The website contains a form or pop-up screen that asks the user to enter their sensitive personal details, which are then submitted to the attacker.
This email looks like an email sent by eBay, but it was actually sent by an attacker. When the mouse pointer hovers over the Respond Now button, it reveals the web address the recipient would be redirected to. As we can see, the revealed link is http://126.96.36.199/IT/.cgi-bin/ws/ISAPIdllUPdate/...... , which is not a link to the authentic eBay website. When recipients get this type of email, they should go to their eBay account and check their private messages to see whether the email was really sent by eBay.
The email sent by the attacker shown here is an image embedded in the email. Wherever the recipient points at the image, the mouse cursor changes to a "hand" under the computer's default settings. When the recipient clicks on the embedded image, they are redirected to a website controlled by the attacker, and the sensitive information of a recipient who is redirected to the fraudulent web page may be stolen.
In the example shown, there is a masked web address that displays a link to a legitimate website, but when the mouse pointer hovers over the link, it reveals the real link that the user would be redirected to. Those links are presented as a string of cryptic numbers rather than the company's web address.
Phishing and Pharming: What is happening in this area, the impact of this and how can it be stopped?
Other than sending email to the targeted victims, attackers also use instant messaging (IM), peer-to-peer (P2P) networks, exploited websites or search engines to download and install a keylogger on the user's computer. A keylogger is a type of malware used to track the user's keystrokes on a website in order to steal the sensitive information keyed in by the user.
The figure shows a list of keyloggers detected using Microsoft AntiSpyware. The registry entries made by a keylogger may point to EXE or DLL files; as shown in figure 4, the keylogger files detected are bpk.exe, bpkhk.dll, bpkr.exe, bpkun.exe, bpkvw.exe and i_bpk2003.exe.
Create Look Alike Web Interface & Domain Name
In the early years, phishing for sensitive personal information was less sophisticated: the hyperlink in the email was an IP address such as 192.168.1.25 rather than a domain name such as www.banking.com. Early phishing emails were typically poorly written, with bad grammar, spelling errors and cheap scams. Later, attackers started using HTML to code websites with logos stolen from the authentic website, so that the fraudulent website looks like the real one and users find it hard to tell them apart. Besides this, some attackers also create look-alike domain names to confuse users. For example, the character "l" of www.google.com is replaced by the digit "1", giving www.goo1ge.com, which looks similar to www.google.com with just one character changed.
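The look-alike domain trick above can be caught by folding confusable characters back to the letters they imitate and measuring how far the result is from a protected brand name. This is an added example, not code from the original report; the brand list and confusable table are constructed, and the check is written generally enough to also catch digit-for-letter swaps (0 for o) and transposed letters, not only the l/1 case in the text.

```python
"""Detect look-alike domain names: confusable-character swaps (l/1, o/0,
rn/m, vv/w) and single-edit variants (one substitution, insertion,
deletion or adjacent transposition) of a protected brand.
"""

# Constructed list of brands to protect.
PROTECTED_BRANDS = {"google.com", "paypal.com", "ebay.com"}

# Multi-character confusables first so "rn" folds to "m" before "n" is seen.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("|", "l")]


def fold_confusables(name):
    """Map visually similar characters to the letters they imitate."""
    name = name.lower()
    for lookalike, real in CONFUSABLES:
        name = name.replace(lookalike, real)
    return name


def registrable(host):
    """Strip a leading 'www.' so www.goog1e.com and goog1e.com compare alike."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    each counted as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(host, brands=PROTECTED_BRANDS, max_edits=1):
    """Return the brand that `host` imitates, or None if the host is a brand
    itself or is unrelated to every brand."""
    name = registrable(host)
    if name in brands:
        return None
    folded = fold_confusables(name)
    if folded in brands:
        return folded
    for brand in sorted(brands):
        if osa_distance(folded, brand) <= max_edits:
            return brand
    return None


if __name__ == "__main__":
    for candidate in ("www.goog1e.com", "www.goo1ge.com", "paypa1.com",
                      "g00gle.com", "google.com", "example.com"):
        print(candidate, "->", lookalike_of(candidate))
```

The report's own www.goo1ge.com is caught as well: folding 1 to l gives goolge.com, which is one transposition away from google.com.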
Figure 5 shows a phishing site that uses the authentic PayPal logo and the font and colors of the real website. The attackers try to convince users that this is the authentic website by including the page title "Random Account Verification", tabs at the top of the page, the log in link, the help link and especially the Secure Verification symbol with a lock. But one thing that gives away this phishing site is its address: an IP address is being used.
There were 20,305 phishing websites detected by APWG in January 2008, a decrease of about 5,023 compared to December 2007.
In the first quarter of 2007 there were 64,555 new phishing sites, while 124,790 new phishing sites were reported in the second quarter of 2007, an increase of 60,235 over the first quarter. In the third quarter of 2007 there were 91,093 new phishing sites, a decrease of 33,697 compared to the second quarter. In the fourth quarter of 2007 there were 83,224 new phishing sites, 7,869 fewer than in the third quarter.
Comparing January 2007 with January 2008, there were 6,916 fewer new phishing sites.
According to research carried out by APWG, the number of hijacked brands actually dropped in January 2008 compared to December 2007. The figure fell to 131 hijacked brands in January 2008, compared to 144 reported hijacked brands in December 2007.
The chart shows 436 total hijacked brands for the first quarter of 2007. In the second quarter of 2007 there were 469 hijacked brands, an increase of 33 over the first quarter. In the third quarter of 2007 there were 347 hijacked brands, a decrease of 122 compared to the second quarter. In the fourth quarter of 2007 there were 442 hijacked brands, 95 more than in the third quarter.
Comparing January 2007 with January 2008, there were 4 fewer hijacked brands in January 2008.
Categories of Phishing Attack
Phishing is divided into categories such as deceptive phishing, malware-based phishing, content injection phishing, man-in-the-middle phishing and search engine phishing.
Deceptive Phishing: this is performed by sending the targeted victims an email that requires the recipient to click on a hyperlink in order to respond to the action specified in the email.
Malware Based Phishing
Malware Based Phishing: this is done by running malware such as a keylogger, session hijacker or web Trojan on the user's computer.
Content Injection Phishing
Content Injection Phishing: in this type of phishing, malicious content is inserted into a legitimate site by exploiting a vulnerability in the server's security or by SQL injection.
Man In The Middle Phishing
Man In The Middle Phishing: in man-in-the-middle phishing, the attackers position themselves between the sender and receiver so that they see all the information and can select the information that is useful to them.
Search Engine Phishing
Search Engine Phishing: in search engine phishing, the attacker sets up a website containing fake products and gets the site indexed by search engines. When a consumer responds to a product, the attacker receives the consumer's sensitive personal information.
According to research from the Anti-Phishing Working Group (APWG), there were 29,284 phishing cases in January 2008. This is an increase of 3,601 reports compared to December 2007, when 25,683 cases were reported.
In the first quarter of 2007, 78,393 phishing reports were received, while in the second quarter of 2007, 75,959 phishing reports were received, a decrease of 2,434 compared to the first quarter. In the third quarter of 2007, 88,055 phishing reports were received, an increase of 12,096 over the second quarter. In the fourth quarter of 2007, 85,407 phishing reports were received, a decrease of 2,648 compared to the third quarter.
Comparing the 29,930 phishing reports received in January 2007 with the 29,284 reported in January 2008, there was a decrease of 646 phishing reports.
According to the chart provided by APWG, financial services are the focus of attackers: phishing against financial services is the highest at 92.4%, compared to retail at 1.5%, ISPs at 3.8% and government and miscellaneous at 2.3%.
According to the pie chart, the United States is the top country for hosting phishing sites, with 37.25% of all hosting countries. After the United States, the Russian Federation is second with 11.66%, followed by China with 10.3%, Germany with 5.64%, Romania 5.09%, Republic of Korea 3.77%, France 3.28%, Canada 1.94%, United Kingdom 1.92% and lastly Italy with 1.59% of hosted phishing sites.
What is a Pharming Attack
The previous topic was the internet fraud called phishing: sending bogus email with a hyperlink that asks the user to respond to the action specified in the message by clicking the hyperlink. The hyperlink redirects the user to a fraudulent website that looks like the authentic website.
Because of rising user awareness of phishing, pharming was developed and is used as another internet fraud technique to solicit the targeted victim's sensitive information. Pharming uses technical subterfuge to solicit the targeted victim's sensitive personal information and is more sophisticated than phishing.
Techniques of Pharming
Pharming is carried out by attackers in several ways. The attacker sends the targeted victims an email containing a virus or Trojan horse that downloads and runs on the user's computer. The recipient can be duped by the attackers even if they did not open or download the attachment in the email. The virus or Trojan horse contained in the email installs a small program on the recipient's computer that tries to redirect the recipient to the fraudulent website when they try to visit an authentic website.
Pharming can also be performed without sending email, using techniques such as DNS cache poisoning, domain hijacking, DNS server hijacking, and misconfiguration of the settings or rewriting of the firmware of a router.
DNS Cache Poisoning
DNS cache poisoning is carried out by sending malicious responses or exploiting a DNS software vulnerability to "poison" the cache, which stores the results of users' queries for a certain amount of time in order to speed up responses to users. After the cache has been "poisoned", when a user makes a query to that DNS server, the user is redirected to the fraudulent website.
Domain hijacking, on the other hand, is performed by skipping the confirmation of the old domain registrar and the domain owner, since a change of domain registrar should only be made with confirmation from three parties: the domain owner, the old registrar and the new registrar.
DNS Server Hijacking
Pharming can also be performed through DNS server hijacking. DNS servers are the signposts of the internet: they translate domain names into IP addresses. To hijack a DNS server, the attacker first targets the DNS server on the LAN or the DNS server hosted by the ISP, changing the IP address for an authentic website's domain name to the IP address of the fraudulent website. When the user tries to visit the authentic website, a query is made to the DNS server for the IP address of the domain name. Because the IP address for the domain name has been changed, the user is redirected to the fraudulent website. Once redirected, users carry out the activities they intended to perform at the website, because the address displayed in the address bar remains the same as the authentic website's address and they believe they are accessing the authentic website. Through the activities performed by the user, the attacker obtains the information they wanted. The websites targeted by attackers are normally those whose address starts with HTTP rather than HTTPS, because such websites are without SSL protection.
- The attacker targets the DNS server on the LAN or the DNS server hosted by the ISP, changing the IP address for an authentic website's domain name to the IP address of the fraudulent website
- The user tries to visit the authentic website
- A query is made to the DNS server for the IP address of the domain name
- The IP address returned by the DNS server is the IP address of the fraudulent website
- The user is redirected to the fraudulent website
Misconfiguration of Settings or Rewriting Firmware of Router
Pharming can also be done by misconfiguring the settings or rewriting the firmware of the router. Once the router's settings or firmware have been altered, the computers connected to the router are automatically directed to a DNS server controlled by the attacker whenever they try to visit a website. This technique is used for pharming because the change to the router's settings or firmware is hard to detect: the malicious firmware works just as the manufacturer's firmware does, and the router's administration page and settings still appear unchanged.
Impacts Caused By Phishing and Pharming
Financial Loss
There are several impacts caused by the rise of phishing and pharming. One of them is financial loss for both organizations and consumers. According to InternetNews.com, there was about $1.2 billion in financial losses to banks and credit card issuers in 2003, while in 2004 about 12 million in financial losses was reported by the Association of Payment Clearing Services in the United Kingdom.
Under credit card association policies, online merchants that accept and approve transactions made with credit card numbers obtained through internet fraud may be liable for the full amount of those transactions. This can hit small organizations hard.
Loss of Time and Wages
Victims of phishing and pharming may need to spend time clearing up the effects of the attack on them. If the attack is discovered late, victims may need even more time to resolve the problem. This can cost victims time from their work and lost wages.
Undermining of Consumer Trust
Another impact of phishing and pharming is the undermining of consumer trust in secure internet transactions and communication. This occurs because internet frauds like phishing and pharming make consumers uncertain about the integrity of financial and commercial websites, even when the web address displayed in the address bar is correct. Consumer trust may also be undermined if a financial or commercial website loses its consumers' data files or consumers' sensitive information is accessed by attackers.
Law Investigation Becomes Harder
Phishing and pharming also affect law-enforcement investigation. They make investigation harder because the techniques used by attackers to perform phishing and pharming are more sophisticated. Nowadays, attackers can perform all of their phishing and pharming attacks from any location with an internet connection. With that connection, they can carry out their attacking activities, including controlling a computer located in one place in order to perform phishing and pharming attacks using a computer located elsewhere. Investigation is also harder because the attack tasks are divided among several people in different locations.
Brand Reputation Damage
Phishing attacks also damage brand reputation: people's trust in a brand is reduced if they receive phishing email purporting to be from that brand.
In addition, brand reputation may also be damaged if the brand loses its consumer data files or its consumers' sensitive information is stolen.
Impacts on IT Resources and Administrator
Phishing and pharming attacks may also seriously affect both IT resources and their administrators. Phishing emails sent in large quantities can take up the free space of the email server, which can reduce the email server's performance.
After a phishing attack, the administrator of the IT resources may need to repair the system in order to clean it of the infection. The IT administrator may need to perform tasks such as patching the system, shutting down applications and services, filtering Transmission Control Protocol (TCP) ports and applying hotfixes. To reduce the chance of being attacked by phishing and pharming in the future, the IT administrator may also need to educate end users.
How to Prevent and Stop Phishing and Pharming Attacks
Phishing and pharming attacks are on the rise. People have come up with a number of ways to remediate or minimize the chance of being attacked by phishing and pharming.
Secure Sockets Layer Certificate
First of all, on the website developer's side, an SSL (secure sockets layer) certificate can be used to protect the website by establishing the website's identity, because an SSL certificate cannot easily be duplicated and is also good at alerting users to phishing and pharming attacks. The address of a website protected by an SSL certificate starts with HTTPS rather than HTTP.
Phishing and pharming can also be prevented by using visual cues on the authentic website, so that users can differentiate the authentic website from a fraudulent one. The visual cue can be as simple as a symbol in a colored box, and it remains the same every time the user logs into the website. Identity Cues is one program that can be used to provide visual cues for a website.
Token Based Authentication
On the web developer's side, a technique like token-based authentication can also be used to prevent phishing and pharming because it provides an extra layer of security. It is suitable for preventing phishing and pharming because a time-based token is hard for attackers to duplicate.
Switch Off Recursive Queries
Apart from using an SSL certificate or visual cues to protect the website from phishing and pharming attacks, the DNS server in use should also be secured by switching off recursive queries, so that DNS cache poisoning does not work effectively.
Install DNS Security Extensions
To secure the DNS server, DNSSEC (DNS Security Extensions) should also be installed to protect the DNS server from phishing and pharming attacks.
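The two DNS hardening steps above (turning off recursive queries, or at least limiting them to local clients, and enabling DNSSEC validation) can be audited from the server's configuration. The following is an added example, not code from the original report: it checks the `options` block of a BIND 9 named.conf, using the real BIND directives `recursion`, `allow-recursion` and `dnssec-validation`; the weak and hardened configuration snippets are constructed for the example.

```python
"""Audit a BIND 9 named.conf options block for the two DNS hardening steps
the report recommends against pharming: no open recursion, and DNSSEC
validation turned on.
"""
import re

# Constructed: a resolver that answers recursive queries from anyone and
# does not validate DNSSEC signatures (the state the report warns about).
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation no;
};
"""

# Constructed: the corrected configuration for an authoritative-only server.
HARDENED_CONF = """
options {
    directory "/var/named";
    // Refuse recursive queries from everyone.
    recursion no;
    // Validate signatures using the built-in root trust anchor.
    dnssec-validation auto;
};
"""

# One statement: a directive name, then either a { ... } block or a simple
# value, terminated by a semicolon.
_STMT = re.compile(r"([\w-]+)\s*(\{[^}]*\}|[^;{]*)\s*;")


def parse_options(conf_text):
    """Return {directive: value} for the statements inside options { ... }."""
    text = re.sub(r"(//|#).*", "", conf_text)          # strip comments
    block = re.search(r"options\s*\{(.*?)^\};", text, re.S | re.M)
    if not block:
        return {}
    return {m.group(1): m.group(2).strip() for m in _STMT.finditer(block.group(1))}


def audit_options(opts):
    """Return a list of findings; an empty list means both checks pass.

    Absence of a directive is reported as a finding on purpose: the safe
    state should be stated explicitly rather than inherited from defaults.
    """
    findings = []
    recursion = opts.get("recursion")
    if recursion is None:
        findings.append("recursion not set explicitly: add 'recursion no;' "
                        "(or 'allow-recursion { ... };' for local clients only)")
    elif recursion == "yes" and "allow-recursion" not in opts:
        findings.append("open recursive resolver: set 'recursion no;' or restrict "
                        "with 'allow-recursion { ... };' to local clients only")
    if opts.get("dnssec-validation") not in ("yes", "auto"):
        findings.append("DNSSEC validation not enabled: set 'dnssec-validation auto;'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_options(parse_options(conf)) or ["ok"])
```

A caching resolver that must serve a LAN keeps `recursion yes;` but adds an `allow-recursion` list of local networks; the audit accepts that combination.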
User Self Awareness
Users also play an important role in preventing phishing and pharming attacks. As a user, they should not trust or open any email sent by an unknown sender, or an email sent by a bank that requires the recipient to respond to it, such as by verifying their account. In addition, when a user visits a website with SSL certificate protection and a message is displayed saying "your exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate", the user should confirm whether the website gave this message before, or check that the web address in the address bar is the same as the site they want to access. This message is normally displayed when the server's SSL certificate does not match the website's URL. Users can also look for the "lock" or "key icon" at the bottom of the browser that locks the site where they want to enter their sensitive personal information.
Install Security Suite
On the user's computer, a security suite or firewall should also be installed to protect the computer against phishing and pharming. Security suites that can be used to prevent or detect phishing and pharming attacks include AdAware, Windows Defender and Spybot Search and Destroy. After installing such a security suite, the user needs to make sure that its detection definitions are up to date so that it provides maximum protection for the computer.
Web Browser Phishing and Pharming Prevention Tools
Some additional tools are also available for web browsers to prevent phishing and pharming attacks. These include Google Safe Browsing, the Netcraft toolbar, the Microsoft Phishing Filter for the MSN toolbar, the Cloudmark Anti-fraud toolbar and PhishingGuard.
Report Phishing and Pharming Attacks
As a user, they are also responsible for reporting to the related company or agencies when they are attacked by phishing or pharming. They should report the tactics used by the attacker to lure users into providing their sensitive personal information, or report it to law enforcement agencies via the internet or telephone. These actions help to stop phishing and pharming attacks.
Anti-Phishing Act By Government
Preventing phishing and pharming is not only the responsibility of web developers and users; the government is also responsible for fighting against phishing and pharming. In the United States, an act called the Anti-Phishing Act of 2005 was introduced to fight against phishing attacks. This act was introduced by Sen. Patrick Leahy in the United States Senate. It introduced two new crimes into the United States Code: prohibiting the creation or procurement of a website, and prohibiting the creation or procurement of an email, that pretends to be from a legitimate business and tries to solicit targeted victims' sensitive personal information. Phishers can be charged under these laws whether or not they successfully gather sensitive information through the phishing attack; they could spend up to 5 years in prison or may also have to pay a $250,000 fine.
Do The Laws Stop The Attacks?
Case 1: Jailed for Identity Theft
Twenty-eight people in seven countries, including the United States, were arrested for trafficking stolen bank and credit card numbers and personal information over the internet.
Those twenty-eight people were members of Shadowcrew.com. The members' operations came into the sights of US Secret Service agents two years after they had set up the identity theft ring. The Secret Service operation was helped by a former gang member turned informant in autumn 2004. The goal of the operation was to target the top-tier people operating Shadowcrew.com.
After a year-long investigation, twenty-eight people were arrested, some of them still trading when police arrived.
One of those arrested, Wellman, 35, from Liverpool, was sentenced to six years for his part in the conspiracy.
Another three, Smith, 22, from Camberley, Surrey, Murphy, 24, from Northwich, Cheshire, and Kotwal, 25, from Bolton, were jailed for nine months.
Case 2: Jailed for Running Bogus MSN Billing Website
Jayson Harris, 23, was sentenced to 21 months for running a bogus MSN billing website between January 2003 and June 2004. Spam email was sent to recipients encouraging them to visit the site via an included link, telling MSN customers that they would get a 50% discount on the next month's service by updating their account information and credit card number at the site. Harris was then tracked down by Microsoft, which was involved in the FBI's investigation into the fraud.
Case 3: Jailed for Six Years for Defrauding Up to 1.6m
Peter Francis Macrae, 23, from St Neots, Cambridgeshire, was arrested after threatening Nominet UK, the registry that controls the dot-uk domain. Because Nominet had warned businesses not to fall for the bogus invoices, Francis Macrae launched a botnet attack on the organization's systems using 200,000 zombie computers. He was jailed for six years for defrauding up to 1.6m. He had tricked thousands of businesses into registering a dot-eu domain name by sending fraudulent emails to companies saying that they needed to pay a renewal fee to avoid losing their existing domain name.
Laws Did Stop The Attacks
Study of the three cases shows that the laws of the Anti-Phishing Act did successfully punish the attackers who performed phishing attacks, with jail terms of at least nine (9) months and at most six (6) years. None of the attackers in the cases studied was punished by a cash fine.
Phishing is the use of social engineering, through online imitation of brands, to send spoof emails containing hyperlinks to fraudulent websites that solicit the user's sensitive personal information such as credit card numbers, PINs, mother's maiden name and so on. Phishing can also be done by installing a keylogger on the user's computer.
Pharming uses technical subterfuge such as DNS hijacking, DNS cache poisoning, domain hijacking, and misconfiguration of a router's settings or firmware to redirect users to a fraudulent website. Pharming may also be performed by sending the targeted victims an email containing a virus or Trojan horse that installs a small program which redirects the user to a fraudulent website.
Both phishing and pharming cause impacts. These include financial loss, loss of time and wages, undermining of user confidence in secure online transactions and communication, hard hits to small organizations, and harder law-enforcement investigation.
As a web developer, an SSL certificate, switching off recursive queries, or DNS Security Extensions should be applied, because these can protect the DNS server or website from phishing and pharming attacks. Visual cues can also be used so that users can easily differentiate an authentic website from a fraudulent one. Token-based authentication is another technique that can be applied to protect the website or DNS server from phishing and pharming attacks.
Users are also responsible for protecting themselves from phishing and pharming attacks by not opening emails or downloading attachments from unknown senders, or emails that require the user to respond by clicking a hyperlink in the email. Users should also double-check the URL in the address bar when a warning message like "SSL certificate does not match the site" appears. Users can also install a security suite or firewall on the computer to protect themselves from phishing and pharming, and can look for the "lock" or "key icon" at the bottom of the browser that locks the site where they want to enter their sensitive personal information.
As a user, they can also report the attack of phishing and pharming to the related agencies or company through internet or telephone to assist the work of minimize the attack. In addition, laws are also being introduced to against phisher and pharmer.
After having looked back on the report, I tried to find out what needed to be done so that the report could be improved and made better. Through the research, much knowledge was gained on phishing and pharming attacks, such as how phishing and pharming attacks are carried out and the impacts caused by them. Last but not least, knowledge of how to prevent being attacked by phishing and pharming was also gained. Truth be told, the research is quite huge and detailed. It takes a lot of time in this part. To do a complete research on phishing and pharming is not impossible, but it will take time to do it. At this moment, the research is just enough to complete the report. After finishing the report and presentation, free time might be spent doing more research on it. As said just now, the knowledge earned might be useful in future, because knowledge is power.
As for the research that was done, an adequate amount of time was spent on it, and adequate methods and approaches were used to get the information. The method used was research on the internet, because it is free, the information is up to date, and many sources are available for the topic.
A particularly dangerous type of spam, commonly known as "phishing", attempts to trick recipients into disclosing sensitive personal information, such as login names, passwords or credit card information. It works by asking users to click on a link to log in to their account and update certain information. Visitors are instead directed to counterfeit websites which are exact duplicates of the actual website. Any information entered into the counterfeit website is then captured and stolen for identity theft. Favorite targets are eBay, PayPal and other well known financial institutions...
In the interest of originality, the body of the message is left unaltered as much as possible. But for security reasons, and to protect the reputation of our own website from being seen as linking to bogus websites, the links in the spam message have been disabled. Placing your mouse over them will show the original URL it intended to link to, but clicking on them will bring you to spamhaus.org, a non-profit organization for combating spam.
The email message it is being spread with looks perfect:
It is much more convincing than the usual phish stuff. The sender is spoofed, and the link is masked. But even further: if the link is examined, it turns out it leads to the following URL: 'http://usa.visa.com/track/dyredir.jsp?rDirl=http://188.8.131.52/.verified/'. And this is a URL that is really on the visa.com site! It turns out that the phishers have used an open redirect page on the visa.com site to redirect to the phish server.
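The fix on the site owner's side is to validate the target of a redirect parameter before following it. The following is an added example, not code from the page or from visa.com; the endpoint path, the parameter name `rDirl` and the allowed-host list are assumptions modelled on the URL quoted above.

```python
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlparse

# Hosts the redirect endpoint may send a user to (assumed allowlist).
ALLOWED_REDIRECT_HOSTS = {"usa.visa.com", "www.visa.com"}


def is_allowed_host(host: str) -> bool:
    """True if host is an allowed host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_REDIRECT_HOSTS)


def resolve_redirect(param_value: str, base_url: str) -> Optional[str]:
    """Return the absolute URL the redirect would go to if it is safe, else None.

    Relative paths are resolved against our own site. Absolute URLs on other
    hosts, protocol-relative URLs ('//evil'), userinfo tricks ('ours@evil') and
    non-http schemes (javascript:, data:) are all rejected.
    """
    candidate = urljoin(base_url, param_value)
    parsed = urlparse(candidate)
    if parsed.scheme not in ("http", "https"):
        return None
    if not parsed.netloc or "@" in parsed.netloc:
        return None
    if not is_allowed_host(parsed.hostname or ""):
        return None
    return candidate


def check_redirect_url(url: str, param: str = "rDirl") -> Optional[str]:
    """Extract the redirect parameter from a full request URL and validate it."""
    parsed = urlparse(url)
    values = parse_qs(parsed.query).get(param)
    if not values:
        return None
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    return resolve_redirect(values[0], base)
```

A request whose redirect target fails this check should be answered with the site's own landing page, not with the supplied URL.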
The fraudulent website that supports the phishing email is designed to mirror the legitimate website it purports to be. The fraudsters use multiple methods to do this, including genuine-looking images and text, disguising the URL in the address bar, or removing the address bar altogether. The purpose of the website is to trick consumers into thinking they are at the company's genuine website, so that they give their personal information to the trusted company they think they are dealing with.
Genuine Looking Content
Phishing websites use copied images and text, and in some cases simply mirror the legitimate website. They contain the normal links found on the website, such as contact us, privacy, products and services. The user recognizes the content from the genuine site and is unaware they are not on the genuine website.
Similar looking URL to Genuine URL
Some phishing websites have registered a domain name similar to that of the organization they appear to be from. For example, one phishing scam we received targeting Barclays Bank used the domain name "http://www.barclayze.co.uk". Other examples use a sub-domain such as "http://www.barclays.validation.co.uk", where the actual domain is "validation.co.uk", which is not related to Barclays Bank.
Form - Collection of Information
The most common method of collecting information in phishing scams is a form on the fake website. The form is normally displayed in the same format as the one on the genuine website. This may be an internet banking log-in, or a more detailed form for "verification" of personal details, with many fields for sensitive personal information.
Incorrect URL, not disguised
Some phishing scam websites do not even attempt to disguise their URL, and simply hope that the user does not notice. Some use a bare IP address, displayed as numbers in the user's address bar.
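The two URL tricks described above (lookalike registrations such as barclayze.co.uk, brand names placed in a sub-domain of an unrelated domain, and bare IP hosts) can be checked mechanically against the domain the user expects. This is an added example, not code from the page; the tiny public-suffix table is a constructed stand-in for the real Public Suffix List, and the edit-distance threshold of 2 is an assumption.

```python
import ipaddress
from typing import List
from urllib.parse import urlparse

# Constructed subset; a real check loads the full Public Suffix List.
PUBLIC_SUFFIXES = {"co.uk", "uk", "com", "org", "net"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: www.barclays.validation.co.uk -> validation.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value flags a one- or two-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(url: str, brand_domain: str) -> List[str]:
    """Heuristics triggered by url when the user expects brand_domain (e.g. barclays.co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    findings: List[str] = []
    try:
        ipaddress.ip_address(host)            # numeric host, no domain at all
        return ["raw-ip-host"]
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg == brand_domain:
        return findings                       # genuine domain or one of its sub-domains
    brand_label = brand_domain.split(".")[0]
    if 0 < edit_distance(reg.split(".")[0], brand_label) <= 2:
        findings.append("lookalike-domain")
    if brand_label in host and brand_label not in reg:
        findings.append("brand-in-subdomain")
    return findings or ["unrelated-domain"]
```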
URL Spoofing of Address Bar (Fake)
Figure 1 (Phishing WebSite Method A): Fake address bar displayed. Notice the change in colour on the right? You can also observe that if you click on the drop-down arrow on the address bar, the history is empty.
Figure 2 (Phishing WebSite Method A): A closer look. Right-click on a toolbar and tick "Address Bar". This shows the correct address bar with the correct URL.
Hovering Text Box over Address Bar
This form of URL spoofing places a text object with a white background over the URL in the address bar. The text object contains the fake URL, which covers the genuine URL.
Figure 3 (Phishing WebSite Method B): Fake address bar displayed using a hovering text box. Virtually impossible to pick when glancing at the address bar.
Figure 4 (Phishing WebSite Method B): A closer look. Select Properties from the File menu. The properties box shows the correct URL, while also highlighting the white text box hovering over the address bar.
Pop Up Windows
This form of deception uses script to open a genuine webpage in the background while a bare pop-up window (without address bar, toolbars, status bar or scrollbars) is opened in the foreground to display the fake webpage, in an attempt to mislead the user into thinking it is directly associated with the genuine page. (See figure 6 below)
Figure 5 (Phishing WebSite Method C): Genuine Citibank webpage displayed in the background, while the fake webpage is displayed in a pop-up window in the foreground.
Trojans / Spyware
Trojans and worms are sent to the user as an email attachment, purporting to serve some purpose such as a greeting or an important file, or arriving as some other type of spam email. The attachment is a program that exploits vulnerabilities in web-browsing software to force a download from another computer on the internet. That file downloads further files and code, which eventually install a fully functional Trojan.
The Trojan is designed to harvest, or search for, personal banking information and passwords, which many people keep on their computer. This information is then sent to a remote computer on the internet.
Other worms have been known to hijack the user's HOSTS file, which causes an automatic redirection to a fake phishing website when the user types a specific URL (normally that of a specific financial institution) into the address bar of their browser.
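Because a HOSTS entry bypasses DNS entirely, any static entry for a bank's domain on an end-user machine is a finding worth raising. Below is an added example (not code from the page) that parses a HOSTS file and reports entries for monitored domains; the file contents, the IP 203.0.113.7 and the domain examplebank.com are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed HOSTS file content as it might look after a hijack.
SAMPLE_HOSTS = """# standard entries
127.0.0.1       localhost
::1             localhost
# entries a worm might append
203.0.113.7     www.examplebank.com examplebank.com
203.0.113.7\tonline.examplebank.com   # trailing comment
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; one line may map an IP to several names."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        parts = line.split()                      # tabs and spaces both separate fields
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed line, not a mapping
        pairs.extend((ip, n.lower().rstrip(".")) for n in names)
    return pairs


def find_hijacked(text: str, monitored: Set[str]) -> Dict[str, str]:
    """Map each monitored hostname (or sub-domain of one) found in the file to its IP.

    The browser never consults DNS for these names, so whatever address the
    entry gives is where the user will land when typing the bank's URL.
    """
    hits: Dict[str, str] = {}
    for ip, name in parse_hosts(text):
        if name in monitored or any(name.endswith("." + m) for m in monitored):
            hits[name] = ip
    return hits
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.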
Spyware such as keyboard loggers captures information entered at legitimate websites, such as internet banking sites. This type of spyware can be planted on a user's computer by a previous worm or Trojan infection. Any information the spyware captures is sent to a predetermined computer on the internet.
A recent phishing scam used the link in the email to direct the user's browser to a site that first downloaded keyboard-logging spyware before redirecting the user to the genuine internet banking website. This spyware captured the login information entered and sent it to the fraudsters via a remote computer on the internet.