Phishing is an online scam in which people are lured to fraudulent web sites, mostly by authentic-looking emails, and asked to divulge personal information such as their user names, passwords, account numbers, addresses, personal identification numbers (PINs), and so on. The phisher, or modern con artist, then uses this information to appropriate the victim’s identity and withdraw money from his or her bank account, run fraudulent online auctions, apply for credit cards, obtain loans, launder money, and engage in a variety of illegal online activities. While these schemes are focused on individual consumers, the institutions that phishers impersonate are also victims: their brand and hard-earned reputation are damaged. Banks are the most common targets of phishing attacks, but more and more, such attacks are being carried out against auction sites, payment sites, social networking sites, online brokerages, gambling web sites, and online merchants.
This form of fraud has become an unfortunate and thriving economic reality. Online phishing can be traced back as far as 1996[1] and has escalated swiftly: the number of unique phishing web sites detected by the Anti-Phishing Working Group rose to 55,643 in April 2007, a massive jump from March’s 20,871.[2] Similarly, PhishTank (a collaborative clearinghouse for data and information about phishing) received 53,263 submissions of suspected phishing sites in May 2007, of which 43,789 were verified.[3] A more accurate measurement of phishers’ activities is the number of corporate brands attacked. According to the MarkMonitor Brandjacking Index™, a quarterly report that measures the effect of online threats to brands, the number of brands phished each month reached an all-time high of 229 in March 2007.
Phishing is a serious threat not only to consumers and companies but also to the general perception of the Internet’s suitability for business transactions. A recent poll of 2,120 American adults conducted by the Wall Street Journal and Harris Interactive confirmed online businesses’ worst fears: 30 percent of those polled said they limit online transactions, and 24 percent limit online banking transactions.
Of particular cause for alarm is the growing threat presented by the Phish Gang, a formidable twist on the standard phishing scheme that has garnered tremendous amounts of money for its perpetrators. They are clearly not an average group of thieves, but rather a sophisticated international crime syndicate that has a talented IT staff. By exploiting high-availability practices to achieve system redundancy and horizontal scaling, and relying on a geographically dispersed system, the Phish Gang has developed a methodology that makes them very difficult to defeat using standard anti-phishing measures. Ironically, their success relies on many of the information technology best practices that legitimate companies use to ensure business continuity.
The Typical Phish
In a typical phishing attack, the perpetrator sends out enormous amounts of spam (unsolicited commercial email) including links to fraudulent web sites that are under the control of the attackers. This means that the first step of a successful phishing attack is to evade recipients’ spam filters. Anyone with an email account has been inundated by spam in recent years, and phishers rely on the fact that as spam filters analyze billions of emails a day, dangerous ones can slip by. The phishing email must look legitimate enough that the victim believes it is a genuine communication from a legitimate business. In addition, the phishing email has to entice the victim to act on it (and hand over personal information), perhaps by reporting a fake transaction that needs to be cancelled or requesting account maintenance. Thus, phishing is not purely a technology problem: it is a combination of social engineering and technology prowess. Though phishers rely on technology to carry out their attacks, consumers must take the bait and then voluntarily provide sensitive information for attacks to succeed.
When a victim is persuaded to act by a phishing email, he connects to a fake web site by clicking on a link in the email. A web browser window opens and takes him either directly or through a series of redirects to the spoofed (fraudulent) web site. Once the victim arrives at the web site, he is presented with a web page that looks like a legitimate company page; usually these pages contain mock corporate logos, privacy policies, and links to report fraud. The victim then fills in his personal information, which is transmitted to the attackers or stored in a text file on the server. Typically, the attacker sells the information to other criminals who then engage in fraudulent transactions.
The fake web site is normally hosted on a compromised web server, one which has been exploited by the phishing attacker for this purpose. The attacker may also use rapidly provisioned free web space, such as that provided by a social networking site, which is usually untraceable, although that is becoming less common. The URL pointing to the fake web site usually contains some wording that impersonates the organization being attacked. For example, if the attacker has compromised the server at http://www.site.com, he may then send victims to http://www.site.com/bankname.com where "bankname" represents the institution being impersonated. This fools naive users, who quickly scan the URL for "bankname" and, when they see it, decide that the link is legitimate. The registered domain that actually serves the page is site.com; "bankname" appears only in the path, which the attacker controls freely.
There are a number of variations on this theme. Phishers may put the server’s IP address in the URL instead of a hostname, so that no domain name at all is visible to the victim. They may also go so far as to register fake domain names, such as securesite.com, and then create a sub-domain that includes a variation of the legitimate institution’s domain name, such as: http://www.bankname.securesite.com/. Again, the only part of that hostname the registrant had to own is securesite.com; everything to the left of it is chosen by the attacker.
Recent study shows that the Phish Gang has employed several techniques that make them more difficult to defeat than other phishers. In an elaborate, multi-tiered scheme, they use the stolen credentials of their victims to register multiple domain names at multiple registrars. These domain names are usually short and meaningless, such as "342egt.info". The gang then hosts their own authoritative DNS servers using wildcard "A" records to provide name-to-IP service for each of the fraudulently registered domain names, so any hostname under such a domain resolves without a separate DNS entry. The IP addresses used (and there may be upwards of 100 at a time) point to multiple compromised PCs. These PCs are part of a botnet, which acts as a layer of proxy connections to a handful of servers that host phish pages for up to 20 fake web sites at a time.
Challenges Presented by Phishing
The difficulty of preventing this technique is that each layer of the phisher’s infrastructure (DNS, proxy server, back-end server) contains redundancies and variations. The advantage to phishers of implementing a distributed architecture is that attacks can continue unfettered when any one element of the system is shut down: a traditional phishing site can be defeated by removing the hosting web site or domain, but the Phish Gang’s sites share hosts and domains; if one is removed, the site automatically switches to another.
It is extremely difficult to track Phish Gang attacks all the way through to the back-end server. The rapid cycling through domain names and IP addresses makes them appear to be always on the move and leaves much of the international security community in a quandary; the Phish Gang seems to be able to bring up countless combinations of multiple tiers in their attacks. This matrix of sites provides a robust system with many levels of failover. If a domain server is taken down, then name-to-IP services fail over to another domain server. If a proxy server running on a compromised host is taken down, then the proxy services fail over to another compromised host. Although they will typically only be using 10 to 20 such hosts at a time, the Phish Gang is known to be in control of a multitude of compromised web servers, which are commissioned as needed.
To defeat site-blacklisting techniques such as those employed by PhishTank, Google, and many other anti-spam and anti-phishing services, the Phish Gang uses large numbers of slightly varied URLs to draw victims to their fraudulent web site, such as these:
http://welcome23.bank.com.cbibsweb168st.342egt.info/confirm/submit.do/
http://welcome24.bank.com.cbibsweb59121j.342egt.info/confirm/submit.do/
http://welcome22.bank.com.cbibsweb146121k.342egt.info/confirm/submit.do/
http://welcome24.bank.com.cbibsweb574721a.342egt.info/confirm/submit.do/
MarkMonitor has seen as many as 5,000 unique URLs targeting a single organization within a one-month period. This high number indicates that approximately 50 percent of all active phishing URLs during a given period can be attributed to the Phish Gang. As long as a single URL can still be resolved to a single IP address, the attack is still fully functioning and dangerously harvesting information. Many combinations of URLs, domains, DNS servers, compromised hosts providing proxy services, and back-end servers can exist. Blocking individual URLs therefore cannot keep pace; the unit worth blocking is the fraudulently registered domain that all of the variants share.
The Phish Gang has evolved—now, the initial spam email they send to their victims is likely to contain random text followed by a GIF image containing the actual phishing message. Spam filters currently lack an effective means to analyze this GIF image and thus are ineffective. Many analysts estimate that between one third and one half of all phishing email can be traced back to the Phish Gang.
Unfortunately, the successful sophisticated techniques employed by the Phish Gang have motivated other phishers to emulate their methods. These copycats use similar tactics, such as registering bogus domains and using large numbers of variations of URLs. These attacks are much more difficult to defeat and represent an increased threat to consumers and institutions doing business on the Web.
It is difficult, if not impossible, to distinguish between the Phish Gang’s attack on a bank and a copycat’s attack on an online payment service, as shown by the URLs each used:
Bank:
http://session-05856.bankname.com.kitrt.cn/corporate/onlineservices/TreasuryMgmt/
http://session-101101156.bankname.com.dllet.bz/corporate/onlineservices/TreasuryMgmt/
http://session-101101186.bankname.com.dllet.bz/corporate/onlineservices/TreasuryMgmt/
Online Payment Service:
http://www.onlinepaymentservicename.com.156254.oagty79a.com/cmd-confirm/login.php
http://www.onlinepaymentservicename.com.177461.aaasjpa0.com/cmd-confirm/login.php
http://www.onlinepaymentservicename.com.306716.oagty79a.com/cmd-confirm/login.php
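The URL shapes above, together with the http://www.site.com/bankname.com and http://www.bankname.securesite.com/ patterns described earlier, all share one weakness from the defender’s side: the brand name sits in a part of the URL the attacker controls (a subdomain label, a path segment, or nothing at all behind an IP literal), while the registrable domain is something else entirely. The following Python script is an added illustration, not code from the article or from MarkMonitor. It reduces each URL to its registrable domain, flags brand names that appear outside a brand’s own domain, and clusters URL variants by domain so that thousands of variants collapse to the handful of domains that actually need to be blocked. The brand names, the "legitimate domain" allow-list, the abbreviated suffix table and the 192.0.2.10 address are constructed assumptions; a real deployment would load the full Public Suffix List and the organization’s real domain inventory.

```python
"""Flag brand-impersonating URLs and collapse URL variants to their
registrable domain.  Added illustration; brand names, legitimate domains
and the suffix table are constructed assumptions, not data from the
original article."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Abbreviated stand-in for the Public Suffix List (assumption: a real
# deployment loads the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "cn", "bz", "co.uk"}

# Hypothetical monitored brands and the domains they really own (assumption).
MONITORED_BRANDS = {"bankname", "onlinepaymentservicename", "bank"}
LEGITIMATE_DOMAINS = {"bankname.com", "onlinepaymentservicename.com", "bank.com"}


def is_ip_literal(host):
    """True when the host part of the URL is a bare IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Return the registrable domain (public suffix plus one label) of a hostname.

    The tail of the name is checked against the suffix table, longest tail
    first, so 'www.example.co.uk' yields 'example.co.uk' and
    'welcome23.bank.com.cbibsweb168st.342egt.info' yields '342egt.info'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def classify_url(url):
    """Return (registrable_domain, reasons); an empty reasons list means no finding."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if is_ip_literal(host):
        return host, ["IP-address host hides the domain entirely"]
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return domain, []  # the brand's own domain: nothing to flag
    reasons = []
    # Every label left of the registrable domain was chosen by the registrant,
    # so a brand name there proves nothing about who serves the page.
    subdomain_labels = host[: -len(domain)].rstrip(".").split(".")
    for brand in sorted(MONITORED_BRANDS):
        if brand in subdomain_labels:
            reasons.append(f"brand '{brand}' appears as a subdomain label of {domain}")
        elif brand in parts.path.lower():
            reasons.append(f"brand '{brand}' appears in the path on {domain}")
    return domain, reasons


def cluster_by_domain(urls):
    """Group URL variants by registrable domain, the unit a takedown targets."""
    clusters = defaultdict(list)
    for url in urls:
        domain, _ = classify_url(url)
        clusters[domain].append(url)
    return dict(clusters)


# Constructed sample input: the URL shapes quoted in the article plus two
# extra cases (an IP literal and the brand's own site).
SAMPLE_URLS = [
    "http://welcome23.bank.com.cbibsweb168st.342egt.info/confirm/submit.do/",
    "http://welcome24.bank.com.cbibsweb59121j.342egt.info/confirm/submit.do/",
    "http://welcome22.bank.com.cbibsweb146121k.342egt.info/confirm/submit.do/",
    "http://session-05856.bankname.com.kitrt.cn/corporate/onlineservices/TreasuryMgmt/",
    "http://session-101101156.bankname.com.dllet.bz/corporate/onlineservices/TreasuryMgmt/",
    "http://www.onlinepaymentservicename.com.156254.oagty79a.com/cmd-confirm/login.php",
    "http://www.bankname.securesite.com/",
    "http://www.site.com/bankname.com",
    "http://192.0.2.10/bankname/",  # constructed IP-literal case (documentation range)
    "http://bankname.com/login",    # the brand's real site: must not be flagged
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        domain, reasons = classify_url(url)
        print(f"{domain:16} {'FLAG' if reasons else 'ok  '} {url}")
        for reason in reasons:
            print("    -", reason)
    print({d: len(v) for d, v in cluster_by_domain(SAMPLE_URLS).items()})
```

Run as a script, the three 342egt.info variants land in one cluster, and the brand’s genuine domain passes untouched; the design choice worth noting is that the check keys on the registrable domain rather than on substrings of the URL, which is exactly the distinction the welcome23/welcome24 variants are built to blur.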