Part I on Friday discussed the early days of phishing from relatively harmless spam to targeting the financial sector and then to an increasingly professional operation with serious consequences for both organizations and individuals.
The threat evolves further
In a technical sense, phishing has evolved in a number of ways. Phishers are conscious of the different anti-phishing technologies out there – many of which employ block lists of suspicious Web sites. Block lists work by matching the URL that appears in the address bar of the Web browser against a list of known phishing Web sites. If there is a match, the user is warned. To get around that, in September 2006 many phishers started randomizing the sub-domain portion of the URL. While these URLs all lead to the same site, no two are identical, so the technique circumvents basic block lists that match on the exact URL.
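As an added illustration (not code from the original post), the check below contrasts an exact-URL block list with one that matches on the registrable domain, so a randomized sub-domain no longer evades it. The block list, the URLs and the tiny suffix table are constructed stand-ins; a real deployment would use the Public Suffix List.

```python
# Added example: exact-URL block list vs. registrable-domain block list.
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "test"}

# Constructed sample block list of known phishing URLs (not real sites).
BLOCK_LIST = [
    "http://login.bank-example.test/secure/index.php",
    "http://update.example-bank.co.uk/verify",
]


def registrable_domain(host: str) -> str:
    """Return public suffix plus one label, e.g. 'bank-example.test'.

    Walks from the full host downwards so the longest suffix wins
    ('co.uk' is tried before 'uk').
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when no suffix is known


# Pre-compute the domains behind every listed URL once.
BLOCKED_DOMAINS = {
    registrable_domain(urlsplit(u).hostname or "") for u in BLOCK_LIST
}


def exact_match(url: str) -> bool:
    """Naive block list: flags only when the full URL is listed."""
    return url in BLOCK_LIST


def domain_match(url: str) -> bool:
    """Hardened check: compares registrable domains, so a random
    sub-domain prefix such as 'x7k2q9.' does not change the verdict."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in BLOCKED_DOMAINS
```

Matching on the registrable domain trades precision for recall: a single phishing tenant on a shared hosting domain would cause every other site under that domain to be blocked, which is why production lists pair this with the Public Suffix List and an allow list.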
Phishers are also privy to the fact that their pages are being viewed by security researchers and analysts looking to classify them and potentially take them down. So, they have started employing techniques whereby, when the actual victim visits a phishing page for the first time, he is prompted to enter sensitive information, but when that same page is later viewed by a researcher or analyst from a different location, the phisher serves up a different, benign-looking page.
Another common security technology is a two-factor authentication token that displays a frequently changing password. Each token displays passwords that are unique to a particular user, and users enter the password appearing on the token in addition to their regular one. The premise is that even if a phisher succeeds in stealing the user’s basic password as well as the one that appears on the two-factor token, he will not be able to empty the user’s accounts since the password appearing on the token will have changed by then. In July 2006, phishers demonstrated their ability to mount attacks in real time, using the stolen token password before it changed, thereby obliterating the protection provided by the two-factor token. However, two-factor tokens still have their merits. For example, they change the economics of phishing since they make resale of credentials in the underground markets more challenging. After all, who wants to buy an expired password?
To make the takedown of phishing sites more challenging, phishers have been employing a technique known as “fast-flux.” Here, the same phishing site is hosted on multiple compromised computers, and the actual machine presented to victims is chosen from among them, typically by rotating the IP addresses returned for the site’s domain name. Taking down the site on one machine is of little help since the same site hosted on a different machine will then take over the responsibility of extracting a victim’s sensitive information.
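As an added example (not from the original post), the following heuristic flags fast-flux candidates from repeated DNS lookups of the same name: a short TTL, many distinct addresses, and an answer set that keeps changing. The lookup records are constructed sample data using documentation address ranges, and the thresholds are assumptions to tune per environment.

```python
# Added example: fast-flux detection heuristic over repeated DNS lookups.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Lookup:
    ts: int              # seconds since the start of observation
    name: str            # queried host name
    ttl: int             # TTL of the A records, in seconds
    answers: frozenset   # set of A records returned


# Constructed sample data: one name whose answers rotate on every lookup
# with a short TTL, and one stable name for comparison.
LOOKUPS = [
    Lookup(0,   "secure-login.example.test", 180, frozenset({"203.0.113.10", "198.51.100.7"})),
    Lookup(200, "secure-login.example.test", 180, frozenset({"192.0.2.33", "198.51.100.7"})),
    Lookup(400, "secure-login.example.test", 180, frozenset({"203.0.113.55", "192.0.2.80"})),
    Lookup(600, "secure-login.example.test", 180, frozenset({"198.51.100.120", "203.0.113.9"})),
    Lookup(0,    "www.bank-example.test", 3600, frozenset({"192.0.2.1"})),
    Lookup(3700, "www.bank-example.test", 3600, frozenset({"192.0.2.1"})),
]


def fast_flux_candidates(lookups, max_ttl=300, min_ips=5, min_changes=2):
    """Return {name: stats} for names whose answers churn.

    A name is flagged when its average TTL is at most max_ttl, it has
    resolved to at least min_ips distinct addresses, and the answer set
    changed between consecutive lookups at least min_changes times.
    """
    by_name = defaultdict(list)
    for rec in lookups:
        by_name[rec.name].append(rec)

    flagged = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r.ts)
        distinct_ips = set().union(*(r.answers for r in recs))
        changes = sum(1 for a, b in zip(recs, recs[1:]) if a.answers != b.answers)
        avg_ttl = sum(r.ttl for r in recs) / len(recs)
        if avg_ttl <= max_ttl and len(distinct_ips) >= min_ips and changes >= min_changes:
            flagged[name] = {"distinct_ips": len(distinct_ips),
                             "changes": changes, "avg_ttl": avg_ttl}
    return flagged
```

Legitimate content-delivery networks also answer with short TTLs and many addresses, so in practice this heuristic is combined with ASN diversity of the returned addresses and with reputation data before a name is blocked.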
Not all “advances” in phishing techniques are technical. Many phishers have started using more advanced social tricks to make their attacks work better. For example, in May 2006 we saw an example of a phishing attack occurring over Instant Messenger (IM), where each victim received a phishing message appearing to be from someone they knew. When that victim accidentally divulged his IM password, the phisher logged in as the victim and then sent the same instant message to everyone in the victim’s IM contact book. The whole process was, of course, automated.
The expanding market
Phishing attacks seem to be heavily targeted at the United States. At last count, over 70% of the brands that are spoofed in a phishing attack are based in the U.S. Also, English seems to be the most popular language used in these attacks. This trend could, in part, be due to the international presence of many U.S. brands, as well as the prevalence of English speakers worldwide. It could also be due to limited staffing of organized phishing gangs, and the inability to find someone who can do an adequate job of translating phishing email and Web sites into other languages.
Of course, the U.S. is not the only country targeted, and English is not the only language seen. In fact, during the second half of last year, we saw brands from 31 different geographic regions targeted, and phishing sites in 16 different languages.
Also, the brands being targeted are not all well-known. Around October 2006, phishers launched a flurry of attacks targeting smaller credit unions and local banks in the United States. A disproportionate number of these banks were located in Florida – a state that has seen more than its fair share of traditional “offline” fraud because of its large elderly population. It’s a bit eerie to think about phishers targeting specific regions since it demonstrates that phishers are becoming more methodical in their approach.
Finding different ways to reach you
While email seems to be the dominant way by which phishers first attempt to reach victims, it is by no means the only way. As mentioned above, phishers have employed instant messages as well. Also, in the early summer of 2006, we saw examples of voice phishing – where attackers leveraged the low cost of voice over IP (VoIP) to either directly call their victims or provide victims with a phone number to call rather than pointing them to a Web site. The phishers would replicate the interactive voice response tree of the bank they were trying to impersonate, complete with on-hold music too! They were banking on the fact that users will not check the authenticity of a phone number before dialing it and providing their credentials. A related phishing twist involves sending messages over SMS to a victim’s phone. While the fundamental concept is pretty much identical, the means of execution differ slightly.
To get a sense of the trends, the best bet is to “follow the money.” Phishers have demonstrated a clear penchant for profiting from their activity, and I expect that they will continue to do what they can to increase their top line. I expect that we will see numerous techniques geared towards making sites more difficult to detect and extending their lifetime (most phishing sites only last a few days before being detected and taken down). I expect that financial institutions will continue to be the most heavily targeted entities, though phishers will always be on the lookout for different sectors to target.
I can think of specific attack approaches that phishers might try to leverage moving forward, but would rather not discuss those here – I don’t want to give any ideas to the phishers who might be reading this blog entry! (Though, quite frankly, I would be shocked if phishers hadn’t thought of these approaches already.)
In general, phishing is a challenging problem on many levels and there is no silver bullet that solves it. However, I’m not convinced that there needs to be a silver bullet either. The reality is that phishing is different from other types of online malicious activity we’ve observed in the past since it is purely profit driven. Phishers are concerned first and foremost with making money and probably care very little for notoriety and fame. Therefore, to make phishing go away, we do not need foolproof solutions, but rather need to develop countermeasures that make phishing unprofitable. Like traditional businesses, once phishers realize there is no money to be made, they will concentrate their efforts elsewhere.