Last year, researchers at Indiana University performed a fascinating study on the potential impact of a phishing attack that included some form of relevant context. It was felt that it wouldn't be much longer before phishers harnessed the power of contextual techniques. The academic work I'm referring to, entitled "Social Phishing", involved an experiment where researchers at Indiana University first mined available resources (social networking sites, etc.) to determine who was friends with whom. Then, they launched a mock phishing attack to see how individuals responded to a phishing email when the message was forged to appear as if one of their friends had sent it. It turned out that 72% of email recipients fell for the ruse and divulged sensitive credentials (compared to 15% in the "control" group that received an email from a random stranger).
At the time of the study, we weren't really aware of phishers trying to use the same trick to increase the "conversion rate" on their attacks. But, that is no longer the case. Consider two relatively recent attacks—one involving Yahoo! and the other involving AT&T.
In the Yahoo! scam, unsuspecting victims received a message (via Yahoo! Messenger) from a "friend" of theirs. The message asked them to click on a link using some guise, such as inviting them to check out some online photos. The link took them to a Geocities page, where the victims were asked to enter their Yahoo! login credentials. The phishers, lying in wait, had access to the login credentials just as soon as they were entered. At this point, the phishers logged into the victim's Yahoo! account using the newly provided username and password, fired up Yahoo! Messenger, and repeated the attack.
The AT&T attack was a little more involved. In this case, malicious attackers actually broke into one of AT&T’s back end systems that stored data for customers who had recently ordered DSL-related equipment. They then sent phishing emails to many of these individuals. To make the email look realistic, they included information that would be familiar to the customer, such as the last four digits of the victim's credit card number and their home address. The email also made some claim about a recent order requiring the victim's attention and led the victims to a site where they were asked to provide additional information, such as their social security number and birth date. Who knows how many people fell for this attack?
These attacks point to a larger trend that we are starting to see: phishers are indeed getting more sophisticated. It used to be the case that you could infer an email's legitimacy by looking for a few select trust cues. That is no longer the case. The scales have tipped and now, more than ever, it's important to look for any clues that suggest an email is not legitimate. Until we can solve the phishing problem, or at least get to the point where it is no longer a big issue, many legitimate businesses that use email as a way to reach out to their customers will suffer.
• Phishing research at Indiana University: http://www.indiana.edu/~phishing/
• My colleague, Eric Chien, has posted some good blogs regarding IM phishing: http://www.symantec.com/enterprise/security_response/weblog/2006/07/hijacked_yahoo_im_accounts.html, and http://www.symantec.com/enterprise/security_response/weblog/2006/05/im_phishing_threat.html