Phishing 2006: The Year in Review
Now that we’re near the end of the year, I thought I’d spend some time looking back at the phishing threat and reviewing some of the noteworthy trends. There are three high-level aspects that I’d like to touch upon:
1) The overall increase in phishing activity
2) New phishing attack vectors
3) New antiphishing techniques
First, phishing activity has steadily increased during the course of 2006. We’ve seen increases in both the number of phishing Web sites that go up as well as the number of unique phishing emails being sent out. Most targets are in financial services, but phishers have expanded their scope to include retailers, social networking sites, service providers, government sites, and even certificate authorities.
In addition, we’re seeing semblances of “corporate” behavior in phishing attack patterns. For example, phishers seem to be working normal business workdays and, therefore, are less active during the weekends and summer months. Phishers are also taking a more business-oriented approach to their attacks, trying to hit targets that they perceive to be lucrative.
New attack vectors
Phishers have increased their attack vectors beyond just the traditional email directing you to a Web site. For example, we’ve seen phishing attacks that use email to get you to call a specific phone number, and some even use the phone to contact you in the first place. These so-called voice phishing or “vishing” attacks leverage voice-over-IP, a protocol that allows one to use the Internet as a medium for carrying voice traffic inexpensively. As a result, such attacks can be conducted cheaply enough that phishers might see a sufficient return on their investment. At the same time, there have not been many reported cases of such attacks, so it’s not clear if they will take off.
Another phone-related attack vector involves sending SMS messages to victims. This attack has been termed “smishing.” Here, a victim might receive a phone message saying that he or she will be charged $x per day if a fictitious order at a particular Web site isn’t cancelled. In a panic, the victim then visits the site to “cancel” the order. In the process the victim will end up with malicious software on his or her machine that could allow an attacker to take complete control over it.
Finally, instant messaging (IM) has been a third attack vector. Here, victims receive instant messages asking them to visit particular fraudulent sites. In one particularly nasty incarnation of this attack, the victim received the message from what appeared to be a friend. The victim was prompted to visit a Web site and was asked for the username and password associated with this IM account. When they were entered, the attacker then used those credentials to log into the victim’s account and repeat the same attack on all of the people in the victim’s contact book. The attacks were particularly powerful because they leveraged social context to make them that much more believable and successful.
New antiphishing techniques
There are a number of techniques that attempt to address the phishing problem. One of these is two-factor authentication. Here, your bank gives you a special hardware device that displays a random-looking number that changes every minute or so. When you log in to your account, you have to provide not only your username and password, but also the number displayed on the device at that moment. The hope is that even if you divulge your username and password (and the current number displayed on the device) to a phisher, he still won’t have the hardware device your bank gave you, so he won’t be able to enter the number on that device in order to log in as you.
Of course, if a phisher can steal your money the instant you divulge your information, then two-factor authentication is not going to be of much use. This past year we saw phishing attacks that could operate at such speeds. From a technology perspective this attack wasn’t all that innovative, but it was the first time we saw phishers actually implement it.
Phishers are also taking measures to circumvent block lists. These are lists of known phishing sites that many antiphishing products make use of. The idea is simple. If you try to visit a site that’s on the block list, then you are simply warned or directly blocked. To get around this mechanism, phishers are heavily leveraging unique URLs that are designed for one-time usage. However, these URLs all point to what amounts to one Web site. In some cases, we’ve seen thousands of such distinct URLs pointing to the same site.
This technique can foil naïve block lists since the URLs are discarded after one use – so even if they make it on to the block list initially, they don’t block future unique URLs. In the antiphishing technologies Symantec builds, such as those available in Norton Internet Security and Norton Confidential, we also include heuristic-based zero-hour phishing protection mechanisms. These techniques allow us to detect phishing sites immediately without having to rely solely on block lists.
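To make the block-list point concrete, here is an added example of my own (not the logic of any Symantec product) that contrasts an exact-URL block list with one keyed on the canonical site; the host name and one-time tokens are constructed placeholders on the reserved `.invalid` domain.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical, not real indicators): one reported
# phishing URL, then several one-time URLs that all lead to the same site.
REPORTED_URL = "http://login-example.invalid/verify?id=a1b2c3"
OBSERVED_URLS = [
    "http://login-example.invalid/verify?id=a1b2c3",      # the exact reported URL
    "http://login-example.invalid/verify?id=d4e5f6",      # fresh per-victim token
    "http://LOGIN-EXAMPLE.invalid:80/verify/?id=g7h8i9",  # same site, cosmetic changes
    "http://example.invalid/verify?id=a1b2c3",            # an unrelated site
]


def naive_blocklist_hit(url, blocklist):
    """Exact string match: this is all a naive block list does, so any
    URL with a new one-time token slips past it."""
    return url in blocklist


def canonical_site(url):
    """Reduce a URL to the site that serves it: scheme plus lowercased host,
    with a default port dropped. The per-victim path and query are discarded,
    which is exactly the part phishers vary between victims."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def site_blocklist_hit(url, blocklist):
    """Match on the canonical site rather than on the full one-time URL."""
    blocked_sites = {canonical_site(b) for b in blocklist}
    return canonical_site(url) in blocked_sites


def count_hits(urls, blocklist):
    """Return (naive_hits, site_hits) so the two strategies can be compared."""
    naive = sum(naive_blocklist_hit(u, blocklist) for u in urls)
    by_site = sum(site_blocklist_hit(u, blocklist) for u in urls)
    return naive, by_site


if __name__ == "__main__":
    print(count_hits(OBSERVED_URLS, {REPORTED_URL}))  # (1, 3)
```

Matching on the site catches the later one-time URLs, but it can also over-block a shared host that serves many unrelated pages, which is one reason a block list alone is not enough and heuristic checks on the page itself are still needed.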
This past year phishers have demonstrated that they really mean business. Their attacks have become more frequent, more varied, and quite frankly more innovative. At the same time, none of this is new. At Symantec we’ve seen such trends over and over again in many other threat areas for quite some time. Attackers are constantly adapting their approaches to increase their success rate. We must, therefore, continuously out-innovate them and persistently redouble our efforts to protect those who put their faith in the technologies we build. And we take that responsibility quite seriously.
My other blog entries, many of which are on phishing trends: http://www.symantec.com/enterprise/security_response/weblog/authors/zulfikar_ramzan.html
A recent paper I wrote on phishing statistics: