Phishing 2006: The Year in Review
Now that we’re near the end of the year, I thought I’d spend some time looking back at the phishing threat and reviewing some of the noteworthy trends. There are three high-level aspects that I’d like to touch upon:
1) The overall increase in phishing activity
2) New phishing attack vectors
3) New antiphishing techniques
First, phishing activity has steadily increased during the course of 2006. We’ve seen increases in both the number of phishing Web sites that go up as well as the number of unique phishing emails being sent out. Most targets are in financial services, but phishers have expanded their scope to include retailers, social networking sites, service providers, government sites, and even certificate authorities.
In addition, we’re seeing semblances of “corporate” behavior in phishing attack patterns. For example, phishers seem to be working normal business workdays and, therefore, are less active during the weekends and summer months. Phishers are also taking a more business-oriented approach to their attacks, trying to hit targets that they perceive to be lucrative.
New attack vectors
Phishers have expanded their attack vectors beyond the traditional email directing you to a Web site. For example, we’ve seen phishing attacks that use email to get you to call a specific phone number, and some even use the phone to contact you in the first place. These so-called voice phishing or “vishing” attacks leverage voice-over-IP (VoIP), a protocol that uses the Internet as a medium for carrying voice traffic inexpensively. As a result, such attacks can be conducted cheaply enough that phishers might see a sufficient return on their investment. At the same time, there have not been many reported cases of such attacks, so it’s not clear if they will take off.
Another phone-related attack vector involves sending SMS messages to victims. This attack has been termed “smishing.” Here, a victim might receive a text message saying that he or she will be charged $x per day if a fictitious order at a particular Web site isn’t cancelled. In a panic, the victim then visits the site to “cancel” the order. In the process, the victim ends up with malicious software on his or her machine that could allow an attacker to take complete control over it.
Finally, instant messaging (IM) has been a third attack vector. Here, victims receive instant messages asking them to visit particular fraudulent sites. In one particularly nasty incarnation of this attack, the victim received the message from what appeared to be a friend. The victim was prompted to visit a Web site and asked for the username and password associated with his or her IM account. Once they were entered, the attacker used those credentials to log into the victim’s account and repeat the same attack on everyone in the victim’s contact list. The attacks were particularly powerful because they leveraged social context to make them that much more believable and successful.
New antiphishing techniques
There are a number of techniques that attempt to address the phishing problem. One of these is two-factor authentication. Here, your bank gives you a special hardware device that displays a random-looking number that changes every minute or so. When you log in to your account, you have to provide not only your username and password, but also the number displayed on the device at that moment. The hope is that even if you divulge your username and password (and the number currently displayed on the device) to a phisher, he still won’t have the hardware device your bank gave you, so he won’t be able to enter the next number from that device in order to log in as you.
Of course, if a phisher can steal your money the instant you divulge your information, then two-factor authentication is not going to be of much use. This past year we saw phishing attacks that could operate at such speeds. From a technology perspective this attack wasn’t all that innovative, but it was the first time we saw phishers actually implement it.
Phishers are also taking measures to circumvent block lists: lists of known phishing sites that many antiphishing products make use of. The idea is simple. If you try to visit a site that’s on the block list, you are warned or blocked outright. To get around this mechanism, phishers are heavily leveraging unique URLs that are designed for one-time use. However, these URLs all point to what amounts to one Web site. In some cases, we’ve seen thousands of such distinct URLs pointing to the same site.
This technique can foil naive block lists because each URL is discarded after one use, so even if it makes it onto the block list, that entry doesn’t block the next unique URL. In the antiphishing technologies Symantec builds, such as those available in Norton Internet Security and Norton Confidential, we also include heuristic-based zero-hour phishing protection. These techniques allow us to detect phishing sites immediately, without relying solely on block lists.
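To make the block-list evasion above concrete, here is an added example (not Symantec’s or this post’s own code) contrasting an exact-URL block list with a host-level one plus two simple zero-hour heuristics; every URL, the brand name and its assumed legitimate domain are constructed placeholders.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample data; the hosts are placeholders, not real sites.
BLOCK_LIST = {"http://login-example-bank.invalid/verify/a1b2c3"}  # one reported URL
LATER_URLS = [  # later mails reuse the host but mint a fresh one-time path
    "http://login-example-bank.invalid/verify/d4e5f6",
    "http://login-example-bank.invalid/verify/0f9e8d?u=7",
    "http://192.0.2.10/example-bank/login",       # IP-literal host
    "https://www.example-bank.com/secure/login",  # the genuine site
]
LEGIT_DOMAINS = {"example-bank.com"}  # assumed: the brand's real domain
BRAND = "example-bank"

def naive_blocked(url):
    """Exact-match lookup: catches only the URL already on the list."""
    return url in BLOCK_LIST

def site_key(url):
    """Reduce a URL to what the phisher cannot cheaply vary: the host."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host
BLOCKED_SITES = {site_key(u) for u in BLOCK_LIST}

def site_blocked(url):
    """Host-level lookup: one entry covers every one-time path on that host."""
    return site_key(url) in BLOCKED_SITES

def heuristic_suspicious(url):
    """Zero-hour heuristics that need no prior report of the URL."""
    host = site_key(url)
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    try:  # bare IP address where a brand's domain would be expected
        ip_address(host)
        return True
    except ValueError:
        pass
    return BRAND in host  # brand name embedded in an unrelated domain

def classify(url):
    """Combine the host-level block list with the heuristics."""
    if site_blocked(url):
        return "blocked"
    if heuristic_suspicious(url):
        return "suspicious"
    return "allowed"

for u in LATER_URLS:  # constructed sample run
    print(f"{classify(u):10} naive_blocked={naive_blocked(u)!s:5} {u}")
```

The exact-match list catches none of the later URLs, while the host-level key catches both reuses of the reported host and the heuristics flag the IP-literal host without any prior report.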
This past year phishers have demonstrated that they really mean business. Their attacks have become more frequent, more varied, and quite frankly more innovative. At the same time, none of this is new. At Symantec we’ve seen such trends over and over again in many other threat areas for quite some time. Attackers are constantly adapting their approaches to increase their success rate. We must, therefore, continuously out-innovate them and persistently redouble our efforts to protect those who put their faith in the technologies we build. And we take that responsibility quite seriously.
My other blog entries, many of which are on phishing trends: http://www.symantec.com/enterprise/security_response/weblog/authors/zulfikar_ramzan.html
A recent paper I wrote on phishing statistics: