Bigger phishes ready to spawn

Phishing attacks may have slowed, but their sophistication is increasing at a rapid pace.

Matt Hines, Staff Writer, CNET News.com
Matt Hines covers business software, with a particular focus on enterprise applications.
There's good news about phishing: The growth of new attacks has slowed. But that's only because attackers are building more sophisticated traps and using advanced technology to perpetrate online fraud, researchers say.

Last week, the Anti-Phishing Working Group, an online fraud watchdog, reported that the number of phishing e-mails it tracked between January and February grew by only 2 percent.

That figure seems to mark a significant lessening of the threat, given that the average growth rate has been 26 percent per month since July 2004. But during the January-February period, phishing attacks also became dramatically more complex, experts said.

Whatever form they take, phishing fraud schemes--including offshoots such as pharming, cross-site scripting and DNS poisoning--are getting smarter.

"Phishers are thieves, and thieves in the online world, as in the real world, are working very hard to separate personal financial information and other data from their victims," Microsoft attorney Aaron Kornblum said.

The software maker recently filed 117 lawsuits against alleged operators of phishing Web sites--a major step forward in thwarting online criminals, according to Kornblum.

However, he acknowledged that there may be as much to fear in the future of phishing as there is to learn from its past.

"People will continue to think up new ways to apply phishing techniques and deceive consumers," he said. "The sophistication is growing, and it's not that surprising at all."

New crooks, more-effective tricks
The first wave of phishing attacks played on the ignorance of unsuspecting consumers, spamming their in-boxes with e-mails that looked like they linked to Web sites belonging to banks, investment companies and e-commerce businesses such as eBay. In reality, they were fake pages designed to lure people into divulging account login data, or other sensitive personal information that could enable the crooks to commit identity fraud.

Recent attacks have gotten more sophisticated, with advances in phishing schemes that use e-mail and the creation of fraudulent Web pages that appear almost identical to their legitimate counterparts.

And new threats have arisen: Attacks based on instant messaging; ploys that use JavaScript technology to hide threats on legitimate Web pages; and new social-engineering strategies.

One of the most telling examples of improved social-engineering techniques is a recent attack that didn't seek to nab victims' names, addresses or Social Security numbers.

Instead, the scheme targeted customers of Salesforce.com, with the aim of stealing information stored on the company's databases.

The campaign began with an e-mail sent to Salesforce customers that promised new application features under a free trial if the recipient logged onto a Web page and entered an account name and password, according to people familiar with the phishing attempt. Salesforce.com declined to comment.

Armed with that type of information, an individual could conceivably make off with a company's most valuable proprietary data. The criminal possibilities ranged from selling off closely guarded customer information to marketers to committing online industrial espionage.

Security experts say online criminals are becoming more savvy in the way they choose targets.

"We're seeing attempts to steal corporate intranet logon information," said Dave Jevans, the chairman of the Anti-Phishing Working Group.

Many types of phishers in the sea

Criminals have adopted a range of strategies to try to part online consumers from their personal data.

E-mail phishing
Crooks send out fraudulent e-mails that look like they come from legitimate sources and ask people to click through to spoofed versions of company Web sites.

Pharming
Online thieves redirect people from legitimate sites to malicious ones, mainly using a "DNS poisoning" technique. Thieves target domain name servers--the white pages of the Internet--and swap out the numeric addresses of the Web sites.

IM phishing
Fraudsters distribute IM messages that contain links to fake Web sites. The messages are crafted to look like they come from a known contact on an individual's IM buddy list.

Cross-site scripting
Tech-savvy criminals use JavaScript code to put their content on top of legitimate pages--most often, the Web sites of banks. Commonly, they insert a fake customer login box meant to steal password data.

URL hijacking
Opportunists find and exploit unprotected URLs maintained by real businesses to redirect users to phishing sites.

"With that sort of information, you're talking about a total security breach, getting into a company's network," Jevans said. "And that information is valuable to a lot of people, especially hackers. When you consider the big picture, phishing is getting even more painful right now."

Attacks designed to hit specific groups of people who hold valuable information will likely increase, said Jayne Hitchcock, a cybercrime specialist who advises law enforcement agencies and company executives about online fraud. Hitchcock also is author of the book "Net Crimes & Misdemeanors: Outmaneuvering the Spammers, Swindlers and Stalkers Who Are Targeting You Online."

"Sending a phishing e-mail out to everyone on the Web has had some effect, but not the kind of impact you imagine that some of these more custom-made attacks might have," Hitchcock said. "When you know that a certain group behaves a certain way, or is accustomed to getting information from a known source over e-mail, there's a greater opportunity to play on people's habits and get them to hand over the goods."

Schemes that use instant-messaging services rather than e-mail to distribute fake links are another new way of phishing, Hitchcock said. She pointed to an attack launched via Yahoo Messenger last month as an example. The messages often appear to be sent to IM users from someone on their contact list. Teenagers in particular are among those that could be successfully hooked by such bait, she said.

"The message is coming to them from someone on their buddy list," Hitchcock said. "That's a different level of threat than an e-mail sent from someone you don't communicate with on that medium, and it presents a much greater risk as well. Our research tells us that teens are fast and loose on the Internet and will share information more readily than most adults, so their information could get out via something like IM phishing and ruin their credit before they even get started in life."

Another twist on the old formula keeps the tried-and-true e-mail messages but hides a spoofed URL in a legitimate Web site address.

In one case, antispam technology specialist Mail-Filters detected a phishing attempt that listed one fake eBay Web page among a number of real URLs hosted by the online auctioneer. The message also mimicked antiphishing missives sent out from eBay and other companies, telling recipients that eBay would never ask for personal information in an e-mail and inviting them to log onto the company's site for more details.

By inserting the attempt among legitimate sites and incorporating antifraud rhetoric, phishers could pull in more targets, said Dan Ashby, a senior vice president at Mail-Filters.

"If a user clicked every link in the e-mail except the phishing link, they'd be taken to real eBay pages, some of which even offered advice on fighting phishing," Ashby said. "But all these guys need is for someone to become less observant and click that one fraudulent link and sign in, and the result would be the same. Phishers are getting smarter, and it's going to get even harder to separate real messages from the companies you do business with from the more advanced phishing schemes."
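The Mail-Filters case above turns on one fraudulent link hidden among genuine ones, where the visible text names the real company but the link itself goes elsewhere. The following is an added example, not code from the article or from Mail-Filters, showing the kind of check a mail filter can apply: extract every link in an HTML message, compare each link's host against the brand's domain with a proper suffix match (so a look-alike host that merely contains the brand's name is not accepted), and flag any link whose displayed text names the trusted domain while its target does not. The sample message and the domains "auction-example.com" and "signin-verify.example.net" are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail in which every link but one points at the
# brand's real domain. "auction-example.com" is a hypothetical stand-in for the
# auction site's domain; the look-alike host is likewise made up for this example.
SAMPLE_EMAIL_HTML = """
<p>Dear member,</p>
<p>Remember: auction-example.com will never ask for your password in e-mail.
Read our <a href="https://pages.auction-example.com/help/phishing.html">advice on
fighting phishing</a> and review our
<a href="https://www.auction-example.com/policies">account policies</a>.</p>
<p>To keep your account active, please
<a href="http://www.auction-example.com.signin-verify.example.net/cgi/login">sign in
at www.auction-example.com</a> within 48 hours.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    A plain substring test would accept "auction-example.com.evil.example.net",
    which is exactly the trick a look-alike link relies on.
    """
    host = (host or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def audit_links(html, trusted_domain):
    """Return a list of (href, text, reasons) for links that deserve a closer look."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        if href is None:
            continue
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append(f"unexpected scheme {parsed.scheme!r}")
        if not host_belongs_to(host, trusted_domain):
            reasons.append(f"link host {host!r} is outside {trusted_domain}")
        # The visible text names the trusted domain but the link goes elsewhere:
        # the mismatch between what the reader sees and where the click lands.
        for shown in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower()):
            if host_belongs_to(shown, trusted_domain) and not host_belongs_to(host, trusted_domain):
                reasons.append(f"text shows {shown!r} but link host is {host!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL_HTML, "auction-example.com"):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the two genuine links pass and only the "sign in" link is reported, with both reasons attached: its host sits outside the brand's domain, and its visible text names the brand while the target does not. The suffix match in `host_belongs_to` is the important detail; a filter that only looks for the brand name somewhere in the URL would wave the look-alike through.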

Pushing the tech envelope
Online criminals have also begun adopting more-advanced technology. These more-sophisticated phishing methods range from the relatively simple (such as using unprotected URLs maintained by real businesses to redirect users to phishing sites) to the extreme (such as using JavaScript code to add content on top of legitimate pages, a practice known as cross-site scripting).
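The "unprotected URLs maintained by real businesses" that the article mentions are what is now usually called an open redirect: a page on the genuine site that sends the browser to whatever address a query parameter names, so a phishing link can begin with the real company's domain and still land on the fraudster's page. The following is an added example, not code from the article or from any company it names, showing the weak handling beside a hardened version that only ever redirects within the site's own host. The host name "www.bank-example.com" and the parameter values are constructed for this example.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical host of the site that issues the redirect (constructed for this example).
SITE_HOST = "www.bank-example.com"


def redirect_target_unsafe(next_param):
    """The weak version: the Location header is whatever the request said.

    A link such as https://www.bank-example.com/login?next=https://<fraud-host>/
    looks like it belongs to the bank but delivers the visitor to the fraud host.
    """
    return next_param


def redirect_target_safe(next_param, site_host=SITE_HOST):
    """Return an absolute https URL on our own host, or None to fall back to the home page."""
    if not next_param:
        return None
    next_param = next_param.strip()

    # Protocol-relative ("//host") and backslash forms are treated as "same origin"
    # by nobody and as "other host" by browsers; reject them before parsing.
    if next_param.startswith(("//", "/\\", "\\")):
        return None

    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        # An absolute URL is accepted only if it is https and stays on our host.
        if parsed.scheme != "https" or (parsed.hostname or "").lower() != site_host:
            return None
        return next_param

    # Relative targets must be site-absolute paths; resolve them against our origin
    # and confirm the host did not change on the way through.
    if not next_param.startswith("/"):
        return None
    resolved = urlparse(urljoin(f"https://{site_host}/", next_param))
    if (resolved.hostname or "").lower() != site_host:
        return None
    return resolved.geturl()


if __name__ == "__main__":
    samples = [
        "/account/summary",
        "https://www.bank-example.com/help",
        "//evil.example.net/",
        "https://evil.example.net/",
        "javascript:void(0)",
    ]
    for value in samples:
        print(f"{value!r:40} -> {redirect_target_safe(value)}")
```

Whatever the request supplies, the hardened function can only ever hand back a URL on the site's own host or nothing at all, which is the property a phishing link built on such a page needs to be absent. A site that genuinely must send users to other domains should keep an allowlist of those exact hosts rather than trust the parameter.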

In one style of attack, which has earned the nickname "pharming," online thieves try to redirect people from legitimate sites to malicious ones using "DNS poisoning." The scammers target the servers that act as the white pages of the Internet--a key part of cyberspace that's known as the domain name system, or DNS--and replace the numeric addresses of legitimate Web sites with the addresses of their malicious sites.

There is evidence that when a new form of phishing is reported, another variation on the theme appears, as criminals try to stay one step ahead of the law. For instance, shortly after cross-site scripting began to garner media coverage, researchers at Internet security company Netcraft saw some fraudsters loading their content into inline frames (iframes) on Web pages, a method that lets attackers victimize even people who had turned off JavaScript in their browsers to protect themselves.

This sort of rapid adjustment is proof that more professional criminals and technologists have turned their attention to phishing, according to Paul Mutton, Internet services developer at Netcraft.

"The work has been getting much more professional over the last six months," Mutton said. "The attacks include a lot more clever tricks, like cross-site scripting, and other things that try to exploit browser vulnerabilities. The redirect sites might not be as technologically advanced as scripting, but they're probably easier to set up and run, so there's a lot of thought going into this on the part of the thieves."

The answer for now is to continue to educate businesses and consumers about the problem, the Anti-Phishing Working Group believes. The group hopes that better collaboration between the companies being targeted, law enforcement officials and government regulators will soon create better resources for fighting phishing.

"We need more industry cooperation about sharing information on attacks in a rapid manner--about where these attacks are coming from, about correlating that data, and taking the sites down," Jevans said. "We need better communication with law enforcement. Those guys are not yet equipped to deal with this stuff--they're focused on fraud in the real world. Tracking down (online) criminals is a lot different. There's no warehouse full of stolen goods when you're talking about information."

Without this collaboration, and even with better industrywide resources, phishing is a problem that's only just begun to rear its head, Jevans added.

"It's fair to say that there's no end in sight right now," he said. "Phishing will get worse--it's almost a certainty."