The following definition from the Antiphishing Web site (www.antiphishing.org) is a useful place to begin this column:
"What is phishing and pharming? Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' email to lead consumers to counterfeit Web sites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and Social Security numbers. Hijacking brand names of banks, e-retailers, and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning."
The phish mongers to whom I refer in the title of this column are those who deploy these phish scams in such a way that they stand a measurable chance of success against a reasonably intelligent and enlightened end user. The posers are the bottom feeders of the phishing community, who exhibit a very low level of sophistication. This distinction is critical if one attempts to thwart phishing.
There's more to phishing than throwing digital bait on the Net. All too often descriptions of phishing scams drill down into deceptive URLs, fake address bars, and the like but fail to investigate the set-up that precedes the sting.
Effective phishing imposes five essential requirements on the bait:
The similarities with angling should not be overlooked. There are reasons why anglers neither troll with charcoal briquettes nor fly-fish for sharks. I will illustrate the analogy to the digital surf with a few examples taken from one of the phishing research projects in our lab.
Figure 1a is modeled after some live phish we captured on the Net. Let's analyze this in terms of the five criteria listed earlier. First, the email looks legitimate, at least to the extent that it betrays nothing suspicious to a typical bank customer (aka target-of-opportunity). The graphic appears to be a reasonable facsimile of a familiar logo, and the salutation and letter are what we might expect in this context.
Second, the target is the subset of recipients who are Bank of America customers. The fact that the majority of recipients are not customers is not a deterrent because there's no penalty for over-phishing in Internet waters. Third, the request seems entirely reasonable and appropriate given the justification. We reason that if we were a bank, we might do something similar under such circumstances. Fourth, the URL link seems to be appropriate to the brand. The unwary among us might readily trade off any lingering disbelief for the opportunity to correct what might be a simple error that could adversely affect use of a checking or credit card account. We may assume the link to verify.bofa.com would take us to an equally plausible Web form that would request an account name and password information.
The unwary in this case is M. Jones, whose harvested Web form appears to the phisherman as in Figure 1b. This is a screenshot of an actual phishing server in my research lab.
In order to complete the scam the fifth condition must apply. In this case, after the private information is harvested, the circle is completed when the phishing server redirects the victim to the actual bank site. This has the effect of keeping the bank's server logs roughly in line in case someone makes an inquiry to the bank's help desk.
Figure 2 illustrates this activity. Of course, a more careful inspection of the bank's server logs would reveal a flaw in this simplified approach, because the phishing server shows up as the "referrer", a telltale sign the phisher would like to avoid. But the Referer header is supplied by the victim's browser rather than by the phisher's server, so this deficiency could be overcome with a bit of care in how the redirect is issued, choosing a form that leads the browser to omit or alter the header.
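As an added example that is not part of the original column, the following Python script performs the log inspection described above from the bank's side: it parses combined-format web server log lines and reports arrivals at a landing page whose Referer names a host other than the bank itself. The bank hostnames, landing paths and log lines are constructed for illustration and are not taken from any real server.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format as written by Apache httpd or nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions: the bank's own hostnames, and the pages a phishing server
# would redirect a freshly harvested victim to.
BANK_HOSTS = {"www.example-bank.test", "online.example-bank.test"}
LANDING_PATHS = {"/", "/login", "/account/summary"}

# Constructed sample: two ordinary hits, two victims arriving from a
# phishing server, and one image hotlinked from an unrelated blog.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Apr/2006:09:12:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.11 - - [10/Apr/2006:09:12:07 -0500] "GET /login HTTP/1.1" 200 3080 "https://www.example-bank.test/" "Mozilla/4.0"',
    '198.51.100.5 - - [10/Apr/2006:09:13:44 -0500] "GET / HTTP/1.1" 200 5120 "http://secure-verify.example/confirm.php" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Apr/2006:09:15:02 -0500] "GET / HTTP/1.1" 200 5120 "http://secure-verify.example/confirm.php" "Mozilla/4.0"',
    '203.0.113.12 - - [10/Apr/2006:09:16:30 -0500] "GET /images/logo.gif HTTP/1.1" 200 2210 "http://some-blog.example/post" "Mozilla/4.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of the Referer URL, or None when the browser sent none ('-')."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower()


def foreign_referers(lines, own_hosts=BANK_HOSTS, paths=LANDING_PATHS):
    """(client_ip, referer_host, path) for landing-page hits referred by a site other than the bank."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in paths:
            continue
        host = referer_host(rec["referer"])
        if host is None or host in own_hosts:
            continue  # direct navigation or an in-site link: nothing to see
        hits.append((rec["ip"], host, rec["path"]))
    return hits


def rank_referers(hits):
    """Unknown referring hosts, most frequent first: many distinct victims from one host is the tell."""
    return Counter(host for _, host, _ in hits).most_common()


if __name__ == "__main__":
    for host, n in rank_referers(foreign_referers(SAMPLE_LOG)):
        print(f"{n:3d} arrivals referred by {host}")
```

Two caveats a practitioner would add. The Referer is client-supplied: an empty value does not exonerate a session, and, as noted above, a phisher can arrange for the browser not to send it. Legitimate third-party referrers (search engines, partner sites) will also appear, so in practice the report is compared against an allowlist, and the signal is a single unknown host referring many distinct client addresses to the login flow in a short window.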
The preceding example is a well-known exploit strategy. Some sub-cerebral variations on this theme appear in the sidebar "Phishing Expeditions."
So much for the posers. My last example is a phish of a different stripe, so different that it justifies discussion on its own. It reached us through an ISP in Shanghai in a cleverly disguised way.
Look carefully at the cursor in Figure 3. The cursor seems to be sensing the link even though it's not particularly close to it. The fact is it's not sensing that link at all, but rather an image map. A quick review of the source code, shown beneath the figure, leads us to a veritable cornucopia of trickery.
Several features make Figure 3 and its associated source code interesting. First, the image map coordinates cover pretty much the whole page. Second, the image that is mapped is the actual text of the email, so what appeared to be email was just a picture of email. Thus the link led not to the secure connection to eBay it appeared to offer, but to an insecure connection to 218.1.XXX.YYY/ .../e3b/. While Windows users frequently see the "dots of laziness" when a path expression is too long for the path pane in some window, this isn't a Windows path in a path pane. These "dots of laziness" are a directory name. Now why would one create a directory named "..."? It certainly falls short of the mnemonic requirements most of us learned in introductory programming courses.
On the other hand, it might blend in stealthily with the Unix/Linux hidden directory entries "." and ".." and escape an onlooker's suspicion. This suggests the computer at the end of 218.1.XXX.YYY may not be the phisher at all, but another unsuspecting victim whose computer has been compromised (for that reason, I've concealed the final two octets of the IP address). Another sign of intrigue is the font color of almost pure white, "#FFFFF3", for the text "Barbie Harley Davidson in 1803 in 1951 AVI." Though their names are sullied, neither Barbie nor Harley Davidson had anything to do with this scam. This white-on-white hidden text is there to throw off the Bayesian analyzers in spam filters: because the visible email text is actually a graphic, the only words a Bayesian analysis sees are the hidden ones, so it likely concludes that this is a message about Barbie and her Harley.
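An added example, not code from the column: a Python checker that looks for the features just described in an HTML mail body, namely an image map whose single area covers the whole image, text hidden in near-white, a link to a bare IP address over plain http, and a dots-only directory in the link path. The sample message is constructed to exhibit them, with a TEST-NET address standing in for the real one; the coverage and colour thresholds are assumptions, and a benign statement notice is included to show that it passes clean.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the features described above; the address is
# from the TEST-NET range, not the one in the original message.
SAMPLE_PHISH = """<html><body>
<map name="body"><area shape="rect" coords="0,0,800,1200" href="http://203.0.113.77/.../e3b/"></map>
<img src="cid:mail.gif" usemap="#body" width="800" height="1200">
<font color="#FFFFF3">Barbie Harley Davidson in 1803 in 1951 AVI</font>
</body></html>"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """<html><body><p>Your March statement is ready.
<a href="https://www.example-bank.test/statements">View it online</a>.</p></body></html>"""


class MailHTML(HTMLParser):
    """Collect images, image-map areas and coloured text runs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.images, self.areas, self.runs = [], [], []
        self._font = []  # stack of <font color=...> values currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(a)
        elif tag == "area":
            self.areas.append(a)
        elif tag == "font":
            self._font.append(a.get("color"))

    def handle_endtag(self, tag):
        if tag == "font" and self._font:
            self._font.pop()

    def handle_data(self, data):
        s = " ".join(data.split())
        if s:
            self.runs.append((self._font[-1] if self._font else None, s))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dots_only_segment(path):
    """A directory named '...' (or longer) hides among '.' and '..' in a listing."""
    return any(len(seg) >= 3 and set(seg) == {"."} for seg in path.split("/"))


def near_white(color, tol=24):
    """#RRGGBB within `tol` of #FFFFFF on every channel: invisible on a white background."""
    m = re.fullmatch(r"#?([0-9a-fA-F]{6})", color or "")
    if not m:
        return False
    r, g, b = (int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4))
    return min(r, g, b) >= 255 - tol


def rect_area(coords):
    try:
        x1, y1, x2, y2 = (int(c) for c in (coords or "").split(","))
    except ValueError:
        return 0
    return abs(x2 - x1) * abs(y2 - y1)


def analyze(html):
    """Return a list of human-readable findings; an empty list means nothing tripped."""
    p = MailHTML()
    p.feed(html)
    p.close()
    findings = []
    img_area = 0
    for img in p.images:
        try:
            img_area = max(img_area, int(img.get("width") or 0) * int(img.get("height") or 0))
        except ValueError:
            pass
    for area in p.areas:
        href = area.get("href") or ""
        u = urlsplit(href)
        host = u.hostname or ""
        if is_ip_literal(host):
            findings.append(f"link target is a bare IP address: {host}")
        if u.scheme == "http":
            findings.append(f"link is plain http, not https: {href}")
        if dots_only_segment(u.path):
            findings.append(f"path contains a dots-only directory: {u.path}")
        if img_area and rect_area(area.get("coords")) >= 0.8 * img_area:  # 80% is an assumed threshold
            findings.append("image map covers the whole image: any click follows the link")
    for c, s in p.runs:
        if near_white(c):
            findings.append(f"near-white text {c} hides: {s!r}")
    visible_chars = sum(len(s) for c, s in p.runs if not near_white(c))
    if p.images and visible_chars < 40:  # 40 characters is an assumed threshold
        findings.append("message body is an image, not text: filters see only the hidden text")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PHISH):
        print("-", f)
```

The hidden-text and body-is-image checks are what a word-based filter misses on its own: it scores the Barbie text because that is the only text there is. Scoring the structure of the message, rather than its words, is what catches this one.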
As opposed to the posers, this phish monger is moderately clever. While the exploit may not earn a trophy, it's a keeper.
It is unfortunate in the extreme that there are victims who fall for the fatuous phishing scams. We would all sleep better if the kind of flagrant errors characterized by our posers automatically ruled them out of all consideration. But they don't, unfortunately. Unlike cracking and the business of script kiddying, phishing is economically motivated: if it weren't profitable for these cyber crooks to phish, they wouldn't do it. And if even the posers are occasionally effective, it's no wonder that the mongers account for economic losses in the billions of dollars each year, losses that are ultimately borne by the customers.
All four examples, even those written by the posers, managed to escape detection by one of my spam/phish filters within the last few months. The likelihood is that future phishing, or whatever phoolware follows it, will continue the cat-and-mouse game with security software. Perhaps our greatest mistake is excessive reliance on technology solutions. Our efforts seem no more effective at blocking phish scams now than they were at blocking embedded executables 10 years ago.
When it comes to email, common sense still goes a long way.
Figure 1a. Phishing email that satisfies the effectiveness criteria.
©2006 ACM 0001-0782/06/0400 $5.00
The Digital Library is published by the Association for Computing Machinery. Copyright © 2006 ACM, Inc.