Evolution of Phishing Attacks (InfoSec Resources)

Phishing is a low-success-rate form of social engineering attack: thousands upon thousands of messages go out every day to generate a handful of successful hits. That does not make it harmless by any means.

Although the Nigerian Prince scam has long since become passé, its current versions continue to victimize greedy people. They are better targeted now: in the United States you will receive an unexpected, unsolicited e-mail from “Tommy Johnson, a U.S. soldier” in a war-torn zone, who needs your help to get a corrupt regime’s stolen money out of the country.

Depriving the “bad-guys” of money and getting rich yourself—what a plan! If only it weren’t so utterly ridiculous.

Security Awareness

In the beginning it didn’t seem so ridiculous. “The Internet” was all shiny and new. We were assailed on all sides by newscasters interviewing university professors; by highly-decorated military officers talking about how using all this information would keep the world safe; by politicians telling us that it was an aid to mutual understanding and the path to world peace; and by people in white lab coats telling us how it would advance the cause of science.

In many ways all that was perfectly true, and it still is. The cause of humanity has been pushed ahead enormously. However, amid all this unbridled optimism, very few people addressed the flip side of the coin: the slithering, slimy, sleazy underbelly of society that recognized the value of information.

Here was something a thief could steal, transport, utilize, sell, profit from, and destroy, all from the comfort of a chair sitting in front of a microcomputer. No fingerprints; no witnesses; nothing to tie them to the crime but an electronic trail, which they could obfuscate.

When America Online (AOL) was the largest provider of Internet services, it attracted the warez community that had previously confined itself to local bulletin board systems (BBS), where they exchanged pirated copies of commercial programs. Obviously, the Internet was a much more efficient way to communicate, and it connected groups from all over the world that had had very little contact previously. The community blossomed.

It didn’t take too long for them to realize that they were surrounded by a vast audience of people who knew next to nothing about how to use the Internet. Using programs like AOHell, they generated credit card numbers that passed AOL’s validation checks, set up fake AOL accounts with them, and began an enduring period of conning people into sending them valuable personal information.

They posed as AOL Tech Support, asking for account information, which people happily provided because they didn’t know any better. If that included their credit card information, those people suddenly had huge bills to pay.

The move to creating fake websites that looked like the originals, and conning people into visiting them and surrendering all their personal information, began in the mid-1990s. It hasn’t changed much since then. The main difference is that the lure now arrives as an e-mail that steers you to the attack site.

Sophistication

Of course phishing has moved well beyond that in the depth of its penetration into our infrastructure. Before the Internet made this sort of attack easy, spear-phishers had to comb through public announcements, newspaper articles, and whatever else they could find to discover details they could exploit.

A public relations release saying:

Susan Accountperson, CFO of SOME Corporation, attended EVENT with 30 corporate delegates in Diatribe, Florida, last month. The weeklong event netted the company two different contracts estimated to be worth over $880 million over the next four years.

…provides enough information for someone to call the chief financial officer of SOME Corp., Ms. Accountperson, claiming to be the sponsoring hotel. The bills for the rooms are now 30 days past due, and the hotel needs a wire transfer of $25,200 for the rooms, $20,160 for room service ordered and $8,088 in ancillary charges.

“That’s $53,448 plus Florida State taxes of 8%, or $57,723.84. And we need that today… I’m sorry, I can’t stop that, because it is headed to collections and there is no way to prevent the news services from finding out about it unless we have the money transferred today.”

Susan Accountperson, CFO, certainly doesn’t want to be responsible for the company name being dragged through the press. She authorizes the money transfer; the crooks quickly transfer it to another account, and it is then gone forever.

This type of “social engineering” attack rarely requires that much research to accomplish nowadays. Obtaining information about people has been made so much simpler due to the amount of information sharing we do online.

The attackers will go to Facebook, or LinkedIn, or any of a number of other popular “social” sites and collect enough information to convincingly pass themselves off as a familiar acquaintance. Scanning news articles will give them names of people you work with and the names of contracts and “big deals” that you’re working on.

They can sound “exactly right” and, having established themselves as a “friend” or “business acquaintance,” these crooks can now begin to manipulate you with a stunning level of psychological expertise. They’ll request contract details, or that you send them copies of confidential deal details that should never leave your office.

Often they will have an “urgent” air about them; something must be done immediately. They need a file; they need a password; a customer is going to abandon a million-dollar deal if you don’t get them something right now.

Just don’t do it! If you stop and think, and delay them in any way, you will almost certainly make a better decision. They want you to catch their “air of panic” and make rushed, thoughtless decisions.

Adopting New Technologies

Misrepresentation

When you hover over a link like this one, https://www.google.com, you will see something similar to this image in the bottom corner of your browser screen.

[Image 1: the link’s real destination shown in the browser’s status bar]

That is generally a good guide to where the address actually goes. Sometimes the visible text of a link is just a word such as “this”; it may take you to the same place, but it could literally take you anywhere else on the web.

Phishers, to encourage you to click, simply mislabel the link: the visible text reads http://www.google.com/ and looks right, but if you hover over it you can see that the underlying address is Bing’s, not the one advertised. If you have never heard of that site, Bing is another search engine for people who can’t spell “Google.”

However, even those of us careful enough to look at the link description every time before we click can be deceived by a JavaScript trick phishers use: the link carries the honest address when you hover over it, and a mouse-down or click handler rewrites it the instant you click, so the bottom-corner description says whatever they please while the click sends your browser to another location. That is why it is a good idea to disable JavaScript and only activate it when specifically required.

There are, for example, tools such as QuickJava (for Firefox), which gives you a set of buttons on your toolbar:

[Image 2: the QuickJava toolbar buttons]

where you can click to turn various features on and off, including JavaScript, Java, Flash, Silverlight, Cookies, Images, Animated Images, CSS/Style Sheets, and even Proxies. It provides a single button to toggle all the buttons to your choice of states.

[Image 3: the single toggle-all button]

There are equivalents for other browsers, so you can disable JavaScript selectively wherever you browse.
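Both tricks above, the link whose visible text names one site while its address points to another, and the mouse handler that rewrites the address after the hover preview has shown the honest one, can be caught mechanically. The following is an added example, not code from the original article or from any tool it names: it runs the check over a constructed HTML snippet (all hostnames are made up) and reports, for every anchor, whether the host shown in the text matches the host the link resolves to and whether a mouse handler could swap the target.

```javascript
// Added example (not from the original article): audit anchors for
// (1) visible text naming one host while href points to another, and
// (2) a mouse handler that can rewrite href after the hover preview.
// Every hostname below is made up.

// Constructed sample markup: anchor 1 is honest, anchor 2 shows google.com
// but goes to bing.com, anchor 3 swaps its target on mousedown.
const SAMPLE_HTML = `
<p>Search with <a href="https://www.google.com/">https://www.google.com</a>.</p>
<p>Or use <a href="https://www.bing.com/">http://www.google.com/</a> instead.</p>
<p>Log in at <a href="https://myactualbank.example/"
   onmousedown="this.href='https://phish.example/login'">https://myactualbank.example/customerservice</a></p>
`;

// Pull (href, visible text, has-mouse-handler) out of every <a> with a regex.
// In a browser the same loop would run over document.querySelectorAll("a").
function extractAnchors(html) {
  const anchorRe = /<a\s+([^>]*?)>([\s\S]*?)<\/a>/gi;
  const anchors = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = m[1];
    const href = /\bhref\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const hasHandler = /\bon(mousedown|mouseup|mouseover|click)\s*=/i.test(attrs);
    anchors.push({ href: href ? href[1] : "", text: m[2].trim(), hasHandler });
  }
  return anchors;
}

// Hostname of an absolute URL, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Compare the host named in the visible text with the host href resolves to,
// and flag handlers that can change href between hover and navigation.
function checkAnchor({ href, text, hasHandler }) {
  const findings = [];
  const hrefHost = hostOf(href);
  if (hrefHost === null) findings.push("href is not an absolute URL");
  const shownUrl = /https?:\/\/[^\s<]+/i.exec(text);
  const shownHost = shownUrl ? hostOf(shownUrl[0]) : null;
  if (shownHost && hrefHost && shownHost !== hrefHost) {
    findings.push(`text shows ${shownHost} but link goes to ${hrefHost}`);
  }
  if (hasHandler) {
    findings.push("mouse handler can rewrite href after the hover preview");
  }
  return findings;
}

function auditLinks(html) {
  return extractAnchors(html).map((a) => ({ ...a, findings: checkAnchor(a) }));
}

for (const r of auditLinks(SAMPLE_HTML)) {
  console.log(`${r.text} -> ${r.href}: ${r.findings.join("; ") || "ok"}`);
}
```

Comparing hostnames rather than whole URLs is deliberate: a path or query string in the displayed text will rarely match the real one exactly, but a different host is the tell. Note that the handler check only says the target *can* change; with JavaScript disabled, as the article recommends, the handler never runs and the hover preview is trustworthy.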

One-Person Scenario:

Imagine if your bank e-mailed you a notice, with a perfectly normal appearance, that said your account had been compromised and it was frozen until you contacted them. It provided a real-looking link to myactualbank.com/customerservice that, when clicked, took you to a site that looked exactly like your banking site. It has all the proper graphics, the right icons, the contact data, the address, and nothing is out of place—except you! This is not your real banking site.

But right in front of you is a form requiring all your personal data. It says all your assets will remain frozen until you “confirm” your account numbers, credit card information (including the CSC or CVV code), full name, mother’s maiden name, address, previous address, the PIN for your bank card, date and place of birth, social security number… And hey, it’s okay to tell your bank that information, right?

If you fill it in, it will tell you that your access has been restored and you are now completely safe. It’ll even say “thank you” and wish you a good day. Feeling relieved that you fixed everything, you forget about it.

What happens next can take days. Loans are arranged in your name for thousands of dollars. Mortgages can be placed on your home. Credit cards are activated and spent to their maximums. Finally, after they have rendered every penny they can leverage against your name, your savings are cashed out, and your accounts are overdrawn to their limits.

Growing Sophistication of Phishing Messages

Business Scenario One

Tricking a low-level employee into clicking a malicious URL is rather easy, unfortunately. Sometimes it’s as simple as sending a newsy-commercial e-mail with “click bait” such as Lose 14 Pounds In 10 Days! Or Behind On That Project? Catch Up In Just 2 Hours!

Links like that will take them to a malicious URL that will install dangerous software on their computer. Now the hacker has access to your corporate computer system through that one infected computer.

It’s even easier if there is an e-mail attachment and the pitch is sufficiently convincing to get the employee to open the attachment. It is then just a one-step process, and now your system is infected.

We’re Better Now

Of course we’ve grown more sophisticated, too. We have mail-gateway filtering software that keeps a very large percentage of that sort of material out of our mail systems.

Whereas originally it would quarantine mail based on certain content, which then had to be painstakingly reviewed by a human, our automated sorting abilities and algorithms have become good enough that we can drop mail from known-bad domains without even looking at it, use sender-authentication checks to reject mail coming from spoofed (faked) addresses, and even identify falsified URLs (links) in e-mails. Anything with an attachment instantly raises red flags. Practically nothing harmful gets through, which means that employees develop a false sense of security and simply open everything.
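The checks just listed are easy to state but worth seeing in one place. The following is an added example, not code from the original article or from any gateway product: a minimal triage routine that applies a sender-domain blocklist, a spoofed-From check (the domain shown in From: must be the one that SPF or DKIM actually vouched for, which is the alignment rule DMARC uses), the upstream DMARC verdict, and an executable-attachment rule to two constructed messages. The Authentication-Results header format is the standard one; every domain and filename here is made up.

```javascript
// Added example (not from the original article): a minimal mail-gateway
// triage over constructed messages. Domains and filenames are invented.

const BLOCKED_DOMAINS = new Set(["mail-blast.example"]); // assumed blocklist

// Constructed samples: a spoof of the bank's domain, and a genuine message.
const SPOOFED = {
  from: "Customer Service <alerts@myactualbank.example>",
  authResults:
    "mx.corp.example; spf=fail smtp.mailfrom=bounce@mail-blast.example; " +
    "dkim=none; dmarc=fail header.from=myactualbank.example",
  attachments: ["Account_Statement.pdf.exe"],
};
const GENUINE = {
  from: "alerts@myactualbank.example",
  authResults:
    "mx.corp.example; spf=pass smtp.mailfrom=alerts@myactualbank.example; " +
    "dkim=pass header.d=myactualbank.example; dmarc=pass header.from=myactualbank.example",
  attachments: ["statement.pdf"],
};

// Domain part of an address such as "Name <user@host>" or "user@host".
function domainOf(address) {
  const m = /@([A-Za-z0-9.-]+)/.exec(address);
  return m ? m[1].toLowerCase() : null;
}

// Parse the spf/dkim/dmarc clauses of an Authentication-Results header and
// the domain each mechanism authenticated (smtp.mailfrom / header.d).
function parseAuthResults(header) {
  const r = { spf: "none", spfDomain: null, dkim: "none", dkimDomain: null, dmarc: "none" };
  for (const clause of header.split(";").slice(1)) { // slice(1) skips the authserv-id
    const c = clause.trim();
    let m;
    if ((m = /^spf=(\w+)(?:.*\bsmtp\.mailfrom=(\S+))?/.exec(c))) {
      r.spf = m[1];
      r.spfDomain = m[2] ? domainOf(m[2]) || m[2].toLowerCase() : null;
    } else if ((m = /^dkim=(\w+)(?:.*\bheader\.d=(\S+))?/.exec(c))) {
      r.dkim = m[1];
      r.dkimDomain = m[2] ? m[2].toLowerCase() : null;
    } else if ((m = /^dmarc=(\w+)/.exec(c))) {
      r.dmarc = m[1];
    }
  }
  return r;
}

// A message is delivered only if none of the rules fires.
function triage(msg) {
  const reasons = [];
  const fromDomain = domainOf(msg.from);
  const auth = parseAuthResults(msg.authResults);
  if (BLOCKED_DOMAINS.has(fromDomain) || BLOCKED_DOMAINS.has(auth.spfDomain)) {
    reasons.push("sender domain is on the blocklist");
  }
  // Alignment: the visible From: domain must be the one SPF or DKIM vouched for.
  const spfAligned = auth.spf === "pass" && auth.spfDomain === fromDomain;
  const dkimAligned = auth.dkim === "pass" && auth.dkimDomain === fromDomain;
  if (!spfAligned && !dkimAligned) {
    reasons.push(`From: claims ${fromDomain} but neither SPF nor DKIM authenticates it`);
  }
  if (auth.dmarc === "fail") reasons.push("upstream DMARC verdict: fail");
  for (const name of msg.attachments) {
    if (/\.(exe|scr|js|vbs|bat|cmd|hta|jar)$/i.test(name)) {
      reasons.push(`executable attachment: ${name}`);
    }
  }
  return { verdict: reasons.length ? "quarantine" : "deliver", reasons };
}

for (const msg of [SPOOFED, GENUINE]) console.log(triage(msg));
```

The alignment rule is the one that matters for the article’s point: an SPF pass on its own only proves the bounce address was authorized, and a phisher controls that address. Requiring the authenticated domain to equal the domain the user sees in From: is what actually stops the “your bank” spoof.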

Business Scenario Two

Targeting specific people is called spear-phishing, and targeting CxOs and other high-level targets is called whale-phishing, or simply whaling.

In this case, it involves a remarkable amount of research focused on the target victim; it requires the creation of fake websites, fake LinkedIn profiles, extensive fake LinkedIn networks, and even domain creation with highly believable company names. In every way, they look absolutely legitimate and their entire purpose is to obtain the credentials of the victim.

Last year an unnamed company saw $100 million transferred to many banks around the world, under the unwitting authority of one of its highest executives. Global estimates in 2015 place losses at $2.3 billion.

Anti-Phishing Techniques

Due diligence

Be relentless in your use of anti-malware and antivirus software. Antivirus software should run at all times and will detect some malware, but anti-malware software is the tool that offers the greatest resistance to phishing payloads on your systems. Set it to update automatically, and ensure that it runs at the recommended intervals.

Inform your clientele that…

…you will never, ever solicit account information through e-mail. Anything bearing a hyperlink purporting to represent your company and requesting account or security information is fraudulent. Use big letters and eye-catching colors, and get that message out there!

No e-mail on servers capable of making payments

In the $100,000,000 example above, the credentials were used to order payments to be made. Once inside, the attacker obtained user names and passwords from the payment system, and could then request and approve their own transfers using the authority of different people. If there had been no e-mail associated with that server, the task would have been much more difficult, perhaps even impossible.

Consequently, that system has been changed to use biometrics. It’s a little like closing the barn door after the horse has escaped, but at least now it requires more than a user name and a password, so it cannot be done remotely.

No Internet connection on payment servers

For the same reason as above; if they can’t get in, they can’t manipulate your system. Play it safe. If this is not possible, at least forbid incoming connections from phones, tablets, laptops, and even from your own employees’ home offices. They almost certainly do not need access to your payment system and all of the foregoing devices are far too vulnerable to be connecting to your secure servers.

URL & IP address filtering

Limit your exposure to known attack sites (there are lots of lists available online) by forbidding access to them by your servers. Use a website-reputation service to avoid treacherous connections.

Train your people

SecurityIQ at the InfoSec Institute would be more than happy to discuss your staff’s training needs. We have to make a concerted effort to protect ourselves. The way to do that is through education so that we know how to make good decisions.

Circumventing Anti-Phishing Solutions

Poison…<gasp>

There is a technique called DNS poisoning. It is particularly insidious because, even as far back as 2008, if you had a security toolbar installed as part of your protection mechanism, it was supposed to tell you whether the site you were visiting was safe.

Attackers can exploit weaknesses in routers or access points (APs). Redirecting name resolution, whether through the router’s DNS settings or a machine’s HOSTS file, sends the browser to the attacker’s copy of a site while the address bar still shows the expected name. Since the security toolbar relies on the same name resolution, it reports the site as safe even when it is not, instilling a false sense of security. You can’t fault the toolbar; it was circumvented.

Technology has improved in the intervening years, but some older routers and APs remain vulnerable. Check to make sure your older equipment is not leaving you wide open to attack.

BYOD = BYODL

Bring your own device has certainly improved people’s work efficiency. Now they can work just about anywhere—on the bus, on the plane, at home, or even when they’re away at the cottage. Make sure your employees are aware that they need to install programs only from legitimate sources and to be careful of which permissions they grant.

This is because BYOD also means bringing your own data leak (potentially). People like to download apps, and seldom check the permissions. Many of those apps ask for access to your contacts list and, with the wrong program on your phone, that can be sent to an exploiter who now has a wealth of information about your company that makes spear-phishing or whaling even easier.

Vulnerable biometrics

A very popular modality for biometric security is the human face. Our facial structures are all sufficiently different that it is fairly easy to find distinct and unique characteristics for everybody. Unfortunately, criminals are getting smarter.

At first they used a simple photograph, and that could fool primitive systems. Those same systems then added “living face” (liveness) detection to look for eye blinks, subtle head motion, muscle movement beneath the skin, and other cues. The criminals got even smarter.

CG imaging, which makes everything look so good in the movies, can now combine several different still photographs into a “living face” sufficient to fool these systems. Fortunately, it is difficult to bring CGI equipment into a typical office and set it up in front of a camera without somebody noticing.

The Takeaway

The war is on! Cybercriminals will continue to send their volleys against our fortifications and battlements. We’ll continue to build thicker barricades and higher walls to keep those larcenous plunderers at bay.

But no matter how much effort we expend on our side of the equation, we have to remember that the solution doesn’t lie in hardware or software, but rather in humanware. We have to keep our people informed, trained, and constantly reminded about the threat. There’s no better firewall than a human firewall.

If your humans need training, come and see us. We would be delighted to assist you in getting prepared to repel the cutthroats and pirates trying to relieve you of your property.

Drop by https://securityiq.infosecinstitute.com/ and try out the training for free. It’s interesting and fun enough to keep your employees’ attention. Remember, preparation is half the battle.

This really is important, so do it today—Fortune favors the prepared.

Section Guide: Ryan Fahey