By now, the risks associated with phishing are well-known and well-documented. What is often misunderstood or overlooked is a hidden threat related to phishing.

Brief Background

There are various forms of phishing, but each form has a similar objective: to elicit information from an unsuspecting victim (refer to this article for more details).

Phishing

Phishing is an attack wherein an attacker attempts to acquire sensitive information from a target, including usernames and passwords, personal identification information, or payment card information. This is typically done via email, but it can also be broadened to include watering hole attacks, wherein an attacker plants innocuous-looking links in places like discussion forums to entice victims to click.

Phishing tends to be blind, in that there is no specific target.

Spear Phishing

Spear phishing is similar to phishing, but it has a much better defined target. An attacker will typically perform some kind of reconnaissance on his intended victim, collecting information that will help personalize the phishing content so it looks more legitimate.

Spear phishing content will typically look as if it’s intended specifically for the target, using the target’s name, geographic cues, or other points of interest. For example, using social media profiles, an attacker could learn that a target is an active photographer. The attacker could send a spear phishing message to the target, apparently from a popular online photography retailer, saying that a bill for a recent camera lens purchase is past due. (A “double barrel” approach will add more legitimacy to this, which we’ll look at later.)

Whale Phishing (Whaling)

Like spear phishing, whale phishing is a targeted attack, but it specifically aimed at corporate officers or high-level executives. The content of these attacks is designed to arouse the interest or alarm of senior management, providing motivation for them to click the link.

Smishing (SMS phishing or SMiShing)

Smishing is a phishing attack that uses SMS (Short Message Service) to send text messages containing phishing content. A common technique is to use URL-shortening mechanisms (like bitly or tinyurl) to hide malicious URLs.

Credibility

Some phishing attempts are obviously more effective than others. Effectiveness to a large degree depends on how believable the content is. It’s easy to dismiss the Nigerian 419 class of scams, for example. It also might be easy to dismiss fake notifications from a bank that you don’t do business with. But what about the email about the past due notice from the online photography retailer? Even if you know you didn’t order that camera lens, it’s easy to second-guess yourself into believing that maybe you did or that maybe–ironically–you suspect that someone accessed your credit card or personal information and you want to follow up with the retailer by clicking on the link.

This is why shipping-related notifications are so effective, especially around holidays; victims can easily convince themselves that maybe they did ship something via UPS instead of FedEx, or that perhaps they didn’t order something for themselves but that they could be expecting something to be shipped to them instead.

The Double Barrel Approach

PhishMe uses a “Double Barrel” approach to increase the believability of phishing attacks. Let’s use the example of the camera lens bill from above. Instead of sending a past due notice, a double barrel approach would first send an innocuous email with the order confirmation. No malicious links or alarming content would be included; this email is intended to be the seed of credibility. An attacker later sends a follow-up email (a week, two weeks, whatever is appropriate) with a past-due notice; this email includes the malicious content. The seed had already been planted, so the follow-up email looks more credible. In PhishMe’s parlance, this gives the attack a “conversation” effect, and the target is more likely to fall prey to the attack if he is feels more engaged.

The Threats (Two Common and One Hidden)

The objectives associated with phishing attacks are varied, but they fall into three general categories.

Malware

One of the most popular threats is the downloading of malware onto the computer. Malware is a catch-all classification that can include:

Keyloggers

Used for tracking keystrokes of the victim

Ransomware

Used to “lock” the victim’s data in exchange for payment

Viruses or worms

Used to further infect a victim’s computer or network

Bots

Used to perform specific tasks like collecting or transmitting data; controlled by a botnet controller

Information-nabbing

The Washington Post attack in August of 2013 was successful because the link associated with the phishing email directed the Washington Post employee to what looked like the Post’s Outlook Web Access site:

Image credit KrebsOnSecurity.com

This attack sought email credentials, but the attack could have been for any site on which the target has an account or other sensitive information. This type of attack is commonly used with spear phishing; the attacker knows something about the target (think about the online photo retailer example) and uses that to build credibility with the target.

The Hidden Threat

For all of the threats that phishing is known for, one that hasn’t received much acknowledgment is geo-locating. A nefarious characteristic of this threat is that the target doesn’t even need to click a link to fall victim to the attack. This type of attack takes a cue taken from marketing emails: using a tracking image, usually a 1×1 pixel transparent image hidden somewhere in the body of an HTML email. In marketing terms, this lets the sender know that the message was viewed by the recipient. In phishing terms, it gets much more interesting than that.

Consider the fact that viewing an HTML resource (web page, image, JavaScript, stylesheet, etc.) leaves a digital fingerprint on the attacker’s web server. The log file below, for example, is from an Apache access log. The last two entries represent HTTP requests for “1×1.gif,” which is the embedded transparent image in a phishing email that the target unwittingly viewed:

111.74.122.19 – - [13/Jan/2014:14:14:52 -0500] “GET /manager/html HTTP/1.1″ 404 210

71.6.167.142 – - [13/Jan/2014:19:51:41 -0500] “GET / HTTP/1.1″ 404 16

183.60.244.46 – - [14/Jan/2014:05:17:33 -0500] “GET /tmui/login.jsp HTTP/1.1″ 404 212

183.60.244.29 – - [14/Jan/2014:05:17:36 -0500] “GET /tmui/login.jsp HTTP/1.1″ 404 212

183.60.244.30 – - [14/Jan/2014:05:17:41 -0500] “GET /tmui/login.jsp HTTP/1.1″ 404 212

183.60.244.37 – - [14/Jan/2014:05:17:51 -0500] “GET /tmui/login.jsp HTTP/1.1″ 404 212

183.60.243.187 – - [14/Jan/2014:05:18:11 -0500] “GET /tmui/login.jsp HTTP/1.1″ 404 212

119.9.74.172 – - [14/Jan/2014:05:49:26 -0500] “GET / HTTP/1.0″ 404 16

162.243.119.47 – - [14/Jan/2014:09:19:35 -0500] “GET / HTTP/1.1″ 404 16

58.64.155.116 – - [14/Jan/2014:11:14:42 -0500] “GET /manager/html HTTP/1.1″ 404 210

163.247.46.15 – - [14/Jan/2014:13:37:24 -0500] “HEAD / HTTP/1.0″ 404 -

173.244.215.194 – - [14/Jan/2014:15:45:59 -0500] “GET / HTTP/1.0″ 404 16

111.74.122.19 – - [14/Jan/2014:18:20:18 -0500] “GET /manager/html HTTP/1.1″ 404 210

198.20.69.74 – - [14/Jan/2014:22:52:20 -0500] “GET / HTTP/1.1″ 404 16

198.20.69.74 – - [14/Jan/2014:22:52:20 -0500] “GET /robots.txt HTTP/1.1″ 404 208

58.64.155.116 – - [15/Jan/2014:06:39:55 -0500] “GET /manager/html HTTP/1.1″ 404 210

209.126.230.76 – - [15/Jan/2014:08:18:02 -0500] “GET / HTTP/1.0″ 404 16

173.73.85.84 – - [17/Jan/2014:14:11:59 -0500] “GET /img/1×1.gif?userid=566235 HTTP/1.1″ 200 4121

174.236.199.25 – - [17/Jan/2014:17:52:21 -0500] “GET /img/1×1.gif?userid=566235 HTTP/1.1″ 200 4121

In this case, an attacker appended a userid parameter to uniquely identify the victim. The true worth of this request, however, is the IP address.

What an attacker now knows:

  1. Using a web site like http://geomaplookup.net/?ip=173.73.85.84, an attacker can see that the first of the last two IP addresses resolves to the Washington, D.C., area. An attacker now knows generally where the victim was at the time the email was viewed.

  1. The IP address resolves to pool-173-73-85-84.washdc.fios.verizon.net, so the victim was accessing the internet using Verizon FiOS, most likely from home.
  2. The last IP address resolves to 25.sub-174-236-199.myvzw.com, which is a Verizon Wireless mobile host. The victim left home and then hopped in the car.

With this information, the attacker can follow the victim’s progress, assuming that the victim views his email along the way and leaves digital breadcrumbs.

This geo-location information is useful for information gathering, among other purposes. Given the information above, an attacker could craft spear phishing emails claiming to be from Verizon or from a local retailer. The purpose of using this information is to establish credibility with the target and entice him or her to click a link or visit a malicious website.

Keep in mind that this information was gathered from the victim’s simply viewing the HTML email; no links were clicked. From a web server’s perspective, viewing an HTML resource is indistinguishable from clicking a link.

Information Gathering

When a victim clicks a link in a phishing link, in addition to the IP address information discussed above, the attacker can gather other characteristics about the client that the victim used to click the link.

For example, consider the following table based on a victim’s interaction with a phishing link:

Clicked

IP

Browser

Flash

Java

12/02/13 7:08 AM

173.73.85.84

Internet Explorer 8.0

11.9.900.117

1.7.0_45

What an attacker now knows:

  1. The victim is using Windows, possibly an unpatched version.
  2. The victim is using an outdated version of Internet Explorer.
  3. The victim is using an unpatched version of Flash.
  4. The victim is using an unpatched version of Java.

From this information, the attacker can use a more directed attack against the target using a product-specific exploit against the target’s operating system, browser, Flash, or Java.

Putting It All Together

In the illustration below, an attacker sends a simple lure that doesn’t include any nefarious content other than a tracking image. By viewing the email, the target divulges the name of his home internet service provider. Fresh with this knowledge, the attacker crafts a credible-looking spear phishing email that solicits payment information from the internet service provider. Pressed by fear, the victim obliges by providing payment information to a credible-looking payment web page crafted by the attacker.

Icons courtesy http://www.designcontest.com,

Used by permission using http://creativecommons.org/licenses/by/3.0.

In this scenario, the attacker solicited payment information, but the attacker could instead have requested any other type of information or could have planted malware onto the victim’s machine. The point is that the attacker was able to persuade the victim to view the lure and use that information to create a believable spear phishing attack.

Protecting Yourself

Organizations typically lean on education and awareness to teach employees how to identify potential phishing attacks. The refrain is heard often enough: don’t click suspicious links (knowing what to look for can be the hard part!). To avoid the hidden threat of geo-location tracking, however, HTML images should not be viewed. Most email clients enable this feature by default, putting users at risk. The following are examples of how to disable this setting in popular email clients.

iOS

To turn off this feature in iOS, turn off the “Load Remote Images” option in the “Mail, Contacts, Calendars” setting:

Image loading setting in iOS

Android

In Android, this is managed through a mail client, like the Gmail app:

Image loading setting in Gmail for Android

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

Outlook

The setting for Outlook 2013 is buried under “Options” | “Trust Center” | “Trust Center Settings” | “Automatic Download”:

Image loading setting in Outlook

Whatever mail client is used, look for a setting similar to the above examples.

Conclusion

What can start as a basic phishing attack can turn into something much more specific and personal. An important risk to know about is that employees might think of a phishing attack as something that threatens the company’s computer or network. When an employee checks company email from home or from mobile phones, the threat becomes much different; even if the employee is viewing a company email, the attacker can gain access to the employee’s home computer and network.

Successful attacks rely on the psychology of phishing. Relevant content is more credible than generic content, and personal content is even more convincing. Attackers are continually tuning their craft and can produce some impressive spear phishing attacks given the appropriate research on their target.

Further, psychologists have demonstrated that the fear of loss is greater than the potential for gain (Kahneman, 2011). This explains why content based on past due notices can be more successful than content based on a winning sweepstakes entries.

Simple defenses like not viewing HTML images in email messages can go a long way in protecting your privacy and securing your computing devices.

Resources

CryptoLocker Ransomware”

http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/

Geocoding Router Log Data”

http://resources.infosecinstitute.com/geocoding-router-log-data/

Kahneman, D. (2011). Thinking, Fast and Slow. New York City: Farrar, Straus and Giroux.

“Spear phishing led to DNS attack against the New York Times, others”

http://www.pcworld.com/article/2047628/spear-phishing-led-to-dns-attack-against-the-new-york-times-others.html

“The Double Barrel: PhishMe trains users to avoid conversational phishing”

http://phishme.com/the-double-barrel-phishme-trains-users-to-avoid-conversational-phishing

“Washington Post Site Hacked After Successful Phishing Campaign”

http://krebsonsecurity.com/2013/08/washington-post-site-hacked-after-successful-phishing-campaign/