Phishing is an attack whereby an attacker attempts to acquire sensitive information from a target, including usernames and passwords, personal identification information or payment card information. Phishing techniques include bogus emails and websites, malicious links and malware.
It was around 2006 that cyber criminals realized the value of using phishing networks. Using networks, phishers could exchange useful information, have easy access to buyers and sellers of hacked information and collaborate with phishing colleagues who have specialized skills including good grammar and proper spelling.
How do phishing networks operate?
Christopher Abad, a research scientist at Cloudmark, did some research to deconstruct a typical phishing network and its gang members in 2005. He showed how the infrastructure of these networks is designed to accommodate all the resources the gang needs and pointed out the corresponding specialist that handles each of these resources.
Mass emailers – Individuals who specialize in sending out large volumes of e-mail hoping to get an initial response. These guys have good grammar and spelling skills.
Template providers – Designers who specialize in creating a legitimate look and feel for fake financial (and other) institution emails and websites.
Server managers – IT specialists who manage the network’s servers.
Cashers – Buyers of financial information that can be used to generate bogus ATM cards and other financial frauds.
Bots – A bot (short for robot) is a software application that runs automated tasks (scripts) over the internet. Bots are used to join chat rooms like Internet Relay Chat (IRC) and can be remotely controlled by attackers.
How do they do it?
In the case of the infamous Avalanche group, they used a botnet (short for robot + network) of hijacked PCs to host their own sites, usually impersonations of branded sites. These fake sites were used to trick people into entering personal information like credit card numbers and IDs. A Kaspersky spam report found that about 40% of phishing attacks in 2009 were carried out by impersonating PayPal and 30% the IRS.
Online fraud has low start-up costs so snaring only a few victims can turn a huge profit for a phisher. Phishers use phishing packages, like the RockPhish toolkit, to deploy entire networks of phishing sites on cracked web servers. These packages are freely available online but phishing networks have the available specialization needed to create their own packages.
Members with other specialist skills focus on different areas of the operation, like gathering information, using the identities stolen to develop new attack strategies, selling stolen information and laying down false trails. Members of phishing networks move fast, changing personas and reinventing themselves continuously which makes them difficult to track.
Chat rooms are an ideal venue for phishers to meet their victims. People are vulnerable in chat rooms; their primary objective is to meet people and chat with them, which inevitably involves some sharing of personal information.
In March 2013 Symantec reported a scam where phishers used a fake Asian chat application on a phishing site hosted on a free web hosting site. According to the instructions, after the user enters their login information they will be able to chat with Pakistani and Indian girls for free. The price: the theft of the victim’s login credentials by the phishers.
In a 2015 Wall Street Journal article, Jason Zweig interviewed the authors – George A. Akerlof and Robert J. Shiller – of “Phishing for Phools: The Economics of Manipulation and Deception.” Their basic thesis is that the free market isn’t merely the best mechanism ever devised to provide people with what they want, it is also the best mechanism ever devised to provide people with what they don’t want.
The reasoning is that free markets can create fertile opportunities to profit from dishonesty. In short, aside from minimal marketing, technological, and behavioral knowledge, phishing is not all that difficult. Scamming is more than exploiting people’s ignorance of how the internet works; it’s psychological warfare that often attempts to profit from people’s baser motivations.
A botnet is a collection of compromised PCs – each operating on its own in a fashion similar to the mythical Trojan Horse – controlled remotely by an attacker. Botnets generally are created by a specific attacker or phishing network using one piece of malware to infect a large number of machines. The individual PCs that are part of a botnet are often called “bots” or “zombies”.
Most home computers run Microsoft Windows and often are not properly patched or secured behind a firewall, making them vulnerable. Hijacking a single computer has great value for an individual phisher but phishing networks operate on a much larger scale where the stakes are higher. Hijacking large numbers of computers and networking them so they can all be controlled at once provides opportunities to attack large organizations, stealing sensitive data and either holding it ransom or selling it. Successful attacks on government, the military and financial institutions can be extremely lucrative. Specialists in phishing networks use command-and-control (C&C) servers to direct, manage and monitor attacks.
How do they do it?
Attackers infect individual PCs and link them to a botnet using various techniques like drive-by downloads and email.
Drive-by downloads: Phishing networks find a website with some sort of security vulnerability (they have members whose primary function is to uncover these vulnerabilities) or create their own fake website. Malware is loaded onto the site and rigged to exploit security vulnerabilities in web browsers, applications and operating systems, etc. Surfers are redirected to malware-infested sites controlled by the attackers where the bot code is downloaded and installed on the user’s machine. To combat this type of phishing, as Bing and other search engines index the web, pages are assessed for malicious elements or malicious behavior. Because the owners of compromised sites are usually victims themselves, the sites are not removed from the Bing index. Instead, clicking the link in the list of search results displays a prominent warning, saying that the page may contain malicious software.
Trojan horse: This malware, often attached to an email, installs code that allows the computer to be commanded and controlled by the botnet’s operator. It often masquerades as or hides inside legitimate software.
Email: The network’s email specialist sends out a large batch of spam that may include malicious links to websites where malware can be downloaded to an unsuspecting user’s machine, or malicious attachments such as infected PDFs.
Why do they do it?
Malicious botnets are used to:
Send out phishing emails, spam and malicious links to gather personal information. Phishers use stolen identities to make online purchases, run up credit card debts and attack a victim’s contacts.
Execute Distributed Denial of Service (DDoS) attacks, which involve sending huge amounts of traffic to a specific website in an effort to knock the site offline. Sometimes these attacks are a sly way to disguise deeper attacks on financial and government institutions.
Steal confidential information from an organization or government and threaten to destroy the data if the ransom is not paid within a specified period of time. They may also sell the information to political activists and terrorist organizations.
Manipulate online polls and product “likes”. Since every bot has a distinct IP address, every vote could have the same credibility as a vote cast by a real person.
Phishing networks have the resources to send out millions of fake emails every day. They have members with the skills to create increasingly sophisticated fake websites and emails that look like they come from legitimate companies.
Chat room safety
Don’t click on links in messages from someone you haven’t actually met. Ever.
If you receive a message from someone you know and it contains a link, type the address of the authentic website in a new browser window rather than clicking on the link. One of the anti-phishing techniques used to identify link manipulation is to move the mouse over the link to view the actual address. You’ll see the actual address in a pop-up or in the status bar at the bottom left of your window (depending on the browser you’re running).
Always ensure you have an httpS (Secure) connection and that there is a lock symbol in the address bar.
Don’t use your real name in chat rooms and divulge as little personal information as possible; that includes uploading photographs of yourself, your pet or family, your new car (phishers may consider your plate number useful information) or your home.
Keep your software and browsers up to date and free of malware.
Choose strong passwords; a weak password is easily broken by a botnet.
Install an anti-malware program.
Never turn off your firewall, even – especially – if you receive a message that the firewall is preventing the execution of some process or download of software.
Don’t click on links from sources you don’t know and trust. Be cautious even if you know the source; they may inadvertently be sending you a malicious link.
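The hover check and the HTTPS check from the tips above can be automated for messages received as HTML. The following is an added example, not part of the original article: it lists links whose visible text names a different host than the real destination, and links that do not use HTTPS. The function names and the sample message are constructed for illustration, and all hosts are reserved example domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Matches link text that itself looks like a URL or bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

def host_of(url):
    """Lower-cased host without a leading 'www.'; bare hosts are treated as http."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    """Collects (visible text, href) for every <a> element in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Return (text, href, reason) for links that deserve a second look."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            findings.append((text, href, "text shows a different host than the link"))
        elif urlsplit(href).scheme == "http":
            findings.append((text, href, "destination is not HTTPS"))
    return findings

# Constructed sample message (not taken from a real campaign).
SAMPLE = ('<p>Hi! <a href="http://login.example.net/verify">www.example.com/account</a> '
          'or see <a href="https://www.example.com/help">our help page</a>, '
          'or <a href="http://chat.example.org/">join the chat</a>.</p>')
```

A clean result only means the text and destination agree; a link that is consistent and served over HTTPS can still lead to a fake site, so the other tips in this list still apply.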
It’s not just the less tech-savvy; even IT professionals get fooled. Use the internet to research the credentials of the chat site or social networks you’re using and keep abreast of current scams. Security specialists like Infosec Institute have resources to help you. Sign up for a free account at http://securityiq.infosecinstitute.com/ to browse their videos and test just how phishing savvy you really are.