Phishing Techniques: Similarities, Differences and Trends - Part I: (Mass) Phishing

March 1, 2013 by

Ivan Dimov

Introduction

The term "phishing" actually originated from the word fishing because the manner of attack defined by the term resembled fishing ever since its early invention. Namely, the criminal sets a particular "bait" (he impersonates a legitimate bank or other legitimate website such as PayPal or Facebook and requests that you enter sensitive data by pretending that you have to validate, verify, update your account or that there was suspicious activity so you have to "prove" that you are the owner of the account, etc...) to different users of the vast sea of the Internet, extracts the personal information given voluntarily (in most cases) by the ones that took the bait and uses it to commit malicious acts, whether it be identity theft, credit card fraud, or something else. Early phishers were using the symbol <>< to refer to phishing before the term was invented and due to the symbol's resemblance of a fish, the name was crafted. Later on, the symbol <>< incorporated not only stolen accounts and credit cards but other illegal activity as well.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

The "ph" spelling in "phishing" was most likely established to link the phishers with another underground community called phreakers (phreaking) which includes the early variant of hackers. Phreakers are not only the ones who learn about, investigate into or explore telecommunication systems but the word also includes persons who use the knowledge that they have gained in studying these systems for fraudulent, malicious use and illegal activities.

There are two different types of techniques associated with phishing. The first set of techniques relates to the method employed to obtain the sensitive information and convey the phishing message. (1) Such as whether the criminal disperses his message via email or instant messaging platform, whether he tries to obtain the information via malware (like a key-logger or trojan), whether he uses search engines to lure the victims or lures them via phone the second set of techniques relates to the type and the targets of the phishing attack (2) such as spear-phishing, the type of spear-phishing called whaling, clone phishing, reverse-phishing. This paper will focus mostly on the latter set of techniques.

Objects of examination in this paper

All phishers have one goal – to collect personal, sensitive, confidential or classified information and use it for material gains. However, the phishers strive to collect different type of information depending on the technique they employ. For instance, in the simplest form of phishing, (mass) criminals mostly aspire to drain your credit/debit card whereas in spear-phishing or whaling, criminals may desire to collect information such as a confidential government documents, firm's intellectual property or a list of clients or personnel of it; the criminal may even be a member of a rival firm or government or be hired by one. This rival can then attempt to misuse the information or sell it on the black market.

Such different sub-goals are examined amongst other things, such as the type and degree of information that the criminal must obtain to launch the attack using one of the techniques, how this information is acquired, the preferred method for the launch of the particular technique, types of victims sought by the different techniques, as well as the different customizations that are necessary to employ the technique and actions that ought to be taken for a phisher to be "successful" such as pharming.

All of these are objects of examination because they are the points where the phishing techniques differ or resemble each other.

Also, the trends in the usage of these techniques are shown with a discussion on why the technique or method is on the uptrend or downtrend.

Mass Phishing

The most common form of phishing is referred to above as mass phishing because there are no specific targets and the fraudulent social engineering technique is usually sent to myriad of people. Thus, no information gathering is necessary for the phishing attempt to be performed as the cyber-criminal disguises his message as coming from an entity used by many people (popular and/or global).

Only a small proportion of these people will actually be using the services of the bank, social media, e-commerce website, airline, credit card company or another entity that would be impersonated and, of those people, even a smaller percentage will open the email or message and follow the links or open the attachments provided there.

For instance, people who are not using the services of PayPal will disregard a phishing attempt where the cyber-criminal is impersonating PayPal staff. It has been estimated that 3% of the mass phishing emails are opened while 8 people out of 100,000 divulge their sensitive information to the phishers or install a malware which enables the cyber-criminal to access this information.

In mass phishing, browser and anti-virus blacklisting technologies are somewhat effective and this further reduces the chance of getting scammed, although they are comparatively ineffective against sophisticated phishing attempts such as spear-phishing and whaling, as they are highly customized and are unlikely to be found as generic spam. This is one of the reasons why mass phishing is said to be a thing of the past and no longer effective and targeted phishing is claimed to be the "new thing", but more on this in the spear-phishing section.

However, these anti-phishing blacklists remove only a small percent of the threats at hour zero. The average lifespan of a phishing website was around 23 hours and 10 minutes in the first half of 2012 but this does not mean that the phishing endeavor stops – it just moves to another website or starts to imitate another service provider.

23 hours are enough to entice many people and send a myriad of messages. To illustrate, a mass phishing attack, which disguised itself as a message from Nacha, the electronic payments association, sent 167 million phishing emails in just a day. Over the years, mass phishers have adopted manners of slowing the blacklisting process with toolkits such as a "Bouncer" (which adds a unique ID in every mail that is sent to a victim) and by other methods and tools, so to make their phishing endeavor last longer and earn more from it. It is estimated that a mass-phishing campaign costs around 2,000 dollars to run and yields 14,000 dollars profit.

Nowadays, mass phishers tend to represent popular and global websites and brands in order to increase their chances of being successful. This tendency has been steadily evolving. Look at the following table to see which were the top 10 brands targeted by phishers in January 2012.

As it can be seen above, January 2012 saw large bulk of phishing directed at Brazilian companies. In total, APGW alone detected 53,225 unique phishing websites in January 2012 and received 25,444 unique phishing e-mail reports. There were around 400 different brands targeted for phishing in the first quarter of 2012 alone.

Some of the brands that are targeted the most change every month so even statistics from last month cannot exactly pinpoint all brands that are going to be highly targeted in the upcoming month, though some remain relatively static. If the website is popular and global and can give a material gain to the phisher it is most likely to be chosen for phishing (for instance, PayPal). Statistics show that the number of brands impersonated is declining for the sake of more phishing attempts moving over to popular and global brands.

Usually, the top 20 targets account for a lot more than 50% of the total mass phishing (in the second half of 2011, the top 20 targets accounted for 78% of total phishing).

January 2013 saw reduction in total phishing where 1 in 508.6 emails were phishing compared to December 2012 where 1 email in 377.4 was phishing. This may prove the allegation that 2013 will see further reduction in mass phishing due to focus on spear-phishing techniques and even on whaling as these involve less but more individualized emails as they provide better returns on the phishers' investments.

The purpose of mass phishing is, in most cases, to gain fast profit and phishers strive to collect either information about your credit/debit card, bank account or other financial entity in the Internet and drain your money from these accounts or attempt to collect personal information for identity theft. Identity theft is a much more serious threat as it will enable cyber-criminals to open new lines of credit and ruin your credit rating, steal money from your existing bank accounts, establish services in your name (phone, Internet, etc…) which will be charged to you, establish bank accounts with your personal information and compose bad checks, apply for different loans (such as auto loans) in your name, make you pay for their tickets, bills and other uses. Thus, the consequences from mass phishing can be severe.

To drain your bank account or perform identity theft, the perpetrator of mass phishing may strive to collect information such as:

1. Name and Username
2. Address and phone number
3. Password/PIN
4. Debit/credit card number
5. CVC/CVV
6. Social security number
7. Bank account number

The mass phishing messages usually do not provide your name in the email but start with something like "Dear Valued Customer", "Dear User", "Dear Member" or another similar form of address.

You should expect no customization of the email, nothing that refers to you in particular and that targets you. Your account in the targeted brand would not be mentioned, as they write in bulk and probably do not have that information as well.

Most cyber-attacks are difficult to prepare and implement but mass phishing is not one of them. A person with relatively low technical knowledge can launch such a scam and collect the profits. Plus, one mass phishing campaign generally costs around 2,000 dollars to the phisher which is often affordable for beginner phishers/scammers.

Mass phishing appears to be on the downtrend because the more sophisticated phishing campaigns such as spear-phishing yield better success/fail ratio and yield more money in general. Also, because mass phishing campaigns are usually caught early and blacklisted, thus, their lifespan is short (less than a day). Another factor is that people are getting educated in basic cyber-crime attempts.

Sometimes, a sense of urgency to act for the victim is not necessary to perform a mass phishing campaign, although this is the most frequently employed method to lure and trick users. The method establishing a sense of urgency to act is the most used as it exploits the fears of people to make them take rash and ill-judged decisions. The criminals could try not to establish a sense of urgency to act, as in cases of most mass phishing attempts (claiming that your account would be deleted if you do not open a link and fill something or that your account is suspended and you need to do the above mentioned things to fix it, etc...), but to persuade them that they are simply lucky, that they have "won" something or that their help is needed from which they will greatly benefit.

For instance, a mass phishing scam impersonating the Brazil TAM Airlines claimed that the potential victim have won 10,000 miles TAM loyalty points (which could, if they were real, be used by users to travel 10,000 miles for free via the airlines) and provided a promotional code that he has to enter in a link on the email. The link leads to an imitation of the website of the airlines and asks for one's TAM Airlines username and password "before" he proceeds to get his prize which, if entered, will be used by phishers to buy plane tickets and other goodies.

Furthermore, technical knowledge might be largely superseded by creativity and imagination. This is proved by the infamous Nigerian scams which are present since the 1980's and some of them have transformed to phishing scams. Typically, the Nigerian scams create a sense of "luckiness and good fortune" instead of urgency to act.

But, in most cases, one of these two methods will be employed, although it could be also possible for the phisher to disguise himself as a trustworthy entity seeking feedback, opinions, recommendations or something similar which does not involve either of the two methods mentioned above, but still seeks to extract sensitive data from you by deceit.

As to the first set of techniques, phishing kits have become widely used tools for mass phishers to conduct their attacks. A phishing kit provides the scammer with pre-generated pages and emails for targeting popular and/or global brands, scripts for various scripting languages created to process the input of the phishes, web hosting, lists with proxy and email servers.

Some of the web hosting services provided in such phishing kits are claimed to be invulnerable in terms of being impossible to shut down by authorities.

These phishing kits are used by many of the phishers, and mass phishers in particular, as they further reduce the technical knowledge necessary to run such a malicious campaign and enable beginners to be successful.

Hence, an examination of them may prove useful in grasping the tactics implemented by mass phishers to seduce random Internet users.

The most common method of dispersing mass phishing messages is through email, but it could also happen via an instant messaging platform. Moreover, phishing could also be done via phone (although criminals tend to use Internet programs for voice communication to call phone numbers mainly in a consequential manner, such as Skype) and it is called vishing.

In the next part will discuss targeted phishing (spear-phishing and whaling), as well as reverse-phishing, vishing and clone phishing.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

References:

1. Phishing.org, 'History of Phishing'. Available at: http://www.phishing.org/history-of-phishing/ (Accessed 2/15/2013)
2. Wikipedia, 'Phishing'. Available at: http://en.wikipedia.org/wiki/Phishing (Accessed 2/16/2013)
3. Jeff Orloff, 'Phishing: A Look Inside the Statistics', September 5 2012. Available at: http://www.allspammedup.com/2012/09/phishing-a-look-inside-the-statistics/ (Accessed 2/16/2013)
4. Mike Lennon, 'Phishing Sites: Lifespan Decreases, Population Grows at Record Speed, Says APGW', October 25 2012. Available at: http://www.securityweek.com/phishing-sites-lifespan-decreases-population-grows-record-speed-says-apwg (Accessed 2/16/2013)
5. Zhannalight325, 'Email Spam and Phishing Trends 2011-2012', 2012. Available at: http://visual.ly/email-spam-and-phishing-trends-2011-2012 (Accessed 2/16/2013)
   Note: the statistics presented in reference 5 were extracted from symanteccloud.com and phishtank.com
6. APWG, 'APWG Phishing Attach Trends Reports'. Available at: http://www.apwg.org/resources/apwg-reports/ (Accessed 2/16/2013)
7. David Waterson, 'Shortcomings of anti-phishing blacklisting', February 4 2013. Available at: http://dwaterson.com/2013/02/04/shortcomings-of-anti-phishing-blacklisting/ (Accessed 2/16/2013)
8. Symantec.cloud, 'Symantec Intelligence Report: January 2013'. Available at: http://www.symanteccloud.com/mlireport/SYMCINT_2013_01_January.pdf (Accessed 2/16/2013)
9. National Science Foundation, 'Identity Theft'. Available at: http://www.nsf.gov/oig/identitytheft.pdf (Accessed 2/16/2013)
10. Net-Security, 'Mass phishing emails a thing of the past', December 04 2012. Available at: http://www.net-security.org/secworld.php?id=14058 (Accessed 2/21/2013)
11. Avi Turiel, 'Phishing attack targets frequent flyers of Brazilian airline TAM', April 09 2012. Available at: http://blog.commtouch.com/cafe/malware/phishing-attack-targets-frequent-flyers-of-brazilian-airline-tam/ (Accessed 2/21/2013)
12. Jason Milletary, 'Technical Trends in Phishing Attacks', 2005. Available at: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDIQFjAA&url=http%3A%2F%2Fwww.cert.org%2Farchive%2Fpdf%2FPhishing_trends.pdf&ei=YzEmUa2IOIXctAa004CgDA&usg=AFQjCNEAcFcHcw8M7XzCCmJf09GywR9HuA&sig2=Cs2G1Ipx2Z2PKH35hKmN_w&bvm=bv.42661473,d.Yms (Accessed 2/21/2013)
13. Microsoft support, 'Identify fraudulent e-mail and phishing schemes'. Available at: http://office.microsoft.com/en-us/outlook-help/identify-fraudulent-e-mail-and-phishing-schemes-HA001140002.aspx (Accessed 2/21/2013)
14. /spearphishing-a-new-weapon-in-cyber-terrorism/