Hidden Phishing Threats
By now, the risks associated with phishing are well-known and well-documented. What is often misunderstood or overlooked is a hidden threat related to phishing.
There are various forms of phishing, but each form has a similar objective: to elicit information from an unsuspecting victim (refer to this article for more details).
Phishing simulations & training
Phishing is an attack wherein an attacker attempts to acquire sensitive information from a target, including usernames and passwords, personal identification information, or payment card information. This is typically done via email, but it can also be broadened to include watering hole attacks, wherein an attacker plants innocuous-looking links in places like discussion forums to entice victims to click.
Phishing tends to be blind, in that there is no specific target.
Spear phishing is similar to phishing, but it has a much better defined target. An attacker will typically perform some kind of reconnaissance on his intended victim, collecting information that will help personalize the phishing content so it looks more legitimate.
Spear phishing content will typically look as if it's intended specifically for the target, using the target's name, geographic cues, or other points of interest. For example, using social media profiles, an attacker could learn that a target is an active photographer. The attacker could send a spear phishing message to the target, apparently from a popular online photography retailer, saying that a bill for a recent camera lens purchase is past due. (A "double barrel" approach will add more legitimacy to this, which we'll look at later.)
Whale Phishing (Whaling)
Like spear phishing, whale phishing is a targeted attack, but it specifically aimed at corporate officers or high-level executives. The content of these attacks is designed to arouse the interest or alarm of senior management, providing motivation for them to click the link.
Smishing (SMS phishing or SMiShing)
Smishing is a phishing attack that uses SMS (Short Message Service) to send text messages containing phishing content. A common technique is to use URL-shortening mechanisms (like bitly or tinyurl) to hide malicious URLs.
Some phishing attempts are obviously more effective than others. Effectiveness to a large degree depends on how believable the content is. It's easy to dismiss the Nigerian 419 class of scams, for example. It also might be easy to dismiss fake notifications from a bank that you don't do business with. But what about the email about the past due notice from the online photography retailer? Even if you know you didn't order that camera lens, it's easy to second-guess yourself into believing that maybe you did or that maybe--ironically--you suspect that someone accessed your credit card or personal information and you want to follow up with the retailer by clicking on the link.
This is why shipping-related notifications are so effective, especially around holidays; victims can easily convince themselves that maybe they did ship something via UPS instead of FedEx, or that perhaps they didn't order something for themselves but that they could be expecting something to be shipped to them instead.
The Double Barrel Approach
PhishMe uses a "Double Barrel" approach to increase the believability of phishing attacks. Let's use the example of the camera lens bill from above. Instead of sending a past due notice, a double barrel approach would first send an innocuous email with the order confirmation. No malicious links or alarming content would be included; this email is intended to be the seed of credibility. An attacker later sends a follow-up email (a week, two weeks, whatever is appropriate) with a past-due notice; this email includes the malicious content. The seed had already been planted, so the follow-up email looks more credible. In PhishMe's parlance, this gives the attack a "conversation" effect, and the target is more likely to fall prey to the attack if he is feels more engaged.
The Threats (Two Common and One Hidden)
The objectives associated with phishing attacks are varied, but they fall into three general categories.
One of the most popular threats is the downloading of malware onto the computer. Malware is a catch-all classification that can include:
Used for tracking keystrokes of the victim
Used to "lock" the victim's data in exchange for payment
Viruses or worms
Used to further infect a victim's computer or network
Used to perform specific tasks like collecting or transmitting data; controlled by a botnet controller
The Washington Post attack in August of 2013 was successful because the link associated with the phishing email directed the Washington Post employee to what looked like the Post's Outlook Web Access site:
Image credit KrebsOnSecurity.com
This attack sought email credentials, but the attack could have been for any site on which the target has an account or other sensitive information. This type of attack is commonly used with spear phishing; the attacker knows something about the target (think about the online photo retailer example) and uses that to build credibility with the target.
The Hidden Threat
For all of the threats that phishing is known for, one that hasn't received much acknowledgment is geo-locating. A nefarious characteristic of this threat is that the target doesn't even need to click a link to fall victim to the attack. This type of attack takes a cue taken from marketing emails: using a tracking image, usually a 1x1 pixel transparent image hidden somewhere in the body of an HTML email. In marketing terms, this lets the sender know that the message was viewed by the recipient. In phishing terms, it gets much more interesting than that.
184.108.40.206 - - [13/Jan/2014:19:51:41 -0500] "GET / HTTP/1.1" 404 16
220.127.116.11 - - [14/Jan/2014:05:17:33 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
18.104.22.168 - - [14/Jan/2014:05:17:36 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
22.214.171.124 - - [14/Jan/2014:05:17:41 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
126.96.36.199 - - [14/Jan/2014:05:17:51 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
188.8.131.52 - - [14/Jan/2014:05:18:11 -0500] "GET /tmui/login.jsp HTTP/1.1" 404 212
184.108.40.206 - - [14/Jan/2014:05:49:26 -0500] "GET / HTTP/1.0" 404 16
220.127.116.11 - - [14/Jan/2014:09:19:35 -0500] "GET / HTTP/1.1" 404 16
18.104.22.168 - - [14/Jan/2014:11:14:42 -0500] "GET /manager/html HTTP/1.1" 404 210
22.214.171.124 - - [14/Jan/2014:13:37:24 -0500] "HEAD / HTTP/1.0" 404 -
126.96.36.199 - - [14/Jan/2014:15:45:59 -0500] "GET / HTTP/1.0" 404 16
188.8.131.52 - - [14/Jan/2014:18:20:18 -0500] "GET /manager/html HTTP/1.1" 404 210
184.108.40.206 - - [14/Jan/2014:22:52:20 -0500] "GET / HTTP/1.1" 404 16
220.127.116.11 - - [14/Jan/2014:22:52:20 -0500] "GET /robots.txt HTTP/1.1" 404 208
18.104.22.168 - - [15/Jan/2014:06:39:55 -0500] "GET /manager/html HTTP/1.1" 404 210
22.214.171.124 - - [15/Jan/2014:08:18:02 -0500] "GET / HTTP/1.0" 404 16
126.96.36.199 - - [17/Jan/2014:14:11:59 -0500] "GET /img/1x1.gif?userid=566235 HTTP/1.1" 200 4121
188.8.131.52 - - [17/Jan/2014:17:52:21 -0500] "GET /img/1x1.gif?userid=566235 HTTP/1.1" 200 4121
In this case, an attacker appended a userid parameter to uniquely identify the victim. The true worth of this request, however, is the IP address.
What an attacker now knows:
- Using a web site like http://geomaplookup.net/?ip=184.108.40.206, an attacker can see that the first of the last two IP addresses resolves to the Washington, D.C., area. An attacker now knows generally where the victim was at the time the email was viewed.
- The IP address resolves to pool-173-73-85-84.washdc.fios.verizon.net, so the victim was accessing the internet using Verizon FiOS, most likely from home.
- The last IP address resolves to 25.sub-174-236-199.myvzw.com, which is a Verizon Wireless mobile host. The victim left home and then hopped in the car.
With this information, the attacker can follow the victim's progress, assuming that the victim views his email along the way and leaves digital breadcrumbs.
This geo-location information is useful for information gathering, among other purposes. Given the information above, an attacker could craft spear phishing emails claiming to be from Verizon or from a local retailer. The purpose of using this information is to establish credibility with the target and entice him or her to click a link or visit a malicious website.
Keep in mind that this information was gathered from the victim's simply viewing the HTML email; no links were clicked. From a web server's perspective, viewing an HTML resource is indistinguishable from clicking a link.
When a victim clicks a link in a phishing link, in addition to the IP address information discussed above, the attacker can gather other characteristics about the client that the victim used to click the link.
For example, consider the following table based on a victim's interaction with a phishing link:
12/02/13 7:08 AM
Internet Explorer 8.0
What an attacker now knows:
- The victim is using Windows, possibly an unpatched version.
- The victim is using an outdated version of Internet Explorer.
- The victim is using an unpatched version of Flash.
- The victim is using an unpatched version of Java.
From this information, the attacker can use a more directed attack against the target using a product-specific exploit against the target's operating system, browser, Flash, or Java.
Putting It All Together
In the illustration below, an attacker sends a simple lure that doesn't include any nefarious content other than a tracking image. By viewing the email, the target divulges the name of his home internet service provider. Fresh with this knowledge, the attacker crafts a credible-looking spear phishing email that solicits payment information from the internet service provider. Pressed by fear, the victim obliges by providing payment information to a credible-looking payment web page crafted by the attacker.
Icons courtesy http://www.designcontest.com,
Used by permission using http://creativecommons.org/licenses/by/3.0.
In this scenario, the attacker solicited payment information, but the attacker could instead have requested any other type of information or could have planted malware onto the victim's machine. The point is that the attacker was able to persuade the victim to view the lure and use that information to create a believable spear phishing attack.
Organizations typically lean on education and awareness to teach employees how to identify potential phishing attacks. The refrain is heard often enough: don't click suspicious links (knowing what to look for can be the hard part!). To avoid the hidden threat of geo-location tracking, however, HTML images should not be viewed. Most email clients enable this feature by default, putting users at risk. The following are examples of how to disable this setting in popular email clients.
To turn off this feature in iOS, turn off the "Load Remote Images" option in the "Mail, Contacts, Calendars" setting:
Image loading setting in iOS
In Android, this is managed through a mail client, like the Gmail app:
Image loading setting in Gmail for Android
The setting for Outlook 2013 is buried under "Options" | "Trust Center" | "Trust Center Settings" | "Automatic Download":
Image loading setting in Outlook
Whatever mail client is used, look for a setting similar to the above examples.
What can start as a basic phishing attack can turn into something much more specific and personal. An important risk to know about is that employees might think of a phishing attack as something that threatens the company's computer or network. When an employee checks company email from home or from mobile phones, the threat becomes much different; even if the employee is viewing a company email, the attacker can gain access to the employee's home computer and network.
Successful attacks rely on the psychology of phishing. Relevant content is more credible than generic content, and personal content is even more convincing. Attackers are continually tuning their craft and can produce some impressive spear phishing attacks given the appropriate research on their target.
Further, psychologists have demonstrated that the fear of loss is greater than the potential for gain (Kahneman, 2011). This explains why content based on past due notices can be more successful than content based on a winning sweepstakes entries.
Simple defenses like not viewing HTML images in email messages can go a long way in protecting your privacy and securing your computing devices.
Kahneman, D. (2011). Thinking, Fast and Slow. New York City: Farrar, Straus and Giroux.
"Spear phishing led to DNS attack against the New York Times, others"
"The Double Barrel: PhishMe trains users to avoid conversational phishing"
"Washington Post Site Hacked After Successful Phishing Campaign"
See Infosec IQ in action