TechNewsWorld.com
Exploits & Vulnerabilities

Teach a Man to Phish and He'll Feed on Fools for a Lifetime


Phishing -- trying to trick an e-mail recipient into clicking here, downloading that file or going to this Web site -- is one of the oldest social engineering tricks in the book. It's been around so long mostly because it still seems to work -- and it's getting increasingly sophisticated. "This isn't malware for the masses anymore," said Jeff Green, senior vice president of McAfee's Avert Labs.

Phishing is a tactic known to malicious hackers ever since the first one crawled out of a swamp and onto dry land. It's another variation on social engineering. The phisher's goal is to get people to open themselves up to technical vulnerabilities through nontechnical means. However, even though most e-mail users have become more savvy about obvious scams, phishing is evolving.

Why do phishing attacks continue to work when e-mail users are constantly warned about identity theft? Because phishers go where the money is, just like bank robbers.

Phishers know that an e-mail bombardment of convincing messages leads them to that money. Phishers also know that a reliable percentage of e-mail recipients will always click on an embedded link. Once that happens, the phony Web site to which the link leads will catch consumers off guard. Out of the thousands or millions of people who receive a phisher's bait, a handful are all too willing to provide their personal information to comply with the supposed bank or investment company's request to confirm an event.

Even if the consumer is smart enough to resist the urge to enter account information, log-on details and other pertinent personal data, the damage is already done. The embedded link has already taken the sucker to a Web site that probably installs malware to track browsing and log keystrokes.

"Phishers wouldn't still be doing these things if they didn't work," Paul Piccard, director of threat research at Webroot, told TechNewsWorld.

No Reinventing the Wheel

Phishers rarely spend too much time thinking up new scams. Why should they, when the old ones continue to work? In fact, they work so well that Piccard said he rarely sees much innovation. However, when innovation does occur, the new trick raises the phishing bar to new levels.

Like other security software firms, Webroot constantly researches e-mail spam and compiles lists of phishing Web sites. That work is very challenging, Piccard said, because some attackers unleash their e-mail attacks over a few hours and then disappear.

Phishers use three sources of e-mail dissemination with impunity. One common outlet is a hacked domain. The Web site operator does not know his or her server is hosting phishing attacks. A second common source for phishing attacks is a Web site domain the criminals actually own.

Similar to using a hacked domain is the third most typical delivery route used by phishers: They send out their e-mail attacks from thousands of compromised computers already part of a botnet of zombie computers. The individual businesses and personal computer users do not know that their machines are infected with malware to allow remote access and control.

Newest Phishing Lure

Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits, according to a new McAfee report released Feb. 21. One of the newest tricks of the phishing trade is capitalizing on regional lures. Part of this new tactic involves creating malware that is specific to each country.

"This isn't malware for the masses anymore," said Jeff Green, senior vice president of McAfee's Avert Labs. "Cyber-crooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They're not skilled just at computer programming -- they're skilled at psychology and linguistics, too."

This means that e-mail recipients are sometimes unable to spot obvious phishing attempts by the bad grammar and awkward phrases that made earlier messages laughable. It also means that those on the receiving end of phishing attacks are more likely to be caught unaware if they go clicking on links provided in the message.

Latest Findings

McAfee's researchers have identified several new phishing trends designed to lure the unsuspecting e-mail recipients to new sources of malware. Besides the increase in regionalized malware, more phishing attacks are tailored to different cultures and adjust the social engineering tactics to suit the locale, according to the report.

"Malware has become more regional in nature during the past couple of years," said Green. "This trend is further evidence that today's cyberattacks are targeted and driven by a financial motive, instead of the glory and notoriety of yesteryear's cyber-graffiti and fast-spreading worms. We're in a constant chess match with malware authors, and we're prepared to counter them in any language they're learning to speak."

In addition to regional ploys targeting the United States, today's malware includes elements of malicious software seen around the world. Attackers use increasingly clever social engineering skills to trick victims and are looking to exploit the viral nature of Web 2.0, according to McAfee's report.

Although the United States has cybercrime laws in place, the lack of international cybercrime laws and the differences in extradition treaties make it difficult for enforcement agents to prosecute criminals across borders, the report concludes.

Going for the Phishing Gold

Look no further than the upcoming Beijing Olympics for a glaring example of the innovation today's phishers use. Targeted e-mail attacks crafted with the help of social engineering have convinced e-mail recipients to pass the malicious messages on to others, according to software security firm MessageLabs.

Follow this sequence of events to see how daring the phishers have become: On Feb. 13, a MessageLabs customer received a document containing a targeted Trojan from a trusted business partner. The e-mail appeared to have originated from the servers of an Olympic committee and contained attached documents related to security setups for the Beijing Olympic Games. The writers of this phishing attack homed in on content relevant to the recipients.

Opening the attachments activated a flaw in Microsoft (Nasdaq: MSFT) Word. This caused the hidden malware to silently extract and run malicious code. It appears that the attackers did not create the initial document. Instead, they actually found documents with useful information relevant to the target and added malware to it. This decreased any suspicion about its content, according to MessageLabs.

Spear Phishing

This scenario shows the latest innovation in the so-called phishing industry. Part of the problem in dealing with phishing attacks is their ever-changing nature.

"Phishing continues to evolve in new ways. Spear phishing is the newest approach," Brian Lapidus, chief operating officer of Kroll's Fraud Solutions, told TechNewsWorld.

In order for spear phishing to work, the phishers need advanced insight into their potential victims. This kind of phishing requires incredible levels of targeting, he explained. The phishers need to know key details about their potential victims.

New Tactics

The old defensive standard was that a legitimate message should contain the recipient's full name. Now phishers have that information along with the look-alike company names and Web sites. The old protective rules also said you could tell the real destination of a link by hovering the pointer over it. Not so anymore, security experts warn.

"Now phishers have raised the bar by overwriting the real URL (uniform resource locator)," Jim Stickley, CTO of Trace Security, told TechNewsWorld. "Now names mean nothing in a message. Name grabber tools today are very sophisticated. They can match up name fragments found in a database."
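The hover check the experts above say can no longer be trusted is one a mail gateway can still apply mechanically, before the message reaches a reader: compare where each link says it goes with where its href really goes. The script below is an added example, not code from the article or from any company quoted in it. The e-mail body, the brand domain `example-bank.com` and every other host name in it are constructed placeholders, and the last-two-labels domain approximation is a stand-in for a proper public-suffix lookup.

```python
"""Flag links in an HTML e-mail whose visible text disagrees with the real destination.

Added illustration, not from the article. The sample body and all host names
in it are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an honest link, a link whose visible text shows the bank's
# domain while the href points elsewhere, and a "click here" link to a raw IP.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your recent activity.</p>
<a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>
<a href="http://login.example-bank.com.attacker-placeholder.net/verify">
  https://www.example-bank.com/verify</a>
<a href="http://198.51.100.7/setup">Click here to set your security question</a>
"""

# Does the anchor's visible text itself look like a URL or bare domain?
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(text):
    """Host part of a URL or bare domain string ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return urlsplit(text).hostname or ""


def registrable_domain(host):
    """Last two labels as a crude stand-in for the registrable domain (no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_links(html, expected_domain):
    """Return one verdict per link: ok, ip_literal, text_host_mismatch or offbrand_destination."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        href_host = host_of(href)
        href_domain = registrable_domain(href_host)
        if IPV4.match(href_host):
            verdict = "ip_literal"            # brands do not link to bare IPs
        elif URL_LIKE.match(text) and registrable_domain(host_of(text)) != href_domain:
            verdict = "text_host_mismatch"    # the 'hover check', done by machine
        elif href_domain != expected_domain.lower():
            verdict = "offbrand_destination"  # claims the brand, lands elsewhere
        else:
            verdict = "ok"
        results.append({"href": href, "text": text, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in analyse_links(SAMPLE_EMAIL, "example-bank.com"):
        print(f"{r['verdict']:22} {r['href']}")
```

Run against the constructed body, the first link is reported `ok`, the second `text_host_mismatch` (the displayed bank URL sits on a different registrable domain than the href) and the third `ip_literal`. A gateway would quarantine or rewrite anything other than `ok`; the expected brand domain comes from whichever sender the message claims to be.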

One of the newest phishing attack tricks involves a multi-factor scam. Phishers have added what appears to be a layer of security. The person landing on the phony Web site after clicking an embedded link in a fictitious e-mail message from a bank or business is directed to select a security question and answer. Messages direct the recipient to click on a link to take them to the setup page.

"This is really convincing looking. Recipients have to ignore it all and wait for a phone call from the company. I don't trust anything I get in e-mail anymore," Stickley said.
