Phishing and pharming
By Paul Gartside, McAfee Inc
Phishing attacks use both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social engineering involves schemes using spoofed e-mails to lead consumers to counterfeit websites that are designed to trick recipients into divulging personal and financial data.
Over the past year, the number of phishing attacks has increased at an alarming rate. The bait for these attacks is usually delivered by email. Spam emails ask the reader to update personal and confidential information under the guise of “improving security systems” or because a potential breach of information has occurred.
The estimates for how much money is lost through phishing attacks vary widely. The Australian Bankers Association reported A$10 million lost due to online fraud last year. It has been estimated that phishing cost US banks and credit card issuers $1.2 billion in damages in 2003 (InternetNews.com), and the Association of Payment Clearing Services in the UK reported that direct fraud losses from online phishing scams cost £12 million in 2004.
Early attempts
Originally, phishing for credit card details was not sophisticated. Emails tended to contain a link to a website that looked like a legitimate site, but in fact was not. Very often the website address was not a domain, but simply an IP address such as 162.122.19.2, and the e-mails were often very poorly written, with little attention to detail.
Towards late 2003, phishing took on a more sinister look and feel when individuals were phished for bank credentials that were subsequently used to obtain money or merchandise.
Clicking on the link directs the reader to a web page that closely resembles that of a legitimate institution, but is actually a fake. Once entered on this page, personal information is stored, allowing a hacker to recover the information later.
Getting smarter
To the trained eye it was still relatively straightforward to identify phishing websites. Consumers were told to check that the sites they visited showed the correct URL and displayed the padlock symbol in their browser’s status bar to ensure the security of a site.
However, phishers were again one step ahead. A feature of the Microsoft Internet Explorer technology allowed scripts to cover the URL bar and hide the legitimate URL of real banks. The same technique allowed them to display a false padlock in the status bar.
Consumer awareness continues to grow and the phishers have responded. More and more sophisticated techniques are deployed by both phishers and companies because there is so much at stake.
Phishers have even set up automated phone systems and included a telephone number rather than a link to a fake website in their phishing messages to attempt to steal credit card information.
Pharming: a new threat is born
A new twist in the online identity fraud battle is a technique known as pharming. There are two techniques used; the first involves the use of a virus or Trojan to modify the user’s hosts file. This simple text file is left over from the early days of the Internet, and is used to relate a domain name (URL) to a specific machine address (IP address). The pharming technique modifies this file to relate the web addresses of well-known banks and financial institutions with the IP address of a phishing site. There is no need to click on links in emails or other communications as typing the correct URL for the financial institution will redirect to the phishing site.
The second pharming technique is equally sinister and again relies on an obsolete piece of functionality, this time implemented in DNS. DNS replaced the local hosts file as the mechanism for resolving a web address to a specific IP address. Now when the user enters a web address, it is looked up on the DNS server; if the DNS server doesn’t know the corresponding IP address, it asks other DNS servers for the address and then gets the result. The problem is that part of the protocol allows extra information to be passed back as well. So the phisher sends an email that contains a link to the phishing website, and when the DNS lookup for that address is done, the response includes this extra information for the web address of the bank as well.
Conclusions
Phishing and pharming, along with their associated identity thefts, continue to grow at an alarming rate and are wreaking major havoc on the world’s economy, as well as individual financial standings.
Paul Gartside is Senior Quality & Assurance Director at McAfee Inc., whose solutions can prevent phishing attacks, block spam, detect Trojans and keyloggers, protect against pharming techniques and block phishing websites.