
Phishing

•Definition (APWG): a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials
–Social engineering:
•Spoofed emails
•Counterfeit websites
•Trick users into giving credentials
–Technical subterfuge
•Install software that steals credentials directly (keyloggers, Trojans)
•Redirect the user's web navigation, e.g. by tampering with DNS or the hosts file
–Either to a counterfeit website
–Or to a proxy in front of the real site (man in the middle)
Numbers (Q1 – 2010)
•85.2% of all email is spam
–Sources
•USA – 16%
•India – 7%
•Russia – 6%
•0.68% of all email has malicious content
•0.57% of all email has a link to a phishing site
–Targets
•Germany – 11.6%
•Great Britain – 10.2%
•Japan – 7.7%
•Taiwan – 7.1%
•USA – 6.9%
•67.34% of phishing-related websites are hosted in the USA
Numbers (Q1 – 2010)
•Number of:
–Unique phishing emails – 30,577
–Unique phishing websites – 29,879
–Brands hijacked – 298
•Industries targeted
–Payment services (e.g. PayPal) – 35.9%
–Financial (e.g. Chase) – 37%
–Gaming, social networks, online classifieds – 17.9%
–Auction sites – 8.3%
Phishing Steps
•1) Get an email list
–Google “email lists for sale”
•2) Develop the attack
–Create the email
•Use logos, convincing language, urgency
–Create the website
•Use look and feel of original website
•Ask for user id/password
•Ask for credit card/SSN numbers
Phishing Steps
•3) Locate sites to host your website
–Use many sites
–Register a domain name that looks very similar to the original
•Chase.org, paypal.us.com, etc.
•Citibahk.com with a valid SSL certificate (the certificate only proves the site owns that misspelt name; the padlock does not vouch for the brand)
•Paypal.com with a Cyrillic 'a' (a homograph: it displays identically but is a different domain)
–Median uptime of a phishing site: 13 hours 42 minutes
•4) Locate an email sender
–Google 'email sender'
–Usually a botnet: many infected computers that send the emails on instructions from a "command and control" computer
•Most phishers use their own botnet
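The three look-alike tricks on this slide (a different TLD or a brand name buried inside someone else's domain, a one-letter misspelling, and a Cyrillic homoglyph) can all be checked mechanically before a user ever sees the link. The following is an added example, not code from the slides or from any vendor named in the deck; the brand list, the partial homoglyph table and the sample hostnames are assumptions for the demo, and the registrable-domain helper is deliberately naive (last two labels) where a real tool would consult the Public Suffix List.

```python
"""Flag hostnames that imitate a brand's domain (added example, see lead-in)."""

# Legitimate domains to protect (assumed for the example).
BRANDS = ["paypal.com", "chase.com", "citibank.com"]

# Cyrillic letters whose glyphs look like Latin ones (partial table, assumed).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def to_unicode(host: str) -> str:
    """Decode an IDNA (xn--...) hostname to Unicode; pass Unicode input through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (real code: Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(host: str) -> list:
    """Return (trick, imitated brand) pairs; an empty list means nothing was flagged."""
    uni = to_unicode(host).lower().rstrip(".")
    if registrable(uni) in BRANDS:
        return []  # the genuine domain, or a subdomain of it

    # Homoglyph: fold look-alike letters to Latin and see whether a brand appears.
    folded = "".join(HOMOGLYPHS.get(c, c) for c in uni)
    if folded != uni and registrable(folded) in BRANDS:
        return [("homoglyph", registrable(folded))]

    findings = []
    labels = uni.split(".")
    reg_label, tld = (registrable(uni).split(".") + [""])[:2]
    for brand in BRANDS:
        brand_label, brand_tld = brand.split(".")
        if brand_label in labels[:-2]:
            # "paypal.us.com": the brand is only a subdomain of someone else's domain
            findings.append(("brand-as-subdomain", brand))
        elif reg_label == brand_label and tld != brand_tld:
            # "chase.org": right name, wrong TLD
            findings.append(("different-tld", brand))
        elif reg_label != brand_label and levenshtein(reg_label, brand_label) <= 2:
            # "citibahk.com": a typo-squat; a valid certificate for it proves nothing
            findings.append(("typo-squat", brand))
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames, one per trick on the slide (the last one is
    # the Cyrillic-a PayPal in its punycode form, xn--pypal-4ve.com).
    for h in ["www.paypal.com", "chase.org", "paypal.us.com", "citibahk.com",
              "p\u0430ypal.com", "p\u0430ypal.com".encode("idna").decode("ascii")]:
        print(h, "->", analyze(h))
```

The order of the checks matters: the homoglyph fold runs first, otherwise the Cyrillic name would also be reported as a one-character typo-squat of paypal.com, which hides the more important finding.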
Phishing Steps
•5) Launch the attack
–Maybe use "Fast Flux": the phishing site's DNS name is re-pointed every few minutes (short TTL) at a different infected machine, so there is no single IP address to block
–Image from Andrew Klein – Sonic Wall
[Figure: three columns, "Sending Machines" (infected hosts, identified by IP address), "Receivers" (victims, by first name) and "Phish Web Sites" (again infected hosts by IP address); each sending machine fans out to many receivers and the links lead to the rotating set of hosting machines]
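Fast flux shows up in DNS as a short TTL together with an answer set that keeps changing across unrelated networks. Below is an added example, not from the slides or from Sonic Wall, of a heuristic over a constructed series of DNS lookups; the domain names, the addresses (documentation ranges), the TTLs and the thresholds are assumptions chosen for the demo, and a production detector would compare against ASN data and a list of CDNs, which legitimately use short TTLs too.

```python
"""Fast-flux heuristic over observed DNS answers (added example, see lead-in)."""
from ipaddress import ip_address

# Constructed observations: (seconds since start, domain, TTL, A records).
# The first domain rotates through unrelated networks; the second is stable.
OBSERVATIONS = [
    (0,   "login-verify-chase.example", 30, ["192.0.2.10", "198.51.100.7", "203.0.113.22"]),
    (60,  "login-verify-chase.example", 30, ["192.0.2.44", "198.51.100.9", "203.0.113.5"]),
    (120, "login-verify-chase.example", 30, ["192.0.2.10", "198.51.100.80", "203.0.113.91"]),
    (0,   "www.chase.example", 300, ["192.0.2.200", "192.0.2.201"]),
    (60,  "www.chase.example", 300, ["192.0.2.200", "192.0.2.201"]),
    (120, "www.chase.example", 300, ["192.0.2.201", "192.0.2.200"]),
]


def flux_features(observations, domain):
    """Summarise how the answer set for `domain` behaves over successive lookups."""
    lookups = sorted(((t, ttl, frozenset(ips)) for t, d, ttl, ips in observations
                      if d == domain), key=lambda x: x[0])
    all_ips = set().union(*(s for _, _, s in lookups))
    # how often the answer set differs from the previous lookup
    changes = sum(1 for (_, _, a), (_, _, b) in zip(lookups, lookups[1:]) if a != b)
    return {
        "lookups": len(lookups),
        "unique_ips": len(all_ips),
        # /16 prefixes as a cheap stand-in for "different networks"
        "unique_16s": len({int(ip_address(ip)) >> 16 for ip in all_ips}),
        "min_ttl": min((ttl for _, ttl, _ in lookups), default=None),
        "churn": changes / max(len(lookups) - 1, 1),
    }


def is_fast_flux(f, max_ttl=300, min_ips=5, min_networks=3, min_churn=0.5):
    """Flag only when the TTL is short AND the addresses are many, spread out and changing."""
    return (f["lookups"] >= 2 and f["min_ttl"] is not None and f["min_ttl"] <= max_ttl
            and f["unique_ips"] >= min_ips and f["unique_16s"] >= min_networks
            and f["churn"] >= min_churn)


if __name__ == "__main__":
    for d in ("login-verify-chase.example", "www.chase.example"):
        feats = flux_features(OBSERVATIONS, d)
        print(d, feats, "FAST FLUX" if is_fast_flux(feats) else "ok")
```

No single feature is decisive: a short TTL alone matches every large CDN, and many addresses alone match any load-balanced site, which is why the rule requires all of them at once.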
Phishing Steps
•6)Collect
–Example:
•2,000,000 emails sent
•5% reach a real end user – 100,000
•5% of those click on the link – 5,000
•2% of those enter data into the site – 100
•Average of $1,200 per incident, or $120,000 in total
•Not bad for about 14 hours (the median site uptime)!
Phishing Gangs
•David Levi – UK
–6 people
–$360,000 from 160 people
–Arrested in 2006
•USA and Egypt Gang
–100 people
–Egypt created websites and emails
–US side laundered the money
•Romanian Gang
–70 people
–$1,000,000 transferred from bank accounts to Western Union
–Arrested May 2010
Phishing Gangs
•Largest current gang is Avalanche
–2/3 of all phishing comes from this gang
–4,272 attacks in the first quarter of 2010
–1,624 domains are theirs
–Their conventional email phishing has dropped sharply; they have switched to phishing emails that deliver malware instead
Phishing Gangs Infrastructure
•Not just an individual
–Creative department
•Create email, website
•Come up with DNS names
–Admin department
•Payroll
•Office space rent
•President, etc.
–Money launderer (mule)
Money Laundering (the Mule)
•Mules open accounts at the banks that are about to be attacked.
–Use the stolen login to transfer money from the victim's account to the new one.
–Cash out.
–Close the account.
•"Make money at home"
–Dad has money sent to his bank account
–Dad then wires the money to another bank
–Dad keeps 10%
–Small amounts are transacted, ~$3–5K per transfer
Money Laundering (the Mule)
•“Financial Operations Manager” job
•“Help young cancer patient transfer funds”
•“African finance minister”
•…
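The pattern on these two slides (a recently opened account that receives a deposit of a few thousand dollars and wires most of it on within days, keeping about 10%) is what "monitor new customers" later in the deck means in practice. The following is an added example, not from the slides: a screening rule run over constructed account and transaction records; the account names, dates, amounts and thresholds are assumptions for the demo, and a real bank would tune them against its own data.

```python
"""Screen new accounts for mule-style pass-through (added example, see lead-in)."""
from datetime import date, timedelta

# Constructed data: when each account was opened ...
OPENED = {
    "A1": date(2010, 3, 20),   # brand-new account
    "A2": date(2004, 6, 1),    # long-standing customer
    "A3": date(2010, 3, 25),   # new, but nothing leaves the account
}
# ... and transactions as (account, day, amount, kind); amount > 0 is a credit.
TXNS = [
    ("A1", date(2010, 4, 1), 4000.0, "transfer_in"),
    ("A1", date(2010, 4, 3), -3600.0, "wire_out"),
    ("A2", date(2010, 4, 1), 4200.0, "payroll"),
    ("A2", date(2010, 4, 5), -1300.0, "card"),
    ("A3", date(2010, 4, 2), 4500.0, "transfer_in"),
]

# Outbound kinds that move cash out of reach quickly (wire, Western Union style).
OUTBOUND_KINDS = {"wire_out", "money_transfer_out"}


def mule_candidates(opened, txns, today, new_days=45, lo=3000, hi=5000,
                    window=7, passthrough=0.8):
    """Return (account, credit_day, received, forwarded, retained_pct) for suspects.

    A suspect is a recently opened account that receives a credit in the typical
    mule range and forwards at least `passthrough` of it within `window` days.
    """
    hits = []
    for acct, opened_on in opened.items():
        if (today - opened_on).days > new_days:
            continue  # only recently opened accounts are screened here
        mine = [t for t in txns if t[0] == acct]
        for _, day, amount, _kind in mine:
            if not (lo <= amount <= hi):
                continue  # look at credits in the typical mule range only
            forwarded = -sum(a for _, d, a, k in mine
                             if k in OUTBOUND_KINDS and a < 0
                             and day <= d <= day + timedelta(days=window))
            if forwarded >= passthrough * amount:
                retained = round(100 * (amount - forwarded) / amount, 1)
                hits.append((acct, day, amount, forwarded, retained))
    return hits


if __name__ == "__main__":
    for hit in mule_candidates(OPENED, TXNS, today=date(2010, 4, 10)):
        print("possible mule:", hit)
```

The rule is intentionally conservative: A3 received a deposit in range but has not forwarded anything yet, so it is not flagged; the check has to be re-run as new transactions arrive.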
Phishing Ecosystem
[Figure: a Construct → Launch → Collect pipeline fed by the malware community; image from Andrew Klein – Sonic Wall]
–Construct: email list, email and web site, phishing kit
–Launch: sending machines, hosting sites
–Collect: account info, credit info, identity info, logins and passwords
–The $: the phisher turns the phished information into cash
–The malware community supplies the tools of the trade: DHA (directory harvest attacks, to find valid addresses), site crawlers, templates, Sitecopy and wget (to clone the real site), botnets, Trojans, worms, spyware, keyloggers, hacks and attacks, "real" domain names, harvested information


Protect your company
•If your company sends emails to its customers, they are more exposed: a phish is harder to tell apart from your genuine mail
•If you must send emails
–Put information in the email that a phisher would not have
•Last 4 digits of the card number
•The customer's name
•"Account ending in…"
•Address
–Provide non-email ways to verify
–Use your standard company domain names
•Do not use chase.offer.com, etc.
–Avoid web page links
Protect your company
•Educate your clients
–Tell them how you will communicate
–What to look for in an email
•Monitor new customers (they might be mules)
•Report phishing to authorities
Protect yourself
•If you get an email, DO NOT click on the link; type or copy-and-paste the real site's address into your browser yourself
•Is this someone I do business with?
•Was I expecting this email?
•Be wary of attachments.
•Keep your anti-virus software up to date!
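"Do not click the link" is good advice because in an HTML email the text you read and the address the link actually opens are independent. As an added example, not from the slides, here is a check that parses a constructed phishing email and reports links whose visible host differs from the real target, links that point at a bare IP address, and links that hide the real host behind a user@ prefix; the email body and its hostnames are constructed, and the registrable-domain helper is the naive last-two-labels version.

```python
"""Compare what a link says with where it goes (added example, see lead-in)."""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed phishing email body; no real domains.
SAMPLE_EMAIL = """
<p>Dear customer, your account ending in 1234 will be locked in 24 hours.</p>
<p><a href="http://chase.offer.example/login">https://www.chase.example/login</a></p>
<p><a href="http://198.51.100.7/verify">Verify now</a></p>
<p><a href="http://www.chase.example@evil.example/">www.chase.example</a></p>
<p><a href="https://www.chase.example/help">Help center</a></p>
"""

MISMATCH = "visible host differs from link target"
IP_HOST = "link target is a bare IP address"
USERINFO = "user@ prefix hides the real host"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain: the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_in_text(text):
    """The hostname a reader would see in the link text, if it looks like a URL."""
    if "://" in text:
        return urlsplit(text).hostname
    if re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?", text):
        return text.split("/")[0].lower()
    return None


def inspect_links(html):
    """Return [(href, [reasons])] for the links a reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        parts = urlsplit(href)
        target = parts.hostname
        if not target:
            continue
        reasons = []
        if "@" in parts.netloc:
            reasons.append(USERINFO)  # browser goes to what follows the '@'
        try:
            ip_address(target)
            reasons.append(IP_HOST)  # a bank does not send you to a raw address
        except ValueError:
            pass
        shown = host_in_text(text)
        if shown and registrable(shown) != registrable(target):
            reasons.append(MISMATCH)
        if reasons:
            suspicious.append((href, reasons))
    return suspicious


if __name__ == "__main__":
    for href, reasons in inspect_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Note that the fourth link is not reported: nothing here says it is safe, only that it shows none of these three tricks, so it would still need the look-alike-domain check from the hosting step.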
Resources
•APWG – Anti-Phishing Working Group
•Kaspersky Lab
•www.securelist.com
•Andrew Klein – Sonic Wall, from the Secure IT conference in 2006
