Post date: Nov 16, 2011 8:42:02 AM
Phishing attacks leverage two elements to achieve their goals: social engineering and subterfuge.
• Social Engineering: Attackers commonly use spoofed emails to lead recipients toward a call to action. Counterfeit websites may be designed to trick recipients into divulging information or, worse, to host drive-by downloads of malware. With the explosive growth of social networking sites, attackers have additional resources with which to concoct compelling and relevant phishing messages.
• Subterfuge: Subterfuge, the act of deception to achieve a particular goal, is a core tactic in phishing. While traditional phishing attacks may use social engineering to get recipients to divulge account names and credentials directly, there has been a trend toward schemes that install malware. This malware ranges from phishing-specific key-loggers, which contain tracking components that monitor specific actions (such as visits to the websites of financial institutions, retailers and other e-commerce merchants), to website redirection from legitimate to counterfeit sites. Even more malicious threats have surfaced, with backdoors being exploited to search for and extract sensitive data.
Together, these elements surface in messages masquerading as emails from government agencies, business partners, an internal IT department, or even company executives. To drive recipients to action, the messages may warn of an account suspension (financial services) or contain fake bills designed to prompt a user to investigate the supposed fraudulent activity (PayPal).
If the recipient divulges passwords to other online accounts, such as PayPal, eBay, or a financial institution, more traditional cyber theft may follow, with fraudulent transactions and purchases being made. If a recipient’s system and/or email credentials are compromised, the accounts are often used to launch additional phishing attacks – typically with even higher conversion rates, because a legitimate account and email system are being used.
By far, the largest threat is the possibility that malware is delivered into the corporate environment. Once inside the network, it becomes significantly easier to propagate across the network by “shoulder-surfing” until access to a desired host is gained and corporate and/or sensitive data are acquired.
These last two scenarios are particularly dangerous to organizations because it is no longer just the end user that becomes the victim of the phishing attack, but the enterprise is now truly at risk. An organization’s reputation can be harmed if it suddenly finds itself as a source of spam and phishing attacks. As a consequence, valid business email may be undeliverable. In some cases, compromised machines have been used to launch attacks into trusted partner organizations, with the intent of stealing sensitive data.
Figure 1. The Electronic Payments Association (NACHA) has long been used by spammers in phish emails to elicit financial information from individuals. However, interesting new variants of these attacks were seen in June, along with an increase in volume. The variants included links to malware as opposed to the classic phishing request for information. As shown in this example, the link appears to point to a PDF report while it actually points to an executable hosted on a compromised web site.
Figure 2. A highly varied attack used a purchase receipt as its phish attack vector. Highly varied attacks such as this one use many different subjects, URLs, etc. Most variations use some knowledge of the targeted victim and, even worse, contain a link to a compromised website that leads to a malware download.
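The lures in Figures 1 and 2 share a mechanically detectable trait: the visible link text promises a document or a trusted site while the href points at an executable or at a different host. The following Python, an added example that is not code from the post or from the whitepaper it links, pulls the anchors out of a constructed message body and flags each such mismatch; the extension lists, domain names and sample message are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed extension lists: targets that run code vs. text that promises a document.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Constructed sample message modelled on the Figure 1 lure (domains are placeholders).
SAMPLE_EMAIL = """<p>Your ACH transfer was rejected. Please review the report:</p>
<a href="http://compromised-host.example/report.exe">ACH_Rejection_Report.pdf</a>
<a href="http://compromised-host.example/login.php">https://payments-association.example/login</a>
<a href="https://payments-association.example/">Payments Association home page</a>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _ext(path):
    m = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return m.group(1).lower() if m else ""


def _displayed(text):
    """Interpret the anchor text as (host, path): a URL, a site path, or a bare label/filename."""
    if "://" in text or "/" in text:
        u = urlparse(text if "://" in text else "http://" + text)
        return u.netloc.lower(), u.path
    return "", text


def suspicious_links(html):
    """Return (href, text, reason) for each link whose visible text misrepresents its target."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = urlparse(href)
        shown_host, shown_path = _displayed(text)
        if _ext(target.path) in EXECUTABLE_EXT:
            findings.append((href, text, "target is an executable"))
        if _ext(shown_path) in DOCUMENT_EXT and _ext(target.path) not in DOCUMENT_EXT:
            findings.append((href, text, "text promises a document but target is not one"))
        if shown_host and shown_host != target.netloc.lower():
            findings.append((href, text, "displayed host differs from real host"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two anchors (the executable disguised as a PDF, and the spoofed site URL) and passes the third, whose text and target agree.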
Read More: http://docs.bankinfosecurity.com/files/whitepapers/pdf/524_WP_PP_Phising_Threat.pdf