Phishing Exposed

Paperback

Author: Lance James

ISBN-10: 159749030X

ISBN-13: 9781597490306

Category: Computer Crime

Phishing Exposed unveils the techniques phishers employ that enable them to successfully commit fraudulent acts against the global financial industry. Also highlights the motivation, psychology and legal aspects encircling this deceptive art of exploitation. The External Threat Assessment Team will outline innovative forensic techniques employed in order to unveil the identities of these organized individuals, and does not hesitate to remain candid about the legal complications that make...


Phishing is a form of fraud perpetrated on the Internet. In its most common form it involves stealing private information from individuals--SSN, bank account numbers, credit card numbers, passwords--and using this information to raid bank accounts and purchase goods. These activities are carried out by international phishing gangs which according to the author "are successfully stealing between 100,000 to 300,000 dollars per month". He then goes on to describe in detail the three classes of phishing: impersonation (e.g. a web site which looks exactly like one's bank, but isn't), forwarding (posing as a trusted source, e.g. eBay, and asking for an email reply containing private information), and popups (windows which popup adjacent to legitimate web sites). There follows detailed technical descriptions of how the Internet is "crawled" for valid email addresses and how phishers hijack browsers, steal cookies, and insert malicious browser code. These activities clearly represent a threat to the future of e-commerce, and the author offers many suggestions which can help hold this activity in check--now and in the future.

Annotation © 2006 Book News, Inc., Portland, OR

Phishing Exposed
By Lance James
Syngress
Copyright © 2005 Syngress Publishing, Inc.
All rights reserved.
ISBN: 978-0-08-048953-7

Chapter One

Banking On Phishing

Solutions in this chapter:

* Spam Classification
* Cyber-Crime Evolution
* What Is Phishing?
* Fraud, Forensics, and the Law
* Summary
* Solutions Fast Track
* Frequently Asked Questions

Introduction

During 2004, close to 2 million U.S. citizens had their checking accounts raided by cyber-criminals. With the average reported loss per incident estimated at $1200, total losses were close to $2 billion. The incidence of phishing e-mails—e-mails that attempt to steal a consumer's user name and password by imitating e-mail from a legitimate financial institution—has risen 4,000 percent over the past six months. The term phishing comes from the fact that cyber-attackers are fishing for data; the ph is derived from the sophisticated techniques they employ, to distinguish their activities from the more simplistic fishing.

Over the last few years, online banking, including online bill paying, has become very popular as more financial institutions begin to offer free online services. With the increase in online fraud and identity theft, financial crimes have changed from direct attacks to indirect attacks—in other words, rather than robbing a bank at gunpoint, the criminals target the bank's customers. This type of indirect attack significantly impacts the financial institutions themselves because their inability to adequately protect their customer assets tarnishes their reputations and overall trust.

Originally termed carding and carried out by carders, phishing e-mails are just another form of spam. Universally regarded as an intrusive side effect of our electronic age, spam continues to proliferate at an unbelievable rate each month.
According to antispam technology vendor Symantec (Symantec Internet Threat Report, Volume VII, March 2005), 63 percent of the 2.93 billion e-mails filtered by the company's Brightmail AntiSpam software were spam. In mid-July 2004, Brightmail AntiSpam filters blocked 9 million phishing attempts per week, increasing to over 33 million blocked messages per week in December 2004.

Postini, an antispam service provider that provides real-time, online spam statistics, reports that during a 24-hour period in March 2005, 10 out of 12 e-mails were officially classified as spam, and 1 out of 82 messages were infected with a virus.

Since we universally agree that spam is bad, you may ask why it is still one of the fastest-growing industries? The answer is, as long as 1 in 100,000 recipients actually responds to the "Click here" come-on in spammers' e-mails, spammers will find sufficient financial incentive to send out another 5 million spamming messages.

Litigation against spammers has been hampered by several factors: tracking the source, identifying the source, and interpreting international laws in attempts to prosecute. Many industry experts believe that the majority of the phishing and spam e-mails originate outside the United States. However, antivirus software provider Sophos has reported that 60 percent of the spam received by its SophosLabs worldwide spam research center in 2004 originated in the United States. According to SophosLabs, over 1200 new viruses were reported during the first two months of 2005—a significant increase over 2004 stats. The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 could be used to prosecute spammers, but over 60 percent of the spam sent from the United States was sent from computers infected with spam-relay Trojans and worms.
These evil tools allow spammers from anywhere in the world to relay their messages through thousands of infected systems without the owners even knowing about it.

Spam Classification

Through the use of classification techniques and forensic data gathering, we can identify specific spam groups. In some cases the identification can include a specific individual; in other cases, groups of e-mails can be positively linked to the same unspecified group. Forensic tools and techniques can allow the identification of group attributes, such as nationality, left- or right-handedness, operating system preferences, and operational habits.

The identification techniques described in this book were developed for spam in general. However, these methods have shown an exceptional ability to identify some subsets of spam, including phishing, the focus of this book.

Spam Organization

There are two key items for identifying individual spammers or specific spam groups: the bulk mailing tool and the spammer's operational habits. People who send spam generally send millions of e-mails at a time. To maintain the high volume of e-mail generation, spammers use bulk-mailing tools. These tools generate unique e-mail headers and e-mail attributes that can be used to distinguish e-mail generated by different mailing tools. Although some bulk-mailing tools do permit randomized header values, field ordering, and the like, the set of items that can be randomized and the random value set are still limited to specific data subsets.

More important than the mailing tool is the fact that spammers are people, and people act consistently (until they need to change). They will use the same tools, the same systems, and the same feature subsets in the same order every time they do their work.

Simplifying the identification process, most spammers appear to be cheap. Although there are commercial bulk-mailing tools, most are very expensive.
Spammers would rather create their own tools or pay someone to create a cheaper tool for them. Custom tools may have a limited distribution, but different users will use the tools differently. For example, Secure Science Corporation (SSC), a San Diego, California-based technology research company, has a unique forensic research tool that generates a unique header that is used in a unique way, which in many cases, makes it easy to sort and identify e-mails.

Figure 1.1 shows a subset of spam received by SSC.

This example shows that there are many different types of spam. Identification of an individual or group from this collection is very difficult. But there are things we can do to filter the spam. For example, a significant number of these spam messages have capital-letter hash busters located at the end of the subject line. So, we can sort the spam and look only at messages with capital-letter subject hash busters (Figure 1.2).

By sorting the spam based on specific features, we can detect some organization. We can further examine these e-mails and look for additional common attributes. For example, a significant number of spam messages have a Date with a time zone of -1700 (see Figure 1.3). On planet Earth, there is no time zone 1700, so this becomes a unique attribute that can be used to further organize the spam.

Based on the results of this minimal organization, we can identify specific attributes of this spammer:

* The hash buster is nearly always connected to the subject.
* The subject typically does not end with punctuation. However, if punctuation is included, it is usually an exclamation point.
* The file sizes are roughly the same number of lines (between 50 and 140 lines—short compared to most spam messages).
* Every one of the forged e-mail addresses claims to come from yahoo.com.
* Every one of the fake account names appears to be repetitive letters followed by a number.
In particular, the letters are predominantly from the left-hand side of the keyboard. This particular bulk-mailing tool requires the user to specify the fake account name. This can be done one of two ways: the user can either import a database of names or type them in by hand. In this case, the user is drumming his or her left hand on the keyboard (bcvbcv and cxzxca indicate finger drumming). With the right hand on the mouse, the user clicked the Enter key. Since the user's right hand is on the mouse, the user is very likely right-handed.

Although this spammer sends spam daily, he does take an occasional day off—for example, Thanksgiving, New Year's Eve, the Fourth of July, a few days after Christmas, and every Raiders home game. Even though this spammer always relays through open socks servers that could be located anywhere in the world, we know that the spammer is located in the United States. We can even identify the region as the Los Angeles basin, with annual travel in the spring to Chicago (for one to two months) and in the fall to Mexico City (for one to two weeks).

The main items that help in this identification are:

* Bulk-mailing tool identification: This does not necessarily mean identifying the specific tool; rather, this is the identification of unique mailing attributes found in the e-mail header.
* Feature subsets: Items such as hash busters (format and location), content attributes (spelling errors, grammar), and unique feature subsets from the bulk-mailing tool.
* Sending methods: Does the spammer use open relays or compromised hosts? Is there a specific time of day that the sender prefers?

The result from this classification is a profile of the spammer and/or his spamming group.

Classification Techniques

After we identify and profile individual spam groups, we can discern their intended purpose.
To date, there are eight specific top-level spam classifications, including these four:

* Unsolicited commercial e-mail (UCE): This type is generated by a true company trying to contact existing or potential customers. True UCE is extremely rare, accounting for less than one-tenth of 1 percent of all spam. (If all UCE were to vanish today, nobody would notice.)
* Nonresponsive commercial e-mail (NCE): NCE is sent by a true company that continues to contact a user after being told to stop. The key differences between UCE and NCE are (1) the user initiated contact and (2) the user later opted out from future communication. Even though the user opted out, the NCE mailer will continue to contact the user. NCE is only a problem to people who subscribe to many services, purchase items online, or initiate contact with the NCE company.
* List makers: These are spam groups that make money by harvesting e-mail addresses and then use the list for profit, such as selling the list to other spammers or marketing agencies.
* Scams: Scams constitute the majority of spam. The goal of the scam is to acquire valuable assets through misrepresentation. Subsets under scams include 419 ("Nigerian-style" scams), malware, and phishing.

Phishing

Phishing is a subset of the scam category. Phishers represent themselves as respected companies (the target) to acquire customer accounts, information, or access privileges. Through the classification techniques just described, we can identify specific phishing groups.
The key items for identification include:

* Bulk-mailing tool identification and features
* Mailing habits, including, but not limited to, their specific patterns and schedules
* Types of systems used for sending the spam (e-mail origination host)
* Types of systems used for hosting the phishing server
* Layout of the hostile phishing server, including the use of HTML, JS, PHP, and other scripts

To date, according to SSC, there are an estimated four dozen phishing groups worldwide, with more than half the groups targeting customers in the United States. The remainder of this book demonstrates techniques to help you better understand and track phishers and to help enable a solid line of defense against these cyber-criminals, which most view as an overwhelming offense. The book begins with a general overview and then moves into very specific, in-depth views from both sides of the fence, the good and the bad.

Cyber-Crime Evolution

Chances are high that you have received a phish in your e-mail within the last few months or even the last week. By the time this book is published and into your hands, the operations that involve phishing scams will have accelerated due to aggressive malware propagation (trojans, viruses), automated botnets, and the overall infrastructure that has been established by these cyber-scammers.

So let's step back for a moment. Our world has changed significantly since I was a kid. Just 10 years ago, the sophistication of hackers and the tools available to them were somewhat limited from both the national and international security perspective. Yes, there was cyber-crime, no denying that, but not at the audacious level we are experiencing today. Breaking into computer systems was motivated by the need for exploration, information, and education.
That was the world of the late-night, for-fun hackers, which are now but a memory (who would have thought we would be nostalgic for them one day!).

(Continues...)

Excerpted from Phishing Exposed by Lance James. Copyright © 2005 by Syngress Publishing, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
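
The header sorting described under "Spam Organization" in the excerpt, as an added example that is not from the book: it extracts the attributes the excerpt lists (a capital-letter hash buster attached to the end of the subject, an impossible Date zone such as -1700, the forged sender domain, and a left-hand "drummed" account name followed by a number) and groups messages that share them. The sample headers are constructed, and the function names, the regular expressions and the QWERTY left-hand letter set are assumptions made for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

LEFT_HAND = set("qwertasdfgzxcvb")  # QWERTY left-hand letters (assumption)

# Constructed sample headers, not real mail.
SAMPLES = [
    "From: bcvbcv12@yahoo.com\nSubject: Lower your rates todayQKZPWLM\n"
    "Date: Tue, 23 Nov 2004 09:14:02 -1700\n\nbody",
    "From: cxzxca7@yahoo.com\nSubject: You are approved!HGTRWQX\n"
    "Date: Wed, 24 Nov 2004 10:02:41 -1700\n\nbody",
    "From: alice@example.org\nSubject: Meeting notes\n"
    "Date: Wed, 24 Nov 2004 10:05:00 -0800\n\nbody",
    "From: sales99@example.net\nSubject: CHEAP WATCHES\n"
    "Date: Thu, 25 Nov 2004 03:00:00 +0900\n\nbody",
]

def features(raw):
    """Return the header attributes the excerpt uses to sort spam."""
    msg = message_from_string(raw)
    local, _, domain = parseaddr(msg.get("From", ""))[1].partition("@")
    # Hash buster heuristic: a run of capitals glued to the end of the subject.
    subject = msg.get("Subject", "")
    hash_buster = bool(re.search(r"(?<=[a-z!?.])[A-Z]{4,}\s*$", subject))
    # The zone is +/-hhmm; real UTC offsets lie between -1200 and +1400.
    tz = re.search(r"([+-])(\d{2})(\d{2})\s*$", msg.get("Date", ""))
    bad_tz = True  # a missing or unparseable zone also counts as anomalous
    if tz:
        minutes = int(tz.group(2)) * 60 + int(tz.group(3))
        minutes = -minutes if tz.group(1) == "-" else minutes
        bad_tz = int(tz.group(3)) > 59 or not -720 <= minutes <= 840
    # Fake account name: only left-hand letters, followed by a number.
    m = re.fullmatch(r"([a-z]+)\d+", local.lower())
    drummed = bool(m) and set(m.group(1)) <= LEFT_HAND
    return (hash_buster, bad_tz, domain.lower(), drummed)

def cluster(raw_messages):
    """Group message indexes by identical feature tuple."""
    groups = defaultdict(list)
    for i, raw in enumerate(raw_messages):
        groups[features(raw)].append(i)
    return dict(groups)

if __name__ == "__main__":
    for key, members in cluster(SAMPLES).items():
        print(key, members)
```

Messages that land in the same group share one tool-and-habit fingerprint; on real mail the tuple would be widened with the other attributes the excerpt names, such as message length in lines and sending time.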

Chapter 1. Banking On Phishing
Chapter 2. Go Phish!
Chapter 3. E-Mail: The Weapon of Mass Delivery
Chapter 4. Crossing the Phishing Line
Chapter 5. The Dark Side of the Web
Chapter 6. Malware, Money Movers, and Ma Bell Mayhem!
Chapter 7. So Long, and Thanks for All the Phish!