Monthly Report: November 2004

Introduction
Basics of phishing technique
Theme and variations
Who falls for the scam?
Some other telling statistics
So who picks up the bill?
From crude con to sophisticated scam
Virus wars
The brand profile
More recent developments
The money-laundering scam
The managed solution to email security
About MessageLabs
About MessageLabs Intelligence


Introduction

In November, MessageLabs scanned over 80 million emails per day on behalf of its clients.

We scanned more than 1.75 billion emails worldwide for spam, of which over 1.29 billion or 73.77% (1 in 1.36) were stopped as spam (498 per second).

During the same period, we also scanned 2.11 billion emails for viruses, Trojans and other malicious content. More than 62.91 million or 2.98% (or 1 in 33.54) were intercepted (24 per second).

Basics of phishing technique

Phishing is all about online identity theft. In essence it is an attempt by malicious fraudsters to gull innocent Internet users into revealing personal and security details. Once the swindlers have this information, it’s a simple matter for them to access a victim’s online business dealings and make free with their assets.

This time last year few people had even heard of phishing. Yet over a remarkably short time the phishing phenomenon has established itself as one of the most prevalent email security threats. In the month of September 2003, MessageLabs encountered just 279 phishing emails. By June this year, that monthly figure had escalated to 264,354 and by November, this figure had risen further, averaging over 100,000 phishing emails each day, targeting between 80 and 100 fraudulent websites daily.


As we shall see, what began as a somewhat crude con has continued to evolve into an ever more sophisticated scam, as the world has become more conscious of Internet trickery. These days the perpetrators are having to use more cunning techniques to conceal their malicious intent.

The fraudsters - widely acknowledged mainly to be organised crime syndicates - set about achieving their objectives by first creating counterfeit copies of genuine web sites. They will typically hijack well-known brands in the banking and financial services sector, though other commercial organisations such as ISPs and retailers are also favoured targets.

Using mass-distribution techniques already well developed by senders of unsolicited spam email, they then send out hundreds of thousands of spurious emails purporting to come from that particular bank or commercial organisation. Emails are sent randomly, in the hope that a significant proportion will reach customers of the target brand.

In a financial services example, the email will typically state that some irregularity has been spotted on the recipient’s bank account, usually something fairly alarming such as suspected fraud. It will then instruct the customer to click on the link provided (which looks at a glance to be perfectly genuine) and enter the relevant web site in order to resolve the matter.

Up pops what looks like the customer’s familiar bank web site, as expected - except that this is actually a replica of the real thing. Here the unsuspecting customer, anxious to resolve what looks like a serious problem, can relatively easily be persuaded to key in all manner of personal security details such as credit card numbers, PINs, account names, passwords and social security numbers.

Theme and variations

Another approach is that a customer receives an email thanking him or her for ‘ordering’ some product and that their credit card has been charged accordingly, usually some significant amount of money. The recipient is asked to click on the link in order to verify - or cancel - the order, which takes them to what appears to be a perfectly genuine web site belonging to a major brand name.

Anxious to establish that they have not, in fact, ordered any goods, customers can again be easily gulled by what appears to be a perfectly genuine web site to enter card numbers and other security details.

Similarly, some ISPs’ web sites have been fraudulently copied, followed by a rash of emails encouraging recipients to log on and ‘verify’ their personal details on some pretext. Again identity theft is the motive, providing the swindlers with key information that can be used to steal assets.

Who falls for the scam?

You might think that these types of attack have been so widely publicised that victims would be too few to warrant the cost and effort of setting up fraudulent web sites.

However, the Anti-Phishing Working Group (APWG), an industry association dedicated to eliminating identity theft and fraud, has data suggesting that the phishers are achieving a hit rate of around five per cent.

Given that spamming techniques enable thousands of unsolicited emails to be transmitted concurrently, a five per cent response can obviously amount to a significant opportunity for the criminals.

Certainly, since increasingly sophisticated subterfuge techniques are now being used by the phishers, fraudulent emails are becoming less easy to spot, and this must be helping to sustain success rates for the fraudsters.

Some other telling statistics

In October 2004, APWG identified 1,142 of these fraudulent phishing sites operating on the Internet, representing an alarming 25 per cent increase in numbers over three months.

In the same month, 6,597 new phishing email messages were reported to APWG (and of course, those are only the reported instances). This was more than three times the number recorded as having been received in August.

Naturally, as soon as a site is shown to be fraudulent, it can be shut down by law enforcement agencies. Nevertheless, APWG suggests that the average active life for a phishing site is 6.4 days, with the longest being as long as 31 days.

So who picks up the bill?

Until recently, the victims of phishing scams in virtually all cases have been the banks, because they compensate customers who have been defrauded. The Times newspaper in the UK estimates that the banks, unable to insure against phishing fraud, paid out a total of £4.5 million in the first half of this year.

Furthermore, an estimated $11.7 billion was lost to consumer fraud in the United States during the year ending April 2004, according to analyst firm Gartner. However, several high street banks are now saying that they will reserve the right to review policy. This is likely to result in the banks placing more responsibility on the customer to apply proper security provision, though little has yet been said about how proof of negligence, and definitions of negligence, can be applied.

From crude con to sophisticated scam

Initially the phishing scam was a pretty blunt instrument. A stumbling command of English, erroneous spelling or illiterate construction would often betray the initial email as unlikely to have come from a bank or other business.

Many phishing operations appear to originate in Eastern Europe, which could explain why language was a problem for the fraudsters at the outset. Now, however, these operations are getting slicker and the use of language now tends to emulate more realistically that of a bank or commercial organisation.

Another initial problem for the phishers was making URLs or links for bogus web sites look like the real thing. They got round the problem by inserting concealed characters in the URL so that it looked genuine, but in fact pointed to the fraudulent site. However, these manipulated URLs were easily blocked as soon as they were exposed as bogus.

More recently a new technique has appeared. The counterfeiters overlay the fraudulent address bar with an image showing the true web address of the target organisation. The user believes he is clicking a genuine URL, while in reality it is the link concealed beneath the image that is being activated.

A similar technique is also being employed to simulate the padlock symbol on bogus web sites. The padlock is understood by Internet users the world over to guarantee that the site is secure - so the counterfeit padlock image makes it extremely difficult to differentiate between a rogue site and the real thing without resorting to a check of the properties for the web page itself.
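The deceptions described above (credentials inserted before an '@' so the visible text shows the bank's name while the browser connects elsewhere, concealed characters that truncate what the user sees, and raw IP addresses standing in for a brand) all come down to one question: which host does the link really reach, and does it belong to the brand the link names? The following link inspector is an added example written for this page, not code from MessageLabs or from the report; the brand table, the `.example` domains and the sample URLs are constructed placeholders, and the registrable-domain helper is a deliberately crude approximation.

```python
"""Defensive link inspection: does a URL's real destination match the brand it names?

Added example, not part of the MessageLabs report. EXPECTED_DOMAINS is a
constructed table of placeholder brands and the domains they legitimately use.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed mapping: brand keyword -> registrable domain that brand really uses.
EXPECTED_DOMAINS = {
    "examplebank": "examplebank.example",
    "exampleisp": "exampleisp.example",
}


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Sufficient for this demonstration; a production check would consult
    the Public Suffix List instead.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url: str) -> list:
    """Return the reasons a link looks like a spoof; an empty list means clean."""
    reasons = []

    # Concealed control characters (used to truncate what the user sees)
    # are stripped so they cannot hide the structure of the URL from us.
    cleaned = "".join(ch for ch in url if ch.isprintable())
    if cleaned != url:
        reasons.append("non-printable characters embedded in URL")

    parts = urlsplit(cleaned)
    host = (parts.hostname or "").lower()

    # urlsplit() treats everything before '@' as credentials, not the host:
    # 'http://www.examplebank.example@203.0.113.5/' connects to 203.0.113.5.
    if parts.username is not None:
        reasons.append(
            f"text before '@' ({parts.username}) is credentials; real host is {host}"
        )

    if is_ip_literal(host):
        reasons.append(f"destination is a raw IP address: {host}")

    # If the link mentions a brand we know, its real domain must be that brand's.
    lowered = cleaned.lower()
    for brand, domain in EXPECTED_DOMAINS.items():
        if brand in lowered and registrable_domain(host) != domain:
            reasons.append(
                f"mentions '{brand}' but real domain is '{registrable_domain(host)}'"
            )
    return reasons


if __name__ == "__main__":
    # Constructed sample links, one genuine and three of the spoof shapes above.
    samples = [
        "https://www.examplebank.example/login",
        "http://www.examplebank.example@203.0.113.5/login",
        "http://examplebank.example.evil-host.example/secure",
        "http://www.examplebank.example\x01@203.0.113.5/",
    ]
    for link in samples:
        verdict = inspect_link(link)
        print(repr(link), "->", "clean" if not verdict else "; ".join(verdict))
```

The check deliberately works on the link as delivered in the email rather than on what a browser displays: the overlaid address-bar image and the counterfeit padlock mentioned above only fool the eye, whereas the parsed host is what the connection actually goes to.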

The hosting of phishing sites has also been evolving as the tricksters’ use of technology becomes more sophisticated. The Anti-Phishing Working Group’s latest intelligence gathering shows that the number of bogus sites being hosted on what appear to be compromised broadband PCs has risen to more than 50 per cent. (For a thorough discussion of how zombie PCs and ‘botnets’ are created and exploited, please read the MessageLabs Intelligence October report.)

With networks of zombie PCs in place, the fraudsters have much greater computing power available to them. They can launch a phishing attack over a distributed network of zombie PCs that are hosting identical bogus sites. Each email they send out may be pointing to a different site - a thousand pointing to this one, another thousand pointing to that one, and so on. So if one site gets rumbled and taken off-line, they have fault tolerance built in.

The APWG also reports seeing multiple brands being spoofed from the same compromised PC over a few days. For example, the machine will be hosting a bogus eBay site one day, a Paypal site the next and a Citibank look-alike the day after that.

Virus wars

Control of zombie networks has evidently become the focus of power struggles between rival crime syndicates. During the early summer, a war was raging between rival viruses, Netsky and Bagle, each designed to disable the other. The battle was palpably about who held control of zombie botnets.

The value of these networks of compromised PCs, usually broadband-connected, always-on machines, lies in the cash value of renting them out: to spammers, to extortionists wishing to launch denial-of-service attacks on commercial organisations, or as hosting proxies for all manner of criminal web sites.

The brand profile

The APWG says 117 different high-profile brands are known to have been hijacked by phishers since November 2003. These include Citibank, HSBC, eBay, Visa, Natwest, ANZ and Westpac.

The financial services sector is the most commonly targeted - 73 per cent in October - with the ISPs coming in second at 14 per cent and the retail and miscellaneous sectors accounting for the remainder.

Around 29 per cent of phishing sites have been hosted in the USA, though China, Korea and Russia are coming up fast behind. China is a particular growth area for phishing sites, since many Chinese ISPs are small operations that are only too pleased to host web sites from the west, pretty much regardless of content.

China’s lack of Internet fraud legislation is one cause for concern; another is that the language barrier and time-zone differences are hampering efforts to shut down phishing sites in China, where ISP operators often speak no English.

However, the Chinese government is known to be anxious to cooperate with international Internet security initiatives and changes are expected that will redress China’s growing reputation as a haven for dodgy web operators.

To be fair to the ISPs, it’s not always easy for them to know what is passing over their networks. Typically, whoever owns the site will set up their own server farm and firewall it off from the ISP, so its encrypted traffic becomes invisible or unintelligible to the ISP.

The fact that the USA is the prime territory for phishing sites may be explained, in part at least, by the fact that it has the highest number of broadband PC connections in the world. The increase in the exploitation of zombie PCs, deliberately compromised with Trojans by the fraudsters in advance, is consistent with this statistic.

More recent developments

Until now most phishing scams have required victims to click on the URL within the initial email and then to enter personal information into the fraudulent web site.

However, as Internet users become more aware of the phishing hazard, they are increasingly reluctant to click on a link provided in an email; rather they will go to their web browser and type in the URL, or maybe pull it in from their bookmarks.

MessageLabs has recently intercepted a number of phishing emails, targeting several Brazilian banks. These demonstrate a sinister new technique, designed to plant malware surreptitiously on users’ PCs. When the spam email is opened, it silently runs a script that rewrites the “hosts” file of the target machine. In effect, this replaces the genuine address for the target organisation with the bogus one, without even querying its DNS record.

So the next time the user attempts to access online banking, they are automatically redirected to a fraudulent web site where their log-in details can be stolen.

Planting bogus IP addresses in the hosts file, which the operating system consults before making any DNS query and which therefore overrides DNS, is a technique that has been exploited by virus writers in the past. The objective there is usually to fool the PC user into thinking he has updated his anti-virus signatures, when in fact he has been redirected unknowingly to a spoof address. The Brazilian example, however, was the first evidence of the technique being used in phishing, though it does not appear to have been developed any further.
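Because the hosts file is read before any DNS query, the hijack described above leaves a tell-tale record on the machine itself: a bank's hostname pinned to a routable address in a file that should normally contain only loopback entries. The audit below is an added example written for this page, not code from MessageLabs or from the report; the watched hostnames, the sample hosts-file contents and the addresses in it are constructed for illustration.

```python
"""Audit hosts-file contents for entries that hijack watched hostnames.

Added example, not part of the MessageLabs report. The sample file text and
the WATCHED_HOSTNAMES set are constructed; the .example names are placeholders.
"""
import ipaddress

# Constructed watchlist: hostnames that should never be pinned in a hosts file.
WATCHED_HOSTNAMES = {"www.examplebank.example", "online.exampleisp.example"}

# Constructed sample of what a rewritten hosts file might look like.
SAMPLE_HOSTS_FILE = """\
# standard header comment
127.0.0.1       localhost
::1             localhost
# lines below were appended by the dropped script
203.0.113.45    www.examplebank.example
203.0.113.45    online.exampleisp.example  # same bogus host for a second brand
0.0.0.0         ads.example   # an ad-blocking sinkhole entry, harmless
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments.

    A hosts line is an address followed by one or more names; '#' starts a
    comment that may also trail a real entry.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_benign_address(ip: str) -> bool:
    """Loopback and unspecified addresses are normal hosts-file content
    (localhost entries and blocklist sinkholes); a malformed address is
    treated as suspicious rather than ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacked_entries(text: str) -> list:
    """Return [(hostname, ip)] for watched hostnames mapped to a routable address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in WATCHED_HOSTNAMES and not is_benign_address(ip):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    # On a real machine, read /etc/hosts or
    # %SystemRoot%\System32\drivers\etc\hosts instead of the constructed sample.
    for name, ip in find_hijacked_entries(SAMPLE_HOSTS_FILE):
        print(f"ALERT: {name} pinned to {ip} in hosts file, bypassing DNS")
```

Run periodically, or on change of the file, this turns the "silent" rewrite into a detectable event; the loopback/unspecified allowance keeps ordinary localhost and ad-blocking entries from generating noise.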

Another new twist, again observed first in Brazil, is the phishing email that encourages you to connect to a popular virtual postcard web site where a postcard is waiting for you. You click on the link, but that simply takes you to a site that automatically downloads malware on to your machine. This will then log subsequent keystrokes on your PC, enabling passwords and security codes to be captured and transmitted to the fraudsters.

The money-laundering scam

A further twist in the phishing industry is the attempt to recruit unsuspecting Internet users - known as mules - into money-laundering networks, exposing them also to potential identity theft.

The email offers the victim the chance to make easy money by working freelance for what appears to be a perfectly legitimate business organisation in their own country.

The ‘job’ is simple and purports to be well paid - transferring money from one account to another, as directed by the ‘employers’. The objective of the fraudsters is to move funds gained by criminal activities such as drug smuggling, illegal immigration and arms dealing, as well as phishing proceeds, through a series of bank accounts before they land eventually in the fraudsters’ own account.

The trail of movements becomes difficult for law enforcement agencies to follow, effectively laundering ill-gotten gains into apparently perfectly ‘clean’ money.

Often the fastest way for phishers to transfer money is between accounts in the same bank, and the easiest way for them to do this is to recruit unsuspecting mules to act on their behalf, opening bank accounts and transferring money for the phishers.

For example, in November 2004, MessageLabs warned job seekers to be wary of fraudulent emails offering regional representative and general assistant positions with ICG Commerce. These emails were secretly recruiting middlemen for phishers, luring unsuspecting victims into laundering money for them. This scam was a sinister demonstration of how fraudsters attempt to manipulate computer users into doing their dirty work for them, potentially leading them into breaking the law in the process.

The email offered employment opportunities involving money transfer for high rates of pay and low hours of work. It directed victims to a website where they filled in personal details to apply for the job, details which could also be used for identity theft. ICG Commerce is a legitimate procurement company based near Pittsburgh, Pennsylvania, whose name was being used by the phishers to lend credibility to the scam.

MessageLabs found that the link included in the emails pointed to a website that was not part of the main ICG website:

Hi,

Recently I've reviewed your CV and I'd like to propose you a good opportunity to join our great team. Our company - ICG Commerce was founded ten years ago to serve the European business entrepreneurs and establish a profitable base for corporations desirous to succeed in new ventures in the United States and vice versa.

We are financially stable company with growing business worldwide. Due to expanding our business, we are glad to announce a number of vacancies of Regional Representative / General Assistant.

All operations are home based and will require just a couple of hours of your time. Successful candidates must admit a high rank of responsibility, as your duties will include money operations, transferring of valuable business documents and so on. The individuals hired into these positions will initially go through a brief training program that will give them exposure to all operations functions including routing, inventory control and special projects. Now we need regional representative in the most areas.

To apply for this position and for more information click on this link (not included).

Best regards,

Konrad Zemler, ICG Commerce.

On following the link, the website text read:

Thank you for the shown interest about our proposal. At the moment we have a number of vacancies of REGIONAL REPRESENTATIVE and GENERAL ASSISTANT in many countries and territories. We'd like to give you some information about what exactly our company doing and how would you help us.

But just before that I'd like to tell you that for this job we are NOT going to ask you do ANY initial investments or send ANY kind of initial payments. And another thing to mention here that this is part-time home-based job that will require just about 5 or less hours weekly. So you can happily stay at your current position if you have any and just if you'll see a good potential to grow with us you can start work harder.

ICG Commerce delivers innovative and secure payment solutions that leverage the network of regional representatives worldwide. ICG helps organizations reduce payment-processing costs and settle the majority of their payments through this network. Unlike other forms of payments, the ICG payment solution is flexible, easy to implement and applicable to a broad supply base. Together with our banking partners, we'll provide a quick, customized deployment that allows to begin running transactions through the system with minimal time.

Basic methods of domestic payments we are receiving from our customers are: domestic wire transfers, cashier's checks, money orders and some others. For most of those methods it will take a long time and often significant additional charges to receive them outside the country where the payment was initiated.

Your responsibilities will include receiving these payments into your bank account and transfer them to us with the way we'll inform you. You will get 6-8% from total transferred amount as your wages.

This is fully home-based flexible hours part-time job with just minimal limits on your age (our candidates must be at least 18 year old) and there are no other restrictions applied.

Instructions are very simple and can be done by anyone. If you think that you are interested in this position please fill carefully the EMPLOYMENT FORM provided below. Once we receive your employment form we will review and file it and in about 1-2 weeks time you can start work with us.

The managed solution to email security

The emergence of the phishing phenomenon endorses yet further the need for businesses to protect themselves comprehensively from email security threats.

We have seen the continuous development of viruses, the burgeoning menace of spam - and then the convergence of the two. Now organised criminals are exploiting techniques developed by virus writers and spammers in wide-scale fraud scams.

Plainly, email security can no longer be regarded as adequate when applied on a piecemeal basis. Moreover, it can only be truly effective if the first line of security defence is placed at the Internet level. That is why we believe that a managed and coordinated email security service, such as that pioneered by MessageLabs, is the only comprehensive solution.

About MessageLabs

MessageLabs is the leading provider of managed email security services to businesses based on market share. The company offers industry-leading managed Anti-Virus, Anti-Spam, Image Control and Content Control services to more than 10,000 businesses around the world to combat email threats before they reach corporate networks and without the need for additional hardware or software. Powered by a global network of data centers spanning four continents, MessageLabs scans tens of millions of emails each day on behalf of clients such as The British Government, The Bank of New York, Bertelsmann, CSC, Diageo, Random House, SC Johnson and StorageTek. The service is also available through more than 600 channel partners, including BT, Cable & Wireless, CSC, IBM, MCI and Unisys. For more information on MessageLabs, please visit www.messagelabs.com.

About MessageLabs Intelligence

MessageLabs Intelligence is a respected source of data and analysis for email security issues, trends and statistics. MessageLabs provides a range of information on global email security threats based on live data feeds from our control towers around the world. The information relating to MessageLabs' services contained in this report is based on data generated internally by MessageLabs and has not been subject to an independent review by a third party.

© MessageLabs 2005 Ltd. All Rights Reserved.