2008-07-01
Abstract
Paul Baccas looks at the recent rise in targeted phishing campaigns alongside a decline in the profitability of more traditional phishing methods.
Copyright © 2008 Virus Bulletin
The spam traps at SophosLabs receive millions of emails every day. We have complex internal systems that process these emails. The majority of the emails are classified as spam automatically, and as such they may never be seen by a human (yes, researchers are human). As a researcher therefore, I tend only to see spam that is causing our customers a problem – in other words, emails that are not being classified automatically or that are not being received by our spamtraps.
Recently, we have seen an increase in targeted phishing, or spear phishing campaigns. These campaigns are not being seen by traditional spamtraps, though they are being seen by our customer base.
Spear phishing is phishing aimed at a specific organisation or group of users rather than at the public at large. By pretending to be an internal employee – often an IT administrator – the phisher obtains the victim’s local (corporate) credentials. Once the bad guys have local credentials they may use them for a variety of purposes:
To hack the box in order to install malware (spambots etc.)
To hack other users’ information
To phish other users in the company
To gain further information from the customer
Because users reuse passwords and other security information across systems, obtaining one password may give the phisher access to several other accounts.
For example:
A phisher sends an email to a user under the pretence of being an IT administrator and asks for the user’s username and password.
Joe Doe enters his details into a website. Username: jdoe & Password: Lakers
This information tells the phisher the format of Company X usernames (first initial followed by surname) and that the company does not enforce strong passwords (and therefore its passwords are susceptible to a dictionary search).
The information also leads the phisher to suspect that Joe is a basketball fan – often secondary security information is sports related.
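To make the inference above concrete, here is an added example (not code from the article or from SophosLabs) that takes one phished credential pair, works out the company’s username convention, predicts the username of a second employee, and lists why the password would fall to a dictionary search. The second employee’s name, the candidate conventions and the word list are all constructed for illustration; it goes slightly beyond the article’s single case by testing several common conventions rather than just first-initial-plus-surname.

```python
"""Added example (not from the article): what one phished credential reveals.

Given the full name and the credential pair that Joe Doe handed over, infer
the company's username convention, judge the password's strength, and predict
the username of another employee.  All names and the word list are constructed.
"""
import re

# Candidate username conventions, in the order a phisher would try them.
USERNAME_TEMPLATES = {
    "first initial + surname": lambda f, l: f[0] + l,
    "first name + surname": lambda f, l: f + l,
    "first.last": lambda f, l: f + "." + l,
    "first name + last initial": lambda f, l: f + l[0],
    "surname + first initial": lambda f, l: l + f[0],
}

# Tiny constructed dictionary: common words plus sports teams, since the
# article notes that secondary security information is often sports related.
DICTIONARY = {"password", "welcome", "lakers", "celtics", "yankees", "arsenal"}


def _split_name(full_name: str):
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def infer_convention(full_name: str, username: str):
    """Return the name of the template that reproduces `username`, or None."""
    first, last = _split_name(full_name)
    for label, template in USERNAME_TEMPLATES.items():
        if template(first, last) == username.lower():
            return label
    return None


def predict_username(full_name: str, convention: str) -> str:
    """Apply an inferred convention to another employee's name."""
    first, last = _split_name(full_name)
    return USERNAME_TEMPLATES[convention](first, last)


def password_weaknesses(password: str):
    """List the reasons a password would fall to a dictionary search."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.lower() in DICTIONARY:
        reasons.append("dictionary word")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


if __name__ == "__main__":
    convention = infer_convention("Joe Doe", "jdoe")
    print("username convention:", convention)
    # "Jane Roe" is a constructed second employee of Company X.
    print("likely username for Jane Roe:", predict_username("Jane Roe", convention))
    print("weaknesses of 'Lakers':", password_weaknesses("Lakers"))
```

The point for a defender is the same one the article makes from the other side: a single leaked pair is enough to enumerate valid usernames across the company, so a password policy that rejects dictionary words (sports teams included) removes most of the value of that leak.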
In Figure 1 we see a typical text-based phish requesting the recipient’s email username, password etc. In the ‘To’ field is the address of a member of staff or student at Oxford Brookes University, and there were a large number of addresses in the CC field (including my work email address – and Brookes is not even my alma mater). The ‘From’ address is forged. However, it only takes one person to give away their details for a phishing campaign to be successful.
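The three features just described (a request for account credentials, a sender address that does not belong to the organisation it claims to speak for, and a long CC list) are exactly what a proactive anti-phishing rule in an anti-spam product can key on. The following is an added example, not code from the article or from any Sophos product, that parses a constructed message modelled on Figure 1 and scores those signals; the addresses, domains, keyword patterns and CC threshold are all invented for illustration.

```python
"""Added example (not from the article): a crude anti-phishing rule run over a
constructed message modelled on Figure 1.  Every address, domain and threshold
here is invented."""
import re
from email import policy
from email.parser import BytesParser

CREDENTIAL_PATTERNS = [
    r"\busername\b",
    r"\bpassword\b",
    r"\b(confirm|verify|validate)\b.{0,40}\baccount\b",
    r"\baccount\b.{0,40}\b(suspend|clos|deactivat)",
]
# A body that signs off as IT staff while coming from an outside domain.
CLAIMS_INTERNAL = r"(it|system|mail|webmail|email)\s*(admin|administrator|team|helpdesk|support)"
CC_THRESHOLD = 10  # more recipients than a genuine helpdesk mail would carry


def domain_of(addr: str) -> str:
    """Lower-cased domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def score_message(raw: bytes) -> dict:
    """Return each signal, a total, and a verdict (2 or more signals = phish)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    hits = sum(bool(re.search(p, body)) for p in CREDENTIAL_PATTERNS)
    to_domain, from_domain = domain_of(msg["To"]), domain_of(msg["From"])
    cc_count = len([a for a in (msg["Cc"] or "").split(",") if a.strip()])
    signals = {
        "credential_request": hits >= 2,
        "forged_internal_sender": bool(re.search(CLAIMS_INTERNAL, body))
                                  and from_domain != to_domain,
        "mass_cc": cc_count > CC_THRESHOLD,
    }
    signals["score"] = sum(1 for v in signals.values() if v)
    signals["verdict"] = "phish" if signals["score"] >= 2 else "clean"
    return signals


# Constructed phish: outside sender, 12 CC addresses, credentials requested.
PHISH = (
    b"From: Webmail Support <support@freemail.example>\n"
    b"To: student@uni.example\n"
    b"Cc: " + b", ".join(b"user%d@uni.example" % i for i in range(12)) + b"\n"
    b"Subject: Account verification\n"
    b"Content-Type: text/plain; charset=us-ascii\n\n"
    b"Dear account owner,\n\n"
    b"Your mailbox has exceeded its quota. To continue using this service,\n"
    b"confirm your account by replying with your username, password and\n"
    b"date of birth within 48 hours, or your account will be suspended.\n\n"
    b"Webmail Administrator\n"
)

# Constructed genuine notice: same domain, no CC, no credential request.
CLEAN = (
    b"From: Helpdesk <helpdesk@uni.example>\n"
    b"To: student@uni.example\n"
    b"Subject: Scheduled maintenance\n"
    b"Content-Type: text/plain; charset=us-ascii\n\n"
    b"Scheduled maintenance on the mail servers this Saturday 08:00-10:00.\n"
    b"No action is required. IT Services will never ask for your password\n"
    b"by email.\n"
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(name, score_message(raw))
```

A real product would weight these signals rather than count them, and would check the sender against authenticated results (SPF/DKIM) rather than a bare domain comparison, but even this toy rule catches the Figure 1 pattern while passing a genuine notice that happens to mention the word ‘password’.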
Once the phisher has one piece of personally identifiable information (PII) it becomes easier for them to gain other pieces.
Phishers phish for economic reasons. Both direct phishing of bank details and spear phishing for personal information ultimately generate an income for the phisher. However, direct phishing is becoming less profitable for a number of reasons, which can broadly be categorised into social and technological:
Social reasons:
User education. Education has raised the level of awareness among users of the dangers of phishing, and as a result users are becoming more wary of the emails they receive and less likely to be tricked.
Bank effort. Many banks alert their customers when a phishing attack is known to be targeting their organization. Some are also beginning to change their style of communication with their customers to avoid confusion with phishing emails – for example by not including any links to their sites and instead requiring the customer to enter the bank’s URL manually or to bookmark the site.
Technological reasons:
Browser enhancements and add-ons that flag suspected or known phishing sites.
Proactive anti-phishing rules incorporated into anti-spam products.
In my opinion it is the last of these that has had the greatest impact on the profitability of the more traditional phishing methods. As a result, phishers are moving away from direct phishing and concentrating their efforts instead on spear phishing or on another more lucrative business.
Spear phishing is less efficient than direct phishing for a number of reasons:
A smaller volume of phishes is sent.
Better spam filtering means that the number of phishes that reach the recipients may be very low.
More effort is required to extract the profit.
User education means that users are wary of giving away personal information such as that requested in spear phishes (although they are more likely to expect emails from and reveal information to IT staff).
But for the phisher, the plus side of spear phishing is that the lower volume of emails and their targeted nature mean the phishes have lower visibility to spam filtering software, and as a result spear phishing is becoming more popular among phishers.
Spam is nearly all about the perceived financial reward for the spammers. Phishing is all about the economic reward, and as long as one person falls victim to the scam, phishers will keep on phishing. As one modus operandi becomes unprofitable another will open up. You can guarantee that somewhere in the world a phisher is thinking, à la Cuba Gooding Jr., ‘Show me the money’.