The Gods of Phishing

Not long ago, Beth Jones received a bogus email that she couldn’t help but find amusing. The note was written in Greek, although she recognized the word ‘MasterCard’ in it. While she had no clue what the sender was looking for, Jones knew it was a blatant attempt at phishing – a calculated attempt to obtain her financial information.

“Now I don’t speak Greek, and have no concept of how to read it...but I saw the word ‘MasterCard’ in there, so that truly made me giggle’’, recalls Jones, a senior threat researcher at security firm Sophos.

Given her profession, and of course, the fact that the email was written in a foreign language, Jones certainly knew better than to fall prey to a phishing scheme. While email phishing campaigns have traditionally pretended to come from banks and financial institutions, industry experts say scammers have gotten more sophisticated and a new trend is emerging: attacks via social networks, which can be harder to spot. Most significantly, email phishing and a subset, spearphishing – which targets a specific person or company for their financial information – continues to rise.

In 2010, phishing attacks increased 27% in comparison to the previous year, according to RSA Security. They work, experts say, because inevitably there will always be someone who falls for the scheme – especially when the scammer sends a note threatening dire consequences if the user doesn’t respond right away. Common threats include those pretending to be from organizations like PayPal, warning that your account will be suspended or closed right away if you don’t reply to the email, or that your account has been compromised and you need to verify your information.

“The problem is there are still some very, very naïve users”, says Toby Weir-Jones, vice president of product development at BT Counterpane, a provider of real-time enterprise security monitoring. He recalls being at a dinner party and sitting with friends of his in-laws and getting into a discussion about his job. Weir-Jones asked his companions if they all had email accounts and to raise their hand when he named the category of their passwords. “So I said, ‘Your children’s names, pets’ names, the city where you were born and the variation of your birthday’, and within 15 seconds everyone had raised their hands. They were all shocked because I knew what category their password fell in, and they thought they were being terribly clever.”

People tend to use the same password from site to site because it’s easier for them to remember, so it’s extremely valuable to a phisher to get even a tiny number of users to believe his or her ruse, Weir-Jones says. Statistically, all phishing attempts fail at a macro level. However, “If the conversion rate is 1%, that’s an exceptionally good score for a scammer”, he says. “A 50% hit rate would be cataclysmic.” Even when a small number of users fall prey to the scheme, it encourages the attackers to keep the phishing attempts coming, say researchers.

Social networking phishes are becoming increasingly more common because people expect their friends to email them and share information. “Criminals have gotten better at figuring out how to distribute phishing emails not in an obvious way, but using your Facebook friends and taking over your account by asking you to ‘click on this video to see this great vacation we’ve gone on’, or ‘play this game with me’”, notes Avivah Litan, a senior security analyst at research firm Gartner.

The emails may not directly ask for personal information, but “In the end they’re trying to get your bank account or access to a privileged user account at a company to manipulate financial information or steal intellectual property or spy on a company”, Litan says. “Phishing has not declined. It has morphed.”

Not Your Typical Viagra Spam

Although people tend to be fairly savvy about not divulging personal information, especially online, experts say it’s still pretty easy to fall for a phishing scheme. Some of the best ploys are the ones that play off an emotional hook, such as after a natural disaster, says Weir-Jones (see ‘most effective/frequent phishing emails’ box on p.31). After horrific floods in Brazil and Australia earlier this year, scammers used images from various wire and news services to make so-called pleas for donations, he says.

“The advantage they have is they don’t have to mimic a bank; they don’t need to convince you of who they are...because the pleas come from something that sounds like a charitable organization”, says Weir-Jones. That creates “an emotional pull, and people want to be generous and put aside their inherent skepticism”. He says they see new email phishing schemes surface every time there is a natural disaster. The most successful phishing messages that “purport to be affiliated with the Red Cross or UNICEF, or any of these international relief organizations, are generally going to be the most effective when coupled with a pressing current event that people are going to respond to emotionally”, he adds.

Then there is the class of schemes that come from a company you already do business with or have in the past. Take Netflix, for example, which was used as the hook by a scammer(s) last year to send out an email to thousands of customers notifying them that their account had been suspended. The attack was a particularly good one because it looked genuine, observes Paul Judge, chief research officer and vice president of Cloud Services at Barracuda Networks, a provider of web and email security.

But upon examining the email more closely, Judge says there were a number of suspicious clues that it was a fake. First, the email wasn’t sent to anyone by name, and the link did not take a user directly to Netflix.com, but rather “a deceptively similar domain, netflixus.com”, he notes. “This could be easily confused by the recipient since it is so similar, and also could be perceived as a geographical notation (US)”.

Barracuda technicians signed into the site using a fake user name and password. At that point, there was “a landslide of warnings”, Judge recalls. The first was that the user was immediately asked for credit card information on a “very well-designed page, right down to an image of the back of a credit card to help identify the security code”. Another red flag was the fact that while financial information was being requested, the more secure HTTPS protocol was not used. After entering details, the site then redirected the user’s browser to the real netflix.com home page – a move Judge says is designed to make the user feel comfortable with the just-completed transaction.

“We saw [the Netflix email] go out to thousands of accounts we were protecting”, he says, estimating it probably means that a half million copies went out around the world. Once the attacker has a username and password, they cannot only go into Netflix and make changes, but, again, users tend to utilize the same password across multiple sites, so chances are high the attacker can penetrate information on other sites as well.

Phishers are masterminds at storing and managing passwords across the internet and trying to use them on different sites, Judge asserts.

Avoid Becoming a Victim

Of course, the easiest way to avoid falling prey to a spammer’s attack is to delete emails that look suspicious or are from companies you don’t do business with. But there are some other rules of thumb to follow.

Avoid any emails “with a call to action asking you to log in to your account and click on a link and go somewhere where you need to submit information”, says Rami Habal, director of product marketing at email security provider Proofpoint. “A call to action is often a link that says ‘Please click here to learn about our latest policy or link to your account’”.

Also take note of the URL. Be suspicious of emails with random names like americanexpress.cn “or some of the domains that tend to be a little more spammy like cn, because that’s coming from China; tw for Taiwan and co.cc”, advises Sophos’ Jones. “We see a lot of spam and phishing attempts coming out with that domain ending.”

If the email is threatening dire consequences, this should also send up an immediate alarm, she says. Generally, you will have already received correspondence from your bank or credit card company if there is a problem with your account.

Another tipoff: does the note use a non-standard sentence structure? If so, “it’s trying to avoid certain key words or phrases that spam filters will pick up”, says Jones. “You may see something like ‘Your card are expiring’. They almost always look poor grammatically with bad spelling to try and trick email filters.”

“A lot of phisher attacks have extremely poor English, the [company] logo is wrong and the colors are different, whereas a sophisticated attack looks identical”, agrees Andres Kohn, vice president of product management at Proofpoint.

Beware, too, of a link in a message that takes you to a website you’ve never been to. Most people tend to know their bank’s website address, the experts say.

Finally, keep in mind that phishing attacks are not limited to emails and social networking sites. Kohn says he recently got a strange instant message that looked to be from a colleague asking if he had a fax, and to go to a link to find out his IQ. “I got a little suspicious so I asked [the colleague], but what was interesting was…it actually had interacted with me a couple of times to put away my defenses and then have me think it was her.”

Exercising caution is always a good idea and, above all else, think before you click. “The problem is most people don’t know they’ve been hit until later”, says BT Counterpane’s Weir-Jones. “Once you’ve given the information away you can never get it back.”

Gartner’s Litan concurs. “If you click in the wrong place”, she says, “you’re doomed”.