
A major technique of the online identity thief is phishing. Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social-engineering schemes use ‘spoofed’ e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as account usernames and passwords. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.
A disturbing new trend is the emergence of technical subterfuge schemes that plant crimeware onto PCs to steal credentials directly, often using key logging systems to intercept consumers’ online account user names and passwords. Crimeware is a sophisticated form of spyware that evolves constantly, growing more complex and harder to detect and prevent.
In 2003, the Anti-Phishing Working Group (APWG) was formed by a group of 20 financial institutions, ISPs and security vendors. The group now has over 2000 member organizations and works globally on tracking and shutting down phishing scams. The APWG phishing attack repository is the internet’s most comprehensive archive of e-mail fraud and phishing activity, and the organization produces a monthly Phishing Activity Trends Report that analyzes phishing attacks reported via its website. The APWG also measures the evolution, proliferation and propagation of crimeware, drawing on the independent research of its member companies.
Phishing trend analysis
Figure 1 illustrates the number of unique consumer reports of phishing attacks on a monthly basis. Uniqueness is based on the subject line of the e-mail. The number of unique consumer reports of phishing attacks almost doubled over 2005, from 8,829 in December 2004 to 15,244 in December 2005.
From these reports we identify the websites that actually collect the stolen user data. Figure 2 counts these unique phishing sites and is the most accurate measure of real phishing campaigns. What we find extremely concerning is that the number of unique phishing sites increased more than fourfold, from 1,707 in December 2004 to 7,197 in December 2005. Seasonality is clearly visible in the data: the back-to-school period and the Christmas shopping period both show large increases in phishing activity.
Over the last 18 months, financial institutions have been deploying a variety of anti-phishing techniques to help mitigate the problem. These include:
• Takedown services. A number of vendors offer services whereby they work with ISPs around the world to have identified phishing sites disabled so that consumers cannot fall victim to them. These services operate 24/7 and can be very effective at shutting down sites. Most companies offering takedown services have staff who speak many languages, as phishing sites are often hosted in a country different from the one where the victims are.
• Stronger authentication. Financial institutions and online retailers are deploying a number of stronger mutual authentication technologies, both to detect that a user’s password has been stolen by a phisher and to help consumers determine whether a website really belongs to their bank. These approaches include geo-location fraud analysis, shared-secret images, PC fingerprinting, one-time password devices and cryptographic smart cards on USB flash drives.
• E-mail authentication. Although the internet industry remains divided over e-mail authentication protocols, financial institutions are increasingly taking steps to enable ISPs and end users to filter out forged phishing e-mail. Banks should be publishing SPF, Sender ID or DKIM (DomainKeys Identified Mail) records to identify their legitimate sending mail servers. These protocols let a receiver reject mail that forges the bank’s own domain; they do not stop a phisher from sending correctly authenticated mail from a look-alike domain the phisher controls, so they work best alongside reputation and content filtering.
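As an added illustration of how a receiving mail server uses a bank’s published SPF record to drop forged mail (example code written for this article, not APWG or any vendor’s code): the SPF records, sender domains and client IPs below are constructed, and only the ip4, ip6 and all mechanisms are evaluated, because include, a, mx, exists, ptr and redirect require live DNS lookups, which this offline evaluator reports as unsupported. The look-alike domain in the sample shows the limitation noted above: its mail passes SPF because the phisher controls that domain.

```python
import ipaddress

# Result strings follow the SPF result names of RFC 7208.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the IP that delivered the message.

    Only ip4, ip6 and all are evaluated here. Any term that needs a DNS
    lookup (a, mx, include, exists, ptr, redirect=) makes this simplified
    evaluator return "unsupported" so a caller can fall back to a full
    resolver-backed implementation (a limitation of the example, not of SPF).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                    # modifier such as exp= or redirect=
            if term.lower().startswith("exp="):
                continue                   # explanation text never changes the result
            return "unsupported"
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "all" always matches and ends evaluation
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record: treat as a hard error
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                       # no match, move to the next mechanism
        return "unsupported"
    return "neutral"                       # nothing matched (RFC 7208 section 4.7)


# Constructed SPF records, keyed by sending domain (not real records).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all",
    # Look-alike domain registered by the phisher, with its own valid SPF record.
    "bank-security-alerts.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Constructed inbound messages: envelope sender and the connecting client IP.
INBOUND = [
    {"id": "m1", "mail_from": "alerts@bank.example", "client_ip": "192.0.2.25"},
    {"id": "m2", "mail_from": "alerts@bank.example", "client_ip": "203.0.113.77"},  # forged, sent by a bot
    {"id": "m3", "mail_from": "alerts@bank-security-alerts.example", "client_ip": "198.51.100.9"},
    {"id": "m4", "mail_from": "news@retailer.example", "client_ip": "203.0.113.5"},  # no SPF published
]


def spf_disposition(message: dict, records: dict) -> tuple:
    """Return (spf_result, action) for one message under a simple receiver policy."""
    domain = message["mail_from"].rsplit("@", 1)[-1].lower()
    result = check_spf(records.get(domain, ""), message["client_ip"])
    if result == "fail":
        return result, "reject"            # the domain owner says this host may not send for it
    if result in ("softfail", "permerror"):
        return result, "quarantine"
    return result, "accept"                # pass, neutral, none and unsupported are let through


def filter_inbound(messages: list, records: dict) -> dict:
    """Map message id -> (spf_result, action) for a batch of inbound mail."""
    return {m["id"]: spf_disposition(m, records) for m in messages}


if __name__ == "__main__":
    for mid, (result, action) in filter_inbound(INBOUND, SPF_RECORDS).items():
        print(f"{mid}: spf={result} action={action}")
```

Message m2, which forges the bank’s own domain from a botnet address, is rejected; m3 is accepted with an SPF pass because the look-alike domain is the phisher’s own, which is why domain reputation and brand monitoring still matter after SPF is deployed.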
In response to these anti-phishing measures, the phishers have increased the sophistication of their attacks and broadened them to target smaller financial institutions and non-financial companies. In 2004, a typical phishing attack might use fewer than 10 computers to send the e-mails and would host the site on a single server. Today, botnets are used to send phishing e-mails from thousands of hijacked computers, and they are often used to host many copies of a single phishing site as well.
Because takedown services have become quite effective at shutting down fraudulent sites, the phishers have dramatically increased the automation of their schemes, resulting in a much higher number of phishing attacks. As the effectiveness of each individual attack diminishes through technical defenses and better-educated consumers, the number of attacks continues to increase.
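The one-time password devices listed under stronger authentication above are one of the defenses that shrink the value of a stolen password. The following example, written for this article and not taken from any vendor, shows the server side of an HOTP token (RFC 4226) and what it does and does not buy: a code captured by a keylogger is useless once the legitimate login has consumed it, but a proxy that relays a fresh code to the real site in real time still gets in. The token seed is the RFC 4226 test-vector secret, the look-ahead window of five counters is an assumption of this example, and `relay_attack` is a hypothetical helper standing in for the proxy.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token.

    Tracks the next unused counter so that a code captured by a keylogger
    cannot be replayed after the real login, and accepts a small look-ahead
    window for button presses that never reached the server."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.next_counter = counter + 1   # burn this counter and any it skipped
                return True
        return False


def relay_attack(victim_code: str, server: HotpVerifier) -> bool:
    """Hypothetical man-in-the-middle proxy: it never learns the secret, it just
    forwards the victim's fresh code to the real site before the victim's own
    request gets there."""
    return server.verify(victim_code)


def demo() -> dict:
    # Constructed token seed: the RFC 4226 test-vector secret, not a real key.
    secret = b"12345678901234567890"
    server = HotpVerifier(secret)
    first = hotp(secret, 0)
    results = {
        "first_use": server.verify(first),                   # accepted
        "keylogged_replay": server.verify(first),            # rejected: counter consumed
        "skipped_press": server.verify(hotp(secret, 3)),     # accepted: inside look-ahead
        "stale_after_skip": server.verify(hotp(secret, 2)),  # rejected: behind the counter
    }
    relayed = hotp(secret, 4)
    results["mitm_relay"] = relay_attack(relayed, server)   # accepted: fresh code relayed in time
    results["victim_after_relay"] = server.verify(relayed)  # rejected: the victim now fails to log in
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The last two results are the point made later in this article about crimeware: a one-time password stops replay of stolen credentials, not real-time relay through a man-in-the-middle, so OTP devices need to be paired with transaction-level controls.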
Crimeware: the next big threat
Virus and spyware techniques are now being used by identity thieves to create crimeware: malicious software that steals user information without requiring a mass e-mailing campaign. Principal types of crimeware include:
• Keyloggers. These Trojans get onto a consumer’s PC and monitor their keystrokes. The keystrokes are sent to a hacker data collection server, where the phishers comb through the information to find passwords to online banking sites. To make this easier, the keyloggers typically capture keystrokes only when the consumer is visiting the website of a targeted bank.
• Screenloggers. Used in conjunction with a keylogger, a screenlogger takes snapshots of the user’s screen while they are logging into a bank website. The phishers use these screenshots to defeat visual authentication systems such as on-screen keyboards and shared-image secrets.
• Browser helper objects. BHOs are browser plug-ins that steal web form information as the user types it into the browser (such as a password or credit card number). Some BHOs go further and display fake web pages that look like the real websites. Because the activity originates from the victim’s own browser, BHOs can be impossible to detect through PC fingerprinting or geo-location techniques.
• Pharming and man-in-the-middle. DNS attacks, known as ‘pharming’, modify the DNS settings (or the local hosts file) on a user’s computer, so that when the user types the URL of a bank they are in fact redirected to a fake banking website. Some pharming attacks operate as a ‘man-in-the-middle’, whereby the malicious server acts as a proxy and spies on everything the user sees and types into the website. DNS and local man-in-the-middle attacks can defeat one-time password devices, because the proxy relays the freshly generated code to the real site before it expires.
• Transaction generators. This new type of crimeware resides on a user’s computer and waits until they log into a bank or e-commerce site. It then opens an invisible window onto the site and starts issuing transactions on the user’s behalf. These have primarily been observed attacking alternative payment systems. There is concern that transaction generators could be very harmful if targeted against online brokerage sites.
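A check an incident responder can run for the pharming variant that rewrites name resolution on the victim’s own machine, written as an added example for this article rather than taken from any product: it parses hosts-file contents and flags every entry that pins a monitored brand domain, distinguishing a public address (redirection to a fake site) from a loopback or unspecified address (a local proxy acting as man-in-the-middle, or plain blocking). The hosts-file text and the bank.example domain are constructed; a real run would read /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and a check of the configured resolver addresses would need OS-specific calls not shown here.

```python
import ipaddress

# Constructed hosts-file contents (not taken from a real system). The
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation addresses.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.bank.example bank.example
203.0.113.9     online.bank.example   # added by crimeware
127.0.0.1       secure.bank.example
198.51.100.20   www.retailer.example
"""


def parse_hosts(text: str):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file,
    ignoring comments, blank lines and lines whose address does not parse."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                         # not an address-to-name line
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def is_under(hostname: str, domains: set) -> bool:
    """True when hostname equals one of the domains or is a subdomain of one;
    label-wise matching so that 'notbank.example' does not match 'bank.example'."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def find_hosts_hijacks(text: str, monitored_domains) -> list:
    """Flag every hosts-file entry for a monitored brand domain.

    A legitimate hosts file has no reason to pin a bank's hostname: a public
    address sends the browser to a look-alike site, while a loopback or
    unspecified address points at a local proxy or simply blocks the site."""
    monitored = {d.lower().rstrip(".") for d in monitored_domains}
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not is_under(host, monitored):
            continue
        local = ip.is_loopback or ip.is_unspecified
        findings.append({
            "line": lineno,
            "host": host,
            "ip": str(ip),
            "kind": "local_proxy_or_block" if local else "redirect",
        })
    return findings


if __name__ == "__main__":
    for f in find_hosts_hijacks(SAMPLE_HOSTS, ["bank.example"]):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On the sample, the two www.bank.example and bank.example entries and online.bank.example are reported as redirects and secure.bank.example as a loopback mapping; the unrelated retailer entry is ignored. Any hit on a bank domain warrants treating the machine as compromised rather than simply deleting the line.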
The Anti-Phishing Working Group and its members are tracking the rise of crimeware. Figure 3 illustrates that the number of password-stealing crimeware programs detected by the APWG rose from 77 in April 2005 to an all-time high of 180 in December 2005. That means more than five new password-stealing Trojans were released onto the internet per day in December. The actual number is likely to be much higher, since this count includes only the crimeware instances that were captured and analyzed.
One way that crimeware is distributed is through phishing e-mails that lure users to websites which exploit security vulnerabilities in their web browser and silently download the crimeware onto their computer. Figure 4 shows the number of these crimeware distribution servers that were discovered by the APWG and its members in 2005. There is a huge spike in December 2005, which correlates with the large spike in observed phishing sites (Figure 2).
Crimeware is also distributed through existing botnets. It is estimated that perhaps 10 million computers are infected with botnet software. This software can auto-update and download new software at any time, which allows crimeware authors to push their malicious wares to millions of computers whenever they choose.
Conclusion
The internet security industry and the financial services industry have been making great strides to protect their customers from the emerging threat of online identity theft. Much research and development is being done to create secure operating systems and affordable authentication technologies that can prevent these emerging threats.