Phishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2006:
- Plug and Play Phishing Networks: The number of phishing sites and attacks rose dramatically in the second half of 2006 as phishers perfected techniques to rapidly deploy entire networks of phishing sites on cracked web servers. These packages, known as Rockphish and R11, featured dozens of sites spoofing major banks, which could be unzipped in a subdirectory of a hacked site to create an instant phishing network. By using a common directory structure and subdomains, phishers created URLs that included the name of the target institution.
- Two-factor Authentication: A July attack on Citibank demonstrated a technique that was able to defeat two-factor authentication tactics using a man-in-the-middle attack. Two-factor authentication, which uses physical security devices to generate a single-use password, is being touted by banks and financial regulators as a way to reduce fraud losses from phishing. The second authentication factor used by Citibank is provided by a security token - a physical item possessed by an account holder - which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they stop working shortly after the victim has used them. However, by tricking a victim into entering their login details, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly, allowing the attacker to successfully log in.
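The Citibank attack works because a time-limited one-time password is only checked for freshness, not for where the customer typed it. The following added example (not code from the original article or from any bank's system) simulates a one-minute token and a bank-side verifier, then runs the two cases the text contrasts: a code captured by a keylogger and replayed two minutes later, and the same code relayed to the real site within seconds. The seed, the 60-second window and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60                        # constructed: code valid for roughly one minute
SECRET = b"constructed-demo-token-seed"  # constructed seed; a real token holds a per-device secret


def otp_for_step(secret: bytes, step: int, digits: int = 6) -> str:
    """HMAC-based one-time code for a given time step (HOTP-style dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def token_code(secret: bytes, now: float) -> str:
    """What the customer's hardware token displays at wall-clock time `now`."""
    return otp_for_step(secret, int(now // STEP_SECONDS))


class BankVerifier:
    """Server side: accept a code only for the current step, and only once per step."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_steps = set()

    def verify(self, code: str, now: float) -> bool:
        step = int(now // STEP_SECONDS)
        if step in self.used_steps:
            return False  # a code for this window has already been consumed
        if hmac.compare_digest(code, otp_for_step(self.secret, step)):
            self.used_steps.add(step)
            return True
        return False


def keylogger_replay(now: float) -> tuple:
    """Victim logs in normally; the logged code is replayed two minutes later."""
    bank = BankVerifier(SECRET)
    code = token_code(SECRET, now)
    legitimate = bank.verify(code, now)          # genuine login succeeds
    replayed = bank.verify(code, now + 120)      # stale window: rejected
    return legitimate, replayed


def mitm_relay(now: float) -> bool:
    """Victim types the code into a spoof page; the attacker forwards it at once."""
    bank = BankVerifier(SECRET)
    code = token_code(SECRET, now)               # entered on the spoof site
    return bank.verify(code, now + 2)            # relayed within the same window: accepted


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp, 20 seconds into a window
    print("keylogger replay (login, replay):", keylogger_replay(t))
    print("man-in-the-middle relay accepted:", mitm_relay(t))
```

The verifier is doing exactly what the token scheme promises, which is why the relay succeeds: nothing in a bare one-time code ties it to the site the customer believed they were talking to, so a freshness check alone cannot distinguish the customer from a proxy forwarding the customer's keystrokes.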
- Hacked Bank Sites: Several attacks in 2006 saw phishers hack into bank web servers and use them in attacks. In March, a Chinese bank's web server hosted phishing sites targeting U.S. banks. The phishing pages were placed in hidden directories on the web server of the China Construction Bank (CCB) Shanghai Branch. This attack was the first instance we've seen of one bank's infrastructure being used to attack another institution. Several weeks later, phishing scammers compromised a server housing the web sites of three Florida banks and redirected their customers to spoof pages. Previous scams had managed to manipulate financial sites through cross-site scripting and cross-frame content injection, but had not gained access to the server hosting the banks' sites.
- Continued XSS Vulnerabilities: The web sites of some of the world's leading financial institutions remained vulnerable to attacks using cross-site scripting (XSS), more than two years after Netcraft first highlighted the issue. The most prominent of these was an attack on PayPal that used XSS to insert fraudulent content into a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal. Random checks of bank web sites by the Washington Post identified XSS weaknesses on the web sites of Visa, JP Morgan Chase, eBay, Bank of America and American Express.
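The reflected XSS weaknesses described here come down to a request parameter being copied into the page without encoding, so injected markup is served under the bank's own hostname and certificate. The added example below (not code from the original article or from any of the sites named) shows the vulnerable reflection beside the encoded form, and a small detector that flags access-log requests whose query parameters carry HTML tags. The URL and the log lines are constructed for the demonstration; the marker `<b>fraudulent content</b>` stands in for whatever a scammer would inject.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request: the "q" parameter is reflected into the search results page.
CONSTRUCTED_URL = "https://bank.example/search?q=%3Cb%3Efraudulent+content%3C%2Fb%3E"

# Constructed access-log lines in common log format (second one carries markup).
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [12/Oct/2006:10:01:02 +0000] "GET /search?q=mortgage+rates HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Oct/2006:10:01:07 +0000] "GET /search?q=%3Cb%3Efraudulent+content%3C%2Fb%3E HTTP/1.1" 200 5210',
]


def reflected_param(url: str, name: str) -> str:
    """Decode one query parameter the way the server would see it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def reflect_unsafe(query: str) -> str:
    """Vulnerable: user input concatenated straight into the HTML body."""
    return f"<p>Results for: {query}</p>"


def reflect_safe(query: str) -> str:
    """Hardened: encode for the HTML text context before interpolating."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


TAG_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z]")


def flag_markup_in_query(lines):
    """Return log lines whose decoded query parameters contain an HTML tag opener."""
    flagged = []
    for line in lines:
        match = re.search(r'"(?:GET|POST) (\S+) ', line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query)
        if any(TAG_PATTERN.search(v) for values in params.values() for v in values):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    q = reflected_param(CONSTRUCTED_URL, "q")
    print("unsafe:", reflect_unsafe(q))
    print("safe:  ", reflect_safe(q))
    for line in flag_markup_in_query(CONSTRUCTED_LOG):
        print("flagged:", line)
```

The encoded version renders the injected text literally, so the page still shows what the visitor typed but the browser never parses it as markup. The log check is a coarse triage aid for spotting reflection probes after the fact; it is no substitute for encoding every reflected value at output time.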
- MySpace Phishing: Attacks targeting social networks represent a small percentage of all phishing scams, but became more common in the second half of 2006 as hackers used them to seed botnets through malware distributed on sites like MySpace, LiveJournal and Orkut. MySpace accounts themselves are of limited value, but can serve as a delivery mechanism for keylogging trojans, capturing home computers that may be used for shopping or online banking as well as social networking. Several leading social networks have proven vulnerable to XSS exploits, serving as a laboratory for phishers to test new technical attacks and social engineering techniques. An October attack at MySpace was hosted on a profile page with the username login_home_index_html, and used specially-crafted HTML to hide the genuine MySpace content on the page and instead display its own login form. It was the first major attack using a technique known as a reverse cross-site request.