The Phisher Kings

The rise of phishing has followed a trajectory that is remarkably similar to that of spam. Just as spam originally referred to flooding Usenet newsgroups, rather than email inboxes, so the practice of phishing seems to have started on AOL's online service, rather than on the Internet. Like spam, phishing in the early days was a relatively rare annoyance, but has recently begun growing to epidemic proportions: phishing attacks jumped 43 percent in March 2004, with over 400 unique scams.

Top Ten Phishing Countries

Country   % of phishing sites hosted in country
US        42.4%
Korea     16.1%
China      9.7%
Japan      5.5%
Canada     5.1%
Russia     3.8%
Taiwan     3.4%
Germany    2.5%
Romania    2.5%
UK         1.3%

Spam makes only the flimsiest attempts to deceive, generally in the Subject line. Once opened, it is usually obvious that the message is a sales pitch. Spam's success is simply a question of mathematics: even if the vast majority of recipients block or delete the message, the huge volume of spam ensures that the absolute numbers of replies are sufficient to warrant the small expense of the spamming.

Phishing, by contrast, is all about subterfuge. Typically, the email purports to be from a well-known organisation: according to the Anti-Phishing Working Group, eBay is the current favourite, with Citibank and PayPal the next most popular choices. To succeed, the phishing email must be as plausible as possible, in order to trick the recipient into moving on to the next part of the scam by clicking on an enclosed URL. As a result, phishing email messages have largely been a matter of social engineering.

This is what makes a recent phishing attack particularly interesting. Unlike those listed in the Anti-Phishing Working Group's archive, it does not masquerade as coming from a trusted organisation, nor does it explicitly urge recipients to click on a link. Instead, it has the appearance of being either sent in error, or at worst some fairly mild kind of spam message. It does, however, contain a URL that recipients might be tempted to follow out of curiosity - especially given the relative innocuousness of the message, and the lack of any traditionally phishy features.

But as the Code Fish Spam Watch site reveals in loving detail, doing so unleashes an extraordinary series of intrusive events. They culminate in highly-targeted screenshots of password characters being grabbed and sent to an email address in Russia if the user happens to log into Barclays online bank - ironically, one of the few to employ a two-step user login process designed to protect its customers from ordinary keylogger trojans.

Two things are striking about this. First, the technical virtuosity of this scam is an indication of how fast this field is evolving. And secondly, the form of this intricate, low-level attack presupposes a machine running Windows and its default applications. In other words, it depends on the Microsoft monoculture still found within most companies and homes.

Although users of GNU/Linux or the Macintosh may feel a certain satisfaction that they are immune to this and many other attacks based around deep-seated flaws in Microsoft products, they should not be too smug. Another recent but more traditional phishing scam enhances the plausibility of the fake Web site by employing JavaScript to replace the browser address bar with one that displays a fraudulent URL. Users of all platforms who have enabled JavaScript are potentially vulnerable.

As these examples show, phishing is rapidly becoming malware's new frontier - a devastating mix of coding deftness and cold-blooded deceit. Eradicating it will be even harder than stopping spam, the perpetrators of which are little more than script kiddies in comparison to these new phisher kings.

Glyn Moody welcomes your comments.