Phishing Attacks Evolved Steadily Throughout 2005
29th December, 2005
Phishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2005:
- Open redirects became a favorite method for phishing attacks to "borrow" the URL and credibility of a trusted web site. Redirects are common on large web sites, where server-side scripts send users to different parts of the site based on a destination carried in the URL. When that destination is not restricted to the site itself, a fraudster can craft a link that genuinely points to a page on the bank's web site but names the phishing site as the redirect target. The link passes casual inspection, and a user who clicks it may not notice that the bank's own server has forwarded them to the fraud site. This tactic was used this year in phishing attacks that redirected users from eBay's login page and from a U.S. government site that managed relief for hurricane victims.
- Pharming attacks, which subvert DNS to redirect users invisibly, began appearing in live phishing scams in early 2005. Among the techniques employed was DNS cache poisoning, a sophisticated and still relatively rare attack in which a resolver is fed forged records, so that requests for a legitimate financial site's name resolve to a look-alike fraud site. The victim types or bookmarks the correct address and still lands on the phisher's server.
- Another DNS-level strategy that appeared early this year is the use of wildcard DNS to construct URLs that convincingly mimic the legitimate sites of banks. A wildcard record answers for any hostname beneath the fraudster's domain, so the bank's name can be placed in the leftmost part of a long hostname without the phisher configuring each label individually. This technique, combined with numerous redirects, was used in a sustained attack on Barclays in March.
- Still more trickery with DNS: botnets controlled by fraudsters began hiding their DNS nameservers on compromised computers, complicating the task of shutting down malicious sites. The technique keeps phishing sites reachable longer by making the nameservers a moving target that shifts among thousands of compromised machines within a bot network, so taking down any one host does not take down the name.
- Cross-site scripting (XSS), while not a new technique, continues to be an effective strategy for skilled attackers. It involves injecting script into a URL parameter that the site echoes back unescaped into a dynamically generated page, so the injected code runs in the victim's browser under the trusted site's own origin. Despite widespread attention to the phishing threat, several bank web sites were successfully targeted by these attacks in 2005, including SunTrust and Citizens Bank. Several phishing scams also used cross-frame scripting to inject a spoofed data-collection page into a bank's official site, taking advantage of a frame-based layout that allowed outside content to be displayed within the bank's own pages.
- Phishing scams also developed strategies to evade detection by content filters on e-mail and proxy servers, which can detect and block messages and sites masquerading as popular phishing targets such as PayPal. One example is phishing e-mail that renders its text as an image, so that the brand names and other terms a filter would match never appear as text in the message body.
- At mid-year we also saw an increase in phishing attacks that eliminated the spoofed web page altogether, embedding the data-collection form directly in the HTML "bait" e-mail. The technique removes a step from the process, allowing a scam to steal sensitive information without constructing an elaborate fraudulent web site. The form's action, typically a mailto: address, lets the phisher choose the destination mailbox, so submissions can be re-routed simply by sending a fresh wave of e-mail as mailboxes are shut down.
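The open-redirect weakness described in the first item above comes down to a handler that trusts a caller-supplied destination. The following is an added example, not code from the article or from any of the sites it names; the host names bank.example, online.bank.example and evil.example are hypothetical. It shows the weak pattern beside a hardened version that accepts only same-site destinations and rejects the usual tricks: scheme-relative `//host` paths, credentials in the authority (`https://www.bank.example@evil.example`), look-alike hosts that merely begin with the trusted name, and non-https schemes.

```python
from urllib.parse import urlsplit, urljoin

# Hypothetical bank hosts for the example (assumptions, not from the article).
TRUSTED_HOSTS = {"www.bank.example", "online.bank.example"}
SITE_BASE = "https://www.bank.example/"


def vulnerable_redirect_target(next_url: str) -> str:
    """The weak pattern: forward the user wherever ?next= says.

    A phisher mails a link such as
    https://www.bank.example/login?next=http://evil.example/ and the bank's
    own domain in the visible URL lends the link its credibility.
    """
    return next_url


def safe_redirect_target(next_url: str) -> str:
    """Return next_url only if it stays on the site; otherwise the home page."""
    # Backslashes and control characters are normalised to slashes or stripped
    # by some browsers; refuse them rather than reason about each browser.
    if any(c in next_url for c in "\\\r\n\t"):
        return SITE_BASE
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative "//host") URL: require https to a
        # trusted host, compared as a whole host name, not as a prefix.
        if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
            return SITE_BASE
        # "https://www.bank.example@evil.example/" puts the bank in the
        # userinfo part; legitimate links never carry credentials.
        if parts.username is not None or parts.password is not None:
            return SITE_BASE
        return next_url
    # Relative destination: a single leading slash only ("//" is caught above
    # as netloc, but be explicit) so it cannot escape the site.
    if not next_url.startswith("/") or next_url.startswith("//"):
        return SITE_BASE
    return urljoin(SITE_BASE, next_url)


if __name__ == "__main__":
    for candidate in (
        "/accounts/summary",
        "http://evil.example/",
        "//evil.example/login",
        "https://www.bank.example@evil.example/",
        "https://www.bank.example.evil.example/",
        "https://online.bank.example/pay",
    ):
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)}")
```

The hardened version validates by parsing rather than by string matching: a check such as `next_url.startswith("https://www.bank.example")` would accept the look-alike host, and a check for `"evil"` in the string would never keep up with the phishers.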
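The last item above, the data-collection form carried inside the e-mail itself, is easy to detect at the mail gateway because no legitimate bank message asks for a password inside the message or submits a form to a mailbox. The following is an added example, not Netcraft's code or any product's: it parses an HTML body, collects every form action and password field, and reports forms that submit by mailto: or post to a host outside the claimed sender's domain. The sample message and the domains bank.example and example.net are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormActionFinder(HTMLParser):
    """Collect every <form action> and the names of password inputs in a body."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.password_fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written bare
        if tag == "form":
            self.actions.append((a.get("action") or "").strip())
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields.append(a.get("name") or "")


def suspicious_forms(html_body, sender_domain):
    """Return one reason string per indicator that the message is a bait form.

    mailto: actions are the pattern described in the article: the browser hands
    the submission to the mail client, addressed to the phisher, who changes the
    address between waves as mailboxes are closed. Off-domain POST targets cover
    the variant that still uses a collection server.
    """
    parser = FormActionFinder()
    parser.feed(html_body)
    reasons = []
    for action in parser.actions:
        parts = urlsplit(action)
        if parts.scheme == "mailto":
            reasons.append(f"form submits by e-mail to {parts.path}")
        elif parts.hostname and not (
            parts.hostname == sender_domain
            or parts.hostname.endswith("." + sender_domain)
        ):
            reasons.append(f"form posts to off-domain host {parts.hostname}")
    if parser.password_fields:
        names = ", ".join(parser.password_fields)
        reasons.append(f"password field(s) collected inside the message: {names}")
    return reasons


# Constructed sample of an in-message bait form (not a real phishing e-mail).
SAMPLE_EMAIL = """<html><body>
<p>Dear valued customer, please confirm your account details below.</p>
<form method="post" action="mailto:verify-account@example.net" enctype="text/plain">
  Card number: <input name="card"> PIN: <input type="password" name="pin">
  <input type="submit" value="Verify">
</form>
</body></html>"""

if __name__ == "__main__":
    for reason in suspicious_forms(SAMPLE_EMAIL, "bank.example"):
        print("SUSPICIOUS:", reason)
```

The sender domain is taken as the claimed identity in the From: header; a message that claims to be from the bank yet submits data anywhere else is the signal, regardless of what the surrounding text says.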
Posted by Rich Miller in Security