A BEHIND THE SCENES LOOK AT PHISHING
By David Poellhuber, President, ZeroSpam
Every day, unscrupulous spammers defraud thousands of innocent victims by harvesting the personal information that gives them access to the victims’ bank accounts. According to the US Federal Trade Commission, there are nine million victims of phishing each year in the United States.
No one in the world is protected from this threat, not even French President Nicolas Sarkozy, who fell prey to cybercriminals in the fall of 2008. How do phishing schemes operate? Who are the accomplices involved in the crime? Here is a look at the players and their roles.
The Players
A phishing campaign is not set up by one single individual but rather by a complex, well-organized, and technologically advanced network. The involvement of the following five players is essential for the success of the scheme: the sender, the host, the bank, the money mule and the operator. These players are mostly victims themselves. The following is an in-depth look at the role they each play in the scheme.
The Sender
The one who sends the message is not the “bad guy”. In fact, most senders are not even human beings but botnets: networks of thousands of infected computers that send out millions of phishing emails. The computer belonging to your mother-in-law or to your neighbour may very well be part of one of these networks. Any computer that is not kept patched and protected by an up-to-date antivirus is a potential recruit.
The Host
Phishing emails are designed to look as if they were sent by a reputable financial institution, a government agency or a business (eBay, for instance). The tone of the message, the logos and the domain from which it appears to have been sent all lead the reader to believe the email is legitimate. The recipient is pressured to click an embedded link that leads to a Web site mimicking the appearance of the entity in whose name the email was sent. That counterfeit site usually sits on a server belonging to a legitimate hosting provider or to an unwitting third party, which is why the host is a victim of the scheme rather than an accomplice.
The Bank
As a responsible client of a financial institution, you naturally report any suspicious transactions to your branch, and since the bank wants to maintain its reputation and client confidence, it investigates the incident. Online transactions are also far cheaper for banks to process than in-branch ones, and keeping customers confident enough to bank online is one reason banks generally reimburse phishing victims in full. By absorbing losses of several million dollars, banks become the third victim of the scheme.
The Money Mule
The mule is the least known accomplice of a phishing campaign but the most important one, since the mule is the person who actually moves the money. Access to banking information is not enough to defraud the victim; the scammer needs to transfer the stolen money to a safe place without leaving any traces. To do this, the mule must hold an account at the targeted entity (a reputable financial institution, business or organization), administered in the country where that entity operates. The mule receives transfers from compromised accounts and forwards the funds abroad through services such as WebMoney, ePassporte or E-Gold, keeping a small fee skimmed from each transfer. Either the mule knowingly agrees to act as an accomplice, or the mule moves the funds without really understanding that this is part of a scam; in the latter case, the mule is a fourth victim. Either way, the mule risks having his or her account frozen and facing a criminal sentence: whether victim or accomplice, the mule is usually the one the authorities catch.
The Operators
The operators are the real con artists, the shadiest and most elusive players of a phishing campaign. They control the campaign, conduct the operation and pocket the profits. They are creative and extremely competent technicians with access to vast resources and to accomplices scattered throughout the world, and they belong to networks that are often connected with organized crime. Romania seems to be home to several instigators of phishing campaigns, a number of whom were apprehended in March and October 2008. Brazil also seems to be a phisher’s haven of choice.
The Chain Of Events Involved In an Attack
Although phishing campaigns require a great deal of preparation, they are live online for only a relatively short time. The following describes how these schemes generally unfold.
Laying The Groundwork
All phishing campaigns are meticulously designed. Targets are chosen, a counterfeit Web site is built, host servers are identified, mules are recruited and, most importantly, a database of email addresses belonging to potential victims is established. These addresses may have been harvested by bots that automatically scrape them from Web sites, or by dictionary (directory harvest) attacks, in which a computer generates candidate addresses at a target domain from lists of common names and words, submits them to the mail server and records only those the server accepts as valid. At times, phishing campaigns also target specific, pre-selected victims.
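The defender's view of the dictionary attack described above, as an added example that is not part of the original article: a mail server gives away valid addresses by accepting some recipients and rejecting others, so a client that piles up "unknown recipient" rejections in a short span is harvesting. The log format, IP addresses, names and domain below are constructed for the example, not taken from any real server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, simplified SMTP recipient log: one line per RCPT TO with the
# server's reply code (550 = unknown recipient, 250 = accepted). Format, hosts
# and addresses are assumptions for this example, not a real server's log.
HARVEST_GUESSES = ["aaron", "abby", "adam", "alan", "albert", "alex",
                   "alice", "amy", "andrew", "anna", "anthony", "april"]
SAMPLE_LOG = [
    # 203.0.113.7 walks an alphabetical list of first names in a few seconds;
    # only "alice" exists, every other guess is rejected.
    f"2008-10-04 02:13:{7 + i:02d} client=203.0.113.7 rcpt={name}@examplebank.com "
    f"status={'250' if name == 'alice' else '550'}"
    for i, name in enumerate(HARVEST_GUESSES)
] + [
    # 198.51.100.22 is an ordinary sender who mistyped one address.
    "2008-10-04 02:13:10 client=198.51.100.22 rcpt=alice@examplebank.com status=250",
    "2008-10-04 02:13:11 client=198.51.100.22 rcpt=alcie@examplebank.com status=550",
    "2008-10-04 02:13:12 client=198.51.100.22 rcpt=bob@examplebank.com status=250",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client=(?P<ip>\S+) "
    r"rcpt=(?P<rcpt>\S+) status=(?P<code>\d{3})$"
)

def parse_line(line):
    """Parse one log line into (timestamp, client_ip, recipient, reply_code), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["ip"], m["rcpt"], int(m["code"]))

def detect_harvesters(lines, window_seconds=60, max_unknown=5):
    """Flag clients that collect more than max_unknown 'unknown recipient' (550)
    rejections within any window_seconds span. Lines must be chronological per
    client. Returns {client_ip: peak rejections seen inside one window}.

    The harvester's signature is asymmetry: many 550s for very few 250s,
    whereas a legitimate sender's occasional typo produces a single one."""
    recent = defaultdict(deque)   # client_ip -> timestamps of recent 550s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _, code = rec
        if code != 550:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop rejections that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_unknown:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, count in detect_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {count} unknown recipients within 60s, likely directory harvest")
```

A server that rate-limits or tarpits a client once it is flagged turns the harvest from a few seconds of work into hours, which is the cheapest way to keep valid addresses out of the phishers' database in the first place.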
Much attention is given to designing the phishing email message as this is the lure. The more effective the email message, the more profitable the scheme. Some of these messages are gems of social engineering. The emails prey on feelings of uncertainty and fear, which motivate the reader to click on the link before taking the time to think things through.
Executing The Plan
When all of these elements are in place, the spoof Web site goes online, often on several servers simultaneously. Whenever possible, the scammers use a domain name that resembles a well-known domain held by the targeted entity. The onslaught of spam generated by the botnets usually begins over a weekend or on public holidays, when the entity’s internet security teams are reduced or absent. Phishing emails are often sent from several sources, and a campaign may last anywhere from a few hours to a few days. Its effectiveness declines soon after launch: the emails are quickly reported to companies that specialize in message fingerprinting, which distribute signatures to their filters much as antivirus vendors distribute virus signatures.
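An added example, not code from the original article, of the two lures described in this section and under The Host: a domain chosen to resemble the targeted entity's, and a link whose visible text names one site while its destination is another. The protected domains, the confusable-character table and the sample message are assumptions constructed for the example; the registered-domain helper is deliberately naive (last two labels) and a real filter would use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the organisation wants to protect (assumed for this example).
PROTECTED = ("examplebank.com", "ebay.com")
# Character swaps commonly used to build lookalike labels (rn for m, 0 for o, ...).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(label):
    """Fold confusable sequences so 'exarnp1ebank' compares as 'examplebank'."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def levenshtein(a, b):
    """Edit distance, to catch one-character typo domains such as ebey.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive: last two labels. Real code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_host(host):
    """Return (verdict, matched protected domain or the registered domain)."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    if reg in PROTECTED:
        return ("legitimate", reg)
    labels = host.split(".")
    for target in PROTECTED:
        brand = target.split(".")[0]
        # Brand used as, or inside, a label of an unrelated registered domain,
        # e.g. www.examplebank.com.secure-verify.net or examplebank-login.net
        if any(brand in label for label in labels):
            return ("brand_name_reuse", target)
        # Registered domain one confusable swap or one edit away from the brand,
        # e.g. exarnplebank.com (rn -> m) or ebey.com
        if levenshtein(normalize(reg.split(".")[0]), brand) <= 1:
            return ("lookalike", target)
    return ("unrelated", reg)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()

def analyze_email_html(html):
    """Return [(link host, finding, detail)] for each suspicious link: a visible
    URL that differs from the href's host is display_mismatch; otherwise the
    href host is classified and lookalikes are reported."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((target, "display_mismatch", shown))
            continue
        verdict, detail = classify_host(target)
        if verdict not in ("legitimate", "unrelated"):
            findings.append((target, verdict, detail))
    return findings

# Constructed phishing lure; the hosts are assumptions for this example.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended within 24 hours. Please
<a href="http://www.examplebank.com.secure-verify.net/login">verify your details</a>
or sign in at <a href="http://exarnplebank.com/">https://www.examplebank.com/</a>.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for host, finding, detail in analyze_email_html(SAMPLE_EMAIL):
        print(f"{host}: {finding} ({detail})")
```

The same classifier can be run against newly registered domain feeds to spot a lookalike before the spam run starts, which is when the spoof site is being stood up on its several servers.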
Compiling Information
Everything is now in place to snare the first victims. An unsuspecting user may disclose his username and password, his PIN, credit card information or social insurance number. The private information is then immediately included in the scammer’s database.
Shutting Down The Operation
The game of cat and mouse has now begun. Once the spoof Web site appears online, it is out in the open for all to see, and victims soon begin to report the fraud to the legitimate entity. The entity’s security staff are informed of the attack and, within a few minutes, can identify the server that is collecting the personal information. Financial institutions now retain specialized online security firms for this work; these firms contact the legitimate hosts and service providers across the globe whose networks are being abused, notify them of the illegal activity and have the site taken down.
The Ensuing Fraud
The private information gathered during the phishing campaign is consolidated, refined, and validated. The operators then withdraw funds from bank accounts or sell the personal information on the black market. At this point, cybercriminals turn to mules, who launder the stolen money. The money trail is often lost here, because of the many intermediaries involved in the process, but the end result is always that bank balances are transferred from a victim’s account to an organization or another person by way of a means that ensures both liquidity and anonymity.
Conclusion
Financial institutions, for their part, have hardened their Web interfaces with various mechanisms to make them less vulnerable to attacks. For instance, when users log in to their account they may be required to answer a personal question, one to which only they know the answer, or to recognize a pre-selected image. A client who is accustomed to seeing these measures at his or her financial institution will be wary of a Web site that does not show them. Such cues help only as long as the attacker cannot reproduce them: a phishing site that relays the victim’s requests to the real bank in real time can display the genuine image, so they complement, rather than replace, checking the address in the browser.
Despite these improvements, however, phishing campaigns are not likely to disappear any time soon. Cybercriminals do not lack either imagination or resources, and they seem able to constantly reinvent themselves. They are able to come up with new phishing schemes by exploiting current events and new Internet opportunities, such as interactive role-playing games and social networks. The wealth of intelligence invested in setting up these phishing campaigns is simply mind-boggling. And the sources of financing to pay for this talent are not likely to disappear...
About the Author
David Poellhuber, CISSP, is the CEO and founder of ZEROSPAM Security, a Canadian managed email security operator serving organisations abroad. He is a frequent speaker at various infosec events. He can be contacted at davidp@zerospam.ca
spam, phishing, spamming, spoofing, email security