I still recall my first visit to a Baskin Robbins Ice Cream Parlor. Some of you no doubt recall your own anticipation: imagine choosing from 31 flavors of ice cream! Fifty years later, I feel angst and trepidation rather than anticipation when I open my e-mailbox and confront the imposing numbers of phlavors of phish.
Phishing is commonly associated with financial scams and identity theft, but it is increasingly being used to drive visitors to pages that host malicious executables (in particular, keyloggers and man-in-the-browser malware). As I again scanned nearly six months of mail posted to an antiphishing list, I noticed how far the reach of phishing has extended. Sifting through five months' worth of posts and several weeks' worth of URLs listed at PhishTank, I found at least one phishing attack notification and multiple targets in each of the following categories:
- Financial scams/identity theft. A partial list of banks attacked illustrates that financial institutions of all sizes and kinds are in play: Abbey, Alliance, Barclays, Chase, Citigroup, Colonial, Commerce, Compass, Farmers State, Franklin, Halifax, HSBC, Home Valley, Leicester, Lloyds, NatWest, Ocean, State Farm, Synergy, UniCredit Banca di Roma, Wells Fargo, ... The list has only grown and includes home town community banks and savings and loans, too.
- Bank scams that use fake security certificates. In attacks against Wachovia/Wells Fargo and Bank of America, phishers used bogus digital certificates to convince visitors that the site is SSL-protected.
- Domain name authority impersonations. Phishers used anticipated correspondence (annual Whois accuracy reporting, account verification) from ICANN, eNom, Network Solutions, and Netsons (a reseller) to lure users to fake registrar sites, where the users were duped into disclosing login information for domain name account management.
- Government agency impersonations. Phishers impersonated US IRS eFile, Her Majesty's Revenue and Customs, the US Social Security Administration, and the FTC to obtain Social Security numbers and other personal information.
- Fee/deposit scams. Phishers still lure victims with various state and national lotteries and other 419/Nigerian scams, and now customize these with phony contests run by recognizable brands like Pepsi. Mystery and secret shopper scams as well as zero-effort diplomas are also on the rise.
- Banner and pay-per-click frauds. Phishers replicated landing pages and altered the Google AdSense and AdWords code on these pages to divert PPC revenue from Google customers to accounts they control, directly or through mules.
- Software scams. Impersonating Microsoft, antivirus companies (AntiVir, McAfee), and open source developers (Joomla!), phishers lured victims into downloading malware instead of patches, virus definitions, and executable binaries.
- eMerchants. The major eMerchants (eBay, PayPal, Amazon.com) remain prime targets for phishers, but smaller ones (Big 5 Sporting Goods, Shopping.com) are now targets as well.
- Online payment services. Phishers remain very interested in hijacking PayPal, MoneyBookers, and Cahoot accounts.
- VoIP service hijacking. Vonage is the primary target for enticing customers into downloading malware that purports to optimize their VoIP service. Account hijacking was also popular.
- Online pharmaceuticals. I found hundreds of domains hosting sites that sell prescription meds without prescriptions. These sites are inherently illegal, so phishers don't need to impersonate a pharmacy brand.
- Airline rewards programs: AAdvantage was phished using a $50 award for completing a survey that included numerous questions seeking personal and financial information.
- Social networks. Phishers targeted Facebook, Hi5, Classmates.com, SinglesNet.com, Habbo, and HabboTeen accounts. I could have listed a dozen more if I could read Cyrillic, Korean, Chinese, and Japanese. Compromised accounts on these sites are great resources for hosting malware and sending spam.
- Sharing sites. Phishers create fake invitations to view photos or videos at sites like Flickr, Myfavoritetube.net, YouTube, or Yahoo! Photos to grab accounts that they later use to lure victims into downloading malware.
- Blog phish and malware. Geocities and BlogSpot are reputed to be the hottest spots for hosting malware. The phish email notices I found corroborate this claim.
- List, messenger, and contact management phish. Phishers cast their nets at any account they can compromise, from the "remove my email address from your list" managers to sites such as Twitter, CheckMessenger3, MeetYourMessenger, and Messenger FX that enhance or extend the reach of instant messaging.
- Mortgage, debt consolidation/cancellation, relief from bankruptcy. Phishers take advantage of worries over the economic downturn and lending crisis to lure individuals into applying for refinancing. Promises of immediate relief from debt, from harassment by collection agencies, and from tax or other liens lure people into sharing credit information.
- Military and charity frauds. Phishers lure sympathetic individuals to sites that purport to provide holiday meals or financial support for families of members of armed forces killed or wounded in action.
- Fear (health) scams. Phishers impersonate the Centers for Disease Control and Prevention (CDC), luring those who panic at the thought of catching swine flu to sites promising free H1N1 vaccines.
- Greeting (e-card) malware. "Someone's sent you an e-card!" may be exactly the lure a phisher uses to entice you to install a malicious program on your PC.
If I were a phishing behavior analyst à la the TV show Criminal Minds, I might profile a formidable phishing "unsub" as follows. The unsub attacks any financial, merchant, or social networking site that he believes will eventually lead to money or resources (PCs he can infect and "own"). He explores any and all means available to obtain personal information and account logins. The unsub is interested in any account. He relies on the inherent laziness of Internet users who use the same names and passwords for many, if not all, of the web accounts they create. He is patient, willing to sort and correlate information from multiple successful attacks against an individual in order to land a whale (an individual with a fat online banking account and sloppy Internet habits), to gain administrative control over a portfolio of domain names that he can use to make money via subsequent phishing attacks, or to sell in the underground market to other unsubs. He is elusive and criminally clever.
If you don't want to be the next unsub's victim, take measures to protect all your online accounts. Don't use short, simple passwords. Don't use the same username and password for every account you create on the web. Don't publish information on social networks, blogs, and wikis that provides clues the unsub can piece together to identify you. Imagine the kind of information you would hesitate to share with a stranger, and exercise the same caution in your virtual world as you would in the real world.
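A defensive counterpart to this advice, added here as an illustration and not part of the original post: a small Python audit that takes (site, username, password) records, such as rows from a password-manager export, and flags the two habits the unsub counts on, short or single-class passwords and the same password reused across sites. The minimum length and the "single character class" rule are assumptions of this example, not something the post specifies, and the sample accounts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_LENGTH = 12  # assumed threshold; the post says only "short", not a number


@dataclass(frozen=True)
class Finding:
    kind: str      # "weak", "reused_credential" or "reused_password"
    sites: tuple   # sites the finding applies to
    detail: str


def is_simple(password: str) -> bool:
    """Assumed heuristic, not the post's definition: shorter than MIN_LENGTH,
    or built from a single character class (only lowercase, only digits, ...)."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < MIN_LENGTH or classes < 2


def audit(accounts):
    """accounts: iterable of (site, username, password) triples.
    Returns a list of Finding objects; an empty list means nothing to fix."""
    findings = []
    by_password = defaultdict(list)  # password -> [(site, normalized username)]
    for site, user, pw in accounts:
        if is_simple(pw):
            findings.append(Finding("weak", (site,),
                                    f"password for {user} is short or single-class"))
        # e-mail style usernames are case-insensitive, so normalize before comparing
        by_password[pw].append((site, user.strip().lower()))
    for pw, uses in by_password.items():
        if len(uses) < 2:
            continue
        sites = tuple(sorted(s for s, _ in uses))
        users = {u for _, u in uses}
        if len(users) == 1:
            # worst case: one phished login works unchanged on every listed site
            findings.append(Finding("reused_credential", sites,
                                    "same username and password on several sites"))
        else:
            findings.append(Finding("reused_password", sites,
                                    "same password under different usernames"))
    return findings


# Constructed sample data: one user who reuses a password and picks short ones.
SAMPLE_ACCOUNTS = [
    ("bank.example", "jane.doe@example.com", "Summer2009!"),
    ("shop.example", "Jane.Doe@Example.com", "Summer2009!"),
    ("social.example", "jane.doe@example.com", "summer2009"),
    ("registrar.example", "janedoe", "correct horse battery staple"),
    ("voip.example", "jane.doe@example.com", "pass1"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f.kind:18} {', '.join(f.sites):30} {f.detail}")
```

On the sample data the audit reports four weak passwords and one reused credential (the bank and the shop share both username and password, which is exactly the correlation the profiled unsub is patient enough to exploit); the passphrase on the registrar account passes.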