Tools and Tactics

Phishing attacks generally rely on a number of simple tools and techniques to trick unsuspecting users. The underlying infrastructure to support a phishing scam may be as basic as a simple copied HTML page uploaded to a freshly compromised web server and a server side script to process any user input data, or it may involve more complex web sites and content redirection, but generally the objectives are the same - to set up a fake web presence for a trusted brand with the necessary back end capabilities to process user input data and make it available to the attacker. Using modern HTML editing tools it is very easy to produce a web site mimicking a target organisation, and poorly secured web servers can easily be located and compromised if an attacker is not adverse to scanning entire portions of Internet IP address space in the search for vulnerable target hosts. Once compromised, even home PCs can make effective hosts for phishing web sites, so not only well known corporate or academic systems are targeted. Attackers are often indiscriminate in their choice of target computers, purely selecting large IP address blocks to scan at random for a particular exploitable security vulnerability.

Once a phisher has established a realistic and convincing fake web site that mimics a trusted brand, their main challenge is how to divert users of a legitimate web site to the fake web site instead. Unless the phisher has the ability to alter the DNS for a target web site (DNS poisoning) or somehow otherwise redirect network traffic (a technique sometimes referred to as pharming), they must instead rely on some form of content level trickery to lure unfortunate users to the fake web site. The better the quality of the lure, and the wider the net that can be thrown, the greater the chance of an innocent user mistakenly accessing the fake web site (and in the process potentially providing the phisher with the victim's credentials or other personal data).

Unfortunately for the attacker, when they target an individual organisation (such as a bank or trusted retailer), the phisher probably does not have any information about who on the Internet is a customer of the target organisation and therefore who might be most receptive to a particular lure. Although the attacker could post hyperlinks pointing to the fake web site on chat rooms and forums related to the target brand (such as a technical support web site or community discussion group), it is likely that the target organisation would be notified reasonably quickly and the offending hyperlinks removed or discredited before many victims had accessed the content and submitted their personal details. There would also be a significant risk that the target organisation or law enforcement agencies might trace and potentially shut down the fake web site. The phisher therefore requires a method of reaching the maximum number of potential victims with the minimum amount of risk, and they have found their ideal partner in crime in the form of spam email.

Spammers have databases containing many millions of active email addresses, so the latest mass emailing techniques can be employed to allow a phisher to distribute their lure to a very wide audience with very low risk. Spam emails are often sent via compromised servers hosted in foreign countries, or via global networks of zombie PCs (botnets), so the likelihood of an individual sender being traced is low. If an unsuspecting user receives an officially branded email that appears to have been sent by their bank which asks them to go to what appears to be the bank's usual branded web site to change their online banking password for security reasons, they are much more likely to consider doing so than when confronted with standard spam emails about novelty products and links to unknown web sites. To increase the likelihood that a user will believe that an email is genuine, the phisher can employ a number of techniques to further improve the quality of their attempted deception:

  • Using IP addresses instead of domain names in hyperlinks that address the fake web site. Many innocent users will not check (or know how to check) that an IP address is registered and assigned to the target organisation that the branded fake web site claims to represent.
  • Registering similar sounding DNS domains and setting up fake web sites that closely mimic the domain name of the target web site (i.e. b1gbank.com or bigbnk.com instead of bigbank.com), in the hope that users will mistake the fake domain name for the real domain name.
  • Embedding hyperlinks from the real target web site into the HTML contents of an email about the fake phishing web site, so that the user's web browser makes most of the HTTP connections to the real web server and only a small number of connections to the fake web server. If the user's email client software supports auto-rendering of the content, their client may attempt to connect automatically to the fake web server as soon as the email is read, and manual browsers may not notice the small number of connections to a malicious server amongst the normal network activity to the real web site.
  • Encoding or obfuscating the fake web site URL. Depending on the method employed, many users will not notice or understand what has been done to a hyperlink and may assume it is benign. One variant of this technique (IDN spoofing) is to use Unicode URLs that render in browsers in a way that looks like the original web site address but actually link to a fake web site with a different address.
  • Attempting to exploit weaknesses in the user's web browser to mask the true nature of the message content. Microsoft's Internet Explorer and Outlook applications have been particularly vulnerable to such techniques (such as the address bar spoofing or IFrame element bugs).
  • Configuring the fake phishing web site to record any input data that the user submits (such as usernames and passwords), silently log them and then forward the user to the real web site. This might cause a "password incorrect, please retry" error or even be totally transparent, but in either situation many users will not be overly worried and put this event down to their own poor typing, rather than intervention by a malicious third party.
  • Set up a fake web site to act as a proxy for the real web site of the target brand, covertly logging credentials that are not encrypted using SSL (or even registering valid SSL certificates for spoof domains).
  • Redirect victims to a phishing web site by first using malware to install a malicious Browser Helper Object on their local PC. BHOs are DLLs designed to customize and control the Internet Explorer web browser, and if successful, victims can be tricked into believing they are accessing legitimate content when in fact they are accessing a fake web site.
  • Use malware to manipulate the hosts file on a victim's PC that is used to maintain local mappings between DNS names and IP addresses. By inserting a fake DNS entry into a user's hosts file, it will appear that their web browser is connecting to a legitimate web site when in fact it is connecting to a completely different web server hosting the fake phishing web site.

Due to the relatively complex nature of many e-commerce or online banking applications, which often employ HTML frames and sub-frames or other complex page structures, it may be difficult for an end user to easily determine if a particular web page is legitimate or not. A combination of the techniques listed above may mask the true source of a rendered web page and an unsuspecting user might be tricked into mistakenly accessing the phisher's fake web site, unknowingly divulging their authentication credentials or other personal data. At this point the phisher will be free to make use of the user's accounts or electronic identity as required, and the user becomes another victim of a successful phishing attack.