Q&A: Phishing explained
Dr. Jason Hong is the CTO and co-founder of Wombat Security Technologies, a provider of cyber-security training and filtering solutions. In this interview he discusses phishing.
Let’s say your identity gets stolen; what happens next? How exactly does a phisher benefit from gaining access to your sensitive information? What can he do?
There are several things that can happen, depending on the motivations of the criminals.
In the most common case, the criminals don’t care about you specifically, and are instead interested in what kinds of resources you have that they can use. This might include taking money from your bank accounts, applying for credit cards in your name, or even spamming your friends on social networking sites.
However, there has been a rise in specialized “spear-phishing” attacks that target you specifically, either because of who you are or your role in your organization. For example, criminals have been targeting lawyers and accountants to steal their clients’ documents. Attackers have also been targeting government employees to steal national security secrets. There have also been many cases of criminals scamming employees of an organization to steal intellectual property or customer data.
As an aside, social networking sites like Facebook and MySpace have been popular targets of phishers recently, and many people don’t understand the dangers involved. There are three primary risks if you fall for such a scam. The first is having criminals spam your friends with advertisements, which is mostly embarrassing and a nuisance. The second is having criminals spam your friends with links that lead to web sites that make use of a vulnerability in the web browser, effectively taking over their computers. The third is reused passwords. Many people use the same password for several different sites, such as for their email and for their banking. If an attacker gets one of these passwords, they can potentially access all of your accounts.
Many have become victims of phishing and we see the attackers using new methods all the time. In your opinion, what is their skill level? Who are we dealing with?
We’ve seen a wide range of skills, and unfortunately, the trend has been increasing sophistication. The first phishing attacks were done by amateurs, who had laughably bad spelling errors in their emails and web pages. Their fake web pages were also easy to find and take down. However, over time, these kinds of attacks became more elaborate and effective. Phishing is no longer done just by amateurs, but rather by skilled experts, gangs of criminals, and even foreign governments.
We’ve seen numerous toolkits to help attackers generate fake sites quickly. We’ve seen network tricks that hide where a fake web site actually resides, making it harder to take down those sites. Phishing attacks have also been increasingly entwined with malware. An attacker might send a seemingly innocuous PDF, which, if you open it up, exploits a vulnerability in your PDF reader and takes over your computer. We’ve also seen the growth of “marketplaces” for criminal activities, enabling a division of labor. Here, some criminals deploy fake sites, and then sell this information to others, who try to monetize the stolen information.
What are phishers’ most common information trade networks?
Phishers trade information on underground networks. Sometimes these are open Internet Relay Chat (IRC) channels, where they post sample information. Sometimes these are encrypted networks that make it difficult for law enforcement to penetrate.
One very important aspect of phishing is monetizing the stolen information. For instance, criminals rely heavily on unwitting “mules” to launder money and goods, reducing the direct risk that the criminals face, as well as circumventing existing countermeasures.
As an example, some of these “work at home” jobs involve receiving (illicitly purchased) packages and then forwarding the package to another address. Another “job” might be to receive some transfers into their account (from a hacked bank account) and then wire that money (minus a commission) to a different account in another country. These kinds of activities are illegal, but when people are desperate for jobs, they often don’t ask too many questions.
What are phishing kits and how are they distributed?
Phishing kits are toolkits that simplify the criminal’s task of creating and deploying a fake site. These toolkits might let a person specify what real page to copy and where they want stolen data to be sent. The toolkit then generates all of the files that can be dropped into an existing web site.
These toolkits are distributed in lots of ways. If you look hard enough, you can find some through search engines. These kits are also distributed through underground networks.
One important note about these kits is that they aren’t always what they seem. Many of these kits contain backdoors meant to double-cross the person using them. For example, the kit might create phishing pages that send stolen information to the creators of the kit rather than the person using the kit.
What is, currently, the magnitude of the phishing threat? What can we expect in the next five years?
The exact amount of damage that phishing causes is very hard to calculate. Estimates have ranged from a low of $61 million per year in the U.S. to about one billion per year. A large part of the problem here is lack of data from banks and other institutions that suffer losses. However, many researchers, myself included, believe that the main damage of phishing is actually the secondary effects. One bank I spoke to said it cost them about $1 million per attack, in terms of call center costs, recovery costs, damage to brand name, and actual money that could not be recovered (which was a small part of the costs).
In terms of the next five years, there will be two major trends. The first is that there will be a large uptick in spear-phishing attacks against corporations and governments. These attacks have already proven to be effective and are hard to defend against.
The second trend is that the good guys will get better organized. We’ve already seen increased cooperation between academic researchers, law enforcement, and industry, in terms of gathering data and sharing information. Companies are also offering better tools to defend against phishing attacks.