Phishing: characteristics and techniques.
Phishing involves sending email messages that seem to come from trustworthy sources, such as banking entities, but attempt to harvest confidential user data. In order to do so, they usually include a link that, if accessed, takes the user to a fake website. By doing this, users believe they are interacting with a trustworthy website, enter the information requested, which finally ends up in the hands of the fraudster.
Some of the most common characteristics that these forged email messages present are:
- Use of the names of existing companies. Instead of creating a company's website from scratch, fraudsters imitate the corporate image and website functionality of an existing company in order to further confuse recipients of the forged message.
- Use of the name of a real company employee as the sender of the spoofed message. By doing so, if recipients attempt to confirm the authenticity of the message by calling the company, they will be assured that the person that acts as spokesman of the company does actually work for the company.
- Web addresses that seem to be correct. Forged emails usually take users to websites that imitate the appearance of the company used as bait to harvest the information. In fact, both the contents and the web address (URL) are spoofed and simply imitate legitimate contents. What's more, legal information and other non-critical links could redirect trusting users to the real website.
- Fear factor. The window of opportunity open to fraudsters is very short, as once the company is informed that its clients are targets of these techniques, the server that hosts the fake website and harvests the stolen information is shut down within a few days. Therefore, it is essential for fraudsters to obtain an immediate response from users. On most occasions, the best strategy is to threaten them with either financial loss or loss of the account itself if the instructions outlined in the forged email are not followed, which usually refer to new security measures recommended by the company.
In addition to obscuring the fraudulent URL in an apparently legitimate email message, this kind of malware, also uses other more sophisticated techniques:
- Man-in-the-middle. In this technique, the fraudster is located between the victim and the real website, acting as a proxy server. By doing so, he can listen to all communication between them. In order to be successful, fraudsters must be able to redirect victims to their own proxy, instead of to the real server. There are several methods, such as transparent proxies, DNS Cache Poisoning and URL obfuscation, among others.
- Exploitation of Cross-Site Scripting vulnerabilities in a website, which allow a secure banking web page to be simulated, without users detecting any anomalies, neither in the web address nor in the security certificate displayed in the web browser.
- Vulnerabilities in Internet Explorer, which by means of an exploits allow the web address that appears in the browser address bar to be spoofed. By doing so, while the web browser could be redirected to a fraudulent website, the address bar would display the trustworthy website URL. This technique also allows false pop-up windows to be opened when accessing legitimate websites.
- Some attacks also use exploits hosted in malicious websites, which exploit vulnerabilities in Internet Explorer or the client operating system in order to download keylogger type Trojans, which will steal confidential user information.
- Pharming is a much more sophisticated technique. It consists in modifying the contents of the DNS (Domain Name Server), either via the TCP/IP protocol settings or the lmhost file, which acts as a local cache of server names in order to redirect web browsers to forged websites instead of the legitimate ones, when the user attempts to access them. Furthermore, if the victim uses a proxy in order to remain anonymous while surfing the web, its DNS name resolution could also become affected, so that all the proxy users are redirected to the false server.
How it works. How it is distributed.
The most common attack vector is a forged email message that pretends to come from a specific company, whose clients are the target of the scam. This message will contain links to one or more fraudulent web pages that totally or partially imitate the appearance and functionality of the company, which is expected to have a commercial relation with the recipient. If the recipient actually works with the company and trusts the email to have come from the legitimate source, he is likely to end up entering sensitive information in a malicious form located in one of those websites.
The means of distribution of these emails also share several common characteristics:
- Much the same as spam, it is massively and indiscriminately sent via email or instant messaging programs:
- The message urges users to click on a link, which will take them to a website in which they must enter their confidential data, in order to confirm it, reactivate their account, etc.
- It is sent as a financial company alert, warning users of an attack. It includes a link to a website in which they are prompted to enter personal data.
- As the message is massively distributed, some of the recipients will actually be clients of the company. The message states that due to some security concerns, users should visit a website and confirm their data: username, password, credit card number, PIN, social security number, etc.
- Of course, the link does not point to the company page but to a website developed by the fraudsters and that imitates the corporate image of the financial or banking entity. The web address displayed usually includes the name of the legitimate institution, so that users do not suspect any deception.
- When users enter their confidential data, these are stored in a database, and you don't need much imagination to figure out what happens next: fraudsters use the harvested information to connect to the accounts and the funds will fall into their hands.
The main damage caused by phishing is:
- Identity and confidential user data theft.
- Loss of productivity.
- Use of corporate networks resources: bandwidth, mail flooding, etc.
How to recognize a phishing email.
It might be difficult for users that have received a message with these characteristics to tell the difference between a phishing email and a legitimate one, especially for those that are clients of the financial entity from which the email message is supposed to come from.
- The From: field shows an address belonging to the legitimate company. However, it is very easy for fraudsters to spoof the source email address that is displayed in any mail client.
- The message includes logos or images, which have been collected from the legitimate website to which the forged email refers to.
- Though the link included seems to point to the original company website, it actually directs the browser to a fraudulent web page, in which user data, passwords, etc. must be entered.
- These messages frequently contain grammatical errors or spelling mistakes, or special characters, none of them usual in communication sent from the company that they are pretending to represent.
Every email user is a potential victim of this kind of attacks. Any email address used in forums, newsgroups, or a website is more likely to receive a phishing attempt, due to the spiders that crawl the Internet searching for valid email addresses.
The reason this malware threat exists is therefore clear: it is quite cheap to launch a phishing attack, and the benefits obtained are high, even with the smallest success rate.
How can I protect myself against phishing?
Panda Security has developed a complete set of technological solutions. These solutions are varied and adapt to the needs of every client, from home users to the largest corporations, offering integral protection and centralized management for every network layer: workstations, mail and web servers and corporate firewalls. For further information on Panda Security's solutions and its detection capabilities, click here.
However, as in many other computer security fields, the best defense against phishing attacks is to be well informed.
If you think that an email message you have received might be legitimate, something that should be regarded as highly unlikely right from the start, first of all, contact the company, either by phone or through your usual means. Even after doing this, check the following list before entering any kind of data that could be used for fraudulent purposes by third-parties, in order to significantly decrease the chances of falling victim to a phishing scam:
- Always verify the information source. Do not automatically reply to any email message that asks for your personal or financial information. If you feel uncertain about whether that company really needs the kind of information it is requesting, pick up the phone book and phone your usual contact, in order to check the information source.
- Type the web address in your Internet browser yourself. Instead of clicking on the links in the email message, type the web address (URL) in your browser, or use a previously defined bookmark. Even web addresses that look correct in the email message can be the path to a fraudulent website.
- Reinforce your security. Users making transactions through the Internet should install security suites that block this kind of threat on their computers, apply the latest security patches available through their usual vendors and make sure that they are operating in secure mode using digital certificates or communication protocols such as HTTPS.
- Always ensure that you are using a secure website: the web address must begin with https:// and a little closed padlock must be displayed on the status bar of the browser.
- Double-click the padlock in order to view the digital certificate that confirms the website you are accessing is actually the one you expected.
- Regularly check your accounts. Monthly statements are particularly useful to detect irregular transfers and transactions, both operations that you did not make but are reflected in the statement and operations made online but not reflected in the statement.
These and other best practices are summarized in an animation that users can view in order to learn how to better protect themselves against phishing.
Provided that all of these recommendations are taken into account, users can enter their information with reasonable peace of mind that it will not be used against their interests.
In order to protect yourself against phishing, it is very important to understand how financial service providers and other companies vulnerable to this kind of attack work. As a rule of thumb, these companies do not request sensitive information through insecure channels, such as email.
Panda Security offers various solutions to safeguard your computer from crimeware, as well as from other threats like viruses, hackers or phishing.
The main threats we face are:
Security Threats to mobile devices(Smartphones, PDA) are on the rise, as more sensitive information is stored on them.
Malware evolves to focus on obtaining financial returns
Malware is hidden to increase its useful life span and avoid detection.
All you need to know to understand viruses and other malware.
Spyware is perhaps the most worrying of all IT threats, as it intrudes on your privacy without you realizing
Have you received an email message from your bank, in which you are asked to verify your account details?
Miracle products? Make money easily? Unbeatable mortgage terms? Spam, spam, wonderful spam.
Thanks to Collective Intelligence, Panda's exclusive cloud-computing technology, the company's 2010 solutions leverage the knowledge gathered from the community of millions of Panda users around the world. Each new file received is automatically classified within six minutes and the Collective Intelligence servers classify more than 50,000 new malware samples every day. These technologies correlate information on malware received from each computer to continuously improve the protection level for the worldwide community of users. Panda's 2010 solutions have continuous, real-time contact with this vast knowledge base allowing the company to offer users the fastest response against the new malware that appears every day.
The Cloud Security Company
Founded in 1990, Panda Security is the world's leading provider of cloud-based security solutions, with products available in more than 23 languages and millions of users located in 195 countries around the world. Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology. This innovative security model can automatically analyze and classify thousands of new malware samples every day, guaranteeing corporate customers and home users the most effective protection against Internet threats with minimum impact on system performance. Panda Security has 56 offices throughout the globe with US headquarters in California and European headquarters in Spain.