16th Apr '08

Phishing attacks 201


In my “Phishing attacks 101” article, I covered theory on confidence scams and defined what a phishing attack was. This article will concentrate on different methods of phishing attacks, make some predictions for future attacks, and cover some countermeasures.

Identity impersonation

The first goal of a phishing attack is to convince you that you’re being contacted by a company that you do business with or that has some type of authority over your organization. This is commonly done using the following methods:

  1. Forging the sender’s e-mail address, for example using timothy.johnson@irs.gov as a sender address and pretending to be Timothy Johnson at the Internal Revenue Service. Many users believe that it is difficult to forge an e-mail address, but it is very easy.
  2. Using the impersonated company’s logo as an image in the header or footer of the e-mail.
  3. Wording the phishing attack e-mail similar to an actual e-mail message commonly sent from the impersonated organization.
  4. Personalizing the e-mail with your name and organization in the salutation, which can help with the e-mail’s sense of credibility because you may think that an anonymous attacker wouldn’t know that information.
  5. Linking you to a third-party Web site that has been built to look like the impersonated organization’s Web site.
  6. Asking you to contact the organization by telephone, using a telephone number in the same area code as the impersonated organization.
  7. Simply claiming to be from the impersonated organization.

The action required

The phishing attack will use bait that preys on your fear or optimism to prompt you to take action by contacting the criminal with your account or personal information. Some of the common scenarios are:

  1. A fraudulent purchase or transaction has occurred on your account, and you need to clear up the situation.
  2. Someone has made a criminal or legal complaint against you, and you need to clear up the situation.
  3. A suspicious transaction has occurred on your account, and you need to clarify whether you initiated it.
  4. Your account is past due and you need to clear up the situation.
  5. Your account is going to be suspended if you don’t update your account contact information.
  6. You have won a prize and need to take action to claim it.

Note that some of these are among the very few reasons an organization where you hold an account may legitimately contact you. Rather than reasoning that you seldom hear from the institution being impersonated unless there is a problem, remember that genuine problems are rare and be doubtful that the notice is real.

The most effective attacks are likely the ones where the criminal convinces you that they’re contacting you to help you, such as the ones where they claim there has been a suspicious charge and want you to confirm.

Methods of contact

Because very few people will actually take the bait, the attacker relies on automated methods to send out large amounts of bait and then relies heavily on the victims being the ones to follow up and provide the information that the phisher is trying to gain. This is usually done using the following methods:

  1. The criminal simply asks you to reply to the e-mail message with the account or personal information.
  2. The criminal asks you to call a telephone number to provide the account or personal information. The number may even be in the same area code as the impersonated company and the person answering the phone is likely to answer it the same way that the impersonated company does.
  3. The criminal asks you to fill out and submit a form that is in the e-mail message.
  4. The criminal asks you to visit a Web site that has been built to look just like the Web site of the legitimate company. The link to the Web site may be on a subdomain such as “paypal.com.example.com”, use JavaScript to make the link look legitimate, or use a form submission button to hide the link completely. It’s also common to use a hidden redirector on the legitimate company’s own Web site, if that company has a vulnerable Web site.
  5. The criminal attaches an information stealing program to the e-mail and asks you to open it under the guise of opening a required document.
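The link tricks listed above (a brand name buried in a subdomain, link text that shows one address while the href points elsewhere, and a redirector parameter carrying a second URL) can each be spotted mechanically. The following is an added example, not code from the original article or from SpamStopsHere; the e-mail body, hostnames and IP address are constructed for the demonstration, and the registered-domain helper deliberately simplifies by taking the last two labels of a hostname.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample of a phishing e-mail body (not a real message).
SAMPLE_HTML = """
<p>Dear customer, please confirm your recent transaction:</p>
<a href="http://paypal.com.example.com/login">https://www.paypal.com/cgi-bin/webscr</a>
<a href="https://www.example-bank.com/redirect?url=http://198.51.100.7/login">Account centre</a>
<a href="https://www.example-bank.com/help">Help</a>
"""


def registered_domain(host):
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk, which a real implementation must handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href, text):
    """Return a list of reasons the link looks deceptive (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reg = registered_domain(host)

    # 1. A TLD-like label appears before the registered domain, as in
    #    paypal.com.example.com: the brand is a subdomain, not the owner.
    prefix_labels = host.lower().split(".")[:-2]
    if any(label in ("com", "net", "org") for label in prefix_labels):
        reasons.append("brand shown in subdomain, real domain is %s" % reg)

    # 2. The visible text is itself a URL whose host differs from the target.
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registered_domain(shown) != reg:
            reasons.append("link text shows %s but points to %s" % (shown, host))

    # 3. A query parameter carries another URL: redirector pattern.
    for values in parse_qs(parsed.query).values():
        if any(v.startswith(("http://", "https://")) for v in values):
            reasons.append("query parameter redirects to another URL")

    return reasons


def flag_links(html):
    """Parse an HTML body and return [(href, reasons), ...] for each link."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, analyze_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, reasons in flag_links(SAMPLE_HTML):
        print(href, "->", reasons or "ok")
```

Run against the constructed body, the first link is flagged twice (subdomain trick and mismatched link text), the second once (redirector parameter), and the plain help link not at all. A gateway filter would apply the same checks to every link in inbound mail and quarantine messages that trip them.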

Countermeasures

As the company being impersonated, there are preventive measures you can take on your customers’ behalf:

  1. Use DomainKeys and SPF records to help prevent criminals from forging e-mail from your domain.
  2. Set up a unique “secure challenge” with each customer that you will provide to them to authenticate yourself when calling them, or even when they contact you. Note that a compromise of the unique challenge would be even worse than not having one, though.
  3. Watch for third party links to images on your Web site.
  4. Educate your customers.
  5. Protect your customer database.
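Item 1 above is what lets a receiving mail server reject the forged-sender trick described under identity impersonation (a message claiming to be timothy.johnson@irs.gov sent from a host the domain never authorized). The following is an added example, not code from the original article or from SpamStopsHere, of the receiving side of an SPF check. It evaluates a subset of SPF (ip4, ip6 and the all mechanism with its qualifiers; include, a, mx and redirect are omitted), reads the DNS TXT answer from a constructed dictionary instead of a real lookup, and also reports whether the envelope sender domain matches the From header domain. The message, domain, record and IP addresses are all constructed for the demonstration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT answers; these are not real records.
FAKE_SPF_TXT = {
    "irs.gov": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
}

# Constructed message in the style of the forged-sender example.
RAW_MESSAGE = """Return-Path: <timothy.johnson@irs.gov>
From: Timothy Johnson <timothy.johnson@irs.gov>
To: victim@example.net
Subject: Action required on your account

Please reply with your account details.
"""

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=FAKE_SPF_TXT):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Handles only
    ip4, ip6 and all; any other mechanism is skipped (assumption noted in
    the lead-in), so a record relying on include/mx would need a fuller
    implementation.
    """
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # Membership test is False when address and network families differ.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIER_RESULT[qualifier]
    # Record exhausted without a match and without an explicit all term.
    return "neutral"


def check_message(raw, sender_ip, records=FAKE_SPF_TXT):
    """SPF result for the envelope sender plus From/Return-Path alignment."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    env_domain = envelope.rpartition("@")[2].lower()
    from_domain = header_from.rpartition("@")[2].lower()
    return {
        "envelope_domain": env_domain,
        "spf": check_spf(env_domain, sender_ip, records),
        "aligned": env_domain == from_domain and env_domain != "",
    }


if __name__ == "__main__":
    # A host outside the published ranges delivering the constructed message.
    print(check_message(RAW_MESSAGE, "203.0.113.5"))
    # A host inside the published range.
    print(check_message(RAW_MESSAGE, "192.0.2.25"))
```

With the constructed record, the message fails when delivered from 203.0.113.5 and passes from 192.0.2.25; a domain with no record at all yields 'none', which is why publishing the record in the first place is the countermeasure. The alignment flag matters because SPF only covers the envelope sender; a forger can pass SPF for a domain they control while still displaying the impersonated address in the From header.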

Many banks are starting to use a “secure challenge” method, where you must first type in your username and then you’re provided with a “unique” word or picture for your account along with the password request. If the challenge is not correct, you don’t type in your password.

As the person being targeted by a phishing attack that impersonates another organization, there are countermeasures that can be used against the attacks:

  1. Don’t provide any personal or account information over e-mail.
  2. Don’t open attachments unless you were expecting them, and they’re what you were expecting.
  3. When contacting an organization where you hold an account, use a trusted directory such as a trusted bookmark for the Web site or the phone number from a legitimate account statement.
  4. If the contact is initiated by the company, don’t be afraid to break off contact and then initiate your own.
  5. Encourage organizations where you hold accounts to use a different method to identify you besides your social security number and other account details, and to set up a “secure challenge” that the organization first uses to identify itself.
  6. When typing your account details into a Web site, check the security certificate and URL.
  7. Educate your company’s users that these types of attacks exist, and that everyone is a target.
  8. Use anti-virus software at the SMTP gateway and workstations.
  9. Use an anti-spam service that can block phishing attacks.
  10. Don’t review spam identified by your anti-spam service.
  11. Report suspicious activity and suspected phishing attempts to the company being impersonated.

Although many articles about phishing attacks list some of these countermeasures, they often forget the most important one, which is the anti-spam service.

Using an accurate anti-spam service such as SpamStopsHere will block most phishing attack e-mail messages before they even reach your network. It’s also very important to use an accurate anti-spam product, and not try to manage your own in-house anti-spam solution, because with an accurate product there is no need to review spam looking for false positives. It’s quite dangerous for a user to have no confidence in the anti-spam product being used, because it can lead to a phishing e-mail message in the quarantine being released with little concern that it might be an actual threat rather than a false positive.

Although I don’t believe that there have been any studies to find commonalities among phishing attack targets that did not fall victim to the attack, it’s likely that education is going to be the second most effective countermeasure.

Projections for future attacks

Although we haven’t seen any yet, it’s likely that criminals will start taking advantage of faxes as an additional contact method. Many organizations, such as banks and law offices, currently rely heavily on signed faxes for account changes or to prompt action. It would be quite trivial for phishers to set up a fax number and ask you to fax them your account or personal information on signed company letterhead to resolve an account issue.

It would also be easy for a criminal to send an anonymous text message to your cell phone warning that your cell phone account is about to be shut off if you don’t call and pay your bill. The phone number provided to call would belong to the criminal. We predict a lot of text-message-based attacks in the future.

SpamStopsHere’s Sean Vogt contributed to this article.

