David Emm, senior technology consultant at Kaspersky Lab, looks at phishing scams and how to avoid getting caught.

Hardly a day goes by without some online news reference to 'phishing', sometimes also known as 'carding' or 'brand spoofing'. But what is it, how does it work and what are the effects?

Phishing (a conscious misspelling of the word 'fishing') is a specific form of cybercrime. It involves tricking computer users into disclosing their personal details (username, password, PIN or any other access information) and then using these details to obtain money under false pretences. It's fraud: data theft followed by theft of money.

Phishers rely heavily on social engineering techniques, which is just a fancy way of describing non-technical breaches of security that rely on human interaction: tricking users into breaking normal security measures.

Social engineering is commonly employed by writers of viruses and worms as a way of beguiling unsuspecting users into running malicious code. This might mean attaching a virus or worm to a seemingly innocent email message.

LoveLetter for example arrived as an email with the subject line 'I LOVE YOU' - and who doesn't like to receive a love letter? - and the body text 'Kindly check the attached LOVELETTER coming from me.'

In an effort to put unsuspecting users further off their guard the attachment had a double extension [LOVE-LETTER-FOR-YOU.TXT.vbs]: by default, Windows does not display the second (real) extension. This double extension trick has been used by lots of viruses and worms since including SirCam, Tanatos and Netsky.

Another social engineering technique is to construct an email to look like something that's positively beneficial.

Swen for example masqueraded as a cumulative Microsoft patch, manipulating users' growing awareness of the need to secure their operating system from attack by internet worms.

Such 'sweet' emails are not the only form of social engineering. There are also ICQ messages with links to infected web pages, for example.

In the case of phishing scams the criminal creates an almost 100 per cent perfect replica of a chosen financial institution's website.

The criminal then goes 'phishing', using spam methods to distribute an email that imitates a genuine piece of correspondence from the real financial institution.

Phishers typically use legitimate logos, good business style and even make reference to real names from the financial institution's senior management. They also spoof the header of the email to make it look like it has come from the legitimate bank.

In general, these letters inform customers that the bank has changed its IT structure and is asking all customers to reconfirm their user information. Occasionally the letters cite network failures, or even hacker attacks, as reasons for requiring customers to reconfirm their personal data.

The fake email messages distributed by phishers have one thing in common: they're the bait used to try and lure the customer into clicking on a link provided in the letter.

If the bait is taken the luckless 'fish' stands in serious danger of divulging confidential information that will give the criminal access to their bank account. The link takes the user directly to an imitation site that mimics the real bank's website.

This site contains a form that the user is told they must complete, and in doing so they hand over all the information needed by the criminal.

As you'd expect, phishers target organisations that handle significant numbers of customer financial transactions online. In the last 18 months customers of Barclays, Citibank, Halifax, HSBC, Lloyds TSB and MBNA, NatWest have all been targeted by phishers.

However it's not only banking customers other organisations whose customers have been targeted include amazon.com, AOL, BestBuy, eBay, MSN, PayPal and Yahoo.

Of course in any single phishing scam it's likely that only a small proportion of those who receive the fake email will be customers of the spoofed bank or other organisation; and only a small proportion of them may 'take the bait'.

However, as with spam email, the perpetrators send out such large volumes of fake messages that even a low response is likely to harvest enough data to make scam worthwhile. In this sense the term 'trawling' might be more appropriate than phishing.

There are high stakes involved. Estimates of the losses resulting from phishing scams vary (search online and you can find figures ranging from $400 million to $2.4 billion).

However it seems clear that the number of phishing attacks, and the associated costs, are increasing.

From July 2004 through to November 2004 there was a 34 per cent month-on-month growth in the number of new, unique phishing email messages; and a 28 per cent month-on-month growth in the number of unique fraudulent websites (figures taken from the Phishing Activity Trends Report - November 2004, Anti-Phishing Working Group).

As if this weren't enough, the problem doesn't necessarily end with direct costs. Some phishers also place exploits for Microsoft Internet Explorer (IE) vulnerabilities on their sites. When the victim follows the link to the fake website, the exploit is used to upload a Trojan to their machine.

As a result not only is the user's banking information harvested but their machines become unwilling 'soldiers' in a 'zombie' army that can be used for further malicious activities: as part of a Distributed Denial of Service (DDoS) attack designed to extort money from a victim organisation, for use as a platform for spam distribution or for use in the spread of a virus or worm.

Not bad for a day's phishing!

It's hardly surprising that phishing has attracted significant media attention during the last year or so. At the same time financial institutions now provide advice to their customers about the potential dangers.

The result is that users are becoming increasingly wary. So phishers are looking for more sophisticated ways of luring users into giving up their personal banking information.

What's next?

Some phishers now make use of vulnerabilities (or unwanted features) to make their scams less obvious. An IE vulnerability documented by Microsoft in late 2003 allowed a phisher to create a fake website that not only has the right 'look and feel' of a legitimate financial institution but displays the correct URL in the IE browser window.

So when the user clicks on the link in the phisher's email, the web browser displays content from the fake website but the URL in the browser window is that of the legitimate bank. This vulnerability is explained on the Microsoft website, together with tips on how to identify spoofed websites.

More recently, phishers have found a way to direct the user to a fake website without the need for them to click on a link at all. This is based on the fact that it's possible to embed script instructions, including exploit instructions, within HTML that will execute automatically when the email message is read.

In November 2004 phishers sent HTML emails containing scripted instructions to edit the host's file on the victim's machine. As a result when the user next directed their browser to their bank's website, it was automatically redirected to the fraudulent website, where any input could be captured.

The user hadn't clicked on a link. And they had no reason to think that they weren't accessing their bank's website as normal. Yet they had still become a victim of the phishers. This is one more reason for using plain text email rather than HTML and to disable scripting on your machine.

The following provides some general guidelines on how to minimise the risk of getting 'hooked' by the phishers:

  • Be very wary of any email message asking for personal information. It's highly unlikely that your bank will request such information by email. If in doubt call them to check.
  • Don't use links in an email message to load a web page. Instead type the URL yourself into your web browser.
  • Don't complete a form in an email message asking for personal information. Only enter such information using a secure website. Check that the URL starts with 'https://' rather than just 'http://'. If you're using IE, look for the lock symbol in the right of the status bar and double-click it to check the validity of the digital certificate. Or alternatively use the telephone to transact your business.
  • Consider installing a web browser tool bar that alerts you to known phishing attacks.
  • Check your bank accounts regularly (including debit and credit cards, bank statements etc) to make sure that listed transactions are legitimate.
  • Make sure that you use the latest version of your web browser and that any security patches have been applied.
  • Report anything suspicious to your bank.

For more information on phishing, specific phishing attacks and how to stay safe, check out Consumer Advice on Phishing on the Anti-Phishing Working Group website: www.antiphishing.org