Gone Phishing…
More and more sensitive information is exchanged online, so much so that most of the time we don’t even realize it. We log into our email account(s), our bank sites, our eBay account and so on. Every time we do that, a transaction happens: we send passwords, usernames or credit card numbers to an external server. Of course, we know why it is so important to choose a strong password, but do we know that it is totally useless if we cannot trust the recipient we are sending it to?
That is where anyone can exploit that trust. Phishing is any action taken to fraudulently acquire private information by pretending to be a real and trustworthy entity.
Hackers very soon realized how much value there was in running phishing scams. Stealing somebody’s credentials can give full access to very private information and, basically, total control of someone’s life (provided that the person does some online banking, logs into her healthcare site and so on).
There are many ways to carry out a phishing scam. First of all, the victim needs to be contacted in some way. It could be an email that leads you to a fake site, or it could be a typical malware infection that hijacks the web browser and redirects it to fraudulent websites whenever the victim types in a URL or clicks on a bookmark.
Secondly, because the phishing site will be hosted on a different domain than the real one, the hacker needs to trick the user into believing this is the correct URL. A classic example is to slightly modify the domain name; typos are also commonly used.
Figure 1: phishing site targeting Facebook users. Notice the URL ending in “.cn”
Real: www.google.com
Fake: www.go0gle.com
Real: www.facebook.com
Fake: www.facebook.com.profile.php.id.37122.cn
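Both domain tricks shown above, the one-character typo and the real brand name buried in the subdomains of an unrelated domain, can be caught by judging a URL on its registrable domain rather than on what the hostname starts with. The Python below is an added example, not part of the original article; it assumes a small constructed allow-list of brands and a naive two-label domain parser (a real filter would use the Public Suffix List):

```python
from urllib.parse import urlsplit

# Constructed allow-list of brands to protect (assumption: a real filter
# would hold many more and use the Public Suffix List for domain parsing).
KNOWN_BRANDS = {"google": "google.com", "facebook": "facebook.com"}


def registrable_domain(hostname):
    """Last two labels of the host, e.g. 'go0gle.com'. Naive: ignores
    multi-label public suffixes such as 'co.uk'."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos such as
    'go0gle' vs 'google'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, brand); verdict is 'legitimate', 'brand-in-subdomain',
    'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    labels = host.split(".")
    for brand, legit in KNOWN_BRANDS.items():
        # Only the registrable domain decides who owns the page.
        if reg == legit:
            return ("legitimate", brand)
    for brand, legit in KNOWN_BRANDS.items():
        # Brand name used as a subdomain of an unrelated domain, as in
        # www.facebook.com.profile.php.id.37122.cn (really owned by 37122.cn).
        if brand in labels[:-2]:
            return ("brand-in-subdomain", brand)
        # One-character difference in the second-level label: a typo domain.
        second_level = reg.split(".")[0]
        if second_level != brand and edit_distance(second_level, brand) == 1:
            return ("lookalike", brand)
    return ("unknown", None)
```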
Another technique, called website forgery, involves the use of scripts to alter the address bar. The legitimate address bar can be closed in order to display a fake one. More simply, JavaScript can be used to display a picture in place of the address bar, so that everything looks legitimate.
Let’s take the example of a phishing scam targeted at Facebook users (Figure 1).
A look-alike login page is created that looks identical to the legitimate one. The URL in the address bar is slightly different, but the average user may not notice it. In fact, this page is hosted in China.
Then let’s enter an email address and password in the form. Figure 2 shows the credentials being sent to the phishing server, somewhere in China.
Interestingly enough, after the login information is entered, the real Facebook login page is loaded this time. The user might just think she typed something wrong and enter her login again. Now it will work, and most likely the user won’t have noticed a thing.
Figure 2: data transfer between the client and the malware server
Meanwhile, the hacker has received a valid email address that he can use for spam, not to mention that he can log into the Facebook account at any time. However, with a bit of luck, there is something even better he can get access to: a lot of people use the same password for the different services they log into.
Now the hacker gets into your personal email account. With the large storage available today, people don’t bother deleting old emails. This is a gold mine for hackers: a simple keyword search (“password”, “credit card”, “confidential”) turns up even more juicy material.
The conclusion to this story is that phishing is a real and dangerous online threat. Although efforts are being made to protect users, the problem is so large that no single solution can fix it.
Internet Explorer 7 does include a filter capable of detecting phishing sites, but it is not 100% trustworthy. There are public groups combating phishing, reporting live statistics and taking phishing sites down. The PIRT (Phishing Incident Reporting and Termination) team at Castlecops.com is one of them, and it does a very good job.
Ultimately, this is something users will have to become familiar with and more vigilant about. Effectively blocking spam emails, which are full of phishing scams, would be a good start. Browser add-ons or applications running in the background can also detect dangerous websites in real time and block them.
Jerome Segura