Phishing is a term coined to describe a relatively new kind of blended threat on the Internet, one that combines social-engineering tactics with advanced delivery vectors and technical subterfuge in its implementation. The purpose is either to coax computer users directly into disclosing personal or privileged information, or to get them to unwittingly install software that covertly monitors and/or searches their computers for such information and transmits it back to the attacker. Phishing began, threateningly enough, as attempts to convince users to divulge the credentials for their Internet email and Internet Service Provider accounts. As the targets have shifted, the threat has rapidly become a decidedly more sinister one. Today, the vast majority of known phishing attacks are aimed at a small number of ends, including:
- gaining illicit access to financial systems for direct theft
- theft of personal information to be used for establishing false identities or the usurping of a valid identity (identity theft)
- gaining access to vast numbers of consumer-grade computers to be clandestinely controlled by an attacker (i.e., “Zombie PCs”)
In a typical phishing scenario, a previously compromised computer is used to deliver a specially crafted email with a “spoofed” sender address, misleading content, and links to one or more malicious websites. Both the emails and the websites are styled to very closely resemble their real counterparts on the Internet and contain some combination of malicious content and inducements to divulge sensitive information (e.g., usernames and passwords, credit card numbers, social security numbers, institutional account numbers, etc.). It’s not too difficult to see how these delivery mechanisms, methods of attack and vectors of compromise can be put together in various combinations to suit many purposes.
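The scenario above rests on two deceptions: a sender address that does not match where replies or bounces actually go, and link text that shows one site while the link points to another. The following Python script is an added example (not code from the column or its authors) that checks a raw email for exactly those indicators. The sample message, the placeholder domains (`examplebank.com` and its look-alikes) and the `198.51.100.23` test address are all constructed for this example; the `registrable()` helper is a deliberately crude two-label approximation and is not a substitute for a public-suffix list.

```python
"""Heuristic phishing-indicator checks over a raw email message (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; the domains and IP are placeholders.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: verify@examplebank-secure.net
Return-Path: <bounce@mail.examp1ebank.com>
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://198.51.100.23/login">sign in at www.examplebank.com</a>
to confirm your details.</p>
<p>Or visit <a href="https://examplebank.com/help">examplebank.com/help</a>.</p>
</body></html>
"""

# Constructed benign message: every header and link agrees on one domain.
CLEAN_EMAIL = """\
From: "Example Bank" <news@examplebank.com>
Reply-To: news@examplebank.com
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.examplebank.com/rates">examplebank.com/rates</a></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def domain_of_address(addr):
    """Return the lower-cased domain part of a mailbox address ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain (example only)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def hostnames_in_text(text):
    """Hostnames a reader would see in link text, e.g. 'www.examplebank.com'."""
    return re.findall(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text.lower())


def find_indicators(raw):
    """Return a list of human-readable spoofing indicators found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of_address(msg["From"])
    # Header mismatch: replies or bounces routed to a domain other than the sender's.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of_address(msg[header])
        if other and registrable(other) != registrable(sender):
            findings.append(f"{header} domain {other} differs from From domain {sender}")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Raw IP addresses in links are a classic sign of a throwaway phishing host.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP address {host}")
        # Link text that names one site while the href goes to another.
        for shown in hostnames_in_text(text):
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for line in find_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", line)
```

Run against `SAMPLE_EMAIL` the script reports four indicators (the Reply-To and Return-Path domains, the raw-IP link, and the text/href mismatch) and none against `CLEAN_EMAIL`. None of these checks proves a message is a phish on its own; they are the kind of signals a mail filter or a user-awareness tool would surface so that the recipient looks twice before acting on the message.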
While most people who know the term phishing will immediately think of email as the primary initial method of delivery in the phishing “lifecycle”, it needs to be noted that this is not always the case. A high-profile case last year involved unknown assailants compromising unsecured web servers and modifying their content to deliver an invisible, “silent” install of malicious software to vulnerable versions of several popular web browsers. This incident was significant as it was one of the first high-profile cases where servers were exploited in an attempt to compromise end users; until then the trend had run in the opposite direction. Many other server-side exploits could be used in an effort to dupe an unwitting user. Usually the exploits employed in these server compromises are well known and a vendor patch has already been issued for the vulnerability; the server administrator(s) in question simply failed to apply the patch before the exploit was used against the server.
The sharp rise in phishing activity and its level of sophistication demands increased awareness in the user community. Several groups have emerged to help combat this threat, and major technical efforts have recently been undertaken by key players including the Internet Storm Center, the FBI, Microsoft, the BSD community, Google and many others; but the best defense remains user awareness.
If you have a question you would like to see answered in an upcoming Ask the Engineer, please send it to Newsletter@InLine.com. We will be picking the best questions for future columns.