Phishing Dark Waters. Fincher Michele
Now you know the what, the who, and the why; let's talk about the how.
How People Phish
Identifying a suspect e-mail would probably be pretty easy if the sender was “Gimme Your Money.” But one of the simplest ways that con men take advantage of us is by the use of e-mail spoofing, which is when the information in the “From” section of the e-mail is falsified, making it appear as if it is coming from someone you know or another legitimate source (such as your cable company). Chris and I outline some simple steps in Chapter 4 that might help you identify whether the sender is legitimate. In the meantime, it's simply good to know that thinking an e-mail is safe just because you know the sender isn't always a sure bet.
Another technique that scammers use to add credibility to their story is the use of website cloning. In this technique, scammers copy legitimate websites to fool you into entering personally identifiable information (PII) or login credentials. These fake sites can also be used to directly attack your computer. An example that Chris personally experienced is the fake Amazon.com website. This is a great example for a couple of reasons. First, it's a very common scam because so many of us have ordered from Amazon.com. We've seen the company's website and e-mails so many times that we probably don't take a very close look at either. Second, it's good enough that even someone very experienced in the sneaky tactics used by scammers almost fell victim to it.
Chris has been phishing our clients for years (with their permission, of course). He's sent hundreds of thousands of phish and knows how they're put together and why they work. But last year, he received an e-mail informing him that access to his Amazon.com account was going to be blocked. This e-mail happened to coincide with preparations for our annual contest at DEF CON. Now, there's never a time that Chris isn't busy, but the month or so prior to DEF CON is basically all nine circles of Dante's Hell at the same time, in his office. I don't know what he actually thought or said at the time he received the fake Amazon.com e-mail, but you probably know where this story is going. Figure 1.2 shows the very e-mail he received.
Figure 1.2 The infamous Amazon.com phishing e-mail
If you read this e-mail closely, you will notice that the language isn't quite up to par, and there are anomalies, such as random capitalization. These characteristics are common hallmarks of phish, as many senders aren't native English speakers. The key here is that the quality of the e-mail is more than good enough to pass a quick inspection by a recipient with his hair on fire.
Chris clicked the link and ended up on what looked like the Amazon.com website, as shown in Figure 1.3. Even a close visual inspection wouldn't have revealed it as fake, because the site had been cloned.
Figure 1.3 Fake Amazon.com website
At this point, Chris's years of training kicked in. He looked at the website URL (address) and realized it wasn't legitimate. If he had entered his login credentials as he was asked to, his account containing his PII and his credit card information would have been hijacked. This almost worked because the website itself was an exact duplicate of the real thing, and the e-mail came at a time when Chris was busy, tired, and distracted – all things that can prevent critical thinking. (We'll talk more about this in Chapter 4.) The bottom line here is that website cloning is a very convincing way of getting people to believe the phish is real.
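The two tells described above, a falsified "From" line and a link whose real host is not the brand it claims to be, can be checked mechanically. The script below is an added illustration, not code from the book or its authors; the e-mail it parses is constructed for the example, and the host names in it are placeholders rather than real phishing infrastructure.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the display name and From
# domain look like the brand, but the link in the body points elsewhere.
SAMPLE_EMAIL = """\
From: "Amazon.com" <account-update@amazon.com>
Return-Path: <bounce@mailer-example.invalid>
Subject: Your Account Access Will Be Blocked
Content-Type: text/html

<p>Please <a href="http://amazon.com.verify-account.example/login">Sign In</a>
to confirm your Details.</p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Assumption: a crude stand-in for a
    public-suffix lookup, good enough for .com-style names used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _addr_domain(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def phish_indicators(raw: str, expected_brand_domain: str) -> dict:
    """Compare the claimed sender and every link target against the brand
    the message pretends to come from. A mismatch is a signal to look closer,
    not proof: legitimate bulk mailers also use separate bounce domains."""
    msg = message_from_string(raw)
    from_domain = _addr_domain(msg.get("From", ""))
    return_path_domain = _addr_domain(msg.get("Return-Path", ""))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I)
    link_domains = [registrable_domain(urlparse(h).hostname or "") for h in hrefs]
    off_brand_links = [d for d in link_domains if d != expected_brand_domain]
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "link_domains": link_domains,
        "from_matches_return_path": from_domain == return_path_domain,
        "off_brand_links": off_brand_links,
        "suspicious": from_domain != return_path_domain or bool(off_brand_links),
    }
```

Run against the sample, the From domain passes but the link resolves to `verify-account.example`, which is exactly the URL check that stopped Chris.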
One final trick that scammers use is to follow up phishing e-mails with a phone call. This is also known as vishing (for voice phishing) or phone phishing. Vishing has many malicious goals, ranging from adding truthfulness and credibility to an e-mail all the way to directly requesting confidential information. This technique emphasizes the idea that you should be closely protecting your PII. I grew up in an era in which people regularly had their Social Security and telephone numbers printed on their checks, right under their addresses, which basically announced, “Please steal my identity, Mr. Criminal!” Imagine how convincing it would be if you received an e-mail directly followed by a phone call from “your bank” that urged you to click the link, go to a website, and update your account information.
A real example occurred recently at the corporate level. It was dubbed “Francophoning” because the targets were primarily companies based in France.8 The attack was well planned and executed. An administrative assistant received an e-mail regarding an invoice, which was followed by a phone call by someone claiming to be a vice president within the company. He asked the assistant to process the invoice immediately. She clicked the e-mail link, which led to a file that loaded malware. This malware enabled attackers to take over her computer and steal information. This example is interesting because so many factors are in play – for example, the use of authority and gender differences in compliance – but the main point here is that any story becomes more convincing if you hear it from more than one source.
Examples
I'm not sure about you, but both Chris and I learn best by example. This section covers some high-profile compromises that started with phish and some of the most prevalently used phish on the market today. We also discuss why they work so well.
First of all, this section would be incomplete if we didn't mention the Anti-Phishing Working Group (APWG, www.apwg.org). We could fill pages about how amazing these folks are, but the thing to know is that the APWG is a global coalition of security enthusiasts who study, define, and report on how phishing is working around the world.
According to the APWG's report dated August 2014, phishing numbers continue to be staggering. In the second quarter of calendar year 2014, there were 128,378 unique phishing sites reported and 171,801 unique e-mail reports received by APWG from consumers.9 This was the second-highest number of phishing sites detected in one quarter since the APWG started tracking these statistics. Payment services and the financial industry were the most targeted sectors, accounting for 60 percent of the total, but within that, there was also a new trend in which online payment and crypto-currency users were targeted at an increased rate.
Now that you've seen the bird's-eye view of the numbers, it's time to examine some specifics.
Target Corporation is probably one of the highest-profile breaches to date. It has affected close to 110 million consumers – an estimated 40 million credit cards and 70 million people with stolen PII; with those numbers, you might have been one of them.10 The interesting thing about this story, however, is that it appears as though the attack wasn't specifically aimed at Target.11 This is a prime example of attack escalation. Target became a victim of opportunity after the real breach. The initial victim in this case was an HVAC vendor for Target that had network credentials. A person at the HVAC company received a phishing e-mail and clicked a link that loaded malware, which in turn stole login credentials from
10. Michael Riley, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” March 13, 2014, http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1.
11. Brian Krebs, “Email Attack on Vendor Set Up Breach at Target,” February 12, 2014, http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/.