By Crystal Ferraro, Site Editor
In 2004, phishing was a relatively simple attack to execute -- and foil. These days, phishing attacks are not only on the rise, but they have become more sophisticated and tougher to stop.
According to MessageLabs' 2005 Annual Security Report, phishing accounted for an average of one in every 304 e-mails last year, up from one in every 943 e-mails in 2004. Security experts point to attackers' use of botnets for the rise in phishing attacks.
When phishing began, attackers used a couple of e-mail servers or relays to send spam embedded with a link to a single spoofed Web site. A member of the Web community needed only to call up the attacker's ISP and have the e-mail or Web servers shut down.
Today, phishers are using distributed computing to carry out their attacks. Botnets consisting of hundreds -- even thousands -- of machines generate the spam. And spoofed Web sites are hosted by distributed virtual Web servers across the botnet itself.
"This makes it more difficult to shut down their phishing infrastructure," said Ed Skoudis, co-founder of security consultancy Intel Guardians and author of Malware: Fighting Malicious Code. "Blacklisting all those mail relay points is impossible."
Skoudis said the use of botnets has led to yet another trend in phishing attacks: A single bot herder controls the differentiation and specialization of botnets. Some bots are focused on e-mail distribution, some are Web servers, and others launder the bot herder's location. This strategy helps attackers stay nimble, enabling them to constantly change location and tactics. "The bots help them do that because they can be coming from all kinds of places all over the world," Skoudis said.
New tactics, same goal
One constant is phishing's objective: identity theft.
"The trend in phishing is a more sophisticated means to specifically perform identity theft," according to Russell Dean Vines, president and founder of consultancy The RDV Group and co-author of Phishing: Cutting the Identity Theft Line. While phishers are growing more sophisticated on the infrastructure front, they've also become savvy businesspeople.
Attackers have developed "really solid business plans," Skoudis said, turning stolen credit card numbers into cash. He said ID theft is funding other criminal activities. For example, methamphetamine addicts are using it to support their addictions.
To make matters worse, phishers are using new social engineering techniques to hook users. Many have resorted to "spear phishing," sending e-mails that appear legitimate to a specific company's employees or customers in an effort to gain access to that business' systems. In most cases, they'll even spoof the sender information to make it seem as if an executive at the organization has generated the e-mail.
Of course, phishing wouldn't be a problem if users didn't submit their personally identifiable information to spoofed Web sites. Or would it? Here, too, phishing has evolved.
Users need only click on the URL in a phish e-mail to have a keystroke logger installed on their machine. Attackers get any information the user enters into the Web site, as well as all the keystrokes following the phishing attack, Skoudis said.
And, it doesn't stop there.
"[Attackers are] getting better at making the keystroke loggers difficult to find," Skoudis said. Some are embedded with rootkits, or they attack antivirus and antispyware tools. Some spyware and other malcode purposely try to foil their own analysis to buy time. For example, Skoudis said some malcode can detect VMware, which is used by researchers to study malcode. If it detects it's in a virtual machine, the malcode will infer that it's on an analyst's machine and shut down its malicious behavior.
"The longer an attack can be perpetrated, the more money can be made. The profit motive is really kicking into high gear," Skoudis said. "It's a good time for the bad guys these days."
This was first published in March 2006