Sunday, March 19, 2006

Exposing Online Fraud – Phishing

Phishing is very commonplace on the Internet. Basically, it is a spoof sent via email in the form of spam purporting to be from a bank, eBay or some other payment service. The purpose of the spam is to trick the recipient who reads it into divulging his/her personal information to a fraudulent website. The phishers then take that information, go to eBay or the specified bank and clean the victim out. Phishing has evolved online over the years. No one knows exactly how many phishing gangs are currently operating on the Internet.

Phishing fraud is still a real menace, tricking people into divulging their personal information daily. Organized crime is believed to be behind some of it. I am writing about this because the financial losses are substantial: according to the Wikipedia entry on phishing: "It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims."


Phishing in 1995

AOL IM SPIM – a form of phishing

One of the earliest widespread forms of online phishing that I am aware of is the AOL IM spim that AOL members would receive, where the fraudster would pretend to be someone from AOL Support asking for AOL user passwords and credit card numbers. This activity was prevalent back around 1996 or so. I knew of someone who was tricked this way on AOL. A few short years later, the fraudsters turned to spoofing the popular eBay and PayPal websites and other payment services.

Phishing in 2006

There is more to this problem on the backend, or from the viewpoint of an ISP or a webhost, so to speak. Phishers operate worldwide. Often they work in groups rather than as one lone person attempting to undertake all the things that must be done to make it a successful theft. Another approach phishers use is to upload viruses and trojans to the phishing sites, so that unprotected PCs get infected if they visit the phishing URL. You must use caution when going to any supposed phishing URL.

The fraudsters spoof all kinds of financial institutions: banks in Brazil, Turkey, the UK, France and other places. You can see a list of payment services which have been spoofed in phishing exploits, kept by FraudwatchInternational (FWI).

What is spoofed the most?

Fraudwatchinternational has been tracking phishing frauds as far back as 2001. This is its tally of the top 6 reported phishing frauds by name as of 3/18/06. You will see PayPal is spoofed the most, followed by US banks and the UK bank Barclays.

Rank - Reported organization - number of separate reported phishing incidents (FWI)

1. PayPal - 6551
2. eBay - 6080
3. Washington Mutual Bank - 1225
4. Chase Bank - 1018
5. Barclays Bank - 735
6. SunTrust Bank - 603


The newer Phishtrack on DSLreports has this tally as of 3/18/06. This tracking system was only set up in November 2005.

Rank - Reported organization - number of separate reported phishing incidents (Broadbandreports)

1. paypal - 201
2. ebay - 113
3. chase - 88
4. barclays - 25
5. wellsfargo - 15
6. bofa (Bank of America) - 13


On the DSLreports forum, you can view how long a phishing website stays online. There is a Phishtracker utility, written in Perl and posted on the dslreports forum, where users can report phishing websites. Fraudwatchinternational (FWI) has been tracking phishing frauds as far back as 2001. FWI has over 31,00 reported cases of phishing in its database as of March 2006.

To navigate to the Phishtracker for the first time, you have to click through the website a few times:

1. URL: http://broadbandreports.com
2. Click on Forums
3. Under "+ Up and Running · Online, what next?" select this forum: "Spam, Scam and Charge Busters"
4. Select the first posting, called "Submitting to the Phish Tracker"; the link to the Phishtracker is listed at the top: http://www.dslreports.com/phishtrack

The top link contains the phish tracker. This tracker was activated in November 2005 and, believe it or not, some phishing websites from late last year are still active. There are 2 listed as still active that are over 100 days old! Most often these hosts are in Asia, where they are not responsive to spamming issues or any other security issues for that matter. There is also a breakdown there of which institution is spoofed. I sent the information below today to the Indian organization so they can remove this phishing site; I also CCed spoof@ebay.com.


Long-Living Phishing Websites - One has been active online for over 120 days!

Example of a long-lasting PayPal phishing website hosted in India: as of 3/18/06, this PayPal phishing site had been active for over 120 days, and as of today, 3/19/06, the phishing URL has been removed. Yay, finally! Removing the link below.

(link gone)
WHOIS info gone.

--------------------------------

Anatomy of a Phishing Scam Setup

Here is a typical scenario of how part of a phishing fraud site is set up. Fraudsters share stolen credit card information with some other trusted gangs, for example. They go and buy domain names at registrars, such as the Korean registrar Yesnic, that look similar to eBay. Examples include ebay-cgi-login.com or paypal-login.com, etc. There are literally thousands of variations of these fraudulent domain names. The contact info in the WHOIS for these domains is fraudulent as well; often they use a Yahoo or some other free email address as the email contact. With this domain, they purchase a webhosting account, usually through an automated purchase with a small or large hosting company. Then, as soon as the site is enabled, the spam itself is sent out through compromised machines on the Internet. So while the spoofed website is online, a few unsuspecting people receive the eBay phishing spam and think they have to update their eBay accounts. Often the phishers have a text file or another email address where this data is sent.

The new spin on this is that phishers now use a dynamic redirect which, once embedded in the phishing spam itself, continually redirects recipients to newly hosted phishing sites. With this approach, the spam run gets more out of scamming users than it would using one specific URL that has since been disabled. (When I find more information on this, I will post it here.)

Brute Password Hacks
Some of the patterns I have seen: phishers exploit existing webhosting accounts. Often they brute force passwords on older systems where a lockout after a number of failed password tries has not been implemented.
Typical eBay phishing URL (fake, of course):

http://members.someISP.com/~john/ebay/aw/cgi-login.htm


If you take a close look at this: the username, john (after the tilde, ~john), has been guessed via FTP, and the phisher uploaded the phishing files so the page appears like an eBay login page. This is why they use words like aw or cgi – it looks like part of an actual eBay URL.
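A small URL heuristic that flags both patterns described above (a brand name inside a lookalike domain such as ebay-cgi-login.com, and a brand name buried in the path under a ~user directory on an unrelated host). This is an added example, not code from the original post; the brand-to-legitimate-domain table and the crude domain splitting are assumptions for illustration.

```python
from urllib.parse import urlparse

# Brands the post lists as most often spoofed. The legitimate domains are an
# assumption for this example, not data from the post.
BRANDS = {
    "ebay": {"ebay.com"},
    "paypal": {"paypal.com"},
    "barclays": {"barclays.co.uk"},
}

# Two-part public suffixes handled by the crude splitter below (assumption;
# production code should use the public suffix list instead).
SECOND_LEVEL = {"co", "com", "org", "net", "ac"}


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for suffixes like co.uk."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phish_indicators(url):
    """Return heuristic reasons a URL matches the phishing patterns in the post."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    domain = registrable_domain(host)
    reasons = []
    for brand, legit in BRANDS.items():
        if domain in legit:
            continue  # the real brand site; nothing to flag for this brand
        if brand in domain:
            reasons.append(f"lookalike domain: '{brand}' in {domain}")
        elif brand in host:
            reasons.append(f"brand in subdomain: '{brand}' in {host}")
        if brand in path:
            reasons.append(f"brand in path on unrelated host: '{brand}' under {domain}")
    if path.startswith("/~"):
        reasons.append("user home directory (~user) on a shared host")
    return reasons


if __name__ == "__main__":
    # The post's example URL (constructed by the author, not a live site).
    for reason in phish_indicators("http://members.someISP.com/~john/ebay/aw/cgi-login.htm"):
        print(reason)
```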

Exploit Vulnerabilities
Phishers also exploit ecommerce software, PHP message boards and many other online programs where the software versions are often out of date and hence vulnerable to attack.

USEFUL PHISHING URLs

Forums and useful Messageboards
Broadbandreports - message board about large-scale spamming and phishing. You may have to navigate to this from the main page.
Castlecops Phishing forum - this one contains some useful information, not very active. Castlecops is a good site for securing your PC.
Scam.com - Online scams of any kind, and other scams posted, mostly for newbies.

Anti-Phishing Organizations
Anti-Phishing Working Group - a US based organization designed to collect information on phishing. They have a useful mailing list for those who work to minimize phishing scams.
FWI - FraudWatchInternational – an Australian based organization which collects info on internet scams, including 419 scams.
Miller Smiles – a UK based anti-phishing organization. They also have a message board; however, it is not as active as the one mentioned above.

Anti-phishing Vigilantes
phishfighting - These guys work at bringing down phishing on their own by any means necessary. I do not recommend partaking in this activity at all. Definitely a grey hat area.

Books and Articles on Phishing
Phishing Wiki - information on phishing, very detailed and useful.

Phishing Exposed (2005) by Lance James – listed on Amazon. Lance James is active in the APWG (Anti-Phishing Working Group). This book is probably considered definitive on phishing.

Phishing : Cutting the Identity Theft Line (2005) by Rachael Lininger, Russell Dean Vines - listed on Amazon. I have had a chance to read this book.

1 Comment:

At 3:09 PM, Blogger The Sanity Inspector said...

Thanks for the blogroll linkage!
