Extra Feeds & Services »

Home / Blogs

New Study Revealing Behind the Scenes of Phishing Attacks

  • May 22, 2005 9:54 AM PDT
  • Comments: 0
  • Views: 8,794
Print Comment
By David Watson

The following is an overview of the recent Honeynet Project and Research Alliance study 'Know your Enemy:Phishing' aimed at discovering practical information on the practice of phishing. This study focuses on real world incidents based on data captured and analyzed from the UK and German Honeynet Project revealing how attackers build and use their infrastructure for Phishing based attacks.

In this paper we have presented a number of real world examples of phishing attacks and the typical activities performed by attackers during the full lifecycle of such incidents. All the information provided was captured using high interaction research honeypots, once again proving that honeynet technology can be a powerful tool in the areas of information assurance and forensic analysis. We analysed multiple attacks against honeypots deployed by the German and UK Honeynet Projects. In each incident phishers attacked and compromised the honeypot systems, but after the initial compromise their actions differed and a number of techniques for staging phishing attacks were observed:

  1. Setting up phishing web sites targeting well known online brands.
  2. Sending spam emails advertising phishing web sites.
  3. Installing redirection services to deliver web traffic to existing phishing web sites.
  4. Propagation of spam and phishing messages via botnets.

This data has helped us to understand how phishers typically behave and some of the methods they employ to lure and trick their victims. We have learned that phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing web site going online with supporting spam messages to advertise the web site, and that this speed can make such attacks hard to track and prevent. IP address blocks hosting home or small business DSL addresses appear to be particularly popular for phishing attacks, presumably because the systems are often less well managed and not always up to date with current security patches, and also because the attackers are less likely to be traced than when targeting major corporate systems. Simultaneously attacking many smaller organisations also makes incident response harder. We have observed that end users regularly access phishing content, presumably through receiving spam messages, and a surprisingly large number appear to be at risk from becoming victims of such attacks.

Our research also suggests that phishing attacks are becoming more widespread and well organised. We have observed pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice, suggesting the work of organised phishing groups. Such content can be further propagated very quickly through established networks of port redirectors or botnets. When coupled with evidence of mass scanning and hard coded IP addresses in web content and scripts, this suggests that many instances of a particular phishing site may be active at any one time. Web traffic has been observed arriving at a newly compromised server before the uploaded phishing content was completed, and phishing spam sent from one compromised host does not always appear to advertise the sending host, which again suggests it is likely that distributed and parallel phishing operations are being performed by organised groups.

Our research demonstrates a clear connection between spamming, botnets and phishing attacks, as well as the use of intermediaries to conceal financial transfers. These observations, when combined with quantitative data on mass vulnerability scanning and combined two-stage phishing networks, demonstrate that the threat posed by phishers is real, their activities are organised, and the methods they employ can sometimes be quite advanced. As the stakes become higher and the potential rewards become greater, it is likely that further advancements in phishing techniques and an increase in the number of phishing attacks will continue in the coming year. Reducing the number of vulnerable PCs contributing to botnets, countering the increasing volume of spam email, preventing organised criminal activity and educating Internet users about the potential risks from social engineering all remain significant security challenges.

Written by David Watson, IT Security Consultant

Related topics: Cyberattack, Cybercrime, Security, Spam

Get a weekly summary of postings to CircleID:

 Master Feed (more feeds)      Twitter      Mobile
Bookmark / Email This Post
Print Comment

Comments

To post comments, please login or create an account.

Related Blogs

Turn the Table on Content Filtering

  • Jul 03, 2009
  • Comments: 2

The Proxy Fight for Iranian Democracy

  • Jun 22, 2009
  • Comments: 2

No Honor Among Thieves on the Internet

  • Jun 18, 2009
  • Comments: 0

Why Not an Interim Step Until DNSSEC is Ready?

  • Jun 18, 2009
  • Comments: 19

ICANN 35: What's Going Down, Down Under (Want the Low Down?)

  • Jun 17, 2009
  • Comments: 0
View More

Related News

Spam Bouncing Back to Original Levels Despite Major Shutdowns

  • Jul 02, 2009
  • Comments: 0

US Teaming Up With Italy to Combat Cybercrime

  • Jun 30, 2009
  • Comments: 0

Trojans Fastest Growing Category of Data-Stealing Malware

  • Jun 30, 2009
  • Comments: 0

US Continues to Lead As Top Country Hosting Phishing Attacks

  • Jun 29, 2009
  • Comments: 0

Gary Warner: We Are Well Past Time to Declare a Spam Crisis in China

  • Jun 29, 2009
  • Comments: 4
View More

Industry Updates – Sponsored Posts

Latest Brandjacking Index Examines How Fraudsters Abuse Financial Brands

MarkMonitor at 2009 Trademark, Anti-Counterfeiting and Grey Market Fraud Mitigation Summit

NeuStar Addresses DNS Vulnerability with Cache Defender, a Secure DNS Authentication System

A Seemingly Overwhelming Number of Important Documents Released by ICANN

.ORG First Open Top-Level Domain to be Signed with DNSSEC

  • By PIR
  • Views: 861

Expanding Internet Access Driving Software Piracy, Study Says

DNSSEC Industry Coalition Symposium is Announced

  • By PIR
  • Views: 912

SPIL GAMES Chooses MarkMonitor for Global Domain Management

Facebook Selects MarkMonitor Antifraud Solutions to Combat Malware

MarkMonitor AntiFraud Solutions, Combining Proven Antiphishing and Expert Antimalware Capabilities

DNSstuff.com Offers Trusteer Rapport Product to Help Users Boost Their Defenses Against Online Fraud

MarkMonitor AntiFraud Solutions Combine Proven Antiphishing and Expert Antimalware Capabalities

DNSSEC Industry Coalition Meets with Vint Cerf and Dan Kaminsky

  • By PIR
  • Views: 856

COCC Partners with MarkMonitor for Anti-Phishing Services

ICANN Mexico City Meeting Brings a Significant Shift in Direction for Brand Rights Holder Issues

MarkMonitor Year-in-Review Report Finds Online Abuse of Major Brands Was a Growth Industry for Fraud

DNSSEC FUD Buster: DNSSEC Slows the Internet?

  • By PIR
  • Views: 1,203

A United Front to Stop Cybercrime

  • By PIR
  • Views: 1,137

Committed to Keeping the Internet a Safe Place

  • By PIR
  • Views: 1,739

NeuStar's UltraDNS to Power NASDAQ Dubai

View More