Phishing 101: Part 1

This week, there is a lot of media hype over emails being sent to users of the Royal Bank of Scotland and NatWest because of severe IT issues making it impossible for users to access their accounts online. The emails offer users the ability to log-in to their accounts and provide a link to the log-in page. If the users click the link and try to log-in, their bank login credentials are stolen. Here is an example of the email text used in this particular attack:

———————————————————————————————————

Online banking
We're sorry but the service to your natwest online account will be temporarily unavailable.
Please verify your account information: www.nwolb.com/update/default.aspx (Fake link actually navigates to phishing page)
Service Helpdesk Team. Legal Info Privacy Security © 2005-2012 National Westminster Bank plc

———————————————————————————————————

This is just one example of an attack strategy that has been in use for over 20 years, known as phishing. Phishing is everywhere: every day you hear about it, and every time you connect to the internet you are a potential victim of a phishing attack. Compared to most cyber-attacks that are performed, detected and announced to the world, phishing stands alone. When you hear about a new type of malware on the news, the threat is mitigated a few hours later. If a new vulnerability is announced, it is patched immediately. However, with all the attention and widespread attempts at protection from phishing attacks, it still exists and is still a threat. Truth be told, phishing is the simplest kind of cyber-attack and at the same time the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.

Background

In case you are new to the internet, phishing is a cyber-attack that attempts to obtain login credentials, credit card numbers and similar data by asking for this information under the guise of a trustworthy entity, usually through e-mail or messaging. It is most commonly seen as an e-mail posing as a communication from a bank or other organization the user probably uses, asking the user to confirm or provide login credentials or personal information. These e-mails always come with a link to the web page on which the user supposedly needs to conduct their business. This link will almost always send the user to a ‘fake’ version of the legitimate website, where all their credentials will be captured and handed to the attacker.

The term ‘phishing’ is a variation of ‘fishing’, in the sense that attackers ‘bait’ the user into clicking something or providing information. Since it is considered a digital attack, the ‘f’ was changed to ‘ph’, just like ‘phreaking’ for hacking phones. The first phishing technique was reported in 1987 and the first use of the term ‘phishing’ was in 1995. Straying from the technical history, I want to mention that the basic concept behind phishing has probably been around for the entire extent of human history. For example, an alluring woman would ‘bait’ a passerby into entering a dark alley, where they would be mugged. Another example is a burglar posing as a maintenance person to gain entry to a house. Both exploit the same vulnerability that phishing attacks use: enticing a human into a vulnerable state with the promise of something pleasing or official. The only difference between then and now is the execution of the attack.

Different Cases

Over the years phishing attacks have changed, as most things do, and have been segmented into different groups of variants. However, the end goal is the same for all of them. This post series will go over various forms of phishing attack, from the most commonly seen email phishing to spear phishing and phishing seen on social networks.

Phishing Emails

To begin this series, we start with the most basic and commonly seen type of phishing attack: phishing emails. Phishing emails involve sending a fake email to a broad group of users; the email is specific enough to serve as ‘bait’ but generic enough to possibly fool a large number of people. These emails historically pose as account update notifications from:

  • Banks
  • Online Auction Sites
  • Social Networks

Once the user clicks the link in the e-mail, which advertises a direct link to an ‘Account Log-in’ or ‘Account Update’ form, they are directed to a page that looks identical to what you would normally see if you were actually on the web site of the assumed organization. In reality, the page is hosted on a separate web server, and the information entered into its forms is sent to the attacker rather than to the actual organization.

Bank Phishing

One of the more recent phishing schemes caught by our researchers involved trying to steal the login information of Tesco Online Banking users. The user would receive an e-mail from a spoofed e-mail address, instructing them to update their bank profile by clicking on an included link. The link would send them to a fake copy of the Tesco login page, where they would enter their information. This information would then be sent to the e-mail address of the spammer rather than to Tesco's authentication servers.
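The two tells described above, a link whose visible text names the bank's host while its href goes elsewhere (the NatWest email) and a login form that submits credentials somewhere other than the bank (the Tesco page), can both be checked mechanically. The following is an added example, not code from the original post or from Malwarebytes; the sample HTML is constructed here and the `.example.net` hosts are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that reads like a URL or bare domain, e.g. "www.nwolb.com/update/default.aspx"
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(url):
    """Lowercase host of a URL; bare 'www.example.com/path' text is given a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class _Collector(HTMLParser):
    """Collect (href, visible text) for every <a> and the action attribute of every <form>."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "form":
            self.forms.append(a.get("action", ""))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """(visible text, href) pairs where the text names one host but the href points at another."""
    p = _Collector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href)]

def offsite_forms(html, expected_host):
    """Form actions that would post submitted fields to a host other than expected_host."""
    p = _Collector()
    p.feed(html)
    return [a for a in p.forms if host_of(a) and host_of(a) != expected_host.lower()]

# Constructed sample modelled on the NatWest email quoted above (phishing host is a placeholder).
EMAIL = ('<p>Please verify your account information: '
         '<a href="http://phish.example.net/update/default.aspx">www.nwolb.com/update/default.aspx</a></p>')
# Constructed landing page: looks like a login form but posts the fields off-site.
PAGE = '<form action="http://collector.example.net/post.php" method="post"><input name="pw"></form>'

if __name__ == "__main__":
    print(mismatched_links(EMAIL))                # [('www.nwolb.com/update/default.aspx', 'http://phish.example.net/update/default.aspx')]
    print(offsite_forms(PAGE, "www.nwolb.com"))   # ['http://collector.example.net/post.php']
```

A relative form action (same origin) is not flagged, and plain "click here" link text is ignored because it does not name a host.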

Here are a few screenshots of what the fake Tesco phishing page looks like and what the real Tesco login page looks like:

ABOUT THE AUTHOR

Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.