Phishing Attacks – An Inside Look
Phishing attacks have plagued the Internet for over a decade, and they don’t show any signs of slowing down.
In the second half of 2014, the Anti-Phishing Working Group (APWG) reported that there were over 120,000 unique phishing attacks worldwide. Indeed, in a recent post we explored some of the reasons why Phishing attacks are so popular. With phishing attacks continuing to be such a predominant tool cybercriminals’ arsenal, we thought we’d take a closer look at how exactly they work.
Here are the five ingredients hackers need in order to set up a phishing attack:
1. Phishing Kit
A phishing website is a site masquerading as a legitimate website. That is, it’s an infected website designed by hackers to look exactly like the legitimate website of a service (such as a bank, or online storage site) for which the hacker is aiming to steal login credentials.
The phishing site needs to mirror the legitimate website as closely as possible, and in order to achieve that effect, fraudsters don’t need to work very hard. Almost all browsers have a “Save Page” option that prompts the browser to download all the website code, images and design locally to the computer. All that leaves the fraudster to do is change the code so that any credentials entered are sent via to him. And he can also add any additional fields he may wish to receive (such as social security number, birth date, address, etc.).
Save Page option in the Chrome browser.
To develop a phishing kit, the fraudster must be proficient with website coding, usually in the programming language PHP, which is the most popular language for developing websites on the Internet today. All of the various files and images associated with the phishing site are what makes up the “phishing kit,” which fraudster’s typically refer to as a “scam page.”
While phishing kits contain just about everything fraudsters need for a fake website, the site still needs to be hosted on a server somewhere in order to “go live” and be accessible to potential victims.
There are two ways hackers can obtain hosting servers. First, they can hack into a legitimate website and plant their phishing site into a subdirectory on the server (for example, http://www.cnn.com/phishing/).
The second option involves purchasing server space. Fraudsters typically purchase server space using stolen credit cards. They might even go a step further and also purchase a custom domain name. This allows them to increase the resemblance of the phishing site to the actual website it’s mimicking (for example: http://www.paypalz.com/)
Sample phishing website. Note the lack of “https” – a sign that it’s not safe to enter personal information. Source: PhishTank.com
3. Phishing Email
At this point, the fake website has been set up on a server and is ready to fool victims into divulging their credentials. But there is still one more thing to take care of: getting victims to the phishing site.
A necessary part of every phishing campaign is the phishing email. This is a crucial part of the attack because, without attracting potential victims to the phishing site, the effort the hacker has already put into the campaign would be wasted. It’s also crucial because the success of the phishing email largely determines the success of the entire campaign. If anything in the phishing email looks or seems suspicious (such as grammar errors or problems with the graphics), there’s a good chance recipients will realize something is off and will delete the email without clicking on the link to the phishing site or providing their credentials.
Sample phishing email
Of course, it’s not enough to have a phishing email ready to go. The fraudster still needs to actually send the email to the potential victims. A mailer is a script that is responsible for spamming the phishing email to victims. A good mailer may mean the difference between the phishing email reaching victims’ inboxes rather than their spam folder.
5. Mailing List
Finally, for the mailer to work, it needs to know to which email addresses to send the phishing email to. For this, fraudsters use a mailing list, which is (as the name suggests) a list of potentially thousands of email addresses.
Naturally, if the phishing attack targets an organization in a specific country, the campaign would completely fail if the phishing email was sent to a generic mailing list made up of mostly US-based email addresses. Therefore, a properly targeted mailing list is crucial for the success of a phishing campaign.
How do fraudsters get mailing lists? Typically, they generate them using tools that scrape websites for emails.
As you may have already concluded, while phishing attacks are so popular and setting them up is very straight-forward, doing so still requires technical prowess in a number of unrelated areas including coding, social engineering, scraping emails from websites, and more.
Thankfully for the fraudsters and unfortunately for us, this is where the underground economy comes in. The underground economy revolves around the thinking that, instead of mastering a number of different skills, fraudsters should focus on one area and simply purchase the rest from other fraudsters. With this, a coder doesn’t need to know how to scrape emails from websites; he can simply purchase a mailing list that’s already been scraped from a vendor in the underground.
One of the best ways to keep yourself protected from phishing attacks is knowing about them.
If you would like to learn more about how to avoid phishing attacks check out What Are Phishing Scams and How to Avoid Them
Hopefully, now that you’ve learned about the inner workings of phishing attacks, you’ll be better able to spot one before you become a victim.
Did you enjoy this post? If so, subscribe to get a weekly roundup from BlogDOG.
The LogDog anti-hacking and privacy tool protects the most popular online account types including Gmail, Facebook, and Dropbox by detecting unusual access activity and alerting users so they can take control of their accounts before hackers do.
The service can be used across all devices and OS’s, so you’re always being protected. Here’s the Android and iOS links for you to check out.