Sophisticated Phishing Attacks

6 12 2011

Most of us have experience with traditional phishing attacks, where we receive emails luring us with various financial incentives or asking us to click on links that lead to web pages requesting our SSN, credit card details, and other personal information. The Nigerian Prince scam is one of the most popular phishing attacks, and the majority of us have probably come across similar attacks multiple times[1]. Fortunately, most of us have become aware of these attacks and follow best practices when handling such emails. Today, however, phishing attacks have become extremely sophisticated, and attackers have novel ways to collect our personal information. Let us look at a few techniques below:

In-session phishing: Unlike most phishing attacks, this attack does not rely on the user's ignorance or negligence, and it has nothing to do with them clicking on links sent via email. In a typical attack, a user legitimately logs in to their bank account and, once they are done, moves over to another tab or a different browser window, leaving the bank website open and logged in. The user then visits a website injected with malicious code. That code opens a pop-up asking the user for their login credentials. The user believes the pop-up comes from their bank's website and enters their details, which the attacker now has.

Two conditions are needed for this attack to succeed. First, a website the user visits must be compromised and infected, and second, the malicious code served from that site must be able to determine whether the user is currently logged in to the secure website (online banking). Users can avoid this attack by logging out of their online banking account once they are done viewing their account details. They should also be wary of pop-ups that ask for their login credentials. Typically, banks use security mechanisms that log the user out if they have been inactive for more than a specific amount of time. Users have to be aware that banks do not ask users to log in to their online banking accounts through a pop-up.[2]
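The idle-timeout mechanism mentioned above is the server-side half of the defence: if the bank's session dies shortly after the user wanders off to another tab, the "are you logged in?" precondition of in-session phishing stops holding. The following is an added example, written for this post and not taken from any bank's software, of a minimal session store that enforces both an idle limit and an absolute limit; the 10-minute and 8-hour values are assumed policy, and timestamps are passed in explicitly so the behaviour is deterministic.

```javascript
// Added example (not from the original post): a session store that expires
// sessions after a period of inactivity, and unconditionally after a hard cap.
const IDLE_LIMIT_MS = 10 * 60 * 1000;        // assumed policy: 10 minutes idle
const ABSOLUTE_LIMIT_MS = 8 * 60 * 60 * 1000; // assumed policy: 8 hours total

class SessionStore {
  constructor(idleLimit = IDLE_LIMIT_MS, absoluteLimit = ABSOLUTE_LIMIT_MS) {
    this.idleLimit = idleLimit;
    this.absoluteLimit = absoluteLimit;
    this.sessions = new Map(); // sessionId -> { user, createdAt, lastSeen }
  }

  // Called after a successful login. The caller supplies an unguessable id
  // (for example from crypto.randomUUID()); `now` is a millisecond timestamp.
  create(sessionId, user, now) {
    this.sessions.set(sessionId, { user, createdAt: now, lastSeen: now });
  }

  // Validate on every request. Returns the user for a live session, or null.
  // An expired session is deleted immediately so it cannot be resurrected by
  // a later request that happens to carry the old id.
  resolve(sessionId, now) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    const idleTooLong = now - s.lastSeen > this.idleLimit;
    const tooOld = now - s.createdAt > this.absoluteLimit;
    if (idleTooLong || tooOld) {
      this.sessions.delete(sessionId);
      return null;
    }
    s.lastSeen = now; // activity extends the idle window, never the hard cap
    return s.user;
  }

  // Explicit logout, which is what the post recommends users do when finished.
  destroy(sessionId) {
    return this.sessions.delete(sessionId);
  }
}
```

The "logged in" check that in-session malware relies on is only answered with a live session; once `resolve` has returned null for an id, nothing the attacker's pop-up collects can be replayed into that session.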

Tabnabbing: This is another innovative and sophisticated phishing attack, whose name was coined in 2010 by Aza Raskin, a security researcher and design expert. The attack exploits the fact that users verify the URL of the website they are viewing only the first time they open it. Once the browser tab with the website is left open, users don't expect it to turn into a malicious website. A video depicting this attack is given in this link.

Most users have multiple browser tabs open at the same time. When switching between tabs, they don't necessarily remember which website is open in which tab. So when they come across a fake Gmail look-alike page, they don't notice its malicious intent because they already have their Gmail account open in one of the tabs. They tend to assume that the Gmail session timed out, or that they previously opened the page and forgot to sign in. Once they sign in on this fake page with their credentials, those details are captured by the attackers, and the user is redirected to the real Gmail account, which works because they had already signed in. This can be experienced in practice by going to this webpage, switching to another tab and then going back to the initial tab. You will notice a Gmail look-alike sign-in page in the initial tab.

This is clearly one of the hardest attacks to prevent. One way to prevent it, according to Aza Raskin, is to use a password manager, i.e. to actively involve the browser in the process of securing your identity and credentials.[3]
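The reason a password manager helps is that it binds a saved credential to the exact origin where it was saved, and a tabnabbed page, however convincing it looks, is served from a different origin. The following is an added example, written for this post and not the code of any real password manager, of a credential vault whose only matching rule is strict origin equality; the https-only rule is an assumed policy, and `originOf` relies on the standard `URL` constructor for normalization.

```javascript
// Added example (not from the original post or any real password manager):
// credentials are keyed by the page origin (scheme + host + port) and are
// offered only when the current page's origin is identical to the saved one.

// Origin = scheme + host + port, with path, query and fragment discarded.
// URL() lowercases the host and drops default ports, so
// "https://Mail.Example.com:443/x" and "https://mail.example.com/" agree.
function originOf(urlString) {
  return new URL(urlString).origin;
}

class CredentialVault {
  constructor() {
    this.entries = new Map(); // origin -> { username, password }
  }

  // Save a credential for the exact origin where the user logged in.
  save(pageUrl, username, password) {
    this.entries.set(originOf(pageUrl), { username, password });
  }

  // Offer a credential for the page being viewed. Returns null unless the
  // origin matches exactly: no "looks similar" matching, no subdomain or
  // substring matching, and (assumed policy) never over plain http.
  lookup(pageUrl) {
    const origin = originOf(pageUrl);
    if (!origin.startsWith('https://')) return null;
    return this.entries.get(origin) || null;
  }
}
```

A user who relies on the vault's autofill rather than typing gets an immediate signal on the swapped tab: the manager offers nothing, because the look-alike page's origin is not the one the credential was saved for.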

Social networking websites: Another form of sophisticated phishing that has become common in recent years is conducted through social networking websites such as Facebook. On Facebook, you tend to know all the details of the friends on your friends list, and that familiarity is reinforced by the personal pictures and status updates posted on their walls. Phishing in this case is not just a random email or fax, as in the case of the Nigerian Prince email. The attackers exploit the trust between users and their friends for financial gain.

A typical case of this attack is when your friend starts a conversation with you and indicates that he or someone in his family is in big trouble and needs you to help with some money. Since the attackers have access to the profile they hacked into, they can substantiate their impersonation by quoting the names of his family members and so on. If the person in question is a really close friend, you may respond immediately by transferring money to the bank account provided. The risk from this attack is significantly lower if the user is aware that such attacks happen on Facebook. A few suggestions are to cross-verify with information known only to you and your friend, such as where you first met or where you last hung out. Sometimes the attacker makes it easy to detect by using incorrect grammar, a different style of speaking than your friend, etc.[4]

The use of social networking websites as a medium for phishing is a cause for concern. According to Microsoft, the proportion of phishing attacks seeking personal information from social networking site users rose from 8.4% in January 2010 to a staggering 84.5% at the end of 2010. It also states that 43% of all social networking users had been on the receiving end of phishing attacks as of December 2010[5].

To conclude, though companies have been incorporating filters to protect their clients from phishing emails, and browsers have been doing their best to protect their users from these attacks, the easiest and most feasible defence is for users to stay well aware of these attacks. There are quite a few organizations, such as the Anti-Phishing Working Group (APWG), which provide detailed advice on how users can identify and avoid phishing attacks, as well as what they need to do if they do become a victim of one.[6] There have been several attempts to develop interactive phishing tools that educate users about the various ways to identify phishing attacks in a simple yet effective manner. One such tool that I tried and highly recommend is Anti-Phishing Phil, developed by CUPS (the CyLab Usable Privacy and Security Laboratory)[7].
