Slashdot Mirror


Honeynet Revealing Actual Phishing Techniques

edsonie writes "CircleID is reporting on the recent Honeynet Project, 'Know your Enemy: Phishing', aimed at discovering practical information on the practice of phishing. The study reports on a number of real world examples of phishing attacks and the typical activities performed by attackers during the full lifecycle of such incidents. The research also suggests that phishing attacks "are becoming more widespread and well organized". Also with regards to the speed of such attacks, "phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing web site going online with supporting spam messages to advertise the web site, and that this speed can make such attacks hard to track and prevent." Check out the full report here presenting actual techniques and tools used by phishers."

38 of 155 comments

  1. Now the Honeynet by Psionicist · · Score: 3, Funny

    Now the honeynet will reveal how an actual DDoS attack works.

    Anyone have a mirror?

  2. Phishing! by Anonymous Coward · · Score: 3, Funny

    I move that all 13 year old Hackers now be referred to as 'Tom Sawyers' and that at any time there is a severe lack of 'Tom Sawyers' it is to be referred to as 'playing hookey'.

    1. Re:Phishing! by Ralin_JM · · Score: 5, Funny

      And when a "Tom Sawyer" steals your identity, he "gets high on you".

  3. Actual techniques by Anonymous Coward · · Score: 4, Insightful

    I've discovered that these Phishers ask questions and stupid people give them answers.

    Let's not make it into brain surgery. Do we need honeynets to tell us there are stupid people out there? And there always will be stupid people out there.

    1. Re:Actual techniques by NanoGator · · Score: 3, Informative

      "Do we need honeynets to tell us there are stupid people out there?"

      Good god. You use a computer a lot, and that makes a lot of people stupid BUT you? Question: Did you believe in Santa Claus growing up? Would you appreciate me calling you stupid about it?

      Yeesh. Anyway, to answer your question: If Honeynets are revealing specific ways of screwing people, then specific warnings can be given out to help minimize the risk. You've never noticed how Paypal tries to very clearly explain to people not to click on paypal links in their email?

      --
      "Derp de derp."
    2. Re:Actual techniques by snorklewacker · · Score: 2

      Good for you, you identified that there are stupid people in the world. Boy what an insightful analysis. The paper happens to do a wee bit more than say "we got some phishing messages, so heads up folks, phishing exists", it also offers some pretty good overview analysis (though short on raw source data) into the network structure of phishers.

      Your non-solution leaves a whole lot to be desired if you're a bank. Do you suggest banks administer an I.Q. test before they allow people to open accounts? Do you suggest that banks just accept that phishers are out there somewhere and can't ever be tracked or caught or that their techniques can't be countered? I don't know what you suggest, because you don't want to "make it into brain surgery" by actually looking into the problem in any depth other than a dismissive "people are stupid".

      Part of security is protecting institutions against their own stupid users. Get used to it.

      --
      I am no longer wasting my time with slashdot
    3. Re:Actual techniques by jonadab · · Score: 2, Insightful

      > Good god. You use a computer a lot, and that makes a lot of people stupid
      > BUT you?

      Susceptibility to phishing has virtually NOTHING to do with how much you do or do not use a computer. It is a function of your general level of naivete. Giving out your bank password in response to an email request is fundamentally no different from giving out your credit card number to a sleazy telemarketer who says he's from the local police charity. In both cases, somebody contacts you and claims to represent a certain organization, and you just believe he is whoever he represents himself as, without wondering whether someone could be faking those credentials. No amount of computer-technical knowledge will prevent you from making that mistake, and no amount of *ignorance* of technical computer and network details will *prevent* you from seeing through the ruse.

      Granted, technical knowledge helps you to see the *details* of the ruse, e.g., to expose it; an end user is unlikely to be able to analyze email headers and do whois lookups and whatnot to track down the sender's real identity, for instance. But that won't stop a sensibly sceptical end user from saying to himself, "Hey, how do I know this message is really from Citibank and that what it says is true? Maybe I'll call the bank and check..." A network admin won't have to call the bank, obviously, because he can analyze the headers and stuff, but he'll only do that under the same circumstances that an end user would call the bank, i.e., if he doesn't immediately believe that the message must certainly be reliable just because he received it.

      > Question: Did you believe in Santa Claus growing up?

      No. My parents taught me discernment, not lies.

      What the honeynets are doing is good, and it's worth doing, and they should keep on doing it, but it is nevertheless true that a large amount of gullibility is required to fall for a phishing scheme of any kind. Basically you have to be the kind of person who just assumes any random person you've never met before is probably telling you the truth whenever he's talking, unless you have a specific reason to believe otherwise. That's fundamentally dumb, because if you live in a world populated by human beings, at least 50% of what people tell you is wrong. If you don't put at least some thought into evaluating the probable veracity of each and every thing that you hear or read, you're stupid.

      --
      Cut that out, or I will ship you to Norilsk in a box.
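The header analysis the post above says a network admin would do is worth making concrete. The following is an added example, not code from the Honeynet paper or from any poster: it parses a raw message and asks whether the domain in From: agrees with the envelope sender, the Reply-To, and the host that actually connected to our mail exchanger. Both messages, every hostname and every address in them are constructed for the example.

```python
"""
Triage an e-mail's headers the way the thread's "network admin" would:
does the domain the message claims to come from match the envelope sender
(Return-Path), the Reply-To, and the machine that handed it to our MX?

Added example, not from the Honeynet paper or any poster.  The two
messages below are constructed; every host and address is invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phish: From: claims citibank.example, but the envelope sender,
# the Reply-To and the delivering host all live somewhere else.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer.bulkhost.example>
Received: from mailer.bulkhost.example (mailer.bulkhost.example [192.0.2.10])
\tby mx.ourcorp.example with ESMTP id abc123
\tfor <victim@ourcorp.example>; Tue, 17 May 2005 10:00:00 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby mailer.bulkhost.example with SMTP; Tue, 17 May 2005 09:59:00 +0000
From: "Citibank Security" <security@citibank.example>
Reply-To: verify@citibank-accounts.example
To: victim@ourcorp.example
Subject: Account verification required
Content-Type: text/plain

Dear Valued Customer, please verify your account.
"""

# Constructed legitimate message: everything points back at the same organisation.
SAMPLE_LEGIT = """\
Return-Path: <statements@citibank.example>
Received: from mail1.citibank.example (mail1.citibank.example [198.51.100.7])
\tby mx.ourcorp.example with ESMTP id def456
\tfor <victim@ourcorp.example>; Tue, 17 May 2005 10:00:00 +0000
From: "Citibank Statements" <statements@citibank.example>
To: victim@ourcorp.example
Subject: Your statement is ready
Content-Type: text/plain

Your statement is ready. Log in at the usual address.
"""


def _domain(addr):
    """Domain part of an address header value ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _same_org(host_a, host_b):
    """Crude organisation match on the last two labels, so mx.bank.example
    and mail.bank.example count as the same place.  Good enough for triage;
    a real tool would use a public-suffix list."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def header_findings(raw):
    """Return a list of human-readable inconsistencies; empty means nothing odd."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From", ""))

    ret_dom = _domain(msg.get("Return-Path", ""))
    if ret_dom and not _same_org(from_dom, ret_dom):
        findings.append(f"envelope sender {ret_dom} differs from From: {from_dom}")

    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and not _same_org(from_dom, reply_dom):
        findings.append(f"Reply-To {reply_dom} differs from From: {from_dom}")

    # Only the topmost Received: line was written by *our* MX; everything
    # below it was supplied by the sender and can be forged freely.
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"from\s+(\S+)", received[0])
        if m:
            relay = m.group(1).lower()
            if not _same_org(from_dom, relay):
                findings.append(f"delivered by {relay}, not a {from_dom} host")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, header_findings(raw) or ["no header inconsistencies"])
```

A mismatch here is a reason to pick up the phone, not proof of fraud: plenty of banks outsource their mailings to a third-party mailer, which is exactly why the thread's point about calling the institution still stands.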
  4. Internet Darwinism by Nytewynd · · Score: 5, Interesting

    Anyone that falls for a phishing scam is too dumb to have their money anyway.

    At work, the security guys put together a phishing test. It looked exactly like our normal web page, they made it sound official by calling it some kind of Task Force, and then they emailed everyone a link to the password checker. It supposedly tested your password for security difficulty. You enter your ID and password and it would email you back the results.

    I sent the link to the security guys and got an "Attaboy". About half of the people ended up on the list of idiots that handed out their secure passwords over the internet.

    What goes through someone's head to enter passwords, bank account info, or personal identity information over the Internet? Don't people consider that the companies supposedly asking for this stuff should already have it? Your bank is never going to ask you for your account number over email. They already have it!

    --
    /. ++
    1. Re:Internet Darwinism by Anonymous Coward · · Score: 3, Interesting

      > Anyone that falls for a phishing scam is too dumb to have their money anyway.

      http://survey.mailfrontier.com/survey/quiztest.html

      (use IE, not the Fox)

      Did you get 100% correct on the first try (I didn't, I only got 9 out of 10)? Educating the internet population to be aware of the varied and increasingly sophisticated scamming variants is a hopeless proposition in my opinion.

    2. Re:Internet Darwinism by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      Your bank is never going to ask you for your account number over email. They already have it!

      Part of the reason this social engineering is successful is that companies, banks, large organizations are so lousy at keeping accurate records. Have you never had a bank screw up your name, or your balance, or some other company you do business with charge you for something you never ordered or fail to charge you for something you have ordered? I've had all these things happen, and it makes it completely unsurprising that a bank would lose your information or even have a policy of verifying your account password via e-mail. It is ridiculous and insecure and generally a really stupid idea, which is why it seems plausible that some lumbering bureaucracy would do it. Obviously, I would never give out sensitive information via e-mail, but I would actually not be surprised if some company requested it via that method. Just because it looks like phishing, does not mean it is, it could just be someone being really dumb. There is plenty of blame to go around here.

    3. Re:Internet Darwinism by NetSettler · · Score: 4, Insightful

      Anyone that falls for a phishing scam is too dumb to have their money anyway.

      I would venture a guess that among the vulnerable are the parents and/or grandparents of most of the people who read Slashdot. You don't see an ethical obligation on the part of the technically savvy to care about and protect the technically unsavvy? Shame on you.

      Software can be anything we make it be. The technologists who have shaped the world have made many choices and will continue to make choices about what our programs will and won't do, how information will be presented, etc. They make those choices on behalf of the public, and they cannot simply shirk responsibility in this way.

      Almost all technological problems of this kind reduce to our desire to get as far as possible as fast as possible, and damn any ill side-effects. If browsers required you to know and approve each site before you connected to it, this wouldn't happen. "But that would slow us all down," I can hear you say. The world needs this now, now, now. Indeed, we get benefits by not holding back. But we get ill effects, too, and we can't just poo poo those as not our responsibility. They follow directly from the design decisions we make on behalf of our parents and friends, people who often don't know we're making them nor the consequences of their having been made.

      If we spent half as much time, energy, and intellect solving social problems as we do solving technical ones, I suspect the world would be happier.

      --

      Kent M Pitman
      Philosopher, Technologist, Writer

    4. Re:Internet Darwinism by mcmonkey · · Score: 2, Insightful
      100%- Simply treat them ALL as phishes. There is NO legit reason why my bank (or whatever) would be emailing me, asking me to click a link in the email.

      Besides, I don't have an account with any of those companies, so I know they are all false. ;-)

      100% correct. Even for companies I do have an account with, no reason there would ever be a link in an email I need to click. I do have one credit card set up to send me an email when the monthly statement is ready, but when I view that statement, I'll sure use my bookmark, not a link in the email.

      Of course most phishing attempts are from companies I have no association with, so that's easy to catch. And 100% of phishing emails I get are filtered by SpamBayes.

    5. Re:Internet Darwinism by edx0r · · Score: 2, Informative

      "I looked at the first one and realized it's sophisticated enough to need to look at the source first."

      Exactly the point of the test, I should think. Given that the average user isn't likely to look at source, or perhaps may not even know how to look at source, asking to judge what is a phish and what isn't purely by visual inspection helps to highlight why it is these things so often work against the unsophisticated computer user.

    6. Re:Internet Darwinism by snorklewacker · · Score: 2, Insightful

      > 100%- Simply treat them ALL as phishes.

      This is what the banks refer to as "brand damage". My bank would love to sell me a money market account and actually link to their own promotion. Maybe not right to my account page, but what stops a phisher from copying entire site structures?

      I realize that you're one of the superior enlightened few that cannot be marketed to, but banks do have products to promote to the rest of the unwashed masses.

      --
      I am no longer wasting my time with slashdot
    7. Re:Internet Darwinism by snorklewacker · · Score: 2, Informative

      > Interesting you should mention that. I've been looking to open a new money market account. There are five banks within a few blocks of my house and I figured one of them would have decent online banking. Three of them will not even load the online banking in anything but IE

      Then switch banks. Wamu, Wells, and Citi all have zero problems with firefox. Call the bank and tell them why. Don't come off like some smug platform evangelist, just say "your internet banking doesn't work with my computer and theirs does". Let them wonder why.

      --
      I am no longer wasting my time with slashdot
  5. This is all very well and good, by DoraLives · · Score: 2, Insightful
    but it's like pushing down the bubble in a waterbed. We have a slithering, morphing target, and, now that I think about it, the target isn't the target.

    End users are the target and there's no way in hell ANYbody will ever change that little term in the equation.

    --
    Is it fascism yet?
  6. The best defense... by LegendOfLink · · Score: 4, Insightful

    ...is still the education of users. I can't tell you how many e-mails get stuck in our company SPAM filters that mimic phony PayPal accounts. You get that one user who thinks the message is real, and there goes your identity.

    1. Re:The best defense... by tehshen · · Score: 4, Interesting
      One of the things e-mail clients could use from Gmail is how it handles said PayPal phishes. It lets through the message, but puts up a big red box saying:
      Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.

      Which doesn't get in the way, and is startling enough to not be ignored. It makes most users think "Is this a real e-mail?", and if it's on some company network, they could ask for help and be told not to reply, then slowly learn not to by themselves.
      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    2. Re:The best defense... by jlapier · · Score: 2, Insightful

      the education of users

      I used to think this way too, but after 8 years in IT, I'd rather rely on technology than users (technology isn't much to rely on, but at least it can be reasoned with).

  7. Re:Was I the only one... ? by AtariDatacenter · · Score: 5, Funny

    The write-up certainly seems more threatening in the alternative context...

    Also with regards to the speed of such attacks, "fisting attacks can occur very rapidly, with only limited elapsed time between the initial intrusion and a fisting..."

    Ouch!

  8. This is getting really frustrating by AT-SkyWalker · · Score: 4, Interesting
    I've noticed that the number of messages I'm getting from Paypal and EBay are increasing dramatically.

    The problem is that they are pretty organized; you get one, then a follow up, then a final warning and so on. I can imagine that a majority of Mom and Pop type of users finally succumb to these sorts of attacks since they seem to be pretty coherent!

  9. Bad definition. by Chmarr · · Score: 4, Insightful
    From the article:
    The term phishing ("password harvesting fishing")...


    "Password harvested fishing"??? What a crock! The 'ph' is just a 'cooler' version of an 'f'. Like 'phreaking' or 'phat'.

    Someone clearly tried to figure out where the term came from, and completely missed the obvious :)
  10. They're getting MUCH better at it by DG · · Score: 5, Insightful

    That might have been true once upon a time, but the phishers are getting VERY good at hiding their phish.

    I've seen a PayPal phish that was very sophisticated, doing things like putting bogus info into the URL bar, duplicating the layout of PayPal's site EXACTLY... it turned out to be very difficult to spot the smoking gun - I had to go look at the raw HTML to find it.

    Had I not been as paranoid as I am, it could have easily suckered me.

    Read the article, and follow some of the links to the actual attacks. It's amazing how good they are. (It's equally amazing that a web browser would do anything on link mouseover EXCEPT show the real target of a link!)

    Yes, there are plenty of stupid people - some people actually buy products from spam, or send money to Nigeria, etc etc. But the quality of the phishers is getting so good that it is hard to tell (in some cases) what is valid or what is not.

    DG

    --
    Want to learn about race cars? Read my Book
    1. Re:They're getting MUCH better at it by DrEldarion · · Score: 4, Insightful

      That's the thing, though. It doesn't matter HOW official it looks, people should ALWAYS distrust anyone asking for sensitive information like that. The majority of people are FAR too trusting.

      The advice I always give people is if it looks like it could be real, call the company and check. Not one has been real so far.

    2. Re:They're getting MUCH better at it by CrashPoint · · Score: 2, Interesting
      In my experience, the best quick-and-easy way to spot a PayPal phish is to check the salutation at the beginning of the email. If it addresses you as "Dear Valued PayPal Customer" or some such, it's definitely a phish. PayPal always addresses you by name in their emails.

      This, I have found, is not only an easy way for us geeks to spot phishers, but a way we can easily explain to non-geeks how to spot them.
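The two posts above name concrete tells a scanner can look for in the HTML body of a suspected phish: link text that shows one host while the href goes elsewhere, a userinfo "@" in the URL that pushes the real host out of sight, an onmouseover handler that overwrites window.status so the status bar lies about the target, and a generic "Dear Valued ... Customer" salutation. The block below is an added example, not code from the Honeynet paper or from either poster; the two HTML bodies and every hostname in them are constructed, and the heuristics are the ones the thread describes rather than any product's rule set.

```python
"""
Scan the HTML body of a suspected phish for the tricks the thread describes:
  * anchor text that looks like a URL whose host differs from the href host
  * a userinfo "@" in the href (http://www.bank.example@203.0.113.9/...)
  * on* handlers that assign window.status, faking the status-bar target
  * a generic salutation instead of the customer's name

Added example, not from the Honeynet paper or any poster.  Both HTML bodies
below are constructed and every hostname in them is invented.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PHISH_HTML = """\
<html><body>
<p>Dear Valued PayPal Customer,</p>
<p>Please <a href="http://www.paypal.example@203.0.113.9/cgi-bin/webscr"
   onmouseover="window.status='https://www.paypal.example/'; return true"
   onmouseout="window.status=''">https://www.paypal.example/</a>
to confirm your account.</p>
</body></html>
"""

SAMPLE_LEGIT_HTML = """\
<html><body>
<p>Dear Jane Doe,</p>
<p>Your statement is ready. <a href="https://www.paypal.example/">Sign in</a>
using your bookmark to view it.</p>
</body></html>
"""

GENERIC_SALUTATION = re.compile(r"dear\s+(valued|customer|member|user|client)", re.I)
URL_LIKE = re.compile(r"^(https?://)?([\w.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, attributes, visible text) for every <a>, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = (dict(attrs), [])

    def handle_data(self, data):
        self.text.append(data)
        if self._open:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            attrs, parts = self._open
            self.links.append((attrs.get("href") or "", attrs, "".join(parts).strip()))
            self._open = None


def _host(url):
    """Hostname the browser would really connect to (ignores any userinfo)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def link_findings(html):
    """Return human-readable findings; an empty list means none of the tells fired."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    if GENERIC_SALUTATION.search("".join(p.text)):
        findings.append("generic salutation")
    for href, attrs, text in p.links:
        real = _host(href)
        if urlsplit(href).username is not None:
            findings.append(f"userinfo '@' in href hides real host {real}")
        shown = URL_LIKE.match(text)
        if shown and _host(shown.group(0)) != real:
            findings.append(f"text shows {_host(shown.group(0))} but href goes to {real}")
        for name, value in attrs.items():
            if name.startswith("on") and value and "window.status" in value:
                findings.append(f"{name} handler rewrites the status bar")
    return findings


if __name__ == "__main__":
    print("phish:", link_findings(SAMPLE_PHISH_HTML))
    print("legit:", link_findings(SAMPLE_LEGIT_HTML))
```

None of these is a proof on its own (a legitimate mailer can use a tracking host in hrefs, and a bank can send a form letter), but the combination of a userinfo URL and a status-bar rewrite has no honest use in mail, and the salutation check is the one rule in the list that can be explained to a non-geek in a sentence.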

  11. It can be quite difficult to resist by what+about · · Score: 4, Interesting

    I got an email stating that an order had been placed with my name and it was being delivered. Now, I have two choices:

    Do nothing and maybe allow some delivery of goods that I do not want (I am in UK, not US) and then have to return them or anyway cancel the payment (can be difficult if made by debit card) even if the crook got the numbers from looking at you at the supermarket.

    Have a look and see what it is about.

    The ECommerce site was a trojan installer, it didn't work since I use Opera and have ActiveX disabled (quite interesting all the techniques they used).

    The point is that sometimes it is quite difficult to know if something is legitimate or not and to me the only solution is to have less whizbang applications and more reliable ones.

    No ActiveX, plain HTML browsing.

    Banks should NOT use funny addresses for part of their pages, just one clear address.

    No magic jumping between applications, no magic installing, make it painful to install something taken from the network!

    1. Re:It can be quite difficult to resist by Slashcrap · · Score: 2, Interesting

      I got an email stating that an order had been placed with my name and it was being delivered. Now, I have two choices:

      Sorry, I fail to see why this is a problem. I mean you knew you didn't order it, right?

      So fucking what if something turns up at your door? I'd be like "Great! Free stuff!".

      Do you think that someone would steal your card details and then use them to order something for you? It doesn't seem likely to me.

      Why couldn't you just check with your bank or credit card provider? I would expect them to be able to tell me if someone had ordered something with my card. I'd hardly waste time reverse engineering the website.

  12. Strange Phenomenon by Nytewynd · · Score: 5, Insightful
    One thing I don't understand about phishing is why it works so well. I imagine it is probably just the volume of the attacks, so they are more likely to catch an idiot than in the past.

    Consider:
    1. Most people wouldn't give out a credit card number randomly over the phone
    2. Most people wouldn't return junk mail that asked for a social security number
    3. Most people wouldn't walk up to a complete stranger on the street and hand them their ATM card and PIN

    I think computers mystify older people to the point where they lose their mind. I see it in general. My friend's father-in-law had a "computer question" for me about ebay. He wanted me to tell him how to determine the price he should sell something for. I tried to explain to him that his question had nothing to do with ebay itself, but he was so caught up in the process of selling on ebay, he was totally confused.

    Maybe phishing works so well because some people are so confused by computers in general, they simply assume that their bank would ask them for this information over email (from an account named bank_stealer@hotmail.com).

    Dealing with this kind of leads to the appropriate saying:

    You can give a man a fish and feed him for a day, or teach him to fish and feed him for the rest of his life.

    You can't get rid of phishing by blocking sites. You have to do it by educating people not to enter their info.
    --
    /. ++
    1. Re:Strange Phenomenon by sharp-bang · · Score: 2, Informative

      According to this Gartner study (warning: PDF), the success rates for phishing are between 3-6%, similar to those for spam. It's a volume business.

      --
      #!
    2. Re:Strange Phenomenon by Have+Blue · · Score: 3, Insightful
      It's not that simple. Consider the following situations:
      1. You receive a phone call. The caller ID says it is from a firm you do business with frequently. The caller informs you that there is a problem with the credit information for your most recent order, and that you must provide it again. Maybe you really do have a most recent order with that company, and it's plausible that human error somewhere in the process resulted in your CC info getting damaged (the order was placed over the phone, or in person). Maybe this is for a pretty important item that you can't spend extra days waiting for if there really is a problem with your order.
      2. You receive a letter on what appears to be official government letterhead, with a return address that could plausibly be a government office in the state capitol. The letter informs you that you are in danger of noncompliance with obscure regulations, and includes a form to fill out so that the agency will, for a small fee, send you materials you need to remain in the clear and avoid harsh penalties.
      3. You are standing in line at a bank waiting to see a clerk. A person approaches you wearing the uniform of a bank employee and carrying papers that look like bank documents and offers to help you. He leads you to an empty desk and walks you through the task you would like to have performed, and tells you the process will be completed in a day or two. You leave without noting his name.
      All of these situations could easily occur in real life and all of them could easily be scams. Unless you are automatically paranoid at all times or willing to go out of your way to spend time on verification, chances are you'd fall for at least one of them. We got one of the second type at work the other day- it was very convincing, and in all honesty if it was my responsibility to handle it I would have been taken in.
    3. Re:Strange Phenomenon by dioscaido · · Score: 2, Insightful

      1. Most people wouldn't give out a credit card number randomly over the phone

      I'm going to have to disagree with you on this one. I think a phone call would have even more weight than an official looking e-mail, and naive people would happily supply their account information. Especially if you work off of the phone book, you could call and say "mr. So and So, we show we have an account with you, at XXX address. As the first step in our verification, please verify your account number. (proceeds to ask for the number)"

    4. Re:Strange Phenomenon by snorklewacker · · Score: 2, Informative

      > 1. Most people wouldn't give out a credit card number randomly over the phone

      You'd be very surprised. Phishing is a variation of a scam that has been around as long as the telephone. Ever heard of the "bank examiner scam"? Hell, some brave souls were probably even doing it door to door before then, though it's easier to do charity scams that way.

      --
      I am no longer wasting my time with slashdot
  13. Re:Speed? by sharp-bang · · Score: 3, Insightful

    Try complaining to the bank or other business being targeted, and identify the ISP in your complaint.

    As papers like this one reveal the methods of phishers, it's going to be much more difficult for ISPs to claim ignorance of the problem, because knowledge of tools and methods contributes to standards of due care from which liability arises. The threat of legal action might improve the overall response.

    --
    #!
  14. Re:Hmm, can't be bothered to read TFA fully but... by xnderxnder · · Score: 2, Insightful

    Huh?

    Maybe you should read TFA, especially if you're comparing them with a bunch of criminals..

    What I've read of the Honeynet projects, they set up a network of easy marks and record and examine what traffic they receive. In the case of spammers/phishers, they blast their crap across the net already - it's not like the Honeynet is their only target or its existence is influencing when a phish-run is made.

    It's not entrapment. It's research.

    --
    hooked up funny
  15. New Phishing Technique ... by tomhudson · · Score: 2, Insightful
    After reading TFA, it strikes me that the easiest way to get personal details is to set up a honeypot, allow it to be "compromised" by phishers, and log all the data their victims post to your honeypot (before modifying it so that the phishers don't get valid data).

    This way, the phishers are doing all the hard work (mass email spam, etc), and getting none of the benefit.

    The article even goes on to tell you what tools to use ... so expect this to be the next level of phishing scam.

    I'm almost tempted ... must resist the dark side ... do you think we can get the phishers to offer up free pr0n? [tt]

  16. Easier way by int999 · · Score: 3, Insightful

    What prevents someone from simply setting up an online store site, complete with pictures of items and everything, and with rockbottom prices? Run it for a week, collect credit card numbers from orders, then close shop. If you do it right, it can be untraceable.

  17. Rent a botnet here! by Animats · · Score: 3, Interesting
    You, too, can run a phishing scam. You'll need a botnet, bulk-friendly hosting, and bulletproof credit card processing. And you can get them all here.

    Yes, "Specialham", the spammer hangout, is back! "SpecialHam is the premier online destination for email marketing professionals." With great new topics like "What are the most anonymous ways to transfer money".

    That site seems to be aimed at low end and clueless spammers.

    Further up the food chain, we have Black Box Hosting. "Fully featured bullet proof dedicated server. Allows direct mailing and website hosting. All our plans allow Adult, Gambling and Pharmacy Content." They also offer "Mailing Servers". You have to supply your own list of proxies, and your own bulk mailing program. They recommend DarkMailer.

    So you go on Specialham and rent some open proxies. Then order a mailing server and a web server from Black Box Hosting. Run your scam. Launder the money through an offshore credit card processor. Profit!

    What we really need in honeynets is for about 10% of these support operations to be sting operations run by law enforcement. That would make phishing and spamming a much higher risk operation.