Honeynet Revealing Actual Phishing Techniques

edsonie writes "CircleID is reporting on the recent Honeynet Project, 'Know your Enemy: Phishing', aimed at discovering practical information on the practice of phishing. The study reports on a number of real world examples of phishing attacks and the typical activities performed by attackers during the full lifecycle of such incidents. The research also suggests that phishing attacks "are becoming more widespread and well organized". Also with regards to the speed of such attacks, "phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing web site going online with supporting spam messages to advertise the web site, and that this speed can make such attacks hard to track and prevent." Check out the full report here presenting actual techniques and tools used by phishers."

Actual techniques

I've discovered that these Phishers ask questions and stupid people give them answers.

Lets not make it into brain surgery. Do we need honeynets to tell us there are stupid people out there? And there always will be stupid people out there.

Internet Darwinism

[Nytewynd]

Anyone that falls for a phishing scam is too dumb to have their money anyway.

At work, the security guys put together a phishing test. It looked exactly like our normal web page, they made is sound official by calling it some kind of Task Force, and then they emailed everyone a link to the password checker. It supposedly tested your password for security difficulty. You enter your ID and password and it would email you back the results.

I sent the link to the security guys and got an "Attaboy". About half of the people ended up on the list of idiots that handed out their secure passwords over the internet.

What goes through someone's head to enter passwords, bank account info, or personal identity information over the Internet? Don't people consider that the companies supposedly asking for this stuff should already have it. You bank is never going to ask you for your account number over email. They already have it!

Re:Internet Darwinism

[99BottlesOfBeerInMyF]

You bank is never going to ask you for your account number over email. They already have it!

Part of the reason this social engineering is successful is that companies, banks, large organizations are so lousy at keeping accurate records. Have you never had a bank screw up your name, or your balance, or some other company you do business with charge you for something you never ordered or fail to charge you for something you have ordered? I've had all these things happen, and it makes it completely unsurprising that a bank would lose your information or even have a policy of verifying your account password via e-mail. It is ridiculous and insecure and generally a really stupid idea, which is why it seems plausible that some lumbering bureaucracy would do it. Obviously, I would never give out sensitive information via e-mail, but I would actually not be surprised if some company requested it via that method. Just because it looks like phishing, does not mean it is, it could just be someone being really dumb. There is plenty of blame to go around here.

Re:Internet Darwinism

[NetSettler]

Anyone that falls for a phishing scam is too dumb to have their money anyway.

I would venture a guess that among the vulnerable are the parents and/or grandparents of most of the people who read Slashdot. You don't see an ethical obligation on the party of the technically savvy to care about and protect the technically unsavvy? Shame on you.

Software can be anything we make it be. The technologists who have shaped the world have made many choices and will continue to make choices about what our programs will and won't do, how information will be presented, etc. They make those choices on behalf of the public, and they cannot simply shirk responsibility in this way.

Almost all technological problems of this kind reduce to our desire to get as far as possible as fast as possible, and damn any ill side-effects. If browsers required you to know and approve each site before you connected to it, this wouldn't happen. "But that would slow us all down," I can hear you say. The world needs this now, now, now. Indeed, we get benefits by not holding back. But we get ill effects, too, and we can't just poo poo those as not our responsibility. They follow directly from the design decisions we make on behalf of our parents and friends, people who often don't know we're making them nor the consequences of their having been made.

If we spent half as much time, energy, and intellect solving social problems as we do solving technical ones, I suspect the world would be happier.

Re:Phishing!

[Ralin_JM]

And when a "Tom Sawyer" steals your identity, he "gets high on you".

The best defense...

[LegendOfLink]

...is still the education of users. I can't tell you how many e-mails get stuck in our company SPAM filters that mimick phony PayPal accounts. You get that one user who thinks the message is real, and there goes your identity.

Re:The best defense...

[tehshen]

One of the things e-mail clients could use from Gmail is how it handles said PayPal phishes. It lets through the message, but puts up a big red box saying:

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.

Which doesn't get in the way, and is startling enough to not be ignored. It makes most users think "Is this a real e-mail?", and if it's on some company network, they could ask for help and be told not to reply, then slowly learn not to by themselves.

Mirrors

Europe

Greece - http://honeynet.phrapes.net/
Romania - http://honeynet.iasi.roedu.net/
Croatia - http://honeynet.lss.hr/
France - http://honeynet.startx.fr/
Germany - http://honeynet.fh.net/
Germany - http://honeynet.spenneberg.org/
Germany - http://project.honeynet.de/
Ireland - http://honeynet.heanet.ie/
Italy - http://honeynet.securityinfos.com/
Netherlands - http://honeynet.hackers.nl/
Netherlands - http://honeynet.evilcoder.org/
United Kingdom - http://honeynet.ntcity.co.uk/
Asia

India - http://honeynet.tiet.ac.in/
Phillipines - http://honeynet.opensourcecommunity.ph/
Singapore - http://www.security.org.sg/honeynet/
Korea - http://honeynet.secuwiz.com/
Malaysia - http://honeynet.0ni0n.org/
China - http://honeynet.xfocus.net/
South America

Brazil - http://mirror.honeynet.org.br/
North America

Canada - http://honeynet.ihackedthisbox.com/
USA, NY - http://www.clientbox.net/
USA, TX - http://honeynet.5dollarwhitebox.org/
USA, OH - http://mirror.clevelandhoneynet.org/
USA, VA - http://honeynet.streetchemist.com/

Re:Was I the only one... ?

[AtariDatacenter]

The write-up certainly seems more threatening in the alternative context...

Also with regards to the speed of such attacks, "fisting attacks can occur very rapidly, with only limited elapsed time between the initial intrusion and a fisting..."

Ouch!

This is getting really frustrating

[AT-SkyWalker]

I've noticed that the number of messages I'm getting from Paypal and EBay are increasing dramatically.

The problem is that they are pretty organized; you get one, then a follow up, then a final warning and so on. I can imagine that a majority of Mom and Pop type of users finally succumb to theses sort of attacks since they seem to be pretty well coherent !

Bad definition.

[Chmarr]

From the article:

The term phishing ("password harvesting fishing")...

"Password harvested fishing"??? What a crock! The 'ph' is just a 'cooler' version of an 'f'. Like 'phreaking' or 'phat'.

Someone clearly tried too figure out where the term came from, and completely missed the obvioius :)

They're getting MUCH better at it

[DG]

That might have been true once upon a time, but the phishers are getting VERY good at hiding their phish.

I've seen a PayPal phish that was very sophisticated, doing things like putting bogus info into the URL bar, duplicating the layout of PayPal's site EXACTLY... it turned out to be very difficult to spot the smoking gun - I had to go look at the raw HTML to find it.

Had I not been as paranoid as I am, it could have easily suckered me.

Read the article, and follow some of the links to the actual attacks. It's amazing how good they are. (It's equally amazing that a web browser would do anything on link mouseover EXCEPT show the real target of a link!)

Yes, there are plenty of stupid people - some people actually buy products from spam, or send money to Nigeria, etc etc. But the quality of the phishers is getting so good that it is hard to tell (in some cases) what is valid or what is not.

DG

Re:They're getting MUCH better at it

[DrEldarion]

That's the thing, though. It doesn't matter HOW official it looks, people should ALWAYS distrust anyone asking for sensitive information like that. The majority of people are FAR too trusting.

The advice I always give people is if it looks like it could be real, call the company and check. Not one has been real so far.

It can be quite difficult to resist

[what+about]

I got an email stating that an order had been placed with my name and it was being delivered. Now, I have two choices:

Do nothing and mybe allow some delivery of goods that I do not want (I am in UK, not US) and then have to return them or anyway cancel the payment (can be difficult if made by debit card) even if the crook got the numbers from looking at you at the supermarket.

Have a look and see what it is about.

The ECommerce site was a troian installer, it didn't work since I user Opera and have activeX disabled (Quite interesting all the tecnique they used)

The point is that sometime it is quite difficult to know if something is legitimate or not and to me the only solution is to have less wizybang applications and more reliable ones.

No activex, plain HTML browsing.

Banks should NOT use funny addresses for part of their pages, just one clear address.

No magic jumping between applications, no magic installing, make it painful to install something taken from the network !

Strange Phenomenon

[Nytewynd]

One thing I don't understand about phishing is why it works so well. I imagine it is probably just the volume of the attacks, so they are more likely to catch an idiot than in the past.

Consider:

1. Most people wouldn't give out a credit card number randomly over the phone
2. Most people wouldn't return junk mail that asked for a social security number
3. Most people wouldn't walk up to a complete stranger on the street and hand them their ATM card and PIN

I think computers mystify older people to the point where they lose their mind. I see it in general. My friend's father-in-law had a "computer question" for me about ebay. He wanted me to tell him how to determine the price he should sell something for. I tried to explain to him that his question had nothing to do with ebay itself, but he was so caught up in the process of selling on ebay, he was totally confused.

Maybe phishing works so well because some people are so confused by computers in general, they simply assume that their bank would ask them for this information over email (from an account named bank_stealer@hotmail.com).

Dealing with this kind of leads to the appropriate saying:

You can give a man a fish and feed him for a day, or teach him to fish and feed him for the rest of his life.

You can't get rid of phishing by blocking sites. You have to do it by educating people not to enter their info.