Most people think of phishing as authentic-looking but bogus e-mails designed to trick them out of their bank account numbers. But recent research by the Honeynet Project & Research Alliance shows it's much more complicated -- and scarier -- than that.
"The speed with which the site was set up was very quick indeed, and all pre-prepared," Honeynet researcher Arthur Clune said of one attack the alliance studied. "The guys who installed the site were obviously ready for it since we started seeing connections even before it was ready. And the whole process was heavily automated, including scanning for new vulnerable servers. It all indicates attackers who are serious, prepared and looking for as many hosts as possible."
He said the quality of the sites and spam is improving. "There's better use of English and embedded graphics to make it look more like the real site…" he said by e-mail. "As users become more aware of phishing and how it works, attackers have to raise their game."
Another researcher, David Watson, said by e-mail the number of users who seem to be getting duped by these attacks surprised him.
"In a number of observed incidents we were surprised that users did attempt to access fake phishing content," he said. "Education and safe Internet usage messages are clearly not always getting through to end users."
Research was done using honeypots, computers deliberately set up without protection. When attacked, researchers can study them and get a better sense of the tactics used. In this case, researchers watched as phishers successfully used three distinct attack methods:
Compromised Web servers
For one approach, phishers broke into vulnerable servers and installed malicious Web content. In a typical scenario, attackers:
- Scanned for vulnerable servers;
- Hacked them and installed a rootkit or password-protected backdoor;
- Accessed the server through the encrypted back door;
- Dowloaded pre-built phishing Web sites in cases where the compromised server was Web-based;
- Performed limited content configuration and Web site testing, potentially revealing their true IP address when first accessing the Web server;
- Downloaded mass e-mailing tools, using them to advertise fake Web sites via spam e-mail; and
- After that, Web traffic began to arrive at the phishing Web site and potential victims accessed the malicious content.
"Often the time taken for this incident life cycle is only a matter of hours or days from when the system is first connected to the Internet, and our research suggests that such activity is taking place on many servers and targeting many organizations at once," the alliance said in a statement.
On Jan. 11, 2005, an attacker successfully entered a honeypot by exploiting a flaw in Redhat Linux 7.3, the alliance said.
"This incident was unusual in that once the attacker had gained access to the compromised system, no phishing content was uploaded directly. Instead, the attacker installed and configured a port redirection service on the honeypot," the researchers said.
The attacker then downloaded and installed a tool called "redir" on the honeypot, a port redirection utility "designed to transparently forward incoming TCP connections to a remote destination host," the researchers said. "The attacker configured the tool to redirect all incoming traffic on TCP port 80 [HTTP] of the honeypot to TCP port 80 on a remote Web server in China."
Between September 2004 and January 2005, the German Honeynet Project deployed a series of unpatched Windows-based honeypots to observe botnet activity. During this period more than 100 separate botnets were activated.
Researchers said some versions of the bot software they captured had the capability to remotely start a SOCKS proxy on a compromised host.
"If an attacker with access to a botnet enables the SOCKS proxy functionality on a remote bot, this machine can then be used to send bulk spam e-mail," the alliance said. "If the botnet contains many thousands of compromised hosts, an attacker is then able to send massive amounts of bulk e-mail very easily, often from a wide range of IP addresses owned by unsuspecting home PC users.
"Perhaps unsurprisingly, resourceful botnet owners have begun to target criminal activity and it is now possible to rent a botnet," the alliance continued. "For a fee, the botnet operator will provide a customer with a list of SOCKS v4 capable server IP addresses and ports. There are documented cases where botnets were sold to spammers as spam-relays."
Having picked apart these attack methods, researchers concluded that phishing assaults can happen very quickly, with little time between the initial system intrusion and a phishing Web site going online. This makes the attacks hard to track and prevent. The research also showed many phishing schemes are the work of multiple, complex organizations and that the methods described above are often combined.
What's an IT administrator to do?
"Blackhats are routinely scanning large blocks of IP address space looking for vulnerable hosts to compromise, and this activity is indiscriminate," Watson said. "The lowest hanging fruit will usually fall first, so always follow security best practices and patch your systems, deploy firewalls and implement strong authentication or block unnecessary inbound connections altogether."
Clune agreed, recommending IT managers:
Keep a good eye out. "This stuff gets set up and goes active very quickly," he said. "These guys expect the site to not last very long, which is why they need so many of them. But a lot of harm can be done in a short period before it's noticed, say, over a weekend."
Mind the simple things. "Simple things like blocking direct outbound SMTP access to all your machines and inbound HTTP/HTTPS would make your machines much less useful to any attackers and so they would be more likely to go for the low hanging fruit elsewhere," he said. "A combination of forcing SMTP via your gateway and running some spam-spotting software on it would probably stop any e-mail from being sent out at all -- a very good thing from a reputation point of view."