Does phishing make up a large percentage of emails?
Paul Wood: When we look at the statistics we published in the August MessageLabs Intelligence Report, one in 363 emails were identified as some form of phishing scam. Though, that's a relatively small proportion, that's slightly up compared to the previous month. It does seem to go in cycles. I think that's where the phishing groups are targeting particular organizations using certain toolkits. We saw at the beginning of 2009 the increased availability of phishing toolkits and attack tools like the Zeus Trojan. They enabled people to create very sophisticated phishing attacks at very low cost. In fact zero-cost in many cases because the code for Zeus leaked into the public domain. It enabled people to create these small custom botnets that would then hook into people's Web browsing activity and intercept calls directly to websites whereas with most phishing scams that we are familiar with is usually in the form of an email.
Are many phishing campaigns geographically localized?
Wood: What we find is that they use the same or similar templates for an attack and they will switch out the brand name that they are targeting. If it's a bank, they'll switch the name of the bank and the actual logos they might be using in the email. But essentially it's the same templates. They also look at the time zone. In Europe you may see phishing emails go out at a particular time of the day then five or six hours later you might get a similar wave of phishing emails targeting North America. The templates and toolkits make it very much easier and lowers the barrier to entry. You don't have to be a technical wizard in order to conduct one of these attacks if you can get a hold of one of these types of toolkits.
When people think of phishing they think of cybercriminals harvesting user names and passwords. Are phishers stealing other data as well?
Wood: Yes and it depends on the type of phishing attack and how it is conducted. For example, you may find in a social networking environment that there may be an application that someone has asked you to plug in. It may be a questionnaire or one of these personal quiz type things. The danger is that they'll ask you for a mobile phone number and then you suddenly find that you've subscribed to some premium-rate service that costs several dollars every time they send you a text message. And then it's very difficult to unravel from that. So, it doesn't matter how you answer those questions, that's just the bait. Phishing similarly is trying to get you to do something that you wouldn't naturally do. These are the kind of things that you need to be aware of when you've received unsolicited email. Phishing is really just spam messages that have been dressed up for a particular purpose. You have to be very careful about responding to any type of spam that you receive. If you go to a website in order to continue with the process, that website could also be laden with malware.
Are most of these attacks relatively unsophisticated? Are there examples of more sophisticated phishing attacks that are more targeted?
Wood: The more targeted attacks are much more difficult to recognize because very often there would have been a lot of effort before they send you the email to make sure that it is tailored and personalized for you. This is one of the dangers for things like social networking environments and even many of the most popular social websites. We tend to put a lot of information on those sites, but perhaps not taking enough consideration of the privacy settings that are often available to lock down what information is visible. The bad guys are very often looking at social networks, creating fake profiles and trying to link with people and many phishing attacks will also target people's social networking accounts because they are very valuable. For example, if we were joined by a social network and my account became compromised if I fell for a phishing attack. That means that the bad guys can approach all of my contacts to send their messages. You are more likely to respond if you receive a message from someone you know and trust. It's not really in the spam category anymore. If they can get a user to a website and install malware on their machine, it's not really about phishing anymore. It enables them to bypass the social engineering and then install components into your Web browser, which is how the Zeus Trojan works. If you visit a particular website the bad guys can intercept that traffic, inject their own html instructions in there and siphon off whatever you type in.
The Rustock botnet is responsible for 41% of spam globally, according to your report. Do phishing campaigns often come from botnets like Rustock?
Wood: Some of the botnets are used for phishing attacks. If you look at Cutwail for example, that has been heavily used for phishing attacks over the last few months or so. But Cutwail used to be far more dominant than it is now. It has fallen back significantly. It's very aggressively sending out malware and phishing to try and make the best of the remaining botnets that it has under its control and also regenerate the botnet itself.