Rather than simply cloning credit cards and going on a shopping spree, the AT&T hackers decided to augment their stolen information lode to make it more suitable for full-scale identity theft. To achieve this, they decided to execute a follow-up attack using a new twist on a tried-and-true phishing tactic. They sent "phished" messages to the email addresses they stole, using the last four digits of recipients' real credit cards to establish credibility. The goal was to lure victims into clicking links to a fake AT&T Web site, where they would be asked to provide their dates of birth and social security numbers. Essentially the bad guys were using a little bit of the information they had stolen to get a lot more.
While some diligent customers (including at least one journalist) recognized the .org suffix on the bad guys' fake Web site and realized it was a con, it's worth wondering what the AT&T marketing and human factors people were thinking when they created the original sbcdslstore.com URL. What if the bad guys had registered close variations of the address, such as sbdslstore.com, sbcdsllstore.com, or anything else in this alphabet soup of names? Branding problems and URLs aside, it is quite clear that the days when we could tell users to spot phishing attacks by merely looking for mistyped words in their email are long gone.
So, what can enterprises do to educate users and defend against this new type of phishing attack? You can start by instilling an inherent mistrust of email. Explain that messages are typically easy to spoof and are sent in clear text. Instruct them that should they receive an email requesting sensitive information, regardless of whether the message is suspicious or not, to follow up using methods independent of the email itself. Also, tell users not to click on email links received from credit card companies, banks or e-commerce sites that describe a problem with their accounts.
Instead, users should call the company using the phone number on their credit card, billing statement or a recent receipt. Never call a phone number included in an email, because phone-phishing threats are on the rise as well. If the user doesn't have a phone number to use, another option is to browse to the provider's site (again, not by using the link in the email, but instead by typing in a known legit URL into their browser). Then, login to the known, trusted site.
Next, consider deploying Web site-checking software, such as McAfee Inc.'s free SiteAdvisor (www.siteadvisor.com). This Internet Explorer and Firefox extension inspects Web sites in real time to determine if they are legitimate or fake. Then using McAfee's own research and analysis, SiteAdvisor gives the site a safety rating. It's important to note, however, that SiteAdvisor's results aren't perfect. I learned this when my own website, was deemed a potential menace simply because I have written articles on malware. Nonetheless it does give users a little more to go on than blind trust.
Also, deploy and vigorously update the antimalware and antispam software associated with your mail servers. Although they may have trouble with very targeted phishing attacks like that in the AT&T case, a huge number of widespread phishing attacks are stopped by such products.
Finally, given the newly raised stakes in the phishing game, user awareness programs and technical defenses against such attacks should be augmented.
About the author:
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions relating to information security threats.
This was first published in October 2006