Trust Me: Adventures in Social Engineering
Jon Oliver, MailFrontier‘s Director Of Research, describes social engineering as the means by which identity thieves extract passwords and account data from unwitting users. Oliver’s session outlines how criminals are using progressively more sophisticated techniques as users awareness increases.
- 51m adults were ‘phished in 2004’; a 1126% increase from 2003.
- In a survey, around 30% of users incorrectly identified a genuine or ‘phish’ email message.
- Only 9% of users identified all ten messages correctly.
- 5% of phished users, will click on an enclosed link.
- Interestingly, demographic analysis shows that the supposedly Internet-savvy 18-25 age group is most gullible.
In many cases, ‘harvesting’ sites are unwittingly hosted on computers where the owner is unaware of illicit activity. Oliver cited the cases of an eBay phishing site hosted on the PCs in a South Korean Internet cafe; the cafe owner was horrified to discover that a counterfeit eBay site was being served from his PCs. Interestingly, personalised phishing is a new trend – where a user experiences a definite uptick in phishing attempts following the sale of an item on eBay.
Phishing attacks tend to follow an established pattern of presentation:
- Build credibility by spoofing a real company with authentic sender addresses, and links to the company’s official site.
- Create a reason to act through a plausible and urgent premise, requiring a quick response from the user.
- Have a call to action combining an authentic visual URL with a hidden URL for the phishing site. For example, messages come from ‘www3.fashion.sony.com’ rather than ‘firstname.lastname@example.org’.
Phishers can openly purchase mailing lists list on eBay, as well as packages of template messages from leading sites. All that remains is to develop an attack email and the ‘fake’ website and locate servers from which to send the phishing messages.
In examining the motivations of phishers, Oliver illustrated the high return on investment for phishers:
- 2m emails are sent
- Assume only 5% of messages (100’000 people) will be successfully delivered; phishing messages are more likely than spam to get through filtering algorithms
- Assume only 5% (5’000 people) of recipients click through
- Assume only 2% (100 people) of users who click through enter sensitive data
- The FBI estimates that, those that reach this stage of a phishing attack, lose an average of $1200
- Hence, the phishers can potentially earn $120’000 within a very short period of time. A good return on their investment.
Interestingly, Oliver describes corporate phishing attacks as a recent growth area, whereby a corporate infrastructure comes under attack through Differential Harvest Attacks (DHAs) that seek to identify new employees through messages describing ‘essential security upgrades’ and ‘registration reminders’. The outsourced services of corporates (accounting, finances, CRM, remote meeting, credit cards, IT systems, DNS records) are invariably vulnerable points of attack. even a simple message to HR@company.com! Indeed the harm is far greater than individual phishing attacks.
There are a number of methods for identifying phishing attacks, though there is no silver bullet or ‘catch-all’ method:
- Identifying the sending server
- Identifying links to the fake web server
- Identifying that the email does not originate from who it purports to come from (authentication)
- Identifying suspicious content; through statistical analysis of text
- Identifying attempts to exploit browser security
One audience member suggested that ‘white-hat’ phishing attacks could help to identify weaknesses and sensitise users to exert greater care. Another suggested that the falling trust in email would lead to more communication through an RSS-like medium.
Oliver concluded that phishing and other email security threats are real, malicious and eroding trust in the use of email as a communications medium. Solutions must use multiple techniques to be effective, but in essence the best solutions require widespread change in user behavior – such as the use of PGP and S/MIME.