A technical study of phishing techniques published this week by the Honeynet Project has found that large numbers of users are still being readily tricked into visiting fake sites designed to harvest banking and financial details, despite massive efforts to educate consumers.
The study found that, far from being carried out by isolated hackers, such scams appear to be the work of highly organized groups employing huge networks of compromised systems—called botnets—and using increasingly sophisticated techniques.
Phishing is a type of online scam that attempts to collect information such as credit card and bank account details by luring users to malicious Web sites counterfeiting those of well-known, trusted institutions. Popular targets include major banks and e-commerce sites such as eBay or PayPal. Users are typically lured to the sites via authentic-looking e-mails that appear as if they come from the institution; these are sent out in bulk from the same types of compromised systems used to host the fake sites.
Security experts have warned of a dramatic increase in phishing activity for months, but the Honeynet study offers a new level of technical detail into the workings of such scams, as well as fresh evidence of the growing scale of the problem.
The project drew its analysis from honey pots, or systems set up to present attractive targets for attackers—for instance with older operating systems that contain well-known vulnerabilities. A honey net is a large network of such systems. The study is based on analysis of multiple attacks against honey pots deployed by the German and U.K. Honeynet Projects.
Researchers said they were surprised at the ease with which hundreds of users were lured to the fake sites set up using the honey nets. A site set up on the U.K. honey net, mimicking a bank, received 265 visits in four days. The German system was used to redirect traffic to a fake site in China, and researchers observed the redirection of 721 unique IP addresses within a period of about 36 hours.
"We were surprised by how many users were apparently being tricked into accessing such content through phishing e-mails," the study said.
The way the scams were set up hinted at groups of well-organized, technically advanced scammers, researchers said. In some cases users began trying to access a site before it had been completely set up, suggesting the spam e-mails promoting the bogus site were being sent from an entirely different server. "Well-constructed and officially branded pre-built fake Web sites are routinely being deployed onto compromised servers—often targeting multiple organizations via separate micro sites, with separate Web server document roots, along with the necessary tools to propagate spam e-mails to potential phishing victims," the study said.
Researchers found evidence that the scammers were making use of botnets, or large networks of remotely controlled systems, for sending spam, hosting sites or redirecting traffic. During a five-month period late in 2004, the German Honeynet Project observed 100 separate botnets. Scammers also appeared to be using intermediaries to transfer funds internationally, in order to escape detection by financial authorities.
While security professionals are well aware of the scale of phishing scams, the ordinary people targeted by the scammers often havent even heard the term before, according to Carole Theriault, a security consultant with Sophos plc. "Phishing is essentially a con trick, its an age-old technique using new technology," she said. "They look good, and when people see these they cant imagine that its some guy trying to get in their pocket and get their cash."
Technical solutions can only go so far toward preventing the problem, she said. "By definition there is no malware in it. It goes after the bug in peoples brains that makes them want to believe the experts," she said. "Being vigilant is paramount in stopping this."