The Phishing Ecosystem Wednesday, March 22nd 2006 3:00pm - PowerPoint PPT Presentation

1
The Phishing Ecosystem
Wednesday, March 22nd 2006 3:00pm
  • Andrew Klein
  • Engineering Manager

2
Phishing is Everywhere
3
and sometimes it hits close to home!
4
Phishing by the numbers
  • 6.1 billion: the estimated number of phishing email messages sent worldwide each month
  • 2.4 million: number of online consumers that reported losing money to a phishing scam (Gartner, May 2005 survey)
  • 15,244: number of unique phishing attacks in December 2005 (APWG)
  • 7,197: number of phishing sites operational in December 2005 (APWG)
  • 35%: the percentage of phishing sites hosted in the United States in December 2005 (APWG)
  • 5.3: average number of days a phishing site was live in December 2005 (APWG)

5
What's Your Phishing IQ?
6
http://www.mbna-mail.com/ets/...
7
LEGIT
8
http://chaseonline.rewardprogramsurvey.us/
9
http://chaseonline.rewardprogramsurvey.us/
Phish
10
https://www.sbc.com/mysbc
11
LEGIT
12
Let's Go Phishing
13
Checklist - Step 1
  • Get an email list
  • Develop the attack
  • Locate sites to send phishing email from
  • Locate sites to host the phishing site
  • Launch the attack
  • Collect results

14
Get a List: Available on eBay
15
Checklist - Step 2
  • Get an email list
  • Develop the attack
  • Locate sites to send phishing email from
  • Locate sites to host the phishing site
  • Launch the attack
  • Collect results

16
The attack email
17
Welcome to our site
18
Give me some credit here
19
Checklist - Step 3
  • Get an email list
  • Develop the attack
  • Locate sites to send phishing email from
  • Locate sites to host the phishing site
  • Launch the attack
  • Collect results

20
Where we'll send our phishing email from
  • Over 1,500 sending sites

21
Checklist - Step 4
  • Get an email list
  • Develop the attack
  • Locate sites to send phishing email from
  • Locate sites to host the phishing site
  • Launch the attack
  • Collect results

22
Who will host our phishing site?
  • Over 12 different hosters

23
Checklist - Step 5
  • Get an email list
  • Develop the attack
  • Locate sites to send phishing email from
  • Locate sites to host the phishing site
  • Launch the attack
  • Collect results

24
Attack launched
25
Checklist - Step 6
  • Get an email list
  • Develop the attack
  • Locate sites to send phishing email from
  • Locate sites to host the phishing site
  • Launch the attack
  • Collect results

26
The results of our attack
  • 2,000,000 emails are sent
  • 5% get to the end user = 100,000 (APWG)
  • 5% click on the phishing link = 5,000 (APWG)
  • 2% enter data into the phishing site = 100 (Gartner)
  • $1,200 from each person who enters data (FTC)
  • Our potential reward: $120,000

In 2005 the David Levi gang made over $360,000 from 160 people using an eBay phishing scam
27
Money From Mayhem
28
A little phishing gang
  • The David Levi phishing gang (UK)
  • 6 members
  • Operated for 12 months
  • At least $360,000 from 160 people
  • Segmentation of jobs
    • Techie
    • Creative designer
    • Money laundering mule driver

Caught: received sentences from 1 to 4 years each
29
The phishing ecosystem
  • The Phisher
  • Construct: Email list, Sending Machines, Hosting Sites
  • Launch: Email, Web site
  • Collect: Account Info, Credit Info, Identity Info, Logins & Passwords
  • Phished information turned into Cash

30
The money laundering Mule
  • Make Money at Home
    • Recruits receive funds in their accounts
    • Transfer funds from their account via Western Union wire transfers to a 2nd (the phisher's) account
    • Paid 10% of the sum of each money transfer
    • One or two transfers each week, $3,000 to $5,000 each
  • Nations Welfare Foundation
    • Looking for a Financial Operations Manager
    • Transfer money for young cancer patients in the USSR
    • Real-looking web site complete with pictures
    • Paid 7%: can make $500 to $2,000 per week

31
The phishing ecosystem
  • The Phisher
  • Construct: Email list, Sending Machines, Hosting Sites
  • Launch: Email, Web site
  • Collect (Harvested Information): Account Info, Credit Info, Identity Info, Logins & Passwords
  • Phished information turned into Cash
32
The phishing ecosystem
  • The Phisher
  • Construct: Email list, Sending Machines, Hosting Sites
  • Launch: Email, Web site
  • Collect (Harvested Information): Account Info, Credit Info, Identity Info, Logins & Passwords
  • Phished information turned into Cash
  • Tools to the Trade
    • DHA
    • Site Crawlers
    • Spyware
    • Templates
    • Sitecopy / wget
    • Botnets
    • Trojans
    • Worms
    • Keyloggers
    • Hacks / Attacks
    • Real Domain Names

33
Botnets
  • Botnet: a collection of compromised computers that are run under a common control structure
  • Functions
    • Email senders: DHA, spam, phishing, virus
    • DoS attacks
  • Rented out for $300 to $700 per hour
  • Jeanson James Ancheta made $60,000 by selling access
  • Over 10,000 botnets become active each day (Symantec)

34
The name game
  • citibank-validate.info
  • earthlink-reactivation.net
  • services-bankofamerica.com
  • sales-aol.net
  • secure-ebay.com
  • msn-reactivation.net
  • secure-usbank.info
  • service-visa.net
  • verification-e-gold.com
  • rewardprogramsurvey.us
  • customer-verification.com
  • banking-account-renewal.com
  • security-update.cc
  • citibanhk.de (valid SSL certificate issued)
  • credltlyonaisse.com (registrar info copied)
  • paypal.com (Cyrillic "a" in the name)

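An added example (not from the presentation) of the kind of lookalike-domain check a defender can run over hostnames like the ones on this slide: it flags mixed-script homographs (the Cyrillic "a" in paypal.com), brand names embedded in an unrelated registered domain (secure-ebay.com, chaseonline.rewardprogramsurvey.us) and near-miss spellings (citibanhk.de). The BRANDS and LEGIT lists are constructed for the example, and the last-two-labels domain split stands in for a public-suffix list.

```python
import unicodedata
from difflib import SequenceMatcher

# Brand names to watch for and the domains they legitimately use.
# Both lists are constructed for this example.
BRANDS = ["citibank", "ebay", "paypal", "bankofamerica", "usbank", "visa", "chase"]
LEGIT = {"citibank.com", "ebay.com", "paypal.com", "bankofamerica.com",
         "usbank.com", "visa.com", "chase.com"}

def registered_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def mixed_script(host):
    """True if the host mixes letters from more than one script,
    e.g. a Cyrillic 'a' dropped into an otherwise Latin name."""
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in host if ch.isalpha()}
    return len(scripts) > 1

def assess(host):
    """Return the reasons a host looks like a brand lookalike ([] if none)."""
    host = host.lower()
    reasons = []
    if mixed_script(host):
        reasons.append("mixed-script letters (homograph)")
    reg = registered_domain(host)
    if reg in LEGIT:
        return reasons          # the brand's own domain (flagged only if homograph)
    sld = reg.split(".")[0]     # second-level label, e.g. 'citibanhk'
    for brand in BRANDS:
        if brand in host:
            reasons.append(f"brand '{brand}' inside non-brand domain '{reg}'")
            break
        if SequenceMatcher(None, brand, sld).ratio() >= 0.8:
            reasons.append(f"'{sld}' is a near-miss spelling of '{brand}'")
            break
    return reasons
```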
35
The phishing ecosystem
  • The Phisher
  • Construct: Email list, Sending Machines, Hosting Sites
  • Launch: Email, Web site
  • Collect (Harvested Information): Account Info, Credit Info, Identity Info, Logins & Passwords
  • Phished information turned into Cash
  • The Malware Community: Tools to the Trade
    • DHA
    • Site Crawlers
    • Spyware
    • Templates
    • Sitecopy / wget
    • Botnets
    • Trojans
    • Worms
    • Keyloggers
    • Hacks / Attacks
    • Real Domain Names

36
The phishing ecosystem
  • The Phisher
  • Construct: Email list, Sending Machines, Hosting Sites
  • Launch: Email, Web site (the Phishing Kit)
  • Collect (Harvested Information): Account Info, Credit Info, Identity Info, Logins & Passwords
  • Phished information turned into Cash
  • The Malware Community: Tools to the Trade
    • DHA
    • Site Crawlers
    • Spyware
    • Templates
    • Sitecopy / wget
    • Botnets
    • Trojans
    • Worms
    • Keyloggers
    • Hacks / Attacks
    • Real Domain Names

37
38
39
Scaling a phishing gang
  • The Campina Grande gang (Brazil)
  • 65 members
  • Operated for at least 3 months
  • 200 accounts in six banks
  • $4.7 million stolen from bank accounts

Feb 2006: 41 members caught, 24 more still on the run
40
The Four Parts of the Solution
41
The email process
  • The Brand: a company that sends email to its customers or employees and is therefore a target for phishing scams
  • The Web Site: the web site the email directs you to
  • The Mailman: a company that receives email and delivers it to its employees/customers
  • You: the person who receives the email
42
The brand
  • Cut-and-paste links, minimize links
  • Use personal information where possible
    • Dear John J. Smith
    • Account ending in 1234
    • Your zip code is 94304
  • Provide non-email ways to verify
  • Use standard company domain names
  • Identify your partners
  • Set and follow standard communication practices
    • Internally and externally

43
The mailman
  • Preemptive
    • Protect your email address
    • Phishing is more than spam: think virus
  • Technology
    • Multi-faceted solution, no silver bullet
    • Sender authentication and reputation, content, contact point divergence, URL exploits, real-time phish lists, etc.
    • World-wide community collaboration
    • Change is part of the business
  • Psychology
    • Educate your customers/employees: raise their PhishingIQ
    • Email is still good! Really, it is!

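The "contact point divergence" check listed above, as an added example that is not from the presentation: it parses an HTML mail body, compares the host each link really points to with the host shown in the link text and with the domain the mail claims to come from, and reports the mismatches. The sample body is constructed from the Chase lookalike URL shown earlier; the crude last-two-labels organisation test stands in for a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lower-cased hostname of a URL or bare domain ('' if there is none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def same_org(a, b):
    """Crude same-organisation test: identical last two labels."""
    return bool(a and b) and a.split(".")[-2:] == b.split(".")[-2:]

def divergent_links(sender_domain, html_body):
    """Report links whose real host differs from the host shown in the link text or from the sending domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Only treat the anchor text as a contact point if it looks like a URL/domain.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and not same_org(shown, real):
            findings.append(f"text shows {shown} but link goes to {real}")
        elif not same_org(sender_domain.lower(), real):
            findings.append(f"mail from {sender_domain} links to {real}")
    return findings

# Constructed sample body modelled on the Chase lookalike URL shown earlier.
SAMPLE_BODY = (
    '<p>Dear customer, please confirm your account at '
    '<a href="http://chaseonline.rewardprogramsurvey.us/">https://www.chase.com/survey</a>'
    ' or read our <a href="http://www.chase.com/help">help pages</a>.</p>'
)
```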
44
The web site
  • Company and personal sites
    • Monitor your site
    • Know your content
    • Practice good passwords
    • Keep logs, report phishing to authorities
  • Hosting services
    • Monitor new customers
    • Take phishing seriously
    • Unless they are eBay, assume they are not eBay!
  • Domain name registration services
    • Be diligent about domain registrations
    • Actively work to shut down phishing sites

45
You
  • Know your senders
    • Is this someone I do business with?
    • Is this something I was told I'd receive?
    • Look for other ways to respond
  • Be aware
    • Look for clues: improve your PhishingIQ
    • Don't be afraid to ask
  • Protect your system
    • Know how your system is updated
    • Check your records

46
What did we do today
  • Your PhishingIQ
  • Phishing 101
  • Mayhem and money
  • What to do about phishing
  • Take away: It's your money/identity/job that is lost!

47
Thank you
  • Andrew Klein
  • aklein_at_sonicwall.com
  • www.sonicwall.com