What Phishers Know That You Don't
Today's headlines scream about phishing attacks that are stealing financial data, bilking billions from consumers, and contributing to identity theft. These news articles are soon followed by vendor press releases and dubious marketing propaganda seeking to capitalize on the buzzword hysteria.
Security professionals are left trying to separate the truth from the hype while looking to SSL, token authentication, e-mail encryption, A/V scanners, blacklist and take-down services for solutions. Each incident usually gets management very excited about protecting their customers and the brand.
Meanwhile, while gleefully jumping from foot to foot, the Phishers are having the last laugh because they know something you don't: None of this stuff actually works anyway. At least not for phishing scams. Don't get me wrong. These solutions have their time and place, just not when it comes to phishing and I'm here to tell you why.
Everyone's heard about "spoofed" e-mails compelling consumers to visit fake Web sites and fooling them into disclosing sensitive information. So I'm skipping that part of the conversation because it's boring. What's interesting are the increasingly sophisticated techniques Phishers are using to maintain their edge. Let's delve into the dark arts that render phishing attacks virtually impervious to the widely advertised solutions mentioned above.
Phishers are targeting consumers by exploiting Web security loopholes for financial gain. And it makes perfect sense that they would, because 9 out of 10 Web sites are vulnerable to something serious called cross-site scripting (XSS).
A recent report issued by the Anti-Phishing Working Group (APWG) states that Phishers are visibly employing cross-site scripting redirect attacks. "...Websense Security saw a number of attacks using cross-site scripting to redirect URLs from popular Web sites in order to better present themselves and as a means to prevent blocking," according to the APWG February 2005 Trends Report. Using specially crafted links, Phishers are piggybacking on legitimate domain names to pull off their scams.
Cross-site scripting is by far the most common and overlooked vulnerability in Web sites today. Coincidentally, XSS is just the "super" bait Phishers are looking for. XSS attacks are designed to target the users of a Web site, rather than the web server or operating system. A Web site is at risk if a coding oversight allows user-submitted content to be displayed without filtering out malicious data.
What a clever Phisher does is create a specially crafted link, laced with Web scripting code, and convinces a user to click on it. When the user clicks, the injected code executes and becomes part of the resulting Web page. This is where the Phisher's fun begins.
Consider the following example: http://therealwebsite.com/redirect/user/to/http://thefakewebsite.com
When a user looks at the above Web address, the link appears legitimate because the domain name shown is in fact the real Web site. Also, the link can be encoded to disguise its intention further. When the user clicks "therealwebsite.com," their browser is automatically redirected to "thefakewebsite.com," the Web address tacked onto the end of the link. From the user's perspective, everything appears to take place normally as they land on the fake page.
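The two coding oversights behind the attacks just described are a redirect handler that forwards the browser to whatever address is tacked onto the link, and a page that echoes user-submitted content back without encoding it. The example below is added here and is not code from the article or from any of the sites it names; the host names, the `/redirect?to=` parameter and all function names are assumptions. It goes a little beyond the single link shown above by also refusing the encoded and disguised variants the text alludes to (percent-encoded, protocol-relative `//host`, backslash, `ours.com@theirs.com` and `javascript:` forms), and it shows the unencoded echo beside its encoded counterpart.

```python
"""Added example (not from the article): a redirect endpoint and a reflected
page hardened against the open-redirect and XSS abuse the text describes.
ALLOWED_HOSTS, the "to" parameter and the function names are assumptions."""
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed: the only hosts this site is willing to redirect a browser to.
ALLOWED_HOSTS = frozenset({"therealwebsite.com", "www.therealwebsite.com"})
DEFAULT_LANDING = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return `target` only if it stays on our own site; otherwise `default`.

    Accepts a local path ("/account") or an http(s) URL whose host is on the
    allowlist. Everything else, including the disguises a crafted link may use,
    falls back to the default landing page.
    """
    if not target:
        return default
    # Decode before checking so "%2F%2Fevil.com" cannot hide from the tests below;
    # the decoded string is also what we return, so we check what we emit.
    candidate = unquote(target).strip()
    # Browsers treat backslashes in URLs as forward slashes; normalise first.
    candidate = candidate.replace("\\", "/")
    # Control characters have no business in a Location header.
    if any(ch in candidate for ch in "\r\n\t\x00"):
        return default
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
    except ValueError:            # malformed authority, e.g. a broken IPv6 literal
        return default

    if parts.scheme == "" and parts.netloc == "":
        # Relative path: allow "/account"; "//evil.com" never reaches here
        # because urlsplit puts "evil.com" into netloc.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default            # javascript:, data:, or scheme-less "//host"
    if host not in allowed_hosts:
        return default            # off-site, including "ours.com@theirs.com"
    return candidate


def handle_redirect(query_string):
    """Minimal stand-in for a /redirect endpoint: returns (status, headers)."""
    params = parse_qs(query_string, keep_blank_values=True)
    requested = params.get("to", [""])[0]
    return 302, {"Location": safe_redirect_target(requested)}


def render_search_page_unsafe(query):
    """The coding oversight: user input pasted straight into the page."""
    return "<p>Results for: {}</p>".format(query)


def render_search_page(query):
    """The fix: HTML-encode the echoed value so markup is shown, not executed."""
    return "<p>Results for: {}</p>".format(escape(query, quote=True))


if __name__ == "__main__":
    # Constructed sample query strings, the kind a crafted link would carry.
    for qs in ("to=/account",
               "to=http://thefakewebsite.com",
               "to=%2F%2Fthefakewebsite.com",
               "to=http://therealwebsite.com@thefakewebsite.com/",
               "to=https://therealwebsite.com/login"):
        print(qs, "->", handle_redirect(qs)[1]["Location"])
    print(render_search_page_unsafe("<b>plain</b>"))
    print(render_search_page("<b>plain</b>"))
```

The important design point is that the check and the emitted `Location` value are the same decoded string: validating one form of the address and then sending the browser another is exactly the gap an encoded link exploits. The allowlist is an exact host match rather than a substring test, so `therealwebsite.com.thefakewebsite.com` does not pass either.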
Prominent Web sites, including eBay, Google, Lycos, Citizens Bank, and SunTrust have been victimized by similar types of attacks. The good news is that consumers are wising up and learning how to identify this type of scam. The bad news is that the next-generation XSS attacks are proving nearly impossible for consumers to spot or for technology to identify.
These attacks actually convert the real Web site into the fake Web site, thereby making consumers increasingly likely to fall for the scam. Sounds like magic, doesn't it? But it's actually just a clever trick.