Phishers tapping botnets to automate attacks (criminals using home PCs to host baiting sites)
The Register (U.K.) | November 26, 2004 | John Leyden

Posted on 11/27/2004 9:47:32 AM PST by Stoat


Published Friday 26th November 2004 13:55 GMT
Computer criminals are making phishing more potent by automating attacks. Anti-Phishing Working Group (APWG) analysts reckon fraudsters are using automated tools and botnets to ramp up attacks. It estimates attacks grew by an average of 36 per cent a month between July and October.

Scam emails that form the basis of phishing attacks often pose as 'security check' requests from well-known businesses. These messages attempt to trick users into handing over their account details and passwords to bogus sites. The details collected this way are used for credit card fraud and identity theft. First seen more than a year ago, phishing emails are becoming increasingly sophisticated, directing users to bogus websites which accurately reproduce the look and feel of legitimate sites.

Home PCs used to host baiting sites

In October, there were 6597 new, unique phishing email messages reported to the APWG, compared to 2158 such reports in August. The number of active baiting sites reported to the APWG in October was 1142, 25 per cent up on September, targeting customers of 44 brands. According to the working group, fraudulent sites were online for an average of 6.4 days. The number of phishing sites hosted on compromised broadband PCs rose by more than 50 per cent.

APWG reports an explosion of phishing activity at the start of October. "Starting on the afternoon of 5 October, we started seeing a massive increase in the amount of phishing sites. Evidence indicated that the phishing exploits were not targeting one particular brand, but several targeted simultaneously. The one common theme of these phishing sites is that nearly all are being hosted on IP addresses and mostly outside of the US," the report states.

"It appears as though some sort of toolkit is available and/or a set of tools that are being used to produce similar exploits. The sudden large spike may, however, indicate that some automation may be involved. We are also seeing multiple brands being spoofed from the same machine over a few days. For example a site will be an eBay spoof one day, and then PayPal, then Citibank, etc. The content of the attacks is quite varied."

The US is home to the majority of these baiting sites, hosting 29 per cent of those reported to the APWG in October, a slight decrease over the month. China, Korea, and Russia are next on the list with 16 per cent, nine per cent, and eight per cent respectively of the total sites hosted. APWG's report, jointly written by security researchers at Websense and Tumbleweed Communications, is available here (PDF).

Let's factor out phishing

Services to monitor phishing attacks, allowing targeted sites to respond more quickly, or browser add-ons (such as Comodo's Verification Engine) that allow consumers to detect fraudulent sites have been developed by security firms to tackle the problem. One promising approach is to apply two-factor authentication, long a mainstay of corporate remote access, to internet banking. Swiss and Scandinavian banks have been using this approach for some time but use of the technique is rare in the US and UK, for example.

Earlier this month two New Zealand banks - ASB and Bank Direct - set up a service to provide two-factor authentication with text messages to their customers' mobile phones to authorise transactions over $2500. The service, called Netcode, uses technology from RSA Security. Independent security experts think the idea shows considerable promise.

"The scheme is elegant, simple to use, cost-effective and requires no new hardware outlay," said Pete Simpson, ThreatLab Manager at security firm CLEARSWIFT. "This will thwart phishers who lure victims to fake websites and will defeat those that surf to the real site and display impostor popups for input of credentials. Clearly, those older attacks using HTML forms in the email are also dead-in-the-water."

Related stories

Phishing for dummies: hook, line and sinker
Botnets trawl for phishing victims
UK preps major security awareness campaign
Four charged in landmark UK phishing case
UK banks launch anti-phishing website



TOPICS: Business/Economy; Crime/Corruption; Front Page News; Miscellaneous; News/Current Events; Technical
KEYWORDS: computer; computing; crime; criminals; getamac; internet; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; patch; phishers; phishing; securityflaw; virus; windows; worm

1 posted on 11/27/2004 9:47:34 AM PST by Stoat
[ Post Reply | Private Reply | View Replies]
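The SMS second factor the article describes (a code texted to the customer to authorise transfers above a threshold) is most useful when the code is bound to the specific transaction, which is what defeats the "impostor popup" attack Simpson mentions: a code phished for one transfer cannot authorise a different payee or amount. The following is an added example, not the Netcode service or RSA's code; the threshold is taken from the article's $2500 figure, while the five-minute code lifetime, the HMAC derivation and the account numbers are assumptions made for the demo.

```python
"""Transaction-bound one-time codes for a second factor delivered out of band.

Added example, not the Netcode service or RSA's implementation. Assumptions:
the $2500 threshold from the article, a five-minute code lifetime, an HMAC
derivation similar to HOTP, and constructed account numbers.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

THRESHOLD = 2500          # from the article; transfers above this need a code
CODE_TTL_SECONDS = 300    # assumed lifetime of an issued code
CODE_DIGITS = 6


@dataclass(frozen=True)
class Transaction:
    payee_account: str
    amount: int           # whole dollars for the demo


@dataclass
class PendingCode:
    challenge: bytes
    issued_at: float
    used: bool = False


class TransactionAuthoriser:
    """Bank-side state for one customer: a shared secret plus pending challenges."""

    def __init__(self, customer_secret, clock=time.time):
        self._secret = customer_secret
        self._clock = clock
        self._pending = {}    # Transaction -> PendingCode

    def needs_second_factor(self, txn):
        return txn.amount > THRESHOLD

    def request_code(self, txn):
        """Issue the code the bank would text to the customer for this transfer."""
        challenge = secrets.token_bytes(16)
        self._pending[txn] = PendingCode(challenge, self._clock())
        return self._derive_code(txn, challenge)

    def _derive_code(self, txn, challenge):
        # Payee and amount go into the MAC, so a code issued for one transfer
        # cannot be reused to authorise a transfer to a different account.
        msg = f"{txn.payee_account}|{txn.amount}|".encode() + challenge
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F                       # HOTP-style truncation
        value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

    def authorise(self, txn, presented_code):
        """True only if the code matches this exact transaction, is fresh and unused."""
        if not self.needs_second_factor(txn):
            return True
        pending = self._pending.get(txn)
        if pending is None or pending.used:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[txn]
            return False
        ok = hmac.compare_digest(self._derive_code(txn, pending.challenge), presented_code)
        if ok:
            pending.used = True
        return ok


def demo():
    """Walk through the cases a defender cares about; returns the outcome per case."""
    clock = [1_000_000.0]                                # controllable clock for the demo
    bank = TransactionAuthoriser(b"constructed per-customer secret", clock=lambda: clock[0])
    own_payee = "NZ-00-0000-0000001-00"                  # constructed account numbers
    attacker = "NZ-99-9999-9999999-99"
    small = Transaction(own_payee, 500)
    large = Transaction(own_payee, 4000)
    diverted = Transaction(attacker, 4000)

    code = bank.request_code(large)
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "below_threshold_no_code": bank.authorise(small, ""),
        "wrong_code": bank.authorise(large, wrong),
        "code_reused_for_other_payee": bank.authorise(diverted, code),
        "correct_code": bank.authorise(large, code),
        "replay_of_used_code": bank.authorise(large, code),
    }
    stale = bank.request_code(large)
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_code"] = bank.authorise(large, stale)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32s} {'AUTHORISED' if outcome else 'REFUSED'}")
```

Running the file prints the outcome of each scenario in `demo()`. The property worth noting is that the code issued for the $4000 transfer to the customer's own payee is refused for the same amount sent to a different account, is refused a second time once used, and is refused after its lifetime has passed; a code that is only "prove you have the phone" would pass the first of those.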

To: Stoat

Hey Stoat, thanks for putting this up. I hope many more people are warned about giving out their personal information over the internet.


2 posted on 11/27/2004 9:51:54 AM PST by Libertina (We praise You Lord, You have granted America a Christian leader!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Stoat
Source: TechWeb
Bot Networks Behind Big Boost In Phishing Attacks
November 24, 2004
By Gregg Keizer

Phishing fraudsters dramatically anted up last month by using automated tools and networks of hacked computers to double the number of sites that illegally collect financial information, the Anti-Phishing Working Group (APWG) said Wednesday.

A massive spike in the number of phishing sites in October led the group's analysts to conclude that criminals are getting more sophisticated in their attack techniques and technologies. From September to October, phishing sites increased more than 100 percent.

"Some automation had to be involved, with a bot network to either send more e-mails and/or host more sites," said Dan Hubbard, the senior director of security at Websense, one of the two investigators who analyzed the phishing data for the group.

"In October, not only did the amount of reported phishing e-mails increase, but the number of phishing sites that were unique dramatically spiked," said Hubbard. "Once we started investigating the characteristics of those sites, a lot of same traits kept repeating."

The shared characteristics of those phishing sites -- which host phony pages that look remarkably like real credit card, bank, online retailer, or e-payment sites -- ranged from using a little-known Web server to being hosted on broadband-connected systems to running at IP addresses outside the U.S.

More than half of the phishing sites, for instance, are hosted on what appear to be broadband-connected PCs, and the common Web server -- SHS -- is a favorite of phishers, since its small footprint makes it easy to plant on a hacked PC.

"Our suspicion that it's a bot network [behind the increase] is really based on these shared characteristics," admitted Hubbard.

A bot network is a collection of already-hacked machines, often compromised weeks or months earlier by attackers using worms or viruses to plant backdoor components. Those backdoors let the attackers access the machines anytime they want, for any purpose. Spammers, hackers, and other cyber-criminals are thought to be acquiring or renting bot networks to do their dirty work, making it harder for authorities to track down the real culprits.

Scammers probably have other tools at their disposal besides the bot networks, the APWG said. "It appears as though some sort of toolkit is available [to phishers] and/or a set of tools that are being used to produce similar exploits," said Hubbard. Unfortunately, no one has yet "captured" a copy of this toolkit.

"There's no question that we're starting to see more and more sophisticated phishing attacks," said Hubbard. Phishers are running multiple phony sites from one hacked PC, he said, and beginning to blend spyware and phishing tactics to run application-level attacks which plant a keylogger on a machine and then silently watch for passwords or account numbers for specific targets, like an online banking session.

"Multiple brands are being spoofed from the same machine over a few days," he said. "A site will be an eBay spoof one day, PayPal the next, then Citibank. They're getting smarter. Why not host multiple targets on one machine?

"The problem's getting worse," Hubbard admitted. "Not only are the number of phishing sites up and attacks getting more aggressive, but even small targets are being scammed." In the last several days, for instance, Websense sent out alerts that several small banks were being hit with phishing scams. On Tuesday, it discovered the first attack written in Swedish, one that targeted users of the Eurocard.

Nor will they cease anytime soon.

"Just put two and two together," urged Hubbard. "If [scammers] weren't successful we wouldn't see a rise in the sophistication and the number of attacks."

3 posted on 11/27/2004 9:56:49 AM PST by Eagle9
[ Post Reply | Private Reply | To 1 | View Replies]
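The shared traits Hubbard lists (raw IP addresses instead of host names, the small "SHS" server banner, broadband-hosted machines, several brands served from one box over a few days) can be turned into simple triage for a feed of reported URLs. The script below is an added example, not APWG, Websense or Tumbleweed tooling; the report records and the brand-to-domain table are constructed for the demo, and the indicator scoring is an assumption.

```python
"""Triage of reported phishing URLs using the shared traits the APWG analysts describe.

Added example, not APWG, Websense or Tumbleweed tooling. The report records and
the brand-to-domain table are constructed for the demo; scoring is an assumption.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed legitimate domains for brands named in the thread.
BRAND_DOMAINS = {
    "ebay": ("ebay.com",),
    "paypal": ("paypal.com",),
    "citibank": ("citibank.com", "citi.com"),
}

# Constructed sample: (date reported, URL, Server header seen by the reporter).
REPORTS = [
    ("2004-10-05", "http://203.0.113.7/ebay/signin.html", "SHS"),
    ("2004-10-06", "http://203.0.113.7/paypal/cgi-bin/webscr.htm", "SHS"),
    ("2004-10-07", "http://203.0.113.7:8080/citibank/login.htm", "SHS"),
    ("2004-10-06", "http://signin.ebay.com/ws/eBayISAPI.dll", "Apache"),
    ("2004-10-08", "http://paypal-verify.example.net/update.php", "Apache"),
]


def analyse_url(url):
    """Per-URL indicators: raw-IP host, odd port, brand named but on the wrong domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    haystack = host + parts.path.lower()
    try:
        ipaddress.ip_address(host)
        ip_literal = True
    except ValueError:
        ip_literal = False
    brands = {b for b in BRAND_DOMAINS if b in haystack}

    def on_legit_domain(brand):
        return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

    default_port = 443 if parts.scheme == "https" else 80
    return {
        "host": host,
        "ip_literal_host": ip_literal,
        "nonstandard_port": parts.port not in (None, default_port),
        "brands": brands,
        "brand_domain_mismatch": {b for b in brands if not on_legit_domain(b)},
    }


def summarise(reports):
    """Group reports by host and count the traits that point to a compromised box."""
    per_host = defaultdict(lambda: {"brands": set(), "dates": set(), "indicators": set()})
    for date, url, server in reports:
        a = analyse_url(url)
        entry = per_host[a["host"]]
        entry["brands"] |= a["brands"]
        entry["dates"].add(date)
        if a["ip_literal_host"]:
            entry["indicators"].add("ip_literal_host")
        if a["nonstandard_port"]:
            entry["indicators"].add("nonstandard_port")
        if a["brand_domain_mismatch"]:
            entry["indicators"].add("brand_domain_mismatch")
        if server.strip().lower() == "shs":
            entry["indicators"].add("shs_server")   # the small server Hubbard mentions
    summary = {}
    for host, e in per_host.items():
        if len(e["brands"]) > 1:
            e["indicators"].add("multiple_brands_same_host")
        summary[host] = {
            "brands": sorted(e["brands"]),
            "days_seen": len(e["dates"]),
            "indicators": sorted(e["indicators"]),
            "score": len(e["indicators"]),
        }
    return summary


if __name__ == "__main__":
    ranked = sorted(summarise(REPORTS).items(), key=lambda kv: -kv[1]["score"])
    for host, info in ranked:
        print(f"{info['score']}  {host:28s} brands={info['brands']} "
              f"days={info['days_seen']} {info['indicators']}")
```

On the constructed sample the raw-IP host that served eBay, PayPal and Citibank pages on three consecutive days scores on every indicator, the genuine eBay sign-in URL scores zero, and the look-alike domain is flagged only for naming a brand it does not belong to. Grouping by host rather than by URL is what surfaces the "several brands from one machine" pattern the report describes.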

To: Stoat

Is there any web site, governmental or otherwise, that tracks how many of these crooks are actually caught and executed?


4 posted on 11/27/2004 10:00:35 AM PST by Publius6961 (The most abundant things in the universe are hydrogen and stupidity.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: sandviper
NEVER, NEVER, NEVER! GIVE OUT INFORMATION REQUESTED THRU EMAIL. This includes any and all info, i.e. name, SSAN, address. No ethical company will ask for this info.

I use the internet to do a ton of business but do it thru a third party such as PayPal and have never been burned.

5 posted on 11/27/2004 10:09:38 AM PST by sandviper
[ Post Reply | Private Reply | To 2 | View Replies]

To: Stoat
Are most broadband users unaware of on-going internet activity on their machines? Do they not notice that their modem lights are blinking for long periods of time even though they themselves aren't currently engaged in downloading or uploading? Do they not have firewall programs (such as ZoneAlarm) that graphically indicate when downloading and uploading activities are taking place?

...

Never mind.

6 posted on 11/27/2004 10:12:02 AM PST by snarks_when_bored
[ Post Reply | Private Reply | To 1 | View Replies]

To: snarks_when_bored

I visited one of my sisters yesterday. She has had her new computer for one month. She has a cable modem. She has an expired trial version of Norton Anti-Virus, and no plans to buy it. She doesn't have a software firewall or a NAT router. I cleaned 91 pieces of spyware off for her. I told her what she needed to do and she said she didn't care. She thinks it's the job of the ISP and Microsoft to keep the Internet and her machine clean and there's nothing you can say to change her mind.


7 posted on 11/27/2004 11:48:37 AM PST by Musket
[ Post Reply | Private Reply | To 6 | View Replies]

To: All
OK, just a few odd misconceptions in the article that have me wondering.

"The one common theme of these phishing sites is that nearly all are being hosted on IP addresses and mostly outside of the US," the report states.

The author has to be a Mac user. Everything is hosted on an IP address; www.whatever.com is just easier to remember than 199.15.126.3/index.htm. Come on, people, at least send a reporter that knows something about computers to do a computer story.

.... and a few lines down:

"The US is home to the majority of these baiting sites, hosting 29 per cent of those reported to the APWG in October"

So which is it? Are they being hosted mainly in the US or mainly overseas? Consistency please!

OK, here's the trick to safer DSL/cable:

1) If someone really wants to mess with your computer they will more than likely be able to do it (thank you, Big Brother and Intel). If you're worried about someone seeing financial data on your computer, make sure that computer never hits the net and is a stand-alone. That is the only 100% way that your data will not get hacked.

2) Use a firewall and keep it updated. You want one that blocks all ports (ports are basically what lane on the freeway the info travels on; www is port 80, but folks can hit you on any number of ports) and has the option of stopping all data flow in and out when you tell it to (like when you're going to work or off to bed).

3) KILL ALL SPYWARE! This stuff comes embedded in free download programs. Depending on what it does, it can just forward your cookies to a third party (tracks where you surf), or it can record your keystrokes and send them back to them (great way to steal someone's passwords and account numbers, btw).

4) Keep your anti-virus up to date and every so often go to your anti-virus web site and have them run a remote scan. Some of these new nasties trick your Norton into thinking "nothing's wrong, just skip over me", and having a remote computer scan for these little nasties is a big help.

5) Use common sense. Never send any password info that you don't want anyone to see over a site that doesn't have the little pic of the lock on the bottom of your browser when you're on that site.

6) Make your passwords hard to crack. Don't use a password like PeggysCar. Most passwords are case sensitive, so PeggysCar is better than peggyscar, but you'd be better off with a password that looked like #P&gg^$ C@r: a little bit harder to remember but a lot harder to break, and some places will let you use a space in a password if you can do it. Keep all passwords over 8 letters or numbers (goes back to binary: 8 numbers has to be spread out on 2 bits instead of 1, making it a little more secure, and when they play with the algorithms they can scramble it better).

7) E-mail is cheap and easy to send. If it sounds too good to be true, it is. Microsoft is not going to pay you to forward this e-mail to a bunch of people. Some rich guy in South Africa is not going to wire you money so he can move his family; don't send him your bank number. You didn't just win the lottery from Europe; if you did, they would send you a Western Union message, not an e-mail.

8) Use Netscape or some other third-party browser. Internet Explorer has always been buggy, and since it's the most commonly used, it's the one the hackers go after first.

8 posted on 11/27/2004 12:16:02 PM PST by RichLane
[ Post Reply | Private Reply | To 6 | View Replies]

To: Musket
...She thinks it's the job of the ISP and Microsoft to keep the Internet and her machine clean and there's nothing you can say to change her mind....

Democrat, right?

9 posted on 11/27/2004 12:41:10 PM PST by FReepaholic (Proud FReeper since 1998. Proud monthly donor.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: RichLane
"The one common theme of these phishing sites is that nearly all are being hosted on IP addresses and mostly outside of the US," the report states.

I think this means that (1) the actual sites run by the phishers themselves (on which they trade information and/or tools with each other) are hosted on IP numbers for which 'whois' returns no WWW address, and (2) these IP numbers are on overseas sub-nets.

10 posted on 11/27/2004 12:48:48 PM PST by snarks_when_bored
[ Post Reply | Private Reply | To 8 | View Replies]

To: tscislaw

LOL! Absolutely.


11 posted on 11/27/2004 12:51:19 PM PST by Musket
[ Post Reply | Private Reply | To 9 | View Replies]

To: Musket

My condolences ...


12 posted on 11/27/2004 12:52:10 PM PST by snarks_when_bored
[ Post Reply | Private Reply | To 7 | View Replies]

To: Alabama MOM

Ping


13 posted on 11/27/2004 12:53:35 PM PST by nw_arizona_granny (Today, please pray for God's miracle, we are not going to make it without him.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Stoat
Scam emails that form the basis of phishing attacks

I have seen a large increase in the number of these I receive, relating to eBay and PayPal accounts.

They should be forwarded to spoof@ebay.com and spoof@paypal.com

14 posted on 11/27/2004 12:56:41 PM PST by Flyer (Prosecute Vote Fraud!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Musket
Did you explain to her that if Microsoft and her ISP take care of that for her, they also will tell her where she can and can't surf? Won't she be mad if they told her that "No, you can't use Yahoo mail any more, because we're Microsoft and we say you have to use Hotmail!" Or "No, you can't go to FreeRepublic.com because we think they are hate mongers, but you can go to DU all you want." Hackers are the nuisance we have to put up with in order to have a free network. And in order to have freedom you have to be willing to pay a little more a year to buy anti-virus software and keep a current firewall up. Or the other approach is to sell her on dial-up; that way there is not an easy target static IP number.
15 posted on 11/27/2004 12:57:35 PM PST by RichLane
[ Post Reply | Private Reply | To 7 | View Replies]

To: Musket
Never mind #15; don't confuse her with the facts, her mind is made up.
16 posted on 11/27/2004 1:07:19 PM PST by RichLane
[ Post Reply | Private Reply | To 11 | View Replies]

To: RichLane

She wouldn't care. With her it's in one ear and out the other. I suspect she'll either go down from a virus or become so infested with crapware that it'll be unusable, and then she'll reinstall and start from scratch.


17 posted on 11/27/2004 1:11:09 PM PST by Musket
[ Post Reply | Private Reply | To 15 | View Replies]

To: Musket
Hey now, you can't discriminate against crapware. Just because it's vile, evil and out to get you, it must not be discriminated against. Just like Islam.
18 posted on 11/27/2004 1:31:41 PM PST by RichLane
[ Post Reply | Private Reply | To 17 | View Replies]

To: Stoat

bump


19 posted on 11/27/2004 1:33:12 PM PST by VOA
[ Post Reply | Private Reply | To 1 | View Replies]

To: snarks_when_bored

I have a broadband cable modem. The data light blinks constantly, it never stops. I also have a NAT router. The router sees data in constantly, but does not pass any of it on to my computer.

I also have all e-mail protocols, ports, whatever, blocked. Even if I get infected with an e-mail virus, very unlikely on my Mac, my machine only sends e-mail for the brief periods when I unblock the router.


20 posted on 11/27/2004 1:48:21 PM PST by jimtorr
[ Post Reply | Private Reply | To 6 | View Replies]

