Ichthyological anatomy, or a study of phish

Michael Morgan IBM CERT A/NZ


This paper describes the progression of techniques for committing financial fraud, using social engineering and other methods to obtain financial credentials, and then covers the options available to financial institutions to defend themselves and their clients against exploitation of stolen credentials.

The examples are based on actual phishing expeditions against international banks and the steps taken in investigating and responding to these attacks, including the problems of obtaining a 'get out of jail free' card in such circumstances, and the embarrassment this might present.

The attacks reported range from emails inviting prospective victims to visit a fake website, through emails that incorporate logon processes within themselves and the hijacking of web-browsing activity, to keyloggers targeting specific financial institutions.

We conclude with some speculation on future vectors and possible steps to prevent widespread use of these vectors. These steps cover public education, supplementary authentication factors, behavioural analysis, and denial of services to potential perpetrators.

