Phishing and fraud: the make-believe industry

2013-04-04

Bianca Dima

Bitdefender, Romania

Alin Damian

Bitdefender, Romania
Editor: Helen Martin

Abstract

The digitization of shopping and banking, the increasing use of social media, and the popularity of the Internet have made users more vulnerable to phishing, identity theft and other forms of online fraud. Bianca Dima and Alin Damian outline some subtle differences between two of the fastest growing online traps, phishing and fraud, and highlight some of the mechanisms that fool people into placing their sensitive data and money into the hands of the attackers.


The digitization of shopping and banking, the increasing use of social media, and the popularity of the Internet have made users more vulnerable to phishing, identity theft and other forms of online fraud. In 2012, phishing caused losses of $1.5 billion globally, according to security firm RSA [1], and the number of attacks launched under this umbrella last year was 59% higher than in the previous year.

Cybercriminals’ earnings are likely to be a lot higher, as these figures were determined based only on registered incidents. Statistics from the Internet Crime Complaint Center [2] reveal that the most common complaints refer to police impersonation scams, identity theft and advance fee fraud.

The majority of e-threats are commercially driven, but differences exist between the targets and methods used to trick unwary users. Phishing, for instance, may have immediate, direct monetization objectives, but the initial goal of other fraudulent schemes, such as employment scams, may be identity theft or the recruitment of money mules.

This paper aims to outline some subtle differences between two of the fastest growing online traps, phishing and fraud, and to shed light on the mechanisms that fool people into placing their sensitive data and money into the hands of the attackers.

1. Phishing

1.1 Definition

Phishing is a money-making social engineering scam whereby users have their personal details stolen through fake websites that mimic the websites of real organizations. Hundreds of fake websites are created and thousands of users are tricked every day.

Credit card details, social security numbers, usernames and passwords are among the many details mined through phishing attacks. Relying on finely tuned persuasive techniques and heavily exploiting the psychological triggers of online behaviour, phishing has been around for over 16 years, and is likely to remain a top threat for the foreseeable future.

1.2 How do they do it?

Scammers create a sense of urgency by warning users that they will have their accounts suspended or lose their money or personal data, or by making an incredible sounding offer that is set to expire within a short period (e.g. 24 hours).

The sense of urgency encourages victims to respond to the bait, in doing so delivering their sensitive details to the criminals’ databases.

According to McGrath and Gupta’s study on the modi operandi of phishing [3], a phishing domain is live on average for three days, 31 minutes and eight seconds. Though phishing attack numbers continue to climb, the median attack duration (uptime) decreased in 2012 from 15.3 hours per attack to 11.72 hours per attack [4]. The RSA H1 2012 report [5] concluded that ‘Had attack medians remained the same, the monetary losses to phishing in H1 2012 would have exceeded US$897 million.’

1.3 Industries at gunpoint

Financial institutions, payment and retail services are the industries that are most commonly targeted by phishers. According to Bitdefender, some of the most well known brands used for phishing purposes include PayPal, Visa, Citibank, Bank of America, AOL, Wells Fargo and MasterCard – but cybercriminals also keep popular social networks and gaming platforms at gunpoint. The list of affected companies grows continuously, taking in countless brands and industries.

Most phishing web pages are placed under hacked URLs and are spread rapidly through spam, social media scams and poisoned web searches. In addition, highly targeted attacks such as spear phishing or whaling are directed at specific organizations and individuals.

More than half of the respondents of a Proofpoint survey [6] in June 2012 believed that, in the past year, their organization had been targeted by a spear phishing attack designed specifically to trick its employees.

The US is still the country that hosts the greatest number of phishing URLs, which can be explained by the fact that it hosts most of the world’s websites and domains. According to the Bitdefender GeoIP analysis, the UK, Brazil, Canada and Germany are also the source of a significant number of phishing sites.

1.4 Phishing arsenal

Cybercriminals employ an extensive range of techniques to acquire sensitive information. In addition to typosquatting and manipulating subdomains, phishers also use link descriptions that suggest a trustworthy destination: in more complex attacks, the descriptive text is displayed when users hover the cursor over a link in the browser. An alternative trick uses JavaScript commands, which enable phishers to place an image of a genuine URL over the address bar, thus obscuring the phishing URL, or to open a new address bar containing a legitimate URL, once again obscuring the real phishing address.

Another tactic exploits vulnerable servers that host several websites. By adding a phishing page to each of the domains on the server, hundreds of phishing URLs can be created at different online locations and the scam will spread more efficiently.

Users may also be brought to phony websites through ‘tabnabbing’, a computer exploit and phishing technique which silently redirects them to the phishing location after manipulating multiple browser tabs.

2. Fraud

In the past couple of years, an increasing number of fraudulent websites have appeared impersonating hotels, banks, law firms, shops, online casinos, rental and escrow firms. Categories of scams include advance fee fraud, employment scams, conference fraud, money loan, pay per click, piracy, lottery and pet scams.

These types of fraud tend to be more targeted than (classic) phishing and the attackers make their money from small, gradual attacks. The average term for the registration of a fraudulent domain is one year.

2.1 Fake banks

Fake banks reign supreme in the online fraud category. Many of the websites are made to look very realistic, with logos and banners that are identical to those of their genuine counterparts, as well as very similar names and URLs.

Some of the recent fake bank URLs we have seen include capitalfinancebank.com, bancogulfbank.net, emspostonline.com and bancosantanderempresas.com.

While carefully orchestrated bank phishing requires the exact design of a genuine website to be copied, fake bank sites tend to focus on copying logos and banners, giving a twist to the look and feel of authentic sites. Fake banks may be used to bolster the claims of a scammer who is usually engaged in other fraud such as a standard advance fee fraud. The financial brands that fake websites are currently most commonly based around are HSBC, Santander, Wells Fargo and Sun Trust.

Figure 1. A fake bank site.

2.2 Fake law firms

Some scammers register websites for fake legal firms – claiming to specialize in particular areas of practice such as petroleum and gas, banking, finance or taxation. They then attract users with links spread through targeted attacks. Commonly, fake law firms contact victims with demands for payment of fines, debt collection, cease-and-desist notices and so on.

Figure 2. Fake law firm claiming its ‘sole mission is the total satisfaction of [its] clients’.

2.3 Fake hotels

Fraudsters also set up fake hotel websites. One of the most common ways in which these are used is in job scams – through the ‘careers’ section of the site, innocent users are tempted with the prospect of job vacancies. Fake hotel sites are often used to recruit money mules via this method: victims unwittingly transfer illegally gained money on behalf of the scammers to make it untraceable, or become accomplices for a percentage of the revenues.

Other ways in which fake hotel sites are used to generate income for the scammers include asking victims to make an advance payment for the booking of a (non-existent) room.

Many fake websites are even better crafted than some legitimate ones, but an attentive eye will catch clues as to their lack of authenticity. For instance, one fake hotel site listed a phone number that was located in the US, while the address took users to a park in Montréal, Canada (see Figure 3).

Figure 3. Fake hotel site: the address given for the hotel was in Montréal, Canada, the map shows Central Park in New York, and the phone number is a US number.

2.4 Lottery scams

Lottery scams are among the most common scams on the Internet, targeting users who are apparently unaware that they first have to play the lottery in order to win it.

Fraudsters inform victims that they have won a lottery or sweepstake, but in order to receive the lump sum payout, they must first pay some taxes and processing fees. Lottery scams tend to be more effective when promoted through fake websites rather than widespread spam campaigns.

2.5 Russian oil scams

This fraud targets people looking for investment opportunities. Some Russian oil scams use fake banks to issue bogus cheques and facilitate advance fee payments which the scammers claim are customary in Russia. Criminals may also set up fake law firms, shipping companies and even government websites to give the process a more legitimate feel. The purpose is to fool the victim into paying advance fees for (non-existent) oil or other commodities.

2.6 Rental scams

Fake property rental sites are used by scammers to lure users searching for accommodation. Fake listings are posted to various property search sites, which link to fake sites that are made to look genuine by including property descriptions, photographs and addresses. The scammers make their money by insisting that the prospective tenants make a payment (often via money transfer) and/or submit their personal details, either as a reservation fee for the property or as an upfront payment of housing expenses.

Figure 4. Rental fraud site.

2.7 Fake shops

As sales figures for online shopping continue to rise, users should be aware of an increasing number of fake stores. Fraudsters attract victims by offering low prices, incredible offers that will expire within a short time frame, or claiming to have goods in stock that are in short supply elsewhere.

2.8 Escrow scams

Internet escrow services are used as an intermediary between buyers and sellers when they don’t know (or trust) each other. With the growing popularity of these services, scammers are setting up an increasing number of fake escrow websites to deliver ‘secure’ transactions.

The scammer poses as the recipient of money/seller of goods and then requests the use of an escrow service to complete the transaction – which is, in fact, the scammer’s own service. The victim sends money to the escrow service, at which point the scammer closes the site down, pocketing the money.

Genuine escrow sites are specifically set up to handle users’ money, so the involvement of third parties such as MoneyGram or Western Union should be a warning sign.

Figure 5. Fake escrow service.

Another sign to look out for is a secure server connection (SSL) – legitimate escrow websites will use secure connections to protect their customers, so it is wise to check for https:// in the browser address bar. (However, fraudulent websites have been known to ‘borrow’ the logo of SSL verification services such as VeriSign, so users should always check that the site is listed by the relevant authentication company.)

2.9 Advance fee fraud

Advance fee fraud (also known as ‘foreign money transfer scams’ or ‘419 fraud’) is a method used by scammers to make quick money and sometimes to steal users’ identities. It involves the victim paying an initial sum of money (sometimes in several instalments), on the understanding that not only will it be refunded, but that they will receive a share of a much larger sum once the initial transfer (usually to a foreign country) has been made. Western Union and MoneyGram are the two most popular money transfer services used by scammers wanting to obscure their trail.

Victims may be duped into parting with their money after receiving a ‘business proposal’, usually describing some urgent need to transfer a large sum of money out of the country, and requesting assistance in doing so.

2.10 Pet scams

Buying or adopting pets online has become a risky business, as scammers have infiltrated legitimate services. They advertise animals (often particularly popular breeds, at very competitive prices) via various online services and usually claim that the animal has to be shipped to the recipient, requiring various fees to be paid up front. Of course, in reality the animals do not exist.

2.11 Loan scams

Loan scammers trick victims with the lure of very low interest rates. They entice them to fake websites, then request advance fees for setting the loan up, citing reasons such as insurance, deposits, certificates or registration.

2.12 Employment scams

In employment scams, scammers posing as recruitment agencies or employers offer attractive job opportunities but require the applicant (victim) to make advance payments for things such as work visas, travel expenses, finder’s fees and so on. Names, addresses, banking information and other personal details obtained throughout the ‘recruitment’ process may also be used for identity theft.

2.13 Warez and piracy

Fake warez and piracy websites usually appear in search results when users are looking for pirated software or ‘original’ software for a lower price than is available on the legitimate market. The sites usually take the users through several loops to reach a download link – which is fake. Either the promised software doesn’t exist, or it has malicious components. Users risk having their money and credit card details stolen, and may end up with malware on their devices as well.

2.14 Pay-per-click fraud

In pay-per-click advertising, publishers display clickable links in exchange for a fee for each time someone clicks on the link, taking them through to the advertiser’s website.

Fake pay-per-click companies target advertisers seeking to increase the volume of visitors to their website. Victims are asked to pay a fee and hand over their details in advance. Fake hits are then created either manually or by automated means.

2.15 Conference scams

Fake conference websites are set up to collect fees and personal details from potential conference participants.

Targeted emails are sent inviting the recipient to the fictitious conference and including a link to the fake conference website. Typically, participants are asked to provide their personal details and to make an upfront payment, either as a conference registration fee, for the reservation of hotel accommodation, or even for assistance with visa application processing and travel booking.

The scammers go to considerable lengths to make the fake websites look authentic, and target their scams carefully – examples of conferences scams seen recently include conferences on climate change, human rights issues and biochemistry, NGO workshops and many more.

3. Phishing and fraud: differences

Phishing and fraud may be driven by the same money making goals, but subtle differences between their mechanisms justify separate classification and blacklisting processes.

  | Differences | Phishing                  | Fraud
1 | Uptime      | Short period of time      | Longer period of time
2 | Domain      | Hijacked                  | Specially designed
3 | Promotion   | Widespread spam campaigns | Targeted social media campaigns

Table 1. Differences between phishing and fraud.

3.1 Uptime

One important distinction focuses on the median attack duration (uptime). The average length of time that a phishing attack is online is shorter than the uptime of a targeted fraud or fake website created from scratch.

This may be due to the fact that organizations and hosting companies have become better at detecting phished URLs that damage their brand and reputation. In registering and creating a website from scratch for a completely fictitious organization, fraudsters rarely affect renowned brands. With fake banks, the potential for damage is greater, as fraudsters often try to pose as the local offices of legitimate financial institutions.

Individual users rarely have the know-how or power to fight targeted fraud, and even financial institutions do not always put up their best weapons in the battle against fraud. Europol’s 2012 payment card fraud report stated: ‘Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards.’ [7], [8].

Different promotion strategies also allow fraudulent websites to have a longer uptime, while phished websites are taken down more rapidly. Depending on how heavily they are promoted, some fraudulent URLs persist for longer than others.

3.2 Domain and URL management

Phishing web pages aim to replicate the exact content of websites owned by real organizations – most commonly a bank or a payment service – usually on a hacked or compromised domain. Cases of fraud, however, often have bogus entities created from scratch, using domains bought anonymously and registered for a longer period.

Another contrast between phishing and fraud is the manipulation of addresses. For instance, the URL of a legitimate hotel’s website, ‘http://realandnicehotel.com’, might be used as the basis for a fake website, ‘http://realand-nicehotel.com’.

When creating URLs, cybercriminals sometimes aim to create the impression that the fake site is affiliated to a legitimate company. Meanwhile, (most) phishing URLs are less well crafted, as they are usually placed on compromised legitimate domains.

To make the scams more believable, more than 90% of fake banks and financial institutions are registered on the top level domain ‘.com’. The second choice for fraudsters is ‘.net’ (almost 4%), followed by ‘.biz’, ‘.org’ and ‘.uk’, each with 2% of the overall fake banks registered.

Many fraudulent websites (over 90%) are registered for just a year, which is something to check using the WHOIS tools available on the Internet. In most cases, a one-year registration combined with a webmail address for the registrant (e.g. Yahoo!, Gmail or Hotmail) is a strong indication of a scam.

3.3 Promotion techniques

Phished pages are promoted intensively through spam and social media, while fraudulent sites rely on more targeted techniques which attract less attention, as attackers want to avoid having their websites taken down by hosting companies.

4. Guidelines

The following are some tips to help users stay away from fraud and phishing attacks:

  • Before making any payment online, booking a hotel room or hiring a law firm, check the WHOIS information for the website, which will give you clues about the website’s domain registration, hosting and online activity. Remember that more than 90% of fake websites are registered for just one year. Also, fraudsters tend to use registrant emails that offer anonymity, such as ‘[email protected]’ or ‘[email protected]’, as well as free webmail addresses from providers such as Yahoo!, Hotmail, and Gmail. A legitimate organization is unlikely to do this. According to Bitdefender, 19.09% of all fake banks are registered to the email address [email protected], while almost 6% are registered to [email protected].

  • Always be on guard when making an online payment, and don’t use your credentials unless you are 100% sure it’s a genuine website.

  • An unclear web address, spelling errors and poor grammar might be clues that point to a phishing attack. Typing the legitimate URL directly into the browser rather than clicking a link in an email may also help you stay away from scams.

  • Check the list of unauthorized banks [9] in your country when dealing with a financial organization you haven’t heard of before.

  • Double check a banker’s or seller’s identity when they call or send you a targeted email. Remember that scammers may go as far as creating a fake website to trick a single user, making money out of small, but successful attacks.

  • Be on your guard when using social networks. Select online ‘friends’ carefully and consider the information you share, and the way you interact with applications.

  • ‘UK global redirecting’ numbers that start with +4470 are a major warning of a scam. Though the country code ‘+44’ may make it look like a British number, the ‘70’ prefix means the call will be redirected to a number which may be in any country but the UK.
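The WHOIS and URL checks from section 3.2 and the guidelines above, as an added Python example that is not part of the original article: it scores a domain against a constructed WHOIS record for a one-year registration term, a webmail or anonymity-service registrant, a hyphen-inserted lookalike name and a +4470 contact number. The simplified ‘Key: value’ WHOIS layout, the ANONYMITY_HINTS list and the sample record are assumptions made for the demonstration.

```python
# Added example: scores a website against the fraud indicators the article lists
# (one-year registration, webmail/anonymity registrant, lookalike domain, +4470
# number). The 'Key: value' WHOIS layout and ANONYMITY_HINTS are assumptions.
import re
from datetime import date

# Free webmail providers the article names as a warning sign for a registrant.
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}
# Hypothetical substrings that mark a WHOIS privacy/anonymity service address.
ANONYMITY_HINTS = ("privacy", "protect", "whoisguard", "anonym")
ONE_YEAR_DAYS = 366  # a single registration term, allowing for a leap year

def normalise_domain(domain):
    """Drop hyphens and whitespace so a section 3.2 lookalike maps onto the real name."""
    return re.sub(r"[\s\-]", "", domain.lower())

def imitated_brand(domain, brands):
    """Return the legitimate domain this one imitates, or None if it is genuine."""
    key = normalise_domain(domain)
    for brand in brands:
        if domain.lower() != brand.lower() and key == normalise_domain(brand):
            return brand
    return None

def parse_whois(text):
    """Read the 'Key: value' lines of a WHOIS record into a lower-case keyed dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def registration_term_days(fields):
    """Days between creation and expiry, or None if either date is missing or invalid."""
    try:
        created = date.fromisoformat(fields["creation date"])
        expires = date.fromisoformat(fields["expiry date"])
    except (KeyError, ValueError):
        return None
    return (expires - created).days

def is_uk_redirect_number(phone):
    """+44 70... numbers are the UK 'global redirecting' range named in the guidelines."""
    return re.sub(r"\D", "", phone).startswith("4470")

def score_site(domain, whois_text, phone="", brands=()):
    """Return the fraud indicators that fire for this site (an empty list means none)."""
    fields = parse_whois(whois_text)
    reasons = []
    term = registration_term_days(fields)
    if term is not None and term <= ONE_YEAR_DAYS:
        reasons.append("domain registered for a single year")
    email_domain = fields.get("registrant email", "").lower().rsplit("@", 1)[-1]
    if email_domain in WEBMAIL_DOMAINS:
        reasons.append("registrant uses a free webmail address")
    elif any(hint in email_domain for hint in ANONYMITY_HINTS):
        reasons.append("registrant hides behind an anonymity service")
    brand = imitated_brand(domain, brands)
    if brand:
        reasons.append("domain imitates " + brand)
    if phone and is_uk_redirect_number(phone):
        reasons.append("contact number is a +4470 redirect number")
    return reasons

# Constructed WHOIS record for a lookalike of the article's example hotel domain.
FAKE_WHOIS = """Domain Name: realand-nicehotel.com
Creation Date: 2012-09-01
Expiry Date: 2013-09-01
Registrant Email: reservations-desk@yahoo.com
"""
```

Real registrar output varies in field names and date formats, so the parser would need adapting to the registrar actually being queried.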

Conclusions

With minimal investment in technology and time, phishing and fraudulent websites provide endless income for cybercriminals. Though many organizations strive to create a safer online environment, victims are still sending their financial information and money to unknown destinations all over the world.

Use of an anti-virus solution will help protect users not only from malware, but also from phishing, identity theft and targeted fraud attacks. User education and raising awareness of phishing and targeted fraud may also help contribute to a safer online environment and a drop in cybercrime revenues.

Bibliography

[1] Kessem L.S. Laser Precision Phishing – Are You on the Bouncer’s List Today? Speaking of Security The Official RSA Blog and Podcast. http://blogs.rsa.com/laser-precision-phishing-are-you-on-the-bouncers-list-today/.

[2] Internet Crime Complaint Center. 2011 Internet Crime Report. http://www.ic3.gov/media/annualreport/2011_IC3Report.pdf.

[3] McGrath, D.K.; Gupta, M. Behind Phishing: An Examination of Phisher Modi Operandi. http://static.usenix.org/event/leet08/tech/full_papers/mcgrath/mcgrath_html/.

[4] Anti-Phishing Working Group. http://www.antiphishing.org/.

[5] Phishing in Season: A Look at Online Fraud in 2012. Speaking of Security The Official RSA Blog and Podcast. http://blogs.rsa.com/phishing-in-season-a-look-at-online-fraud-in-2012/.

[6] Proofpoint Reports Findings from Email and Information Security Trends Survey Conducted at Microsoft TechEd Conference. http://www.proofpoint.com/about-us/press-releases/07182012.php.

[7] Payment Card Fraud in the European Union. Perspective of Law Enforcement Agencies. https://www.europol.europa.eu/sites/default/files/publications/1public_full_20_sept.pdf.

[8] Payment Card Fraudsters Earn 1.5 Billion Euros a Year, Europol Says. Bitdefender Resource Center. http://www.bitdefender.co.uk/security/payment-card-fraudsters-earn-1-5-billion-euros-a-year-europol-says.html.

[9] Unauthorised internet banks. Financial Services Authority. http://www.fsa.gov.uk/pages/doing/regulated/law/alerts/internet.shtml.
