  1. #1
    N4S, BPnet Veteran

    The Phishing Scam by me

    Wrote this at work for some of our employees to understand this process a bit better.

    Might help some others to so I figured I'd post it.

    ------------------------------------------------------------

    A phishing scam is an e-mail fraud method in which the enemy sends out legitimate-looking email in an attempt to gain personal and financial information from the unknowing recipients.

    The invention of the phishing scam marked the first time in the history of computer viruses and malware that people could make serious money off of security attacks.

    In mid-2003 the first phishing scams started to arrive in inboxes all around the net. They were text-heavy emails with spelling errors and poor grammar that did not fool the recipients. But phishers started to brush up on their writing and design skills and began to make it a lot more difficult to decide which emails were legit and which were not.

    Some may think that launching a phishing scam could be easy with a little programming knowledge, but it is nowhere near as easy as you think. In the next few sections I am going to break down what it takes to pull off your typical phishing scam.

    The attacker first must find a list of email addresses; this can be done several different ways. They can either buy email lists or software that searches websites for email addresses. Believe it or not, this particular software is at times available on eBay. For example, once you figure out how a company assigns email addresses to its employees, it's not that hard to compile a list of potential email addresses for all of that company's employees.

    The next step in this process would be to write an attack script that resides on a bogus website which is set to steal information from any visitors to it. Thieves are more attuned to looking for more than just credit card numbers, which are difficult to use without more of the account holder's information. Debit card information, however, is like a goldmine for them, due to the fact that a debit card with a PIN number equals "instant money".

    Next we are ready for the resources from which the phishing emails are sent out, attracting victims to the phishing site. One popular way this is done is to enlist a botnet army to scavenge the web for unused disk space on email servers. A botnet will not come cheap and can cost as much as seven hundred dollars an hour.

    Now they need a place to host the phishing site. Phishers will not buy or rent servers due to the fact that a digital paper trail can lead to the police or FBI knocking on their door. Instead, they will steal space in someone else's data center. They may even spread the malicious activity among several unsuspecting enterprises so it's not too obvious that they are stealing capacity from their systems. Then they register the site's name with an internet authority and make sure that the site's URL resembles some existing business.

    Finally they launch the attack, which consists of flooding the internet with spam that seeks to direct email users to the phishing site. In some cases the users will receive two emails. The first email will notify them that a problem was discovered on their account (banking, brokerage, etc.), alerting them that the sender will be following up at some point to verify their account information. This email will not ask for any information or include any links, to give it an official look. Then the follow-up e-mail is where they make the move, directing the victim to the site and asking them to verify their account information.

    And now it is time for them to cash in on the results.

    Look at it this way: if a phisher sends out 2 million spam e-mails, it's likely that 5% of those e-mails will go to legitimate e-mail addresses. About 5% of those e-mail users are likely to click on the phishing link contained in the spam. And 2% of those e-mail recipients will actually enter their information into a phishing site. That works out to about 100 people, but once the phisher has their personal and account information, the dollars can quickly add up.

    Phishing is on just about every company's and internet user's radar these days. Phishing email and web-based efforts by online scammers to hijack personal information from unsuspecting users face a new obstacle. A group of global banks and technology companies has joined forces to fight the scams. The group is running a website, Anti-Phishing.Org (www.antiphishing.org), where those who have received phishing messages can report them, and personnel will follow up by trying to track down the originators of the scams.

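The post describes phishers registering a URL that "resembles some existing business" and then mailing a link to it. The following is an added defender-side example, not code from the original post: it pulls the links out of a message and flags hosts that impersonate a brand, either by embedding the brand name in an unrelated domain or by a one- or two-character typo. The brand domains and the sample e-mail are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of the brands' real domains (illustrative, not real data).
LEGIT_DOMAINS = {"examplebank.com", "examplebroker.com"}

# Constructed sample message in the "verify your account" style described above.
SAMPLE_MAIL = """Dear customer, a problem was found on your account.
Verify at http://examplebank.com.verify-login.net/secure
or https://examp1ebank.com/login within 24 hours."""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unknown' for the host of a link."""
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return "legit"
    brand = dom.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_brand = legit.split(".")[0]
        # Brand name used as a subdomain of, or inside, an unrelated registrable domain.
        if legit_brand in host.lower():
            return "lookalike"
        # Small edit distance from the real brand label (typo-squatting).
        if levenshtein(brand, legit_brand) <= 2:
            return "lookalike"
    return "unknown"


def flag_links(message: str) -> dict[str, str]:
    """Map every http(s) link found in the message to its classification."""
    return {url: classify_host(urlparse(url).hostname or "")
            for url in re.findall(r"https?://[^\s\"'<>]+", message)}
```

A real mail gateway would replace `registrable()` with a public-suffix list and extend the allow-list per brand, but the two checks above already catch both lookalike patterns in the sample.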

  2. #2
    Alice, BPnet Veteran

    Re: The Phishing Scam by me

    Good info Paul. Thanks
    Alice
