
While the rise of phishing is not a new development, it has become a ubiquitous phenomenon and a serious on-line security problem only in the last year or so. In this fast-moving threat landscape, F-Secure had to come up with some quick solutions to keep our customers protected.
The term phishing was originally coined around 1996 for a kind of fraud which was targeted especially towards users of America On-Line (AOL), probably because AOL users at the time were among the first non-technical consumers who were getting familiar with the Internet. The fraudster would connect to AOL "chat rooms" (an early form of instant messaging) masquerading as an AOL support technician, and send private messages to users in the chat rooms about a "security issue". The messages would request the victims to change their password to a particular one, or to tell the "technician" their password and/or credit card number so a technical problem could be resolved.
With "rich-text" e-mail clients being the de facto norm, and banks usually offering their customers access to their account over the web, this kind of fraud has now migrated to the Internet at large, using e-mail and fake web sites to pull off the scam.
"Phishing" has in fact become something of a household word recently, with the usual loss of precision. Many users seem to lump almost any on-line fraud with phishing, including "Nigerian 419" (advance fee fraud) letters, stock spam (frequently used for "pump and dump" stock fraud), and actually more or less any spam.
To be clear, this article focuses on the kind of fraud where the recipient is selected more or less at random, and receives a message pretending to be from an institution which the victim has a relationship with (it could be a bank or an ISP, or why not a local department store), asking for "account confirmation", or directly requesting the victim to divulge sensitive personal information such as a password or credit card number.
Granted, the line is getting tough to draw, as viruses and worms start to use the same social engineering tactics; more and more fraud is committed via spam; worms and viruses are appearing to be increasingly entangled with the spam problem; and new types of fraud are inevitably being invented which cross-pollinate these Internet nuisances in interesting new ways.
Casting the Net
During the first nine months of this year, there was an enormous growth in phishing spam, driving victims to sites masquerading as legitimate banking sites. Some of these e-mail messages were being identified as "malware" by our virus scanning engines, but the coverage was nowhere near 100%, and classifying these scams as malware was not very accurate.
In order to quickly deploy a protection mechanism for these messages, we had to build upon what was already available in our existing products. Shipping a new feature takes several months, and for some products, there is no guarantee that customers would be installing the upgrade, even if it were good sense to do so.
However, the spam filtering component is flexible enough to easily accommodate entirely new types of rules, and they can be installed as simple "database updates" which clients pull down and install in near real time (although the "database" in question could in fact contain e.g. a new executable plug-in, and not just data). Thus, we managed to quickly implement and deploy phishing e-mail filtering in the form of a set of rules for the spam engine.
There are several types of rules. The simplest type is purely reactive: when we have samples of a phishing message, we can identify related messages based on some unique feature of the sample e-mail; often, this will be the URL (web link address) which directs the user to a fraudulent site, or perhaps part of the URL.
The other two types are proactive. We can anticipate some tricks which the phishers will try; for example, if there are related samples for banking sites in, say, Finland and Germany, we can guess that they will send similar messages to some other North European country next.
As a further generalization, we look for certain content obfuscation techniques which are common in spam, but notably frequent in phishing messages. When such patterns are detected in messages ostensibly from a bank or other typical phish target, and especially when some of these patterns indicate that the sender information is forged, the e-mail message is flagged as highly suspect, and we classify it as a phishing message.
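The three rule types described above (reactive URL matching, and the proactive combination of content obfuscation patterns with sender forgery evidence for messages that claim to come from a typical target), as an added example written for this article; it is not F-Secure's spam engine or its rule format. The URL fragments, the brand list, the .test domains and the three sample messages are all constructed placeholders, and the Received-header check simply looks at the earliest hop, which a real product would do more carefully.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Reactive rule data: URL fragments lifted from earlier phishing samples.
# Both entries are constructed placeholders, not real indicators.
KNOWN_PHISH_URL_FRAGMENTS = ["/cgi-bin/webscr-update/", "secure-login.example-evil.test"]

# Typical phish targets and the domain each one really sends from (constructed).
TARGET_BRANDS = {"examplebank": "examplebank.test"}


def extract_links(html):
    """Return (visible link text, href) pairs for every <a> element in the body."""
    pairs = re.findall(r'<a\s[^>]*href=["\']?([^"\'\s>]+)["\']?[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(re.sub(r"<[^>]+>", "", text).strip(), href) for href, text in pairs]


def obfuscation_signals(links):
    """Content-obfuscation patterns common in spam and very frequent in phish."""
    found = []
    for text, href in links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.username is not None:                 # http://bank.example@1.2.3.4/
            found.append("userinfo-in-url")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}|\d+", host):   # raw or integer IP host
            found.append("ip-host")
        if re.search(r"%[0-9a-f]{2}", href, re.I):      # percent-encoded URL parts
            found.append("percent-encoded-url")
        shown = re.match(r"https?://([^/\s]+)", text, re.I)
        if shown and shown.group(1).lower() != host:    # visible URL != real target
            found.append("link-text-host-mismatch")
    return found


def sender_forgery_signals(msg, brand_domain):
    """Header evidence that the claimed sender is forged."""
    found = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain != brand_domain:
        found.append("from-domain-mismatch")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        found.append("reply-to-mismatch")
    received = msg.get_all("Received", [])
    # Each hop prepends its Received header, so the last one is the origin.
    if received and brand_domain not in str(received[-1]).lower():
        found.append("received-chain-mismatch")
    return found


def classify(raw_message):
    """Return (verdict, reasons); verdict is 'phishing', 'suspect' or 'clean'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    links = extract_links(body.get_content() if body else "")
    # 1. Reactive: a URL fragment taken from a known sample.
    for _, href in links:
        for fragment in KNOWN_PHISH_URL_FRAGMENTS:
            if fragment in href:
                return "phishing", ["known-url:" + fragment]
    # 2. Proactive: only for messages that claim to come from a typical target.
    display_name, _ = parseaddr(str(msg.get("From", "")))
    claimed = (display_name + " " + str(msg.get("Subject", ""))).lower()
    brand = next((b for b in TARGET_BRANDS if b in claimed), None)
    if brand is None:
        return "clean", []
    obfuscated = obfuscation_signals(links)
    forged = sender_forgery_signals(msg, TARGET_BRANDS[brand])
    if obfuscated and forged:
        return "phishing", obfuscated + forged
    if obfuscated or forged:
        return "suspect", obfuscated + forged
    return "clean", []


# Constructed sample messages (documentation IP ranges, .test domains).
SAMPLE_PHISH = """\
Received: from customer-mx.test (customer-mx.test [192.0.2.10]) by inbound.test
Received: from [198.51.100.7] (unknown [198.51.100.7]) by customer-mx.test
From: "ExampleBank Security" <alerts@mail-relay.example-evil.test>
Reply-To: verify@example-evil.test
Subject: Account confirmation required
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear customer, please confirm your account:</p>
<a href="http://www.examplebank.test@198.51.100.7/confirm">http://www.examplebank.test/secure</a>
</body></html>
"""
SAMPLE_KNOWN = """\
From: "Customer Care" <care@lists.example-evil.test>
Subject: Please update your billing information
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://secure-login.example-evil.test/cgi-bin/webscr-update/">Update now</a></body></html>
"""
SAMPLE_LEGIT = """\
Received: from mail.examplebank.test (mail.examplebank.test [192.0.2.25]) by customer-mx.test
From: "ExampleBank Security" <alerts@examplebank.test>
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><a href="https://www.examplebank.test/login">https://www.examplebank.test/login</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in [("phish", SAMPLE_PHISH), ("known", SAMPLE_KNOWN), ("legit", SAMPLE_LEGIT)]:
        print(name, classify(sample))
```

The two proactive signal groups are deliberately combined with "and": obfuscated links alone, or a mismatched From domain alone, each occur in legitimate marketing mail often enough that either on its own only earns a "suspect" verdict, while the pair together on a message that names a bank is what the article treats as a phish.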
In order to keep our filters up to date, we are very dependent on phishing samples (with full headers, please). In addition to customer and partner-submitted samples, we receive phishing samples through various anti-phishing cooperation channels, such as anti-phishing.org, a working group of the IETF.
Next Up Ahead: Product Integration
While we now have a stopgap measure in place, there is still some room for improvement. The products should probably handle phish differently from spam, and we should be able to block phishing-generated traffic as well as the phishing e-mail messages themselves.
Currently, the phishing messages we catch are simply stored in the spam folder along with other spam. This might not suffice, as there is a very real risk that some user would find a phish message in the spam folder and not recognize that it is forged, believing it was filtered as spam by mistake. They might well think it was a genuine, important message from their bank, and click it open in a panic. It would be better if the phishing messages were clearly marked as such, and perhaps quarantined in a separate folder, or even blocked altogether.
Furthermore, since the anti-phishing technology we use is based on the spam filter, it is obviously only available in the products which include the spam filtering engine. In particular, the corporate client software, Anti-Virus Client Security, does not include the spam filter. One would of course hope and pray that most AVCS installations will be behind a network perimeter protection product, such as our Internet Gatekeeper, which does include the spam filter, and thus also the phishing filter, but this is regrettably not always the case.
Finally, given that we cannot realistically block 100% of all phishing e-mail in all situations, and because the phishers might switch from e-mail to e.g. instant messaging, we should have a facility for blocking outgoing connection attempts to known phishing sites, too. This is a high priority for the next release of our products. In the meantime, expect the phishers to come up with new insidious schemes. They will have a much stronger incentive to get their messages through than your average massmailer worm author.
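The outgoing-connection blocking facility described above, as an added example that is not part of F-Secure's products: a blocklist lookup that first reduces the destination host to one canonical spelling, so that the same URL tricks the message filter looks for (userinfo before the host, integer, octal or hex IP spellings, percent-encoded or mixed-case names, trailing dots) cannot slip a known site past the list. The blocklist is a constructed placeholder, and the IP decoding follows the classic inet_aton() rules that browsers also accept.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed blocklist of known phishing destinations (placeholders only).
BLOCKED_HOSTS = {"secure-login.example-evil.test", "198.51.100.7"}


def legacy_ipv4(host):
    """Decode the IPv4 spellings that inet_aton() and browsers accept: one to
    four dot-separated parts, each decimal, octal (leading 0) or hex (0x), the
    last part filling the remaining bytes. Raises ValueError when the string is
    not such a spelling, i.e. when it is an ordinary host name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(host)
    nums = []
    for p in parts:
        if p.startswith("0x"):
            nums.append(int(p[2:], 16))
        elif len(p) > 1 and p.startswith("0"):
            nums.append(int(p, 8))
        else:
            nums.append(int(p, 10))
    *lead, last = nums
    if any(not 0 <= n <= 255 for n in lead) or not 0 <= last < 256 ** (4 - len(lead)):
        raise ValueError(host)
    value = 0
    for n in lead:
        value = (value << 8) | n
    return str(ipaddress.IPv4Address((value << (8 * (4 - len(lead)))) | last))


def canonical_host(url):
    """Reduce the destination host of a URL to one canonical spelling."""
    host = urlsplit(url.strip()).hostname or ""   # drops userinfo and port, lowercases
    host = unquote(host).rstrip(".").lower()      # %2E-encoded dots, trailing dot
    try:
        return legacy_ipv4(host)
    except ValueError:
        return host


def should_block(url):
    """True when the connection target is on the blocklist, however it is spelled."""
    return canonical_host(url) in BLOCKED_HOSTS


if __name__ == "__main__":
    for u in ["http://www.examplebank.test@198.51.100.7/confirm", "http://3325256711/confirm",
              "http://0xC6.0x33.0x64.0x07/", "http://SECURE-LOGIN.example-evil.test./",
              "https://www.examplebank.test/login"]:
        print(should_block(u), canonical_host(u), u)
```

Canonicalising before the lookup is the whole point: a plain string comparison against the blocklist would pass every one of the disguised spellings in the usage block, even though they all connect to a listed address.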
Further Reading:
http://en.wikipedia.org/wiki/Phishing
http://fraudwatchinternational.com/
http://www.anti-phishing.org/
Author: Era Eriksson, Senior Content Filter Researcher