
Reducing Risk of Phishing

Most phishing attacks have several technical shortcomings that are detectable by well informed users. However, the particular inconsistencies change as phishers develop more sophisticated methods to spoof legitimate email and web sites. A few high level principles can reduce the risk of fraud victimization, and these general strategies will outlast the latest phishing ploy.

When responding to an email that requires web action (i.e. following a link), navigate to the web site independently. If the message appears to be from a financial institution, look up the website using a search engine instead of trusting the message's link. If you happen to have an account with the financial institution, cross-reference your billing statement for the URL of the authoritative web site. Similarly, if the email prompts you to call their customer service, do not trust the supplied phone number; use an independently verified number (perhaps from the back of your credit card). Using independent sources for contact information breaks a potential victim out of a phisher's sphere of influence. Assuming that the computer system is not subverted by some other means, the phisher can only control the contents of the bait message and the corresponding web hosts.

Wait. Phishing web sites are under immense pressure to vanish quickly. On average they last 5-6 days according to the APWG, although some network administrators have reported 3 day server uptimes for confirmed servers, while some financial institutions claim takedown response in 4 to 5 hours. Most victims respond to the bait email message within 24 hours of receipt, and 95% of victims respond within 3 days. Many bait messages have some kind of veiled threat to coerce a quick response: e.g., "We will be forced to shut down your account if you do not respond within 48 hours."

The following message was received with a notable gap between its date of receipt and the deadline imposed by the threat. It was received after the deadline! This may have been a copycat message where the phisher forgot to update the message contents.

[Image: the bait message, showing its receipt date and the deadline stated in its threat]

Use separate accounts or computers when possible for critical transactions. This is a tall order for home users, but the principle of separation is an important one. The internet provides many novelties, spectacles and services of wide ranging interest: peer file sharing networks, online video games, internet surveys and quizzes, just to name a few. Any software that you install has the opportunity to hijack control of your computer. Perhaps you need to install the latest version of a video codec to view a movie clip, or need the latest graphics drivers to play a hot new game demo. The host website may even "mirror" a copy - a copy that may contain spyware or a virus; you put yourself at risk when you trust their copy. Installing the new codec or driver may well install the latest crimeware simultaneously. These nasty programs are responsible for stealthily sniffing passwords, redirecting legitimate URLs, and snooping your browsing habits. Some operating systems allow accounts with/without admin control. The one without admin control is safer because software will have the same amount of control as the user; i.e. software in a non-admin account cannot install new programs. This restricted-access account should be used by kids in the family - they are less likely to think before they click and this way they will not accidentally install malware that could compromise your private data.

Trying new things is part of the joy of using the Internet. Balancing vigilance and exploration is a difficult task. You can reduce your risk by using separate accounts or (better yet) separate computers for your critical transactions and recreation. On the "high assurance" account, limit interactions to sensitive operations such as online financial management. Currently, about 90% of phishing attacks target the financial sector, so isolating these transactions from the rest of your (possibly unsafe) computer usage eliminates an important attack vector for phishers. Further, an isolated email address that is only distributed to your financial institutions can reduce exposure to spam related phishing. Use a different address when signing up for free trials, new profiles (e.g. a discussion forum), and mailing lists. This will not eliminate spam, just reduce the volume in the limited-access account. One should be careful to simply increase suspicion of messages "from your financial institution" in the regular account rather than increase trust in those in the limited-access account.

Attune yourself to current phishing trends. "Copycat attacks" are among the most voluminous kind of phishing messages. This is due in part to the usage of phishing toolkits that automate the attack setup and in part to the phisher's recognition of good tactics. Effective bait messages are quickly adapted to serve the needs of particular phishers. As a result, regular examination of your spam/junk folder will inform you of current phishing tactics. While the filters are not perfect, many of the messages that evade them are easily recognized by humans as the same scam. The details of why a particular message slips past a filter are often invisible to the casual observer; variances in the header information, formatting and hidden text can make the difference between delivery and quarantine.

The following screenshots show two spam (although not phishing) emails that have the same message. The first one was stopped by a spam filter on July 10, 2006 -- 12 days prior to the followup message that bypassed the same filter. Note the differences in the text on the right side and to the bottom of each message. In a phishing message these changes could be concealed by making the text invisible (e.g., using the same background and foreground color for these sections).

[Image: the two spam messages, the first caught by the filter and the later one that bypassed it]

Similarly, examining the links referenced by a known bait message can improve your risk assessments. However, be sure to limit such exploration to your high risk email and computer accounts. Following a phishing link alerts the phisher to a live (and susceptible) email address, and may elevate that account's exposure to phishing. In addition, a phishing website may exploit an unknown vulnerability in your web browser that enables the installation of malware; this is not common, but should be noted as a potential risk.

Understanding Web Browser Displays

There are many components to a web browser. Large portions of the display are controlled by web hosts, while others are controlled by your computer. Some portions are determined by third parties. Internet web servers control the largest area of web browser displays. The diagram below illustrates a web browser's most important standard components with respect to phishing/fraud.

[Image: diagram of the standard components of a web browser display]

The website has complete control over the main display area. In particular, the main displays for phishing websites and authentic websites can look and behave in exactly the same way. Since the main display is the largest area of the web browser, this is enough to fool most people, particularly when the right context has been established. The title frame, though not part of the main display area, is also specified by the server.

The protocol field of the address bar indicates how data was transferred from the server to the web browser for the currently displayed page, and is controlled by the browser. It is best practice to only enter sensitive information, such as usernames and passwords, when the form display page uses https://. The https:// protocol is encrypted, so only the web browser and the web host can read the data; the intermediaries that transfer the communication between these two cannot read the contents of the transmission. For this reason, https:// is considered the "secure" version of the universally readable http:// protocol. However, this point-to-point unreadability property does not protect against misuse of the data by a fraudulent end host. To assure the identity of web hosts, the https:// protocol requires a digital certificate from the web host. The digital certificates are issued by a trusted third party and can not be faked. In a normal https:// transaction, exchange and verification of certificates is transparent to the user; the browser alerts the user only if it detects a problem with the certificate, e.g. it is self-signed or issued by an untrusted third party. In other words, to enter an https:// page without additional user intervention, a web site must present a certificate that has been verified by a third party that your browser trusts. This requirement raises the cost of attack, so most fraudulent hosts resort to the unencrypted http:// (no 's' at the end) protocol when asking users for sensitive information. Legitimate sites should always use https:// when handling your sensitive data to protect it from interception by intermediaries.

Unfortunately, to speed up the loading time of a web site, some legitimate institutions use an "SSL post" to send data to their servers. In this case, the entry form was acquired by the unencrypted http:// protocol, but the actual submission occurs through https:// after the submit button is pressed. Attackers may easily mimic a site that does this, since they do not have to establish a secure connection before you enter your data. One way to avoid the SSL post is to enter a bogus username and password. After denying your login attempt, most legitimate web sites will follow up with an https:// submission form. Do not trust a web site that fails to do this -- it may never establish a secure connection!

The status bar on Internet Explorer has two components. Most of the bar, beginning at the left and consuming about 75% of the area, is a text display. By default this shows the URL of hyperlinks on mouse-over, and the download status as a particular page loads. However, on some older web browsers, the text in here may also be programmed by the web page. In particular, display of the target URLs on mouse-over could be spoofed by a fraudulent web site. The original page included a test link at this point: hovering over it makes the status bar display "your browser is vulnerable" if the browser allows status bar programming.
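As an added example (not part of the original page), the following Python script audits a fetched page for the two browser-display issues described above: it classifies each password form as secure, "SSL post" (form fetched over http but posting to https) or insecure, and flags links whose mouse-over handler scripts the status bar. The host names and the HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (hypothetical hosts): a page fetched over plain http whose login
# form posts to https (the "SSL post" pattern), a second form posting over http, and a
# link whose mouse-over handler rewrites the status bar to hide its real target.
PAGE_URL = "http://bank.example/login"
PAGE_HTML = """
<form action="https://bank.example/auth" method="post"><input type="password" name="pw"></form>
<form action="/verify" method="post"><input type="password" name="pin"></form>
<a href="http://203.0.113.7/x" onmouseover="window.status='https://bank.example/';return true">Log in</a>
<a href="https://bank.example/help">Help</a>
"""

class PageCollector(HTMLParser):
    """Collects password forms (with resolved action URL) and anchors (href, mouse-over handler)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.links, self._form = page_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":   # a missing or relative action posts back to the page's own URL
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag == "a":
            self.links.append((urljoin(self.page_url, a.get("href", "")), a.get("onmouseover", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def classify_form(page_url, action_url):
    if urlsplit(action_url).scheme.lower() != "https":
        return "insecure"   # credentials would travel in the clear
    if urlsplit(page_url).scheme.lower() != "https":
        return "ssl-post"   # form fetched over http: its action could have been altered in transit
    return "secure"

def audit_page(page_url, html):
    """Return (kind, target, verdict) findings for password forms and status-bar-scripting links."""
    c = PageCollector(page_url)
    c.feed(html)
    findings = [("form", f["action"], classify_form(page_url, f["action"])) for f in c.forms if f["password"]]
    for href, handler in c.links:
        if "status" in handler.lower():   # coarse heuristic: handler touches window.status
            findings.append(("link", href, "status bar scripted on mouse-over"))
    return findings
```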

The other component of the Internet Explorer status bar is on the right side. It shows a number of graphics to indicate additional properties of the currently displayed web page. This cannot be programmed by the web host. The best known icon is a padlock that coincides with the use of https:// protected pages. Phishers (and legitimate institutions, too) often try to generate trust by placing a copy or similar icon in a display area of the browser that is web host programmable. These padlocks are meaningless, and do not indicate usage of https://. Other icons indicate the browser's classification of the web host; the classification policy is user configurable to determine trust by domain name.

[Image: the Internet Explorer status bar, text area on the left and icon area on the right]

The domain name is a function of the computer's domain name service. Name resolution, i.e., mapping human-readable names to machine-readable addresses, depends on a system of servers outside the end user's client and outside the web host. It is trustworthy so far as the DNS (domain name service) system is trustworthy. Phishing websites are often exposed because they employ incorrect domain names in the address bar. The following diagram shows the web site corresponding to the Citibank phishing bait message above:

[Image: the phishing web site, with its incorrect domain name visible in the address bar]

Subversion of DNS is known as pharming. Pharming attacks misdirect requests for legitimate websites to fraudulent hosts. It is an especially dangerous attack because of the trust placed in the third party DNS system. Weak points in the DNS chain include the client's internal settings (such as the hosts file, a local map between names and addresses) and the router settings of the local network. Setting a strong password for a local router's administrative access eliminates one large vulnerability. Running up-to-date anti-malware software helps to stop client originated DNS subversion as well as other client side compromises.
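The hosts file is the one weak point above that a user can inspect directly. As an added example (not part of the original page), this Python script parses a hosts file and flags entries that pin a public name to a non-loopback address, or that touch a watch list of domains such as your financial institutions; the sample file, names and addresses are constructed.

```python
import ipaddress

# Constructed sample hosts file (hypothetical names and addresses): the normal loopback
# entries plus one line of the kind a pharming trojan would add to redirect a bank's name.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.7   www.bank.example bank.example   # added by malware (constructed)
"""

def parse_hosts(text):
    """Yield (address, [names]) for each non-comment, non-blank line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            fields = line.split()
            yield fields[0], fields[1:]

def suspicious_hosts_entries(text, watchlist=()):
    """Flag entries that pin a name to an address other than loopback, and any entry for a
    watched domain: an end-user machine normally resolves public names through DNS, not
    through this file, so such entries deserve a closer look."""
    watched = {w.lower().lstrip(".") for w in watchlist}
    findings = []
    for address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, " ".join(names), "unparseable address"))
            continue
        for name in (n.lower() for n in names):
            if any(name == w or name.endswith("." + w) for w in watched):
                findings.append((address, name, "watched domain overridden locally"))
            elif not addr.is_loopback:
                findings.append((address, name, "public name pinned to a non-loopback address"))
    return findings

def check_hosts_file(path, watchlist=()):
    """Audit a hosts file on disk, e.g. /etc/hosts or, on Windows,
    C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read(), watchlist)
```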

How can I identify a phishing email?

This can be an incredibly difficult task, and usually just takes practice. eBay has put together a nice tutorial on how to spot spoofed emails that appear to come from eBay, but it is also a good tutorial on how to spot fraudulent emails in general.

Additional Resources

What to do if you've given out private information: The Anti-Phishing Working Group's instructions on what to do if you are a victim of identity theft.