
Anti-Phishing Working Group Meeting 2007: Phishing Phutures

06.04.2007 - 12:50 PM
Last week I presented at the Anti-Phishing Working Group (APWG) meeting held in San Francisco (see: http://www.antiphishing.org/events/2007_operationsSummit.html). This is the fourth time I have presented at this conference, which first started in Washington, D.C., in September 2004.

Three years later, phishing has clearly become a much more sophisticated problem than once thought, and it is at the forefront for security companies and technologists globally. The rise in numbers and techniques during these three years has simply been staggering.

As a research fellow of the APWG, I have always thought it was important to stay on top of what could be the next phase of techniques we may see. I did this three years ago, when we discussed smaller targets, and two years ago, when we started researching the use of malicious code attacks in phishing (what is now called "crimeware").

So, this year I presented something called "Phishing Phutures". It was not just a tongue-in-cheek look into some potential attacks, but was meant to give some thoughts on where phishing could go (and has gone) in many cases. Although these were outlined as potential future attack methods, they have all been seen in the wild.

Note: I am not one who recommends we give any more names to phishing or online information theft. However, I decided to spruce up the presentation by adding some more words not in our dictionary that make use of the overuse of "PH". You have been warned!

Presentation link: http://www.websense.com/securitylabs/images/alerts/Phishing_Phutures_apwg_2007sf.pdf

Highlights:

"Wishing" or "Whale Phishing"

Spear phishing that does not go after groups or companies but goes directly after individuals who match pre-determined criteria.

Designed for:

High-ranking government personnel such as politicians and people who have access to a lot of information
High-ranking corporate officers
Information technology administrators who have access to data

Code designed to lie dormant much longer than regular malcode and to analyze end users' behavior for the purpose of information stealing. Some examples:

Record search information
Record stock portfolio information
Search for sensitive documents
Collect information on mergers, acquisitions, elections, takeover plans, gossip, etc.

"Blow Phish"

Cryptovirology, the combination of cryptology and malicious code, becomes commonplace.

Will start to be used as protection against rival groups
PKI and PKI-like infrastructure part of toolkits
Drop boxes will not be as easy to access anymore
Code will be a lot more difficult to reverse
Credentials will be a lot more difficult to obtain
Systems also become more distributed
Data trickling is also an option through ICMP, DNS, etc.

"Sishing" or Search Engine Phishing

Targeted advertising within search engines for specific users.

Entice users to click on links for high-ticket items with the knowledge that you are going after larger bait, e.g.:

“Mercedes P8 convertible”
“retirement vacation homes”
“student loans”
“spyware removal”

Could also be used in Auction fraud
Can be combined with Whale Phishing

"Hishing" or Hardware Phishing

Embed software into hardware devices for data gathering.

There are 4500 mobile phones for sale on eBay, 600 keyboards, 500 MP3 players, and 150 wireless APs
More costly than other attacks but much easier to be covert and gather data
Could embed infection code to attached devices, re-route traffic, or simply gather data from the device
Can gain more access to more information
