WHITEPAP E
R
WHITEPAP E R
How Successful are Targeted Phishing Attacks - A Real
World example
ThreatMetrix® Labs Report May 2015
Author: Andreas Baumhof, CTO, ThreatMetrix Inc.
WHITEPAP E R
Contents
Introduction ................................................................................................................................... 4
Key Takeaways ............................................................................................................................... 4
The convergence of Phishing and Malware ................................................................................... 5
Targeted Phishing Attack ............................................................................................................... 5
How to remove obviously fake entries ....................................................................................... 7
How the Internet makes it easy to "enrich" stolen PII with other available PII ............................ 8
Reverse Telephone Lookup ........................................................................................................ 8
Match rates ............................................................................................................................. 8
Social Networking Sites .............................................................................................................. 9
Example 1 ................................................................................................................................ 9
Example 2 .............................................................................................................................. 10
Example 3 .............................................................................................................................. 10
Example 4 .............................................................................................................................. 11
Example 5 .............................................................................................................................. 11
Data .............................................................................................................................................. 11
How accurate is the Geolocation of IP addresses? .................................................................. 11
Operating System ..................................................................................................................... 13
Password stats (strength...) ...................................................................................................... 14
Common phrases used .......................................................................................................... 15
Password Strength................................................................................................................. 15
Password Length ................................................................................................................... 16
Password distribution............................................................................................................ 17
Page 2
WHITE P AP E R
Demography ............................................................................................................................. 17
Gender ................................................................................................................................... 17
Age ......................................................................................................................................... 18
Conclusion .................................................................................................................................... 18
Appendix A ................................................................................................................................... 19
Appendix B ................................................................................................................................... 19
Appendix C ................................................................................................................................... 19
More Information ........................................................................................................................ 19
Page 3
WHITEPAP E R
Introduction
Personal Information is being lost everywhere. Some called 2014 the year of the data breaches and 2015
the year of the mega data breaches. At the same time, we spend a lot of time looking at really
sophisticated malware attacks, but how successful are phishing attacks in 2015?
Well, it turns out they are very successful by every measure. And phishing attacks are well and truly alive.
They are certainly not these horrible looking and poorly worded websites anymore, and sophisticated
Trojans such as the Dyre Trojan combine social engineering, sophisticated malware attacks and classical
phishing attacks into one hell of an attack.
So what can a fraudster expect in 2015 when running a sophisticated phishing attack? How much
personal information are people willing to provide – if convinced properly? How easy is it to enrich the
data with other data sources (either public or private)?
This ThreatMetrix Labs report looks behind the scenes of one such phishing campaign1 in detail, and the
results are shocking.
Key Takeaways
This research confirms one of the best known secrets in the industry: Targeted attacks produce high
quality results. This phishing attack wasn’t a poorly written website spammed out to millions of Internet
users around the world. This phishing attack was very targeted and as such the quality of the data is very
high.
Some key takeaways:

It is mind-blowingly easy to remove the fake phishing entries. In fact just three simple rules
eliminated 100 percent of the fake entries, but they still left 17 percent genuine and high-quality
entries – which was far beyond our expectations.
o
We have found publicly available databases to confirm that the remaining good data is
indeed valid in 92 percent of the cases!

It is very easy as a fraudster to "enrich" stolen data with other available data sources (either publicly
available sources such as social media, or other data breach databases).

IP geolocation is surprisingly accurate. The average distance between the geolocation of the IP address and
the geolocation of the mailing address is just 63 miles and in more than 50 percent of the cases, the
distance is less than 10 miles.
1
We have notified the relevant financial institutions with this information immediately upon getting access to this information
to make sure the accounts of the victims can be protected.
Page 4
WHITE P AP E R

The chosen passwords from the victims are a mess: More than 98 percent of the passwords used fall under
the category of "shouldn't be used for anything serious."

Almost 25 percent of the victims responded to the phishing attack on their mobile phone – which is very
high considering that the phishing attack forced the victims to respond to 22 questions!
The convergence of Phishing and Malware
Phishing got popular after 2001, mainly targeting the financial community. Phishing is a tactic whereby
an attacker tricks a victim to disclose personal information into a website. Often the website mimics the
look and feel of the phished brand to trick the victim into entering his or her personal information.
Phishing quickly became very popular with a peak period in 2009 and2010, when this attack was very
successful.
After that time, more and more phishing attacks moved toward a more targeted approach. This had a lot
to do with many financial institutions implementing two-factor authentication, whereby phished
information (such as the one-time password) has a very limited lifespan.
But the fraudsters evolved too. I remember the case of a financial institution in Europe in 2008 finding
out that there was a phishing site asking users to provide their phone numbers. This bank had
implemented transactional two-factor authentication tokens and wondered what this is all about. This
was until they found out that the fraudsters would ring up the victims pretending to call from the bank
and trick them to disclose their one-time-password from their two-factor authentication devices.
More recently, malware such as Dyre includes phishing components as part of their social-engineered
attacks, where they combine malware infections with phishing sites.
In the end, phishing means stealing personal information from you and there are hundreds of different
ways to do it. Only a fool believes that if we mitigate against a successful attack vector that the fraud will
stop. It will move and evolve, which is exactly what we are seeing with phishing.
Targeted Phishing Attack
The data we’ll be looking at in this report is from a targeted phishing attack. This phishing attack included
many layers to hide the origin of the attack. It also included data encryption and moving it around
various C2 servers.
But as mentioned in the last paragraph, in the end what mattered was the information that the
fraudsters have been able to collect.
And it was a lot. Below is the information that we found in the data set. It is comprised of 22 individual
attributes.
Page 5
WHITEPAP E R

Username (Username of the online application)

Password

Description (This field was empty for all entries)

Home phone

Mobile Phone

ATM Pin

Tel Pin

Driver’s License (DL)

Date of Birth (DOB)

Mothers Maiden Name (MMN)

Social Security Number (SSN)

Full Name

Secret Question 1

Secret Answer 1

Secret Question 2

Secret Answer 2

Secret Question 3

Secret Answer 3

Secret Question 4

Secret Answer 4

Secret Question 5

Secret Answer 5

The IP address of the victim (IP)

Browser String (The User Agent of the victim)
From this raw information, we "enriched" this by adding the following attributes:

Browser Type
Page 6
WHITE P AP E R

Browser Name

Browser Version

OS Version

IP Country

IP ISP

IP Region

IP City

IP Latitude

IP Longitude

IP First Seen (TMX)

Trust Tags (TMX)

IP Score (TMX)
How to remove obviously fake entries
The task was to remove all obviously fake entries from this database, something we thought would
involve a lot of manual work but it turns out that this is surprisingly easy and fully automatic.
First of all,as a fraudster, you have to be ready to be abused. The most common name was "F... you." It is
also amazing how many people think that they can hunt a fraudster down.
Just three rules (attached in Appendix A) eliminated 100 percent of the fake entries (!). These rules
eliminated 83 percent of the entries – leaving 17 percent of the entries, which is still pretty high.
Out of the remaining entries, we ran detailed manual checks of approximately 10 percent and they are all
confirmed to be legitimate information (more on this later). We later found out that in more than 75
percent of the cases, we could use a public reverse telephone number search engine to confirm that all
these entries are indeed valid.
Two things are astonishing
1. It is very easy for a fraudster to "weed" out the fake information to focus on the real valuable information
with just three simple rules.
2. Of the rest, we could establish very easily that 92 percent of the submitted information is genuine
information, which is much higher than we ever thought it would be.
Page 7
WHITEPAP E R
A. It is very easy to ascertain that this is real information, which will be important if the fraudster
doesn't intend to use the information, but to sell it in underground markets. Better quality data
equals more money.
How the Internet makes it easy to "enrich" stolen PII with other available PII
One of the assumptions that is quoted quite a bit is that once fraudsters have stolen some part of PII, it is
easy for them to complement this with other sources to come up with a complete picture. In this section,
we'll look into this claim a bit.
Reverse Telephone Lookup
Most of the phished users were from a particular country that was targeted and there are really nice
websites available that allow you to search for people (like a telephone book or yellow pages). In many
countries, there are services available that allow you do to a reverse phone number lookup.
As the phished information contained the phone number, but not the address, we checked on how many
entries we could find that had an associated entry with the telephone number.
Match rates
In more than 92 percent of the returned information from the reverse phone lookup, the name matched
the phished name. This, together with all the information above, confirms that all the remaining entries
are "good," legitimate entries.
This number is much higher than we anticipated and indicates that the quality of this phishing campaign
is very high.
Page 8
WHITE P AP E R
Social Networking Sites
There is this assumption that virtually all of our personal information has been leaked in one of the data
breaches over the last couple of years. While this is certainly true, we were very interested to find out
how much are people willingly sharing on social media sites and how easy it is to take one piece of data
and "enrich" it with publicly available data.
One particular "problem" we faced with this campaign is that many of the victims were not the
millennials who engage heavily in social media. The average age of the (cleaned) dataset was 57.
We still found many example of the power of social media sites and below are a few examples of this.
Example 1

Facebook: Through Facebook, we can confirm that the person exists.

LinkedIn: Provides the information that the person is a self-employed bookkeeper.

Airbnb reveals that
Page 9
o
The city matches the geolocation of the IP address from the victim
o
The last two digits of the telephone number (which matches, too)
o
The partner's name
o
A family picture
WHITEPAP E R

o
Date when the person joined Airbnb
o
Description of the household
o
Confirmation of the job from LinkedIn
Another apartment rental website
o
Confirms all of the above, inclusive of the telephone number in clear.
o
Tells me the address, which matches our records
Example 2

Twitter: Location from Twitter matches the geolocation of the IP address

Dating Site: Date of birth matches the date of birth of the phished credentials
Example 3

Facebook: City on Facebook matches the city from the geolocation of the IP address

Telephone book: confirms the name and the address
Page 10
WHITE P AP E R
Example 4

MeetMe: searching for the name confirms
o
The city (match with the geolocation of the IP address)
o
The age and date of birth
Example 5

Government Agency
o
Name, job title, employer, age and date of birth confirmed by publicly available CV
o
Salary is publicly disclosed too
Data
How accurate is the Geolocation of IP addresses?
The dataset provided us a unique opportunity to see the value of IP addresses. The original dataset did
not include a postal address, only an IP address. Through external services (social media sites, reverse
telephone lookups), we've been able to enrich the data with the postal address.

Armed with the IP address, we can now use geolocation to get the latitude and longitude coordinates
(plenty of providers available).
Page 11
WHITEPAP E R

Armed with the postal address, we can resolve as well the latitude and longitude coordinates of the postal
address (plenty of services available).
Now we can compare these two and the geolocation of the IP address is surprisingly accurate.
For the data below, we removed less than 3 percent of outliers where the geolocation was completely
different (e.g. on a different continent).
The average distance between the geolocation of the IP address and the geolocation of the mailing
address is just 63 miles.
In more than half of the data sets (54%), the distance between the geolocation of the IP address and the
geolocation of the mailing address was less than 10 miles!
The distribution is
Page 12
WHITE P AP E R
Operating System
The operating system of the victims’ computers isn’t really surprising, with Windows holding 60 percent.
More interesting is the difference between desktop and mobile and it is quite surprising that the amount
of victims on the mobile platform is almost 25%!
Page 13
WHITEPAP E R
Password stats (strength...)
There is no better introduction to this section other than https://xkcd.com/936/.
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for
humans to remember, but easy for computers to guess.”
Page 14
WHITE P AP E R
With the above being said, we took the liberty in making high level assessments in regards to the
passwords used by the phishing victims.
Common phrases used
The first thing we wanted to check was whether common passphrases are used. We used a very simple
list of only 7,187 common passwords (attached in Appendix B) and found that 7 percent of the
passwords were based on common swear words.
A quick Google search reveals hundreds of sites that provide password lists containing millions of common
passwords...
Password Strength
Having set the scene with the xkcd, we tried to evaluate the password strength by calculating the
entropy for the password (in bits). The number of bits listed for entropy is an estimate based on letter
pair combinations in the English language.
We then categorize the passwords into

Very weak (< 28 bits)

Weak (28 - 35 bits)

Reasonable (36 - 59 bits)

Strong (60 - 127 bits)

Very strong (> 128 bits)
Page 15
WHITEPAP E R
Anything less than 60 bits shouldn't be used for anything serious (such as online banking)
The results are devastating:

Not a single password was "very strong" as per this definition

45% of the passwords chosen were "very weak"
o

With a typical desktop PC, a "very weak" password can be cracked in less than 10 minutes (often
just seconds).
More than 98% of the passwords used fall under the category of "shouldn't be used for anything serious"
Password Length
The vast majority (80%) had less than 10 characters with eight characters being the most commonly used
password length.
Page 16
WHITE P AP E R
For an 8-digit password, there are 6.63 quadrillion possibilities - which sounds like a lot, however, with
the advent of dedicated password cracking hardware, 8 digit passwords can be cracked in less than 6
hours! (see http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windowspassword-in-6-hours/)
Password distribution
The most commonly used password was… “password” (big surprise there).
However, looking at the distribution, more than 98 percent of the passwords were unique, so there
wasn’t much overlap in terms of commonly used passwords.
Demography
Gender
From a gender point of view, there was virtually no difference between male and female.
Page 17
WHITEPAP E R
Age
The youngest victim was 15, the oldest 90 with the average age being 57.
Conclusion
The data analytics exercise presented in this report shows that phishing attacks in 2015 are still highly
effective and that targeted phishing attacks produce high quality results. The trend that phishing is used
with sophisticated malware (such as Dyre) is certainly a trend that we see will continue. The other trend
is that more complex technology being deployed to the customer base (such as two-factor
Page 18
WHITE P AP E R
authentication) actually opens up an opportunity for cybercriminals by leveraging social-engineered
attacks. One great example of this was the aforementioned case where phishing sites were capturing the
telephone numbers of victims where the fraudsters rang up the victims to trick them into revealing the
two-factor authentication code.
Appendix A
The content in Appendix A is not available in the public version. Please request a private version of the
ThreatMetrix Labs report at [email protected].
Appendix B
The content in Appendix B is not available in the public version. Please request a private version of the
ThreatMetrix Labs report at [email protected].
Appendix C
The content in Appendix C is not available in the public version. Please request a private version of the
ThreatMetrix Labs report at [email protected].
More Information
For more information on this report please contact [email protected].
© 2015 ThreatMetrix. All rights reserved. ThreatMetrix, ThreatMetrix Labs, and the ThreatMetrix logo
are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All
other brand, service or product names are trademarks or registered trademarks of their respective
companies or owners.
Page 19