The Psychology of Phishing Scams

We all get unwanted email, referred to as spam, but why so much? Does anyone really fall for these obvious scams? Even as we ask these questions, a small voice inside our heads repeats a common retort: “If spam wasn’t making money for someone, would it continue to be sent?”

Let’s start by defining spam to make sure we are all on the same page: Spam is the use of electronic messaging systems (including most broadcast and digital media) to send unsolicited bulk messages indiscriminately. That’s exactly what we all receive: a lot of unsolicited messages.

To get your attention and confirm your suspicions about the magnitude of the spam epidemic, I’ll quote a few facts from the MessageLabs Intelligence Report issued by the security firm Symantec:

• 95.1 billion spam emails will have been sent in 2010
• 89 percent of all emails sent are spam

Can any of us look at these numbers and not be blown away? Think about it. More than 95 billion spam emails were sent in 2010 – 260 million every day – and 90 percent of them were designed to separate you from your hard-earned money.

As with every ecosystem of this magnitude, there’s a complex support structure and a pecking order within it. At the bottom are emails that promise cheap performance-enhancing drugs and other scams that entice you with semi-legitimate deals. At the top are phishing scams that would make a New York marketing firm cry from envy at their elegance.

Let’s define phishing, as well: Phishing is a way of attempting to acquire information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. As you’ll see, the keyword here is trustworthy. Unlike most spam, phishing is done through an electronic relationship that gains your confidence and promises you a legitimate benefit if you comply.

I have spent a fair amount of time reading about phishing and sorting through the phishing emails I receive.
Fortunately, the MessageLabs Intelligence Report indicates that only one in 444.5 emails contains a phishing scam. The following notes first present a few examples of phishing emails that I found particularly compelling, followed by several extracts from papers written on the psychology of phishing.

Phishing Example #1

From: "Bank Of America Alert" <[email protected]>
Date: November 30, 2011 10:47:57 PM EST
Subject: Security Alert: Your Online Banking Has Been Blocked

Note the seemingly legitimate email address.

Your Online Banking Has Been Blocked

Note the sense of urgency.

Dear Customer,

Due to concerns, for the safety and integrity of the Bank of America we have issued this warning message. It has come to our attention that your Bank of America account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online banking experience and update your personal records you will not run into any future problems with the online service.

To start the update now click https://www.bankofamerica.com

This URL actually goes to http://193.203.205.226/~fitclub/wp-content/themes/yaml/core/index.html, but looks legitimate on the surface.

This is required for us to continue to offer you a safe and risk free environment. However, failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.
Accounts Management

As outlined in our User Agreement, Bank of America will periodically send you information about site changes and enhancements.

Security Checkpoint: This email includes a Security Checkpoint. The information in this section lets you know this is an authentic communication from Bank of America. Remember to look for your SiteKey every time you sign in to Online Banking.
Nice touch. Means nothing, but adds confidence.

Bank of America Email, 8th Floor-NC1-002-08-25, 101 South Tryon St., Charlotte, NC 28255-0001
Bank of America, N.A. Member FDIC. Equal Housing Lender © 2011 Bank of America Corporation. All rights reserved.

This URL goes to an actual BoA web page.

How this scam operates: This email was sent to millions of random consumers (a simple phishing attack) or to known Bank of America clients (a spear phishing attack). In either case, a click on the update link will send the consumer to a legitimate-looking, but fake, Bank of America ‘update’ page where the consumer will be asked to enter bank numbers and PINs. Once collected, this information is used to access the account and transfer funds to the hackers. At the end of the collection, the consumer will be assured his account has been reactivated.

Phishing Example #2

The domain gooplaces.info is used throughout. Most people will miss the fact that it is fake.

From: "Google Places Registrations" <[email protected]>
Date: November 29, 2011 11:10:08 AM EST
To: [email protected]
Subject: only 1 day left to list your business on first page of Google Places for your city
Reply-To: [email protected]

Google Places

Note the sense of urgency.

24 Hours Left! to list your business
Warning! after 24 hours we are no longer accepting anymore business for 1st page listing

Google receives millions of clicks every month from people looking for products and services online. (list your business now) These searches range from attorneys to vehicles, only those businesses showing on the first page of Google are the ones who people contact and conduct business with. (list your business now) Today we want to select only 2 businesses of each category to display on the first page of Google Places in your city. If you want to see your business on the first page of Google Places for your city, you must register now. There is only 24 hours left to register.
In 24 hours we will no longer accept any more businesses. if you want to be the first to register please list your business here.

This is the real logo from Google Places.

List your business today, never any clicks or monthly fees, receive unlimited traffic to your website, this is a lifetime listing.

This email was sent to [email protected], click here to unsubscribe.
goolocalplaces.com po box 0225, mIami, florida | E-mail: [email protected]
COPYRIGHT 2011. goolocalplaces.com. ALL RIGHTS RESERVED.

How this scam operates: This email was sent to millions of consumers, some of whom own businesses and have recently heard of the very desirable Google Places feature. Most people will not pick up on the misspelled domain (goolocalplaces), a poor derivative of Google Local Places. When the registration link is clicked, the business owner will be asked to enter his or her business information (perhaps a lengthy process, so the user hates to stop once it’s started) with a small fee charged at the end. The entered credit card information will be sold on the cyber-crime market within hours of its collection. The consumer will believe he has just improved the social networking viability of his business.

Phishing Example #3

From: "Mailbox Administrator" <[email protected]>
Date: November 14, 2011 8:40:13 PM EST
To: undisclosed-recipients:
Subject: Your Mailbox Has Exceeded It Quota/Limit®

Note the sense of urgency.

Your Mailbox Has Exceeded Its Quota/Limit As Set By Your Administrator, And You May Not Be Able To Send Or Receive New EMails Until You Re-Validate It. To Re-Validate, Please CLICK: Re-Validate Your Mailbox

Clicking this link will display the web page seen below. Note the odd URL that the link takes you to: http://test3.3dnet.rs/images/index.php

All the page wants is your email address and password.

How this scam operates: This phish is the slickest of the three.
Who among us doesn’t worry about running out of email space – perhaps missing emails and images from friends and relatives? And what could be more benign than just entering our email address and password – doesn’t the email provider have that information already anyway? The scam is the collection of email addresses. The scam makes use of the fact that more than 31 percent of all users reuse their password for all of their accounts. This would indicate that one-third of the username/password combinations collected by this scam might be valid at other websites frequented by the user (e.g., PayPal, eBay, Schwab). The hacker will try this username/password combination, along with thousands of others, on any website that might provide a profit.

Digging into the Psychology of Phishing

Why does phishing work? As noted above, phishing scams work because they are presented in a form that engenders trust in the consumer. The creators of these scams are clever, patient people who have turned phishing into a well-studied science. Think about the ultimate psychology test lab – access to millions of test subjects where literally hundreds of scams can be tried and tested, with tens of thousands of subjects in each trial. A single trial will result in information as to who opened the phishing email, who clicked on the embedded links, who fell for the scam or who aborted at the final moment. The hacker can tweak the trial and try again, with each trial generating cash as well as additional knowledge about the psychology of consumers. After a few years, the phishing artist understands the psychology of phishing far better than any PhD candidate working with college students as test subjects.

Several good papers have been written on this fascinating subject. Below, I’ve researched two of them and extracted the sections I found most interesting and relevant to the examples above.
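The link clues called out in the three examples above (a link whose real target is a raw IP address, visible link text that names one site while the href goes elsewhere, and a brand name embedded in a domain that is not the brand’s own) can be checked mechanically on the HTML body of a message. The following Python is an added example, not code from the article or from any product it mentions; the BRAND_DOMAINS map and the sample HTML are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> the one registrable domain it may legitimately use.
# This map is an assumption for the demo, not a real allowlist.
BRAND_DOMAINS = {"bankofamerica": "bankofamerica.com", "google": "google.com"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host: a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


def link_findings(html):
    """Return (reason, href) for each anchor showing one of the three link clues."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # clue 1: target is a bare IPv4 address
            findings.append(("raw-ip-target", href))
        shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(("text-target-mismatch", href))  # clue 2: text names one site, href goes to another
        for brand, domain in BRAND_DOMAINS.items():
            if brand in host and registrable_domain(host) != domain:
                findings.append(("brand-lookalike", href))  # clue 3: brand name inside a foreign domain
    return findings


# Constructed sample modelled on Example #1: the visible text reads bankofamerica.com,
# but the href is the raw-IP URL the article reports for that link.
SAMPLE = ('<p>To start the update now click <a href="http://193.203.205.226/~fitclub/wp-content/themes/yaml/core/index.html">'
          'https://www.bankofamerica.com</a>. Questions? <a href="https://www.bankofamerica.com/help">bankofamerica.com/help</a></p>')
```

The brand check only catches a brand name inside a foreign host; a misspelled look-alike such as goolocalplaces.com in Example #2 needs a fuzzy comparison that this demo does not attempt.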
Paper: Some Psychological Factors of Successful Phishing
By: Don Mosley, Graduate Student in Information Security, East Carolina University
Reference URL: http://www.infosecwriters.com/text_resources/pdf/Phishing_DMosley.pdf

A great definition of the origin of phishing referenced in Mosley’s paper reads:

“The word 'phishing' originally comes from the analogy that early Internet criminals used email lures to 'phish' for passwords and financial data from a sea of Internet users. The use of 'ph' in the terminology is partly lost in the annals of time, but most likely linked to popular hacker naming conventions such as 'Phreaks' which traces back to early hackers who were involved in 'phreaking' – the hacking of telephone systems.” (Gunter Ollmann, “The Phishing Guide”, NGSSoftware Insight Security Research, 9 Sept. 2004)

Mosley offers several thoughts on why people fall for phishing. I found the following three to be well worth repeating.

1. Trust of authority

Our society has been built up since the dawn of humanity to trust, obey and follow some type of authority figure, whether it be a god, a strong alpha male, parents, the school principal, a rock star or a political leader. Obedience to commands occurs almost at the genetic level. If you receive a personal email purported to come from Bank of America questioning the validity of your account data, you will have a strong compulsion to respond, and respond quickly.

The email in Example #1 above demonstrates an attempt to declare itself an authority (a bank) as the reason for the consumer to trust the institution and, by extension, the email. The call to link to the update page and enter Bank of America credentials in order to fix a banking problem seems more like a service to the consumer than a scam. The use of the Bank of America logo, Security Checkpoint graphics and the legitimate office and email addresses almost screams, “Trust me – I am in charge of your financial future.”

2. Text and graphics lack traditional clues of validity

Our socio-economic culture has given us certain modes of discrimination regarding the validity of business institutions. We don't hesitate to deposit our paycheck at the corner bank because it's been there for years, our parents deposited checks there and it “looks” like a bank. Without clues from the verbal and physical realms, our ability to determine the validity of business transactions is diminished.

While the emails in Examples #1 and #2 cannot provide these verbal and physical realms, they do try to relate to institutions we already feel confidence in with various clues embedded in the emails. Unless one looks closely, the Bank of America email looks perfectly legitimate, as does the corresponding update web page. The Bank of America logo, email address and physical office address all add to this illusion of validity. The Google Places email, while not as solidly legitimate as the Bank of America email, presents the well-known multi-colored Google logo as its strongest tie to the real Google.

3. Clues to the fraudulent nature of phishing scams are often below the threshold of the average recipient

Prior to the Internet, the typical scam or swindle scenario involved face-to-face or verbal interaction between swindler and victim. “Hey buddy – want to buy a Rolex?” “Ma'am, I was driving through your neighborhood and noticed that your shingles were about to blow off.” With careful attention to the peripheral clues present in the details surrounding the transaction, the victim has a much greater chance of recognizing and avoiding the swindle. Is the “roofer” driving a car with no ladders or roofing materials? Why is the cheap Rolex watch not actually ticking? The clues that can be gleaned from a typical phishing email tend to be of a technical nature that might not be obvious to the average email user.
A user looks at the visible text of an embedded link in a message rather than at the browser's address bar after clicking it. To the untrained or unobservant consumer, none of the three example emails seems to contain any blatantly fraudulent indicator. If one were to step back and carefully consider each of these, however, many possible questions might arise:

1. Why is Bank of America asking me for my account information – shouldn’t they know this already?
2. Why isn’t my name on the email? (Note that in a spear phishing attack, it would be.)
3. The Bank of America update URL seems correct, until you look to see where it really takes you.
4. The Bank of America Security Checkpoint section just seems like the email is trying too hard to convince me it is legitimate.
5. Why is Google Places spelled so poorly?
6. Why would Google limit this offer to only two businesses in each category?
7. Does Google charge anyone for anything? Why would they start now?
8. Shouldn’t my email vendor already know my email name and password?

In the rush of our daily lives, and with the majority of the population only superficially technical, these questions won’t be asked, and the average consumer will continue to be a prime phishing target.

Paper: Social Engineering & “Influence” by Dr. Cialdini
By: K K Mookhey
Reference URL: http://niiconsulting.com/checkmate/2010/06/03/social-engineering-influence-by-dr-cialdini/

This excellent post by Mookhey takes the influences described in Dr. Cialdini’s book, “Influence,” and relates them to the psychology of phishing. While the entire post is good reading, I found Mookhey’s notes on scarcity to be particularly relevant to our email examples:

Dr. Cialdini on scarcity: Collectors of everything from baseball cards to antiques are keenly aware of the influence of the scarcity principle in determining the worth of an item.

Mookhey as it relates to phishing: One of the most common tactics is to build time pressure.
The scarcity of time often makes people comply with requests in violation of their policies and their own common sense.

In each of the phishing examples above, we see the scarcity of time and the sense of urgency as an implicit or explicit driver of consumer action. Let’s take a look at a few of the lines in these example emails that are obvious scarcity drivers:

1. Example 1: If you could please take 5-10 minutes out of your online banking experience and update your personal records, you will not run into any future problems with the online service
2. Example 1: Failure to do so may result in temporary account suspension
3. Example 2: Subject: only 1 day left to list your business on first page of Google Places for your city
4. Example 2: 24 Hours Left! to list your business
5. Example 2: after 24 hours we are no longer accepting anymore business for 1st page listing
6. Example 3: Subject: Your Mailbox Has Exceeded Its Quota/Limit
7. Example 3: And You May Not Be Able To Send Or Receive New EMails Until You Re-Validate It

Looking at these scarcity drivers, one can only get the sense that the best course of action is to act immediately or lose access to your bank account, miss a great Google opportunity or risk the loss of personal emails – any of which might cause personal hardship.

Conclusion

Phishing artists are very good – they have the ultimate test lab (the world’s population) to hone their skills, with millions of dollars at stake. Phishing attacks are usually orchestrated in countries with little or no fear of prosecution; therefore, there is no downside to being a phishing hacker. The technology behind phishing has evolved to the point where a phishing hacker will run his botnet (a collection of compromised computers connected to the Internet) from the comfort of his home, with the actual command and control computers possibly located in distant countries.
The spoils of phishing (i.e., credit card numbers, bank account information, email addresses and passwords) are sold on a thriving cyber black market, again with little concern of being caught and prosecuted. The three examples of phishing attacks above are just a few of literally thousands of attack variations, each of which might take many forms. Again, as a reference for the magnitude of the phishing problem, keep in mind that there were more than 235 million phishing emails sent in 2010. Phishing will be with us for many years to come, primarily targeted at the consumer, the one group least likely to understand and avoid phishing.

By Alan Wlasuk
WDDinc
Indianapolis, Ind.
[email protected]
www.WDDinc.com