Phishing, Bot Herding, and Other Emerging Cyber Terms

Sophos: “Sharp increase in web-based malware this year”
The number of websites Sophos was blocking jumped from about 5,000 per day a year ago to 29,700 by this Spring.
SC Magazine, July 26, 2007
The annual loss due to computer crime was estimated to be $67.2 Billion for U.S. organizations, with the majority of that ($49.3 billion) being related to Identity Theft, and $1 billion associated specifically with phishing.
U.S. GAO Report to Congressional Requesters (GAO-07-705), titled “CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats”, June 2007
Agenda
• Phishing
• Spear Phishing
• Whaling
• Pharming
• Botnets
• Bot Herding
What is “Phishing”?
• Phishing is nothing more than social engineering.
• Definitions:
– Social Engineering: the practice of obtaining confidential information by manipulating users.
– Phishing: spoofed email messages and websites designed to fool recipients into divulging personal financial information.
• Phishing is set apart by the broad scale and low cost afforded by the Internet and its on-line anonymity.
How to Spot a Phish
• Language that is informal or uncharacteristically unprofessional for the size of the apparent institution
– Look for misspellings and typos
– Look for missing words and unpolished grammar
• Urgent instructions to take specified action
– “Click on the link or your account will be closed”
– “Supply requested details to remove this charge from your credit card …”
– “You will not be able to access your <your bank name> account without <your bank name> Online Banking Tool after …”
How to Spot a Phish (cont’d)
• Generic greeting
– Messages beginning with “Dear Member” or “Valued Customer” are likely phish attempts.
– Legitimate business emails are far more likely to address you by name.
• Request leaves you feeling something is not right
– Most financial institutions and service providers will NEVER contact you by telephone or email to ask you for your sensitive account details.
– You don’t even have an account with the company the email appears to have come from.
How to Spot a Phish (cont’d)
• Overt offer to download software
– Banks will virtually never ask you to download and install software.
– NEVER respond to a solicitation to download and install software without first independently validating the source.
• “Mouse over” any hyperlink in your email
– While not foolproof, a mismatch between the hyperlink text and the address shown in the status bar is a give-away.
How to Spot a Phish (cont’d)
• Phishing attacks ultimately want to draw you to a web page
– Web page may install malicious software on your PC, without your knowledge or any action on your part.
– Web page may request you provide sensitive information on web forms.
• What signs suggest a web page may not be what it seems?
– Browser padlock icon is not “locked” and/or web page address begins “http” instead of “https”
– Web site suggests that a displayed, 3rd party icon proves security. TRUSTe, for example, is just a service to certify privacy practices … nothing more.
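The two checks the slides describe (the visible link text versus the address the link really points to, and a page served over plain http rather than https) can be automated when scanning an email body before anyone clicks. The following is an added Python example and not code from the original slides; the sample email, the domain names and the helper names (`check_links`, `_host_of`, `_registrable`) are constructed for the illustration, and the "last two labels" shortcut for the registrable domain is a simplifying assumption that a production tool would replace with a public-suffix list.

```python
"""Flag hyperlinks in an HTML email body that a reader should distrust.

Added example, not from the original slides. Two checks are applied to
every <a> element: (1) the text the reader sees names one site while the
href points at a different one, and (2) the link target is plain http,
where a login form would expose credentials. The email body below is
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a typical "verify your account" message body.
SAMPLE_EMAIL_HTML = """
<p>Dear Valued Customer,</p>
<p>Please <a href="http://login.example-bank.com.secure-verify.example.net/">
https://www.example-bank.com/login</a> to confirm your details.</p>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Unsubscribe: <a href="http://news.example.org/unsub">news.example.org</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Return the hostname if the link text looks like a URL or bare domain, else None."""
    if " " in text:
        return None  # ordinary link text such as "our help page"
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host:
        return host.lower()
    return None


def _registrable(host):
    """Crude registrable domain: the last two labels (assumption; use a public-suffix list in practice)."""
    return ".".join(host.split(".")[-2:])


def check_links(html):
    """Return a list of (href, reason) findings for links that fail either check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        shown_host = _host_of(text)
        # Check 1: the text shows one site, but the href goes somewhere else.
        if shown_host and _registrable(shown_host) != _registrable(target_host):
            findings.append((href, f"text shows {shown_host} but link goes to {target_host}"))
        # Check 2: plain http where credentials might be entered.
        if target.scheme == "http":
            findings.append((href, "link is plain http, not https"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {reason}\n    {href}")
```

Run against the constructed body, the first link is reported twice (mismatched host and plain http), the help-page link passes both checks, and the unsubscribe link is reported only for being plain http. The mismatch check is deliberately limited to link text that itself looks like an address, since that is the case the "mouse over" advice targets; text such as "click here" cannot be compared and is left to the reader's judgement.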
Spear Phishing
• Works much like phishing, but the source is well-known and trusted, and the intent is to gather information about corporate systems accounts.
– Example: Email received from the CIO, saying IT is conducting an account audit, and you must cooperate per instructions or face disciplinary action.
– “Spear phishing is a pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to undermine that company or organization.” [1]
[1] Spear Phishing, May 9th, 2007, by Stephen Northcutt (http://www.sans.edu/resources/securitylab/spear_phish.php)
Whaling
• If spear phishing is a specifically targeted phishing attack, then “whaling” is a very narrowly focused spear phishing attack.
– Focuses upon a very small group of senior personnel within an organization and tries to steal their credentials.
– Example: A CD, delivered via normal postal mail systems, supposedly containing evaluation software from a known supplier to the CIO, but containing a hidden malware installer.
Description and example from “Spear Phishing and Whaling,” June 28, 2007, posted by Gunter Ollmann (http://blogs.iss.net/archive/SpearPhishing.html)
Pharming
• Pharming is an attack intended to trick a web user into landing on a false copy of a desirable web site.
– Internet routing instructions are altered either at the user’s PC or at their Internet Service Provider.
– Even by manually typing a web address you know to be accurate, you might be misrouted to a close or exact copy of what you expected to see.
• Newer web browsers have features to help identify suspicious web sites.
• Beware of any changes to the logon screen. If you are asked for anything out of the ordinary, do not enter ANY information.
Pharming (cont’d)
• The ‘hosts’ file -- C:\WINDOWS\system32\drivers\etc
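A pharming attack at the user's PC works by adding a line to the hosts file that maps a site's name to an address the attacker controls, so the browser never asks DNS. The following is an added Python example, not code from the original slides, that scans a hosts file for any entry naming a site on a watch list and reports whether that entry blocks the site (loopback or 0.0.0.0) or redirects it elsewhere. The watch list, the sample hosts content and the function names (`parse_hosts`, `suspicious_entries`, `scan_hosts_file`) are constructed for the example.

```python
"""Scan a hosts file for entries that override well-known site names.

Added example, not part of the original slides. Windows keeps the file at
C:\\WINDOWS\\system32\\drivers\\etc\\hosts (the path the slides mention);
Unix systems keep it at /etc/hosts. The watch list and sample content
below are constructed for the example.
"""
import ipaddress

# Constructed watch list: sites the user logs into and expects to reach via DNS.
WATCHED_DOMAINS = {"www.example-bank.com", "mail.example.com"}

# Constructed sample hosts file content, including one tampered entry.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       devbox.local    # local development alias, harmless
203.0.113.45    www.example-bank.com   # <-- not ours: a pharming entry
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; a real tool would log it
        ip = fields[0]
        for name in fields[1:]:  # one address may carry several names
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, name, reason) for every hosts entry that pins a watched domain."""
    findings = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable: watched domain has a malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocked: watched domain pinned to a loopback/unspecified address"
        else:
            reason = "redirected: watched domain pinned to a non-loopback address"
        findings.append((ip, name, reason))
    return findings


def scan_hosts_file(path, watched=WATCHED_DOMAINS):
    """Read a hosts file from disk and scan it."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return suspicious_entries(f.read(), watched)


if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} -> {ip} ({why})")
```

Any entry for a watched domain is worth reporting: a legitimate hosts file almost never names a bank or webmail site, so even a "blocked" finding means something other than the user edited the file. Run on the constructed sample, only the `www.example-bank.com` line is reported, as a redirect to `203.0.113.45`.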
Test Yourself . . .
What Can We Do?
• Do not provide personal information or information about your organization to unknown persons.
• Do not reveal personal or financial information in E-mail.
• Don't send sensitive information over the Internet before checking a Website's security.
• If you are unsure whether an E-mail request is legitimate, try to verify it by contacting the company directly, calling the number on your financial statements or on the back of your credit card.
Other Resources
• U.S. Federal Trade Commission's "How Not to Get Hooked by a ‘Phishing’ Scam": http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm
• U.S. Computer Emergency Readiness Team's Cyber Security Tip, "Avoiding Social Engineering and Phishing Attacks": http://www.us-cert.gov/cas/tips/ST04-014.html
Botnets
• “Generally used to refer to a collection of compromised computers (called zombie computers) running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.” [1]
• Common Botnet uses:
– Distributed Denial of Service (DDoS)
– Email spam
– Adware/spyware
– Click fraud
[1] Botnet definition, Wikipedia.org (http://en.wikipedia.org/wiki/Botnet)
Anatomy of a Botnet
• Introducing the cast members:
– Bot-herder or Bot-master: amasses thousands, or hundreds of thousands, of bots/zombies for hire
– Trojan software: used to compromise and control victim PCs
– Victim: owner/user of a computer that is compromised with Trojan code and turned into a zombie
– Cyber-criminal: pays bot-herders large sums of $$ for the nefarious use of their botnets
What Can We Do?
• Protect your PC
– Apply operating system and other software patches.
– Install antivirus and antispyware software (and maintain subscriptions to updated definition files).
– Install (or enable) personal PC firewall software.
– Be cautious when opening email attachments (open only expected attachments).
– Be cautious when clicking on hyperlinks in emails and web pages.
– Use a “phish aware” web browser.
FBI’s “Operation Bot Roast”
• “More than 1 million computers - possibly yours, too - are used by hackers as remote-controlled robots …”
• “What was viewed seven years ago as a kind of prank to boot people off-line has evolved into schemes to defraud people by stealing credit card and Social Security data, by crashing retail Web sites and through "pump-and-dump" online stock deals.”
• Recent busts of botnet hackers, as part of the FBI's "Operation Bot Roast" sting:
– James C. Brewer, of Arlington, Texas … indicted … on charges of infecting more than 10,000 computers globally.
– Robert Alan Soloway of Seattle … for allegedly using botnets to send out millions upon millions of junk e-mails since 2003.
– Jason Michael Downey, of Covington, Ky … accused … of flooding his botnet-linked computers with spam for an 11-week period in 2004.
Questions?