Original URL: http://www.theregister.co.uk/2005/05/18/honeynet_phishing_research/

Home PCs launch phishing attacks

Honeynet project dissects the risks

By John Leyden

Posted in Security, 18th May 2005 12:03 GMT

Phishing attacks are growing more sophisticated as attackers devise ever more devious means to stay at least one step ahead of banks and others fighting the contain fraudulent scams, according to a study from The Honeynet Project.

The report, Know your Enemy: Phishing, draws on data collected by the German Honeynet Project and UK Honeynet Project and focuses on picking apart real world incidents to discern the tactics of phishing fraudsters. As with a previous study on botnets, the findings come from monitoring a network of PCs deliberately left open to attack. What emerged from the study is the most detailed technical description of the modus-operandi of phishing attacks we've seen to date. It also discovered that lax security practices by consumers and small business are giving fraudsters a base from which to launch attacks.

The researchers discovered that phishers compromised honeypot machines for four main purposes: to set up phishing websites targeting well-known online brands; sending junk mail emails advertising phishing websites; installing redirection services to deliver web traffic to existing phishing websites or for the propagation of spam and phishing messages via botnets.

"We have learned that phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing website going online with supporting spam messages to advertise the website, and that this speed can make such attacks hard to track and prevent," the researchers concluded. "IP address blocks hosting home or small business DSL addresses appear to be particularly popular for phishing attacks, presumably because the systems are often less well managed and not always up to date with current security patches, and also because the attackers are less likely to be traced than when targeting major corporate systems."

The research backs up the theory, advanced by groups like Spamhaus as well as police investigators, that the trade in compromised machines (botnets) to send out spam is linked to groups carrying out phishing attacks.

"Our research also suggests that phishing attacks are becoming more widespread and well organised. We have observed pre-built archives of phishing websites targeting major online brands being stored, ready for deployment at short notice, suggesting the work of organised phishing groups... Our research demonstrates a clear connection between spamming, botnets and phishing attacks, as well as the use of intermediaries to conceal financial transfers," the report concludes. ®

Related stories

Microsoft hunts web nasties with honey monkeys
Britain tops zombie PC charts
Rise of the botnets
Phishing gets personal
DNS attacks attempt to mislead consumers (pharming attacks)