In addition to email-based attacks, phishing can be carried out through technical subterfuge: infecting users’ PCs with malware or exploiting web browser vulnerabilities.
Infecting PCs with malware
Technical-subterfuge phishing plants malware, in particular Trojan horses, on Internet users’ PCs to scan stored information or to intercept their activities or keystrokes, and thereby obtains credit card credentials, passwords or other sensitive personal information directly. A Trojan horse, or Trojan, is a type of malware that has been widely used in phishing attacks. It is named after the wooden horse that infiltrated Troy: it is a piece of harmful software that masquerades as a benign file in order to trick users into loading or executing it on their system. Because Trojans neither infect other files nor self-replicate, they have to spread through user interaction, such as opening a malicious email attachment or downloading and running a file from a website that embeds malware. Users unwittingly download Trojans by clicking on links that contain malicious code, or even simply by visiting malicious injection URLs.
Once activated, a Trojan can carry out several attacks on the infected host, ranging from annoying the user to damaging the host, for example by deleting files, stealing data, or activating and spreading other malware. Trojans are also well known for their use in creating back doors on compromised hosts. Malware installed on users’ PCs in this way may turn the compromised machines into members of a botnet for subsequent criminal use.
In addition to opening a PC’s Internet ports and exposing them to bot installation, Trojans can be used to steal data from infected PCs through keystroke logging or access to stored information. Banking data, passwords and other sensitive information are automatically sent, as the victim types them, to another computer that the phishers control in order to receive the data. Phishers may even directly access the data stored on a Trojan-infected PC if they gain substantial control over it.
Milletary provided some examples of Trojans that are prevalent in phishing attacks.76 Bancos, originally identified in July 2003, is representative of phishing malware: it monitors Internet Explorer for specific bank URLs and attempts to capture account information. Bancos can overlay certain banking websites with a counterfeit one to trick users into disclosing their information. Bankash is the first known piece of malware that targets Microsoft AntiSpyware.77 It attempts to disable Microsoft’s anti-spyware program and to steal online banking login information for targeted banks by using a keylogger or displaying a fake login page.
Exploiting web browser vulnerabilities
A typical phishing attack relies heavily on a huge number of fake email messages claiming to come from trusted sources. However, the increasingly sophisticated spam filtering deployed by ISPs has made it more difficult to ensure that spoofed emails reach their targets. Phishing techniques have therefore been extended beyond the email component to abuse vulnerabilities in web browsers, which give phishers the ability to obfuscate URLs or to install malware on users’ machines. Exploitation of web browser vulnerabilities can allow attackers to create a pop-up window that overlays the address bar to hide the illegitimate URL of a phishing website, or to change or replace content within a browser window that is displaying a legitimate website.78
A good example of the exploitation of web browser vulnerabilities is the ‘in-session attack’, which uses web-based fake alerts to convince end users to provide their login information. In 2008, Trusteer found a JavaScript flaw in all leading browsers, including Internet Explorer, Firefox, Safari and Chrome, which allows a website to trace a user’s footprint and check whether the user is currently logged onto another website.79 Once such a user is identified by a website carrying injected malicious code, that code presents a web-based pop-up window pretending to be from the website the user is logged onto. It may ask users to complete a customer survey, or ask them to retype their usernames or passwords by claiming that “Your login session has expired. Please sign in again”, and thereby capture users’ login credentials.80

76 Milletary (2005), op. cit.
77 Broersma, Matthew, 'Trojan Targets Microsoft's AntiSpyware Beta', <http://www.eweek.com/c/a/Security/Trojan-Targets-Microsofts-AntiSpyware-Beta/>, accessed 15 June 2014.
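As an added illustration (not part of the thesis), the following Python models one defensive control against the precondition of the in-session attack described above: a session cookie marked SameSite=Lax or Strict is withheld from cross-site requests, so a login probe that relies on the browser sending that cookie from another site’s page learns nothing. The site names are constructed, and the model covers cookie attachment only; it is not a fix for the specific JavaScript engine flaw that Trusteer reported.

```python
"""Model of how a browser decides whether to attach a session cookie to a
request under each SameSite setting. Constructed illustration, not the
thesis's code: an in-session attack first needs the attacker's page to learn
that the user is logged in elsewhere. Probes that depend on the browser
sending the victim site's session cookie on a cross-site request are blocked
when that cookie is marked SameSite=Lax or Strict."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str        # site that set the cookie, e.g. "bank.example" (constructed)
    same_site: str   # "None", "Lax" or "Strict"
    secure: bool = True


def cookie_sent(cookie, request_site, initiator_site, method, top_level_nav):
    """True if the browser would attach `cookie` to this request.
    request_site:   site receiving the request
    initiator_site: site of the document that triggered it
    method:         HTTP method
    top_level_nav:  True for a link or redirect navigation, False for
                    subresources (img, script, iframe, fetch)."""
    if cookie.site != request_site:
        return False  # a cookie is only ever sent back to the site that set it
    if initiator_site == request_site:
        return True   # same-site request: SameSite imposes no restriction
    if cookie.same_site == "Strict":
        return False  # never sent on any cross-site request
    if cookie.same_site == "Lax":
        # cross-site: only on safe-method top-level navigations
        return top_level_nav and method in ("GET", "HEAD")
    # SameSite=None: sent cross-site, but browsers require the Secure flag
    return cookie.secure


def login_probe_blocked(cookie, attacker_site="evil.example",
                        victim_site="bank.example"):
    """A cross-site login probe is a subresource load from the attacker's page
    (e.g. an <img> or <script> whose response differs when logged in).
    Returns True if the browser withholds the session cookie from it."""
    return not cookie_sent(cookie, victim_site, attacker_site, "GET",
                           top_level_nav=False)


def compare_policies():
    """Weak setting beside the corrected ones, for the same session cookie."""
    return {p: login_probe_blocked(Cookie("SESSION", "bank.example", p))
            for p in ("None", "Lax", "Strict")}
```

With SameSite=None the probe still receives the cookie, so the legitimate site must also avoid responses that differ by login state on endpoints it cannot protect this way.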
A website with injected malicious code may also generate a fake security warning pop-up cautioning users that their computer has been infected by a Trojan (see figure 2.6) and urging them to install the antimalware software it offers (see figure 2.7). In fact there is no Trojan infection, but users will soon become victims of one if they decide to click to install a Trojan masquerading as antimalware software.
79 Trusteer (2008), 'In session phishing attacks', Trusteer Research Paper.
80 Vijayalekshmi and Rabara (2010), op. cit.
Figure 2.6: Fake spoofed infection warning pop-up (1)