
Pre-Phishing Recon for Context-Aware Attacks

04-23-2007 03:00 AM

Identity theft and phishing have become prominent issues in the last few years. In this time, many users have become savvy to phishing schemes and are less likely to fall for traditional phishing attacks. In order to keep the stream of revenue flowing, attackers have had to begin using more advanced techniques. One of the more recent techniques is called "context-aware" phishing. A context-aware phishing attack uses specific personal information about intended victims to gain their trust. With the right information and implementation, this type of attack can be very effective. To get the necessary personal information for this attack, phishers have become more like private investigators.

In this blog, I'll talk about one of the techniques used by attackers to find the information necessary to carry out effective context-aware phishing attacks. This includes identifying targets, finding which brands can be phished for a given target, and researching personal information to supply the context for the attack.

As a precursor for a context-aware phishing attack, attackers can send a pre-phishing recon attack. This is a mass-mailed generic phishing attack targeting a popular non-critical site. A site is considered non-critical if access does not give an attacker an immediate financial payoff. Examples of non-critical sites are Web-based email accounts and social networking sites. In the blog entry "Attack of the Facebook Snatchers", I discussed how a generic phishing attack might be performed on the social networking site Facebook. If the pre-phishing recon attack is successful, the phisher obtains two important pieces of information: the victim’s username/password for the site, and knowledge that the victim is likely to fall for a context-aware phishing attack.

The phisher can also determine which sites have been visited by the victim by implementing the CSS history hack that I discussed in "Revealing Web History without JavaScript" into the phishing Web site. The attacker can check to see if the victim used other social networking sites, Web-based email, online banking, or online retailers. Once the phisher knows which online services the victim uses, they can pick a particularly juicy target for their directed phishing attack and decide on a course of action.

This list of sites also makes the task of information gathering much easier for the attacker. Since many people use the same user name and password for many of their online activities, this list can provide phishers with places to try the stolen account. These other sites may contain more personal information that can be useful for context-aware phishing attacks. The phisher could also use the same password to gain access to the victim’s email account. Email accounts are especially useful because many online services have a "forgot password?" option that creates a new password and sends it to the user’s email address.
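From the defender's side, the email-account pivot described above leaves a recognisable trace: a successful login from an address the account has never used before, followed within minutes by password-reset mail arriving from several different services. The following detector is an added example, not code from the original post; the log format, the field names and the sample lines are constructed for illustration, and the window and threshold values are assumptions to be tuned per deployment.

```python
"""Flag accounts where a login from a previously unseen IP is followed by a
burst of password-reset mail from distinct services (the pivot pattern above).
Added example; the log format and sample data are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values: watch window after a login, and how many distinct
# services must send reset mail inside it before we raise an alert.
WINDOW = timedelta(minutes=15)
MIN_SERVICES = 3

# Constructed sample log: timestamp|user|event|detail
# detail is the source IP for login_ok, and the sending service for
# reset_mail_received.
SAMPLE_LOG = """\
2007-04-20T09:02:11|alice|login_ok|198.51.100.20
2007-04-20T09:15:40|alice|reset_mail_received|socialnet.example
2007-04-21T22:41:03|alice|login_ok|203.0.113.77
2007-04-21T22:43:10|alice|reset_mail_received|bank.example
2007-04-21T22:44:55|alice|reset_mail_received|shop.example
2007-04-21T22:47:30|alice|reset_mail_received|auction.example
2007-04-21T23:05:00|bob|login_ok|198.51.100.40
2007-04-21T23:06:00|bob|reset_mail_received|shop.example
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, detail)."""
    ts, user, event, detail = line.strip().split("|")
    return datetime.fromisoformat(ts), user, event, detail


def find_reset_pivots(log_text, window=WINDOW, min_services=MIN_SERVICES):
    """Return one alert per (user, new-IP login) whose watch window collects
    reset mail from at least `min_services` distinct services."""
    known_ips = defaultdict(set)  # user -> IPs seen on earlier successful logins
    open_windows = {}             # user -> (login_time, ip, services seen so far)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = parse_line(line)
        if event == "login_ok":
            if detail not in known_ips[user]:
                # Login from an address this account has not used before:
                # start (or restart) the watch window for this user.
                open_windows[user] = (ts, detail, set())
            known_ips[user].add(detail)
        elif event == "reset_mail_received" and user in open_windows:
            login_ts, ip, services = open_windows[user]
            if ts - login_ts <= window:
                services.add(detail)
                # Alert exactly once, when the distinct-service count hits the threshold.
                if len(services) == min_services:
                    alerts.append({
                        "user": user,
                        "ip": ip,
                        "login": login_ts.isoformat(),
                        "services": sorted(services),
                    })
            else:
                # Window expired without reaching the threshold; stop watching.
                del open_windows[user]
    return alerts


if __name__ == "__main__":
    for alert in find_reset_pivots(SAMPLE_LOG):
        print(alert)
```

On the sample data only alice's second login trips the rule: the single reset mail after her first login and bob's lone reset mail stay below the threshold. In a real mail platform the "known IPs" set would come from the account's login history rather than from the same log being scanned, and the alert would be a prompt to re-verify the session or to hold outbound reset mail until the user confirms the login.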

This sort of information-gathering attack is particularly dangerous because it can be partially automated. This reduces the amount of work needed to perform the attack, allowing phishers to target more victims.

In summary, by giving away their credentials to a non-critical site, a user can end up giving away much, much more. Each successful pre-phishing recon attack will give an attacker a profile to be used in future context-aware attacks. This profile can include the target’s email address, name, physical address, phone number, employer, mother’s maiden name, friend and business relationships, typical password, visited Web sites, and more. The type of context-aware phishing attacks that can be thought up using this set of information is limited only by the attacker’s creativity.
