SAN FRANCISCO — Using free tools and cheap online services, anyone can quickly become a professional cyberthief, using phishing emails to steal information and money from fellow Internet users, a researcher said at the BSides SF security conference here yesterday (April 20).
"The costs are relatively low," explained Kevin Bottomley, a security analyst at OpenDNS here. "A [Web] server costs you about five dollars [to rent], and then to buy a name, if you choose to set up your own proxy [server], costs you about another ten bucks. So it's about $15."
With that infrastructure in place, Bottomley said, an attacker could clone a legitimate website, such as one belonging to Apple or PayPal, and then generate phishing emails that would lure unwitting victims to the fake site, where their personal information and account credentials would be captured for later resale on cybercrime black markets.
Bottomley showed slides of an actual fake PayPal site that asked not only for the visitor's user ID, password and credit-card number, but also items PayPal would never ask for, such as a debit-card PIN, a driver's license number and a passport number.
Phishing emails are designed to trick the recipient into clicking on malicious Web links or opening malicious attachments. The links lead either to phishing pages, where personal information is solicited and collected, or to malicious sites that drop malware onto visiting computers. Malicious email attachments carry malware that infects the recipient's machine directly, with no need to link out to a website at all.
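The link-based lure described above is also the easiest part of a phishing email to check mechanically. The following Python script is an added example, not code from the talk or the article: it parses a constructed sample message (invented here, not one shown by Bottomley), pulls out every link in the HTML body, and flags the classic tells of a phishing link, namely a bare IP address as the host, anchor text that displays one URL while the href points somewhere else, and a trusted brand name buried as a subdomain of an unrelated domain. The `registrable_domain` helper is a deliberate simplification (last two labels, no public-suffix list) and the trusted-domain list is an assumption for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message for this example (not a real capture).
# The sender display name and links are invented; 203.0.113.7 is a
# documentation-range address.
SAMPLE_EMAIL = """\
From: "PayPal Support" <service@paypal.com>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your identity:</p>
<a href="http://203.0.113.7/pp/login.php">https://www.paypal.com/signin</a>
<a href="http://paypal.com.secure-verify.example/login">Resolve now</a>
<a href="https://www.paypal.com/help">Help Center</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for the example: no public-suffix list (so co.uk-style
    suffixes are not handled)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_links(raw_message, trusted_domains):
    """Return [(href, [reasons])] for every suspicious link in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    parser = LinkExtractor()
    parser.feed(html_part.get_content())

    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # Tell 1: the link host is a bare IP address rather than a domain name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address host")
        # Tell 2: the anchor text looks like a URL but the href goes elsewhere.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"display URL {shown} != actual host {host}")
        # Tell 3: a trusted brand appears inside the host, but the registrable
        # domain is something else (e.g. paypal.com.secure-verify.example).
        for brand in trusted_domains:
            if brand in host and registrable_domain(host) != brand:
                reasons.append(f"lookalike of {brand}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL, ["paypal.com"]):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, the script reports the first two links and leaves the genuine `www.paypal.com` link alone. A real mail gateway would add a proper public-suffix list and homoglyph checks, but the three tells shown here already catch the bulk of commodity campaigns of the kind the talk describes.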
Both fake sites and phishing emails, Bottomley explained, can be created with free tools, easily found online, that have legitimate uses. Websites are easy to clone with HTTrack, used by developers and researchers to rapidly download and replicate entire sites for offline browsing on the user's hard drive. An attacker could use HTTrack to create and put up a malicious variant of a legitimate website.
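A cloned site is visually identical to the original, so the useful checks are in the form markup rather than the appearance: where the login form actually posts its fields, whether it does so over HTTPS, and whether it asks for data the real site never would (the PIN, driver's license and passport fields Bottomley showed on the fake PayPal page). The following Python script is an added example, not code from the talk or the article; it parses a constructed landing page (invented here, served from an assumed attacker host at `http://203.0.113.7/`) and flags those three conditions. The brand domain and the `OVERREACH_FIELDS` keyword list are assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed landing page for this example, modelled on a cloned login form
# (not the page shown in the talk). Assumed to be served from the attacker host.
PAGE_URL = "http://203.0.113.7/pp/login.php"
SAMPLE_PAGE = """\
<html><head><title>Log in to your PayPal account</title></head><body>
<form action="collect.php" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="text" name="atm_pin">
  <input type="text" name="drivers_license">
  <input type="text" name="passport_number">
</form>
</body></html>
"""

# Assumed keyword list: field names no legitimate login page should request
# alongside a password.
OVERREACH_FIELDS = ("pin", "passport", "license", "ssn", "maiden")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and (type, name) input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_page(page_url, html, brand_domain):
    """Return [(resolved form action, [reasons])] for each suspicious form."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Relative actions resolve against the page URL, exactly as the browser would.
        action = urljoin(page_url, form["action"])
        parsed = urlparse(action)
        host = parsed.hostname or ""
        types = [t for t, _ in form["fields"]]
        names = [n for _, n in form["fields"]]
        reasons = []
        # Check 1: a password field that posts anywhere but the brand's own domain.
        on_brand = host == brand_domain or host.endswith("." + brand_domain)
        if "password" in types and not on_brand:
            reasons.append(f"password posted to {host}, not {brand_domain}")
        # Check 2: credentials submitted without TLS.
        if "password" in types and parsed.scheme != "https":
            reasons.append("credentials submitted over plain HTTP")
        # Check 3: fields a login page has no business asking for.
        overreach = [n for n in names if any(k in n for k in OVERREACH_FIELDS)]
        if overreach:
            reasons.append("asks for " + ", ".join(overreach))
        if reasons:
            findings.append((action, reasons))
    return findings


if __name__ == "__main__":
    for action, reasons in audit_page(PAGE_URL, SAMPLE_PAGE, "paypal.com"):
        print(action)
        for r in reasons:
            print("  -", r)
```

Note that the form action is resolved relative to the page URL before the host comparison, because HTTrack-style clones typically rewrite links to relative paths; a check that only looked at absolute `action` attributes would miss the common case.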
Phishing emails are easy to craft and send with the Social Engineering Toolkit (SET), Bottomley said. The SET was developed for penetration testers, "white hat" hackers who attack corporate networks at the behest of the network owners to find weaknesses. The toolkit, which Bottomley demonstrated on his own computer, helps the user identify would-be victims, and even sends them the malicious email messages.
Phishing campaigns can be very successful. The recently revealed penetrations of the White House and State Department computer networks are thought to have been the work of Russian hackers using phishing emails, Bottomley said.
In 2011, another phishing email, thought to be the work of Chinese cyberspies, breached the network of security vendor RSA, which in turn led to the theft of American military secrets from U.S. defense contractors who protected their networks with RSA secure-login keyfobs.
(The RSA breach involved a malicious attachment. Bottomley did not demonstrate that technique, but it could be done using the Metasploit Framework, another free penetration-testing tool that is constantly updated with the latest attacks against known software vulnerabilities.)
While phishing for account credentials and sensitive personal information is often successful, Bottomley said, it's also relatively easy to defend against.
"Protect yourself through two-factor authentication," he said. "Check for secure HTTPS connections [in the browser address field]. Use password keepers."
"And," Bottomley added, "don't click on random crap."