The Phishing Process by Christopher Cranston

Department of Computer and Information Sciences, University of Strathclyde, Glasgow

Online PR News – 02-December-2010 – – Department of Computer and Information Sciences, University of Strathclyde, Glasgow

Strathclyde University and Associates - Most phishing attacks take four distinct steps toward defrauding unwary recipients: (1) the scam operators set
up the phishing website. This website usually imitates an established, legitimate site; (2) using guessed or
copied email addresses, the scammers send out emails purporting to come from the legitimate site; (3) the
recipient downloads their email and receives the phishing message. The email asks the user to click on a
hyperlink and enter personal details on the resulting website. If the user clicks on the hyperlink the phishing
site will be displayed. If duped, the user may then enter the requested personal information; (4) the recipient's
personal details are now held by the scam operators. The scammers may now assume the identity of the
recipient and gain illicit access to funds. These steps are elaborated below.

Step 1: Construct the Phishing Website
The first task is to establish a phishing website. These are simple to set up, requiring little more than an
Internet-connected computer serving web pages. The Web pages are usually altered copies of pages
belonging to the targeted organisation. Sometimes, the phishing site appears as a pop-up window over the
legitimate site. Generally, phishing sites are contrived to appear authentic.
Most phishing sites do not have a domain name and Web links to the site in the phishing email usually
take the form of IP addresses, e.g. Sometimes phishing sites do use
domain names, often cleverly crafted to mimic established sites, e.g.
However, registering a domain name entails some financial cost and provides additional information that
may be used to track the perpetrators.

Strathclyde University and Associates - Recent analysis by the Anti-Phishing Working Group (APWG) found that most (27%) of phishing sites
were hosted in the US (op. cit.). This was closely followed by South Korea with 20% and China with 16%.
For comparison, the UK hosted only 1% of phishing sites. The report also estimated that 25% of phishing
sites were hosted on hacked computers, without their owners’ knowledge. Finally, the report states that on
average phishing sites are only live for 2.25 days - the longest noted was a site serving content for 15 days.
Sites with a longer lifespan tend to operate from countries where there may be difficulties in closing down
sites, where there are different or no Internet crime laws.

Step 2: Write and Send Phishing Emails
Once the phishing site is set-up, the next step is for large numbers of phishing emails to be sent out. For this
to be possible the scam operators must collate a large number of email addresses. These are acquired using
address harvesting techniques perfected by spammers. Like other spammers, phishing scam operators must
accumulate as many email addresses as possible in order to maximize the response rate.

Address harvesting techniques vary, but one popular methods is to use programs that search the web for
published email addresses. These programs target Usenet posts, web forums, mailing lists and guest books,
since these resources are likely to contain email addresses (Hird, 2002). Another technique is dictionarybased
address generation. Finally, rather than collect addresses themselves, phishing scammers may simply
purchase a list of addresses from an unscrupulous third party. Regardless of the selected technique, large
numbers of addresses are acquired by the scammers. Although many of these addresses will be malformed,
duplicates or out-of-date, and many of the valid addresses will belong to individuals who are not customers
of the organization being impersonated (and so cannot be defrauded by the scam), this will not deter the
scammers, since sending email is of negligible cost. The scammers’ concern is simply to maximize the
quantity of phishing emails sent.

The content of a phishing email is often carefully crafted. A typical email attempts to alarm the recipient
by describing security or maintenance issues at an established legitimate organization. The message will ask
the recipient to resolve these issues by confirming personal information on a web page. An embedded
hyperlink in the email often provides easy access to the web page. This hyperlink is often disguised to
resemble a link to the legitimate website, although it points to the phishing site.

Some emails contain embedded forms for users to enter their personal details. This removes the need for a
separate phishing web site. Other phishing emails do not ask for personal details at all, but urge the user to
install an attached piece of software. Software offered in this way is usually malicious and may be a virus,
worm, Trojan horse or spyware program. Spyware programs are particularly dangerous, as they can intercept
and transmit sensitive personal information, without the user's knowledge.

Regardless of whether the goal is to have recipients visit a web page, enter details in a form or install a
program, the user must be convinced that the email is authentic. To accomplish this, phishing emails often
contain images, slogans or disclaimers taken from the organization being impersonated. Fortunately not all
phishing emails look authentic. Many have poor spelling or grammar and may also bear little resemblance to
legitimate emails from the genuine organization. Such clues may alert users to the email's true purpose.
When phishing emails are sent out, it is common to spoof the sender's address. Spoofing the sender's
address is possible since the current email Simple Mail Transfer Protocol (SMTP) does not validate the
purported ‘From’ address. This loophole allows scammers to send phishing emails that appear to come from
legitimate organizations. A recent Anti-Phishing Working Group Report indicates that in June 2004, 92% of
phishing emails were sent with a spoofed sender's address. This technique is prevalent as it convinces many
recipients that the email is authentic.

Once phishing emails have been written, disguised and addressed, the final step is to send them. This step
employs standard spamming techniques, e.g., sending the phishing emails using someone else's mail server.
In the past this was easily done through open relays and open proxies. Although these vulnerabilities are now
rare, they are still occasionally used to send spam and phishing emails. Todays phishing emails are
commonly sent from mail servers or proxies running on virus infected machines. Viruses such as Sobig
contain built-in SMTP servers, turning infected machines into unwitting spam senders (Sophos, 2006). This
permits the perpetrators to remain hidden, while an estimated 60% of all spam is sent using virus infected
machines (Spamhaus, 2003).

Contact Information
University of Strathclyde
16 Richmond Street, Glasgow G1 1XQ. Scotland, United Kingdom
Glasgow G1 1XQ. Scotland, United Kingdom, G1 1XQ.

+44 (0)141 552 4400