This article has been modified from its original version. Certain quoted material has been removed because its veracity could not be confirmed.
When going up against hackers and organized crime intent on fraud through phishing, strategy is everything. Here are popular schemes listed (loosely) in order of severity.
Threat: Manipulates basic emotions: trust, fear, greed, kindness. Almost every phishing attack has a social-engineering component.
Recent ploys urge people to fill out a form to receive a job, prizes, or gift certificates. Just before Christmas, phishers sent e-mails warning that recent online orders might be delayed unless recipients clicked on the URL and provided log-in names as well as passwords.
Countermeasure: Ongoing user education.
Threat: Allows phishers to launch attacks directly from compromised Web sites or to spoof legitimate sites.
Greyhats Security Group recently demonstrated a flaw in IE’s DHTML Edit ActiveX control that allows phishers to spoof secure e-commerce sites. When users click on a URL within an e-mail, the correct URL of the malicious Web site briefly appears in their browser’s address bar and is then replaced by whichever URL the phisher designates. Phishers can also make the SSL padlock icon appear at the bottom of the browser.
Countermeasure: Proper filtering and validation of received Web site input and proper encoding or filtering of the output returned to the user (see CERT's “Understanding Malicious Content Mitigation for Web Developers”).
Threat: Relies on cross-site scripting, but rather than spoofing a legitimate site, scammers send victims to an authentic site by way of an e-mailed URL that contains malicious code.
When the target arrives on the site, code embedded in the URL produces a legitimate-looking pop-up log-in box that redirects the victim to a page on the phisher’s Web site or simply collects log-in information.
Countermeasure: Same as that for cross-site scripting.
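The two cross-site scripting countermeasures above (validate what comes in, encode what goes out) are easier to see in code. The following is an added example, not code from the article or from any product it names: a login page that reflects a username and a `next` redirect parameter straight into HTML, beside a hardened version that validates the redirect target against a constructed allowlist (`ALLOWED_REDIRECT_HOSTS`, `bank.example`, both assumptions) and HTML-encodes every reflected value. The vulnerable function shows why a crafted URL can plant a fake log-in box on an authentic site; the hardened one shows the same page rendering the payload as inert text.

```python
import html
from urllib.parse import urlparse

# Constructed allowlist of hosts this site may redirect to (assumption for this example).
ALLOWED_REDIRECT_HOSTS = {"bank.example"}


def render_login_vulnerable(username: str, next_url: str) -> str:
    """Reflects request parameters into the page unencoded and unvalidated.

    This is the defect the article describes: a URL-borne payload in either
    parameter lands in the markup of a legitimate site and runs there.
    """
    return (f'<form action="{next_url}">'
            f'<p>Welcome back, {username}</p>'
            f'<input type="password" name="pw"></form>')


def validate_redirect(next_url: str, default: str = "/") -> str:
    """Input validation: accept only a same-site relative path or an https
    URL on an allowlisted host; anything else falls back to `default`."""
    parsed = urlparse(next_url)
    is_relative = parsed.scheme == "" and parsed.netloc == ""
    if is_relative and next_url.startswith("/") and not next_url.startswith("//"):
        return next_url
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_url
    return default


def render_login_hardened(username: str, next_url: str) -> str:
    """Output encoding: every value echoed back is HTML-escaped (quotes
    included, since the redirect lands inside an attribute)."""
    safe_next = html.escape(validate_redirect(next_url), quote=True)
    safe_user = html.escape(username, quote=True)
    return (f'<form action="{safe_next}">'
            f'<p>Welcome back, {safe_user}</p>'
            f'<input type="password" name="pw"></form>')


if __name__ == "__main__":
    # Constructed inputs of the kind an e-mailed URL might carry.
    payload_user = "<script>alert(1)</script>"
    payload_next = "https://evil.example/collect"
    print(render_login_vulnerable(payload_user, payload_next))
    print(render_login_hardened(payload_user, payload_next))
```

Note that `validate_redirect` rejects protocol-relative targets (`//evil.example`) and non-https schemes such as `javascript:`, and that `html.escape` is applied after validation, so the encoded value is exactly what is rendered.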
Rewrite and Redirect
Threat: Exploits Windows Scripting and does not require users to click on a link embedded in an e-mail. Instead, a small bit of programming code runs as soon as the e-mail is opened. The code attempts to rewrite the hosts file of infected machines. If the attack is successful, when users attempt to access online banking sites they are instead automatically redirected to a fraudulent Web site, which then attempts to capture the victim’s banking log-on name, password, and other personal information.
Countermeasure: Disable Windows Scripting Host.
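Disabling Windows Scripting Host removes the vehicle, but a defender also wants to know whether a hosts file has already been rewritten. The following is an added example, not code from the article: a small checker that parses a hosts file and flags any entry that maps a domain from a watch list of the organisation's banking sites (`WATCHED_DOMAINS`, an assumption) to an IP address. The sample hosts file content and the address `203.0.113.45` are constructed for the example; a genuine hosts file has no reason to name a bank at all, so any hit is worth an alert.

```python
import ipaddress
import sys

# Constructed sample of a rewritten hosts file: the last line is the kind of
# entry the article describes, pointing a bank's name at an attacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank.example   # injected entry (constructed)
"""

# Hypothetical watch list of domains that should never appear in a hosts file.
WATCHED_DOMAINS = {"www.bank.example", "bank.example"}


def parse_hosts(text):
    """Yield (line number, address, [names]) for each effective hosts entry,
    ignoring blank lines and everything after a '#' comment marker."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; not an address-to-name mapping
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def find_redirects(text, watched=WATCHED_DOMAINS):
    """Return (line number, name, address) for every watched domain that a
    hosts entry maps to a syntactically valid IP address."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        for name in names:
            if name.lower() in watched:
                findings.append((lineno, name, addr))
    return findings


if __name__ == "__main__":
    # With a path argument, check a real file (on Windows typically
    # %SystemRoot%\System32\drivers\etc\hosts); otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for lineno, name, addr in find_redirects(content):
        print(f"line {lineno}: {name} is redirected to {addr}")
```

The check is deliberately strict: it does not exempt loopback mappings, because a bank domain pinned to 127.0.0.1 is still a silent denial of service for the user and is just as out of place in a hosts file.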