In a previous post, I explored how fraudsters go about staging phishing attacks. This post reviews how, once staged, phishing attacks are launched.
With the phishing site now staged and active, the cybercriminal needs to trick customers of the targeted institution into visiting the site and divulging credentials and other sensitive information. This means:
- setting up an emailer (or spamming tool)
- gathering a list of target emails
- crafting convincing phishing email messages.
Phishing email tools
Before launching the attack campaign, phishers need to establish the capability to send mass email. This is typically done via the following methods:
- Installing a PHP-based emailer program on a hacked webserver
- Using spam bots
- Using underground spamming services like Send-Safe
Using PHP-based emailer programs is the most common method used by phishers. If they can hack a vulnerable webserver and install a backdoor, it is relatively easy to then upload a PHP-based emailer to the compromised host.
Crafting a phish email
For a phishing attack to work, the email lure used in the attack (or “phish letter”) needs to trick recipients into visiting the phishing site. Phish letters for specific institutions, as well as customizable templates, are freely available online. Phishers may also create their own. This includes copying legitimate emails sent from the institution and replacing the correct links with links to the phishing site.
[Figure: example phishing email lure]
Obtaining an email address list
There are two ways for phishers to gather lists of email addresses to attack. The first method is simply to buy or download email address lists online. There are many underground sellers of bulk email lists that will rent or sell email addresses for a fee. The other method frequently used is to build their own list by harvesting email addresses from the Web. Harvesting email addresses most commonly involves using bots to crawl publicly accessible websites and collect email addresses. There are also several other ways to gather email addresses, such as downloading contacts from compromised webmail accounts or using malware that collects contact data from infected PCs.
To learn more about how phishing attacks work and how to stop them, check out the "How to Fight Back against Phishing" white paper.