Phishing 2.0

9 02 2007

I have had several conversations recently about phishing, in particular spear phishing or social phishing. This is an example of how attacks have become much more targeted and, because of this, more successful.

There was a study performed at the University of Indiana a little over a year ago on how spear phishing compared in success rate to that of blind or traditional phishing attacks. Within the paper they discuss the success rates of blind phishing attacks ranging anywhere between 3% (Gartner Group estimate) and 16% (blind attacks against the same or similar control group of the study). While this in itself is rather high when you consider the sheer volume of phishing attacks out there, it’s nothing compared to the success rate of spear phishing. Using the same control group within the University of Indiana experiment, the success rate of the spear phishing attack was a ridiculous 72%!

When you think about it, it makes a lot of sense. Users have been bombarded with messages about why they should never click on a link in an email from someone they don’t know. But this is from someone they DO know. How many of us click on links sent to us via email or instant messaging by friends? Apparently 72% :-).

Now let’s combine this experiment in spear phishing with some cross site scripting (XSS) and cross site request forgery (CSRF) vulnerabilities out there to make it a bit more interesting. There have been a number of XSS vulnerabilities identified in some very large social networking sites recently. If we were to exploit one of these vulnerabilities, we could send our phishing site link to user X’s friends from user X. Assuming a success rate similar to that in the control group of the University of Indiana study (72%), we could end up with several million entries in our phishing database chock full of financial and personal data!

The fact is, this has already been done successfully on MySpace, though without nearly the same malicious intent.

Phishing has become much more targeted recently, and one would presume much more successful. The proliferation of XSS and CSRF is staggering. Cross site scripting was listed as the most common vulnerability discovered in 2006, making up 21.5% of all new vulnerabilities. The popularity of web 2.0 and social networks continues to increase rapidly. This is a problem that will only become worse with all of these factors playing a part.
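
On the defensive side of the XSS and CSRF combination discussed above, here is an added example (not part of the original post): a message-sending handler for a hypothetical social site that rejects requests lacking a session-bound token and encodes stored text on output. The function names, form fields and session ids are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Per-deployment secret; generated here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)

def csrf_token(session_id: str) -> str:
    """Token bound to one session. A page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def send_message(session_id: str, form: dict, outbox: list) -> bool:
    """Hypothetical 'send to a friend' handler: act only on a valid token."""
    supplied = form.get("csrf_token", "").encode()
    expected = csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False  # forged cross-site request: nothing is sent
    outbox.append({"to": form["to"], "body": form["body"]})
    return True

def render_message(msg: dict) -> str:
    """Encode stored text on output so markup inside a message stays inert.

    The token alone is not enough: script injected into the site's own pages
    runs in the site's origin and can read the token, so output encoding is
    what keeps the token check meaningful.
    """
    return "<p>{}</p>".format(html.escape(msg["body"], quote=True))

if __name__ == "__main__":
    outbox = []
    sid = "session-of-user-x"  # constructed sample value
    # Constructed request arriving from another site: no token attached.
    print(send_message(sid, {"to": "friend", "body": "look at this"}, outbox))
    # Constructed request from the site's own form, carrying the token.
    ok = send_message(sid, {"to": "friend", "body": "<script>x</script>",
                            "csrf_token": csrf_token(sid)}, outbox)
    print(ok, render_message(outbox[0]))
```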

