TippingPoint Digital Vaccine Laboratories

Phishy Business

In this entry we'll take a basic look at a recent Bank of America phishing page and show some tips on how to spot a phishing page.  "Phishing" is the use of social engineering and malicious technical tactics to steal personal identity information and credentials to financial accounts.  According to a report from the Anti-Phishing Working Group, nearly 29,000 phishing sites were reported in June of this year.  There were over 331,000 reports in the 52 weeks prior.

First, let's look at the snare.  An official-looking email is sent to a large number of recipients.  It is unknown to the phisher whether or not the recipients have an account with the particular bank.  In a large enough set, a small percentage of the recipients will actually have an account with the bank and will proceed to the trap.  Two percent of a million recipients is plenty of accounts for the phisher to steal from.

In the email, the source address is spoofed to appear as coming from the legitimate bank support address.  Source email address spoofing has been a problem for many years, but many of today's email servers have anti-spoofing capabilities that help to prevent it.  However, the phisher may get around those by sending the mail from a very similar domain, such as bankofamericaa.com, welllsfargo.com (3 L's), etc.

The body of the email will contain a message urging the victim to click on a URL and log in to the online support site.  In order to further fool the victim into believing the email is legitimate, the email may contain the same format, layout, and images used by the bank.  Typically, the nature of the message is a "security alert", such as that the victim's account is being broken into and the victim needs to log in to change their password or verify their identity.  A URL to the online site is "conveniently" placed in the email for quick access to the login site.  The link does not go to the real login site, but rather towards the trap.

Next, the misdirection.  The URL in the email may not go directly to the phishing site, but rather through a proxy server.  A proxy is a host that redirects visitors on to another site or makes the communication requests on behalf of the visitor.  In this particular case, the proxy was a home computer on a DSL line that was unknowingly compromised.  By exploiting a known security vulnerability in hundreds of home computers, the phisher increases the number of proxies under their control and can better evade detection by anti-phishing groups.

On to the trap.  For reference, here is a screenshot of the particular phishing page.

[Screenshot of the phishing login page]

The format and images used in the phish login page are exactly the same as those used on the real login page.  However, this is the login page for Bank of America ("BoA") from several years ago.  Since then, BoA has implemented a system called "SiteKey", which helps authenticate the site to the user before the password is transferred.  After entering the user's ID, the site shows a short text string and picture that the user previously picked.  If the image or text does not match, the user is to be suspicious.  In this phish page, the user ID and password are requested on the same page with the old format.

The old-style login page is a dead giveaway, but let's look for other technical subtleties.  The URL at the top of the browser may appear to be from a BoA site, but knowledge of the correct URL format will indicate that this is actually from a firewall host at some domain other than the bank's.  The site serving the phish page is likely an unknowingly compromised host, like the proxy desktops.

Another technical detail that indicates this is a fake login page is the lack of Secure Sockets Layer ("SSL") security.  In short, SSL is encryption that allows browsers to send and receive information from web sites in a secure manner.  Without SSL, the sensitive login information can be "sniffed", or seen, by anyone that is in the communication path.  Any login page that does not use encryption should always be avoided.
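To make the URL hints from the paragraphs above concrete, here is an added example (not code from the original post) that flags the indicators described: a login URL without SSL, a host whose registrable domain is not the bank's, the bank's name appearing in a subdomain or path rather than the domain itself, and near-miss spellings such as bankofamericaa.com or welllsfargo.com. The list of legitimate bank domains and the naive two-label domain rule are assumptions made for the example.

```python
import difflib
import urllib.parse

# Constructed allow-list of legitimate bank domains for this example (assumption).
LEGIT_DOMAINS = {"bankofamerica.com", "wellsfargo.com"}


def registrable_domain(host):
    """Naive 'last two labels' rule; good enough for the .com banks used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_login_url(url):
    """Return the list of phishing indicators found in a login URL.

    Indicators mirror the post: no SSL, a host outside the bank's own domain,
    the bank's name smuggled into a subdomain or path, and look-alike domains.
    """
    findings = []
    parsed = urllib.parse.urlsplit(url)
    host = parsed.hostname or ""

    # Any login page without encryption is suspect on its own.
    if parsed.scheme != "https":
        findings.append("no-ssl")

    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return findings  # the bank's own domain: nothing more to flag
    findings.append("unexpected-domain")

    # Brand name present in the host or path while the real domain is someone else's,
    # e.g. http://firewall.example.net/bankofamerica/login.php
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in host or brand in parsed.path.lower():
            findings.append("brand-name-outside-domain")
            break

    # Near-miss spelling of a legitimate domain (extra or doubled letters).
    close = difflib.get_close_matches(reg, LEGIT_DOMAINS, n=1, cutoff=0.9)
    if close:
        findings.append("lookalike-of:" + close[0])
    return findings
```

The checks are deliberately conservative: a URL on the bank's own registrable domain over HTTPS produces no findings, while each of the tells from the post adds one entry to the list.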

Now that we've seen the snare, the misdirection, and the trap, how can we put a stop to this?  While there is no single "Internet Police" unit, the bank and volunteer groups have the means and know-how to handle these situations and can hopefully lead them to a criminal prosecution.  The fine folks in the PIRT on Castlecops receive and act on phishing reports.  Bank of America acts on tips sent to their abuse email address.  Our own Tod Beardsley has a nifty tool for identifying phishing sites called MonkeySPAW, which can also be used to submit reports to the Castlecops PIRT.

I hope this helps explain how phishing works in general and how to spot it.  Be smart, stay safe.
Tags: phishing
Published On: 2007-10-02 15:30:22
