First, let's go through a brief step-by-step scenario of a traditional email-based phishing scam, as illustrated in Figure 15-1. As we will see later in the chapter, voice phishing differs only slightly in the communication medium used for each step.
The first step for any phisher is to compromise a server, most often a web server, to use as his base of operations. This ensures that if anyone traces the attack back to that server, he can, for the most part, remain anonymous.
The next step is to use this server to get his initial message out to as many potential victims as possible in order to lure them into visiting his site. There are several toolkits that the underground phishing community uses to generate and send this initial email. This means that many of these generated phishing emails will contain small identifying characteristics that anti-phishing and anti-spam security vendors can use to detect them.
The one unifying characteristic among all traditional phishing emails is the inclusion of a clickable link that seemingly points to a legitimate site. Phishers use a variety of HTML obfuscation techniques to divert that URL instead to their own malicious spoofed site.
The potential email victim pool is usually culled from the same lists that spammers use. Typically, thousands of emails are sent, but only a small fraction of the recipients actually fulfill the following criteria:
They are legitimate patrons of the phisher's targeted brand (eBay, PayPal, and so on).
They are gullible enough to believe the received email is a valid note from their financial institution.
Their first reaction is to click the link supplied in the email in order to resolve the supposed problem with their account.
Before these conditions are met, the phisher must have prepared a believable spoofed copy of the targeted brand's login web page for the potential victim. This most often includes images and links taken directly from the targeted brand's legitimate home page.
The main login page, which collects the victim's username and password, often also leads to a second page, which asks for more specific information including account information and verification details.
After the victim enters their information into the spoofed bank site, the site stores the information or emails the goods directly to the attacker.