CAPEC-98 - Phishing

Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.






  • Attack Methods 2
  • Social Engineering
  • Spoofing
  • Purposes 1
  • Reconnaissance
  • Scopes 3
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality
  • Read application data
  • Confidentiality
  • Modify application data
  • Integrity

Medium level:

An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.

An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.

An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.

The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.

Some web development tools to put up a fake website.

Step 1 - Obtain domain name and certificate to spoof legitimate site

This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate..

Tecnique ID: 1 - Environment(s) env-Web

Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is vs. (the first one contains a capital i, instead of a lower case L)

Tecnique ID: 2 - Environment(s) env-Web

Optionally obtain a legitimate SSL certificate for the new domain name.

Security Control ID: 1

Type: Preventative

Websites can acquire many domain names that are similar to their own. For example, the company should be sure to register, .org, .biz, .info and so on. Likewise they should register,, (and possibly .net, .org variations). Although this does not preclude the possibility of phishing, it makes the attackers' job harder because all the easily believable names are taken.

Step 2 - Explore legitimate website and create duplicate

An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that he or she is trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here..

Tecnique ID: 1 - Environment(s) env-Web

Use spidering software to get copy of web pages on legitimate site.

Tecnique ID: 2 - Environment(s) env-Web

Manually save copies of required web pages from legitimate site.

Tecnique ID: 3 - Environment(s) env-Web

Create new web pages that have the legitimate site's look at feel, but contain completely new content.

Step 1 - Convince user to enter sensitive information on attacker's site.

An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user..

Tecnique ID: 1 - Environment(s) env-Web

Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.

Tecnique ID: 2 - Environment(s) env-Web

Place phishing link in post to online forum.

Security Control ID: 1

Type: Detective

Monitor server logs for referrers. Phishing websites frequently include links to "terms and conditions" "privacy" and other standard links on the legitimate site. Users' web browsers will generally reveal the phishing site in the Referrer header. Since the URL may not visually stand out compared to the legitimate URL, some programmatic consolidation of referrers from log files may be required to ensure that stands out from, for example.

Outcome ID: 1

Type: Success

Legitimate user clicks on link supplied by attacker and enters the requested information.

Outcome ID: 2

Type: Failure

Legitimate user realizes that the e-mail is not legitimate, or that the attackers' website is not legitimate, and therefore, does not enter the information requested by the attacker.

Step 2 - Use stolen credentials to log into legitimate site

Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice..

Tecnique ID: 1 - Environment(s) env-Web

Log in to the legitimate site using another user's supplied credentials

Security Control ID: 1

Type: Preventative

Use a human verifiable shared secret between legitimate site and end user such as the one provided by PassMark Security (now part of RSA Security). This prevents the attacker from using stolen credentials. Note that this does not protect against some man-in-the-middle attacks where an attacker establishes a session with the legitimate site and convinces an end user to establish a session with him. The attacker then records and forwards information flowing between the end user and the trusted site. This security control is currently used by many online banking websites including Bank of America's website.

Security Control ID: 2

Type: Preventative

Use an out-of-band user authentication mechanism before allowing particular computers to "register" to use the legitimate site with particular login credentials. This also prevents the attacker from using stolen credentials. An example may be sending a SMS message to the user's cell phone (cell phone number previously acquired by site) with an "activation code" every time the user attempts to log into the site from a new computer. This solution also does not protect against the man-in-the-middle attack described in the previous security control. This mechanism is currently used by several online banking websites including JP Morgan Chase's website.

Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.