Whitepapers - www.technicalinfo.net (original) (raw)


Whitepapers

The Phishing Guide (Part 1)
Understanding and Preventing Phishing AttacksPhishing is the new 21st century crime. The global media runs stories on an almost daily basis covering the latest organisation to have their customers targeted and how many victims succumbed to the attack. While the Phishers develop evermore sophisticated attack vectors, businesses flounder to protect their customers’ personal data and look to external experts for improving email security. Customers too have become wary of “official” email, and organisations struggle to install confidence in their communications.

While various governments and industry groups battle their way in preventing Spam, organisations can in the meantime take a proactive approach in combating the phishing threat. By understanding the tools and techniques used by professional criminals, and analysing flaws in their own perimeter security or applications, organisations can prevent many of the most popular and successful phishing attack vectors.

This paper covers the technologies and security flaws Phishers exploit to conduct their attacks, and provides detailed vendor-neutral advice on what organisations can do to prevent future attacks. Security professionals and customers can use this comprehensive analysis to arm themselves against the next phishing scam to reach their in-tray.

Section 1: A Case for Prevention

1.1 A 21st Century Scam

Throughout the centuries, identity theft has always been high on a criminal’s agenda. By gaining access to someone else’s personal data and impersonating them, a criminal may pursue a crime in near anonymity. In today’s 21st Century world, electronic identity theft has never been easier.

Hidden away amongst the mounds of electronic junk mail, and bypassing many of today’s best anti-spam filters, a new attack vector lies in wait to steal confidential personal information. What originally began as a malicious hobby, utilising many of the most popular Internet communication channels, professional criminals are now using spoofed messages to lure victims into traps specifically designed to steal their electronic identity.

The name on the (electronic) street is Phishing; the process of tricking or socially engineering an organisations customers into imparting their confidential information for nefarious use. Riding on the back of mass-mailings such as Spam, or using ‘bots to automatically target victims, any online business may find Phishers masquerading as them and targeting their customer base. Organisational size doesn’t matter; the quality of the personal information reaped from the attack has a value all in itself to the criminals.

Phishing scams have been escalating in number and sophistication with every month that goes by. A phishing attack today now targets audience sizes that range from mass-mailings to millions of email addresses around the world, through to highly targeted groups of customers that have been enumerated through security faults in small clicks-and-mortar retail websites. Using a multitude of attack vectors ranging from man-in-the-middle attacks and key loggers, through to complete recreation of a corporate website, Phishers can easily fool customers into submitting personal, financial and password data. While Spam was (and continues to be) annoying, distracting and burdensome to all its recipients, Phishing has already shown the potential to inflict serious losses of data and direct losses due to fraudulent currency transfers.

According to a recent study by Gartner, 57 million US Internet users have identified the receipt of email linked to phishing scams, and about 1.7 million of them are thought to have succumbed to the convincing attacks and tricked them into divulging personal information. Studies by the Anti Phishing Working Group (APWG) have concluded that Phishers are likely to succeed with as much as 5 percent of all message recipients.

With various experts extolling proprietary additions or collaborative improvements to core message delivery protocols such as SMTP, organisations may feel that they must wait for third-party fixes to become available before finding a solution to Phishing. While the security failures within SMTP are indeed a popular exploit vector for Phishers, there are an increasingly array of communication channels available for malicious message delivery. As with most criminal enterprises, if there is sufficient money to be made through phishing, other message delivery avenues will be sought – even if the holes in SMTP are eventually closed (although this is unlikely to happen within the next 3-5 years).

While many high profile financial organisations and large Internet businesses have taken some steps towards increasing their customers’ awareness, most organisations have done very little to actively combat Phishers. By taking a hands-on approach to their security, organisations will find that there are many tools and techniques available them to combat the Phisher.

With the high fear-factor associated with possible phishing scams, organisations that take a proactive stance in protecting their customers’ personal information are likely to benefit from higher levels of trust and confidence in their services. In an era of shifting customer allegiances, protection against phishing scams may just become a key deciding factor in gaining their loyalty.

1.2 Phishing History

The word “phishing” originally comes from the analogy that early Internet criminals used email lures to “phish” for passwords and financial data from a sea of Internet users. The use of “ph” in the terminology is partly lost in the annals of time, but most likely linked to popular hacker naming conventions such as “Phreaks” which traces back to early hackers who were involved in “phreaking” – the hacking of telephone systems.

The term was coined in the 1996 timeframe by hackers who were stealing America Online (AOL) accounts by scamming passwords from unsuspecting AOL users. The popularised first mention on the Internet of phishing was made in alt.2600 hacker newsgroup in January 1996, however the term may have been used even earlier in the popular hacker newsletter “2600”.

It used to be that you could make a fake account on AOL so long as you had a credit card generator. However, AOL became smart. Now they verify every card with a bank after it is typed in. Does anyone know of a way to get an account other than phishing?

—mk590, "AOL for free?" alt.2600, January 28, 1996

By 1996, hacked accounts were called "phish", and by 1997 phish were actively being traded between hackers as a form of electronic currency. There are instances whereby Phishers would routinely trade 10 working AOL phish for a piece of hacking software or warez (stolen copyrighted applications and games). The earliest media citation referring to phishing wasn’t made until March 1997:

The scam is called 'phishing' — as in fishing for your password, but spelled differently — said Tatiana Gau, vice president of integrity assurance for the online service.

—Ed Stansel, "Don't get caught by online 'phishers' angling for account information," Florida Times-Union, March 16, 1997

Over time, the definition of what constitutes a phishing attack has blurred and expanded. The term Phishing covers not only obtaining user account details, but now includes access to all personal and financial data. What originally entailed tricking users into replying to emails for passwords and credit card details, has now expanded into fake websites, installation of Trojan horse key-loggers and screen captures, and man-in-the-middle data proxies – delivered through any electronic communication channel.

Due to the Phishers high success rate, an extension to the classic phishing scam now includes the use of fake jobsites or job offers. Applicants are enticed with the notion of making a lot of money for very little work – just creating a new bank account, taking the funds that have been transferred into it (less their personal commission) and sending it on as an international money order - classic money laundering techniques.

Section 2: The Phishing Threat

2.1 Social Engineering Factors

Phishing attacks rely upon a mix of technical deceit and social engineering practices. In the majority of cases the Phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information.
Communication channels such as email, web-pages, IRC and instant messaging services are popular. In all cases the Phisher must impersonate a trusted source (e.g. the helpdesk of their bank, automated support response from their favourite online retailer, etc.) for the victim to believe.

To date, the most successful Phishing attacks have been initiated by email – where the Phisher impersonates the sending authority (e.g. spoofing the source email address and embedding appropriate corporate logos). For example, the victim receives an email supposedly from support@mybank.com (address is spoofed) with the subject line 'security update’, requesting them to follow the URL www.mybank-validate.info (a domain name that belongs to the attacker – not the bank) and provide their banking PIN number.

However, the Phisher has many other nefarious methods of social engineering victims into surrendering confidential information. In the real example below, the email recipient is likely to have believed that their banking information has been used by someone else to purchase unauthorised services. The victim would then attempt to contact the email sender to inform them of the mistake and cancel the transaction. Depending upon the specifics of the scam, the Phisher would ask (or provide an online “secure” web page) for the recipient to type-in their confidential details (such as address, credit card number and security code, etc.), to reverse the transaction – thereby verifying the live email address (and potentially selling this information on to other spammers) and also capturing enough information to complete a real transaction.

Subject: Web Hosting - Receipt of Payment QdRvxrOeahwL9xaxdamLRAIe3NM1rL

Dear friend,

Thank you for your purchase!
This message is to inform you that your order has been received
and will be processed shortly.

Your account is being processed for $79.85, for a 3 month term.
You will receive an account setup confirmation within the next
24 hours with instructions on how to access your account.
If you have any questions regarding this invoice,
please feel free to contact us at tekriter.com.
We appreciate your business and look forward to a great relationship!

Thank You,

The Tekriter.com Team

ORDER SUMMARY
-------------
Web Hosting............. $29.85
Setup................... $30.00

Domain Registration..... $20.00
Sales Date.............. 08/04/2004
Domain.................. nashshanklin.com

Total Price............. $79.85
Card Type............... Visa

2.2. Phishing Message Delivery

2.2.1. Email and Spam

Phishing attacks initiated by email are the most common. Using techniques and tools used by Spammers, Phishers can deliver specially crafted emails to millions of legitimate “live” email addresses within a few hours (or minutes using distributed Trojan networks). In many cases, the lists of addresses used to deliver the phishing emails are purchased from the same sources as conventional spam.

Utilising well known flaws in the common mail server communication protocol (SMTP), Phishers are able to create emails with fake “Mail From:” headers and impersonate any organisation they choose. In some cases, they may also set the “RCPT To:” field to an email address of their choice (one which they can pickup email from); whereby any customer replies to the phishing email will be sent to them. The growing press coverage over phishing attacks has meant that most customers are very wary of sending confidential information (such as passwords and PIN information) by email – however it still successful in may cases.

Techniques used within Phishing emails:

A Real-life Phishing Example
The following is an email sent to many thousands of Westpac banking customers in May 2004. While the language sophistication is poor (probably due to the writer not being a native English speaker), many recipients were still fooled.

Subject: Westpac official notice

Westpac
AustraIia's First Bank

Dear cIient of the Westpac Bank,

The recent cases of fraudulent use of clients accounts forced the Technical services of the bank to update the software. We regret to acknowledge, that some data on users accounts could be lost. The administration kindly asks you to follow the reference given below and to sign in to your online banking account:

https://oIb.westpac.com.au/ib/defauIt.asp

We are gratefuI for your cooperation.

Please do not answer this message and follow the above mentioned instructions.

Copyright © 2004 - Westpac Banking Corporation ABN 33 007 457 141.

Things to note with this particular attack:

https://oIb.westpac.com.au/ib/defauIt.asp

2.2.2. Web-based Delivery

An increasingly popular method of conducting phishing attacks is through malicious web-site content. This content may be included within a web-site operated by the Phisher, or a third-party site hosting some embedded content.

Web-based delivery techniques include:

Fake Banner Advertising
Banner advertising is a very simple method Phishers may use to redirect an organisations customer to a fake web-site and capture confidential information. Using copied banner advertising, and placing it on popular websites, all which is necessary is some simple URL obfuscation techniques to obscure the final destination.

With so many providers of banner advertising services to choose from, it is a simple proposition for the Phisher to create their own online account (providing a graphic such as the one above and a URL of their choice) and have the service provider automatically distribute it to many of their managed websites. Using stolen credit cards or other banking information, the Phisher can easily conceal their identity from law enforcement agencies.

2.2.3. IRC and Instant Messaging

New on the Phishers radar, IRC and Instant Messaging (IM) forums are likely to become a popular phishing ground. As these communication channels become more popular with home users, and more functionality is included within the software, specialist phishing attacks will increase.

As many IRC and IM clients allow for embedded dynamic content (e.g. graphics, URL’s, multimedia includes, etc.) to be sent by channel participants, it is a trivial task to employ many of the phishing techniques used in standard web-based attacks.

The common usage of Bots (automated programs that listen and participate in group discussions) in many of the popular channels, means that it is very easy for a Phisher to anonymously send semi-relevant links and fake information to would-be victims.

2.2.4. Trojaned Hosts

While the delivery medium for the phishing attack may be varied, the delivery source is increasingly becoming home PC’s that have been previously compromised. As part of this compromise, a Trojan horse program has been installed which allows Phishers (along with Spammers, Warez Pirates, DDoS Bots, etc.) to use the PC as a message propagator. Consequently, tracking back a Phishing attack to an individual initiating criminal is extremely difficult.

It is important to note that the installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies. Many malicious or criminal groups have developed highly successful techniques for tricking home users into installing the software, and now operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon) capable of being used as Phishing email propagators or even hosting fraudulent web-sites.

That is not to say that Phishers are not capable of using Trojan horse software against a customer specifically to observe their confidential information. In fact, to harvest the confidential information of several thousand customers simultaneously, Phishers must be selective about the information they wish to record or be faced with information overload.

Information Specific Trojans
Early in 2004, a Phisher created a custom key-logger Trojan. Embedded within a standard HTML message (both in email format and a few compromised popular web sites) was code that attempted to launch a Java applet called “javautil.zip”. Although appearing to be a binary zip file, it was in fact an executable file that would be automatically executed in client browsers that had lax security permissions.

The Trojan key-logger was designed specifically to capture all key presses within windows with the titles of various names including:- commbank, Commonwealth, NetBank, Citibank, Bank of America, e-gold, e-bullion, e-Bullion, evocash, EVOCash, EVOcash, intgold, INTGold, paypal, PayPal, bankwest, Bank West, BankWest, National Internet Banking, cibc, CIBC, scotiabank and ScotiaBank.

2.3 Phishing Attack Vectors

For a Phishing attack to be successful, it must use a number of methods to trick the customer into doing something with their server and/or supplied page content. There are an ever increasing number of ways to do this. The most common methods are explained in detail below, and include:

2.3.1. Man-in-the-middle Attacks

One of the most successful vectors for gaining control of customer information and resources is through man-in-the-middle attacks. In this class of attack, the attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems. From this vantage point, the attacker can observe and record all transactions.

This form of attack is successful for both HTTP and HTTPS communications. The customer connects to the attackers server as if it was the real site, while the attackers server makes a simultaneous connection to the real site. The attackers server then proxies all communications between the customer and the real web-based application server – typically in real-time.

In the case of secure HTTPS communications, an SSL connection is established between the customer and the attackers proxy (hence the attackers system can record all traffic in an unencrypted state), while the attackers proxy creates its own SSL connection between itself and the real server.

Figure: Man-in-the-middle attack structure

For man-in-the-middle attacks to be successful, the attacker must be able to direct the customer to their proxy server instead of the real server. This may be carried out through a number of methods:

Transparent Proxies
Situated on the same network segment or located on route to the real server (e.g. corporate gateway or intermediary ISP), a transparent proxy service can intercept all data by forcing all outbound HTTP and HTTPS traffic through itself. In this transparent operation no configuration changes are required at the customer end.

DNS Cache Poisoning “DNS Cache Poisoning” may be used to disrupt normal traffic routing by injecting false IP addresses for key domain names. For example, the attacker poisons the DNS cache of a network firewall so that all traffic destined for the MyBank IP address now resolves to the attackers proxy server IP address.

URL Obfuscation Using URL obfuscation techniques, the attacker tricks the customer into connecting to their proxy server instead of the real server. For example, the customer may follow a link to http://www.mybank.com.ch/ instead of http://www.mybank.com/

Browser Proxy Configuration By overriding the customers web-browser setup and setting proxy configuration options, an attacker can force all web traffic through to their nominated proxy server. This method is not transparent to the customer, and the customer may easily review their web browser settings to identify an offending proxy server.
In many cases browser proxy configuration changes setting up the attack will have been carried out in advance of receipt of the Phishing message.

2.3.2. URL Obfuscation Attacks

The secret for many phishing attacks is to get the message recipient to follow a hyperlink (URL) to the attacker’s server, without them realising that they have been duped. Unfortunately phishers have access to an increasingly large arsenal of methods for obfuscating the final destination of the customer’s web request.
The most common methods of URL obfuscation include:

Bad Domain Names
One of the most trivial obfuscation methods is through the purposeful registration and use of bad domain names. Consider the financial institute MyBank with the registered domain mybank.com and the associated customer transactional site http://privatebanking.mybank.com. The Phisher could set up a server using any of the following names to help obfuscate the real destination host:

It is important to note that as domain registration organisations move to internationalise their services, it is possible to register domain names in other languages and their specific character sets. For example, the Cyrillic “o” looks identical to the standard ASCII “o” but can be used for different domain registration purposes - as pointed out by a company who registered microsoft.com in Russia a few years ago.

Finally, it is worth noting that even the standard ASCII character set allows for ambiguities such as upper-case “i” and lower-case “L”.

Friendly Login URL’s
Many common web browser implementations allow for complex URL’s that can include authentication information such as a login name and password. In general the format is URI://username:password@hostname/path.

Phishers may substitute the username and password fields for details associated with the target organisation. For example the following URL sets the username = mybank.com, password = ebanking and the destination hostname is evilsite.com.

http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm

This friendly login URL can successfully trick many customers into thinking that they are actually visiting the legitimate MyBank page. Because of its success, many current browser versions have dropped support for this URL encoding method.

Third-party Shortened URL’s
Due to the length and complexity of many web-based application URLs – combined with the way URL’s may be represented and displayed within various email systems (e.g. extra spaces and line feeds into the URL) – third-party organisations have sprung up offering free services designed to provide shorter URL’s.

Through a combination of social engineering and deliberately broken longs or incorrect URL’s, Phishers may use these free services to obfuscate the true destination. Common free services include http://smallurl.com and http://tinyurl.com. For example:

Dear valued MyBank customer,

Our automated security systems have indicated that access to your online account was temporarily blocked on Friday 13th September between the hours of 22:32 and 23:46 due to repeated login failures.

Our logs indicate that your account received 2935 authentication failures during this time. It is most probable that your account was subject to malicious attack through automated brute forcing techniques (for more information visit http://support.mybank.com/definitions/attacks.aspx?type=bruteforce).

While MyBank were able to successfully block this attack, we would recommend that you ensure that your password is sufficiently complex to prevent future attacks. To log in and change your password, please click on the following URL:
https://privatebanking.mybank.com/privatebanking/ebankver2/secure/customer
support.aspx?messageID=3324341&Sess=asp04&passwordvalidate=true
&changepassword=true

If this URL does not work, please use the following alternative link which will redirect to the full page - http://tinyurl.com/4outd

Best regards,
MyBank Customer Support

Host Name Obfuscation Most Internet users are familiar with navigating to sites and services using a fully qualified domain name, such as www.evilsite.com. For a web browser to communicate over the Internet, this address must to be resolved to an IP address, such as 209.134.161.35 for www.evilsite.com. This resolution of IP address to host name is achieved through domain name servers. A Phisher may wish to use the IP address as part of a URL to obfuscate the host and possibly bypass content filtering systems, or hide the destination from the end user.

For example the following URL:
http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm
could be obfuscated such as:
http://mybank.com:ebanking@210.134.161.35/login.htm

While some customers are familiar with the classic dotted-decimal representation of IP addresses (000.000.000.000), most are not familiar with other possible representations. Using these other IP representations within an URL, it is possible obscure the host destination even further from regular inspection.

Depending on the application interpreting an IP address, there may be a variety of ways to encode the address other than the classic dotted-decimal format. Alternative formats include:

These alternative formats are best explained using an example. Consider the URL http://www.evilsite.com/, resolving to 210.134.161.35. This can be interpreted as:

URL Obfuscation
To ensure support for local languages in Internet software such as web browsers and email clients, most software will support alternate encoding systems for data. It is a trivial exercise for a Phisher to obfuscate the true nature of a supplied URL using one (or a mix) of these encoding schemes.

These encoding schemes tend to be supported by most web browsers, and can be interpreted in different ways by web servers and their custom applications. Typical encoding schemes include:

2.3.3. Cross-site Scripting Attacks

Cross-site scripting attacks (commonly referred to as CSS or XSS) make use of custom URL or code injection into a valid web-based application URL or imbedded data field. In general, these CSS techniques are the result of poor web-application development processes.

While there are numerous vectors for carrying out a CSS attack, Phishers must make use of URL formatted attacks. Typical formats for CSS injection into valid URL’s include: