Phishing: Swimming with the Sharks
Presentation used to discuss types of phishing attacks and solutions


1. Phishing: Swimming with the Sharks
   By Nalneesh Gaur, InfoSecurity New York, Oct 24, 2006
2. Outline
  • What Is Phishing?
  • The Attacks, Lifecycle and Players
  • Trends and Implications
  • Solutions For The Enterprise
  • Solutions For The Individual
  • Resources
3. What Is Phishing?
   Phishing uses both social engineering and technical ploys to steal personal information for financial gain.
  • The Anti-Phishing Working Group (APWG) defines phishing as the use of both social engineering and technical ploys to steal consumers' personal identity data and financial account credentials.
  • Email is the most common channel for attacks. However, attacks via search engines, user forums, instant messengers (IM), VoIP, mobile phones and fake advertisement banners are not uncommon.
  • Six commonly seen attacks follow:
    • Fraudulent link: WYSINWYG (What You See Is Not What You Get)
    • Trojan crimeware
    • Forms in email
    • Address bar forgery
    • Out-of-band reply
    • Pharming
   Technical ploys range from simple to sophisticated.
4. Example Attacks (Fraudulent Link)
   The link in the phishing email takes the victim to a look-alike site. (Source: Anti-Phishing Working Group)
5. Example Attacks (Fraudulent Link)
   Criminals capitalize on global events: a tsunami, a crisis in the Middle East or the Michael Jackson trial are all exploited to trick the user into submitting personal information. (Source: Anti-Phishing Working Group)
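The WYSINWYG link on slides 4 and 5 can be caught mechanically: the visible text of an anchor is compared with where its href actually goes, and the href itself is checked for the usual disguises (a raw IP address, a `user@host` prefix, the bank's name buried inside someone else's domain). The Python below is an added example written for this page, not code from the presentation; the e-mail body, the hosts (RFC 5737 documentation addresses and the made-up names example-bank.com and attacker.example) and the `trusted_domain` parameter are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body, written for this example.
# Hosts are documentation ranges/names (RFC 5737, .example) and not real sites.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your details within 24 hours:</p>
<a href="http://192.0.2.10/login">https://www.example-bank.com/secure</a><br>
<a href="http://www.example-bank.com.attacker.example/login">www.example-bank.com</a><br>
<a href="http://www.example-bank.com@203.0.113.5/">Click here to verify</a><br>
<a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL; text such as 'www.example.com' without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify_link(href, text, trusted_domain):
    """Return the reasons a link looks fraudulent (an empty list means it looks fine)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    # 1. A bare IP address where the institution's hostname belongs.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("href points at a raw IP address")

    # 2. user@host trick: browsers treat the part after '@' as the real host.
    if parsed.username is not None:
        reasons.append("href hides the real host %s behind '@'" % host)

    # 3. The trusted name appears inside a different domain (www.bank.com.attacker.example).
    if trusted_domain in host and host != trusted_domain and not host.endswith("." + trusted_domain):
        reasons.append("trusted name embedded in foreign domain %s" % host)

    # 4. WYSINWYG: the visible text is itself a URL whose host differs from the href's host.
    if re.match(r"(https?://|www\.)", text, re.IGNORECASE):
        shown = host_of(text)
        if shown and shown != host:
            reasons.append("displayed host %s differs from actual host %s" % (shown, host))
    return reasons


def scan_email(html, trusted_domain):
    """Return [(href, text, reasons)] for each suspicious link in an HTML e-mail body."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = classify_link(href, text, trusted_domain)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML, "example-bank.com"):
        print("%-52s shown as %-38s -> %s" % (href, text, "; ".join(reasons)))
```

Run against the constructed body, three of the four links are flagged and the genuine help link passes. The checks are deliberately cheap string rules of the kind a mail gateway or browser toolbar can apply; they do not replace a reputation lookup, and a phisher who registers a plausible domain of their own and shows it honestly in the anchor text is not caught by any of them.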
6. Example Attacks (Trojan Crimeware)
   Users are tricked into installing Trojans that capture personal information.
  • An instant-message window prompts the user to click on a link. Most unsuspecting users will just click it. The attachment it delivers actually tries to install Trojan crimeware on the system.
7. Example Attacks (Trojan Crimeware)
   Trojan crimeware is capable of keystroke and screen capture, redirection, and more.
  • This phish is an email purporting to be from eBay. When the link in the email is clicked, the website tries to use an Internet Explorer exploit (MHTMLRedir.Exploit) that causes Internet Explorer to execute code on the PC without the user's permission. In this case Internet Explorer is used to install a keylogger on the machine, which then captures any private information the user types. This type of attack is detectable by some anti-virus software. (Source: Anti-Phishing Working Group)
8. Example Attacks (Forms in Email)
   HTML-enabled email delivers the phish within the body of the email itself: the message asks the victim for personal information inside the email message. (Source: Anti-Phishing Working Group)
9. Example Attacks (Address Bar Forgery)
   Address bar forgery succeeds because it relies on default desktop settings. After the initial splash screen the phish proceeds to request personal information.
   [Screenshots: the forged address bar, shown twice]
10. Example Attack (Address Bar Forgery)
   Address bar forgery will even trick the user who relies on the site address to detect a phish; the unsuspecting user may not be able to tell that they are dealing with a phish.
   [Screenshot: address bar forgery again] (Source: Anti-Phishing Working Group)
11. An Example Attack (Out-of-band Reply)
   Even savvy users may be tricked when asked to provide a response over the phone.
  • The user receives an email requiring them to provide identity information via phone. The phisher sets up a special-purpose VoIP phone number together with a PBX system.
   Sample phishing email (source: Gary Warner, Anti-Phishing Working Group):
      Dear Customer,
      We've noticed that you experienced trouble logging into Santa Barbara Bank & Trust Online Banking. After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure. Call this phone number ( 1-805-214-4801 ) to verify your account and your identity.
      Sincerely,
      Santa Barbara Bank & Trust Inc. Online Customer Service
12. Pharming
   Pharming attacks are difficult to detect because they target infrastructure elements.
  • Attacks on Internet infrastructure elements involve:
    • Exploiting weaknesses in the DNS infrastructure (known since 1998, when InterNIC was hijacked)
    • Tampering with routers (attacks on a Brazilian ISP, 2003)
    • Replacing or tampering with proxy servers
    • Installing bogus access points, also referred to as evil twins (Wi-phishing)
  • Attacks on end-user machines (with malware):
    • Tampering with the hosts file
    • Configuring the user's machine to use a rogue proxy server
    • Hooking browser functions (such as HttpSendRequest in wininet.dll)
  • The unsuspecting user is directed to a fake site because DNS resolves the name to the IP address of a malicious site.
   [Diagram: DNS entry with the actual IP vs. DNS entry with the malicious site's IP; the addresses are not preserved here]
  • Examples of DNS poisoning attacks:
    • 11/04: Google and Amazon users were sent to "Med Network," an online pharmacy.
    • 11/04: The Trojan Banker A/j worm watched for users to visit specific banking sites and then grabbed their personal information.
    • 03/03: Visitors to the Al-Jazeera site were hijacked by a so-called group "Freedom Cyber Force Militia" using DNS poisoning. Al-Jazeera users read a message: "God bless our troops."
13. Phishing Attack Lifecycle
   The crime syndicates are highly organized. (Source: The FSTC Counter-Phishing Solution Survey)
   Phishers distribute automated tools and kits over the Internet to speed up each step in the lifecycle.
14. Phishing Kits
   Phishing kits contain the content necessary to launch a phishing attack. They are easily available on the Internet for as little as $150; the particular kit shown on the slide can be used to target up to 20 institutions.
15. Trojan Crimeware Kits
   Crimeware kits distribute and administer Trojans and collect personal information. (Source: Enrique Gonzalez, Panda Software)
16. Crimeware Tools
   Crimeware tools are sophisticated and easy to use.
17. Crimeware Is for Real
   Sophisticated screen scrapers bypass anti-keylogging mechanisms. (Source: Hispasec Sistemas)
18. Crimeware Evades Detection
   Anti-virus tools are unable to detect crimeware Trojans.
19. After The Phish
   Phishers use the captured information for money laundering and to commit financial fraud.
  • Examples of how criminals use stolen information:
    • Contacting the victim's credit card issuer and changing the mailing address.
    • Requesting additional credit/debit cards and a new PIN to facilitate cash-advance fraud.
    • Obtaining new credit cards using the victim's name, date of birth and SSN, but a different mailing address.
    • Maxing out credit card limits.
    • Establishing phone or wireless service in the victim's name.
    • Opening a bank account in the victim's name.
    • Filing for bankruptcy in the victim's name to avoid paying debts incurred in that name or to avoid eviction.
    • Counterfeiting checks or debit cards to drain the victim's bank account.
    • Purchasing automobiles, boats etc. through loans obtained using the victim's personal information.
    • Giving the victim's name to the police during an arrest.
   [Diagram: credit cards / personal information flow through carders and phishing mules (via eBay and PayPal) to financial gain and money laundering]
   Carders and phishing mules are the means to commit financial fraud.
20. The Carders
   Carders trade or deal in stolen credit card information.
  • Carders are sophisticated and organized; they use automation (bots), specialized IRC channels and related web sites to exchange information.
    • A command language is used to access the bot's database. The bot simply listens on the IRC channel and responds to issued commands. Channel participants often use open proxies or compromised hosts to obfuscate themselves.
    • The bulk of the activity seems to originate from South Asia, the former Eastern bloc and the Pacific Rim.
  • They recruit other carders.
    • Sample of the command set carders use:
      • !cc: obtains a credit card number from the database
      • !cclimit card_number: determines the available credit
      • !chk card_number: checks a credit card for validity
    • Example IRC transaction (source: Honeynet Project):
      #MasterCcs 10:00:49 newbie: what i have to type to get cc info ?
      #MasterCcs 10:01:15 helper: type !cc
      #MasterCcs 10:04:04 newbie: !cc
      #MasterCcs 10:05:33 Ccs`: newbie!cc Name: Yukio XXXXXXXX |Address: X-X-X-XXX |City: Koduru-shi |State: Tokyo |Zip: XXX-XXXX |Phone: NA |Country: Japan |CardType: American Express |Card Number: XXXXXXXXXXXXXXX XXXX
21. Forging a Magnetic Card Is Easy
   The equipment and card stock to forge magnetic cards can be obtained for under $1000.
   Track 1 is recorded at 210 bits per inch (bpi) and holds 79 read-only characters of 6 bits plus a parity bit. Track 2 is 75 bpi and holds 40 characters of 4 bits plus a parity bit. Track 3 is 210 bpi and holds 107 characters of 4 bits plus a parity bit.
  • Track 1: primary account number, name, expiration date, discretionary data
  • Track 2: primary account number, expiration date, PIN offset and CVV code (ATM/debit cards)
  • Track 3 (not standardized): encrypted PIN, amount authorized
  • Stripe Snoop is an open-source suite of tools that captures, modifies, validates, generates, analyzes and shares data from magstripe cards.
  • The perpetrator can then modify the Track 1 and Track 2 information to suit their needs.
  • Note:
    • PIN offset ≠ PIN
    • CVV ≠ CVV2
  • With ATM and PIN-debit fraud, criminals can immediately get their hands on cash.
  • Often, financial institutions do not validate the Track 2 security data when authorizing ATM and PIN-debit transactions.
  • The PIN offset needs to be re-recorded on the magnetic stripe each time the PIN is changed.
  • The CVV can be brute-forced.
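To make the track layout above concrete, here is an added Python example (not from the presentation and not Stripe Snoop code) that parses constructed Track 1 and Track 2 strings in the ISO/IEC 7813 format, runs the Luhn check on the PAN, decodes the service code and cross-checks the two tracks against each other. The sample PAN is the standard Luhn-valid test number 4111 1111 1111 1111, the cardholder and expiry are invented, and the discretionary data is filler: where an issuer places the CVV or PIN offset inside it is issuer-specific and is not decoded here.

```python
import re

# Constructed sample tracks for this example. The PAN is the well-known Luhn-valid
# test number 4111 1111 1111 1111, not a real account.
# Track 1 (ISO/IEC 7813): %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
# Track 2:                ;<PAN>=<YYMM><service code><discretionary>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

_TRACK1 = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
_TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# Meaning of the first and third service-code digits (ISO/IEC 7813).
_INTERCHANGE = {"1": "international", "2": "international, IC chip preferred",
                "5": "national", "6": "national, IC chip preferred", "7": "private"}
_PIN_RULES = {"0": "PIN required", "1": "no restrictions", "2": "goods and services only",
              "3": "ATM only, PIN required", "4": "cash only", "5": "goods and services, PIN required"}


def luhn_ok(pan):
    """Luhn mod-10 check: catches typos and corrupt reads, says nothing about authenticity."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _fields(match):
    exp = match.group("exp")
    svc = match.group("svc")
    return {
        "pan": match.group("pan"),
        "luhn_ok": luhn_ok(match.group("pan")),
        "expiry": "20%s-%s" % (exp[:2], exp[2:]),      # YYMM -> YYYY-MM
        "service_code": svc,
        "interchange": _INTERCHANGE.get(svc[0], "reserved"),
        "pin_rule": _PIN_RULES.get(svc[2], "other"),
        "discretionary": match.group("disc"),          # issuer-specific; holds CVV / PIN offset
    }


def parse_track1(data):
    m = _TRACK1.match(data)
    if not m:
        raise ValueError("not a format-B track 1 string")
    rec = _fields(m)
    rec["name"] = m.group("name")
    return rec


def parse_track2(data):
    m = _TRACK2.match(data)
    if not m:
        raise ValueError("not a track 2 string")
    return _fields(m)


def cross_check(t1, t2):
    """Fields that disagree between the two tracks; a re-encoded card often has them
    inconsistent. The issuer must still verify the CVV / PIN offset in the discretionary
    data, which this example does not decode."""
    return [f for f in ("pan", "expiry", "service_code") if t1[f] != t2[f]]


if __name__ == "__main__":
    t1, t2 = parse_track1(SAMPLE_TRACK1), parse_track2(SAMPLE_TRACK2)
    print(t1)
    print(t2)
    print("mismatches between tracks:", cross_check(t1, t2))
```

A passing Luhn check and mutually consistent tracks are exactly what a cloned card with a copied PAN also produces; the only field on the stripe that can distinguish a copy from a forgery is the issuer's CVV/PIN-offset data in the discretionary field, which is why the slide's point about institutions that skip Track 2 validation matters.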
22. Phishing Mules
   Phishers recruit "mules" to launder money using a ploy.
  • Thousands of Australians were lured into a "training program" with Credit Suisse, with the promise of a career opportunity. Once hooked, the mules were asked to transfer money as part of the training exercise. A very convincing URL was used for the site, located at: en/application_form.html
  • Viagra, Rolex watches and work-from-home offers are other lures phishers use on unsuspecting users.
  • All accounts are useful:
    • Lots of money: spend it
    • No money: use it for laundering
    • Good credit: open new accounts
23. Trends: Rise in Crimeware
   Financial institutions are clearly the target, and the use of crimeware is increasing. (Source: Anti-Phishing Working Group)
24. Trends and Implications
   Crimeware will improve in sophistication and increasingly exploit new vulnerabilities.
  • Trends
    • Financial institutions will continue to be top targets. Phishing attacks will increasingly victimize the identity of small to medium-size institutions and their clients.
    • Phishing attacks and other frauds will continue to exploit global events such as tsunamis and holidays.
      • According to Louis M. Reigel, assistant director for the FBI, roughly 2,300 Katrina-related web sites had been identified as of September 1st, only three days after the hurricane hit. Of the 800 web sites the FBI investigated, 60% were presumed to be fraudulent.
    • Phishers will use multiple channels to solicit and collect phishing responses.
    • Crimeware will get more sophisticated and its distribution more aggressive.
  • Implications
    • Medium and small-size institutions will collaborate to address the threat of phishing.
    • Regulations targeting identity theft will be signed into law.
    • Site takedown services will likely be the only direct response available to many organizations after a phish.
    • Browsers will detect phishing with increasing sophistication.
    • Institutions will increasingly encourage their clients, via various means, to actively protect their own endpoints (their PCs) with anti-virus, anti-spyware, OS patching and firewalls.
25. Enterprise Preventative Measures
   Strong authentication defeats the reuse of captured credentials.
  • Address the inherent problem of reusable passwords.
  • Two-factor authentication and/or user X.509 certificates help address the problem.
  • Two-step authentication.
  • Anti-keylogging mechanisms.
  • Currently used by:
    • AOL
    • HSBC
    • Bank of America (13.2 million customers)
    • Stanford Federal Credit Union
  • Pros: replay attacks fail
  • Cons: large-scale deployment is a challenge. Note also that a one-time code relayed in real time by a man-in-the-middle phishing site can still be used once; strong authentication stops replay, not every misuse.
26. Enterprise Preventative Measures
   Digitally signed email authenticates the sender.
  • Uses an industry standard such as S/MIME (supported by MS Outlook, Notes, etc.) and provides assurance that the "From:" address is not spoofed.
  • Addresses the spam issue and provides a trail to the phisher.
  • Signing email at the email gateways will allow faster adoption than making every individual user sign outgoing email.
  • Pros: legitimacy of the email is verified
  • Cons: suffers from "SSL padlock syndrome": users do not look for the signature indicator, just as they do not look for the browser padlock
27. Enterprise Preventative Measures
   Sender email server authentication verifies that the sending server is authorized for the sender's domain.
  • A number of proposed systems have surfaced for validating a sender's email: SPF (Sender Policy Framework, originally "Sender Permitted From"), Microsoft's Sender ID and Yahoo's DomainKeys.
  • SPF and Sender ID determine whether email from a particular domain is permitted to originate from a particular IP address; DomainKeys instead signs the message with a key published in the domain's DNS.
  • This primarily addresses the spam issue but does not prevent a phisher from registering their own domain and publishing a valid policy for it.
  • Pros: largely addresses spam
  • Cons: not all spam or phishing is addressed
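The "is this IP permitted to send for this domain" decision that SPF and Sender ID make can be shown in a few lines. The Python below is an added example, not code from the presentation or from any SPF implementation; the domains, records and addresses (RFC 5737/3849 documentation ranges) are constructed, and only the mechanisms that need no DNS lookup (`ip4`, `ip6`, `all`) are implemented, with the DNS-dependent ones reported as `permerror` rather than modelled. The `attacker.example` entry illustrates the slide's caveat: a phisher who registers a domain and publishes a correct record for it passes the check.

```python
import ipaddress

# Constructed zone data for this example: the TXT/SPF record each domain would publish.
# None models a domain with no SPF record at all. Addresses are documentation ranges.
SPF_RECORDS = {
    "example-bank.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:100::/48 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "nopolicy.example": None,
}

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS):
    """Evaluate the domain's SPF record for the connecting sender IP.

    Only the ip4, ip6 and all mechanisms are implemented (they need no DNS lookups);
    a, mx, include, exists and redirect= would need live DNS and return 'permerror' here.
    Results use the SPF vocabulary: pass, fail, softfail, neutral, none, permerror.
    """
    record = records.get(domain)
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                       # an unprefixed mechanism means 'pass'
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return _QUALIFIERS[qualifier]     # catch-all; usually '-all' or '~all'
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return _QUALIFIERS[qualifier]
            continue
        return "permerror"   # mechanism needing DNS: not modelled in this offline example
    return "neutral"         # record ended without an 'all' term


def envelope_from_domain(mail_from):
    """Domain of the SMTP MAIL FROM address, which is what SPF is evaluated against."""
    return mail_from.rsplit("@", 1)[-1].lower()


if __name__ == "__main__":
    for mail_from, ip in [("alerts@example-bank.com", "192.0.2.25"),
                          ("alerts@example-bank.com", "203.0.113.7"),
                          ("alerts@attacker.example", "203.0.113.7"),
                          ("alerts@nopolicy.example", "203.0.113.7")]:
        print("%-26s from %-14s -> %s" % (mail_from, ip, check_spf(envelope_from_domain(mail_from), ip)))
```

The second and third lines of the output make the slide's point: the same phishing host fails for the bank's domain and passes for the phisher's own, so SPF tells a receiver who is allowed to send as a domain, not whether the domain is the one the recipient thinks it is.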
28. Enterprise Preventative Measures
   Improving user awareness is effective when done properly, but should not be the only solution.
  • Companies can provide their customers/employees with information on how to prevent phishing attacks.
  • For internal communication, consider a combination of the following:
    • Internal security web site
    • Internal blog
    • Mandatory security training
    • Annual security forum/days
    • Phishing/pharming quiz
    • Computer Security Day
  • Most successful when communication is frequent and uses a variety of media (email, web, postcard).
  • Pros: most effective for those who get it
  • Cons: time consuming
29. Enterprise Preventative Measures
   Personalization features act as a shared secret between the user and the institution.
  • Provide a cue to users by means of colors, sounds, images and CAPTCHAs. Themes and colors are effective with users who are not well versed in the details of Internet security.
  • Authentication usually involves two steps:
    • 1st step: username, after which the user's chosen image is shown
    • 2nd step: password, after which the user is authenticated
  • Pros: intuitive to users
  • Cons: users may not use personalization features unless they are forced upon them. Also, because the image is revealed on the strength of the username alone, a phishing site that relays the username to the real site can display the correct image.
30. Enterprise Preventative Measures
   Improving web application security will minimize the exposures available to phishers.
  • Perform content validation (input and output) to address cross-site scripting issues.
  • Careful handling of session information is critical, e.g.:
    • Expire session IDs
    • Never recycle session IDs
    • Avoid URL-based session IDs
    • Differentiate between HTTP and HTTPS session IDs
  • Perform URL validation to prevent a phisher from supplying malicious URLs.
  • Pros: keeps control on the server side
  • Cons: requires periodic review and modification
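The four session-handling rules above can be demonstrated with a small server-side session table: IDs come from a CSPRNG, expire on idle and absolute timeouts, are never reissued once retired, travel in a cookie rather than the URL, and an ID established over HTTPS is refused on plain HTTP. This is an added Python example, not code from the presentation; the timeout values and the cookie name are assumptions, and the `clock` parameter exists only so the expiry logic can be exercised without waiting.

```python
import secrets
import time

# Policy values assumed for this example; a real deployment sets them per risk appetite.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session expires
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


class SessionStore:
    """Server-side session table that issues random, non-reusable, expiring IDs."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}        # session id -> {"user", "created", "last", "https"}
        self._retired = set()  # every id ever ended; never handed out again

    def _fresh_id(self):
        while True:
            sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            if sid not in self._live and sid not in self._retired:
                return sid

    def create(self, user, over_https):
        now = self._clock()
        sid = self._fresh_id()
        self._live[sid] = {"user": user, "created": now, "last": now, "https": over_https}
        return sid

    def lookup(self, sid, over_https):
        """Return the user for a valid session, or None (unknown, expired, or wrong channel)."""
        entry = self._live.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last"] > IDLE_TIMEOUT or now - entry["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        # An id established over HTTPS is never honoured on plain HTTP, so an id that
        # leaks on the clear channel (sniffing, a phisher's http:// link) buys nothing.
        if entry["https"] and not over_https:
            return None
        entry["last"] = now
        return entry["user"]

    def rotate(self, sid, over_https):
        """Replace the id (at login, or on the HTTP -> HTTPS transition) so an id that was
        planted or observed beforehand is worthless afterwards."""
        entry = self._live.pop(sid, None)
        if entry is None:
            return None
        self._retired.add(sid)
        entry["https"] = over_https
        new_sid = self._fresh_id()
        self._live[new_sid] = entry
        return new_sid

    def destroy(self, sid):
        if self._live.pop(sid, None) is not None:
            self._retired.add(sid)


def session_cookie(sid, over_https):
    """Set-Cookie value carrying the id in a cookie, not in the URL, so it is not leaked via
    Referer headers, bookmarks or forwarded links; Secure keeps an HTTPS id off plain HTTP."""
    attrs = ["SESSIONID=" + sid, "Path=/", "HttpOnly"]
    if over_https:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("alice", over_https=False)       # browsing the public site over HTTP
    logged_in = store.rotate(anon, over_https=True)       # login over HTTPS: new id, old one retired
    print(store.lookup(anon, True), store.lookup(logged_in, True), store.lookup(logged_in, False))
    print(session_cookie(logged_in, True))
```

Rotating at login is the specific defence against a phisher who hands the victim a link carrying a pre-chosen session ID (session fixation); combined with refusing URL-based IDs, the attacker never ends up holding an ID that the server will honour after authentication.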
31. Enterprise Preventative Measures
   Maintaining consistent URLs will help users who rely on them to detect a phish.
  • Do not use shortened ("tiny") URLs.
  • Use one domain for all customer communication.
  • Pros: simple and good for brand identity
  • Cons: may require application modification
32. Enterprise Preventative Measures
   Improving infrastructure security will thwart pharming attacks.
  • Establish minimum security baseline standards for routers and firewalls.
  • Although obvious: patch management, anti-spam, anti-spyware and anti-virus software must be implemented and kept updated.
  • Proactively register related Internet domains.
  • Upgrade DNS servers to BIND 9.
  • Address DNS cache poisoning: configure DNS servers to reject spurious additional records. If the query is for a name in one domain, accept only additional records for that domain and reject additional records for any other domain.
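The rule in the last bullet (and the DNS-poisoning cases on slide 12) is the bailiwick check: a resolver that asked the name servers for one zone may cache only records whose owner name lies inside that zone, whatever else the response carries. The Python below is an added example, not code from the presentation or from BIND; the response records, the zone and the addresses (RFC 5737 documentation ranges) are constructed for the example, and the two "trick" names show why the suffix comparison must respect label boundaries.

```python
# Constructed DNS response for this example: the resolver asked the example.com name
# servers for www.example.com and got back these answer/authority/additional records.
# The 203.0.113.x entries model the poison an attacker tries to slip in beside a real answer.
QUERIED_ZONE = "example.com"
CONSTRUCTED_RESPONSE = [
    ("www.example.com.",              "A",  "192.0.2.80"),
    ("example.com.",                  "NS", "ns1.example.com."),
    ("ns1.example.com.",              "A",  "192.0.2.53"),       # glue, in bailiwick
    ("www.example-bank.com.",         "A",  "203.0.113.7"),      # unrelated bank: poison
    ("example.com.attacker.example.", "A",  "203.0.113.8"),      # zone name used as a prefix
    ("evilexample.com.",              "A",  "203.0.113.9"),      # suffix match without the dot
    ("ns.attacker.example.",          "A",  "203.0.113.10"),
]


def _canon(name):
    """Lower-case and strip the trailing dot so 'Example.COM.' and 'example.com' compare equal."""
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True when `name` is `zone` itself or a subdomain of it, on a label boundary."""
    name, zone = _canon(name), _canon(zone)
    return name == zone or name.endswith("." + zone)


def filter_response(zone, records):
    """Split records into those a resolver may cache from this server and those it must drop."""
    accepted, rejected = [], []
    for owner, rtype, value in records:
        (accepted if in_bailiwick(owner, zone) else rejected).append((owner, rtype, value))
    return accepted, rejected


class Cache:
    """Minimal resolver cache that only learns in-bailiwick records."""

    def __init__(self):
        self._data = {}

    def learn(self, zone, records):
        accepted, rejected = filter_response(zone, records)
        for owner, rtype, value in accepted:
            self._data[(_canon(owner), rtype)] = value
        return len(accepted), len(rejected)

    def get(self, name, rtype):
        return self._data.get((_canon(name), rtype))


if __name__ == "__main__":
    cache = Cache()
    print("accepted/rejected:", cache.learn(QUERIED_ZONE, CONSTRUCTED_RESPONSE))
    print("www.example.com      ->", cache.get("www.example.com", "A"))
    print("www.example-bank.com ->", cache.get("www.example-bank.com", "A"))
```

Without the filter, the fourth record would sit in the cache until its TTL expired and every user of that resolver who typed the bank's real address would land on the phisher's server, which is the pharming scenario the slide describes; with it, the poison is discarded and the bank's name is resolved only when its own zone is asked.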
33. Enterprise Detective/Corrective Measures
   A holistic solution should incorporate detective and corrective features.
  • Detective
    • Follow domain registrations closely
    • Active web monitoring
    • Honeypots and anti-spam solutions can be used to detect phishing attempts
  • Corrective
    • Phish takedown services
    • Victim rehabilitation
    • Forensics
    • Lessons learned/review
34. Solution Categories
   Approximately 200 vendors seek to provide solutions to phishing. A vendor matrix for each category is available at the APWG members-only site (Solution Evaluation/Trial group).
35. Solutions For The Individual
   The individual user needs to be vigilant and exercise caution.
  • Use security best practices for workstations and applications, e.g. patch frequently, use strong passwords.
  • Individuals need to modify their behavior.
  • Use a different web browser.
  • Assess user rights.
  • Where available, use site personalization features.
  • Deploy a browser-based plug-in solution to detect phishing attacks.
  • Understand how your online account information is updated.
  • Create unique passwords for each site.
  • Add a fraud alert to your credit history.
  • Report phishing attempts.
  • Report phishing attacks that succeeded: call 1-877-ID-THEFT.
36. The Statistics
  • VeriSign's iDefense found that the number of keyloggers unleashed by hackers increased by 65 percent in 2005.
  • A recent study by Forrester found that some 600,000 of the UK's 15 million internet banking customers have turned away from online financial transactions because of concerns about keystroke-logging software and phishing emails.
  • A recent study by IDG of 1,500 respondents found that 49% couldn't identify "phishing" scam email messages.
  • Phishing is on the National Consumers League's top-10 list of Internet frauds, ranking as much of a problem for the vulnerable as Nigerian bank frauds.
  • A recent study by TowerGroup claimed that the value of potential fraud losses from phishing would total just $137.1 million globally in 2004.
  • A Gartner study estimated that 30 million Americans have received a phishing attack, and about 3% (1.78 million) submitted personal and/or financial information. In another study, Gartner estimated that phishing will inhibit e-commerce growth rates by 1-3%.
  • An APWG study released in 07/06 noted 23,670 phishing email messages reported, a decrease in traditional phishing sites but an increase in crimeware. A few other highlights:
    • Number of brands hijacked by phishing campaigns in July: 154
    • Average lifespan of a phishing site in July: 4.8 days
    • Longest time online for a site: 31 days
    • The US leads in number of hosted phishing sites (27.9%), followed by China (12%), Korea (10%), France, Australia and Germany
    • Financial services (93.5%), followed by ISPs and retailers, tend to be the most targeted industry sectors
  • A study conducted by the Ponemon Institute (November 2004) revealed that phishing could cost consumers $500 million this year. The same study also found that 70% of its surveyed users have unintentionally visited a spoofed web site, and more than 15% admit to revealing sensitive personal information in the process.
37. Resources
   The links on these two slides were not preserved in this copy; the descriptions follow.
  • Anti-Phishing Working Group site: a professional working group dedicated to understanding and eradicating online identity theft
  • Internet Crime Complaint Center site
  • Australian web site to combat not just phishing but Internet fraud in general
  • FBI Internet Fraud Complaint Center
  • Site with a phishing quiz that tests awareness
  • ID theft quiz from the Better Business Bureau
  • Site that shows how to obscure a URL
  • Consumer advice on "How Not to Get Hooked by a Phishing Scam"
  • FTC web site on consumer ID theft
  • Financial Services Technology Consortium effort to address the problem of phishing
  • The Sender ID framework
  • The Reverse Mail Exchanger (RMX) specification
  • The Sender Permitted From (SPF) specification
38. Resources (cont.)
  • Federal Government site for phishing awareness
  • Demonstration of the frame injection vulnerability
  • Phishing prevention tips brochure
  • UK Government web site on identity theft
  • Microsoft/eBay/Visa anti-phishing aggregation service
  • The National Consumers League's informational site on phishing
  • Anti-phishing toolbar for Internet Explorer and Firefox
  • Spam data-mining portal
  • Joint enforcement initiative between industry and law enforcement
  • The Stanford University unique-passwords-via-password-hashing solution (PwdHash)
  • Phishing attack demonstrations