Phishing, Pharming, and the latest potholes on the Information Highway A Presentation by Ian Loe, CISSP

Agenda Malware Latest potholes on the Information Highway Spyware Phishing Pharming Security industry approach to emerging Malware Corporate Information Security Office approach Recommendations Q & A

Malware

Latest potholes on the Information Highway

Spyware

Phishing

Pharming

Security industry approach to emerging Malware

Corporate Information Security Office approach

Recommendations

Q & A

Malware Short for mal icious soft ware Any software designed specifically to damage or disrupt a system

Short for mal icious soft ware

Any software designed

specifically

to damage or disrupt

a system

Traditional Types of Malware Virus Attaches itself to a program or file and reproduces itself Cannot be spread without a human action Worm Spreads without human intervention Could send out thousands of copies of itself Tunnels into a system to control it remotely Trojan Horse Appears to be useful software/files from a legit source Could delete files and destroy information on a system Creates a back door for malicious access spread Do not reproduce by infecting files nor self-replicate

Virus

Attaches itself to a program or file and reproduces itself

Cannot be spread without a human action

Worm

Spreads without human intervention

Could send out thousands of copies of itself

Tunnels into a system to control it remotely

Trojan Horse

Appears to be useful software/files from a legit source

Could delete files and destroy information on a system

Creates a back door for malicious access spread

Do not reproduce by infecting files nor self-replicate

Phishing and Pharming belong to the family of Spyware Along with many others: Adware Key loggers Dialers Downloaders Back doors Latest Types of Malware

Phishing and Pharming

belong to the family of Spyware

Along with many others:

Adware

Key loggers

Dialers

Downloaders

Back doors

What is Spyware? Any software that covertly gathers information on user activities through the user's Internet connection without his or her knowledge and ships it off to an unknown third-party server over the Internet

Any software that covertly gathers

information on user activities

through the user's Internet connection

without his or her knowledge

and ships it off to an

unknown third-party server

over the Internet

What is Adware? Adware is Commercial Spyware Developed by commercial advertising companies who claim “not malicious intent” Usually created for advertising/marketing purposes

Adware is Commercial Spyware

Developed by commercial

advertising companies

who claim “not malicious intent”

Usually created for

advertising/marketing purposes

How does Spyware work? Independent executable able to: Deliver unsolicited advertising – pop-up ads Monitor keystrokes Scan files on the hard drive Snoop other apps (e.g. chat, word processors) Install other Spyware programs Read cookies Change the default home page on the browser Consistently relays info back to source for: Advertising/marketing purposes Selling the information to another party

Independent executable able to:

Deliver unsolicited advertising – pop-up ads

Monitor keystrokes

Scan files on the hard drive

Snoop other apps (e.g. chat, word processors)

Install other Spyware programs

Read cookies

Change the default home page on the browser

Consistently relays info back to source for:

Advertising/marketing purposes

Selling the information to another party

Spyware Concerns Ethics and privacy Computer’s resources Internet connection bandwidth System crashes or general instability Licensing agreements for software downloads may not always be read The notice of a Spyware installation is couched in hard-to-read legal disclaimers Producers of Adware also produce Anti-Spyware tools – It is a profitable industry

Ethics and privacy

Computer’s resources

Internet connection bandwidth

System crashes or general instability

Licensing agreements for software downloads may not always be read

The notice of a Spyware installation is couched in hard-to-read legal disclaimers

Producers of Adware also produce Anti-Spyware tools – It is a profitable industry

Getting Spyware is Easy Drive-By Installations Social engineering Spoof certificates Web Exploits Every MS Security Bulleting that “Could Allow Code Execution” can be used to install Spyware Bundles Users unwittingly install the product when they install something else – freeware/shareware > Kazaa > Games > Pirated Software > Screensavers > Smileys > Anti-Spyware programs

Drive-By Installations

Social engineering

Spoof certificates

Web Exploits

Every MS Security Bulleting that “Could Allow Code Execution” can be used to install Spyware

Bundles

Users unwittingly install the product when they install something else – freeware/shareware

> Kazaa > Games

> Pirated Software > Screensavers

> Smileys > Anti-Spyware programs

Malicious Spyware Types Key-loggers Log keystrokes and send over the Internet It steals information including passwords Dialers Cause a user’s modem to dial a 900 or 976 number

Key-loggers

Log keystrokes and send over the Internet

It steals information including passwords

Dialers

Cause a user’s modem to dial a 900 or 976 number

Malicious Spyware Types (cont…) Back doors Provide hacker with complete control (e.g. Back orifice) Downloaders Download and install Spyware, Adware, key loggers, dialers, back doors, etc Most commonly installed using web exploits Phishing & Pharming

Back doors

Provide hacker with complete control (e.g. Back orifice)

Downloaders

Download and install Spyware, Adware, key loggers, dialers, back doors, etc

Most commonly installed using web exploits

Phishing & Pharming

What is Phishing? The act of sending a message to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft

The act

of sending a message to a user

falsely claiming to be an established

legitimate enterprise in an attempt to

scam the user into surrendering

private information that will be used

for identity theft

Phishing Purpose They will cast the bait and if you bite, they can lure your personal information out of you ID & Passwords Credit Card Information NRIC / Passport Information Bank Account Numbers

They will cast the bait and if you bite,

they can lure your personal

information out of you

ID & Passwords

Credit Card Information

NRIC / Passport Information

Bank Account Numbers

Bogus Websites to which victims are redirected without their knowledge or consent, look the same as a genuine website But information like login name and password is captured by criminals

to which victims are redirected

without their knowledge or consent,

look the same as

a genuine website

But

information like

login name and password

is captured by

criminals

Pharming Out-Scams Phishing First came Phishing, in which con artists hooked unwary internet users one by one into compromising their personal data Pharmers can scoop up many victims in a single pass

First came Phishing,

in which con artists hooked unwary

internet users one by one into

compromising their personal data

Pharmers

can scoop up many victims

in a single pass

What is Pharming? New use for a relatively old concept: domain spoofing Pharmers simply redirect as many users as possible from legitimate commercial websites to malicious ones

New use for a relatively old concept:

domain spoofing

Pharmers

simply redirect as many users as

possible from

legitimate commercial websites

to malicious ones

Pharming most alarming threat DNS poisoning Large group of users to be silently shuttled to a bogus website even when typing in the correct URL You no longer have to click a URL link to hand over your information to identity thieves

DNS poisoning

Large group of users to be silently shuttled to a bogus website even when typing in the correct URL

You no longer have to click

a URL link

to hand over your information to

identity thieves

Technical Challenges New and evolving technology Quickly adopts all latest techniques from Viruses, Worms and Trojans Attracts the best & brightest hackers Application level threat – existing enterprise defenses lack granularity

New and evolving technology

Quickly adopts all latest techniques from Viruses, Worms and Trojans

Attracts the best & brightest hackers

Application level threat – existing enterprise defenses lack granularity

Spyware Market Place Many providers have started to offer products Market still resembles the wild west and the early days of the Internet Standards and Commercial winners-&-losers have yet to emerge

Many providers have started to offer products

Market still resembles the wild west and the early days of the Internet

Standards and Commercial winners-&-losers have yet to emerge

Enterprise Solutions Emerging Spyware specific desktop tools Desktop agent with no centralized management Use of signatures Desktop Antivirus Detecting a small subset of known Spyware Use of signatures URL Filtering Gateway solution Blocks known Spyware sources – change often Proxy Appliance Stop drive-by installation URL filtering and use of signatures

Spyware specific desktop tools

Desktop agent with no centralized management

Use of signatures

Desktop Antivirus

Detecting a small subset of known Spyware

Use of signatures

URL Filtering

Gateway solution

Blocks known Spyware sources – change often

Proxy Appliance

Stop drive-by installation

URL filtering and use of signatures

Industry Approach - Phishing Based on social engineering – Self defense relies on common sense of the user The automated detection of new Phishing fraud is very difficult Only an extensive forensic analysis by law enforcement can prove the evidence of Phishing Try to mitigate by URL blocking of known URLs of Phishing websites Spam blocking of emails of Phishing scams that are sent en mass

Based on social engineering – Self defense relies on common sense of the user

The automated detection of new Phishing fraud is very difficult

Only an extensive forensic analysis by law enforcement can prove the evidence of Phishing

Try to mitigate by

URL blocking of known URLs of Phishing websites

Spam blocking of emails of Phishing scams that are sent en mass

Industry Approach - Pharming Browsers that could authenticate website identity Browser toolbars displaying the true physical location of a website's host (e.g. Russia) Some financial institutions are experimenting with "multi-factor authentication" logins, including: single-use passwords (e.g. tokens) automatic telephone call-backs

Browsers that could authenticate website identity

Browser toolbars displaying the true physical location of a website's host (e.g. Russia)

Some financial institutions are experimenting with "multi-factor authentication" logins, including:

single-use passwords (e.g. tokens)

automatic telephone call-backs

Security Recommendations Do not open e-mail attachments unless you know the source and are expecting the attachment Do not reply to the e-mail from an unknown source Do not click on entrusted hyperlinks to the Internet Do not download unapproved software from the Internet Do not respond or visit the website indicated by an instant message or e-mail Do not give out personal information over the Internet Before revealing any identifying information, ask how it will be used and secured.

Do not open e-mail attachments unless you know the source and are expecting the attachment

Do not reply to the e-mail from an unknown source

Do not click on entrusted hyperlinks to the Internet

Do not download unapproved software from the Internet

Do not respond or visit the website indicated by an instant message or e-mail

Do not give out personal information over the Internet

Before revealing any identifying information, ask how it will be used and secured.

Questions?

Thank You!