1 / 37

Phishing: When Attacks Get Embedded in Legitimate Websites

Phishing: When Attacks Get Embedded in Legitimate Websites. Live Webinar May 26, 2005. A Word from our Sponsor Imperva. Mission Secure the Data Center Product SecureSphere Dynamic Profiling Firewall Protects proprietary information, custom business applications, and critical servers

Download Presentation

Phishing: When Attacks Get Embedded in Legitimate Websites

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Phishing: When Attacks Get Embedded in Legitimate Websites Live Webinar May 26, 2005

  2. A Word from our SponsorImperva Mission Secure the Data Center Product SecureSphere Dynamic Profiling Firewall • Protects proprietary information, custom business applications, and critical servers • Addresses phishing, identity theft, data theft, malicious robots, worms, denial of service, and SQL injection • Stops web attacks, database breach, and worm infection Data Center Internal Users Proprietary Information Custom Business Applications and Critical Servers SecureSphere Gateways SecureSphere Management Server Imperva Confidential

  3. Today’s PresenterAmichai Shulman - CTO of Imperva Amichai Shulman • Lecturer on Info Security for Technion - Israel Institute of Technology • CTO of Edvice, security consultant to banks and financial services firms • Leads the Application Defense Center (ADC) Application Defense Center (ADC) • Attack and defense techniques presented today are the result of research done at Imperva’s Application Defense Center ADC Data Center Security Series • Monthly live webinars on attacks targeting corporate data centers • “Identity Theft” on 6/23 - register at impervaevents.webex.com Imperva Confidential

  4. PhishingAgenda • What is Phishing • Sizing the Threat • Types of Phishing (demo) • Commonly Proposed Solutions • Phishing Techniques • Cross Site Scripting Phishing (demos) • Script Injection Phishing (demo) • Phishing Defenses • Traditional Defenses • Evasion Techniques • Alternative Solutions Imperva Confidential

  5. Phishing ThreatWhat is Phishing? • Phishing = Social Engineering + Technical Subterfuge • Objective • Steal victim’s credentials • Commit crimes using stolen credentials • Delivery Mechanism • Spoofed E-mail (or website or IM or Weblogs) • Link Sends User to… • Bogus Website Phishing • Real Website Phishing Imperva Confidential

  6. Phishing ThreatHow Significant? • 64 brands reported hijacked by Phishing in Feb., 05 • Dramatic growth over past 2 years • Attack Implications • Lost Revenue • Brand Erosion • Regulatory Issues • GLB • SoX • CA 1386 • HIPAA Source: antiphishing.org Imperva Confidential

  7. Bogus Website Phishing Attack Stealing login and password

  8. Bogus Website Phishing The Bait • Use social engineering (such as email) to get the victim to click on a link with attack Imperva Confidential

  9. Bogus Website Phishing Attack - Easy to Detect • Manual Solutions • User education • User looking at URL sees the website is fraudulent • Automated Solutions • Industry efforts for strict server authentication • Ex. client side plug-ins (TrustBar, NetIBA, etc.) http://www.attacker.com Imperva Confidential

  10. Real Website Phishing Demonstration Stealing login and password T

  11. Proposed Solutions for Phishing Problem Are they sufficient?

  12. Real Website Phishing ThreatProposed Solutions • User awareness • Real Website Phishing has the correct URL and real certificates • Server authentication • Real Website Phishing attacks will authenticate correctly • Hardware Tokens • Real Website Phishing attacks are run on victim’s system • Time sensitive or one-time use passwords • Real Website Phishing can exploit the credentials in real-time Imperva Confidential

  13. Real WebsitePhishing Techniques

  14. Real Website Phishing ThreatPhishing Techniques • Cross Site Scripting • User interacts with real website • The malicious code is stored at theattacker’s site or in the link itself • Script Injection • User interacts with real website • The malicious code is stored inside thereal website’s application database Imperva Confidential

  15. Technique #1Cross Site Scripting (XSS)

  16. Cross Site Scripting How is it Done? • Attack code written in standard client side script language • E.g. JavaScript, VBScript, etc • Link in e-mail mixes calls to real website with attack code • Attack code could be invoked from attackers website • http://www.superveda.com/login.asp?return=javascript.src=http://www.attacker.com/logincapture.jscript • Attack could be completely incorporated into the link • http://www.superveda.com/dosearch.asp?return=<script> ATTACK </script> • Returned webpage mixes both real website and attack Imperva Confidential

  17. Cross Site Scripting (XSS) Phishing Demonstration Stealing cookie credentials T

  18. Technique #2Script Injection

  19. Script Injection How is it Done? • A close relative of Cross Site Scripting (XSS) • Difference is location of attack code • XSS - attacker’s website or in the malicious link • Script Injection - real web application’s database • Location makes all the difference • No action required by user • Attack runs when victim loads the web page • Link can be totally benign • Attack not in the link, the attack is in the site • Potentially liability for website owner since the attack is inside the website Imperva Confidential

  20. Script Injection Phishing Demonstration Attack embedded in real website database T

  21. Real Website Phishing ThreatAttacks Can Be Anything… • Steal user login credentials • Steal cookies credentials • Force victim to execute an action • Any action the victim is allowed to do on the website • Script injected in banking site to transfer funds: f = document.forms[‘transfer_money’] f.to_account.value = ‘Attackers Account’ f.amount.value = 1000000; f.submit() Imperva Confidential

  22. Cross Site Scripting Phishing Demonstration (2) Victim unknowingly makes an purchase T

  23. Traditional Defenses

  24. Traditional DefensesIdentifying Attacks • Attack contain <script>, javascript, or vbscript tags • Widely known attack vectors • <script>alert()</script> • <script src=“http://attacker/script.js”></script> • <img src=“javascript: alert()”> • <img src=“vbscript: alert()”> • Other HTML attributes may contain active code • <body background="javascript: alert()"> • <bgsound src="javascript: alert()"> • <iframe src="javascript: alert()”></iframe> Imperva Confidential

  25. Traditional DefensesAre Signatures Enough? • Solution? • Signature based mechanism • Block all requests with specified text string • “<script>”, “javascript:” or “vbscript:” • NO! • Numerous ways to evade signature engines • Evasions exploit richness and lax parsing of HTML language Imperva Confidential

  26. Signature Evasion Techniques Whitespaces Numerical Character Encoding CSS (Cascade Style Sheets) Event Handlers T

  27. Evasion TechniquesWhitespaces • When between tokens or inside HTML strings, HTML parsers usually ignore line feeds, carriage returns, horizontal tabs and null characters • Instead of “javascript:” we can write J avasc ri p t: Imperva Confidential

  28. Evasion TechniquesNumerical Character Encoding • Encode characters inside HTML strings as numerical values • Only the word string in <tag attribute=“string”> can be numerically encoded • Enables attack to evade detection of the “javascript:” pattern string by encoding one or more of its characters • 25 different ways to encode ‘j’: ‘j’ = &#106; = &#0106; = … = &#0000106; = &#x6a; = &#x06a; = … = &#x00006a; = = &#X6a; = &#x6A; ... • The semicolons are many times not required, so we get an even greater variety of encodings Imperva Confidential

  29. Evasion TechniquesCSS (Style Sheets) • Style attributes can also be dynamically computed using JavaScript code: • <div style="width: expression(alert(‘Imperva’))"> • Style sheets need not be embedded in HTML code; it can be imported from another file, even on a different host (e.g, the attacker’s) using the <link> tag • In http://attacker/attack.css: p { background-image: expression(alert(“Imperva")); } • In the attack vector: <link rel="stylesheet" href=“http://attacker/attack.css"> <p></p> Imperva Confidential

  30. Evasion TechniquesEvent Handlers • HTML event handlers are implicitly assumed to be in JavaScript, and therefore do not require the “javascript:” directive: • <body onLoad="alert(c)"> • <img src="http://wherever/doesnt_exist.jpg" onError="alert()"> • <marquee onStart="alert()"></marquee> • More: • <div style='position: absolute; left: 0px; top: 0px; height=1000px; width=1000px' onMouseOver="alert()"></div> • <table onMouseOver="alert()" height=1000 width=1000> • Many more event handlers (up to 80!) can be utilized Imperva Confidential

  31. Evaluating Alternative Defenses Traditional Defenses Application Aware Defenses

  32. Evaluating Alternative Defenses Traditional Defense • Apply very large set of signatures to ALL traffic • onLoad, onMouseOver, onFocus, … • <script>, <link>, <img>, style=, … • Many more we haven’t covered here • Problems • Easy to evade with client-side encoding features • e.g. whitespace, numerical encoding, etc • Multiple signatures have performance penalty • Multiple signatures results in false positives • Can not block everything that remotely resembles HTML (i.e. that have <angular> brackets or an equal sign) • In some places users are allowed to type in HTML code Imperva Confidential

  33. Evaluating Alternative Defenses Application Aware Defense • Focus the search • Only inspect relevant fields • identify dynamic pages, parse HTTP correctly • Don’t bother with fields that normally accept scripts • e.g. forms that allows editing of HTML text • Detect attacks only if field contains suspicious characters • < > = & # etc. • Cover all cases • Normalize input using client-side decoding • Remove redundant white space and decode numerical HTML and style sheet encodings • Apply client side decoding only if required • Create a comprehensive set of signatures • Minimize performance penalty & maximize accuracy Imperva Confidential

  34. A Practical Approach to Real Website Phishing

  35. SecureSphere Dynamic Profiling FirewallApplication Aware Defense • ADC Signatures • Comprehensive set of signatures • Dynamic Profiling • Identifies the relevant fields for signature checking • Automatically models the structure and dynamics of.. • Web Application: URLs, cookies, users, parameters, sessions, etc. • Database: SQL queries, tables, parameters, users, etc. • Automatically updated • ADC Signatures updated on regular basis • Dynamic Profiling automatically adapts to app/db changes Internal Users Data Centers SecureSphere Gateways SecureSphere Management Server Imperva Confidential

  36. Q & A

  37. Thank You Imperva, Inc. 950 Tower Lane, Suite 1710Foster City, CA 94404   Sales: (866) 926-4678 www.imperva.com Imperva Confidential

More Related