360 likes | 587 Views
Fighting Phishing site at the front line --CNCERT/CC Anti-Phishing activities review. CNCERT/CC. Jun. 2005 FIRST www.cert.org.cn. Abstract :. Overview of Phishing Responsibility Experience of CNCERT/CC Review and prospect Conclusion . Overview of Phishing. What is Phishing?.
E N D
Fighting Phishing site at the front line --CNCERT/CC Anti-Phishing activities review CNCERT/CC Jun. 2005 FIRST www.cert.org.cn
Abstract: • Overview of Phishing • Responsibility • Experience of CNCERT/CC • Review and prospect • Conclusion
Overview of Phishing What is Phishing? -- Phishing attacks use 'spoofed' e-mails and fake websites designed to bamboozle recipients into revealing confidential information with economic value such as credit card numbers, account usernames and passwords, social security numbers, etc.
Overview of Phishing Phishing is Epidemic: --7 of 10 people, who received phishing E-mail, are spoofed --15% are tricked into providing personal information
Overview of Phishing • Damage --Average economic loss of $115 per adult duped. (E-Trust) --$500 million lost due to Phishing in U.S. (APWG) --A Phishing site had been visited 98 time in 48 hour (98 different IPs) 49 person/day*10*15%*$115=$8452.5/case
Overview of Phishing • Statistics Till the end of 2004, CNCERT/CC received 230 Phishing report from over 33 worldwide financial and security organization.
Overview of Phishing • Statistics
Overview of Phishing • Statistics Dec. 2004-March 2005(APWG)
Overview of Phishing • Statistics in March, 2005 (APWG) --Number of active phishing sites reported in March: 2870 --Average monthly growth rate in phishing sites July 2004 through March 2005: 28 % --Number of brands hijacked by phishing campaigns in March: 78 --Number of brands comprising the top 80% of phishing campaigns in March: 8
Statistics in March, 2005 (APWG) --Country hosting the most phishing websites in March: United States --Contain some form of target name in URL: 31 % --No hostname just IP address: 48 % --Percentage of sites not using port 80: 3.89 % --Average time online for site: 5.8 days --Longest time online for site: 31 days
Responsibility • Who has the Responsibility? Bank -provide a secure internet dealing environment -new Phishing tech is also developed fast
Responsibility Law enforcement -Investigate and arrest the ‘Phisher’ -most of the Phishing incident cross multi-country, it take long time through the law procedure. In certain region, the ISP only keep the log for 30 days, the procedure may take more than that.
Responsibility • Service provider -locate the host, find out the user information -most of the host was intruded, they are also the victim cannot force them to take down the phishing site.
Responsibility • Bank customer -Report the Phishing site, prevent from the Phishing scam -They may not know how to different the Phishing site and normal site.
Responsibility • CSIRT -CSIRT have trust contact cross multi-region -CSIRT have the research ability to follow the new Phishing trick. -CSIRT provide the professional consultant to public
Responsibility • CSIRT -Public user trust and willing to cooperate with CSIRT -CSIRT provide public awareness education
Responsibility CISRT is a chain to link every point in Anti-Phishing
Experience of CNCERT/CC • Phishing tech is changing rapidly - Since 2004, Phishing has passed three generation.
Experience of CNCERT/CC • First generation, (Previous – Oct. 2004) --Fake appearance, IE redirection, address bar cover, pop-up log window. --Purpose to appear like normal Bank site, hard to be different.
Experience of CNCERT/CC • Address bar block
Experience of CNCERT/CC • Pop-up log window
Experience of CNCERT/CC • unconventional Port Pid Process Port Proto Path 436 svchost -> 135 TCP C:\WINNT\system32\svchost.exe 492 msdtc -> 1025 TCP C:\WINNT\system32\msdtc.exe 912 MSTask -> 1026 TCP C:\WINNT\system32\MSTask.exe 792 sqlservr ->1433 TCP d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe 896 r_server -> 4899 TCP C:\WINNT\System32\r_server.exe 964 http -> 5121 TCP c:\winnt\system32\http.exe 964 http -> 5125 TCP c:\winnt\system32\http.exe 964 http -> 5180 TCP c:\winnt\system32\http.exe 996 web -> 6121 TCP c:\winnt\system32\web.exe 996 web -> 6125 TCP c:\winnt\system32\web.exe 996 web -> 6180 TCP c:\winnt\system32\web.exe
Experience of CNCERT/CC • Extra info --most of the Phishing web server, which was planted in the host, are Russian version. --and some of the evidence are related to Russian region.
Experience of CNCERT/CC • Second generation (Oct. 2004-Mar. 2005) --Combine with backdoor, key logger, or Trojan. --Purpose to hijack the user info through the Spyware.
Experience of CNCERT/CC The Spyware detected on the Phishing site -JS/Stealus -W32.Netsky -Web/HTTP (Russian version Web server) It has been used as a spyware
Experience of CNCERT/CC • Third generation (Mar.2005- ) --Exploit DNS Cheat, Bot-net, and Dynamic Domain --Purpose to make the Phishing site hard to be detected and investigated
Experience of CNCERT/CC Pharming, the revival of old trick uses malware/spyware to redirect users from real websites to the fraudulent sites (typically DNS hijacking).
Experience of CNCERT/CC Devious DNS Tricks Dynamic Domain, Dynamic IP CNCERT/CC found many Phishing site host in ADSL user’s PC, which is live only when the user online.
Experience of CNCERT/CC Devious DNS Tricks AusCERT found: • A domain name was registered, similar to the bank. • 5 name servers were listed in the WHOIS record. These changed every day or so. • each of these 5 name servers resolved the fake bank domain to 5 other servers. These changed every 30 minutes or so. • we saw the IP of the phishing site move across 44 different in a short space of time (see below for IPs).
Experience of CNCERT/CC Bot-net Netcraft said Bot-net can be used as nameserver to Phish. CNCERT/CC deteced a bot-net with 100 thousand bot. It is serious situation, once a bot-net is used to ‘Phish’
Review and prospect • CNCERT/CC -Public Awareness education -Anti-phishing consultant -Anti-phishing investigation and take down -Anti-phishing tech research -Participant the APWG WG
Review and prospect • Future Trend -- Financial institution will continue to be top targets. Phishing attacks will victimize the identity of small to medium size institutions. -- Phishing attacks will increase in sophistication. -- Use of Trojans, screen captures and key loggers will increase. -- Attacks that target the DNS, Router Infrastructure will increase.
Review and prospect • Future Trend -- Phishing attacks will exploit global events such as tsunami's and holidays. -- The distinction between Phishing, spyware, and malware will blur. -- The time between the discoveries of an exploit to its use in a Phishing will shrink. --Browser specific Phishing attacks will emerge.
Review and prospect Establish a procedure of cooperation with Law enforcement is considerable
Conclusion -Anti-Phishing is a long time fight -Anti-Phishing is a good place for CSIRT practice -Trust relationship is required -Anti-Phishing is a way to establish the trust relationship.
Thank you E-mail:larryliu@cert.org.cn