Page 1: Phishing

Information Systems Security Association, New England Chapter
Tuesday 16 Nov 2004

M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance
Division of Business & Management, Norwich University
mailto:[email protected] V: 802.479.7937

Copyright © 2004 M. E. Kabay. All rights reserved. (Transcript of a 30-slide deck.)

Page 2: Come With Me, Little Child

From: Microsoft Corporation Technical Bulletin [ljseedwnge- [email protected]]
Sent: Thu 9/18/2003 3:32
To: MS Customer
Cc:
Subject: Network Critical Patch

Microsoft Customer

This is the latest version of security update, the ‘September 2003, Cumulative Patch’ update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three new vulnerabilities. Install now to help maintain the security of your computer from these vulnerabilities. This update includes the functionality of all previously released patches.

Page 3: Topics

- Phishing Basics
- Serious Problem
- APWG Regular Reports
- Recent Examples
- Phishing Harms Firms
- Problem Increasing
- Anti-Phishing Steps
- Public Education
- Possible Solutions

Page 4: Phishing Basics (1)

- Pronounced "fishing"
- Scam to steal valuable information such as credit cards, social security numbers, user IDs and passwords.
- Also known as "brand spoofing"
- Official-looking e-mail sent to potential victims
  - Pretends to be from their ISP, retail store, etc.
  - Due to internal accounting errors or some other pretext, certain information must be updated to continue the service.

Page 5: Phishing Basics (2)

- Link in e-mail message directs the user to a Web page
  - Asks for financial information
  - Page looks genuine
- Easy to fake valid Web site
  - Any HTML page on the real Web can be copied and modified
- E-mails sent to people on selected lists or to any list
  - Some % will actually have account
- "Phishing kit"
  - Set of software tools
  - Help novice phisher imitate target Web site
  - Make mass mailings
  - May include lists of e-mail addresses

From Computer Desktop Encyclopedia v17.4, http://www.computerlanguage.com/

Page 6: Serious Problem

“Illegal access to checking accounts, often gained via phishing scams, has become the fastest-growing form of consumer theft in the United States, accounting for a staggering $2.4 billion in fraud in the previous 12 months.”

-- Gartner Group

Page 7: APWG Regular Reports

Phishing Activity Trends Report, Oct 2004:
- 1142: number of active phishing sites reported in Oct 2004
- 25%: average monthly growth rate in phishing sites, July through Oct
- 44: # brands hijacked in Oct
- 6: # brands comprising top 80% of brands hijacked by phishing campaigns in Oct
- USA: country hosting most phishing Websites
- 20%: contain some form of the target name in URL
- 63%: no hostname, just IP address
- 6 days: average time online for phishing site

http://www.antiphishing.org/APWG_Phishing_Activity_Report-Oct2004.pdf

Page 8: Recent Examples of Attacks

From APWG:
- Nov 15 - People's Bank - 'New Mail from People'
- Nov 10 - Citibank - 'Citibank Alert Service'
- Nov 9 - Paypal - 'Your Account Will Be Suspended'
- Nov 2 - Sovereign Bank - 'Sovereign Bank Unauthorized Account Access'
- Nov 1 - Citibank - 'Security Alert on Microsoft Internet Explorer'
- Oct 29 - eBay - 'TKO NOTICE: Verify Your Identity'
- Oct 28 - Verizon - 'Update your Verizon billing profile'
- Oct 27 - Washington Mutual Bank - 'Washington Mutual Bank : Notification of Washington Mutual Internet Banking Account'

Page 9: People’s Bank

[Screenshot of the phishing message; callout: "Not the proper domain for peoples.com"]

Page 10: Citibank (Nov 10)

[Screenshot of the phishing message; callout:] Links to http://82.90.165.65/citi

Page 11: PayPal (1)

Page 12: PayPal (2)

[Screenshot of the phishing message; callout:] Actually links to http://212.45.13.185/.paypal/index.php

Page 13: Citibank (Nov 1)

[Screenshot of the phishing message; callout:] Links to http://200.189.70.90/citi/

Page 14: eBay

[Screenshot of the phishing message; callout:] http://signin-ebay.com-cgi-bin.tk/eBaydll.php
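The APWG figures on Page 7 (63% of phishing sites with a bare IP address instead of a hostname, 20% with the target's name somewhere in the URL) and the links called out on Pages 9 to 14 suggest mechanical checks that a mail gateway or browser toolbar can make before a user ever sees the page. The Python below is an added example written for this transcript, not code from the talk, from APWG or from any product mentioned here: it applies those checks to the URLs quoted on the slides and to a constructed HTML mail body, and also flags the situation on the PayPal (2) slide where the visible link text names paypal.com while the href goes to an IP address. The brand-to-domain table and the sample mail are assumptions for illustration; the userinfo check (a URL of the form http://www.paypal.com@host/) is an extra trick of the period that the slides themselves do not mention.

```python
"""Link heuristics for phishing mail, illustrated on the URLs from the slides.

Added example, not from the original talk. The brand table and the sample
mail body below are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# ASSUMPTION: the registrable domains each brand really uses.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "citi": {"citibank.com", "citi.com"},
    "ebay": {"ebay.com"},
    "peoples": {"peoples.com"},
}

# The URLs quoted on the Citibank, PayPal and eBay slides.
SLIDE_URLS = [
    "http://82.90.165.65/citi",
    "http://212.45.13.185/.paypal/index.php",
    "http://200.189.70.90/citi/",
    "http://signin-ebay.com-cgi-bin.tk/eBaydll.php",
]

# Constructed sample mail body (not a real phish): the visible link text names
# PayPal, the href goes to the IP-address host from the PayPal (2) slide.
SAMPLE_MAIL = """
<p>Dear PayPal member, please confirm your details at
<a href="http://212.45.13.185/.paypal/index.php">https://www.paypal.com/cgi-bin/webscr</a>
within 48 hours or your account will be suspended.</p>
<p>Questions? See <a href="https://www.paypal.com/help">our help page</a>.</p>
"""


def is_ip_host(host):
    """True if the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Enough for the .com/.tk cases here;
    a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_findings(url):
    """Return the reasons this URL looks like a phishing link (empty list = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    ip_host = is_ip_host(host)
    if ip_host:
        findings.append("host is a bare IP address")
    if parts.username is not None:
        # http://www.paypal.com@203.0.113.5/ : the part before '@' is userinfo, not the host
        findings.append("userinfo before '@' disguises the real host")
    lowered = url.lower()
    for brand, real in BRAND_DOMAINS.items():
        if brand not in lowered:  # substring match: cheap, and will over-match (e.g. 'citizens')
            continue
        if ip_host:
            findings.append(f"brand '{brand}' used in URL of IP-address host")
        elif registrable_domain(host) not in real:
            findings.append(f"brand '{brand}' outside its real domain ({registrable_domain(host)})")
    return findings


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_mail(html):
    """Map each suspicious href to its findings, including text/href host mismatch."""
    parser = AnchorCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.anchors:
        findings = url_findings(href)
        if "://" in text:  # link text that itself looks like a URL
            shown_host = (urlsplit(text).hostname or "").lower()
            real_host = (urlsplit(href).hostname or "").lower()
            if registrable_domain(shown_host) != registrable_domain(real_host):
                findings.append(f"text shows {shown_host} but link goes to {real_host}")
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for url in SLIDE_URLS:
        print(url, "->", url_findings(url))
    for href, findings in analyse_mail(SAMPLE_MAIL).items():
        print(href, "->", findings)
```

Run as a script it prints the findings for each slide URL and for the one bad anchor in the sample mail; the eBay URL trips only the brand rule, since its host is a real hostname whose registrable part (com-cgi-bin.tk) merely contains "ebay" as a label. The brand match is a plain substring test and will over-match names such as "citizens", so in practice these findings are weighed as a score rather than treated as a verdict.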

Page 15: APWG (antiphishing.org)

Anti-Phishing Working Group

Page 16: Phishing Harms Firms

- Harmful at many levels
  - Threatens effective communication
  - Undermines goodwill and trust
- Customers
  - Direct harm from stolen IDs, passwords
  - Could perceive business as not taking adequate steps to protect users
- Diminishes value of brand
  - Could affect shareholders
  - Possibility of liability for failure to exercise due diligence in protecting trademark

Based in part on material that is copyright © 2004 Don Holden, CISSP. Used with permission (and thanks).

Page 17: Problem Increasing

Page 18: Get a Job – and Lose Money

"Free training offer is latest spam scam", by John Leyden, published Tuesday 2nd November 2004 12:35 GMT
http://www.theregister.com/2004/11/02/training_spam_scam/

- Apply for "training" and "job" at Credit Suisse
- Fill in banking details (!)
- Lose control over your financial information to criminals

Page 19: Spoofed Page and Address Bar

Based on a slide copyright © 2004 Don Holden, CISSP. Used with permission (and thanks).

[Screenshot of the spoofed page; callout: "Not the real address bar"]

See http://www.antiphishing.org/news/03-31-04_Alert-FakeAddressBar.html

Page 20: Spoofed Address Bar

- Problem
  - JavaScript device replaces address bar
  - Allows complete control
  - Can show one URL while going to another
  - Viewing source code for page does NOT show the JavaScript source code
- Implications
  - With address bar installed, could track other sites visited
  - Could do a man-in-the-middle attack to see everything entered

Page 21: Recent Alert

@RISK: Consensus Security Vulnerability Alert 3(45), Nov 14, 2004, from SANS Institute

- Internet Explorer Phishing Vulnerability
  - Attacker can construct malicious hyperlink
  - Hundreds of attacks reported per week
  - Object element embedded in hyperlink
  - Can embed flash movie or other executable code in a hyperlink

Page 22: Tabbed Browser Problems (1)

"Phishing for dummies: hook, line and sinker", by Scott Granneman, SecurityFocus, published Tuesday 2nd November 2004 14:55 GMT
http://www.theregister.com/2004/11/02/phishing_tabbed_browsers/

Vulnerabilities in many "tabbed" browsers that allow easy switch from one window to another:
- Mozilla 1.7.3
- Mozilla Firefox 0.10.1
- Camino 0.8
- Opera 7.54
- Konqueror 3.2.2-6
- Netscape 7.2
- Avant Browser 9.02 build 101 and 10.0 build 029
- Maxthon (MyIE2) 1.1.039

Page 23: Tabbed Browser Problems (2)

- Dialog box can be spawned in active window from connection to an inactive window
  - E.g., visit PayPal
  - Get popup box to "verify" password
  - Actually comes from rogue site in different window
- Possibility of diverting data into a form on a different window for a malicious Website
  - Would try to enter data into form on legitimate site
  - Data would actually go somewhere else

Page 24: Anti-Phishing Steps

Proclaim, Protect, Pursue
- Proclaim in all correspondence the use of an official mark (e.g. TrustedSender stamp)
- Protect all messages, Web pages with the mark
- Pursue all impostors – actively seek reports of phishing

Copyright © 2004 Don Holden, CISSP. Used with permission (and thanks).

Page 25: Public Education

- Use digitally-signed documents ONLY
  - Don’t release unsigned documents
  - Get consumers used to idea that an unsigned document is an untrustworthy document
- Use public education campaigns
  - “No one will ever ask you to confirm your password”
  - “Don’t believe alerts that address you as ‘Dear Customer.’”
- Link to APWG documents; e.g., http://www.antiphishing.org/consumer_recs.html

Page 26: Possible Solutions

- Strong Website authentication
- Mail server authentication
- Digitally-signed e-mail with desktop verification
- Digitally-signed e-mail with gateway verification

APWG: Proposed Solutions to Address the Threat of Email Spoofing Scams
http://tinyurl.com/5bo55
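"Mail server authentication" in the list above covers the SPF/Sender ID family of checks, in which a domain publishes the IP addresses allowed to send mail for it and the receiving server looks them up when the connection arrives. The Python below is an added example written for this transcript, not code from the talk or from the APWG paper: a small SPF evaluator (ip4, ip6, a and all mechanisms only; include, mx, exists, redirect and macros are left out) run against a constructed DNS table that uses RFC 5737 test addresses. All domains and records are assumptions; one of them reuses the 82.90.165.65 address from the Citibank (Nov 10) slide as a phisher's sending host, to show where the mechanism stops helping.

```python
"""Subset SPF check against a constructed DNS table.

Added example, not from the original talk. Records below are made up for
illustration and use RFC 5737 documentation addresses.
"""
import ipaddress

# Constructed TXT records (what a real check would fetch via DNS).
TXT_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 a:mail.example-bank.test -all",
    "softfail.test": "v=spf1 ip4:198.51.100.10 ~all",
    # A phisher can publish a perfectly valid record for a domain they control:
    "phisher.test": "v=spf1 ip4:82.90.165.65 -all",
}
# Constructed A records used by the "a" mechanism.
A_RECORDS = {
    "mail.example-bank.test": ["203.0.113.25"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sending_ip):
    """Evaluate the SPF record of `domain` for the connecting `sending_ip`.

    Returns one of 'none', 'pass', 'fail', 'softfail', 'neutral' (RFC 7208
    names). Mechanisms are tested left to right; the first match decides,
    and a record with no matching mechanism yields 'neutral'."""
    record = TXT_RECORDS.get(domain)
    if not record or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A mismatched address family simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in A_RECORDS.get(arg or domain, [])
        else:
            continue  # unsupported mechanism in this subset
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def check_message(mail_from, header_from, client_ip):
    """SPF is evaluated on the envelope sender (MAIL FROM), not on the From:
    header the user reads. Report the SPF result and whether the two domains
    agree, so the gap between them is visible to the caller."""
    env_domain = mail_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    return {
        "spf": check_spf(env_domain, client_ip),
        "aligned": env_domain == hdr_domain,
    }


if __name__ == "__main__":
    print(check_spf("example-bank.test", "192.0.2.77"))      # legitimate relay
    print(check_spf("example-bank.test", "82.90.165.65"))    # forged envelope, fails
    print(check_message("bounce@phisher.test", "alerts@example-bank.test", "82.90.165.65"))
```

The last call is the caveat a practitioner needs: SPF authenticates the envelope sender, so a phisher who registers phisher.test and publishes a record for it passes SPF while the From: header still shows the bank. Requiring the two domains to align (the aligned flag here) or, as the digitally-signed e-mail items above propose, signing the message itself is what closes that gap.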

Page 27: APWG Resources Page

Page 28: Cloudmark’s Community Approach

Cloudmark SafetyBar, http://www.cloudmark.com/
- Works for Outlook and Outlook Express
- Community members report new spam or fraud at push of button
- Information sent worldwide to improve blocking
- Anti-fraudster measures
  - Reliability of reports affects credibility of reporter
  - Spammers and fraudsters would lose credibility fast

Page 29: Cloudmark SafetyBar (2)

Page 30: DISCUSSION