Phishing ~ An Evolution

Transcript of Phishing ~ An Evolution

Page 1: Phishing ~ An Evolution

Company Confidential Copyright 2005 Secure Science Corp.

Phishing ~ An Evolution

July 2005

Page 2: Phishing ~ An Evolution

Cyber Attack Sophistication Continues To Evolve

[Chart (Source: CERT): Attack Sophistication plotted from Low to High against the years 1980, 1985, 1990, 1995 and 2000+, with curves labelled Intruder Knowledge, Attackers and Tools. Techniques plotted along the timeline, in the order shown:]

- password guessing
- self-replicating code
- password cracking
- exploiting known vulnerabilities
- disabling audits
- back doors
- hijacking sessions
- sweepers
- sniffers
- packet spoofing
- GUI
- automated probes/scans
- denial of service
- www attacks
- “stealth” / advanced scanning techniques
- burglaries
- network mgmt. diagnostics
- distributed attack tools
- cross site scripting
- staged attack
- bots

Page 3: Phishing ~ An Evolution

And Continue To Grow…

- Data theft grew more than 650% over the past 3 years — CSI/FBI
- 137,000 security incidents in 2003, nearly twice as many as in 2002 — CERT
- Avg reported loss from attacks was $2.7M per incident — CSI/FBI survey
- 85% of respondents had breaches — CSI/FBI survey
- 85% of the critical infrastructure is owned or operated by the private sector

Source: Carnegie Mellon

Page 4: Phishing ~ An Evolution

Growth Or Liability?

Over twenty per cent of Internet users now access online banking services. This total will reach 33% by 2006, according to The Online Banking Report.

By 2010, over 55 million US households will use online banking and ePayments services, which are tipped as "growth areas".

Wamu buys Providian, BofA buys MBNA

And so what about the ‘Phishing’ threat to e-commerce?

Source: ePaynews

Page 5: Phishing ~ An Evolution

What Is Phishing?

Phishing, also referred to as brand spoofing, takes its name from “fishing”: bait is thrown out with the hope that, while most will ignore it, some will be tempted into biting.

Phishing is the act of sending a communication to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

The communication (usually email) directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.

The Web site, however, is bogus or hostile and set up only to steal the user’s information.

Page 6: Phishing ~ An Evolution

Phishers Mainly US Hosted

[Chart: FY04 (Source: APWG)]

Gartner estimates phishing cost the US over $2.4B in 2004, not including law enforcement costs.

Page 7: Phishing ~ An Evolution

“Dear bank customer...”

Phishing:
- Impersonates respected company
- Tarnishes reputation – weakened customer confidence
- Is Fraud: misplaced trust to gain customer accounts
- Is identity theft

All phishers: only 3 web attack methods, minor variations
- Impersonate, Forward, Pop-Up

Page 8: Phishing ~ An Evolution

How Phishers Operate

Images
- Link to target site so images really come from target
  - Looks real because it is real
- Mirror to a phishing server prevents target site from removing images
  - Looks real, but could get outdated

Web pages
- Phishing page links to target server’s web page
- Man-in-the-middle POST
  - Logs user into real site
  - Provides “real” pages; victim will not notice phishing site
  - Prevents scam from being noticed AFTER victim discloses information
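A defender-side check suggested by the slide above (an added example, not code from the presentation or from Secure Science Corp.): when a phishing page hot-links the target's images, the target's own access log shows those images requested with a Referer it does not own, and a man-in-the-middle POST shows a login submitted from a foreign Referer. The log lines, the hostnames www.bank.example, 198.51.100.7 and bank-example-verify.test, and the paths are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of combined-format access log lines for a hypothetical
# bank site, www.bank.example (placeholder, not a real institution).
# Lines 2, 3 and 5 show the bank's images being embedded by pages hosted
# elsewhere; line 6 shows a login POST arriving from one of those pages.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2005:10:01:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 4512 "https://www.bank.example/login" "Mozilla/4.0"
203.0.113.11 - - [12/Jul/2005:10:01:05 +0000] "GET /img/logo.gif HTTP/1.1" 200 4512 "http://198.51.100.7/~acct/update.php" "Mozilla/4.0"
203.0.113.12 - - [12/Jul/2005:10:01:09 +0000] "GET /img/header.jpg HTTP/1.1" 200 9921 "http://198.51.100.7/~acct/update.php" "Mozilla/4.0"
203.0.113.13 - - [12/Jul/2005:10:02:11 +0000] "GET /img/logo.gif HTTP/1.1" 200 4512 "-" "Mozilla/4.0"
203.0.113.14 - - [12/Jul/2005:10:02:40 +0000] "GET /img/logo.gif HTTP/1.1" 200 4512 "http://bank-example-verify.test/index.html" "Mozilla/4.0"
203.0.113.15 - - [12/Jul/2005:10:03:01 +0000] "POST /login HTTP/1.1" 302 0 "http://198.51.100.7/~acct/update.php" "Mozilla/4.0"
this line is not a valid log record
"""

OWN_HOSTS = {"www.bank.example", "bank.example"}   # hosts we legitimately serve
LOGIN_PATHS = {"/login"}                            # where credentials are posted
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line; return a dict or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of the Referer header, or None when absent ("-" or empty)."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def classify(rec, own_hosts=OWN_HOSTS, login_paths=LOGIN_PATHS):
    """Return ("image", host) or ("login", host) when the request's Referer is a
    host we do not own, else None. Absent referers are skipped: they are not
    evidence either way (direct visits, privacy settings)."""
    host = referer_host(rec["referer"])
    if host is None or host in own_hosts:
        return None
    path = rec["path"].split("?", 1)[0].lower()
    if path.endswith(IMAGE_EXT):
        return ("image", host)
    if path in login_paths:
        return ("login", host)
    return None


def scan(log_text, own_hosts=OWN_HOSTS, login_paths=LOGIN_PATHS):
    """Count foreign Referer hosts separately for image hot-linking and for
    login submissions; malformed lines are ignored."""
    counts = {"image": Counter(), "login": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec, own_hosts, login_paths)
        if hit:
            counts[hit[0]][hit[1]] += 1
    return counts


def report(counts):
    """Rank foreign hosts as (host, image_hits, login_hits). A host that both
    hot-links our images and submits logins is the strongest signal of a fake
    page built on the real site's assets, so logins sort first."""
    hosts = set(counts["image"]) | set(counts["login"])
    rows = [(h, counts["image"][h], counts["login"][h]) for h in hosts]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)


if __name__ == "__main__":
    for host, images, logins in report(scan(SAMPLE_LOG)):
        print(f"{host:32} images={images:3} logins={logins:3}")
```

A real deployment would run this over the live log and feed the ranked hosts into the takedown process described on later slides; a foreign Referer on an image alone is only a lead, since legitimate third-party pages also embed logos.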

Page 9: Phishing ~ An Evolution

Phishing Flow

1. Phisher develops phishing server
   - CGI, PHP, HTML, images
2. Phisher configures blind-drop
   - Free email address or IRC channel
3. Phisher configures hostile server (typically compromised)
   - Hacked or stolen credit card from previous phish
4. Phisher tests configuration
   - Complex system (blind drop, hostile server, target, email) requires testing
5. Phisher sends bulk mailing
6. Phisher collects data from blind drop

Page 10: Phishing ~ An Evolution

Phisher’s ROI

Time..
- Create server: 1 week to 1 month
- Create blind-drop: 1 day to 1 week
- Hostile server config: 1 day to 1 week
- Test
  - Longest seen: 10 days
  - Shortest seen: 6 hours
- Bulk mailing: up to 8 hours, usually 1-2 hours
  - 50% of victims in first 24 hours
  - 99% of victims in first 48 hours
- Server take-down: 48-72 hours

Page 11: Phishing ~ An Evolution

Type of Phishing Attacks

Impersonate (simple attack):
- Fake site looks like target
- Mirror or link to images for credibility
- Man-in-the-middle POST login prevents victim detection

Forward (sophisticated attack):
- Typically collected via phishing email (not as effective/av)
- Site collects data; performs meta-refresh to target (HTTP redirect)
- Man-in-the-middle POST login prevents victim detection

Popup (creative attack):
- Real site in back, hostile popup in front
- Real site gives credibility, prevents victim detection
- Not man-in-the-middle
- Mirror or link to images for credibility

Page 12: Phishing ~ An Evolution

How Phishers Use Accounts

So you are a phisher and you have some accounts... “Now what?”

- Steal
  - Money
  - Identity
- Laundering
  - The big problem: getting the money out (we’ll catch you!)
  - Webmoney.ru (Russian money service)
  - eGold (gold to currency service middle-man)
  - Western Union (for untraceable cash)
  - eBay / PayPal
  - 419 (Nigerian email scams)

Page 13: Phishing ~ An Evolution

Tracking Phishers

Phishers use base camps to store and analyze victim information. These servers act as centralized communication and distribution points for group members.

They also use blind-drop servers. These are used to collect victim information without compromising the base camps.

Page 14: Phishing ~ An Evolution

Tracking Phishers (cont.)

Secure Science Corporation estimates that approximately 42 (out of 53) phishing groups account for over 90% of all phishing emails.

The larger phishing groups include DPG (PG2), Citiimg (PG20), Ro-Bot (PG40) and Palka (PG30).

These 42 groups account for over 75% of all phishing emails observed over the last quarter.

(PG30 is also known as the “laptop seller” group according to PayPal, as this was their first venture).

Page 15: Phishing ~ An Evolution

Tracking Phishers (cont.)

Secure Science Corporation has identified the likely scope and effectiveness of a phishing bulk mailing, including:
- How large are the bulk mailings?
- How many people receive the emails? How many emails never reach their destination?
- How many people fall victim to a single mass mailing?
- When do people fall victim?
- Which is worse? Email phish or phishing malware?

Page 16: Phishing ~ An Evolution

Tracking Phishers (cont.)

Phishing base camps frequently contain the actual mailing lists used by the phishers, as well as the list of proxy hosts used to anonymize the mass mailing.

While the total number ranges from 1 to 5 million email addresses, the large phishing groups have divided the address lists into files containing 100,000 addresses. This means that they likely generate 100,000 emails per mass mailing.

While the larger groups use open proxies to anonymize the mass mailing, a few of the smaller phishing groups also use the phishing server itself to perform the mass mailing.

One small group had an email list that contained over one million addresses. They likely sent out one million emails for their mass mailing.

Page 17: Phishing ~ An Evolution

Tracking Phishers (cont.)

Of the estimated 42 active phishing groups worldwide, some phishing groups send emails daily, while others operate on weekly or monthly cycles.

Similarly, some groups only operate one phish per day, while the larger groups may operate a dozen blind drops on any given day. The average per group is approximately 750,000 emails per day.**

Considering that there are an estimated 42 active groups, that makes the total daily amount of phishing emails approximately 31.5 million emails per day.

** It is important to emphasize that this is strictly an average per group. The larger groups generate much more email than the smaller groups. And very few groups generate email daily.

Page 18: Phishing ~ An Evolution

What’s Worse? Email Phish or Phishing Malware?

Some of the larger phishing groups have associations with both phishing emails and key-logging malware.

While phishing email is very effective, the number of victims is significantly smaller than the victims of phishing malware.

Logs recovered from base camps for phishing emails and malware show a startling difference.

Page 19: Phishing ~ An Evolution

Email –vs- Malware

Average number of accounts compromised in a week
- Phishing Emails: 100
- Phishing Malware / Keyloggers: 500,000

Type of information compromised
- Phishing Emails: Name, address, phone, SSN, credit card, VCC2, bank account numbers, logins and passwords, and even items such as mother’s maiden name or the answer to the “forgot your password” prompt. Generally, victims provide all of the information asked.
- Phishing Malware / Keyloggers: Account login, or credit card number with expiration and address. Generally, a single victim only loses a single amount of information. Few victims lose more than one type of information. And the information compromised may not match the information desired by the phisher.

Volume of data generated
- Phishing Emails: Each victim = < 500 bytes of data. 1 week = < 50 Kbytes. A single person can process the data in minutes.
- Phishing Malware / Keyloggers: A single key logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand. Instead, scripts are used to filter the information. Potentially valuable information is frequently ignored due to the filtering process.

Page 20: Phishing ~ An Evolution

Email –vs- Malware (cont.)

How often is the method viable?
- Phishing Emails: Reused regularly for weeks or months before requiring a change. Due to simple changes in the mailing list, a variety of people can be solicited – information is almost never collected from the same person twice.
- Phishing Malware / Key loggers: Most malware is effective for a week before anti-virus vendors develop signatures. Some phishing groups use malware in limited distributions. While these programs may exist for much longer durations, they generally collect less information. A single person that is infected may compromise the same information multiple times.

Total development cost to the phishers?
- Phishing Emails: A single phishing server may take one week to develop. The server may then be applied to hundreds of blind drop servers and reused for weeks or longer. Changes to the phishing email content (bait) can be measured in hours and may not need a change to the phishing server.
- Phishing Malware / Key loggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic anti-virus signatures appear, redevelopment may take weeks or months.

Page 21: Phishing ~ An Evolution

Phishing Malware

Phishing technology generally follows spam technology by 6-12 months.

The recent developments in spam provide insight into upcoming changes in phishing technology.

Over the last six months, spam as a whole has shown a dramatic increase in malware. The malware ranges from common attachment worms and Trojans to hostile JavaScript/Object exploits.

Over the last few years, malware consisted of a single executable that infected hundreds of thousands, or millions, of systems.

These mega-viruses, such as Sobig, Blaster, Code Red, and Nimda used a single executable to infect a large system base. After the primary infection, other variants were released, but these were designed to be additional mega-viruses.

Page 22: Phishing ~ An Evolution

Phishing Malware (cont.)

In November of 2003, the concept of a single mega-virus changed.

Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants – each slightly different.

The goal of the variant was not to become a mega-worm, but rather to infect a small group of systems.

Page 23: Phishing ~ An Evolution

Phishing Malware (cont.)

This approach provided two key benefits to the malware authors:

Limited distribution; limited detection. As long as the malware is not widespread, the anti-virus vendors would be less likely to detect the malware. (If Norton doesn’t know about a virus, then they cannot create a detection signature for the virus.)

Over the last 12 months Secure Science Corporation has identified dozens of virus variants used by phishers, carders, and generic malware authors that are not detected by anti-virus software.

Rapid deployment. Nearly a hundred variants of Sasser were identified in less than three months. Each variant requires a different detection signature. The rapid modification and deployment ensures that anti-virus vendors will overtax their available resources, becoming less responsive to new strains. It also ensures that some variants will not be detected.

Page 24: Phishing ~ An Evolution

Phishing Malware (cont.)

2004 saw a significant increase in malware used by phishing groups. It also ended with multiple warnings, where phishers may use cross-site scripting (XSS) attacks.

SSC has taken a closer look at the malware and XSS attacks used by phishing groups. While we believe that malware will continue to be a major collection method used by phishers, XSS has taken an underestimated backseat.

Page 25: Phishing ~ An Evolution

Phishing Malware (cont.)

A few phishing groups have been associated with specific malware. The malware is used for a variety of purposes:
- Compromising hosts for operating the phishing server;
- Compromising hosts for relaying the bulk mailing;
- Directly attacking clients with key-logging software.

A single piece of malware may serve any or all of these purposes.

Page 26: Phishing ~ An Evolution

Malware Trends

In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes:

Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general.

Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets.

* A compromised system with remote control capabilities is a “bot”. A “botnet” is a collection of these compromised hosts.

** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.

Page 27: Phishing ~ An Evolution

Malware Trends (cont.)

Remote control. The malware usually has backdoor capabilities. This permits a remote user to control and access the compromised host. For a phisher, there is little advantage to having a backdoor to a system unless they plan to use the server for hosting a phishing site. But for other people, such as virus writers or botnet farmers*, remote control is an essential attribute.

* A “botnet farmer” is an individual or group that manages and maintains one or more botnets. The botnet farmers generate revenue by selling systems or CPU time to other people. Essentially, the botnet becomes a large timeshare computer network.

Page 28: Phishing ~ An Evolution

Malware Trends (cont.)

By Q3 of 2004, a few, large phishing groups had evolved to support their own specific malware. While the malware did contain email relays, data mining functions, and remote control services, these had been tuned to support phishing specifically.

Viruses such as W32.Spybot.Worm included specific code to harvest bank information from compromised hosts.

Page 29: Phishing ~ An Evolution

Malware Trends (cont.)

A few phishing groups also appeared associated with key logging software. While not true “key logging”, these applications capture data submitted (posted) to web servers.

A true key logger would generate massive amounts of data and would be difficult for an automated system to identify account and login information.

Page 30: Phishing ~ An Evolution

Malware Trends (cont.)

Instead, these applications hook into Internet Explorer’s (IE) form submission system. All data from the submitted form is relayed to a blind drop operated by the phishers. The logs contain information about the infected system, as well as the URL and submitted form values.

More importantly, the malware intercepts the data before it enters any secure network tunnel, such as SSL or HTTPS.

Page 31: Phishing ~ An Evolution

Malware Trends (cont.)

The end of 2004 showed a significant modification to the malware used by some phishing groups. The prior key logging systems generated gigabytes of data in a very short time. This made data mining difficult, since only a few sites were of interest to the phishers.

By the end of 2004 and into 2005, the phishers had evolved their software.

Loggers focus on specific URLs, such as the web logins to Citibank and Bank of America.

It is believed that this was intended to pre-filter the data collected by the malware. Rather than collecting all of the submitted data, only submitted data of interest was collected.

More importantly, multiple viruses appeared with this capability – indicating that multiple phishing groups evolved at the same time. This strongly suggests that malware developers associated with phishers are in communication or have a common influencing source.

Page 32: Phishing ~ An Evolution

Phishing Trends

A year+ ago, phishing was a very manual process.
A server was required and the phishing system was manually installed and tested.

9 months ago, "scam kit" packages began to appear.
Consisted of phishing sites stored in an archive (e.g., .zip).
These archives would be transferred to the server, unpacked, tested, and used.
The archives significantly decreased the time needed to install and configure the phishing server.

Over the last quarter, the popularity of these archives has dramatically increased – nearly every phishing group, both new and old, is using prepackaged archives.

Page 33: Phishing ~ An Evolution

Phishing Trends (cont.)

Two recent trends have surfaced over the last few months:
Targeting 2nd tier and 3rd tier banks.
Spawning off intermediate phishing groups to increase distance between mules and organized crime.

These trends may actually be related: as phishers distance themselves from the mules, they are likely to target a wider variety of financial and corporate entities.

Phishing trends generally follow spam trends. The latest spam trends show more malware with specialized purposes.

Page 34: Phishing ~ An Evolution

Phishing Trends (cont.)

Secondary & Tertiary Targets

Phishers have consistently and repeatedly targeted a small set of companies: eBay, Citibank, and PayPal.

These primary targets are believed to be desirable for the following reasons:

Large customer base. Emails sent to random addresses are likely to hit a significant number of customers for these companies. Since the hit-per-email ratio is high, the likelihood of a successful phish is high.

Page 35: Phishing ~ An Evolution

Phishing Trends (cont.)

Low threat response. Internally, most organizations are actively working on the phishing problem. However, their apparent public external reactions are lacking.
From a phisher's point of view, the primary targets are not immediately responsive to the phishing threat.

Active challenges. Most phishers are active in the hacking, warez, and Internet underground.
In this case, many financial institutions continually run commercials offering identity theft protection. The phishers see this as a challenge, and target them to show that they do not actually offer identity theft protection.
Similarly, eBay's anti-phishing toolbar is an enticement for phishers to demonstrate how it does not protect eBay from phishers.

Vulnerable Web Servers that aid phishers with cross-user attacks against their customers.

Page 36: Phishing ~ An Evolution

Phishing Trends (cont.)

Consumer Mis-education. Many companies are known to periodically send out real emails that look similar to phishing emails. Customers become unable to distinguish the rare "real" emails from the common "phishing" emails.

Multiple Uses. An account at any of these primary targets offers multiple uses.
Exploitation of eBay/PayPal/E-gold enables multiple methods for laundering.

Blending in. The result of aggressive phishing has made it difficult to distinguish/identify specific groups, which provides safety in numbers.

Page 37: Phishing ~ An Evolution

Phishing Trends (cont.)

Known processes. Known internal processes and policies of an institution enable a fraudster to potentially benefit from this knowledge.
For example, if international transfers of amounts under $10,000 do not trigger an alarm, then phishers may use this information to transfer appropriate amounts.

Secure Science has observed that phishers continue to actively collaborate with 'insiders' to understand internal mechanisms that could enable fraudulent endeavors.

Future regulatory compliance efforts should seriously consider phishing.

Page 38: Phishing ~ An Evolution

Mid 2005 Phishing Trends

Phishers are refining their email techniques.
Emails are much more effective than regular spam emails. A single mass mailing of 100,000 emails may have a receive rate as high as 10% and collect as much as 1% in victims.

Phishers have found a use for every account they acquire: from money laundering to theft, and shuffling to identity theft.

Phishers are refining their key-logging malware.
Rather than collecting data from all web sites, they are now looking for data from specific URLs.

Page 39: Phishing ~ An Evolution

Mid 2005 Phishing Trends (cont.)

Phishers are becoming more technically savvy.
Besides using known and 0-day exploits to configure the systems used for the phishing, they also use weaknesses in the telephone infrastructure, such as Caller-ID (CID) spoofing, to protect themselves from the mules that they contact.

Phishers have consistently shown an interest in internal policies and practices. These serve two purposes: policy weaknesses can be leveraged, and policy strengths can be avoided.
With the ongoing addition of national and global policies such as Sarbanes-Oxley and HIPAA, companies have new challenges: avoiding the pitfalls and limitations of widely accepted policies and required practices.

Page 40: Phishing ~ An Evolution

FY05 Phishing Trends

Increase.
With the success of phishing malware, there is an inevitable increase in variations and capabilities. Although few phishing groups were associated with malware in 2004, more phishing groups are adopting this trend in 2005.
Ability to go back to compromised system at will.
Use as tool for distributed botnet (mass mailing already observed).

Dynamic.
The malware observed in 2004 contained hard-coded URLs. In order to change the URL, a new variant needed to be released. Malware in 2005 has become remotely configurable (BotNets). DNS Host Poisoning will become popular with more sophisticated groups. XSS will become a problem.

Page 41: Phishing ~ An Evolution

FY05 Phishing Trends (cont.)

BotNets – PG40 Case Study

First discovered 11/04.
Demonstrates an aggressive campaign targeting secondary and tertiary financial institutions.
SouthTrust and Huntington Banks have been observed to be under attack daily, this week alone.
Have not targeted any primary financial institutions to-date.
First group to be observed utilizing a logo server.
Malware used: BO2K and IRC backdoors.
Spoof sites consistently outside the US (China/Germany/Japan/Korea).
Demonstrate a consistent pattern of rapidly compromising systems via specific web vulnerabilities.
Compromises subnets, as opposed to sites.
Automated attack vector, such as a botnet/automated tool.

Page 42: Phishing ~ An Evolution

FY05 Phishing Trends (cont.)

Caller ID

The trust of caller-id at home opens up phishing scams off of the internet and directly into homes.
It's less scalable, but can be quite effective combined with clever social engineering.

The compromising of voicemail systems and the ability to take over telephony networks can add to the information they mine to gain what they need.

Phishers have been observed doing full background credit checks on target individuals, to obtain all the information they can.

Telecommunication systems are quickly becoming a target for information and identity theft.
T-Mobile database compromise – defonic crew.

Page 43: Phishing ~ An Evolution

FY05 Phishing Trends (cont.)

Telephony Exploitation

It has been observed that phishers use it to contact mules when conducting money-laundering schemes.

Public SIP/VOIP networks are primitive (similar to early days of SMTP and their open relays).
There is no authentication (even if there is, it can be bypassed), it is readily available, and free (see sipphone.com and freeworld dialup).

Anonymous telephony becomes trivial with CPN Spoofing (CPN == Caller Party Number). Most systems rely on it heavily for authentication.
Examples of these are T-mobile, Verizon, SBC/Pacbell, Callwave.com and Ureach.

Not to mention the PSTN (Public Switched Telephone Network) aka POTS (Plain Old Telephone Service).
The intersection of the technologies has caused the POTS lines to be vulnerable and makes it nearly impossible to trace.

Subpoena of voice over IP carriers only causes headaches.
The VOIP carrier has to find what POTS carrier it went through; then send back to the Feds that they need to subpoena that carrier.
By the time it's all done, you may not get what you wanted, since the BTN (Billing Telephone Number) is pretty much the last hop on a PSTN line.

Page 44: Phishing ~ An Evolution

FY05 Phishing Trends (cont.)

Cross-Site Scripting (XSS)

Page 45: Phishing ~ An Evolution

Misplaced Trust

Cross-User attacks:

Only 1 cross-site scripting attack has been spotted so far.
Bank of America – predicted due to consumer mis-education.
Disappointing exploitation.
Defines potential.

Few Cross-User attacks in the wild.
Redirects such as:
Google
eBay

Impact is high.
Generates "Misplaced Trust".
Breaks SSL and Domain Keys.
Both server and customer end up being compromised.

Page 46: Phishing ~ An Evolution


Subject: Update Contact Information

Dear Cardmember,

Our records indicate that your billing address is no longer valid for your account ending in xxxxx.

Having your most updated contact information is critical to our ability to service your account and to provide you with information on important changes that impact your account.

Please take a moment to update your contact information on https://www.americanexpress.com/updatecontactinfo. If you prefer, you can copy and paste or type the URL directly into your address bar.

If you have any questions regarding this message, please call the telephone number on the back of your card for assistance from a Customer Service Representative.

Thank you for your time and continued business with American Express.

Sincerely, American Express Customer Service

To Reply to this e-mail Simply log in to our Secure Message Center at https://www.americanexpress.com/messagecenter and send your inquiry via secure e-mail. If clicking on this link does not work, please cut and paste it into the "address" bar of a new browser window. This e-mail was sent from a notification-only address that cannot accept incoming e-mail.

Notice About Servicing E-mails This e-mail was sent to you by American Express Customer Service to provide important information about your account and/or online products and services for which you are registered. You may receive customer service e-mails even if you have requested not to receive e-mail marketing offers from American Express.

Privacy Statement For details on our e-mail practices, please visit the American Express Privacy Statement at http://www.americanexpress.com/privacy.

AGNEUATH0003001

Page 47: Phishing ~ An Evolution


Page 48: Phishing ~ An Evolution

Misplaced Trust (cont.)

Target Types

Redirects
301/302 Headers and Meta-Refresh
Landing page attacks
Allow HTTP Response Injection
Cross-Site enabled!

Vulnerable sites include:
American Express
American Stock Exchange (AMEX)
Ebay
Bank of America
TD Waterhouse (Breaks SSL)
University of Wisconsin (no offense)

http://www.uc.wisc.edu/track.php?pageName=http://www.wisc.edu/&queryString=&url=%0d%0a%3Cscript%3Ealert(%22Vulnerable%22);%3C/script%3E
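The redirect parameter shown above is dangerous for two separate reasons: an encoded CR/LF (%0d%0a) lets the value terminate the Location or Refresh header and inject a new response, and an unrestricted target lets a phisher route victims through a trusted hostname. The following is an added example, not code from the deck, of the server-side check a redirect or tracking script should apply; the parameter name "url" and the host allowlist are assumptions for the demo.

```python
"""Defensive validation for a redirect/tracking parameter (added example)."""
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: the only hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"www.wisc.edu", "wisc.edu"}

# The request URL from the slide above, used here only as a test input.
PAGE_EXAMPLE = (
    "http://www.uc.wisc.edu/track.php?pageName=http://www.wisc.edu/"
    "&queryString=&url=%0d%0a%3Cscript%3Ealert(%22Vulnerable%22);%3C/script%3E"
)


def validate_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason) for an already URL-decoded redirect target.

    Order matters: control characters are checked before parsing, because
    urllib strips tab/CR/LF during parsing and would hide the injection.
    """
    # 1. CR/LF (or NUL) in a value that is copied into a header is response
    #    injection: the client would see the attacker's text as a new header
    #    or body. Refuse outright rather than trying to strip it.
    if any(ch in raw for ch in "\r\n\x00"):
        return False, "control characters (CR/LF) in redirect target"

    parsed = urlparse(raw)
    # 2. Only absolute http(s) targets; this also rejects scheme-relative
    #    forms such as //evil.example/ and pseudo-schemes.
    if parsed.scheme not in ("http", "https"):
        return False, "unsupported scheme %r" % parsed.scheme
    # 3. Reject userinfo tricks like http://www.wisc.edu@evil.example/ ;
    #    .hostname already yields the real host, but be explicit.
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in redirect target"
    # 4. Off-site hosts are the open-redirect case: a phishing page that
    #    appears to be reached via a trusted domain.
    if parsed.hostname not in allowed_hosts:
        return False, "off-site host %r" % parsed.hostname
    return True, "ok"


def check_tracking_url(full_url: str, param: str = "url") -> List[Tuple[bool, str]]:
    """Decode the query string of a request and validate every value of `param`.

    parse_qs performs the percent-decoding, so %0d%0a becomes a real CR/LF
    before validate_redirect_target sees it.
    """
    query = parse_qs(urlparse(full_url).query, keep_blank_values=True)
    return [validate_redirect_target(value) for value in query.get(param, [])]


if __name__ == "__main__":
    for verdict in check_tracking_url(PAGE_EXAMPLE):
        print(verdict)
```

Anything that fails the check should be answered with a fixed error page, not a "sanitised" redirect: rewriting a hostile value is how these filters get bypassed.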

Page 49: Phishing ~ An Evolution


Page 50: Phishing ~ An Evolution


Page 51: Phishing ~ An Evolution

Misplaced Trust (cont.)

Target Types (cont.)

Reflective queries
Forms
Session Engines
Reflecting Parameters

Vulnerable sites include:
CA.com (aren't they a security company?)
Comcast.net
Apple Online Store
Barclays Bank
Adelaide Bank (Australia)

Page 52: Phishing ~ An Evolution


Page 53: Phishing ~ An Evolution

Misplaced Trust (cont.)

Target Types (cont.)

Misconfigured 404's
Reflecting
Lack Input validation
Glorified 404's

Vulnerable sites include:
Bank of America
BuckKnives.com
RIT.edu
Military Banking (BofA company)
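Both the "reflective queries" and the "misconfigured 404" target types come down to the same defect: user-supplied text (a query parameter, or the requested path echoed by a custom error page) is copied into the HTML response without encoding. The following added example, not code from the deck, shows a 404 handler that reflects the path safely, and a response check that a test suite or scanner can run to flag parameters reflected unencoded; all request and response data are constructed for the demo.

```python
"""Output encoding for reflected input, plus a reflection detector (added example)."""
import html
from typing import List
from urllib.parse import parse_qs, urlparse

# Characters that change meaning when they land unencoded inside HTML.
MARKUP_CHARS = "<>\"'&"


def render_not_found(request_path: str) -> str:
    """Build a 404 page that echoes the requested path, the way 'glorified
    404' pages do, but HTML-encodes it so markup in the path is shown as text.

    quote=True also encodes quotes, so the same value is safe inside an
    attribute such as <a href="..."> should the template be extended.
    """
    safe_path = html.escape(request_path, quote=True)
    return (
        "<html><head><title>404 Not Found</title></head><body>"
        "<h1>Not Found</h1>"
        "<p>The requested URL " + safe_path + " was not found on this server.</p>"
        "</body></html>"
    )


def find_unescaped_reflection(request_url: str, body: str) -> List[str]:
    """Return the names of query parameters whose value contains markup
    characters and reappears verbatim in the response body.

    A value that comes back HTML-encoded (&lt;b&gt;) does not match, so a
    correctly encoding page is not flagged; values without markup characters
    are ignored because their reflection is harmless in a text context.
    """
    params = parse_qs(urlparse(request_url).query, keep_blank_values=True)
    flagged = []
    for name, values in params.items():
        for value in values:
            if any(ch in value for ch in MARKUP_CHARS) and value in body:
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    # Constructed request: a search page that copies q= into the results heading.
    url = "http://shop.example/search?q=<b>hi</b>&page=2"
    unsafe_body = "<p>Results for <b>hi</b> (page 2)</p>"
    safe_body = "<p>Results for &lt;b&gt;hi&lt;/b&gt; (page 2)</p>"
    print("unsafe page reflects:", find_unescaped_reflection(url, unsafe_body))
    print("safe page reflects:", find_unescaped_reflection(url, safe_body))
    print(render_not_found("/<script>x</script>"))
```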

Page 54: Phishing ~ An Evolution


Page 55: Phishing ~ An Evolution

Misplaced Trust (cont.)

Cross-Site Request Forging (CSRF)

Session Riding
Amazon and their long session cookies
Browser Hijacking (Browser Botnet)
Force a user to send spam
Breaks Domain Keys
No need for Spoofed Phish Site!

Banks and online commerce lend hand to phishers
Injection can be invisible from source code
Verification of trust becomes difficult
Reputation of FI is questionable
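Session riding works because a long-lived session cookie is attached to every request the browser makes, including one a hostile page triggers, so the server cannot tell the user's own action from a forged one. The following added example, not code from the deck, shows the server-side check that restores that distinction: a per-session synchronizer token that only the site's own pages can embed in a form, plus an Origin/Referer check. The site origin, the header and form field names, and the request dictionaries are assumptions constructed for the demo.

```python
"""Minimal CSRF / session-riding defence for state-changing requests (added example)."""
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"      # constructed: the only origin we serve
SERVER_KEY = secrets.token_bytes(32)      # constructed: per-deployment secret


def csrf_token_for(session_id: str) -> str:
    """Derive the token from the session id with a server secret, so it need
    not be stored server-side and cannot be computed by another origin."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept the request only if the browser says it came from our own site.

    Origin is preferred; Referer is the fallback. A request with neither is
    refused for state changes, because a forged request looks exactly like it.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        p = urlparse(referer)
        return "%s://%s" % (p.scheme, p.netloc) == SITE_ORIGIN
    return False


def authorise_state_change(request: dict) -> Tuple[bool, str]:
    """request = {"method": str, "cookies": {...}, "headers": {...}, "form": {...}}

    The session cookie alone never authorises a change; the token proves the
    form was rendered by our site for this session, and the origin check
    stops a cross-site page from even reaching the token comparison.
    """
    if request["method"] != "POST":
        return False, "state changes must be POST"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session"
    if not origin_allowed(request["headers"]):
        return False, "cross-site origin"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; an empty or guessed token fails here.
    if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-abc123"    # constructed session id
    genuine = {"method": "POST", "cookies": {"session": sid},
               "headers": {"Origin": SITE_ORIGIN},
               "form": {"csrf_token": csrf_token_for(sid), "item": "book"}}
    ridden = {"method": "POST", "cookies": {"session": sid},
              "headers": {"Origin": "https://attacker.example"},
              "form": {"item": "book"}}
    print("genuine:", authorise_state_change(genuine))
    print("ridden :", authorise_state_change(ridden))
```

The token must be embedded in the site's own forms and never placed in a cookie, since the cookie is exactly what the riding request already carries.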

Page 56: Phishing ~ An Evolution


Page 57: Phishing ~ An Evolution


Page 58: Phishing ~ An Evolution

Request Forging

Page 59: Phishing ~ An Evolution


Page 60: Phishing ~ An Evolution


Page 61: Phishing ~ An Evolution

Contact Info

Secure Science Corporation
7770 Regents Rd.
Suite 113-535
San Diego, CA. 92122-1967
(877)570-0455
http://www.securescience.net
Email: [email protected]

Lance James ~ CTO

Page 62: Phishing ~ An Evolution

Questions