Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201



The Phishing Campaign

• Phishers leverage social engineering, technical trickery, and a number of protocols to harvest personal financial data and account information.

[Diagram: the phishing campaign. Actors: Phisher, Victim Web Server, Victim Users, Mail Drop Service. Labeled steps: compromises a host and installs a phish Web site and mass mailer; sends out phishing e-mail; victim clicks a phish URL; phish Web site is viewed; victim submits information; information transmitted to drop; retrieves stolen information.]


Point Defense

• E-mail (SMTP) Defenses

— Monitor SMTP for suspicious e-mail messages, very similar to existing anti-spam solutions.

— Problematic when dealing with extremely terse messages, or messages designed specifically to evade anti-spam.

• Web (HTTP) Defenses

— Usually depend on blacklists of IP addresses.

— Sometimes, evaluate content to score for phishiness.

• PC Anti-Virus

— Not helpful when malware is not involved (and it’s usually not).


Social Defense

• User Education

— The victim is attacked while in a vulnerable emotional state.

• Phishing e-mail uses fear and anxiety very effectively.

— Normal customer service mail is already misleading.

• HTML markup, image tags, and redirects are common.

— A common misunderstanding of SSL has all but ruined SSL as a protective mechanism.

• Legislative Remedies

— Perpetrators are often outside the victim’s jurisdiction.

— Crime can go undetected for weeks, months, or years.


Network Defense through Intrusion Prevention

1. Initial Web Site Compromise

— TippingPoint IPS protects vulnerabilities in Web sites and servers

2. Mass Phishing E-Mail

— TippingPoint IPS utilizes behavior-based filters, content inspection, and pattern-matching signatures to block

3. Victim Clicks on Misleading URL

— The URL itself and the corresponding DNS query are evaluated to determine whether it links to a legitimate or a fraudulent site

4. Phish Web Site is Displayed

— Web site is evaluated for exploited vulnerabilities. IPS inspects Web content and uses behavior-based filters for signs of forgery.

5. Victim Submits Account Information

— If information is submitted to a suspected phishing site, the IPS will block the information transfer.

[Diagram: Phisher, Victim Web Server, and Victim Users, with the labels "compromises a host and installs a phish Web site and mass mailer", "sends out phishing e-mail", "victim clicks a phish URL", "phish Web site is viewed", and "victim submits information"; callouts 1 through 5 mark the stages listed above.]