Phishing and Intrusion Prevention
Tod Beardsley, TippingPoint (a division of 3Com),
02/15/06 – IMP-201
The Phishing Campaign
• Phishers leverage social engineering, technical trickery, and a number of protocols to harvest personal financial data and account information.
[Diagram: campaign flow among the Phisher, the Victim Web Server, the Victim Users, and a Mail Drop Service. Steps shown: Compromises a host and installs a phish Web site and mass mailer; Sends out phishing e-mail; Victim clicks a phish URL; Phish Web site is viewed; Victim submits information; Information transmitted to drop; Retrieves stolen information.]
Point Defense
• E-mail (SMTP) Defenses
— Monitor SMTP for suspicious e-mail messages, very similar to existing anti-spam solutions.
— Problematic when dealing with extremely terse messages, or messages designed specifically to evade anti-spam.
• Web (HTTP) Defenses
— Usually depend on blacklists of IP addresses.
— Sometimes, evaluate content to score for phishiness.
• PC Anti-Virus
— Not helpful when malware is not involved (and it’s usually not).
Social Defense
• User Education
— The victim is attacked while in a vulnerable emotional state.
    • Phishing e-mail uses fear and anxiety very effectively.
— Normal customer service mail is already misleading.
    • HTML markup, image tags, and redirects are common.
— A common misunderstanding of SSL has all but ruined SSL as a protective mechanism.
• Legislative Remedies
— Perpetrators are often outside the victim’s jurisdiction.
— Crime can go undetected for weeks, months, or years.
Network Defense through Intrusion Prevention
1. Initial Web Site Compromise
TippingPoint IPS protects vulnerabilities in Web sites and servers
2. Mass Phishing E-Mail
TippingPoint IPS utilizes behavior-based filters, content inspection, and pattern-matching signatures to block
3. Victim Clicks on Misleading URL
The URL itself and the corresponding DNS query are evaluated to determine if it is linking to a legitimate or fraudulent site
4. Phish Web Site is Displayed
Web site is evaluated for exploited vulnerabilities. IPS inspects Web content and uses behavior-based filters for signs of forgery.
5. Victim Submits Account Information
If information is submitted to a suspected phishing site, the IPS will block the information transfer.
[Diagram: the phishing campaign flow (Phisher, Victim Web Server, Victim Users) with its steps numbered 1 to 5, matching the list above.]
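An added example, not from the original slides and not TippingPoint's filter logic: one way a content filter could evaluate the misleading URLs of step 3 and the HTML markup tricks noted under Social Defense, by comparing each link's real target with what the reader sees. The function names, finding labels, heuristics and the sample message are assumptions made for this illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def parts(url, bare_host_ok=False):  # urlsplit that tolerates malformed input
    try:
        return urlsplit("//" + url if bare_host_ok and "//" not in url else url)
    except ValueError:
        return urlsplit("")

def link_findings(href, text):
    """Reasons a link looks misleading (heuristics assumed for this example)."""
    findings, target = [], (parts(href).hostname or "").lower()
    try:
        ipaddress.ip_address(target)   # raw IP address instead of a name
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if "@" in parts(href).netloc:      # user@host form hides the real host
        findings.append("userinfo-in-url")
    shown = (parts(text, True).hostname or "").strip(".") if " " not in text else ""
    if "." in shown and target and shown != target and not target.endswith("." + shown):
        findings.append("text-host-mismatch")  # visible text names another host
    return findings

def scan_html(body):
    """Return {href: findings} for every link with at least one finding."""
    collector = LinkCollector()
    collector.feed(body)
    return {h: f for h, t in collector.links if (f := link_findings(h, t))}

# Constructed sample body; the example.* hosts and 192.0.2.10 are placeholders.
SAMPLE = ('<a href="http://192.0.2.10/login">www.bank.example</a> '
          '<a href="http://www.bank.example@evil.example/">Verify</a> '
          '<a href="https://www.bank.example/help">www.bank.example</a>')
```

Calling `scan_html(SAMPLE)` flags the first two links and leaves the third, whose visible text and target agree, out of the result.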