Learning Center
Plans & pricing Sign in
Sign Out

phishing exposed


									Supported by Computer Studies Division, City University of Hong Kong
              Presented by

           Mr. Alan Lam
          Mr. Bernard Kan
          Mr. S.C. Leung

    • This material is NOT intended to be adopted in the course of
      attacking any computing system, nor does it encourage such
    • PISA takes no liability to any act of the user or damage
      caused in making use of this report.
    • The points made here are deliberately kept concise for the
      purpose of presentation. If you require technical details
      please refer to other technical references.

3               (PHISHING )
    • The copyright of this material belongs to the Professional
      Information Security Association (PISA).
    • A third party could use this material for non-commercial
      purpose, given that no change in the meaning or
      interpretation of the content was made and reference is
      made to PISA. All rights are reserved by PISA.

4               (PHISHING )
    1. Overview of Phishing ?
      1.1 What is Phishing?
      1.2 Examples of Phishing .. email, web site
      1.3 Current Profile of Phishing Attack

    2. Attack Strategies & Technologies and Defenses
      2.1 Cousin URL Attack
      2.2 URL Obfuscation Attack
      2.3 Face Lift Attack
      2.4 Cross-site Scripting Attack
      2.5 Visual Spoofing Attacks
      2.6 Other Attacks

    3. Defense Strategies Against Phishing Attack
      3.1 Policy and User Education
      3.2 Prevention
      3.3 Detection
      3.4 Incident Response and Collaboration
      3.5 Long Term Dev’t in technology infrastructure and legislation
            (PHISHING )
             1.1 What is Phishing?
    Phishing attacks use 'spoofed' e-mails and
    fraudulent websites designed to fool recipients
    into divulging personal financial data such as
    credit card numbers, account usernames and
    passwords, social security numbers, etc.

    Quoted from

6          (PHISHING )
                        Origin of Term

    • Phreaking + Fishing = Phishing
         • Phreaking: exploiting vulnerability of phone system to make calls
           without paying in the 70’s
         • Fishing : Use of bait to get target on hook


7             (PHISHING )
    Why Phishing becomes a threat to us?
    •   Online transaction, such as e-banking, becomes more and more popular
         – Versign July 2004 report: eCommerce yearly increase by 13.2%

    •                                                                   d
        In order to make their online transaction service easy to use an please their
        customers, some service providers sacrifice good security feature, such as user

    •   Fantasy web features (DHTML, Java, ActiveX, Flash, XML) introduce new web
        vulnerabilities which may not be caught up by most service providers and browser
        vendors. And these web features are supported by most email/newsreaders, search
        engines, chat rooms, or ICQ.

    •   Spamming technology and facilities are becoming mature. Legislation in this area
        cannot catch up.

    •   Internet being a Virtual World, it lacks a physical identity for user to validate. Trust
        building is an intrinsic problem.

    •   The current Internet infrastructure is insecure by default.

    •   It is much cheaper and safer for attackers to carry out fraud in the Internet.

    •   All the above points encourage attackers to gain financial profit by Phishing attack.
8                  (PHISHING )
              How does Phishing work?
    • Social engineering used in the crafted Spam email and Fake
      web site
       – Use spoofed identity (of trusted organization) to gain trust
       – Use the wording and tune that the trusted organization usually uses
       – Emphasize an urgency to “update” or “validate” data to rectify
       – Threaten to terminate account or process the mistaken transaction
       – Inform user to get free coupon or win lottery because of product

    • Luring victim to a bogus website (the net in fishing)
       – Convincing URL
       – Disguised web interface
           • Make the bogus web site look like the original web site.
           • Detail level down to fonts, company logo, or even the browser UI
       – When users login the bogus website, username and password are

9              (PHISHING )
               Workflow of Phishing Attack
     1.   Preparation
          a.   Research and Development
               •   Identify the target organization
               •   Identify the vulnerability of the target organization web page
               •   Iidentify the vulnerability of email reader and web browser that can
                   facilitate the attack
          b.   Prepare scam email and Capture website according to the above
               collected information
          c.   Gather or purchase email addresses
          d.   Ride on SMTP Open Relay or purchase similar services

     2.   Attacking
          a.   Send out scam mail (the bait) via open relay server / services
          b.   Post the scam mail to newsgroups, chartrooms, ICQ messages or
               Banner advertising
          c.   Submit the bogus website to search engines
          d.   Wait for victim at the Capture Website (the trapping net)

     3.   Harvesting
          a.   Capture data collected at Capture Website
          b.   Use or Sell the data or captured hosts…

10                 (PHISHING )
                    Phishing Categories
     Attackers’ Objectives
        – Fraud in money transfer
        – Fraud in personal information theft
        – Installing Key Logger and Trojan for
          other purposes such as proxy for other

     Loss and Damage
        – Financial
        – Leakage of sensitive information
        – Control of computer fallen to attacker
        – Damage to branding and corporate
        – Damage to consumer confidence in
          online transaction and eventually impact                    Image Source:
          development of e-Commerce
11              (PHISHING )
        Demonstration 1
      Examples of Phishing
      Hang Seng Bank
      US Bank
      SunTrust Bank
      Citizens Bank
12   (PHISHING )
           1.3 Current Profile of Phishing

     • Verisign Internet Intelligence Briefing (2004-07)

     • Anti-Phishing Working Group (APWG) Trend Report (2004-06)

     • Gartner Report (2004-06)
        – Internet Banking Fraud had brought about loss of US$2.4B

     • Hong Kong Police Statistics (2004-07)
13                 (PHISHING )
         Anti-Phishing Working Group Trend
                   Report (2004-06)

                         Monthly Unique phishing attacks

                                                          1125     1197
     Count of unique



                              Jan-04   Feb-04   Mar-04    Apr-04   May-04   Jun-04

14                            (PHISHING )
          Phishing Attack Target (APWG 2004-06)

     1.   Citibank
     2.   eBay
     3.   US Bank
     4.   Pay Pal

     12 VISA

     17. HSBC

15                   (PHISHING )
              Phishing Web site location
          Verisign (2004-07)                     APWG (2004-06)
                       Verisign                             APWG
             Country         Percentage            Country      Percentage
                 USA             63                    USA          27
         South Korea             10            South Korea          20
       Mainland China            5           Mainland China         16
                Brazil           2                  Taiwan          7
               Poland            2                  Holland         3

     • Phishermen usually choose location (APWG 2004-06)
        – Where there is language or time zone difference with brand owner,
          to create the barrier to close down the bogus web site
        – On compromised machines (25% by analysis)

16                 (PHISHING )
                Phishing Sender Source
     • Verisign (2004-07)       • APWG (2004-06)

           2% 5%                    1% 7%

            Spoofed Address           Spoofed Address
            Cousin Address            Cousin Address
            Web Email Address         Web Email Address

17              (PHISHING )
           Phishing impact can be great
     • Impact to USA (Gartner Report 2004-06)
       –   57 million US consumers attacked
       –   3-5% recipients became victims
       –   About 1.98 million reported their account intruded
       –   Loss involved was US$2.4 billion (average loss per victim

18              (PHISHING )
                               Phishing and Bogus Website
                                      in Hong Kong
                                             Phishing and Bogus Website Report
                      50                                                                                                              45
     Reported Cases

                      40                                                                                            36

                      30                                                                                                     28


                                             3                         3         4 4          3                 4
                               1                               2 1                                     2                 2                 2
                           0        0 0          0    0 1                   1                                                     1



















                                                                     Phishing Report
                                                                     Bogus Website

                                                                                              Source: Hong Kong Police Force
19                                 (PHISHING )
                2. Attack Strategies and
     • Before 2003, Social Engineering was the major attack
        – Email with impersonated name and logo, together with
          disguised tone of messages
        – Two technical tricks were also used
           • Cousin URL carry similar
           • Bogus URL using old techniques
     • Since 2003, technologies emerged to trick the
       browser, or even mimic the SSL web page style
           •   Face Lift
           •   Bogus URL using new techniques
           •   Cross-site Scripting
           •   Visual Spoofing
           •   Other attacks

20                (PHISHING )
                       2.1 Cousin URL
     Hong Kong Banking           Some Cousin URL as example
        Bogus Websites
                                 (Red: Bogus Cousin URL)
      2003 (Jan-Dec) 8 cases
                                 •   ? ? ? ? (
     2004 (Jan - Jul) 18 cases        •
                                 •   ? ? ? ? (
                                 •   ? ? ? ? (
                                 •   ? ? ? ? (
                                 •   ? ? ? ? (
                                 •   ? ? ? ? (
                     Source:          •
     Hong Kong Police Force •        More…

21          (PHISHING )
                    Cousin URL:

22         (PHISHING )
            2.2 URL Obfuscation Attack
     • Normal representation of URL
        – Domain:

     • Dotted representation of IP address URL
        – Decimal:
        – Hexadecimal: http://0xca.0x51.0xff.0xf2
        – Octal http://0312.0121.0377.0362

     • Dot-less representation of IP address URL
        – Decimal: http://3639552355 http://7689338866 …
        – Hexadecimal: http://0xCA51FFF2
        – Reference:
           A dot-less Decimal IP calculator can be found at

23               (PHISHING )
             2.2 URL Obfuscation Attack
     • Valid Use of “@’
        – “RFC1738 - URL”? ”RFC2396 – URI Generic Syntax” allows a valid
          Uniform Resource Locators (URL) syntax
        – Application: use URL to carry username and password, e.g.

     • Malicious Use of “@’ to hide bogus host
        – (IP address)
        – (decimal representation)

     • Browser’s Address bar and Status bar CAN DISPLAY the
       actual content but normal user may not notice

24                (PHISHING )
             2.2 URL Obfuscation Attack
     • Escaped Encoding (or % encoding)
        – RFC1738 - URL”? ”RFC2396 – URI Generic Syntax” allows URL
          encoded as ASCII in Hexadecimal representation
        – ”%##” (## : 00 – FF)
            • %20= [space], %2E=“.”, %7E=“~”
            • %31=“1”, %32=“2”
            • %41=“A”, %61=“a”
        – Where will this URL bring you to?

     • Browser’s Address bar and Status bar CAN DISPLAY the actual
       content but normal user may not notice

     • Reference of % Encoding and online encode/decoder

25                (PHISHING )
            2.2 URL Obfuscation Attack
     • Other derived formats of URI
        – Unicode encoded URL
            • Unicode was designed to allow multiple language implementations of
              the ASCII character set
            • http://&#119;&#119;&#119;&#46;&#112;&#105;&#115;&#97;&
        – Mixed Unicode and ASCII
            • http://&#119;&#119;&#119;%2E%70%69%73%61%2E%6F%72%6

     • References
       Unicode Encoding:

       Free Online UTF Decoder (choose “Freeform numeric):

26                (PHISHING )
            2.2 URL Obfuscation Attack

     • IE or other browser Vulnerability in displaying
       proper URL at
       – Status Bar
       – Address Bar

27            (PHISHING )
     URL Obfuscation Attack (Status Bar)
     • Inline Javascript
         – <A Href= … onMouseOver=..>
     •   <Form>
     •   <Table>
     •   <Table Border>
     •   <Image Map>

28             (PHISHING )
     URL Obfuscation Attack (Address Bar)
               (IE vulnerability in displaying URL)
       • IE 5.x ? 6.0 has a vulnerability in handling URL. When
         the URL contains special characters, the character string
         after the special character cannot be displayed.
         (Microsoft knowledgebase article 834489)

       • For example, use escaped encoded characters %00 (null
         character) and %01

       • IE will bring user to “”, whereas the
         Address bar and Status bar cannot display the true visited
29             (PHISHING )
          IE vulnerability in displaying URL
     • MS04-004 (2004-02) released
       a patch to remove support in
       HTTP to the URI format


     • However, after applying the
       patch, Address bar and Status
       bar still do NOT display the
       correct URL.

30               (PHISHING )
     Known Attack using the MS04-004

     • Exploit-URLSpoof

     • McAfee alert

31                (PHISHING )
           IE vulnerability in handling URL
     • Works with DNS server which accepts dummy subdomain,


     Effective = *

     • Reference URL:

32              (PHISHING )
          2.2 URL Obfuscation Attack
     • Shortened URL
          • PISA
          • Workshop: Phishing Exposed

          • PISA
          • Workshop: Phishing Exposed

33            (PHISHING )
           Demonstration 2
        URL Obfuscation Attacks

34   (PHISHING )
                 2.3 Face Lift (                )
     • Use URL Redirect or similar technology
     • Take advantage of the real web site’s face to
       confuse the identity of Bogus Login Page

       <META HTTP-EQUIV="Refresh" CONTENT="0;

          Online Banking
          Main Page (real)        Online Login (bogus)
                                  Usename myuserid
                                  Password *******

35             (PHISHING )
     Case Study ANZ bank phishing

     Email content
     :                                                “%##” Hexidecimal format
     %30%2E%32%30%30 %32%37%38%34/%69%6E%65%74%62%61%6E%6B/%6

                                                     Bogus URL – old technique   @

36                (PHISHING )
     Content of BOGUS web page

          <script LANGUAGE="JavaScript">

     1      PopUp page      Login
          gPopupWindow = new PopupWindow("login.htm", 350, 150);
          gPopupWindow.toolbar = false;
          gPopupWindow.statusbar = true;
          gPopupWindow.resizable = true;
          gPopupWindow.ontop = true;

          <body bgcolor="#FFFFFF" text="#000000">
     2     Background     Redirect
          <META HTTP-EQUIV="Refresh" CONTENT="0;
                  (PHISHING )
          Online Banking Login (Bogus)
 1    PopUp page     Login

                                                      No SSL
 2   Background    Redirect
     <META HTTP-EQUIV="Refresh" CONTENT="0; url=">
38                 (PHISHING )
     Case Study ANZ bank phishing
                    Face Lift

            2                             2


39         (PHISHING )
     Case Study ANZ bank phishing
                    Track Hiding

                                   After entering PIN
                                   SSL padlock shown ??!!
40        (PHISHING )
     Online Banking Login (real)

                                     Real digital cert
                                          of web site

        Real login has SSL padlock

41     (PHISHING )
      Defense vs. Cousin URL (Prevention)
     • Use a consistent and persistent web interface
     • Communicate a Single Simple Domain name
       XYZBank owns these domains and have web servers for each


           They use these domains for Online banking

           They use these domains for HK and Australia Online banking

42              (PHISHING )
       Defense vs. Cousin URL (Prevention)
     • Is this better?

       XYZBank owns these domains

     (only active domain)
     (forward to
     (forward to

          They these SubDomain for Online banking
     (personal banking)
     (corporate banking)

          They use these URL paths for HK and Australia Online banking

43             (PHISHING )
         Defense vs. Cousin URL (Detection)

     •   Brand Management
     •   Domain Monitoring
                                    Can be Outsourced
     •   Web Crawling
     •   Intelligence Report from
         Spam Filtering services

44             (PHISHING )
               Detection (Server side)
     • Detect Mirroring from Copycat Web Site
       – Monitor large volume traffic, especially from a
         single subnet
       – Placing Honeypot links (invisible links with no
         effective use) to detect access check “access

     • Detect Referral Site
       – At your web server monitor the referrer
         information from the “access log”, it may give you
         information of referral site, search engine or
         attacker by FaceLift / Framing /etc. attack

45            (PHISHING )
                  Server and Site Design

     • PISA’s HK e-Commerce Security Survey 2003
       – Non-intrusive and Anonymous study on 25 local on-line
         transaction sites
          • Application design
          • SSL and Encrypted Communication Digital Certificate
          • Password Management
          • Operation Control
       – URL

46               (PHISHING )
                  Detection (Client side)
     • Browser
       – check digital certificate;
         and turn on alert when
         browser enters or
         leaves SSL mode

47             (PHISHING )
                Detection (Client side)
     • SpoofStick (browser   • eBay Toolbar (browser
       plug-in)                plug-in
                               – Incorporated “Web
                                 CallerID” technology
                                 (acquired from
                                 WholeSecurity) to detect
                                 suspicious activity in
                                 web page. Web CallerID
                                 acts like a heuristic filter
                                 for phishers, detecting
                                 previously undiscovered

48            (PHISHING )
                  Detection (Client)
     • Some Antivirus programs detect malicious
       popup javascript in web page

49           (PHISHING )
                  Detection (Client)
     • http://%32%31%31%2E%39%37%2E%32%34%38%2E%36
       %74%6D (

50            (PHISHING )
             2.4 Cross-Site Scripting
     • A cross-site scripting vulnerability allows the
       introduction of malicious content (scripts) on a
       web site, that is then served to users (clients)
       – Malicious scripts get executed on clients that trust
         the web site
       – Problem with potentially all client-side scripting
     • Use “XSS” to refer to these vulnerabilities, to
       avoid confusion with “CSS” (cascading style

51            (PHISHING )
                      XSS Concept
     • Any way to fool a legitimate web site to send
       malicious code to a user’s browser
     • Almost always involves user content (third
       – Error messages
       – User comments
       – Links
     • References
52            (PHISHING )
                    Why the Name
     • You think that you interact with site Z
     • Site Z has been poisoned by attacker
     • The “poison” (e.g. JavaScript) is sent to you,
       along with legitimate content, and executes. It
       can exploit browser vulnerabilities, or contact
       site M and steal your cookies, usernames and
                   Surfing               Poison


                 Hostile Code Executes            M

53            (PHISHING )
                          XSS Risks
     •   Theft of account credentials and services
     •   User tracking (stalking) and statistics
     •   Misinformation from a trusted site
     •   Denial of service
     •   Exploitation of web browser
         – Create phony user interface
         – Exploit a bug in the browser
         – Exploit a bug in a browser extension such as Flash
           or Java
     • Etc.
54              (PHISHING )
     XSS Risks - Stolen Account Credentials
     • With XSS, it may be possible for your
       credentials to be stolen and used by attacker
     • With sites requiring authentication need to use
       a technological solution to prevent
       continuously asking users for passwords
       – Credentials have the form of a SessionID or nonce
          • Url encoding (GET method)
          • Cookies are commonly used to store credentials
             – These are usually accessible to client-side scripts

55            (PHISHING )
     Cookie Mechanism and Vulnerabilities
     • Used to store state on the client browser
     • Access Control
       – Includes specification of which servers can access
         the cookie (a basic access control)
          • Including a path on the server
       – So cookie can be used to store secrets (sessionIDs
         or nonces)

56            (PHISHING )
                        XSS - Point
     • XSS vulnerabilities fool the access control
       mechanism for cookies
     • The request for the cookie (by scripts) comes
       from the poisoned server, and so is honored by
       the client browser
       – No vulnerabilities needed in the client browser

57            (PHISHING )
     XSS Risk - Privacy and Misinformation
     • Scripts can “spy” on what you do
       – Access history of sites visited
       – Track content you post to a web site
     • Scripts can misinform
       – Modify the web page you are viewing
       – Modify content that you post
     • Privacy (“I have nothing to hide”)
       – Knowledge about you can be valuable and be sued
         against you
          • Divorces, religion, hobbies, opinions
          • etc.
58            (PHISHING )
      Example: Google’s XSS Vulnerability
     • Just get to public at Oct 20.
     • Scripts can be injected into Google to make it
       become a subscription service:

59             (PHISHING )
     Example: Google’s XSS Vulnerability

60        (PHISHING )
           XSS Risk - Denial of Service
     • Nasty JavaScripts can make your web site
       – Make browsers crash or become inoperable
       – Redirect browsers to other web sites

61           (PHISHING )
               XSS Risk - Silent Install
     • Exploitation of browser vulnerabilities
       – JavaScript, ActiveX, etc. allow the exploitation of
         browser vulnerabilities
          • Run locally on your machine
          • User security confirmation bypass vulnerability in
            Microsoft Internet Explorer 6.0 SP2:
             – Allows malicious users to trivially bypass the requirement for
               user confirmation to load JavaScript or ActiveX
       – Installation of malicious code

62            (PHISHING )
                   XSS Risk - Phishing
     • User Interface Modifications
       – Present fake authentication dialogs, capture information
         then perhaps redirect user to real web site
       – Replace location toolbar to make user think they are
         visiting a certain web site
     • Phishing Scenario
          • Victim logs into a web site
          • Attacker has spread “mines” using an XSS vulnerability
          • Victim stumbles upon an XSS mine
          • Victim gets a message saying that their session has
            expired, and they need to authenticate again
          • Victim’s username and password are sent to attacker

63             (PHISHING )
     Demonstration 3 -

64        (PHISHING )
     After successful user login...

65    (PHISHING )
     However, if login failed...

66   (PHISHING )
     Try to put scripts in URL...

67   (PHISHING )
     Reveal the injected scripts...

68    (PHISHING )
     Target to inject codes like this...

69      (PHISHING )
               We create the following url...


70                (PHISHING )
     Put the url in scam mails...

71   (PHISHING )
     When the hyperlink is clicked...

72      (PHISHING )
     After the user login, nothing special...

73         (PHISHING )
     • In’s web server log, login
       name and password are recorded
       – - - [14/Oct/2004:11:01:52 +0800]
         "GET /bernard:IlovePisa HTTP/1.1" 404 719

74           (PHISHING )
                    XSS - Prevention
     • For users:
       – disable scripting in browser (some personal
         firewall can selectively block/allow scripts from
         particular web sites)
       – do not trust links in e-mails, type url directly in
       – always logout before browsing elsewhere
       – keep up with web browser patches and versions

75            (PHISHING )
                    XSS - Prevention
     • For administrators/developers:
       – User input should be parsed and filtered properly,
         especially < > “ ‘ % ; ) ( & + -
       – Some decent guidelines for input filtering can be
         found in the OWASP Requirements document
         "OWASP Guide to Building Secure Web
         Applications and Web Services“
       – Output based on Input parameters should be
         encoded into ISO 8859 -1 for special characters

76            (PHISHING )
                    XSS - Prevention
     • For administrators/developers:
       – For cookies: set the HttpOnly flag. Scripts that run
         in a browser can’t access cookie values with flag
       – Keep up with web server patches
       – periodically test for XSS vulnerabilities by using
         web application scanners
          • e.g. Web Scarab

77            (PHISHING )
                          XSS - Detection
     • XSS exploits can be detected by reviewing
       web server access log, e.g.: - - [14/Oct/2004:10:38:11 +0800] "GET
     ;%22%3E HTTP/1.1" 200 4058

78                (PHISHING )
                                          XSS - Detection
     • XSS exploits can also be detected by network-
       based Intrusion Detection System (IDS), e.g.
       [**] WEB-MISC cross site scripting attempt [**]
       10/21-23:04:54.960511 ->
       TCP TTL:128 TOS:0x0 ID:28082 IpLen:20 DgmLen:307 DF
       ***AP*** Seq: 0xAB1F9A5C Ack: 0xEFB2E94B Win: 0x4470 TcpLen: 20

       47   45   54   20   2F   62   61   6E   6B   6C   6F   67   69   6E   2E   6A   GET /banklogin.j
       73   70   3F   65   72   72   3D   3C   73   63   72   69   70   74   3E   61   sp?err=<script>a
       6C   65   72   74   28   27   58   53   53   27   29   3C   2F   73   63   72   lert('XSS')</scr
       69   70   74   3E   20   48   54   54   50   2F   31   2E   31   0D   0A   41   ipt> HTTP/1.1..A
       63   63   65   70   74   3A   20   2A   2F   2A   0D   0A   41   63   63   65   ccept: */*..Acce
       70   74   2D   4C   61   6E   67   75   61   67   65   3A   20   7A   68   2D   pt-Language: zh-
       68   6B   0D   0A   55   73   65   72   2D   41   67   65   6E   74   3A   20   hk..User-Agent:
       4D   6F   7A   69   6C   6C   61   2F   34   2E   30   20   28   63   6F   6D   Mozilla/4.0 (com
       70   61   74   69   62   6C   65   3B   20   4D   53   49   45   20   36   2E   patible; MSIE 6.
       30   3B   20   57   69   6E   64   6F   77   73   20   4E   54   20   35   2E   0; Windows NT 5.
       30   29   0D   0A   48   6F   73   74   3A   20   77   77   77   2E   70   69   0)..Host: www.pi
       73   61   62   61   6E   6B   2E   63   6F   6D   0D   0A   43   6F   6E   6E
       65   63   74   69   6F   6E   3A   20   4B   65   65   70   2D   41   6C   69   ection: Keep-Ali
       76   65   0D   0A   43   6F   6F   6B   69   65   3A   20   4A   53   45   53   ve..Cookie: JSES
       53   49   4F   4E   49   44   3D   32   42   43   43   39   44   45   36   43   SIONID=2BCC9DE6C
       44   43   46   45   44   44   37   45   32   35   42   43   46   33   44   36   DCFEDD7E25BCF3D6
       38   39   35   38   30   46   32   0D   0A   0D   0A                            89580F2....


79                         (PHISHING )
                  2.5 Visual spoofing
     • Target to the web browser interface
     • Display fake menu bar, status bar, dialogue
       box on a web browser
       – The address bar displays the fake URL address
       – The status bar shows displays the golden “lock”
         icon indicating a secure SSL session, which has
         often been cited as a differentiator between
         legitimate sites and scams
       – The download or installation dialogue box shows
         fake information

80            (PHISHING )
                          How it works?
     Graphic substitution approach
     1. The bogus web page are opened without the
        menu bar and status bar
 “bogus.htm", "_blank", "height=700, width=683,
               location=no, menubar=no, toolbar=no, status=no, resizable=no,

     2. The menu bar and status bar (with the golden
        “lock” icon) images are displayed at the top and
        bottom of the bogus web page to disguise as part of
        the browser user interface

81              (PHISHING )
     Graphic Substitution Approach
                              Header image

                              Bogus web content

                                 Footer image

82    (PHISHING )
      Graphic Substitution Approach
     3. Combine with the java commands
        “window.createPopup()” and
        “”, attacker can hijack the
        entire user’s desktop and construct a
        fake interface to capture and manipulate
        what the user sees.

83           (PHISHING )
            Browser UI Rebuild Approach
     1. The bogus web page are opened without the menu
          bar and status bar
     2. Some browser user interface functions (including
          the certification view function) are rebuilt on the
          bogus web page through download XUL (XML-
          based User interface Language. Standards based
          language developed by to create cross-
          platform user interfaces for Mozilla-based products
          such as the browser.)

84             (PHISHING )
     Browser UI Rebuild Approach

85     (PHISHING )
       Overriding Page Content Approach
     • IE browser allows creation of chromeless
       windows which are screen objects that do not
       have the normal borders and other controls
       attached to them. Through javascript, they can
       be positioned to hide or replace (by “sitting on
       top”) underlying content.
     • Attackers make use of these chromeless
       windows to spoof the graphical components of
       browser, such as URL address bar and
       dialogue boxes for file download, software
       installation, and bookmark.

86            (PHISHING )
                 2.5 Visual spoofing
     • Defense
       – Keep your web browser updated
       – Disable the javascript functions which hide
         your web browser menu and status bar
       – Check the page info and property of the
         view web page before proceed
       – Print mark browser UI

87           (PHISHING )
              Demonstration 4
                 Visual Spoofing

             Graphical Substitution
     FireFox Browser UI Rebuild Approach
             Chromeless Window

88      (PHISHING )
                  2.6 Other Attack
         Trojan, Keylogger, Screen Grabber
     Attacker can lure victim to install Trojan horse program
     through a bogus software patch or update web page. Once the
     victim has installed the Trojan horse program, the attacker can
     closely monitor the victim PC activities by capturing its
     keystroke and screen display.

     – Keylogger
         • Capture the victim keystroke in all windows
     – Screen Grabber
         • Screen dump or even video stream the victim screen display

89            (PHISHING )
           Demonstration 5
     Keylogger and Screen Grabber

90   (PHISHING )
                       2.6 Other Attack
                    Man in the Middle Attack
        By poisoning the victim DNS server, attacker can redirect the traffic of a
        legitimate site to the attacker server where the attacker can sniff
        password information even in the HTTPS connection.
                                                                                       web server

                               The victim thought that he is talking to the
                               legitimate site

     Victim PC

                                Actually, the victim is talking to the attack server

                               Attacker server which sniff the password
                               information and proxy the HTTPS traffic
                               between the victim and legitimate web server

91               (PHISHING )
          New Quiet Attack (4-Nov-2004)
     • Change of HOST file
       – Capture online banking details WITHOUT requiring users
         to click on a website link
       – Works even if USER TYPE IN URL MANUALLY
       – Working Principle
          • Execution of trojan to modify HOSTS file
          • HOSTS file override DNS resolution
          • User brought to malicious site next time he go to that online
            transaction site.
     • Defense
       – Ensure Windows Scripting Host is disabled
       – Have AV and antispyware software installed

     • Reference:

92             (PHISHING )
                Defense Strategies
     At end user side
     • NEVER follow any link in e-mail, post article,
       chart room, ICQ message, or Banner
     • Enable your personal firewall to allow only
       necessary traffic to go through
     • Keep your software (mail reader, web browser,
       virus definition) patched and updated
     • Use the PKI properly

93           (PHISHING )
                   Defense Strategies
     At server side
     • Make sure the web programs are fully tested such as input
       parsing and invalid input handling
     • Monitor any cousin domain created
     • Monitor any phishing e-mail or post message that targeting
       your organization in major search engines and your Honeypot
     • Monitor your web server log and identify any suspicious web
       pages from the referer information
     • Provide secure web proxy service for their customers. This
       web proxy can only connect their legitimate web sites and
       nothing else
     • Provide secondary authentication for transaction. E.G. send
       one-time password to client through mobile SMS

94              (PHISHING )
                      Defense Strategies
     At system and network admin side
     • Deploy anti-spamming and anti-virus measures
           E.G. Black/white lists, keywords lists, semantics analysis, various rules
           and characteristics, Bayesian Filtering, Challenge-Response Filtering,
           SMTP Session Verification, TurnTideT Anti-spam Router … etc.
     • Deploy Firewall, Intrusion Detection System and Intrusion
        Prevention System to block attack and Trojan backdoor
     • Put all non-server machines in private IP networks
     • Educate the users and make sure they stay with the updated
        software patch
     At the software vendor side
     • Do not assume users have certain security knowledge or
        awareness to use their products safety and wisely
     • Do not lower the security level in their product default setting
     • Don’t just make money. Spend more time to fix the bug and
        fully test the product
95                (PHISHING )
                                The Picture of Trust
                                         Perception             - Social engg.
                                         Look and Feel          - Cousin URL
                                        Message and Tone        - Face Lift
           Trust                            Branding                              Trust

                                         Physical Settings

                                             CA                 Weak
                                      Operational Security      Validation
                                          Chain of Trust
                                     Certificate & Revocation

                                     Email Sender Validation       XSS
        Application                                                          Application
                      Visual        *Browser*
     Transport (Host)
                    Spoofing                           SSL                       Transport

     Network (Internet)                  DNS, Hosts file
                                        Network Routing
                                                                DNS poison Network

        Link (LAN)                           ARP                 Sniffing          Link

          Client                      IT Infrastructure                          Server

96                     (PHISHING )
                 Defense Strategies
     •   Policy and User Education
     •   Prevention
     •   Detection
     •   Incident Response and Collaboration

97             (PHISHING )
          3.1 Policy and User Education
         – HKMA Guideline
            • Circular on monitoring Online Banking Regulation of Bogus web
         – Regulating the use of domain name
            • HKMA and HKIRC cooperate in regulating the use of words
              “bank” and “banque” in “.hk” domain
            • Is a further regulation to mandate all authorized banking institutions
              to use “” a useful strategy?
                – Note: it still cannot stop technique like “Visual Spoofing”

     • Human is the weakest link
         – Trust too easily

98               (PHISHING )
       3.1 User Education
     • Consumer Education
       – Pamphlet “Internet Banking – Keeping Your Money
          • by HKAB(Hong Kong Association of Banks)
       – TV and Radio programs
           • by HKMA and HKPF
       – Public seminars
           • by HKCERT
       – Alerts on some bank web sites

99   (PHISHING )
           3.2 Prevention Technical
      • HKMA announced in June 2004 that within
        12 months, all authorized institutions should
        deploy two-factor authentication in high
        risk transactions
         – One time password (e.g. secure ID token, SMS
           one time password)
         – Digital certificate in Smart ID Card

100             (PHISHING )
          3.2 Other Prevention & Detection
      • See previous sections on specific attacks

101            (PHISHING )
           3.4 Incident Response and
      • Report and Alert
         – SFC (Security and Futures Commission) reward the report
           of fraudulent copycat websites and phishing scams
           targeting Hong Kong investors.
            • Smart Investor Award

         – HKMA and SFC publish Unregistered financial and stock
           transaction web site

         – Quick reaction and publishing of news in Media and Press
102        to alert the public
                (PHISHING )
            3.4 Incident Response and
      • Local Collaboration

        – Police, HKCERT and ISPs cooperating to close down
          bogus web sites in Hong Kong

        – Police, HKMA and HKAB has standing collaboration
          body, meeting regularly on banking fraud prevention
          and response

103            (PHISHING )
                3.4 Incident Response and
      • Cross Border Collaboration
         – Police plays an important role in cross-border crimes like phishing
         – CERT Teams around the world are developing close collaboration in
           information exchange and pin down of bogus website

                                                         Asia Pacific

104                 (PHISHING )               
                 3.5 Long Term Development
                      (Technology Infrastructure)
                               PHISHING & SPAM
                           One of the Core Issues:
            How to validate identity of Sender and Sender Domain,
               and if the Sending Mail Server is authorized?
      •   In the current Internet Mail Infrastructure implementation, there is flaw in
          the validation of sender

      Plausible but not widely implemented methods of validation
      • Sender Validation
           – Use Digital Signature (S/MIME or PGP)

      •   Authenticated SMTP to minimize abuse of Open Mail Relay
           – RFC2554 - SMTP Service Extension for Authentication
           – RFC2487 - SMTP Service Extension for Secure SMTP over TLS

105                  (PHISHING )
            3.5 Long Term Development
                (Technology Infrastructure)
      • Domain Validation (work at DNS level)
        – Standard based
           • Reverse DNS Lookup

        – Proprietary Solution
           • AOL: SPF                Sender ID
           • Microsoft: Caller ID
           • Yahoo: Domain Keys

106            (PHISHING )
               Sender Policy Framework SPF

                                 DNS server of

         2. Recipient Mail Gateway                    3. DNS server returns a list of
           issues a DNS query to                        authorized IP addresses of
           SENDER.COM, asking for                       mail servers for
           the list of authorized IP
           addresses of mail servers
                                           ?            SENDER.COM

                                                           4.Check if the Sender Mail Server is
                                                              in the authorized IP address.
                                                           If so, the mail server is authorized
                                                              and mail is forwarded to recipient’s
                1.Sender sends out email
                  from SENDER.COM                             mailbox


       Sender                                     Recipient
      Mail Server                                Mail Gateway                       Recipient
107                      (PHISHING )
       Proprietary Domain Validation
      • Caller ID
        – “XML version of SPF” with more options
      • Domain Keys
        – Use PKI. Validate sender identity AND message

      • Recent Development
        – Domain Keys was submitted as RFC to IETF
        – SPF merge with Caller ID to Sender ID.
        – SenderID submitted to IETF as RFC in July 2004; got
          rejected in Oct 2004 due to compatibility and IP issue.
          Microsoft had re-submitted with amendment. The
          industry is still discussing the new amendment.

108          (PHISHING )
          3.5 Long Term Development
                  PHISHING & SPAM

      – Legislate on cross-border jurisdiction, and
        establish mutually accepted process to handle
        phishing and spamming

      – Legislate on anti-spam, to reduce Open Mail Relay
        and Directory Harvesting Attacks

109          (PHISHING )

      • Phishing adversely impacts the growth of e-Commerce
      • Phishermen are using both old social engineering tricks
        and more advanced technologies now.
      • Should adopt Multi-dimensional Anti-Phishing Strategies
         – User Education, Prevention, Detection, Incident Response and
         – Collaboration of Law Enforcement and Business sector, and
           crossing the border are vital elements of success.

      • Hit SPAM can hit Phishing. There is a need for legislative
        and technological reforms.

110             (PHISHING )

To top