Phishing
Abstract:

Phishing is the new 21st century crime. The global media runs stories on an almost daily basis covering the latest organisation to have their customers targeted and how many victims succumbed to the attack. While the Phishers develop ever more sophisticated attack vectors, businesses flounder to protect their customers' personal data and look to external experts for improving email security. Customers too have become wary of "official" email, and organisations struggle to instil confidence in their communications. While various governments and industry groups battle their way in preventing Spam, organisations can in the meantime take a proactive approach in combating the phishing threat. By understanding the tools and techniques used by professional criminals, and analysing flaws in their own perimeter security or applications, organisations can prevent many of the most popular and successful phishing attack vectors.

This paper covers the technologies and security flaws Phishers exploit to conduct their attacks, and provides detailed vendor-neutral advice on what organisations can do to prevent future attacks. Security professionals and customers can use this comprehensive analysis to arm themselves against the next phishing scam to reach their in-tray.

Introduction:

Tricking others into giving out passwords or other sensitive information has a long tradition in the attacker community. Traditionally this activity has been performed through the process of social engineering. In the 1990s, with the increasing growth in interconnected systems and the popularity of the Internet, attackers started to automate this process and attack the mass consumer market. The first systematic research to cover such activity was published in 1998 by Gordon and Chess (Sarah Gordon, David M. Chess: Where There's Smoke, There's Mirrors: The Truth about Trojan Horses on the Internet, presented at the Virus Bulletin Conference in Munich, Germany, October 1998). Gordon and Chess were researching malware on AOL, but they were faced with phishing attempts instead of the expected trojan horse attacks. The term phishing ("password harvesting fishing") describes the fraudulent acquisition, through deception, of sensitive personal information such as passwords and credit card details by masquerading as someone trustworthy with a real need for such information.

Recent phishing attempts

A chart showing the increase in phishing reports from October 2004 to June 2005.

More recent phishing attempts have targeted the customers of banks and online payment services. E-mails supposedly from the Internal Revenue Service have also been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately in the hope of finding a customer of a given bank or service, recent research has shown that phishers may in principle be able to establish what bank a potential victim has a relationship with, and then send an appropriate spoofed email to this victim. Targeted versions of phishing have been termed spear phishing. Social networking sites are also a target of phishing, since the personal details in such sites can be used in identity theft. Experiments show a success rate of over 70% for phishing attacks on social networks. In late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details.

Phishing examples:

Google phishing example

PayPal phishing example: an example of a phishing email targeted at PayPal users.

In the example PayPal phish, spelling mistakes in the email and the presence of an IP address in the link (visible in the tooltip under the yellow box) are both clues that this is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details is not a guarantee of legitimacy.

The Phishing Threat:

Social Engineering Factors
Phishing attacks rely upon a mix of technical deceit and social engineering practices. In the majority of cases the Phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. Communication channels such as email, web-pages, IRC and instant messaging services are popular. In all cases the Phisher must impersonate a trusted source (e.g. the helpdesk of their bank, automated support response from their favourite online retailer, etc.) for the victim to believe. To date, the most successful Phishing attacks have been initiated by email – where the Phisher impersonates the sending authority (e.g. spoofing the source email address and embedding appropriate corporate logos). For example, the victim receives an email supposedly from their bank (the sender address is spoofed) with the subject line 'security update', requesting them to follow a URL (a domain name that belongs to the attacker – not the bank) and provide their banking PIN number.

A) Email and Spam

Phishing attacks initiated by email are the most common. Using techniques and tools used by Spammers, Phishers can deliver specially crafted emails to millions of legitimate "live" email addresses within a few hours (or minutes using distributed Trojan networks). In many cases, the lists of addresses used to deliver the phishing emails are purchased from the same sources as conventional spam.

Utilising well known flaws in the common mail server communication protocol (SMTP), Phishers are able to create emails with fake "Mail From:" headers and impersonate any organisation they choose. In some cases, they may also set the "RCPT To:" field to an email address of their choice (one which they can pick up email from); whereby any customer replies to the phishing email will be sent to them. The growing press coverage of phishing attacks has meant that most customers are very wary of sending confidential information (such as passwords and PIN information) by email – however it is still successful in many cases.

Techniques used within Phishing emails:
• Official looking and sounding emails
• Copies of legitimate corporate emails with minor URL changes
• HTML based email used to obfuscate target URL information
• Standard virus/worm attachments to emails
• A plethora of anti spam-detection inclusions
• Crafting of "personalised" or unique email messages
• Fake postings to popular message boards and mailing lists
• Use of fake "Mail From:" addresses and open mail relays for disguising the source of the email

B) Web-based Delivery

An increasingly popular method of conducting phishing attacks is through malicious web-site content. This content may be included within a web-site operated by the Phisher, or a third-party site hosting some embedded content.

Web-based delivery techniques include:
• The inclusion of HTML disguised links (such as the one presented in the Westpac Email example) within popular web-sites and message boards.
• The use of third-party supplied, or fake, banner advertising graphics to lure customers to the Phisher's web-site.
• The use of web-bugs (hidden items within the page – such as a zero-sized graphic) to track a potential customer in preparation for a phishing attack.
• The use of pop-up or frameless windows to disguise the true source of the Phisher's message.
• Embedding malicious content within the viewable web-page that exploits a known vulnerability within the customer's web browser software and installs software of the Phisher's choice (e.g. key-loggers, screen-grabbers, back-doors and other Trojan Horse programs).
• Abuse of trust relationships within the customer's web-browser configuration to make use of site-authorised scriptable components or data storage areas

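Two of the clues named above (an IP address where a hostname should be, and link text that shows one host while the href points at another, the "HTML disguised link") can be checked mechanically. The following is an added example, not code from the paper or from any product it mentions; it uses only the Python standard library, and the sample email body, hostnames and addresses in it are constructed for the demonstration.

```python
"""Flag HTML-disguised links of the kinds described in the text.

Added example (not from the original paper): parses the anchors in an
HTML email body and reports two tell-tales, an IP address literal as the
link host and visible link text naming a host that the real target is
not under.  All input below is constructed sample data.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Something that looks like a hostname inside the visible link text.
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def analyse_links(html):
    """Return a list of findings as (href, visible text, reason) tuples."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host_of(href)
        if _is_ip_literal(host):
            findings.append((href, text, "ip-literal-host"))
        m = _HOSTLIKE.search(text)
        if m:
            shown = m.group(1).lower()
            # The text names a host, but the real target is not that host
            # nor a subdomain of it.
            if shown != host and not host.endswith("." + shown):
                findings.append((href, text, "display-host-mismatch"))
    return findings


# Constructed sample email body, not a real message.
SAMPLE = """
<p>Dear customer, please complete this security update:</p>
<a href="http://192.0.2.10/login">https://www.examplebank.example/login</a><br>
<a href="https://www.examplebank.example/help">Help centre</a><br>
<a href="https://examplebank-validate.example/">www.examplebank.example</a>
"""

if __name__ == "__main__":
    for href, text, reason in analyse_links(SAMPLE):
        print(f"{reason}: text={text!r} -> {href}")
```

Run against the constructed sample, the first anchor is reported twice (IP-literal host and a display host that does not match it), the plain "Help centre" link is clean, and the third anchor is reported because its visible text names the bank's domain while the target is a different registered domain. A mail gateway or client plug-in would apply the same two tests before rendering the message.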
C) Fake Banner Advertising

Banner advertising is a very simple method Phishers may use to redirect an organisation's customer to a fake web-site and capture confidential information. Using copied banner

D) Trojaned Hosts

While the delivery medium for the phishing attack may be varied, the delivery source is increasingly becoming home PCs that have been previously compromised. As part of this compromise, a Trojan horse program has been installed which allows Phishers (along with Spammers, Warez Pirates, DDoS Bots, etc.) to use the PC as a message propagator. Consequently, tracking back a Phishing attack to an individual initiating criminal is extremely difficult.

It is important to note that the installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies. Many malicious or criminal groups have developed highly successful techniques for tricking home users into installing the software, and now operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon) capable of being used as Phishing email propagators or even hosting fraudulent web-sites.

That is not to say that Phishers are not capable of using Trojan horse software against a customer specifically to observe their confidential information. In fact, to harvest the confidential information of several thousand customers simultaneously, Phishers must be selective about the information they wish to record or be faced with information overload.

Defence Mechanisms

a) Countering the Threat

As already shown in Section 2, the Phisher has a large number of methods at their disposal – consequently there is no single solution capable of combating all these different attack vectors. However, it is possible to prevent current and future Phishing attacks by utilising a mix of information security technologies and techniques. For best protection, these security technologies and techniques must be deployed at three logical layers:
1. The Client-side – this includes the user's PC.
2. The Server-side – this includes the business's Internet-visible systems and custom applications.
3. Enterprise Level – distributed technologies and third-party management services.
This section details the different defence mechanisms available at each logical layer.

b) Client-side

The client-side should be seen as representing the forefront of anti-phishing security. Given the distributed nature of home computing and the widely varying state of customer skill levels and awareness, client-side security is generally much poorer than a managed corporate workstation deployment. However, many solutions exist for use within both the home and corporate environments.

At the client-side, protection against Phishing can be afforded by:
• Desktop protection technologies
• Utilisation of appropriate less sophisticated communication settings
• User application-level monitoring solutions
• Locking-down browser capabilities
• Digital signing and validation of email
• General security awareness

Desktop Protection Agents

Most users of desktop systems are familiar with locally installed protection software, in the form of a common anti-virus solution. Ideally, desktop systems should be
configured to use multiple desktop protection agents (even if this functionality duplicates any corporate perimeter protection services), and be capable of performing the following services:
• Local Anti-Virus protection
• Personal Firewall
• Personal IDS
• Personal Anti-Spam
• Spyware Detection

Many desktop protection software providers (e.g. Symantec, McAfee, Microsoft, etc.) now provide solutions that are capable of fulfilling one or more of these functions. Specific to Phishing attack vectors, these solutions (or a combination of them) should provide the following functionality:
• The ability to detect and block "on the fly" attempts to install malicious software (such as Trojan horses, key-loggers, screen-grabbers and backdoors) through email attachments, file downloads, dynamic HTML and scripted content.

Browser Capabilities

The common web browser may be used as a defence against phishing attacks – if it is configured securely. Similar to the problems with email applications, web browsers also offer extended functionality that may be abused (often to a higher degree than email clients). For most users, their web browser is probably the most technically sophisticated application they use. The most popular web browsers offer such a fantastic array of functionality – catering to all users in all environments – that they

• Disable all window pop-up functionality
• Disable Java runtime support
• Disable ActiveX support
• Disable all multimedia and auto-play/auto-execute extensions
• Prevent the storage of non-secure cookies
• Ensure that any downloads cannot be automatically run from the browser, and must instead be downloaded into a directory for anti-virus inspection

Enterprise level

Businesses and ISPs may take enterprise-level steps to secure against Phishing scams – thereby protecting both their customers and internal users. These enterprise security solutions work in combination with client-side and server-side security mechanisms, offering considerable defence-in-depth against phishing and a multitude of other current threats.

Key steps to anti-phishing enterprise-level security include:
• Automatic validation of sending email server addresses
• Digital signing of email services
• Monitoring of corporate domains and notification of "similar" registrations
• Perimeter or gateway protection agents
• Third-party managed services

a) Mail Server Authentication

Multiple methods have been proposed for authenticating sending mail servers. In essence, the sender's mail server is validated (e.g. reverse resolution of domain information to a specific IP address or range) by the receiving mail server. If the sender's IP address is not an authorised address for the email domain, the email is dropped by the receiving mail server.

Alternatively, through the use of Secure SMTP, email transport could be conducted over an encrypted SSL/TLS link. When the sender mail server connects to the recipient mail server, certificates are exchanged before an encrypted link is established. Validation of the certificate can be used to uniquely identify a trusted sender. Missing, invalid or revoked certificates will prevent a secure connection from occurring and not allow delivery of emails. If desired, an additional check with the DNS server can be used to ensure that only authorised mail servers may send email over the secure SMTP connection.
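The two address-based checks just described (is the connecting IP one the sender's domain has published as authorised, and does the IP's reverse name resolve back to the same IP) can be written as a small decision routine a receiving MTA would run at MAIL FROM time. This is an added example and not code from the paper or from any mail product; the DNS answers are replaced by constructed lookup tables, and every domain, hostname and address in it is invented.

```python
"""Authorising a sending mail server by its connecting IP address.

Added example, not from the original paper.  Two of the checks the text
describes are shown with constructed lookup tables standing in for DNS:
an address-range check (is the connecting IP inside a range the domain
publishes for its outbound mail servers?) and forward-confirmed reverse
DNS (does PTR(ip) give a name whose A record points back at ip?).
Domains, hostnames, addresses and policies below are all invented.
"""
import ipaddress

# Constructed: networks each domain has declared as authorised senders.
AUTHORISED_SENDERS = {
    "examplebank.example": ["198.51.100.0/28", "2001:db8:10::/48"],
}

# Constructed reverse (PTR) and forward (A) records.
PTR_RECORDS = {
    "198.51.100.5": "mx1.examplebank.example",
    "203.0.113.77": "dsl-77.isp.example",
}
A_RECORDS = {
    "mx1.examplebank.example": "198.51.100.5",
    "dsl-77.isp.example": "203.0.113.9",   # PTR name does not resolve back
}


def sender_domain(mail_from):
    """Domain part of a MAIL FROM address, lowercased; '' if malformed."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def ip_authorised(domain, client_ip, table=AUTHORISED_SENDERS):
    """'pass' if client_ip is inside a published range, 'fail' if the
    domain publishes ranges and the IP is outside all of them, 'none'
    if the domain publishes no policy at all."""
    nets = table.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for net in nets:
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        if ip in ipaddress.ip_network(net):
            return "pass"
    return "fail"


def reverse_confirmed(client_ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """True only when PTR(ip) -> name and A(name) -> the same ip."""
    name = ptr.get(client_ip)
    return name is not None and a.get(name) == client_ip


def decide(mail_from, client_ip):
    """Combine the checks into an accept/reject decision for the MTA."""
    domain = sender_domain(mail_from)
    if not domain:
        return "reject: malformed MAIL FROM"
    verdict = ip_authorised(domain, client_ip)
    if verdict == "fail":
        return f"reject: {client_ip} not authorised for {domain}"
    if verdict == "none" and not reverse_confirmed(client_ip):
        return f"reject: no sender policy for {domain} and no FCrDNS"
    return "accept"


if __name__ == "__main__":
    # The bank's own relay, a spoofed bank sender on a consumer line,
    # and a domain with no published policy on that same line.
    for mf, ip in [("<alerts@examplebank.example>", "198.51.100.5"),
                   ("<alerts@examplebank.example>", "203.0.113.77"),
                   ("<news@other.example>", "203.0.113.77")]:
        print(mf, ip, "->", decide(mf, ip))
```

The middle case is the phishing scenario from Section 2: the envelope sender claims the bank's domain, but the connection comes from an address the bank never published, so the message is dropped before any content is examined. The design choice worth noting is the fallback for domains with no policy, where the reverse-DNS confirmation is the only evidence available and a mismatch is treated as a reject.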
b) Digitally Signed Email

Extending the processes for digitally signed email, enterprises can configure their receiving email servers to automatically validate digitally signed emails before they reach the recipient. This process may prove to be more efficient for an organisation, and automatic steps can be taken to alert recipients of invalid or unsigned emails. In addition, the enterprise email server can be configured to always sign outbound email. By doing so, a single "corporate" digital certificate can be used and customers who receive these signed emails can be confident that their received message is legitimate.

c) Gateway Services

The enterprise network perimeter is an ideal place for adding gateway protection services that can monitor and control both inbound and outbound communications. These services can be used to identify malicious Phishing content, whether it be located within email or other communication streams.

Typical enterprise-level gateway services include:
• Gateway Anti-Virus Scanning – used to detect viruses, malicious scripting code and binary attachments that contain Trojan horse programs.
• Gateway Anti-Spam Filtering – rule-based inspection of email content for key phrases (such as Viagra) and bad words, typically used to identify common spam, but also capable of stopping many forms of phishing attack that are designed to look like legitimate spam.
• Gateway Content Filtering – inspection of many types of communication methods (e.g. email, IM, AOL, HTTP, FTP) for bad content or requests. Simple protection against users visiting known bad or dangerous websites.
• Proxy Services – management and concentration of Internet protocols and control over the types of egress communications. Protection against inbound attacks through the use of network address translation. Good protection against common information leakage of internal network configurations.

Advantages:
Update Efficiency – It is far easier, and faster, for a large institution to update a relatively small number of gateway scanners than it is to ensure that all desktop scanners are up to date. Automated desktop virus scan updates help, but are still somewhat slower than gateway updates.
ISP Independence – Gateway content filtering is very effective at blocking access to known phishing sites or content, without waiting for an ISP to remove the offending phishing site.
Pre-emptive Protection – Malicious code can be blocked from entering the network.

Disadvantages:
Traffic Limitations – Some forms of network traffic cannot be scanned.
Firewall Changes – Some gateway implementations may require manual configuration of firewalls and other gateway devices to implement blocking rules.
Roaming User Protection – Roaming users such as mobile salesmen are not protected by the gateway services.
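The three gateway services above (anti-spam phrase rules, content filtering of links to known bad sites, and an attachment pre-filter in front of anti-virus scanning) share one shape: parse the message once, apply rules, accumulate a score, act on a threshold. The following is an added example, not code from the paper or from any gateway product; it uses only the Python standard library's email package, and the rule set, host list, threshold and sample messages are all constructed for the demonstration.

```python
"""A minimal rule-based gateway filter of the kind described above.

Added example, not code from the original paper.  Raw messages are
parsed with the standard-library email package and three rule families
are applied: key-phrase inspection of subject and body (anti-spam),
URL-host lookup against a known-bad list (content filtering) and
executable attachment names (a pre-filter before anti-virus scanning).
Rules, hosts, threshold and sample messages are invented.
"""
import re
from email import message_from_string, policy

# Constructed rule set: phrase -> score.
PHRASE_RULES = {
    "security update": 3,
    "verify your account": 4,
    "confirm your pin": 5,
    "viagra": 5,
}
# Constructed known-bad hosts a content filter would block outright.
BAD_HOSTS = {"examplebank-validate.example", "192.0.2.10"}
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|bat|cmd|vbs)$", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)
QUARANTINE_AT = 5


def message_text(msg):
    """Subject plus every text/* part, decoded to str."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)


def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def score_message(raw):
    """Return (score, reasons) for one raw RFC 822 message string."""
    msg = message_from_string(raw, policy=policy.default)
    text = message_text(msg)
    lowered = text.lower()
    score, reasons = 0, []
    for phrase, weight in PHRASE_RULES.items():
        if phrase in lowered:
            score += weight
            reasons.append(f"phrase:{phrase}")
    for host in sorted(set(h.lower() for h in URL_HOST.findall(text))):
        if host in BAD_HOSTS:
            score += QUARANTINE_AT       # a known-bad link alone is decisive
            reasons.append(f"bad-host:{host}")
    for name in attachment_names(msg):
        if EXECUTABLE_EXT.search(name):
            score += QUARANTINE_AT       # likewise an executable attachment
            reasons.append(f"executable-attachment:{name}")
    return score, reasons


def gateway_action(raw):
    """'quarantine' or 'deliver', with the reasons that led there."""
    score, reasons = score_message(raw)
    return ("quarantine" if score >= QUARANTINE_AT else "deliver"), reasons


# Constructed sample messages, not real mail.
PHISH = """\
From: "Example Bank" <alerts@examplebank.example>
To: customer@mail.example
Subject: Security update required
Content-Type: text/plain

Please verify your account at http://examplebank-validate.example/login
"""

LEGIT = """\
From: colleague@corp.example
To: me@corp.example
Subject: Lunch on Friday?
Content-Type: text/plain

Shall we try the new place by the station?
"""

TROJAN = """\
From: support@isp.example
To: customer@mail.example
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--b1--
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT), ("trojan", TROJAN)]:
        print(label, "->", gateway_action(raw))
```

The phishing sample trips all three phrase and link rules and is quarantined before reaching a mailbox; the trojan sample carries no suspicious text at all and is caught only by the attachment rule, which is why the text recommends layering the services rather than relying on any one of them. A production gateway would replace the constructed host set with a maintained feed and log the reasons list alongside each verdict.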
By understanding the tools and technologies Phishers have in their arsenal, businesses and their customers can take a proactive stance in defending against future attacks. Organisations have within their grasp numerous techniques and processes that may be used to protect the trust and integrity of their customers' personal data. The points raised within this paper, and the solutions proposed, represent key steps in securing online services from fraudulent phishing attacks – and also go a long way in protecting against many other popular hacking or criminal attack vectors.

By applying a multi-tiered approach to their security model (client-side, server-side and enterprise) organisations can easily manage their protection technologies against today's and tomorrow's threats – without relying upon proposed improvements in communication security that are unlikely to be adopted globally for many years to come.