
Anatomy of a Phishing Email

Anatomy of a Phishing Email. Emil Leong MailFrontier Inc. The Problem. Phishing is Everywhere. MailFrontier Employee/Contractor ,


Presentation Transcript


  1. Anatomy of a Phishing Email Emil Leong MailFrontier Inc.

  2. The Problem Phishing is Everywhere

  3. MailFrontier Employee/Contractor, Your e-mail account was used to send a large number of unsolicited spam messages during the past 5 days. We suspect your account has been compromised. Please click here to change your account password in the next 24 hours. Failure to change your account password will result in the suspension of your login to the system. Virtually yours, The MailFrontier Support Team … and sometimes it can hit close to home! click here

  4. http://www.mbna-mail.com/ets/...

  5. LEGIT

  6. http://confirm-bankone.com/?Parm=MAHsDC/...

  7. PHISH

  8. https://www.sbc.com/mysbc

  9. LEGIT

  10. https://auctions.overstock.com/cgi-bin/auctions...

  11. LEGIT

  12. Phishing by the numbers
      • 5.7 billion – The estimated number of phishing email messages that are sent worldwide each month
      • 73 million – The number of adults who “believe” they have received at least 50 phishing emails in the last year (Gartner)
      • 14,135 – Number of unique phishing attacks in July 2005 (APWG)
      • 2,944 – Number of phishing sites operational in July 2005 (APWG)
      • 46% – The percentage of phishing sites hosted in the United States for July 2005 (APWG)
      • 5.9 – Average number of days a phishing site is live (APWG)

  13. The Psychology of a Phishing Email

  14. www.paypal-verify.info Social engineering: consumer • Build credibility • Spoof of a real company • Spoofed company sender • Links to the company site • Create a reason to act • Plausible premise • Generate urgency • Require a quick response • Have a call to action • “Good” visual URL • “Good” hidden URL as well

  15. Social engineering: corporate • Build credibility • Spoof of a real company • Spoofed company sender • Links to the company site • Create a reason to act • Plausible premise • Generate urgency • Require a quick response • Have a call to action • “Good” visual URL • Hidden URL could be an IP address

  16. Phishing is not spam

  17. The Technology of a Phishing Email

  18. Phishing with forms: “Action” Mailto. This email appears to be from eBay, but it actually sends the information it collects to the fraudster’s email address listed in the <form action=> statement.

  19. “Action” Execute: …or the action executes a program on the phishing server. http://219.163.9.224/manual/login_trigger.php (Sprechen sie deutsch)

  20. Email link tricks • Stupid link tricks • URL hiding • Misdirection

  21. Link tricks
      • Credible IP string
          • Uses a credible looking text string within the URL
          • http://81.109.43.102/ebay/account_update/now.php
      • The @ sign
          • Everything to the left is forgotten, everything to the right is used
          • http://www.usbank.com/update.pl@81.109.43.102/usb/upd.pl
      • Long status line
          • The URL is so long it cannot be completely displayed in the status bar
          • Often combined with the @ trick
          • http://www.usbank.com/update/cust=90119323... 100 characters later… status=1@www.usbank-verify.us/update
      • Similar names
          • Uses a credible sounding, but fraudulent, domain name
          • http://www.ebay-secure.com/verify

  22. The @ in action: Disguising the URL
      <a href="http://internal/login/update/accounts/securid/secureupdatecode=3D849E459FB77AC8C5783450459c3849aa23cd94834839913449913445223cd9483991344523D@http://www.sisterstuff.com/images/index.html">http://internal/loginupdate.htm</a>
      Display Link: http://internal/loginupdate.htm
      Status Bar: http://internal/login/update/accounts/securid/secureupdatecode=3D849E...
      Reality: http://www.sisterstuff.com/images/index.html

  23. Similar names The Click Here link in this fraudulent PayPal email takes the user to: http://www.paypal-supports.com • Some of my favorites • banking-account-renewal.com • citibank-validate.info • customer-verification.com • earthlink-reactivation.net • services-bankofamerica.com • sales-aol.net • secure-ebay.com • secure-usbank.info • security-update.cc • service-visa.net • verification-e-gold.com

  24. Link tricks – URL hiding
      • URL encoding
          • Encodes the URL to disguise its true value using hex, dword, or octal encoding.
          • http://www.visa.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33, translates into 220.68.214.213
      • Image maps
          • The URL is actually a part of an image, which uses map coordinates to define the click area and the real URL, with the fake URL from the <A> tag being displayed
      • URL as a button
          • The displayed URL is contained in the text description of a Form button
          • The button itself is formatted to match the email background
          • The fake URL does not display in the status bar of the email client
      • onMouseOver
          • Places a fake URL in the onMouseOver message

  25. onMouseOver: Shows a false URL in the status bar of the user’s email application
      <A onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'" href="http://leasurelandscapes.com/snow/webscr.dll">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</A>
      https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

  26. Misdirection link tricks
      • The simple redirect
          • Uses the “known” redirects to send the user to the phishing site
          • http://r.aol.com/cgi/redir?http://www.ebay_secure.info/update_user
      • Wearing a mask
          • Uses a URL masking service such as cjb.net or tinyurl.com
          • http://jne9rrfj4.CjB.neT/?uudzQYRgY1GNEn
      • Just stopping by
          • Link points to a page on a legitimate site which points to the phishing site.
          • http://www.google.com/url?q=http://www.geocities.com/mibmib4321/
          • The mibmib4321 site contains a “redirect” to 218.214.130.51
      • Go here then here then here then here then here…
          • http://www.google.com/url?q=http://www.google.co.uk/url?=http://www.google.it/url?q=http://www.geocities.com/mibmib4321/

  27. Phishing web site tricks • Validate information • Pop-up SSL certificates • Address bar tricks

  28. SSL Certificates • The email has a fake “https://” address shown • When the “https” link is clicked in the email, the phisher pops up a “Security Alert” window • Additional fake pop-ups appear if the “View Certificate” button is clicked

  29. Address bar tricks: Replacement bar We arrive at the website. Is something phishy?

  30. Address bar tricks: Replacement bar There is no address bar!

  31. Address bar tricks: Replacement bar Now there’s two!

  32. Address bar tricks: floating window. What’s really there: the first browser window (http://www.bis1bp.com/a12/index.html) plus a second “floating” browser window (https://www.usbank.com/secure/-run) = what you see (https://www.usbank.com/secure/-run)

  33. What can be done?

  34. Understand the Threat (diagram labels: Spam, Virus, Phishing, Good email)
      • Technology: Keyloggers, Trojans, Encoding
      • Distribution: Sent to millions, Can be targeted
      • Credibility: Your bank, Your business
      • Capability: Marketing, Communications

  35. Understand the Enemy
      • Economic: Money, Credit cards, Identities, Machine Info, Corporate Info
      • Perpetuation: Pharming, Web bugs, DHA attacks, Trojans, Keyloggers, Worms

  36. Understand the email threat environment

  37. Understand the attack environment • Thousands of email servers • Millions of emails sent • Hundreds of web sites

  38. Protect against all threats

  39. Integrated Security Management

  40. Make it Easy: Installation, Maintenance and Administration

  41. Easy means: Only 10 minutes of administration per week. “MailFrontier told me that I would spend less than 10 minutes a week managing spam after installing the MailFrontier Gateway Server. They were wrong. I only spend five.” Niall Pariag, Senior Network Administrator

  42. Speed is good • High performance through preemptive scanning • Message Delivery Rate (1): MailFrontier 40% - 290% faster (40% CipherTrust, 70% Brightmail/Symantec, 165% Sophos, 290% Proofpoint). (1) Delivery rate, msg/sec, NetworkWorld, Analyzing the Spam Test Results, 12/20/04

  43. Powerful Reporting • Reports Dashboard • Over 20 reports included • Ability to customize reports • Reports are “emailable” • Data can be exported

  44. A solution to fit every organization: MailFrontier Gateway™ Server • Medium and large enterprises that wish to implement an email security solution in a server environment • Organizations that want a pre-configured, pre-hardened solution with immediate deployment (500-10,000 seats) MailFrontier Gateway™ Appliance MailFrontier Gateway™ Server, Small Business Edition • Organization of up to 50 users

  45. Extraordinary Awards & Reviews
      • NetworkWorld: Top-Rated Enterprise Anti-Spam Software. “…MailFrontier’s ASG put up some impressive results in terms of blocking spam and letting legitimate mail pass.” - Sept 15, 2003
      • Recommends MailFrontier be included on “Short List” of products evaluated for large-scale, high-performance anti-spam systems – December 20, 2004
      • InfoWorld: Rated Excellent. “MailFrontier's provides excellent accuracy, easiest install and lots of control to the admin.” – September 27, 2004
      • Recommended. “MailFrontier's hands-off approach can help ease the administration burden on IT departments.” – June 7, 2004
      • “Visionary” – Magic Quadrant for Enterprise Spam Filtering. “…a gateway product with strong detection and management.” – Q1, 2004
      • E-Mail Hygiene Vendor Comparison: MailFrontier receives highest possible score for spam filtering – November 19, 2004
      • Red Herring 100: Recognizing the company for its innovation and strategy – May 2004

  46. The Leader in Email Security Best Protection •Effortless Control •High Performance www.mailfrontier.com
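The link tricks on slides 21 to 26 can be checked mechanically when a message is scanned. The following Python is an added example, not part of the original presentation or of any MailFrontier product; `check_link`, `host_of`, `is_ip` and the `BRANDS` map are hypothetical names, and the sample hrefs are the ones quoted on the slides.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: brand -> genuine domain map kept by the defender (hypothetical values).
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "usbank": "usbank.com"}

def host_of(url):
    """Host as an RFC 3986 parser sees it, percent-decoded and lowercased."""
    return unquote(urlsplit(url.strip()).hostname or "").lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_link(href, shown=""):
    """Return the set of slide 21-26 tricks found in one link (href + visible text)."""
    parts, host = urlsplit(href.strip()), host_of(href)
    tests = {
        "at-sign": "@" in parts.netloc + parts.path,    # '@' used to bury the real host
        "encoded-host": "%" in (parts.hostname or ""),  # hex-encoded host name
        "ip-host": is_ip(host),                         # bare IP instead of a name
        "embedded-url": bool(re.search(r"https?://", parts.path + "?" + parts.query, re.I)),
        "lookalike": any(b in host and host != d and not host.endswith("." + d)
                         for b, d in BRANDS.items()),   # brand inside another domain
        "display-mismatch": bool(re.match(r"https?://", shown.strip(), re.I))
                            and host_of(shown) != host,  # visible URL names another host
    }
    return {name for name, hit in tests.items() if hit}

# Sample links: (href, visible text) pairs using the URLs quoted on the slides.
SAMPLES = [
    ("http://81.109.43.102/ebay/account_update/now.php", ""),
    ("http://www.usbank.com/update.pl@81.109.43.102/usb/upd.pl", ""),
    ("http://www.visa.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33", ""),
    ("http://r.aol.com/cgi/redir?http://www.ebay_secure.info/update_user", ""),
    ("http://www.ebay-secure.com/verify", ""),
    ("http://leasurelandscapes.com/snow/webscr.dll",
     "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run"),
]

if __name__ == "__main__":
    for href, shown in SAMPLES:
        print(sorted(check_link(href, shown)), href[:60])
```

The brand check is a plain substring match, so it will also flag unrelated hosts that happen to contain a brand string; treat `lookalike` as a scoring signal rather than a verdict.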
