July 2005 Phishing ~ An Evolution
Cyber Attack Sophistication Continues To Evolve [Chart: CERT “Attack Sophistication vs. Intruder Knowledge”, 1980 to 2000+. Attack sophistication rises from Low to High while the intruder knowledge required falls. Techniques plotted, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, network mgmt. diagnostics, distributed attack tools, staged attack, cross site scripting, bots. Source: CERT]
And Continue To Grow… • 85% of respondents had breaches — CSI/FBI survey • Avg reported loss from attacks was $2.7M per incident — CSI/FBI survey • 85% of the critical infrastructure is owned or operated by the private sector • 137,000 security incidents in 2003, nearly twice as many as in 2002 — CERT • Data theft grew more than 650% over the past 3 years — CSI/FBI Source: Carnegie Mellon
Growth Or Liability? • Over twenty per cent of Internet users now access online banking services. • This total will reach 33% by 2006, according to The Online Banking Report. • By 2010, over 55 million US households will use online banking and ePayments services, which are tipped as "growth areas". • Wamu buys Providian, BofA buys MBNA • And so what about the ‘Phishing’ threat to e-commerce? Source: ePaynews
What Is Phishing? • Phishing, also referred to as brand spoofing, is a variation on “fishing”: bait is thrown out in the hope that, while most will ignore it, some will be tempted into biting. • Phishing is the act of sending a communication to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. • The communication (usually email) directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. • The Web site, however, is bogus or hostile and set up only to steal the user’s information.
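The links in such an email give it away more reliably than its wording does. As an added example (not from the deck), here are the checks a mail gateway or a user-side tool could apply to each link: a user-info prefix that impersonates the real host (http://www.bank.example@203.0.113.5/), a raw IP address where a brand’s hostname is expected, and visible link text that names a different host than the one the href actually goes to. The sample message body and the “legitimate” hostnames are constructed for the example.

```python
# Added example (not from the deck): flag the link tricks a phishing email relies on.
# The e-mail body below is constructed for the example; the legitimate host names
# are an assumption.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_HOSTS = {"www.examplebank.com", "examplebank.com"}   # assumed real hosts of the sender

# Constructed sample body showing three common tricks: a user-info prefix that
# looks like the real host, a raw IP host, and visible text naming the real host.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://www.examplebank.com@203.0.113.5/login">verify</a>
your account at <a href="http://203.0.113.5/ebank/">www.examplebank.com</a>.</p>
<p>Or read our <a href="https://www.examplebank.com/privacy">privacy statement</a>.</p>
"""

# Visible anchor text that itself looks like a URL or a bare host name.
LOOKS_LIKE_HOST = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_warnings(href, text):
    """Return the reasons a single link looks like phishing (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""          # lower-cased, user-info already stripped
    if parts.username is not None:
        # http://www.examplebank.com@203.0.113.5/ actually goes to 203.0.113.5
        reasons.append("userinfo-before-host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw-ip-host")
    m = LOOKS_LIKE_HOST.fullmatch(text)
    if m and m.group(1).lower() != host:
        reasons.append("display-host-mismatch")
    if host not in LEGIT_HOSTS:
        reasons.append("unknown-host")
    return reasons


def scan_email(html):
    """Map every href in the message to its list of warnings."""
    p = LinkExtractor()
    p.feed(html)
    return {href: link_warnings(href, text) for href, text in p.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print("FLAG" if reasons else "ok  ", href, ", ".join(reasons))
```

The user-info check matters most: browsers of this era displayed the whole URL, so “www.examplebank.com@…” read as the bank’s site to most users while the request went to whatever followed the “@”.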
Phishers Mainly US Hosted, FY04 [Chart: phishing sites by hosting country; Source: APWG] • Gartner estimates phishing cost the US over $2.4B in 2004, not including law enforcement costs.
Phishing • “Dear bank customer...” • Phishing: • Impersonates respected company • Tarnishes reputation – weakened customer confidence • Is Fraud: misplaced trust to gain customer accounts • Is identity theft • All phishers • Only 3 web attack methods, minor variations • Impersonate, Forward, Pop-Up
How Phishers Operate • Images • Link to target site so images really come from target • Looks real because it is real • Mirror to a phishing server prevents target site from removing images • Looks real, but could get outdated • Web pages • Phishing page links to target server’s web page • Man-in-the-middle POST • Logs user into real site • Provides “real” pages; victim will not notice phishing site • Prevents scam from being noticed AFTER victim discloses information
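The “link to target site so images really come from target” variant leaves a trail in the target’s own access logs: every image a victim’s browser fetches carries a Referer pointing at the phishing page. The following is an added example (not from the deck) that pulls those foreign referrers out of Apache combined-format log lines; the log lines and hostnames are constructed. It does not catch the mirrored variant, which is exactly why the deck notes that mirroring prevents the target from removing the images.

```python
# Added example (not from the deck): find phishing pages that hotlink a target's
# images, using the target's own web server logs. Log lines and host names below
# are constructed for the example.
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"www.examplebank.com", "examplebank.com"}   # assumed: the target's own sites
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

# Apache/NCSA "combined" log format: ... "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample: one legitimate login page view, two image fetches triggered by
# a page on a foreign host, one direct fetch, one non-image request from the same host.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2005:10:01:02 -0700] "GET /images/logo.gif HTTP/1.1" 200 5120 "https://www.examplebank.com/login" "Mozilla/4.0"
198.51.100.8 - - [12/Jul/2005:10:01:09 -0700] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://203.0.113.44/~acct/examplebank/index.html" "Mozilla/4.0"
198.51.100.9 - - [12/Jul/2005:10:01:15 -0700] "GET /images/secure_lock.gif HTTP/1.1" 200 940 "http://203.0.113.44/~acct/examplebank/index.html" "Mozilla/4.0"
198.51.100.10 - - [12/Jul/2005:10:02:00 -0700] "GET /images/logo.gif HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.11 - - [12/Jul/2005:10:02:30 -0700] "GET /login HTTP/1.1" 200 8800 "http://203.0.113.44/~acct/examplebank/index.html" "Mozilla/4.0"
"""


def hotlink_referers(log_text):
    """Count image requests per referring page whose host is not one of our own."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not a combined-format line
        path = m.group("path").split("?", 1)[0].lower()
        if not path.endswith(IMAGE_EXT):
            continue                                   # only image fetches matter here
        referer = m.group("referer")
        if referer in ("", "-"):
            continue                                   # no referer: bookmark, mail client, etc.
        if (urlsplit(referer).hostname or "") in OWN_HOSTS:
            continue                                   # our own pages embedding our images
        hits[referer] += 1
    return hits


if __name__ == "__main__":
    for page, n in hotlink_referers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {page}")
```

Run this over a day of logs and the phishing pages sort themselves to the top; the referring URL is also the take-down target, and the client IPs on those lines are the victims to notify.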
Phishing Flow • Phisher develops phishing server • CGI, PHP, HTML, images • Phisher configures blind-drop • Free email address or IRC channel • Phisher configures hostile server (typically compromised) • Hacked or stolen credit card from previous phish • Phisher tests configuration • Complex system (blind drop, hostile server, target, email) requires testing • Phisher sends bulk mailing • Phisher collects data from blind drop
Phisher’s ROI • Time.. • Create server: 1 week to 1 month • Create blind-drop: 1 day to 1 week • Hostile server config: 1 day to 1 week • Test • Longest seen: 10 days • Shortest seen: 6 hours • Bulk mailing: up to 8 hours, usually 1-2 hours • 50% of victims in first 24 hours • 99% of victims in first 48 hours • Server take-down • 48-72 hours
Type of Phishing Attacks • Impersonate (simple attack): • Fake site looks like target • Mirror or link to images for credibility • Man-in-the-middle POST login prevents victim detection • Forward (sophisticated attack): • Typically collected via phishing email (not as effective/av) • Site collects data; performs meta-refresh to target (HTTP redirect) • Man-in-the-middle POST login prevents victim detection • Popup (creative attack): • Real site in back, hostile popup in front • Real site gives credibility, prevents victim detection • Not man-in-the-middle • Mirror or link to images for credibility
How Phishers Use Accounts • So you are a phisher and you have some accounts... “Now what?” • Steal • Money • Identity • Laundering • The big problem: getting the money out (we’ll catch you!) • Webmoney.ru (russian money service) • eGold (gold to currency service middle-man) • Western Union (for untraceable cash) • eBay / PayPal • 419 (Nigerian email scams)
Tracking Phishers • Phishers use base camps to store and analyze victim information. • These servers act as centralized communication and distribution points for group members. • They also use blind-drop servers. • These are used to collect victim information without compromising the base camps.
Tracking Phishers (cont.) • Secure Science Corporation estimates that approximately 42 (out of 53) phishing groups account for over 90% of all phishing emails. • The larger phishing groups include DPG (PG2), Citiimg (PG20), Ro-Bot (PG40) and Palka (PG30). • These 42 groups account for over 75% of all phishing emails observed over the last quarter. • (PG30 is also known as the “laptop seller” group according to PayPal, as this was their first venture).
Tracking Phishers (cont.) • Secure Science Corporation has identified the likely scope and effectiveness of a phishing bulk mailing, including: • How large are the bulk mailings? • How many people receive the emails? How many emails never reach their destination? • How many people fall victim to a single mass mailing? • When do people fall victim? • Which is worse? Email phish or phishing malware?
Tracking Phishers (cont.) • Phishing base camps frequently contain the actual mailing lists used by the phishers, as well as the list of proxy hosts used to anonymize the mass mailing. • While the total number ranges from 1 to 5 million email addresses, the large phishing groups have divided the address lists into files containing 100,000 addresses. This means that they likely generate 100,000 emails per mass mailing. • While the larger groups use open proxies to anonymize the mass mailing, a few of the smaller phishing groups use the phishing server to also perform the mass mailing. • One small group had an email list that contained over one million addresses. They likely sent out one million emails for their mass mailing.
Tracking Phishers (cont.) • Of the estimated 42 active phishing groups worldwide, some phishing groups send emails daily, while others operate on weekly or monthly cycles. • Similarly, some groups only operate one phish per day, while the larger groups may operate a dozen blind drops on any given day. The average per group is approximately 750,000 emails per day.** • Considering that there are an estimated 42 active groups, that makes the total daily amount of phishing emails approximately 31.5 million emails per day ** It is important to emphasize that this is strictly an average per group. The larger groups generate much more email than the smaller groups. And very few groups generate email daily.
What’s Worse? • Email Phish or Phishing Malware? • Some of the larger phishing groups have associations with both phishing emails and key-logging malware. • While phishing email is very effective, the number of victims is significantly smaller than the victims of phishing malware. • Logs recovered from base camps for phishing emails and malware show a startling difference.
Phishing Malware (cont.) • In November of 2003, the concept of a single mega-virus changed. • Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants – each slightly different. • The goal of a variant was not to become a mega-worm, but rather to infect a small group of systems.
Phishing Malware (cont.) • This approach provided two key benefits to the malware authors: • Limited distribution; limited detection. As long as the malware is not widespread, the anti-virus vendors would be less likely to detect the malware. (If Norton doesn’t know about a virus, then they cannot create a detection signature for the virus.) • Over the last 12 months Secure Science Corporation has identified dozens of virus variants used by phishers, carders, and generic malware authors that are not detected by anti-virus software. • Rapid deployment.. Nearly a hundred variants of Sasser were identified in less than three months. Each variant requires a different detection signature. The rapid modification and deployment ensures that anti-virus vendors will overtax their available resources, becoming less responsive to new strains. It also ensures that some variants will not be detected.
Phishing Malware (cont.) • 2004 saw a significant increase in malware used by phishing groups. • It also ended with multiple warnings that phishers may use cross-site scripting (XSS) attacks. • SSC has taken a closer look at the malware and XSS attacks used by phishing groups. While we believe that malware will continue to be a major collection method used by phishers, XSS has so far taken a back seat and its potential is underestimated.
Phishing Malware (cont.) • A few phishing groups have been associated with specific malware. • The malware is used for a variety of purposes: • Compromising hosts for operating the phishing server; • Compromising hosts for relaying the bulk mailing; • Directly attacking clients with key-logging software. • A single piece of malware may serve any or all of these purposes.
Malware Trends • In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes: • Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general. • Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and the Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets. * A compromised system with remote control capabilities is a “bot”. A “botnet” is a collection of these compromised hosts. ** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.
Malware Trends (cont.) • Remote control. The malware usually has backdoor capabilities. This permits a remote user to control and access the compromised host. For a phisher, there is little advantage to having a backdoor to a system unless they plan to use the server for hosting a phishing site. But for other people, such as virus writers or botnet farmers*, remote control is an essential attribute. * A “botnet farmer” is an individual or group that manages and maintains one or more botnets. The botnet farmers generate revenue by selling systems or CPU time to other people. Essentially, the botnet becomes a large timeshare computer network.
Malware Trends (cont.) • By Q3 of 2004, a few, large phishing groups had evolved to support their own specific malware. • While the malware did contain email relays, data mining functions, and remote control services, these had been tuned to support phishing specifically. • Viruses such as W32.Spybot.Worm included specific code to harvest bank information from compromised hosts.
Malware Trends (cont.) • A few phishing groups also appeared associated with key logging software. • While not true “key logging”, these applications capture data submitted (posted) to web servers. • A true key logger would generate massive amounts of data and would be difficult for an automated system to identify account and login information.
Malware Trends (cont.) • Instead, these applications hook into Internet Explorer’s (IE) form submission system. • All data from the submitted form is relayed to a blind drop operated by the phishers. • The logs contain information about the infected system, as well as the URL and submitted form values. • More importantly, the malware intercepts the data inside the browser, before it is encrypted for SSL/HTTPS, so the secure tunnel offers no protection against it.
Malware Trends (cont.) • The end of 2004 showed a significant modification to the malware used by some phishing groups. • The prior key logging systems generated gigabytes of data in a very short time. This made data mining difficult, since only a few sites were of interest to the phishers. • By the end of 2004 and into 2005, the phishers had evolved their software. • Loggers focus on specific URLs, such as the web logins to Citibank and Bank of America. • It is believed that this was intended to pre-filter the data collected by the malware. Rather than collecting all of the submitted data, only submitted data of interest was collected. • More importantly, multiple viruses appeared with this capability – indicating that multiple phishing groups evolved at the same time. This strongly suggests that malware developers associated with phishers are in communication or have a common influencing source.
Phishing Trends • A year+ ago, phishing was a very manual process. • A server was required and the phishing system was manually installed and tested. • 9 months ago, “scam kit” packages began to appear. • Consisted of phishing sites stored in an archive (e.g., .zip) • These archives would be transferred to the server, unpacked, tested, and used. • The archives significantly decreased the time needed to install and configure the phishing server. • Over the last quarter, the popularity of these archives has dramatically increased – nearly every phishing group, both new and old, are using prepackaged archives.
Phishing Trends (cont.) • Two recent trends have surfaced over the last few months: • Targeting 2nd tier and 3rd tier banks. • Spawning off intermediate phishing groups to increase distance between mules and organized crime. • These trends may actually be related: as phishers distance themselves from the mules, they are likely to target a wider variety of financial and corporate entities. • Phishing trends generally follow spam trends. • The latest spam trends show more malware with specialized purposes.
Phishing Trends (cont.) • Secondary & Tertiary Targets • Phishers have consistently and repeatedly targeted a small set of companies: eBay, Citibank, and PayPal. • These primary targets are believed to be desirable for the following reasons: • Large customer base. Emails sent to random addresses are likely to hit a significant number of customers for these companies. Since the hit-per-email ratio is high, the likelihood of a successful phish is high.
Phishing Trends (cont.) • Low threat response. • Internally, most organizations are actively working on the phishing problem. However, their apparent public external reactions are lacking. • From a phisher’s point of view, the primary targets are not immediately responsive to the phishing threat. • Active challenges. • Most phishers are active in the hacking, warez, and Internet underground. • In this case, many financial institutions continually run commercials offering identity theft protection. The phishers see this as a challenge, and target them to show that they do not actually offer identity theft protection. • Similarly, eBay’s anti-phishing toolbar is an enticement for phishers to demonstrate how it does not protect eBay from phishers. • Vulnerable Web Servers that aid phishers with cross-user attacks against their customers.
Phishing Trends (cont.) • Consumer Mis-education. Many companies are known to periodically send out real emails that look similar to phishing emails. Customers become unable to distinguish the rare “real” emails from the common “phishing” emails. • Multiple Uses. An account at any of these primary targets offers multiple uses. • Exploitation of eBay/PayPal/E-gold enables multiple methods for laundering. • Blending in. The result of aggressive phishing has made it difficult to distinguish/identify specific groups, which provides safety in numbers.
Phishing Trends (cont.) • Known processes. Known internal processes and policies of an institution enable a fraudster to potentially benefit from this knowledge. • For example, if international transfers of amounts under $10,000 do not trigger an alarm, then phishers may use this information to transfer appropriate amounts. • Secure Science has observed that phishers continue to actively collaborate with ‘insiders’ to understand internal mechanisms that could enable fraudulent endeavors. • Future regulatory compliance efforts should seriously consider phishing.
Mid 2005 Phishing Trends • Phishers are refining their email techniques. • Emails are much more effective than regular spam emails. A single mass mailing of 100,000 emails may have a receive rate as high as 10% and collect as much as 1% in victims. • Phishers have found a use for every account they acquire: from money laundering to theft, and shuffling to identity theft. • Phishers are refining their key-logging malware. • Rather than collecting data from all web sites, they are now looking for data from specific URLs.
Mid 2005 Phishing Trends (cont.) • Phishers are becoming more technically savvy. • Besides using known and 0-day exploits to configure the systems used for the phishing, they also use weaknesses in the telephone infrastructure, such as Caller-ID (CID) spoofing, to protect themselves from the mules that they contact. • Phishers have consistently shown an interest in internal policies and practices. These serve two purposes: policy weaknesses can be leveraged, and policy strengths can be avoided. • With the ongoing addition of national and global policies such as Sarbanes-Oxley and HIPAA, companies have new challenges: avoiding the pitfalls and limitations of widely accepted policies and required practices.
FY05 Phishing Trends • Increase. • With the success of phishing malware, there is an inevitable increase in variations and capabilities. Although few phishing groups were associated with malware in 2004, more phishing groups are adopting this trend in 2005. • Ability to go back to a compromised system at will • Use as a tool for a distributed botnet (mass mailing already observed) • Dynamic. • The malware observed in 2004 contained hard-coded URLs. In order to change the URL, a new variant needed to be released. Malware in 2005 has become remotely configurable (botnets). DNS host poisoning will become popular with more sophisticated groups. XSS will become a problem.
FY05 Phishing Trends (cont.) • BotNets – PG40 Case Study • First discovered 11/04 • Demonstrates an aggressive campaign targeting secondary and tertiary financial institutions. • SouthTrust and Huntington Banks have been observed to be under attack daily, this week alone. • Have not targeted any primary financial institutions to-date. • First group to be observed utilizing a logo server. • Malware used: BO2K and IRC backdoors • Spoof sites consistently outside the US (China/Germany/Japan/Korea) • Demonstrate a consistent pattern of rapidly compromising systems via specific web vulnerabilities. • Compromises subnets, as opposed to sites • Automated attack vector, such as a botnet/automated tool.
FY05 Phishing Trends (cont.) • Caller ID • Consumers trust Caller ID at home, which takes phishing scams off the Internet and directly into homes. • It's less scalable, but can be quite effective combined with clever social engineering. • Compromising voicemail systems and taking over telephony networks adds to the information they mine to get what they need. • Phishers have been observed doing full background credit checks on target individuals, to obtain all the information they can. • Telecommunication systems are quickly becoming a target for information and identity theft. • T-Mobile database compromise – defonic crew
FY05 Phishing Trends (cont.) • Telephony Exploitation • Phishers have been observed using telephony to contact mules when conducting money-laundering schemes. • Public SIP/VoIP networks are primitive (similar to the early days of SMTP and its open relays). • There is no authentication (and where there is, it can be bypassed); the services are readily available and free (see sipphone.com and Free World Dialup). • Anonymous telephony becomes trivial with CPN spoofing (CPN == Calling Party Number). Most systems rely on it heavily for authentication. • Examples include T-Mobile, Verizon, SBC/Pacbell, Callwave.com and Ureach. • Not to mention the PSTN (Public Switched Telephone Network), aka POTS (Plain Old Telephone Service). • The intersection of these technologies has left POTS lines vulnerable and makes calls nearly impossible to trace. • Subpoenaing a voice-over-IP carrier only causes headaches: • The VoIP carrier has to find which POTS carrier the call went through; • then tell the Feds that they need to subpoena that carrier. • By the time it's all done, you may not get what you wanted, since the BTN (Billing Telephone Number) is pretty much the last hop on a PSTN line.
FY05 Phishing Trends (cont.) • Cross-Site Scripting (XSS)
Misplaced Trust • Cross-User attacks: • Only 1 cross-site scripting attack has been spotted so far • Bank of America – predicted due to consumer mis-education • Disappointing exploitation • Defines potential • Few Cross-User attacks in the wild • Redirects such as: • Google • eBay • Impact is high • Generates “Misplaced Trust” • Breaks SSL and Domain Keys • Both server and customer end up being compromised
Subject: Update Contact Information

Dear Cardmember,

Our records indicate that your billing address is no longer valid for your account ending in xxxxx. Having your most updated contact information is critical to our ability to service your account and to provide you with information on important changes that impact your account.

Please take a moment to update your contact information on https://www.americanexpress.com/updatecontactinfo. If you prefer, you can copy and paste or type the URL directly into your address bar.

If you have any questions regarding this message, please call the telephone number on the back of your card for assistance from a Customer Service Representative.

Thank you for your time and continued business with American Express.

Sincerely,
American Express Customer Service

To Reply to this e-mail
Simply log in to our Secure Message Center at https://www.americanexpress.com/messagecenter and send your inquiry via secure e-mail. If clicking on this link does not work, please cut and paste it into the "address" bar of a new browser window. This e-mail was sent from a notification-only address that cannot accept incoming e-mail.

Notice About Servicing E-mails
This e-mail was sent to you by American Express Customer Service to provide important information about your account and/or online products and services for which you are registered. You may receive customer service e-mails even if you have requested not to receive e-mail marketing offers from American Express.

Privacy Statement
For details on our e-mail practices, please visit the American Express Privacy Statement at http://www.americanexpress.com/privacy.

AGNEUATH0003001
Misplaced Trust (cont.) • Target Types • Redirects • 301/302 Headers and Meta-Refresh • Landing page attacks • Allow HTTP Response Injection • Cross-Site enabled! • Vulnerable sites include: • American Express • American Stock Exchange (AMEX) • eBay • Bank of America • TD Waterhouse (Breaks SSL) • University of Wisconsin (no offense) • http://www.uc.wisc.edu/track.php?pageName=http://www.wisc.edu/&queryString=&url=%0d%0a%3Cscript%3Ealert(%22Vulnerable%22);%3C/script%3E
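The PoC URL above puts an encoded CR/LF (%0d%0a) into a parameter that the page copies into its response, which is what “Allow HTTP Response Injection” means: a line break in a header value lets the attacker add headers or, with two of them, end the header block and supply the body. As an added example (not code from the deck or from any of the sites it names), here is a minimal redirect handler with that flaw beside a hardened one. The allowed hosts and the URL layout are assumptions; the first payload is the decoded form of the deck’s own PoC, the second is the same with a doubled CR/LF.

```python
# Added example (not code from the deck or from any site it names): a redirect
# "landing page" with the flaw the PoC URL abuses, beside a hardened version.
# ALLOWED_HOSTS and the URL layout are assumptions for the example.
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"www.example.edu", "example.edu"}       # where redirects may go

# Deck's PoC parameter: one CR/LF followed by script (lands as a bogus header line).
PAYLOAD_ONE_CRLF = "%0d%0a%3Cscript%3Ealert(%22Vulnerable%22);%3C/script%3E"
# Same idea with two CR/LF pairs: ends the header block, script becomes the body.
PAYLOAD_TWO_CRLF = "%0d%0a%0d%0a%3Cscript%3Ealert(%22Vulnerable%22);%3C/script%3E"


def vulnerable_redirect(url_param):
    """Paste the decoded parameter straight into the Location header (the bug)."""
    target = unquote(url_param)
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Type: text/html\r\n"
            "\r\n")


def hardened_redirect(url_param):
    """Refuse control characters, non-http schemes and off-site hosts."""
    target = unquote(url_param)
    if any(ch in target for ch in "\r\n\x00"):
        return "HTTP/1.1 400 Bad Request\r\n\r\n"     # header injection attempt
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or (parts.hostname or "") not in ALLOWED_HOSTS:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"     # also closes the open redirect
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Type: text/html\r\n"
            "\r\n")


def parse_response(raw):
    """Split a raw response into (status line, header lines, body) as a client would."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


if __name__ == "__main__":
    probes = (PAYLOAD_ONE_CRLF, PAYLOAD_TWO_CRLF, "http://203.0.113.5/", "http://www.example.edu/")
    for name, fn in (("vulnerable", vulnerable_redirect), ("hardened", hardened_redirect)):
        for p in probes:
            status, headers, body = parse_response(fn(p))
            print(f"{name:10s} {p[:30]:32s} {status}  headers={headers}  body={body!r}")
```

A real framework’s header API should already refuse CR/LF, but the allow-list on scheme and host is what also closes the plain open-redirect abuse the deck lists under Redirects (Google, eBay): without it the page still lends its trusted domain to any destination the phisher names.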