A Primer on Phishing Tactics

Practical Counter-Fraud Solutions


About Me:

Tod Beardsley, todb@planb-security.net

Employed at TippingPoint, a division of 3com

Lead Counter-Fraud Engineer

About Phishing:

  • Massive growth over the last 18 months.

  • ChoicePoint and LexisNexis hacks are great targets, but 0wning your mom’s bridge friends is a lot easier.

  • Very effective at convincing said mom’s friends.


  • So now what? Enter the money mules:

Dear Future Employee,

We have received your contact information from employment agency.
My name is Karl Jorgensen, project coordinator and your direct
supervisor at Odono Inc. Please read the information below about
our company and your job description.

Odono Inc. leader in wholesale produce distribution is looking for
responsible individuals to be responsible for the areas of shipping
operations, customer service, transaction and bank operations.

Current openings: Transaction Manager

You will receive transfers for our company, send/receive funds.
You should have your local bank branch locating near you,
so you can withdraw money from your account within several hours.
You should have home, work or cell phone number (preferably), so
we can contact you immediately.

* Be able to check your email several times a day
* Be able to respond to emails immediately
* Be able to work overtime if needed
* Be responsible and hard working

If you are interested in this position and meet the minimum requirements please
visit and register here:


E-Mail Trust Building Tactics

  • Between two and five percent of phishing e-mail is responded to.

  • Several thousand e-mail addresses are used in a given campaign.

  • Compare to spam: a typical, successful run of millions of addresses generates a click-through rate of 0.01% or so.

  • Phishing click-throughs are qualified – once hooked, they almost always provide information to the attacker.

E-mail: Forging From Fields

  • Very complicated task… well, not really.

C:\>nc mail.cox-internet.com 25
220 jupiter ESMTP server (InterMail vK. 201-232-140-20030416 license fe37ca4dbd17753103b2892ad5fc6c09) ready Sat, 4 Jun 2005 02:18:24 -0500
HELO paypal.com
250 fe4.cox-internet.com
MAIL From: accounts@paypal.com
250 Sender <accounts@paypal.com> Ok
RCPT To: victim@example.com
250 Recipient <victim@example.com> Ok

354 Ok Send data ending with <CRLF>.<CRLF>
Dear Valued Customer,

Due to a problem with our servers, you need to give us your
password right away. Please click here:

Thank you for your continued patronage.

250 Message received: 20050604071934.TGZA4425.fe4@paypal.com

221 fe4.cox-internet.com ESMTP server closing connection


E-mail: Forging Received Fields

A normal Received path:

Received: (qmail 48182 invoked from network); 18 May 2005 15:46:48 -0000
Received: from outbound2.den.paypal.com (
  by mail.example.com with SMTP; 18 May 2005 15:46:48 -0000
Received: from denweb159.den.paypal.com (denweb159.den.paypal.com [])
  by outbound2.den.paypal.com (Postfix) with SMTP id A9CAC11802C
  for <customer@example.com>; Wed, 18 May 2005 08:46:47 -0700 (PDT)
Received: (qmail 6332 invoked by uid 99); 18 May 2005 15:46:47 -0000

A Slightly Altered Received path:

Received: (qmail 68233 invoked from network); 2 Jun 2005 09:36:47 -0000
Received: from s01060010dcf9b811.vc.shawcable.net (
  by mail.example.com with SMTP; 2 Jun 2005 09:36:47 -0000
Received: from paypal.com (smtp1.sc5.paypal.com [])
  by S01060010dcf9b811.vc.shawcable.net with esmtp
  id ABEFBBB123 for <ageddyn@minitru.org>; Thu, 02 Jun 2005 09:36:35 -0700

E-mail: Evading Anti-Spam

  • Looks like a regular message…


  • But it’s really an inline GIF. Trickiness.

This is a multi-part message in MIME format.

Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><p><font face="Arial"><A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map><img SRC="cid:part1.07060107.05040003@custservice_id_6142187@southtrust.com" border="0" usemap="#rtaiz"></A></a></font></p><p><font color="#FFFFF0">Tennis Warner Bross Alyssa Milano XFL Cheerleaders Metallica </font></p></html>

Content-Type: image/gif;
Content-Transfer-Encoding: base64
Content-ID: <part1.07060107.05040003@custservice_id_6142187@southtrust.com>
Content-Disposition: inline;

E-Mail: Misdirection and Redirection

  • Crafted “Automatically generated” links

<A HREF="">https://www.suntrust.com/update/</A>

  • Hex-Encoded URLs


  • Overlapping Area Map Tags

<A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map>

  • Open Redirection Services


Detecting Phishy Links

Best and most Draconian:

  • No HTML rendered e-mail, ever.

More realistic:

  • No hex-encoded printable ASCII characters in domain names.

  • No HTTP link containing “http” more than once.

  • No nested <A> and <AREA> links.

  • Correlate obfuscation techniques to From addresses.

Is there some reason anti-spam can’t handle this already?
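
The first three "more realistic" rules, applied to an HTML mail body, as an added example that is not part of the original slides. It runs them over the area-map lure quoted on this page and over two constructed links on the placeholder domain example.test; the function and rule names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def hex_printable_host(url):
    """True if the URL's host has a %XX escape decoding to printable ASCII."""
    try:
        host = urlsplit(url).netloc
    except ValueError:                      # malformed bracketed host
        return False
    return any(0x20 < int(h, 16) < 0x7F
               for h in re.findall(r"%([0-9A-Fa-f]{2})", host))

class LinkAudit(HTMLParser):
    """Applies the slide's three link rules to every <A> and <AREA> href."""
    def __init__(self):
        super().__init__()
        self.open_a = None   # href of the <A> currently open, else None
        self.findings = []   # (rule, url) tuples, in document order

    def handle_starttag(self, tag, attrs):   # tag/attr names arrive lowercased
        if tag not in ("a", "area"):
            return
        href = dict(attrs).get("href") or ""
        if hex_printable_host(href):
            self.findings.append(("hex-encoded-host", href))
        if href.lower().count("http") > 1:
            self.findings.append(("multiple-http", href))
        if self.open_a is not None:           # link nested inside an open <A>
            self.findings.append((tag + "-inside-a", href))
        if tag == "a":
            self.open_a = href

    def handle_endtag(self, tag):
        if tag == "a":
            self.open_a = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# PAGE_SAMPLE is the lure markup quoted on this page; CONSTRUCTED is made up.
PAGE_SAMPLE = ('<A HREF="https://www.southtrust.com/st/PersonalBanking/'
               'custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, '
               '597, 355" shape="rect" href="http://comannd.com:280"></map></A>')
CONSTRUCTED = ('<a href="http://%77%77%77.example.test/login">a</a>'
               '<a href="http://r.example.test/go?to=http://x.example.test/">b</a>')
```

The "http more than once" rule is as blunt as the slide states it: a legitimate URL carrying "http" in its query string trips it too, so the findings are better used as scoring input than as a verdict.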

Web Site Trust Building

  • Once you’re on the page, you’re pretty much compelled to execute.

  • Pages today are much more cookie-cutter than their e-mail lures.

  • Sometimes pages don’t match up with the bank; how significant is this?

  • The pages themselves may suck, but the exploits being used to control the web servers… well they kind of suck too.

The Magic of Copy and Paste

  • Yes, quite magical. File | Save As | Upload | Done.

  • Typically the only elements that need touching are the image locations, some of the JavaScript source files, and the <FORM>, which gets redirected to your PHP form mailer.

  • Many leave traces of their copying:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- saved from url=(0036)http://secure.netbank.com/login.htm -->

<HTML><HEAD><TITLE>NetBank Account Login</TITLE>

window.createPopup

var vuln_x, vuln_y, vuln_w, vuln_h;

// Popup geometry: 72px right of and 20px above the content area's
// top-left corner, 17px tall.
function vuln_calc() {
  var root= document[
    (document.compatMode=='CSS1Compat') ?
    'documentElement' : 'body'
  ];
  vuln_x= window.screenLeft+72;
  vuln_y= window.screenTop-20;
  vuln_w= root.offsetWidth-520;
  vuln_h= 17;
}

var vuln_win;

// Create the borderless popup and fill it with vuln_html.
function vuln_pop() {
  vuln_win= window.createPopup();
  vuln_win.document.body.innerHTML= vuln_html;
  vuln_win.document.body.style.margin= 0;
  vuln_win.document.body.onunload= vuln_pop;
}

function vuln_show() {
  if (vuln_win)
    vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
}

var vuln_html= '<div style="height: 100%; line-height: 17px;
font-family: \'Tahoma\', sans-serif; font-size:

window.createPopup continued

Presto Change-o

But why bother?

  • Many sites incorporate this code, probably just due to cookie-cutter practices.

  • The victims of phishing don’t usually qualify the sites they visit off the Location Bar anyway, or anything else in the browser.

Signed, Sealed… Who Cares?

Thank you, Verisign!

A more obvious and much easier to forge security seal.


  • It is silly to think that users will take care of themselves. A decade of wildly successful spam campaigns proves this. (75% of all Internet e-mail is junk mail today.)

  • The only reason why people notice phishing is because traditional anti-spam has failed to catch it – partly because the keywords are already in everyone’s “known good” set, and because people whitelist e-mail from their banks.

  • The overmarketing and near total lack of understanding of SSL is also partly to blame. Browsers are terrible at preventing this out of the box, and this is one thing they ought to be good at.

  • A billion dollars a year of capital flight kind of sucks, and it’s probably more.

  • Not all phishers are ID10Ts. Some use very advanced techniques, write effective malware, and deploy very complex networks of SMTP and HTTP relays to conduct their business.

Thank You

todb@planb-security.net