www.cuispa.org

Fraudulent Site Take Down Guidance

Author: John Brozycki, CISSP, Hudson Valley FCU, CUISPA Member Advisor

LEGAL DISCLAIMER: This document is provided for informational purposes only. CUISPA and the author make no warranties or representations as to the accuracy or completeness of such information and CUISPA and the author assume no liability or responsibility for errors or omissions in the content of this information. Your use of this information is AT YOUR OWN RISK and applies to all CUISPA legal notices and terms of use.

Dec 24, 2015

Page 1:

www.cuispa.org

Fraudulent Site Take Down Guidance

Author: John Brozycki, CISSP, Hudson Valley FCU, CUISPA Member Advisor

Page 2:

Overview

• Responding to phishing attacks has become a routine task for many credit union IT departments. Rapidly taking down these fraudulent websites is a prudent and often necessary measure for preventing losses.

• This presentation outlines some of the processes, challenges, and techniques involved in getting a fraudulent website, impersonating your institution, taken down.

Page 3:

Take-down Steps:

1) PREPARATION
2) DETERMINE THE SOURCE
3) RESEARCH THE DOMAIN
4) RECON / INTELLIGENCE
5) CONTACTING 3rd PARTIES
6) WORKING WITH LAW ENFORCEMENT

Page 4:

1) Prepare Environment

• Prepare your environment in advance.

• Remember that the site may host malicious code.

• Do not use a production machine that can’t afford to be compromised. Always use a test PC that can be “sacrificed.”

• If possible, do not use your production network.

• A separate broadband connection is preferable (your visits then do not come from the credit union’s own address space, which the attacker may be watching).

• Full Internet access (no proxy server or restricted ports) is advantageous.

• Useful common Internet tools: ping, traceroute, nslookup, etc.

Page 5:

Helpful Tools

VMware Workstation or Player
Allows you to create a test environment without sacrificing a production PC. Disks can be “undoable” (snapshots), so you can get back to the original state without rebuilding from scratch.

Page 6:

Helpful Tools

Sandboxie
A freeware utility that allows you to launch an app, such as IE, in a controlled area, prohibiting writes to the hard drive and registry. It is a containment layer inside the test PC, not a substitute for a sacrificial machine.

Page 7:

2) Determine the SOURCE

• The phishing site may be accessible via FQDN (Fully Qualified Domain Name) and/or IP address.

• Try to determine the FQDN (if applicable), the IP address, and the path information.

Page 8:

2) Determine the SOURCE

• If you have the phish email, view the underlying source to determine the true link URL. The text displayed in the message and the actual href frequently differ.

Example (FQDN):

http://www.hackedsite.com/mycreditunionexploited/

Example (IP address): http://192.168.0.1/mycreditunionexploited

(The deck uses private RFC 1918 addresses such as 192.168.0.1 as placeholders; a real phishing host will have a public address.)
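Step 2 in code, as an added example rather than anything from the CUISPA deck: read every link out of the phishing e-mail's HTML source, flag the ones whose displayed text is a URL pointing somewhere other than the real href, and split the real URL into host, IP-or-name, a naive registrable domain, and path. The e-mail body is constructed around the two placeholder URLs on this slide; the function names `extract_links`, `dissect_url` and `suspicious_links` are chosen here.

```python
"""Added example (not from the CUISPA deck): find the true link in a phishing
e-mail and break it into the pieces the take-down needs."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body: the visible text claims one site, the href
# points at another. Both URLs are the placeholders used on this slide.
SAMPLE_EMAIL_HTML = """
<p>Dear member, please verify your account at
<a href="http://www.hackedsite.com/mycreditunionexploited/">https://www.mycreditunion.org/login</a>
or <a href="http://192.168.0.1/mycreditunionexploited">click here</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a href> in the message source."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def dissect_url(url):
    """Host, whether it is a bare IP literal, a naive registrable domain, and path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # Naive: the last two labels. This is wrong for ccTLD second-level
    # registrations such as example.co.uk; confirm against the registry's WHOIS.
    domain = None if is_ip else ".".join(host.split(".")[-2:])
    return {"host": host, "is_ip": is_ip, "domain": domain, "path": parts.path or "/"}


def suspicious_links(html):
    """Every link in the mail, flagged when the displayed text is itself a URL
    whose host differs from the real href's host."""
    found = []
    for href, text in extract_links(html):
        shown = urlsplit(text).hostname if "://" in text else None
        info = dissect_url(href)
        info.update(href=href, text=text, mismatch=bool(shown and shown != info["host"]))
        found.append(info)
    return found


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL_HTML):
        print(link)
```

Run it against the raw source of the message (View Source in the mail client, or the saved .eml), never against the rendered view: the rendered text is exactly what the attacker controls.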

Page 9:

3) Researching the DOMAIN

• The domain is often contained in the FQDN. Example: http://www.hackedsite.com/mycreditunionexploited (domain is hackedsite.com).

• Use a WHOIS utility to determine information on the domain.

• WHOIS gives us:
1) Domain owner and contact information (email and hopefully a phone number). The domain is usually a legitimate site that was compromised, so its owner is a victim too and often the fastest route to removal.
2) Who is authoritative for DNS. May be the owner, the ISP, or a DNS hosting service.

Page 10:

3) Researching the DOMAIN

• For US-based .com and common domains, start with: www.netsol.com, click on the “whois” link.

• For a more expansive search, try one of the following:
www.arin.net (IP addresses, not domain names)
www.allwhois.com (free service from MarkMonitor)
www.completewhois.com

Page 11:

3) Research the DOMAIN

ARIN:
• Start with the ARIN (American Registry for Internet Numbers, www.arin.net) WHOIS tool. Enter the IP address.

• If the IP is not domestic, ARIN will tell you where to look next, e.g. RIPE, APNIC, etc.

• If the IP only leads back to the site owner, use a traceroute to determine how packets get to the site. The hops right before the site belong to the ISP, and you can look those IPs up the same way.

Page 12:

3) Researching the DOMAIN

• If given an IP address only:
1. Any website that may be viewable from the IP alone should be viewed on a safe test machine (ex: http://192.168.0.1).
2. ping -a 192.168.0.1 (the Windows -a switch does a reverse DNS lookup of the address; nslookup 192.168.0.1 does the same on other platforms). The reverse-lookup name is set by whoever controls the address block, so treat it as a lead, not proof of identity.

Page 13:

3) Research the DOMAIN

SAMPLE RESULTS FOR 10.32.15.1

BOB’S INTERNET, BOBI-IPNET (NET-10-32-15-0-1) 10.32.15.0 - 10.32.19.255
My Credit Union BOBI-MYCU-1 (NET-10-32-15-0-1) 10.32.15.0 - 10.32.15.255

# ARIN WHOIS database, last updated 2006-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

The above results tell us that “Bob’s Internet” owns the range of addresses from 10.32.15.0 through 10.32.19.255. A /24 (class “C” sized) range of 256 addresses, 10.32.15.0 through 10.32.15.255, is assigned to “My Credit Union”. In this case, you would try to contact My Credit Union as they are responsible for the IP address. You can always contact the ISP if you can’t reach the party immediately responsible for the IP address. In general, start with the smallest block that contains the address and work outward.

Page 14:

We now know:
• Who owns the domain
• Contact info for the domain
• The ISP (may not be hosting but is at least providing connectivity)
• DNS provider

RESEARCH COMPLETE!
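Step 3 scripted, as an added example and not the deck's own tooling: pick the WHOIS server from what you hold (an IP literal goes to ARIN, which refers you on to RIPE, APNIC, etc. when the block is not theirs; a domain name goes to whois.iana.org, which names the registry's server), query it over TCP port 43, and parse an ARIN-style answer so that the smallest block containing the address, the party to contact first, comes out ahead of the ISP's larger allocation. `whois_query` does talk to the network and is meant to be run from the sacrificial machine, so it is not exercised in the test; the response text is constructed after the sample on the "Research the DOMAIN" slide, with made-up NET handles and the same RFC 1918 placeholder addresses.

```python
"""Added example (not from the CUISPA deck): WHOIS server selection, a raw
port-43 query, and parsing of an ARIN-style answer into contactable parties."""
import ipaddress
import re
import socket

# Constructed after the deck's sample result for 10.32.15.1. Private address
# space, made-up NET handles: there is no real registrant behind this text.
SAMPLE_ARIN_RESPONSE = """\
BOB'S INTERNET BOBI-IPNET (NET-10-32-15-0-1) 10.32.15.0 - 10.32.19.255
My Credit Union BOBI-MYCU-1 (NET-10-32-15-0-2) 10.32.15.0 - 10.32.15.255

# ARIN WHOIS database, last updated 2006-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
"""

# One summary line: "<org> <handle> (<NET-handle>) <start> - <end>"
NETBLOCK_RE = re.compile(
    r"^(?P<org>.+?)\s+(?P<handle>\S+)\s+\((?P<net>NET-[\w-]+)\)\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)\s+-\s+(?P<end>\d+\.\d+\.\d+\.\d+)\s*$")


def whois_server_for(target):
    """IP literals start at ARIN (it refers you to the right RIR); names start
    at the IANA root server, which names the TLD registry's WHOIS host."""
    try:
        ipaddress.ip_address(target)
        return "whois.arin.net"
    except ValueError:
        return "whois.iana.org"


def whois_query(target, server=None, timeout=10):
    """Plain WHOIS (RFC 3912): send the query, read until the server closes.
    Network call: run it from the sacrificial machine, not from a test."""
    server = server or whois_server_for(target)
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((target + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_netblocks(text):
    """Every netblock summary line as a dict with its range and size."""
    blocks = []
    for line in text.splitlines():
        m = NETBLOCK_RE.match(line.strip())
        if not m:
            continue
        start = ipaddress.ip_address(m["start"])
        end = ipaddress.ip_address(m["end"])
        blocks.append({"org": m["org"].strip(), "handle": m["handle"], "net": m["net"],
                       "start": start, "end": end, "size": int(end) - int(start) + 1})
    return blocks


def responsible_parties(ip, text):
    """Blocks that contain ip, smallest first: contact the first one, fall back
    to the next (the ISP / upstream allocation) if they cannot be reached."""
    addr = ipaddress.ip_address(ip)
    containing = [b for b in parse_netblocks(text) if b["start"] <= addr <= b["end"]]
    return sorted(containing, key=lambda b: b["size"])


if __name__ == "__main__":
    for party in responsible_parties("10.32.15.1", SAMPLE_ARIN_RESPONSE):
        print(party["org"], party["start"], "-", party["end"], party["size"])
```

Real ARIN output has changed format since the 2006 sample in the deck, so adjust `NETBLOCK_RE` to whatever the live service returns; the ordering rule (most specific block first) is what carries over.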

Page 15:

4) RECON AND INTELLIGENCE

• Proceed with caution.

• Gathering intelligence is optional. You may not need any additional information.

• Further investigation calls upon some technical skills.

• Be cautious of the legal aspects of further investigation: the server usually belongs to an uninvolved third party, and probing it may breach their terms of service or local law.

• Finger-printing tools can be deployed to determine OS, app, etc.

• Port scanners can determine if other services are running.

Page 16:

4) RECON AND INTELLIGENCE

Example: Information from the FTP service (connect with telnet, then type HELP at the prompt)

telnet 192.168.0.1 21
220 FTP Server ready.
HELP
214-The following commands are recognized (* =>'s unimplemented).
USER PASS ACCT* CWD XCWD CDUP XCUP SMNT*
QUIT REIN* PORT PASV TYPE STRU MODE RETR
STOR STOU* APPE ALLO* REST RNFR RNTO ABOR
DELE MDTM RMD XRMD MKD XMKD PWD XPWD
SIZE LIST NLST SITE SYST STAT HELP NOOP
214 Direct comments to root@www.<sanitized>.kr.

The closing line of the HELP reply gives the server’s own hostname (a .kr host here), which is another name to put through WHOIS and to quote when contacting the parties.
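The telnet session above, scripted, as an added example that is not the deck's: connect with a timeout, read the 220 greeting, send HELP, read the multi-line 214 reply correctly (a reply that opens with `214-` ends at the line that opens with `214 `), then QUIT so the session closes cleanly. The hostile host is not something to point a test harness at, so the block also carries a constructed fake FTP server (`_fake_ftp_server`, with a made-up `www.example.kr` in its banner) that `demo()` runs the grab against on localhost.

```python
"""Added example (not from the CUISPA deck): scripted FTP banner and HELP grab,
plus a constructed local stand-in server so it can be exercised offline."""
import socket
import threading

# Constructed after the deck's telnet session; the hostname is made up.
FAKE_GREETING = b"220 FTP Server ready.\r\n"
FAKE_HELP = (b"214-The following commands are recognized (* =>'s unimplemented).\r\n"
             b" USER PASS ACCT* CWD XCWD CDUP XCUP SMNT*\r\n"
             b"214 Direct comments to root@www.example.kr.\r\n")


def _read_reply(f):
    """One FTP reply: a single 'NNN text' line, or a 'NNN-' block that runs
    until a line beginning 'NNN ' (RFC 959 multi-line reply)."""
    first = f.readline().decode("ascii", "replace").rstrip("\r\n")
    lines = [first]
    if len(first) >= 4 and first[3] == "-":
        code = first[:3]
        while True:
            raw = f.readline()
            if not raw:
                break  # server hung up mid-reply
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if line.startswith(code + " "):
                break
    return lines


def grab_ftp_banner(host, port=21, timeout=5):
    """Connect, capture the greeting, send HELP, capture its reply, QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        greeting = _read_reply(f)
        s.sendall(b"HELP\r\n")
        help_reply = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return {"greeting": greeting, "help": help_reply}


def _fake_ftp_server(bound, port_holder):
    """Constructed stand-in for the hostile host: just enough FTP to answer
    HELP and QUIT. Listens on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    bound.set()
    conn, _ = srv.accept()
    try:
        conn.sendall(FAKE_GREETING)
        f = conn.makefile("rb")
        while True:
            cmd = f.readline().strip().upper()
            if cmd == b"HELP":
                conn.sendall(FAKE_HELP)
            else:
                conn.sendall(b"221 Goodbye.\r\n")
                break
    except OSError:
        pass  # client closed first; nothing to clean up beyond the sockets
    finally:
        conn.close()
        srv.close()


def demo():
    """Run the grab against the local fake server and return what it saw."""
    bound, port = threading.Event(), []
    t = threading.Thread(target=_fake_ftp_server, args=(bound, port), daemon=True)
    t.start()
    bound.wait(2)
    result = grab_ftp_banner("127.0.0.1", port[0])
    t.join(2)
    return result


if __name__ == "__main__":
    for line in demo()["greeting"] + demo()["help"]:
        print(line)
```

Against a real target, call `grab_ftp_banner(ip)` from the sacrificial machine only; the connection is logged on the attacker's side, and the legal caution on the previous slide applies to this as much as to a port scan.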

Page 17:

5) CONTACT PARTIES

• Try contacting the website owner first.

• Try contacting the ISP next.

• If no luck and the site uses an external DNS service, then try contacting them next.

• Have documentation available and provide it with your request.

• Request the fake site code for further reference (the kit typically shows where the captured credentials are being sent, which is useful evidence for law enforcement).

Page 18:

5) CONTACT PARTIES

Sample email to ISP:

To whom it may concern,

URGENT REQUEST - Please read the following:

Today a number of our credit union members received a phishing e-mail soliciting their personal account information. The link referenced in the e-mail returns to a site which is presenting itself as our Hudson Valley Federal Credit Union Web site. As such it is violating copyright laws and misrepresenting itself for the purposes of illegally collecting account information for financial gain.

The compromised server is housing the spoof content at:

http://nefariouswebsite.com/mycreditunion/banking001
IP 192.168.0.1 = www.<sanitized>.kr

Please take this site down or remove the fraudulent content and respond when these changes have been implemented. If any financial loss is incurred we will be required to actively seek redress through local and national law enforcement bodies.

I have attached a PDF capture of the spoofed site (rogue1.pdf). We would greatly appreciate it if you would email us an archive of the fake site directory.

Thank you for your prompt attention to this matter.

Page 19:

5) CONTACT PARTIES

• Common difficulties:
Time differences with overseas ISPs.
Language barriers.
ISP policies on take-downs.

Page 20:

6) WORKING WITH LAW ENFORCEMENT

• Law enforcement can make the request on your behalf or call on contacts abroad (e.g. Interpol).

• Provide law enforcement with intelligence information:
1) They track it.
2) You may provide a missing piece of a larger puzzle.
3) Losses across organizations can be aggregated.

Page 21:

CUISPA Educational Programs

(512) 465-9711
3500 Oakmont Blvd. Suite 204
Austin, TX 78731

For comments on this presentation please send email to: [email protected]