www.cuispa.org
Fraudulent Site Take Down Guidance
Author: John Brozycki, CISSP, Hudson Valley FCU, CUISPA Member Advisor
LEGAL DISCLAIMER: This document is provided for informational purposes only. CUISPA and the author make no warranties or representations as to the accuracy or completeness of such information and CUISPA and the author assume no liability or responsibility for errors or omissions in the content of this information. Your use of this information is AT YOUR OWN RISK and applies to all CUISPA legal notices and terms of use.
Overview
• Responding to phishing attacks has become a routine task for many credit union IT departments. Rapidly taking down these fraudulent websites is a prudent and often necessary measure for preventing losses.
• This presentation outlines some of the processes, challenges, and techniques involved in getting a fraudulent website that impersonates your institution taken down.
Take-down Steps:
1) PREPARATION
2) DETERMINE THE SOURCE
3) RESEARCH THE DOMAIN
4) RECON / INTELLIGENCE
5) CONTACTING 3rd PARTIES
6) WORKING WITH LAW ENFORCEMENT
Prepare Environment
• Prepare your environment in advance.
• Remember that the site may host malicious code.
• Do not use a production machine that can’t afford to be compromised. Always use a test PC that can be “sacrificed.”
• If possible, do not use your production network.
• A separate broadband connection is preferable.
• Full Internet access (no proxy server or restricted ports) is advantageous.
• Useful common Internet tools: ping, traceroute, nslookup, etc.
Helpful Tools
VMware Workstation or Player
Allows you to create a test environment without sacrificing a production PC. Disks can be “undoable” so you can get back to the original state without rebuilding from scratch.
Helpful Tools
Sandboxie
A freeware utility that allows you to launch an app, such as IE, in a controlled area, prohibiting writes to the hard drive and registry.
2) Determine the SOURCE
• The phishing site may be accessible via FQDN (Fully Qualified Domain Name) and/or IP address.
• Try to determine the FQDN (if applicable), the IP address, and the path information.
2) Determine the SOURCE
• If you have the phish email, view the underlying source to determine the true link URL.
Example (FQDN): http://www.hackedsite.com/mycreditunionexploited/
Example (IP address): http://192.168.0.1/mycreditunionexploited
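The slide tells you to read the message source rather than trust the visible link text. The script below is an added example (not part of the CUISPA deck) that does that step mechanically: it parses a raw e-mail, pulls every href out of the HTML part, splits each one into host and path, notes whether the host is an IP address or an FQDN, and flags links whose visible text looks like a different host than the real target. The message embedded in it is constructed for illustration; the hostnames, IP address and paths are placeholders, not real indicators.

```python
"""Pull the real link targets out of a phishing e-mail's source."""
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phish: the visible text shows the credit union's own
# name while the hrefs point at the hosts used in the slide's examples.
SAMPLE_EMAIL = b"""From: "My Credit Union" <alerts@example.invalid>
To: member@example.invalid
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please verify your account at http://www.mycreditunion.example/

--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please verify your account at
<a href="http://www.hackedsite.com/mycreditunionexploited/">www.mycreditunion.example</a>
or <a href="http://192.168.0.1/mycreditunionexploited">our secure portal</a>.</p>
</body></html>
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def describe_link(href, visible_text):
    """Split one href into the pieces the take-down request needs."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # Visible text that names a different host than the href is a classic tell.
    looks_like_host = "." in visible_text
    return {
        "url": href,
        "host": host,
        "is_ip": is_ip,
        "path": parts.path,
        "text_mismatch": looks_like_host and visible_text.lower() != host.lower(),
    }


def extract_phish_links(raw_message):
    """Parse raw message bytes and describe each link in its HTML part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = LinkCollector()
    collector.feed(html_part.get_content())
    return [describe_link(href, text) for href, text in collector.links]


if __name__ == "__main__":
    for link in extract_phish_links(SAMPLE_EMAIL):
        print(link)
```

Run it against a saved `.eml` by reading the file as bytes and passing it to `extract_phish_links`; the `host`, `is_ip` and `path` fields are exactly the FQDN, IP and path information the next step's WHOIS and ARIN lookups start from.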
3) Researching the DOMAIN
• The domain is often contained in the FQDN. Example: http://www.hackedsite.com/mycreditunionexploited (domain is hackedsite.com)
• Use a WHOIS utility to determine information on the domain.
• WHOIS gives us:
1) Domain owner and contact information (email and hopefully a phone number)
2) Who is authoritative for DNS. This may be the owner, the ISP, or a DNS hosting service.
3) Researching the DOMAIN
• For US-based .com and common domains, start with: www.netsol.com and click on the “whois” link.
• For a more expansive search, try one of the following:
www.arin.net
www.allwhois.com (free service from MarkMonitor)
www.completewhois.com
3) Research the DOMAIN
ARIN:
• Start with the ARIN (American Registry for Internet Numbers, www.arin.net) WHOIS tool. Enter the IP address.
• If the IP is not domestic, ARIN will tell you where to look next, e.g. RIPE, APNIC, etc.
• If the IP only leads back to the site owner, use a traceroute to determine how packets get to the site. The IPs right before the site will be the ISP’s, and you can look them up.
3) Researching the DOMAIN
• If given an IP address only:
1. Any website that may be viewable from the IP only should be viewed on a safe test machine (ex: http://192.168.0.1)
# ARIN WHOIS database, last updated 2006-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
The above results tell us that “Bob’s Internet” owns the range of addresses from 10.32.15.0 through 10.32.19.255. A class “C” range (255 addresses from 10.32.15.0 through 10.32.15.255) is assigned to “My Credit Union”. In this case, you would try to contact My Credit Union, as they are responsible for the IP address. You can always contact the ISP if you can’t reach the party immediately responsible for the IP address.
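The interpretation above (pick the most specific allocation that contains the IP, fall back to the ISP that holds the larger block) and the traceroute advice on the previous slide (look up the hops just before the site) can both be done by script. The following is an added example, not material from the CUISPA deck. The WHOIS text and traceroute output embedded in it are constructed to mirror the slide's scenario; the organization names, abuse addresses, ranges and hop addresses are placeholders. It assumes the plain `Key: value` record layout that ARIN-style WHOIS output uses, with records separated by blank lines and comment lines starting with `#`.

```python
"""Pick the responsible party out of WHOIS output and the upstream hops
out of a traceroute."""
import ipaddress
import re

# Constructed WHOIS output: the ISP holds a block, one /24 is reassigned.
SAMPLE_WHOIS = """\
OrgName:        Bob's Internet
NetRange:       10.32.15.0 - 10.32.19.255
NetName:        BOBS-INTERNET-BLK
OrgAbuseEmail:  abuse@bobs-internet.example

OrgName:        My Credit Union
NetRange:       10.32.15.0 - 10.32.15.255
NetName:        MYCU-NET
OrgAbuseEmail:  netadmin@mycreditunion.example

# ARIN WHOIS database, last updated 2006-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
"""

# Constructed traceroute output toward the slide's example IP; hop 3 timed out.
SAMPLE_TRACEROUTE = """\
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  1.2 ms
 2  198.51.100.1 (198.51.100.1)  8.4 ms
 3  * * *
 4  203.0.113.9 (203.0.113.9)  20.1 ms
 5  192.168.0.1 (192.168.0.1)  22.0 ms
"""

HOP_LINE = re.compile(r"^\s*\d+\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_whois_records(text):
    """Split WHOIS output into a list of {key: value} records."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                    # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):        # database banner / hints
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def net_range(record):
    """Turn 'a.b.c.d - w.x.y.z' into (first, last) address objects, or None."""
    m = re.match(r"(\S+)\s*-\s*(\S+)$", record.get("NetRange", ""))
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def responsible_parties(whois_text, target_ip):
    """Return the records whose range covers target_ip, most specific first.

    The first entry is the party to contact; later entries (the ISP holding
    the enclosing block) are the fallback if that party cannot be reached."""
    target = ipaddress.ip_address(target_ip)
    hits = []
    for rec in parse_whois_records(whois_text):
        rng = net_range(rec)
        if rng and rng[0] <= target <= rng[1]:
            size = int(rng[1]) - int(rng[0]) + 1   # smaller block = more specific
            hits.append((size, rec))
    hits.sort(key=lambda h: h[0])
    return [rec for _, rec in hits]


def upstream_hops(trace_text, count=2):
    """Return the addresses of the last `count` responding hops before the
    destination, nearest the destination first (the ISP routers to look up)."""
    hops = [m.group(1) for line in trace_text.splitlines()
            if (m := HOP_LINE.match(line))]
    dest = re.search(r"traceroute to \S+ \(([\d.]+)\)", trace_text)
    if dest and hops and hops[-1] == dest.group(1):
        hops = hops[:-1]                # drop the destination itself
    return list(reversed(hops))[:count]


if __name__ == "__main__":
    for rec in responsible_parties(SAMPLE_WHOIS, "10.32.15.77"):
        print(rec["OrgName"], rec["NetRange"], rec["OrgAbuseEmail"])
    print("upstream hops:", upstream_hops(SAMPLE_TRACEROUTE))
```

For a live lookup, paste the output of `whois <ip>` into `responsible_parties` and the output of `traceroute <ip>` into `upstream_hops`; the hop addresses it returns are then fed back through the same WHOIS parsing to identify the ISP.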
3) Research the DOMAIN
We now know:
• Who owns the domain
• Contact info for the domain
• The ISP (may not be hosting, but is at least providing connectivity)
• DNS provider
RESEARCH COMPLETE!
4) RECON AND INTELLIGENCE
• Proceed with caution.
• Gathering intelligence is optional. You may not need any additional information.
• Further investigation calls upon some technical skills.
• Be cautious of the legal aspects of further investigation.
• Finger-printing tools can be deployed to determine OS, app, etc.
• Port scanners can determine if other services are running.
4) RECON AND INTELLIGENCE
Example: Information from FTP service
telnet 192.168.0.1 21
220 FTP Server ready.
214-The following commands are recognized (* =>'s unimplemented).
USER PASS ACCT* CWD XCWD CDUP XCUP SMNT*
QUIT REIN* PORT PASV TYPE STRU MODE RETR
STOR STOU* APPE ALLO* REST RNFR RNTO ABOR
DELE MDTM RMD XRMD MKD XMKD PWD XPWD
SIZE LIST NLST SITE SYST STAT HELP NOOP
214 Direct comments to root@www.<sanitized>.kr.
5) CONTACT PARTIES
• Try contacting the website owner first.
• Try contacting the ISP next.
• If no luck and the site uses an external DNS service, then try contacting them next.
• Have documentation available and provide it with your request.
• Request the fake site code for further reference.
5) CONTACT PARTIES
To whom it may concern,
URGENT REQUEST - Please read the following:
Today a number of our credit union members received a phishing e-mail soliciting their personal account information. The link referenced in the e-mail returns to a site which is presenting itself as our Hudson Valley Federal Credit Union Web site. As such it is violating copyright laws and misrepresenting itself for the purposes of illegally collecting account information for financial gain.
The compromised server is housing the spoof content at:
Please take this site down or remove the fraudulent content and respond when these changes have been implemented. If any financial loss is incurred we will be required to actively seek redress through local and national law enforcement bodies.
I have attached a PDF capture of the spoofed site (rogue1.pdf). We would greatly appreciate it if you would email us an archive of the fake site directory.
Thank you for your prompt attention to this matter.
Sample email to ISP
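The slides ask you to have documentation ready and send it with the request. The script below is an added example (not from the CUISPA deck) that packages a notice like the one above as an e-mail with the capture attached and a SHA-256 of that capture in the body, so the recipient can confirm the evidence they received matches what you sent. The attachment name `rogue1.pdf` and the wording follow the sample above; the sender, recipient, URL, date and the PDF bytes are constructed placeholders.

```python
"""Assemble a take-down request with its evidence attached and hashed."""
import hashlib
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed stand-in for the PDF capture of the spoofed page.
FAKE_CAPTURE_PDF = b"%PDF-1.4\n% placeholder capture, not a real PDF\n"

NOTICE = """\
To whom it may concern,

URGENT REQUEST - Please read the following:

On {observed} a number of our credit union members received a phishing
e-mail soliciting their personal account information. The link in that
e-mail leads to a site presenting itself as our {institution} web site,
misrepresenting itself for the purpose of illegally collecting account
information for financial gain.

The compromised server is housing the spoof content at:
  {url}

Please take this site down or remove the fraudulent content and respond
when these changes have been implemented.

I have attached a PDF capture of the spoofed site ({attachment}).
SHA-256 of the attachment: {digest}
We would greatly appreciate it if you would email us an archive of the
fake site directory.

Thank you for your prompt attention to this matter.
"""


def capture_digest(capture_bytes):
    """SHA-256 of the evidence file, quoted in the body for later verification."""
    return hashlib.sha256(capture_bytes).hexdigest()


def build_takedown_notice(url, institution, sender, recipient, capture_pdf,
                          attachment_name="rogue1.pdf", observed_at=None):
    """Return an EmailMessage carrying the notice text and the PDF capture."""
    observed_at = observed_at or datetime.now(timezone.utc)
    msg = EmailMessage()
    msg["Subject"] = f"URGENT: fraudulent site impersonating {institution}"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(NOTICE.format(
        observed=observed_at.strftime("%Y-%m-%d %H:%M UTC"),
        institution=institution,
        url=url,
        attachment=attachment_name,
        digest=capture_digest(capture_pdf),
    ))
    msg.add_attachment(capture_pdf, maintype="application", subtype="pdf",
                       filename=attachment_name)
    return msg


def notice_summary(msg):
    """What the recipient sees: subject, body, attachments and their digests."""
    attachments = {p.get_filename(): capture_digest(p.get_content())
                   for p in msg.iter_attachments()}
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {"subject": msg["Subject"], "body": body, "attachments": attachments}


if __name__ == "__main__":
    notice = build_takedown_notice(
        url="http://www.hackedsite.com/mycreditunionexploited/",
        institution="Hudson Valley Federal Credit Union",
        sender="security@example.invalid",
        recipient="abuse@example.invalid",
        capture_pdf=FAKE_CAPTURE_PDF,
    )
    print(notice.as_string())
```

Hand the resulting message to your mail system (for example `smtplib.SMTP.send_message`); keep a copy of the sent notice, the capture and its digest with the rest of the incident record, since law enforcement may later ask for exactly that documentation.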
5) CONTACT PARTIES
• Common difficulties:
Time differences with overseas ISPs.
Language barriers.
ISP policies on take-downs.
6) WORKING WITH LAW ENFORCEMENT
• Law enforcement can make requests on your behalf or call on contacts abroad (e.g. Interpol).
• Provide law enforcement with intelligence information:
1) They track it
2) You may provide a missing piece of a larger puzzle
3) Losses across organizations can be aggregated