Phishing – A new age weapon
Author: Abhishek Kumar
abhishek.kumar@paladion.net
www.paladion.net
OWASP Papers Program
Table of Contents
A1 Phishing – A new age weapon
A1.1 Motives
A1.2 Attack techniques
A1.3 Exploited weaknesses
A2 Building up the defense
A2.1 Improving technical controls in web application
A2.2 Implementing secure internal processes
A2.3 Increasing Customer awareness
A2.4 Contingency measures
A2.5 Looking ahead
A3 Conclusion
A4 References
A1 Phishing – A new age weapon
Phishing is a form of social engineering attack used by cyber criminals to steal sensitive
information. Customers of leading banks throughout the world have been targets of
Phishing. This article focuses on the security measures that financial service providers such
as banks can take to prevent and manage a Phishing attack.
A1.1 Motives
The exponential growth in online financial transactions has made Phishing a lucrative option
for attackers. Today almost all banks provide online banking facilities, and the customers
of these banks can easily become targets of Phishing. Using stolen information, attackers
can carry out a number of fraudulent activities, which may include:
1. Carrying out unauthorized transactions using stolen credit or debit card numbers.
2. Logging into the banking application with the stolen username and password. The attacker
then has access to all the financial details of the user and can conduct transactions
on the user's behalf.
3. Selling the user's personal information such as phone numbers, address and account
numbers to others for further fraud.
4. Denying service to legitimate users by changing their passwords and other contact details.
5. Ruining the customer's trust in the services provided by the bank and maligning the brand
name.
A1.2 Attack techniques
Most Phishing attacks use a combination of fake emails and look-alike web sites to fool
users into revealing their personal financial details. Users are sent an official-looking
forged email that appears to come from the genuine organization but is actually sent by the
attackers. This email lures the users into visiting a fake web site where they log on and
"update" their personal information, thereby handing their details to the attackers.
In the following section a dummy bank called Rite Bank is used to illustrate a typical
Phishing attack. Figure 1.1 shows a Phishing email targeting Rite Bank customers. The
'FROM' address has been forged so that the mail appears to have been sent by Rite Bank
support staff. The subject line prompts the user to take urgent action.
Figure 1.1
Figure 1.2 shows the content of the email. The email asks the user to log on to the online
banking web site by clicking on an embedded link and to update their information.
When the user clicks the link "Click here to verify your account", they are taken
to a replica of the Rite Bank site and are fooled into providing their login username,
password and other information. To make the email look authentic, Phishers often
include security guidelines in the mail. In the example discussed here the "Security Tips"
link points to the security tips page of the actual Rite Bank site; only the verification
link leads to the fake site.
Figure 1.2
This example shows just one way in which a Phishing attack can be carried out; there are
other variations. For example, the user may be asked to fill in a form embedded directly
in the fake email. When the user submits the form, the information is sent to the
attackers.
A1.3 Exploited weaknesses
Let us now delve a little deeper into what makes a Phishing attack successful. Users' lack of
awareness of this kind of attack is perhaps the biggest contributor to the success of
Phishing. Because users are unable to differentiate between a genuine and a fake email or
web site, they often end up giving away their personal information.
Another reason is the easy availability of email addresses. Today attackers can obtain
large databanks of email addresses, which lets them reach numerous potential victims
quickly. The addresses may belong to random users or to the customers of a particular
bank.
Ease of use of technology also contributes to the success of Phishing. Using ordinary web
technologies attackers can quickly build and deploy a fake web site; compared to writing
viruses, worms or other exploits this is trivial. The only thing left is to lure users to
this web site, which is effectively achieved through a fake email.
Existing weaknesses in the mail protocols further help the Phishers. For example, SMTP does
not verify the "FROM" address, so attackers can set it to anything they like and make the
mail look as if it came from a genuine source. Simple web programming features are also used
to fool users. Consider the HTML statement given below:

<a href= http://fakesite.com> https://genuinesite.com </a>

This is used to put a hyperlink in a web page or an email. The user sees the link as
https://genuinesite.com, but on clicking it is taken to http://fakesite.com, because the
browser follows the href attribute, not the visible text. Apart from this, various URL
obfuscation techniques can be used to obscure the final destination shown in the browser.
The user sees what looks like the correct web site name, whereas he is actually visiting a
completely different fake web site.
Some recent browser vulnerabilities have helped in misleading users too. One such
example was the Internet Explorer URL spoofing vulnerability. It allowed an attacker to
control the address displayed in the browser's address bar while a fake web site was
open. For example, consider the URL given below:

http://www.genuinesite.com%01%00@fakesite.com/

In a URL, anything between "http://" and "@" is treated as a username, and the real host
is the part after the "@", so this URL actually fetches a page from fakesite.com.
Affected versions of Internet Explorer mis-handled the special characters %01 and %00 in
the username part and displayed only http://www.genuinesite.com in the address bar,
whereas the user was actually visiting a page on fakesite.com. The fix is to apply the
patch released by the vendor; current browsers either drop the username part from the
address bar or warn the user before connecting.
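Both deceptions shown above, the anchor whose visible text names one host while its href goes to another, and the credentials-before-"@" decoy, can be caught mechanically before a mail reaches the user. The following Python script is an added example and not part of the original paper: it parses the anchors in a constructed sample mail modelled on the Rite Bank message, resolves the host each href really points to with the standard library's URL parser (which, like a browser, discards everything before the last "@"), and flags links whose visible text names a different host or whose real host is outside an assumed list of the bank's genuine hosts. The sample HTML, the host names and the trusted-host list are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the style of the Rite Bank mail described above
# (not taken from the paper's figures). Host names are the paper's placeholders.
SAMPLE_EMAIL_HTML = """
<p>Dear valued customer,</p>
<p>Please <a href="http://www.genuinesite.com%01%00@fakesite.com/verify">Click here
to verify your account</a> within 24 hours.</p>
<p>Our site: <a href="http://fakesite.com/login">https://genuinesite.com</a></p>
<p>Read our <a href="https://www.genuinesite.com/security-tips">Security Tips</a>.</p>
"""

# Assumption: the bank's real hosts.
TRUSTED_HOSTS = {"genuinesite.com", "www.genuinesite.com"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace of text that wrapped across lines.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def real_host(url):
    """Host a browser actually connects to for `url`.

    urlsplit() treats everything before the last '@' in the authority as
    user:password, so 'www.genuinesite.com%01%00' is discarded and the host
    is fakesite.com, which is exactly what the vulnerable address bar hid.
    """
    return (urlsplit(url).hostname or "").lower()


def has_userinfo(url):
    """True when the authority carries credentials (the '@' decoy trick)."""
    return "@" in urlsplit(url).netloc


def audit_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per anchor, with the reasons it looks deceptive."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = real_host(href)
        reasons = []
        if has_userinfo(href):
            reasons.append("credentials before '@' hide the real host")
        # Visible text that is itself a URL must point at the same host as href.
        if "://" in text:
            shown = real_host(text)
            if shown != host:
                reasons.append(f"text shows {shown} but link goes to {host}")
        if host not in trusted_hosts:
            reasons.append(f"{host} is not a trusted bank host")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['host']:22} {f['text']!r}")
        for reason in f["reasons"]:
            print(f"           - {reason}")
```

Run against the sample, the first two anchors are flagged and the genuine "Security Tips" link is not. The check is deliberately limited to what is visible in the HTML: it does not follow redirectors or shortened URLs, and a phisher can always use plain text such as "Click here", which is why the trusted-host comparison, not the text comparison, is the decisive test.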
The relative anonymity of the web makes it very difficult to locate the culprits. Attackers can
launch a Phishing attack quickly and clear all traces equally fast. Existing anti-spam
software and content filters are not very effective in detecting and stopping Phishing emails,
and most currently deployed web applications lack any anti-Phishing features.
Together these factors are driving the explosive growth in Phishing attacks.
A2 Building up the defense
The saying goes "Good security depends on people, process and technology". This
applies to the defense against Phishing too. Solutions against Phishing are still in
their nascent stage, yet a combination of defense mechanisms can be built to deter Phishing
attacks. The following sections discuss steps that banks can implement to protect
against Phishing.
A2.1 Improving technical controls in web application
Various technical controls that help in preventing Phishing attacks should be built into
the web application. The first defense is to strengthen the authentication
mechanism. Simple username and password authentication is not sufficient for a web site
providing critical financial transactions; it should be complemented by a second factor
such as hardware tokens or client certificates.
Hardware Tokens
Hardware token devices introduce two-factor authentication in a web application. These
token devices are generally of two types: those using the challenge-response method, and
time-synchronised tokens such as the SecurID devices from RSA Security.
With a challenge-response token, the application sends back a 'challenge' when the
user logs in with his username and password. The challenge, a random number, is keyed
into the hardware token, which computes a 'response' from the challenge and a secret held
only inside the token. The response is sent to the application for the second level of
authentication. Since the response is different for every challenge, a Phisher who captures
the username and password cannot log in without the token device, and a captured response
is useless once its challenge has been consumed. Note that this does not stop a fake site
that relays the challenge and response to the real site in real time, so the token should
be combined with the other measures described below.
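A minimal model of the exchange, with both the token side and the bank side, as an added example that is not from the paper: the shared secret seed, the HMAC-SHA256 response function and the 8-digit challenge and response formats are assumptions, since the paper names no particular product or algorithm. The bank consumes each challenge on the first verification attempt, so the replay a Phisher would attempt with a captured response fails.

```python
import hashlib
import hmac
import secrets

# Constructed demo: the seed shared by alice's token and the bank. In reality
# it lives only inside the token and the bank's authentication server or HSM.
TOKEN_SEEDS = {
    "alice": bytes.fromhex("3c2f7a1e9b0d4c6e8a1f2b3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071"),
}
DIGITS = 8  # length of challenge and response (assumption)


def token_response(seed, challenge):
    """Token side: the 8-digit response for a displayed challenge.

    HMAC-SHA256 truncated to decimal digits is an assumption; the paper only
    says that each challenge yields a new response.
    """
    mac = hmac.new(seed, challenge.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


class ChallengeResponseServer:
    """Bank side: after the password check, issue a challenge and verify the
    token's response. A challenge is consumed on the first verify attempt."""

    def __init__(self, seeds):
        self._seeds = seeds
        self._pending = {}  # username -> outstanding challenge

    def issue_challenge(self, user, challenge=None):
        # Random challenge shown to the user; a fixed one may be passed for tests.
        if challenge is None:
            challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user, response):
        challenge = self._pending.pop(user, None)  # one attempt per challenge
        seed = self._seeds.get(user)
        if challenge is None or seed is None:
            return False
        return hmac.compare_digest(token_response(seed, challenge), response)


def replay_attempt(server, user, seed):
    """Scenario from the text: a Phisher who captured the victim's password and
    one response tries to use that response later. Returns (legit_ok, replay_ok)."""
    c1 = server.issue_challenge(user)
    captured = token_response(seed, c1)   # the victim typed this into the fake site
    legit_ok = server.verify(user, captured)
    server.issue_challenge(user)          # bank issues a fresh challenge
    replay_ok = server.verify(user, captured)
    return legit_ok, replay_ok


if __name__ == "__main__":
    bank = ChallengeResponseServer(TOKEN_SEEDS)
    print(replay_attempt(bank, "alice", TOKEN_SEEDS["alice"]))  # (True, False)
```

The one-attempt-per-challenge rule in `verify` is what makes the captured response worthless; a server that kept a challenge open across several attempts would let the Phisher try the captured value against it. A live relay, where the fake site forwards the bank's challenge to the victim and the victim's response back to the bank within seconds, is outside what this control addresses.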
Smart Cards
Client certificates can also introduce strong authentication in a web application. One
way of using client certificates is through smart cards with public key cryptography
capability. Smart cards provide a secure and mobile platform for authentication.
In a smart card enabled application only a user holding the right card can access the
web application. Since a Phisher does not have a valid smart card he is denied access
even if he manages to obtain information such as username, password and account
numbers. The caveat with smart cards is the added infrastructure (certificate issuance,
card readers and revocation) required to implement the solution. Compared to smart cards,
the infrastructure overhead of hardware token devices is much lower.
Web page personalization
Using hardware token devices or client certificates may require many changes to an
existing application, so these are more relevant for new applications under development.
Existing applications can introduce other simple measures to reduce the risk of
Phishing.
One simple feature is to make it harder to impersonate the site by personalizing the web
application for each user. The site can use two pages to authenticate the user. The first
page asks only for the username. On receiving a valid username, the user is shown a
personalized page for entering the password, personalized with a phrase or image the user
chose at registration. A fake site that does not know the user's phrase or image cannot
produce the second page.
Personalization can also be achieved in other ways. Client-side persistent cookies can be
used to present a personalized login page. When the user logs in for the first time, the
application sets a cookie with a simple personal but non-confidential string (e.g. the
user's first name). The next time the user comes back, the application greets him with this
string before he logs in. A Phishing site cannot read the cookie if it is scoped to the
bank's domain, so the user does not see the greeting and is tipped off that the site is
not genuine. The success of these options again depends on the alertness of the end user,
and neither stops a fake site that relays the username to the genuine site and copies the
personalized page it receives.
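The two-page login and the scoped greeting cookie described above, as an added example that is not from the paper. The user record, the site phrase and image, the cookie name and attributes and the bank host name are assumptions; passwords are stored with PBKDF2 from the standard library only so that the sample is complete and self-contained.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

BANK_DOMAIN = "www.genuinesite.com"  # assumption: the bank's real host


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; any slow salted password hash would do here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(first_name, password, site_phrase, site_image):
    """Constructed user record; the phrase and image are chosen at enrolment."""
    salt = secrets.token_bytes(16)
    return {"first_name": first_name, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "site_phrase": site_phrase, "site_image": site_image}


USERS = {"alice": make_user("Alice", "correct horse", "blue teapot", "img/teapot.png")}


class TwoPageLogin:
    """Page one takes only the username and returns the personalization.
    Page two takes the password together with a one-time ticket proving that
    page one was completed, so the password form cannot be reached directly."""

    def __init__(self, users):
        self._users = users
        self._tickets = {}  # ticket -> username, consumed on page two

    def page_one(self, username):
        user = self._users.get(username)
        if user is None:
            # Unknown name: return a generic page so the form does not reveal
            # which usernames exist (assumption about the desired behaviour).
            return {"ticket": None, "phrase": None, "image": None}
        ticket = secrets.token_urlsafe(24)
        self._tickets[ticket] = username
        return {"ticket": ticket, "phrase": user["site_phrase"],
                "image": user["site_image"]}

    def page_two(self, ticket, password):
        """Return the authenticated username, or None."""
        username = self._tickets.pop(ticket, None)
        if username is None:
            return None
        user = self._users[username]
        if not hmac.compare_digest(hash_password(password, user["salt"]),
                                   user["pw_hash"]):
            return None
        return username


def greeting_cookie(first_name, domain=BANK_DOMAIN):
    """Set-Cookie value for the non-confidential greeting. Domain and Path
    scope the cookie to the bank's host, so fakesite.com never receives it;
    Secure and HttpOnly keep it off plain HTTP and away from page scripts."""
    jar = SimpleCookie()
    jar["greet"] = first_name
    jar["greet"]["domain"] = domain
    jar["greet"]["path"] = "/"
    jar["greet"]["secure"] = True
    jar["greet"]["httponly"] = True
    jar["greet"]["samesite"] = "Lax"
    jar["greet"]["max-age"] = 365 * 24 * 3600
    return jar.output(header="").strip()


def login_flow(site, username, password):
    """Drive both pages; returns (page-two personalization, user or None)."""
    page = site.page_one(username)
    if page["ticket"] is None:
        return page, None
    return page, site.page_two(page["ticket"], password)


if __name__ == "__main__":
    site = TwoPageLogin(USERS)
    page, who = login_flow(site, "alice", "correct horse")
    print("page two shows:", page["phrase"], page["image"])
    print("authenticated:", who)
    print("Set-Cookie:", greeting_cookie(USERS["alice"]["first_name"]))
```

The ticket is what ties the two pages together: without it, a user (or a script) could post a password straight to page two and the personalization step would add nothing. The cookie carries only the first name; nothing in it is worth stealing, which is the point of keeping the greeting non-confidential.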
A2.2 Implementing secure internal processes
Banks manage sensitive information about their customers, both personal and financial.
Apart from technical controls in the web application, it is important for such
organizations to follow secure processes when handling any customer information. Secure
internal processes help prevent leakage of customer information, including the email
addresses a Phisher needs. This includes activities such as:
1. Restricting customer database access to authorized users only.
2. Disposing of media only after erasing any data containing user information.
3. Making all personnel who handle customer data aware of the confidentiality requirements
and the risks of a breach.
4. Not exposing customer email addresses in mass mailers (for example in a visible
recipient list).
5. Sharing email addresses only with authorized marketing partners or other groups with
similar security controls.
Security standards such as the GLBA (Gramm-Leach-Bliley Act) can be referred to when
building the required security controls. For example, Section 314.4 of the GLBA Safeguards
Rule specifies the following requirements for financial organizations protecting
customer data:
1. Limit access to customer information to employees who have a business reason for
seeing it. Maintain systems and procedures to ensure that access to nonpublic
consumer information is granted only to legitimate and valid users.
2. Encrypt sensitive customer information when it is transmitted electronically over
networks or stored online. Provide for secure data transmission (with clear
instructions and simple security tools) when you collect or transmit customer
information.
Brand Monitoring
As an additional control, banks should also keep track of the use of their brand on the
Internet. This involves monitoring for activities such as registration of look-alike
domain names, use of the brand within web pages and use of the brand in email spam.
Companies such as Netcraft, Cyota, Cyveillance and Envisional provide these services. The
information can be used to track down suspicious activity and take remedial measures.
A2.3 Increasing Customer awareness
The success of a Phishing attack depends to a large extent on the response of the users, so
some security measures need to be implemented on the user side too. Many attacks
can be prevented if users are alert and aware of the threats. Banks should take steps to
make their customers and employees aware of basic security practices.
Banks should run customer awareness programmes that train customers to identify
genuine emails and web sites. Guidelines should be issued informing customers how the
bank will communicate with them. These sessions should be conducted periodically and in a
manner that is easy for the end user to understand. Guidelines can be provided as documents
given at the time of customer registration, and can also be displayed as security
instructions on the web site before the user logs on. They should explain the kind of mails
the bank will send and what spurious or hoax emails look like.
Specifically, users should be told that:
1. They will never be asked to provide their username, password, credit card
number, full name, bank account number etc. by mail.
2. Emails from the bank will not contain embedded links or ask users to fill in
information in forms.
3. Emails from the bank will never ask users to download software from
other sites or to visit sites other than the known banking sites.
4. They should always reach the web site by typing its address directly into the
browser, and should look for the secure-site indications (an https connection and the
lock icon) before submitting a username, password, credit card number or other sensitive
information via the web browser.
5. They should be suspicious of any email with an urgent request for personal
information.
Customers must also be informed about other security best practices, which
include:
1. Keeping the browser up to date with all security patches applied.
2. Running well-configured personal anti-spam and anti-virus software on their
computers.
3. Using a pop-up blocker to help stop automatic execution of malicious
code.
4. Running anti-spyware tools periodically to remove any lurking malware from the
computer.
The risk of Phishing would be greatly reduced if users could reliably identify fake emails.
Digital signatures are one good option for distinguishing fake emails from real ones.
As far as possible banks should digitally sign all email communication to customers
and tell them how to verify a valid signature. The public key needed to verify the
bank's signature can be provided to the user on a CD-ROM with the required instructions,
so that the key itself does not have to be trusted on the strength of an email.
End user Browser tools
Apart from awareness sessions, users can also be given simple browser tools
such as SpoofStick or ScamBlocker that help them identify fake web sites.
SpoofStick by CoreStreet works on the principle of a visual alert: it displays the most
relevant domain information of the current site in the browser, as shown in Figure 1.3. An
alert user would see the wrong domain name and recognize a fake site.
ScamBlocker by EarthLink goes a step further and maintains a frequently updated database
of fraudulent web sites; users are alerted when they visit a potentially dangerous web
site. These tools are not a solution to Phishing but can help in detecting spurious web sites.
Figure 1.3 - SpoofStick
A2.4 Contingency measures
No solution is foolproof. Companies should be prepared to reduce the impact of a
successful Phishing attack, and various contingency measures should be in place to
recover from one quickly. Banks should provide customers with an easy-to-use fraud
reporting mechanism (email, web page or phone) and tell them how to report fraud.
Banks should also have a way to contact all their customers quickly and inform them of
the safety measures to take in response to a Phishing attack.
Applications should also have a feature to force all users to change their passwords
securely in case of an attack. Once an attack is detected, the application introduces an
additional page after the login page that asks for some information unique to the user and
unknown to the Phishers. This can be a date of birth, spouse's name, social security
number etc., provided it is not something the fake site asked for: a Phishing form that
collected these details has made them known to the attacker. Once the user answers,
another page asks him to change his password, after which the user logs on normally.
This module can be activated as soon as a Phishing report is received and can stay on
the site for a few months so that all users change their password. It is a non-intrusive
way to protect users and make them change their password.
The users should also take immediate remedial measures if they detect that they have
received a possible Phishing mail. This could include activities such as:
1. Informing the bank about the mail and its details
2. Immediately changing the password used to logon or perform transactions
A2.5 Looking ahead
A few upcoming technologies can help in curbing the growing Phishing menace. The
Microsoft-championed "Sender ID Framework" is one such effort; another is the
"Identified Internet Mail" proposal from Cisco. Both proposals aim to stop forged emails
from reaching the end user.
In most Phishing emails the "FROM" address is forged so that the mail appears to come from
a genuine source. The Sender ID Framework tries to prevent email domain spoofing by
verifying that a message really originates from the domain it claims to come from. The
domain owner publishes the IP addresses of its authorized outbound mail servers in DNS;
the receiver's inbound mail server looks up that record and compares it with the IP
address of the server that delivered the message, passing the mail on only if it came
from an authorized server.
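An added example, not from the paper and not Microsoft's implementation, of the IP-based check the Sender ID Framework performs. It reads a domain's published record in the SPF syntax that Sender ID shares, decides whether a given delivering IP address is authorized, and maps the result to a receiver action. The records, the dictionary standing in for DNS and the receiver policy are all constructed for the example; only the ip4, ip6 and all mechanisms are handled, since the others need further DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS: one TXT record per domain in the SPF syntax
# that Sender ID shares. A real receiver queries DNS for these records.
DNS_TXT = {
    "genuinesite.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/28 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Return ([(network, qualifier), ...], result for 'all'), or None when the
    text is not an SPF record. Only ip4/ip6 and all are handled here; the
    include:, a and mx mechanisms would need further DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    networks, default = [], "neutral"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        lower = term.lower()
        if lower == "all":
            default = RESULT_FOR_QUALIFIER[qualifier]
        elif lower.startswith(("ip4:", "ip6:")):
            networks.append((ipaddress.ip_network(term[4:], strict=False), qualifier))
    return networks, default


def check_sender(domain, delivering_ip, dns=DNS_TXT):
    """Is delivering_ip an authorized mail server for domain?
    Returns pass, fail, softfail, neutral, none or permerror."""
    record = dns.get(domain.lower())
    if record is None:
        return "none"  # the domain publishes nothing, so nothing can be verified
    parsed = parse_record(record)
    if parsed is None:
        return "permerror"
    networks, default = parsed
    ip = ipaddress.ip_address(delivering_ip)
    for network, qualifier in networks:
        if ip in network:  # False when the address families differ
            return RESULT_FOR_QUALIFIER[qualifier]
    return default


def inbound_policy(result):
    """Assumed receiver policy: reject hard failures, quarantine soft ones and
    deliver the rest. The paper says only that mis-originated mail is not
    forwarded to the user."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "deliver")


if __name__ == "__main__":
    # Constructed deliveries: the first from the bank's own server, the second
    # from a Phisher's machine forging a genuinesite.com FROM address.
    for domain, ip in [("genuinesite.com", "192.0.2.25"),
                       ("genuinesite.com", "203.0.113.9")]:
        result = check_sender(domain, ip)
        print(f"{domain} via {ip}: {result} -> {inbound_policy(result)}")
```

The "none" result matters in practice: a domain that publishes no record gets no protection, so the check only helps banks that actually publish their sending servers. Sender ID additionally chooses which header address to check (the purported responsible address) rather than the SMTP envelope sender; the IP comparison itself is the same.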
Cisco's Identified Internet Mail (IIM) is a signature-based mechanism for deciding the
validity of mail. Using public key cryptography, the sending domain signs the email and the
receiving domain verifies the signature. IIM can sign and verify either at the domain
level or at the user level. A policy decides what to do with the verification result:
unsigned messages, or messages with invalid signatures, can be categorized as possible
Phishing attacks.
A few consortiums such as FSTC (Financial Services Technology Consortium) and the APWG
(Anti-Phishing Working Group) are also working towards a solution. These groups have
pooled their resources to come up with a standard framework that can be implemented by
financial organizations to counter Phishing threats.
Anti-spam and content filtering software will also improve over time; as detection
signatures improve, more spam and fake emails will be detected and stopped by these
applications.
A3 Conclusion
The problem of Phishing does not have a single solution as of now. Phishing is not just a
technical problem, and Phishers will keep coming up with new ways of attacking users.
Banks should undertake periodic vulnerability analysis to identify and plug weaknesses that
can lead to a successful Phishing attack. The solution lies in a combination of controls set
up by the organization and user awareness.
Figure 1.4 - The three pillars of the defense: implement secure processes, build
technical controls in the web application, and conduct end user awareness programmes.
A4 References
1. Cisco Systems. "Identified Internet Mail". www.identifiedmail.com
2. Microsoft Corporation. "Sender ID Framework". www.microsoft.com
3. Anti-Phishing Working Group. Resources. www.antiphishing.org
4. Financial Services Technology Consortium. www.fstc.org
5. Gramm-Leach-Bliley Act. http://www.ftc.gov/privacy/glbact/
6. Ollmann, Gunter. "The Phishing Guide". www.ngssoftware.com