Phishing
Information Systems Security Association
New England Chapter
Tuesday 16 Nov 2004
M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance
Division of Business & Management, Norwich University
mailto:mkabay@norwich.edu
V: 802.479.7937
1
Copyright © 2004 M. E. Kabay. All rights reserved.
Come With Me, Little Child
From:
To:
Cc:
Subject:
Microsoft Corporation Technical Bulletin [ljseedwngeoswojtfbv@confidence.com]
MS Customer
Sent: Thu 9/18/2003 3:32 PM
Network Critical Patch
Microsoft Customer
This is the latest version of security update, the ‘September 2003, Cumulative Patch’
update which resolves all known security vulnerabilities affecting MS Internet Explorer,
MS Outlook and MS Outlook Express as well as three new vulnerabilities. Install now to
help maintain the security of your computer from these vulnerabilities. This update
includes the functionality of all previously released patches.
2
Copyright © 2004 M. E. Kabay. All rights reserved.
Topics
 Phishing Basics
 Serious Problem
 APWG Regular Reports
 Recent Examples
 Phishing Harms Firms
 Problem Increasing
 Anti-Phishing Steps
 Public Education
 Possible Solutions
3
Copyright © 2004 M. E. Kabay. All rights reserved.
Phishing Basics (1)
 Pronounced "fishing"
 Scam to steal valuable information such as
credit cards, social security numbers, user
IDs and passwords.
 Also known as "brand spoofing"
 Official-looking e-mail sent to potential
victims
Pretends to be from their ISP, retail store,
etc.,
Due to internal accounting errors or some
other pretext, certain information must be
updated to continue the service.
4
Copyright © 2004 M. E. Kabay. All rights reserved.
Phishing Basics (2)
 Link in e-mail message directs the user to a Web page
 Asks for financial information
 Page looks genuine
 Easy to fake valid Web site
 Any HTML page on the real Web can be copied and
modified
 E-mails sent to people on selected lists or to any list
 Some % will actually have account
 “Phishing kit"
 Set of software tools
 Help novice phisher imitate target Web site
 Make mass mailings
 May include lists of e-mail addresses
5
From Computer Desktop Encyclopedia v17.4
http://www.computerlanguage.com/
Copyright © 2004 M. E. Kabay. All rights reserved.
Serious Problem
“Illegal access to checking
accounts, often gained via
phishing scams, has become the
fastest-growing form of
consumer theft in the United
States, accounting for a
staggering $2.4 billion in fraud in
the previous 12 months.”
-- Gartner Group
6
Copyright © 2004 M. E. Kabay. All rights reserved.
APWG Regular Reports
Phishing Activity Trends Report Oct 2004
 1142: Number of active phishing sites reported in Oct
2004
 25%: Average monthly growth rate in phishing sites
July through Oct
 44: # brands hijacked Oct
 6: # brands comprising top 80% of brands hijacked by
phishing campaigns in Oct
 USA: country hosting most phishing Websites
 20%: contain some form of the target name in URL
 63%: no hostname, just IP address
 6 days: average time online for phishing site
http://www.antiphishing.org/APWG_Phishing_Activity_Report-Oct2004.pdf
7
Copyright © 2004 M. E. Kabay. All rights reserved.
Recent Examples of Attacks
From APWG
 Nov 15 - People's Bank - 'New Mail from People'
 Nov 10 - Citibank - 'Citibank Alert Service'
 Nov 9 - Paypal - 'Your Account Will Be Suspended'
 Nov 2 - Sovereign Bank - 'Sovereign Bank
Unauthorized Account Access'
 Nov 1 - Citibank - 'Security Alert on Microsoft
Internet Explorer'
 Oct 29 - eBay - 'TKO NOTICE: Verify Your Identity'
 Oct 28 - Verizon - 'Update your Verizon billing
profile'
 Oct 27 - Washington Mutual Bank - 'Washington
Mutual Bank : Notification of Washington Mutual
Internet Banking Account‘
8
Copyright © 2004 M. E. Kabay. All rights reserved.
People’s Bank
Not the
proper
domain for
peoples.com
9
Copyright © 2004 M. E. Kabay. All rights reserved.
Citibank (Nov 10)
Links to
http://82.90.165.65/cit
i
10
Copyright © 2004 M. E. Kabay. All rights reserved.
PayPal (1)
11
Copyright © 2004 M. E. Kabay. All rights reserved.
PayPal (2)
12
Actually links to
http://212.45.13.185/.payp
al/index.php
Copyright © 2004 M. E. Kabay. All rights reserved.
Citibank (Nov 1)
Links to
http://200.189.70.90/citi/
13
Copyright © 2004 M. E. Kabay. All rights reserved.
eBay
http://signinebay.com-cgibin.tk/eBaydll.php
14
Copyright © 2004 M. E. Kabay. All rights reserved.
APWG (antiphishing.org)
 Anti-Phishing Working Group
15
Copyright © 2004 M. E. Kabay. All rights reserved.
Phishing Harms Firms
 Harmful at many levels
 Threatens effective communication
 Undermines goodwill and trust
 Customers
 Direct harm from stolen IDs, passwords
 Could perceive business as not taking
adequate steps to protect users
 Diminishes value of brand
 Could affect shareholders
 Possibility of liability for failure to exercise
due diligence in protecting trademark
16
Based in part on material that is
copyright © 2004 Don Holden, CISSP
Used with permission (and thanks).
Copyright © 2004 M. E. Kabay. All rights reserved.
Problem Increasing
17
Copyright © 2004 M. E. Kabay. All rights reserved.
Get a Job – and Lose Money
 Free training offer is latest spam scam
By John Leyden
Published Tuesday 2nd November 2004
12:35 GMT
http://www.theregister.com/2004/11/02/train
ing_spam_scam/
 Apply for “training” and “job” at Credit
Suisse
 Fill in banking details (!)
 Lose control over your financial information
to criminals
18
Copyright © 2004 M. E. Kabay. All rights reserved.
Spoofed Page and Address Bar
Not the real
address bar
See http://www.antiphishing.org/news/03-31-04_Alert-FakeAddressBar.html
19
Based on a slide copyright © 2004 Don Holden, CISSP
Used with permission (and thanks).
Copyright © 2004 M. E. Kabay. All rights reserved.
Spoofed Address Bar
 Problem
 JavaScript device replaces address bar
 Allows complete control
 Can show one URL while going to another
 Viewing source code for page does NOT
show Java source code
 Implications
 With address bar installed, could track
other sites visited
 Could do a man-in–the-middle attack to
see everything entered
20
Copyright © 2004 M. E. Kabay. All rights reserved.
Recent Alert
 @RISK: Consensus Security Vulnerability
Alert 3(45) Nov 14, 2004
From SANS Institute
 Internet Explorer Phishing Vulnerability
Attacker can construct malicious hyperlink
Hundreds of attacks reported per week
Object element embedded in hyperlink
Can embed flash movie or other
executable code in a hyperlink
21
Copyright © 2004 M. E. Kabay. All rights reserved.
Tabbed Browser Problems (1)
 Phishing for dummies: hook, line and sinker
 By Scott Granneman, SecurityFocus
 Published Tuesday 2nd November 2004 14:55 GMT
 http://www.theregister.com/2004/11/02/phishing_tab
bed_browsers/
 Vulnerabilities in many “tabbed” browsers that allow
easy switch from one window to another
 Mozilla 1.7.3
 Mozilla Firefox 0.10.1
 Camino 0.8
 Opera 7.54
 Konqueror 3.2.2-6
 Netscape 7.2
 Avant Browser 9.02 build 101 and 10.0 build 029
 Maxthon (MyIE2) 1.1.039
22
Copyright © 2004 M. E. Kabay. All rights reserved.
Tabbed Browser Problems (2)
 Dialog box can be spawned in active window
from connection to an inactive window
E.g., visit PayPal
Get popup box to “verify” password
Actually comes from rogue site in different
window
 Possibility of diverting data into a form on a
different window for a malicious Website
Would try to enter data into form on
legitimate site
Data would actually go somewhere else
23
Copyright © 2004 M. E. Kabay. All rights reserved.
Anti-Phishing Steps
Proclaim, Protect, Pursue
 Proclaim in all correspondence the use of an
official mark (e.g. TrustedSender stamp)
 Protect all messages, Web pages with the
mark
 Pursue all impostors – actively seek reports
of phishing
Copyright © 2004 Don Holden, CISSP
Used with permission (and thanks).
24
Copyright © 2004 M. E. Kabay. All rights reserved.
Public Education
 Use digitally-signed documents ONLY
Don’t release unsigned documents
Get consumers used to idea that an unsigned
document is an untrustworthy document
 Use public education campaigns
“No one will ever ask you to confirm your
password”
“Don’t believe alerts that address you as ‘Dear
Customer.’”
Link to APWG documents; e.g.,
http://www.antiphishing.org/consumer_recs.html
25
Copyright © 2004 M. E. Kabay. All rights reserved.
Possible Solutions
 Strong Website authentication
 Mail server authentication
 Digitally-signed e-mail with desktop
verification
 Digitally-signed e-mail with gateway
verification
AWPG: Proposed Solutions to Address the Threat of Email
Spoofing Scams
http://tinyurl.com/5bo55
26
Copyright © 2004 M. E. Kabay. All rights reserved.
APWG Resources Page
27
Copyright © 2004 M. E. Kabay. All rights reserved.
CloudMark’s Community
Approach
 Cloudmark SafetyBar
http://www.cloudmark.com/
Works for Outlook and Outlook Express
 Community members report new spam or
fraud at push of button
Information sent worldwide to improve
blocking
 Anti-fraudster measures
Reliability of reports affects credibility of
reporter
Spammers and fraudsters would lose
credibility fast
28
Copyright © 2004 M. E. Kabay. All rights reserved.
Cloudmark SafetyBar (2)
29
Copyright © 2004 M. E. Kabay. All rights reserved.
DISCUSSION
30
Copyright © 2004 M. E. Kabay. All rights reserved.