Phishing: Information Systems Security Association New England Chapter

Phishing
Information Systems Security Association New England Chapter Tuesday 16 Nov 2004
M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance Division of Business & Management, Norwich University mailto:mkabay@norwich.edu V: 802.479.7937
1
Copyright 2004 M. E. Kabay. All rights reserved.
Come With Me, Little Child

From: To: Cc: Subject: Microsoft Corporation Technical Bulletin [ljseedwngeoswojtfbv@confidence.com] MS Customer Network Critical Patch Sent: Thu 9/18/2003 3:32 PM
Microsoft Customer This is the latest version of security update, the September 2003, Cumulative Patch update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three new vulnerabilities. Install now to help maintain the security of your computer from these vulnerabilities. This update includes the functionality of all previously released patches.
Topics
Phishing Basics Serious Problem APWG Regular Reports Recent Examples Phishing Harms Firms Problem Increasing Anti-Phishing Steps Public Education Possible Solutions
Phishing Basics (1)

Pronounced "fishing" Scam to steal valuable information such as credit cards, social security numbers, user IDs and passwords. Also known as "brand spoofing" Official-looking e-mail sent to potential victims Pretends to be from their ISP, retail store, etc., Due to internal accounting errors or some other pretext, certain information must be updated to continue the service.
4
Phishing Basics (2)

Link in e-mail message directs the user to a Web page Asks for financial information Page looks genuine Easy to fake valid Web site Any HTML page on the real Web can be copied and modified E-mails sent to people on selected lists or to any list Some % will actually have account Phishing kit" Set of software tools Help novice phisher imitate target Web site Make mass mailings May include lists of e-mail addresses
From Computer Desktop Encyclopedia v17.4 http://www.computerlanguage.com/
Serious Problem
Illegal access to checking accounts, often gained via phishing scams, has become the fastest-growing form of consumer theft in the United States, accounting for a staggering $2.4 billion in fraud in the previous 12 months.
-- Gartner Group
6
APWG Regular Reports

Phishing Activity Trends Report Oct 2004 1142: Number of active phishing sites reported in Oct 2004 25%: Average monthly growth rate in phishing sites July through Oct 44: # brands hijacked Oct 6: # brands comprising top 80% of brands hijacked by phishing campaigns in Oct USA: country hosting most phishing Websites 20%: contain some form of the target name in URL 63%: no hostname, just IP address 6 days: average time online for phishing site
http://www.antiphishing.org/APWG_Phishing_Activity_Report-Oct2004.pdf 7
Recent Examples of Attacks From APWG

Nov 15 - People's Bank - 'New Mail from People' Nov 10 - Citibank - 'Citibank Alert Service' Nov 9 - Paypal - 'Your Account Will Be Suspended' Nov 2 - Sovereign Bank - 'Sovereign Bank Unauthorized Account Access' Nov 1 - Citibank - 'Security Alert on Microsoft Internet Explorer' Oct 29 - eBay - 'TKO NOTICE: Verify Your Identity' Oct 28 - Verizon - 'Update your Verizon billing profile' Oct 27 - Washington Mutual Bank - 'Washington Mutual Bank : Notification of Washington Mutual Internet Banking Account
8
Peoples Bank
Not the proper domain for peoples.com
Citibank (Nov 10)
Links to http://82.90.165.65/cit i
10
PayPal (1)
11
PayPal (2)
Actually links to http://212.45.13.185/.payp al/index.php
12
Citibank (Nov 1)
Links to http://200.189.70.90/citi/
13
eBay
http://signinebay.com-cgibin.tk/eBaydll.php
14
APWG (antiphishing.org)
Anti-Phishing Working Group
15
Phishing Harms Firms

Harmful at many levels Threatens effective communication Undermines goodwill and trust Customers Direct harm from stolen IDs, passwords Could perceive business as not taking adequate steps to protect users Diminishes value of brand Could affect shareholders Possibility of liability for failure to exercise due diligence in protecting trademark
16
Based in part on material that is copyright 2004 Don Holden, CISSP Used with permission (and thanks).
Problem Increasing
17
Get a Job and Lose Money

Free training offer is latest spam scam By John Leyden Published Tuesday 2nd November 2004 12:35 GMT http://www.theregister.com/2004/11/02/train ing_spam_scam/ Apply for training and job at Credit Suisse Fill in banking details (!) Lose control over your financial information to criminals
18
Spoofed Page and Address Bar

Not the real address bar
See http://www.antiphishing.org/news/03-31-04_Alert-FakeAddressBar.html
19
Based on a slide copyright 2004 Don Holden, CISSP Used with permission (and thanks).
Spoofed Address Bar

Problem JavaScript device replaces address bar Allows complete control Can show one URL while going to another Viewing source code for page does NOT show Java source code Implications With address bar installed, could track other sites visited Could do a man-inthe-middle attack to see everything entered
20
Recent Alert
@RISK: Consensus Security Vulnerability Alert 3(45) Nov 14, 2004 From SANS Institute Internet Explorer Phishing Vulnerability Attacker can construct malicious hyperlink Hundreds of attacks reported per week Object element embedded in hyperlink Can embed flash movie or other executable code in a hyperlink
21
Tabbed Browser Problems (1)

Phishing for dummies: hook, line and sinker By Scott Granneman, SecurityFocus Published Tuesday 2nd November 2004 14:55 GMT http://www.theregister.com/2004/11/02/phishing_tab bed_browsers/ Vulnerabilities in many tabbed browsers that allow easy switch from one window to another Mozilla 1.7.3 Mozilla Firefox 0.10.1 Camino 0.8 Opera 7.54 Konqueror 3.2.2-6 Netscape 7.2 Avant Browser 9.02 build 101 and 10.0 build 029 Maxthon (MyIE2) 1.1.039
22
Tabbed Browser Problems (2)

Dialog box can be spawned in active window from connection to an inactive window E.g., visit PayPal Get popup box to verify password Actually comes from rogue site in different window Possibility of diverting data into a form on a different window for a malicious Website Would try to enter data into form on legitimate site Data would actually go somewhere else
23
Anti-Phishing Steps
Proclaim, Protect, Pursue Proclaim in all correspondence the use of an official mark (e.g. TrustedSender stamp) Protect all messages, Web pages with the mark Pursue all impostors actively seek reports of phishing
Copyright 2004 Don Holden, CISSP Used with permission (and thanks).
24
Public Education
Use digitally-signed documents ONLY Dont release unsigned documents Get consumers used to idea that an unsigned document is an untrustworthy document Use public education campaigns No one will ever ask you to confirm your password Dont believe alerts that address you as Dear Customer. Link to APWG documents; e.g.,
http://www.antiphishing.org/consumer_recs.html
25
Possible Solutions
Strong Website authentication Mail server authentication Digitally-signed e-mail with desktop verification Digitally-signed e-mail with gateway verification
AWPG: Proposed Solutions to Address the Threat of Email Spoofing Scams http://tinyurl.com/5bo55
26
APWG Resources Page
27
CloudMarks Community Approach

Cloudmark SafetyBar http://www.cloudmark.com/ Works for Outlook and Outlook Express Community members report new spam or fraud at push of button Information sent worldwide to improve blocking Anti-fraudster measures Reliability of reports affects credibility of reporter Spammers and fraudsters would lose credibility fast
28
Cloudmark SafetyBar (2)
29
DISCUSSION
30

Phishing: Information Systems Security Association New England Chapter

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Phishing: Information Systems Security Association New England Chapter

Enviado por

Direitos autorais:

Formatos disponíveis

Phishing

Come With Me, Little Child

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

Phishing Basics (1)

Phishing Basics (2)

APWG Regular Reports

Recent Examples of Attacks From APWG

Not the proper domain for peoples.com

Copyright 2004 M. E. Kabay. All rights reserved.

Citibank (Nov 10)

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

Actually links to http://212.45.13.185/.payp al/index.php

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

Phishing Harms Firms

Copyright 2004 M. E. Kabay. All rights reserved.

Get a Job and Lose Money

Spoofed Page and Address Bar

Spoofed Address Bar

Copyright 2004 M. E. Kabay. All rights reserved.

Tabbed Browser Problems (1)

Tabbed Browser Problems (2)

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

APWG Resources Page

Copyright 2004 M. E. Kabay. All rights reserved.

CloudMarks Community Approach

Cloudmark SafetyBar (2)

Copyright 2004 M. E. Kabay. All rights reserved.

Copyright 2004 M. E. Kabay. All rights reserved.

Você também pode gostar