Phishing - A new age weapon
Abhishek Kumar
02/14/2005
Editor's note: At least one anti-virus vendor has reported the examples in this white paper as an "Exploit-URLSpoof" trojan. We assure you this is a false positive generated by the content of the paper, not an actual phishing attempt. Thanks to Aloysius Ring for letting us know.
Phishing is a form of social engineering attack used by cyber criminals to steal
sensitive information. Customers of leading banks have often been a target of Phishing.
This article focuses on the security measures that financial service providers can take
to prevent and manage a Phishing attack.
Motives
The exponential growth in online financial transactions has made Phishing a lucrative
option for attackers. Today almost all the banks provide online banking facilities and
the customers of these banks can easily become a target of Phishing. Using stolen
information, attackers can perform a number of fraudulent activities, which may include:
- Carrying out unauthorized transactions using stolen credit or debit card numbers.
- Logging into the banking application with the stolen username and password. The
attacker then has access to all of the user's financial details and can conduct
transactions on his behalf.
- Selling users' personal information (phone numbers, addresses, account numbers, etc.)
to others for further malicious activity.
- Denying service to legitimate users by changing their passwords and other contact
details.
- Ruining the customer's trust in the services provided by the bank and maligning the
brand name.
Attack techniques
Most Phishing attacks use a combination of fake emails and look-alike websites to fool
users into revealing their personal financial details. Users are usually sent an
official-looking forged email which appears to come from the genuine organization but is
actually sent by the attackers. This email lures the users into visiting a fake website
where they log on and update their personal information, thereby revealing their details
to the attackers.
In the following section a dummy bank called Rite Bank is used to illustrate a typical
Phishing attack. Figure 1.1 shows a Phishing email targeting Rite Bank customers. The
‘FROM’ address has been modified to make it look as if it was sent by the Rite Bank
support staff, and the subject line prompts the user to take urgent action.
Figure 1.1
Figure 1.2 shows the content of the email. The email asks the users to log on to the
online banking web site by clicking on an embedded link in the email and update their
information. When users click on the link “Click here to verify your account” in the
email, they are taken to a replica of the Rite Bank site and are fooled into providing
their login username, password and other information. In order to make the email look
authentic, Phishers often include security guidelines in the mail. In the example
discussed here the “Security Tips” link points to the security tips page on the actual
Rite Bank site.
Figure 1.2
This example shows just one of the ways in which a Phishing attack can be carried out.
There are other variations as well. For example a user can be asked to fill in a form
embedded directly within the fake email; when the user submits the form, the information
is sent to the attackers.
Exploited weaknesses
Let us now delve a little deeper into what makes a Phishing attack successful. Users'
lack of awareness about this kind of attack is perhaps the biggest contributor to the
success of Phishing. Since users are unable to tell a genuine email or website from a
fake one, they often end up providing their personal information.
Another reason is the easy accessibility of email addresses. Today attackers can easily
get access to large databases of email addresses, which allows them to quickly reach a
large number of potential victims. The addresses can belong to random users or to the
customers of a particular bank.
The ease of use of web technology also contributes to the success of Phishing. Using web
technologies attackers can quickly build and deploy a fake web site; compared to writing
viruses, worms or other exploits this is trivial. The only thing left is to lure the
users to visit this web site, which is effectively achieved through a fake email.
The existing weaknesses in the mail protocols further help the Phishers. For example
attackers can easily modify the “FROM” address in an email to make it appear to come
from a genuine source. Simple Web programming features are also used to fool the users.
Consider an HTML anchor (link) tag whose visible text is one URL while its href
attribute points to another. Such a tag is used to put a URL link in a web page or an
email. The user views the link as https://genuinesite.com but on clicking the link he is
taken to http://fakesite.com.
Apart from this, various advanced URL obfuscation techniques can be used to obscure the
final destination displayed in the browser. A user would see the correct web site name
displayed in his browser, whereas he might be visiting a completely different fake web
site.
Some recent browser vulnerabilities have helped in misleading the users too. One such
example was the Microsoft Internet Explorer URL spoofing vulnerability. This
vulnerability can allow an attacker to modify the address displayed on the address bar of
the browser, while a fake web site is opened. For example consider the URL given
below:
http://www.genuinesite.com%01%00@fakesite.com/
If this URL is visited, the address bar in the browser only displays
http://www.genuinesite.com, whereas the user is actually visiting a page on fakesite.com.
This vulnerability was caused by incorrect interpretation of URLs containing special
characters such as %01 and %00. The fix is to apply the patch released by the vendor.
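The two tricks described above (a link whose visible text names one site while its href points to another, and a URL that hides the real host behind userinfo and percent-encoded control characters) can both be caught on the mail-gateway side. The following is an added example written for this article, not code from the original paper or from any vendor; it scans the anchors in an HTML email body with Python's standard library and reports links that deserve scrutiny. The sample email body, the `fakesite.com` and `genuinesite.com` names, and the function names are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Percent-encoded control characters (%00-%1F) in the authority part of a URL
# were the trigger for the IE address-bar spoofing bug discussed above.
_ENCODED_CONTROL = re.compile(r"%[01][0-9A-Fa-f]")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Return the lowercase host named by a URL-looking link text, or None."""
    if not text.lower().startswith(("http://", "https://", "www.")):
        return None
    candidate = text if "://" in text else "http://" + text
    try:
        return urlsplit(candidate).hostname
    except ValueError:
        return None


def analyse_link(href, text=""):
    """Return a list of warnings for one link; an empty list means nothing suspicious."""
    warnings = []
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["unparseable href"]
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the browser connects to the part after it.
        warnings.append(f"userinfo before host: browser goes to {parts.hostname!r}")
    if _ENCODED_CONTROL.search(parts.netloc):
        warnings.append("percent-encoded control character in authority")
    shown = _host_of(text)
    if shown and parts.hostname and shown != parts.hostname:
        warnings.append(f"text shows {shown!r} but link goes to {parts.hostname!r}")
    return warnings


def find_deceptive_links(html):
    """Return [(href, text, warnings)] for every anchor in html that raised a warning."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        warnings = analyse_link(href, text)
        if warnings:
            findings.append((href, text, warnings))
    return findings


# Constructed sample in the spirit of the Rite Bank email above; not a real message.
SAMPLE_EMAIL = """
<p>Dear customer, your account needs urgent verification.</p>
<p><a href="http://fakesite.com/verify">https://genuinesite.com</a></p>
<p><a href="http://www.genuinesite.com%01%00@fakesite.com/">Click here to verify your account</a></p>
<p><a href="https://genuinesite.com/security-tips">Security Tips</a></p>
"""

if __name__ == "__main__":
    for href, text, warnings in find_deceptive_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for warning in warnings:
            print("   ", warning)
```

The third anchor in the sample, the genuine "Security Tips" link, produces no warning, which matters: a filter that flags every link is ignored, so the checks are deliberately limited to the two concrete deceptions the text describes.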
The relative anonymity of the web makes it very difficult to locate the culprits.
Attackers can quickly launch a Phishing attack and clear all the traces equally fast. The
existing anti-spam software and content filters are not very effective in detecting and
stopping Phishing emails. Moreover, most of the currently deployed web applications lack
any anti-Phishing features. All these reasons together are contributing to the
explosive growth in Phishing attacks.
Building up the defense
The saying goes “Good security is dependent on People, Process, and Technology”. This
approach applies to the defense against Phishing also. Solutions against Phishing are
still in their nascent stage, yet a combination of defense mechanisms can be built to
deter Phishing attacks. The following sections discuss steps that can be implemented by
banks to protect against Phishing attacks.
Improving technical controls in application
Various technical controls that can help in preventing Phishing attacks should be built
within the web applications. The first defense should be strengthening the authentication
mechanism in a web application. A simple username and password based authentication is
not sufficient for web sites providing critical financial transactions. The
authentication process should be complemented by introducing hardware tokens or client
certificates.
Hardware tokens
With a challenge-response token device, the application sends back a ‘challenge’ when
the user logs in with his user name and password. The challenge, which is a random
number, is keyed into the hardware token device to generate a new ‘response’. This
response is sent to the application for the second level of authentication. Since the
response generated by the token device is different each time, the Phisher would not be
able to access the site without the token device, even if he manages to steal the first
level username and password.
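To make the two-level exchange concrete, here is an added example (written for this article, not the paper's own code or any token vendor's implementation) of the server side of a challenge-response login and of what the token computes. It assumes the token derives its response as an HMAC-SHA256 of the challenge under a secret sealed inside the device at issue time, truncated to eight digits; real tokens use vendor-specific algorithms. The user names, passwords and secrets are constructed.

```python
import hashlib
import hmac
import secrets
import time


def derive_response(token_secret, challenge):
    """What the token device computes: an HMAC-SHA256 over the challenge, truncated
    to 8 decimal digits so the user can read it off the device and type it in."""
    digest = hmac.new(token_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class BankAuthServer:
    """Two-level login: password first, then a single-use challenge answered by the token."""

    CHALLENGE_TTL = 60  # seconds a challenge stays valid

    def __init__(self):
        self._users = {}    # username -> (password hash, salt, token secret)
        self._pending = {}  # username -> (challenge, time issued)

    def register(self, username, password, token_secret):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (pw_hash, salt, token_secret)

    def first_level(self, username, password):
        """Check username/password; on success issue a fresh random challenge."""
        record = self._users.get(username)
        if record is None:
            return None
        pw_hash, salt, _ = record
        given = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(pw_hash, given):
            return None
        challenge = secrets.token_hex(8)  # 16 hex characters, fresh every login
        self._pending[username] = (challenge, time.time())
        return challenge

    def second_level(self, username, response):
        """Verify the token's response. The challenge is consumed whether or not
        the response is right, so a captured response cannot be replayed later."""
        pending = self._pending.pop(username, None)
        if pending is None:
            return False
        challenge, issued = pending
        if time.time() - issued > self.CHALLENGE_TTL:
            return False
        expected = derive_response(self._users[username][2], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = BankAuthServer()
    token_secret = b"secret-sealed-in-alice-token"  # constructed value
    server.register("alice", "correct horse", token_secret)
    challenge = server.first_level("alice", "correct horse")
    print("challenge shown to user:", challenge)
    print("genuine token accepted:",
          server.second_level("alice", derive_response(token_secret, challenge)))
    challenge = server.first_level("alice", "correct horse")
    print("password-only attacker accepted:",
          server.second_level("alice", derive_response(b"wrong", challenge)))
```

The point the text makes is visible in the last two lines: a Phisher who has captured the username and password still reaches the second level, but without the device secret cannot produce a valid response, and a response captured from one session is useless for the next because the challenge is consumed on first use.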
Smart cards
In a Smart Card enabled application only a user holding the right card can get access to
the web application. Since a Phisher would not have a valid Smart Card he would be denied
access even if he manages to obtain information such as the username, password, account
numbers etc. The caveat with smart cards is the added infrastructure required to
implement this solution; the infrastructure overhead of hardware token devices is much
lower.
Web page personalization
Using hardware token devices or client certificates may require a lot of changes in an
existing application; as such these are more relevant for new applications that are
being developed. Existing applications can introduce other simple solutions to reduce
the risk of Phishing.
One simple feature that can be built is to make it harder for people to impersonate a
site. One way to achieve this is to personalize the web application for the users. Web
sites can use two pages to authenticate the users. The first page can ask the user to
provide only the user name. On receiving a valid username the user is given a
personalized page for entering password. The second page can be personalized based on
some user provided phrase or a user chosen image etc. It would be difficult for a fake
site to provide the second page.
Personalization of web pages can also be achieved in other ways. Client side persistent
cookies can be used to present a personalized login page to the user. When the user logs
in for the first time, the application can set a cookie with a simple personal but
non-confidential string (e.g. the user's first name). The next time the user comes
back, the application can greet the user with this string before he logs in. A Phishing
site will not be able to read the cookie containing the string if the cookie is scoped
to the bank's domain. As a result, the user will not see the greeting string and would be
tipped off that the site is not genuine. The success of these options again depends a
lot on the alertness of the end user.
Implementing secure internal processes
Banks manage sensitive information of their customers, both personal as well as financial
details. Such organizations should follow secure processes while handling any customer
information. Secure internal processes would help in preventing any leakage of customer
information including email addresses which may be used for Phishing. This may include
activities such as:
- Restrict customer database access to authorized users only.
- Dispose of storage media only after erasing any user information it contains.
- Make all personnel handling customer data aware of the confidentiality requirements
and the risks of a breach.
- Do not expose customer email addresses in mass mailings.
- Share email addresses only with authorized marketing partners or other groups that
have similar security controls.
Regulations such as GLBA (the Gramm-Leach-Bliley Act) can be referred to for building
in the required security controls. For example Section 314.4 of the GLBA Safeguards
Rule specifies the following requirements to be followed by financial organizations to
protect customer data:
- Limit access to customer information to employees who have a business reason for
seeing it. Maintain systems and procedures to ensure that access to non public consumer
information is granted only to legitimate and valid users.
- Encrypt sensitive customer information when it is transmitted electronically over
networks or stored online. Provide for secure data transmission (with clear instructions
and simple security tools) when you collect or transmit customer information.
Brand monitoring
As an additional control, banks should also keep track of the usage of their brand on
the Internet. This would involve monitoring for activities such as registration of
similar domain names, usage of the brand within web pages, and usage of the brand in
spam emails. Today companies such as NetCraft, Cyota, Cyveillance and Envisional provide
these services. This information can be used to track down suspicious activity and take
remedial measures.
Increasing Customer awareness
Success of a Phishing attack to a large extent depends on the response of the users.
Hence adequate security measures need to be implemented on the user side. A number of
attacks can be prevented if the users are alert and aware of the threats. Banks should
take steps to make their customers and employees aware of basic security
practices.
Banks should conduct customer awareness programs to train customers to identify genuine
emails and web sites. Guidelines should be issued to the customers to inform them about
the way the bank will communicate with them. These awareness sessions should be
conducted periodically and in a manner that is easy for the end user to understand.
Guidelines can be provided in the form of documents which are given at the time of
customer registration. Guidelines can also be displayed as security instructions on the
web site and shown to the user before the user logs on. This may include informing the
customers about the kind of mails that will be issued to them and what can be spurious /
hoax emails. Specifically the users should be told that:
- They will never be asked to provide their username, password, credit card number,
full name, bank account number etc. by email.
- Emails from the bank will not contain embedded links or ask the users to fill
information into forms.
- Emails from the bank will never ask the users to download software from other sites or
to go to any site apart from the known banking sites.
- They should always visit the web site by typing the address directly into the
browser, and look for secure website indications (an https connection and the lock icon)
when submitting a username, password, credit card number or other sensitive information
via the web browser.
- They should be suspicious of any email with urgent requests for personal
information.
The customers must also be informed about other security best practices, which can
include:
- Keeping the browser up to date with all the security patches applied.
- Having well-configured personal anti-spam and anti-virus software on their computers.
- Using a simple pop-up blocker to help in stopping automatic execution of malicious
code.
- Using anti-spyware tools occasionally to remove any lurking malware from the
computer.
The risk of Phishing would be reduced a lot if users were able to identify fake emails.
Use of ‘Digital Signatures’ is one good option to differentiate fake emails from real
ones. As far as possible banks should digitally sign all customer communication sent by
email and inform customers how to identify a valid signature. The public key required to
verify the bank’s signature can be provided to the user on a CD-ROM with the required
instructions.
End user Browser tools
Apart from awareness sessions, users can also be provided with simple browser tools such
as SpoofStick or ScamBlocker which can help them identify fake websites. SpoofStick by
CoreStreet works on the principle of a visual alert: it displays the most relevant domain
information of the site in the browser, as shown in Figure 1.3. If the users are alert
they would see a wrong domain name and would be able to identify a fake site. These
tools are not a solution to Phishing but can help in detecting spurious web sites.
Figure 1.3 - SpoofStick
Contingency measures
No solution is foolproof. Companies should be prepared to reduce the impact of a
successful Phishing attack, and various contingency measures should be put in place to
quickly recover from one. Banks should provide an easy-to-use fraud reporting mechanism
to the customers and make them aware of how to report frauds. This can be through email,
a web page or phone. Banks should also have a way to quickly contact all their customers
and inform them of the safety measures that they should take in response to a Phishing
attack.
Applications should also have a feature to force all users to securely change their
passwords in case of an attack. Once an attack is detected, the application introduces
an additional page after the login page that asks for some information unique to the
user and unknown to the Phishers. This can be anything like date of birth, spouse's
name, social security number etc. Once the user fills this in, another page comes up
asking the user to change his password. Thereafter the user logs on to the site as a
normal user. This additional module can be activated as soon as a report of Phishing is
received, and the mechanism can stay on the site for a few months so that all users get
to change their password. This is a non-intrusive way to protect users and make them
change their passwords.
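The two-page personalized login described under "Web page personalization" and the forced password change described just above are two states of the same login flow, so one added example covers both. It is written for this article and is not the paper's own code; the class name, the choice of a user-chosen phrase as the personalization, PBKDF2 for storing passwords and secret answers, and all user data are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def _hash(value, salt):
    """Salted PBKDF2 so neither passwords nor secret answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class PersonalizedLogin:
    """Two-page login with a user-chosen phrase, plus an incident mode that
    forces each user through an identity check and a password change once."""

    def __init__(self):
        self._users = {}              # username -> record dict
        self._awaiting_reset = set()  # passed page 2 in incident mode, not yet reset
        self._reset_done = set()      # users who have already changed their password
        self.incident_mode = False    # switched on when a Phishing report is received

    def register(self, username, password, phrase, secret_answer):
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._users[username] = {
            "phrase": phrase,
            "pw_salt": pw_salt, "pw": _hash(password, pw_salt),
            "ans_salt": ans_salt, "answer": _hash(secret_answer.strip().lower(), ans_salt),
        }

    def page1(self, username):
        """Page 1: username only. A valid username yields the user's chosen phrase,
        which the genuine password page displays and a fake site cannot know.
        (Caveat: this confirms which usernames exist, so rate-limit this page.)"""
        user = self._users.get(username)
        return user["phrase"] if user else None

    def page2(self, username, password):
        """Page 2: the personalised password page. Returns 'ok', 'denied' or,
        during an incident, 'verify-identity' for users who have not yet reset."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["pw"], _hash(password, user["pw_salt"])):
            return "denied"
        if self.incident_mode and username not in self._reset_done:
            self._awaiting_reset.add(username)
            return "verify-identity"
        return "ok"

    def verify_and_reset(self, username, secret_answer, new_password):
        """Extra page shown after login during an incident: the user proves
        something the Phisher did not capture, then chooses a new password."""
        if username not in self._awaiting_reset:
            return False
        user = self._users[username]
        given = _hash(secret_answer.strip().lower(), user["ans_salt"])
        if not hmac.compare_digest(user["answer"], given):
            return False
        user["pw_salt"] = secrets.token_bytes(16)
        user["pw"] = _hash(new_password, user["pw_salt"])
        self._awaiting_reset.discard(username)
        self._reset_done.add(username)
        return True

    def end_incident(self):
        """Turn the extra page off again once the incident is over."""
        self.incident_mode = False
        self._reset_done.clear()


if __name__ == "__main__":
    site = PersonalizedLogin()
    site.register("alice", "old-pw", "blue heron", "Springfield")  # constructed data
    print("page 1 shows phrase:", site.page1("alice"))
    site.incident_mode = True
    print("page 2 during incident:", site.page2("alice", "old-pw"))
    print("reset with right answer:", site.verify_and_reset("alice", "springfield", "new-pw"))
    print("old password afterwards:", site.page2("alice", "old-pw"))
```

The identity page is only reachable after a correct password, and the extra step is taken once per user, so customers who log in during the incident window are migrated to new passwords without any mailing, which is exactly what makes the mechanism non-intrusive.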
The users should also take immediate remedial measures if they detect that they have
received a possible Phishing mail. This could include activities such as:
- Informing the bank about the mail and its details
- Immediately changing the password used to logon or perform transactions
Looking ahead
A few upcoming technologies can also help in curbing the growing Phishing menace. The
Microsoft-championed “Sender ID Framework” is one such effort. Another approach is the
“Identified Internet Mail” proposed by Cisco. Both proposals aim to stop forged emails
from reaching the end user.
In most Phishing emails the “FROM” address is modified to make it appear to come from a
genuine source. The Sender ID Framework tries to prevent email domain spoofing. It
verifies that an email message originates from the domain it claims to come from, using
the IP address of the sending mail server to check this. The receiver’s inbound mail
server forwards a message only if it originates from the right domain.
Cisco's Identified Internet Mail (IIM) is a signature-based authentication mechanism for
deciding the validity of mail. Using public key cryptography the sending domain signs
the email, and the receiving domain verifies the signature. IIM can be used for signing
and verification either at the domain or at the user level. A policy can be implemented
to decide what to do with the results of verification: unsigned email messages or
messages with invalid signatures can be categorized as possible Phishing attacks.
A few consortiums such as FSTC (Financial Services Technology Consortium) and the APWG
(Anti-Phishing Working Group) are also working towards a solution. These groups have
pooled their resources to come up with a standard framework which can be implemented by
financial organizations to counter Phishing threats.
Over time the efficiency of anti-spam and content filter software would also improve.
The number of spam and fake emails that are detected and stopped by these applications
would increase as their detection signatures improve.
Conclusion
The problem of Phishing does not have a single solution as of now. Phishing is not just a
technical problem and Phishers would keep coming up with new ways of attacking the users.
Banks should undertake periodic vulnerability analysis to identify and plug weaknesses
that can lead to a successful Phishing attack. The solution lies in a combination of
controls setup by the organization and user awareness.
Figure 1.4
References
- Cisco Systems. “Identified Internet Mail”. www.identifiedmail.com
- Microsoft Corporation. “Sender ID Framework”. www.microsoft.com
- Anti-Phishing Working Group. Resources. www.antiphishing.org
- Financial Services Technology Consortium. www.fstc.org
- Gramm-Leach-Bliley Act. http://www.ftc.gov/privacy/glbact/
- Ollmann, Gunter. “The Phishing Guide”. www.ngssoftware.com