Latest Threat Research Report - 31st March 2008
 
Phishing: Avoid Being the Catch of The Day
 

Abstract
 
Phishing is now a widespread threat in the online community. With many products, solutions and services on the market claiming to mitigate it, it is wise to step back, look at the Phishing threat itself and identify its components. This report does so by studying a range of Phishing attacks and the processes involved, and by comparing them with attacks that predate the term.

The first step to winning a war is to know thy enemy. Once the components of a Phishing attack are identified, the available controls can be mapped onto them, showing which part of the threat each control actually mitigates.
 

Introduction / Background
 
Today, Phishing attacks and their many variants are at the forefront of the news. Because of this publicity, organizations that offer services online, especially online banking, are looking into various controls to mitigate the risk of Phishing attacks.

These controls range from Two Factor Authentication (2FA) solutions, anti-Phishing plug-ins for web browsers, fraud detection systems, website take-down services, user awareness training and a variety of end-user software.

While all of these controls help in the fight against Phishing, it should be noted that each tackles only one, or at most two, parts of a typical Phishing attack, and none addresses it in its entirety.

“But what are the various parts of a typical Phishing attack?” you may ask. The four parts are Redirection, Disclosure, Impersonation and Unauthorized Usage. Each is explained in more detail in the following sections.
 

Anatomy of a Phishing Attack
 

Figure 1: Anatomy of a Typical Phishing Attack


A Phishing attack is made up of several conventional attacks (conventional in the sense that we experienced them before the term Phishing was coined), and these can be grouped into four parts: Redirection, Disclosure, Impersonation and Unauthorized Usage. The first part is usually a social engineering attack that lures victims to a masquerade site. The second part takes place on that site, where the victim discloses their credentials. In the third part the attacker impersonates the victim using the stolen identity. The fourth part, Unauthorized Usage, usually consists of a fund transfer (where applicable) or some other unauthorized transaction.

There is sometimes a fifth part: laundering the stolen money into an account the attacker controls. This usually involves a variant of the Nigerian scam in which another set of victims have disclosed their bank account details and act as intermediaries to move funds from the victim to the attacker. This document does not cover the fifth part, as there are too many variants.
 
Redirection
What is it?
The first part of a Phishing attack involves redirecting the victim to what is commonly known as a Phishing site. A Phishing site is a mock-up of a real website, complete with username and password fields; for this reason it is also known as a masquerade site. A good masquerade site will fool the user into logging in with their credentials, which leads to the second part, Disclosure.

How do they do it?
There are various ways for an attacker to redirect a victim to a masquerade site but they are generally categorized into Social Engineering or Automatic/Technical methods.

Social Engineering methods typically involve sending out Phishing emails that cite a system upgrade, an attack on the current systems or some other plea to get the victim to click on a link provided in the email. Instead of leading to the genuine website, the link takes the victim to the masquerade site. Whether the victim clicks on the link or types in an address that resembles, but is not, the genuine one, such as www.paypal-secure.com, the method depends entirely on convincing the victim to go to a site that does not belong to the genuine organization.
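As an added example (not part of the original report), the following Python script applies the checks a mail gateway or a user-awareness tool could run on a link before the user clicks: it flags bare IP addresses, user-info tricks such as http://paypal.com@evil.example/, and hosts that carry a brand name but belong to a different registrable domain. The legitimate-domain list, brand tokens, suffix table and sample links are constructed assumptions.

```python
"""Flag email links whose host only looks like a legitimate site."""
from urllib.parse import urlsplit
import ipaddress

# Assumption: the registrable domains the organisation actually owns.
LEGITIMATE_DOMAINS = {"paypal.com", "maybank2u.com.my"}
# Assumption: brand words an attacker would reuse in a lookalike host name.
BRAND_TOKENS = {"paypal", "maybank"}
# Two-label public suffixes that appear in the list above.  A real deployment
# would load the full Public Suffix List; this one-entry table is an assumption.
MULTI_LABEL_SUFFIXES = {"com.my"}


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com'; 'www.maybank2u.com.my' -> 'maybank2u.com.my'."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple:
    """Return (verdict, reason) for a link found in an email body."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("suspicious", "no host name in link")
    # A bare IP address: no bank links its login page by IP.
    try:
        ipaddress.ip_address(host)
        return ("suspicious", "link points at a bare IP address")
    except ValueError:
        pass
    # http://paypal.com@evil.example/ shows the brand but connects elsewhere.
    if parts.username is not None:
        return ("suspicious", "user-info before '@' hides the real host")
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return ("legitimate", "registrable domain %s is ours" % reg)
    if any(tok in host for tok in BRAND_TOKENS):
        return ("suspicious", "brand name in host but registrable domain is %s" % reg)
    return ("unknown", "registrable domain %s is not in the list" % reg)


if __name__ == "__main__":
    # Constructed sample links.
    for link in ["https://www.maybank2u.com.my/login",
                 "http://www.paypal-secure.com/login",
                 "http://paypal.com@203.0.113.10/",
                 "https://maybank2u.com.my.example.net/"]:
        print(link, "->", classify_link(link))
```

The registrable-domain step is what matters: a brand name anywhere in the host is meaningless unless the part the registrar actually sold matches one the organization owns, which is why www.maybank2u.com.my passes but maybank2u.com.my.example.net does not.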

Automatic/Technical methods are more devious and typically require more skill and effort on the part of the attacker. The attacker modifies some part of the Domain Name System (DNS) process, which translates a human-readable address (a URL such as www.maybank2u.com.my) into an address computers use (an IP address such as 203.0.113.10). This can be done by poisoning the victim machine's hosts file, a proxy server's hosts file or the cache of the local DNS resolver. Once this is in place, a victim who types the legitimate address into their web browser, or even follows a bookmark, is automatically sent to the masquerade site. This requires no contact, online or in person, between attacker and victim.
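As an added example (not from the report), this Python script checks a hosts file for the kind of tampering described above: any entry that pins a monitored domain to an address is reported, since those names should only ever be answered by public DNS. The monitored list and the hosts-file text are constructed; the resolver-cache case needs a live resolver to compare against and is not covered.

```python
"""Report hosts-file entries that hijack monitored domains (pharming check)."""
import ipaddress

# Assumption: names that must never be resolved from a hosts file.
MONITORED = {"www.maybank2u.com.my", "maybank2u.com.my", "www.paypal.com"}

# Constructed sample: a normal local entry, a comment, and one pharming entry.
# On a real machine read /etc/hosts or
# C:\Windows\System32\drivers\etc\hosts instead.
SAMPLE_HOSTS = """
127.0.0.1   localhost
# work printer
192.168.1.20 printer.corp.example
203.0.113.45  www.maybank2u.com.my  maybank2u.com.my   # pharming entry
"""


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, skipping comments and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])   # first field must be an address
        except ValueError:
            continue
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def find_hijacks(text: str, monitored=MONITORED) -> list:
    """Return every entry that maps a monitored name to an address.

    The address itself is irrelevant: a bank's name appearing in the hosts
    file at all means the resolution path has been tampered with.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if name in monitored]


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print("hosts-file override for %s -> %s" % (name, ip))
```

The same check belongs in an endpoint baseline: a hosts file on a normal workstation should contain nothing beyond loopback and local names, so any bank or payment domain in it is a finding regardless of where it points.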

How do we not fall for it?
Given the above, the only controls that address redirection with any efficiency are user awareness and a Public Key Infrastructure (PKI) that authenticates both client and server, and even these are not fool-proof. It is still up to the user to decide whether to click on a link in an email. Browser warnings raised when a server's certificate cannot be verified can be overridden with a click, or are simply ignored. How many of us actually read the warning that a site's certificate has expired, or that the name on the certificate does not match the site? There have also been cases of unauthorized persons obtaining valid certificates, because the verification performed by Certification Authorities (CAs) is inherently limited by geography and bureaucracy (Schneier, 2001; Ellison & Schneier, 2000).
 
Disclosure
What is it?
This is the part where the attacker deceives the victim into disclosing personal information: usernames and passwords, credit card details, account numbers, and personal identifiers such as a Social Security number, a National Registration Identity Card (NRIC) number or an employee number.

Why do we fall for it?
Masquerade sites are getting better and better at imitating genuine sites, and are now detailed enough to fool the casual onlooker. A victim who does not suspect that the site is a masquerade has no reason to hesitate before logging in, and hands the attacker their username and password.

Though the masquerade site is the most notorious method, a simple phone call in which the attacker poses as someone in a position of authority, whether in government, law enforcement or the targeted corporation, and deceives the victim into disclosing such information can also be considered a Phishing attack. There is a documented case in which disclosure over the phone was accomplished without the victim ever revealing their actual password (Mitnick, Simon & Wozniak, 2003).

How do we not fall for it?
Most of the controls that mitigate disclosure mirror those for redirection: user awareness and PKI remain effective. Website take-down services and multi-factor authentication (2FA or 3FA) are others, with the caveat that a one-time code typed into a masquerade site can still be relayed to the genuine site while it remains valid, so the second factor limits the damage of disclosure rather than preventing it. Browser plug-ins that detect Phishing sites can also help, but lose their value if they raise too many false alarms, and when they do, user awareness and training become the best way to confirm whether a site is genuine.
 
Impersonation
What is it?
Impersonation involves the attacker assuming the identity of the victim to access whatever services, or obtain whatever information, the victim is entitled to. This is usually done with credentials (username, password, token value, etc.) acquired in the earlier parts of the attack, but not always; hence Impersonation deserves a part of its own.

Why do we fall for it?
Any user who leaves their system unattended, unlocked and still logged on is a prime target for impersonation. The attacker does not even have to steal the victim's information!

An attacker can also impersonate a victim without any redirection or disclosure by cracking the password, using either a brute-force or a dictionary attack. Simple, easy-to-guess passwords are easy pickings.

How do we not fall for it?
Simple user awareness, that users should always log off when leaving a system or stepping away from their terminals, even for a trip to the washroom, is essentially the only effective control. At the very least users should lock the screen with a password-protected screensaver, so that a terminal left unattended for an extended period cannot be taken over easily.

Password policies can be enforced with an effective Identity and Access Management (IAM) solution. Requiring letters, numbers, special characters, mixed upper and lower case and a minimum length, and rejecting dictionary words, are some of the rules that help defeat password cracking. Another control is a fraud identification engine that detects an attacker making repeated attempts to crack the password of one account or of many accounts.
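The following added example (not the report's own code) shows the three mechanisms this section describes in Python: the policy rules above as a checker, an offline dictionary attack against salted PBKDF2 hashes that recovers a decorated dictionary word but not a policy-compliant password, and the detection logic a fraud identification engine would run over authentication logs to spot repeated failures against one account. The dictionary, hash parameters, thresholds and log lines are constructed assumptions.

```python
"""Password policy, dictionary attack and guessing-attack detection."""
import hashlib
import re
import string
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional

# Assumption: a tiny dictionary; a real check uses a breached-password list.
DICTIONARY = ["password", "welcome", "letmein", "maybank", "qwerty"]


def policy_failures(pw: str, min_len: int = 12) -> List[str]:
    """Return the rules a password breaks; an empty list means it passes."""
    failures = []
    if len(pw) < min_len:
        failures.append("shorter than %d" % min_len)
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    # 'Welcome2008!' is still a dictionary word once the decoration is removed.
    if re.sub(r"[^a-z]", "", pw.lower()) in DICTIONARY:
        failures.append("dictionary word")
    return failures


def hash_password(pw: str, salt: bytes, rounds: int = 1000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; rounds kept low only so the demo is instant."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def dictionary_attack(salt: bytes, target: bytes) -> Optional[str]:
    """Offline attack: try each word with common manglings against a stored hash."""
    for word in DICTIONARY:
        for cand in (word, word.capitalize(), word + "1",
                     word.capitalize() + "1!", word + "2008"):
            if hash_password(cand, salt) == target:
                return cand
    return None


# Constructed authentication log: timestamp, result, account, source address.
SAMPLE_LOG = """
2008-03-31T09:00:01 FAIL acct=alice src=203.0.113.9
2008-03-31T09:00:02 FAIL acct=alice src=203.0.113.9
2008-03-31T09:00:03 FAIL acct=alice src=203.0.113.9
2008-03-31T09:00:04 FAIL acct=alice src=203.0.113.9
2008-03-31T09:00:05 FAIL acct=alice src=203.0.113.9
2008-03-31T09:00:06 OK   acct=alice src=203.0.113.9
2008-03-31T09:15:00 FAIL acct=bob   src=198.51.100.4
2008-03-31T09:40:00 OK   acct=bob   src=198.51.100.4
"""
LOG_RE = re.compile(r"(\S+)\s+(FAIL|OK)\s+acct=(\S+)\s+src=(\S+)")


def guessing_alerts(log: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Online attack: flag (account, source) pairs with `threshold` failures
    inside one `window`, whether or not a later attempt succeeded."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == "FAIL":
            ts, _, acct, src = m.groups()
            failures[(acct, src)].append(datetime.fromisoformat(ts))
    alerts = []
    for (acct, src), times in failures.items():
        times.sort()
        # Sliding window: the i-th failure against the one (threshold-1) before it.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                alerts.append("%s from %s: %d failures within %s"
                              % (acct, src, threshold, window))
                break
    return alerts
```

Note that the alice sequence ends in a successful login; a detector that only counts failures until the next success would miss exactly the case where the guess finally landed, so the window is evaluated over the failures alone and the success afterwards is what makes the alert urgent.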
 
Unauthorized Usage
What is it?
This is the raison d'être of the malicious cracker: to use the victim's account for various misdeeds. The most typical are transferring money out of the victim's account or making unauthorized purchases with the victim's credit card. It comes down to doing things with the victim's resources that the victim would never approve of.

Why do we fall for it?
Once the attack has progressed to this point, it is usually a little too late to do anything about it. Our identity has already been compromised, and we find out only from discrepancies in our account balance, transaction records or credit card statement.

How do we not fall for it?
The only real way to counter this is a combination of a sophisticated fraud detection system and transaction alerts sent over an Out-Of-Band (OOB) channel, such as a message to a phone number registered before the attack. This sounds complicated and expensive, and it is.

Therefore we should never let an attacker reach this stage. By applying the controls described in the previous parts, we can avoid being the catch of the day.
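As an added illustration of the fraud detection and OOB alerting described above (not the report's or any vendor's code), the Python below scores each transfer on three assumed signals, new payee, large amount and velocity, holds the transfer when the score crosses a threshold, and produces the message that would go out over the OOB channel for the customer to approve. The account history, weights and thresholds are constructed assumptions.

```python
"""Transaction fraud rules with out-of-band confirmation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Transfer:
    when: datetime
    account: str
    payee: str      # destination account identifier
    amount: float


@dataclass
class Alert:
    transfer: Transfer
    reasons: List[str]

    def oob_message(self) -> str:
        """Text for the SMS or phone channel; shows only the tail of the payee id."""
        t = self.transfer
        return ("Transfer of %.2f to payee ending %s from %s is on hold. "
                "Reply YES to approve." % (t.amount, t.payee[-4:], t.account))


class FraudRules:
    """Score each transfer on three signals and hold it if the score is high.

    Assumed weights and thresholds; a production engine uses many more signals.
    """
    WEIGHTS = {"new payee": 1, "large amount": 2, "velocity": 2}
    HOLD_AT = 2

    def __init__(self, large_amount: float = 5000.0,
                 velocity_window: timedelta = timedelta(hours=1),
                 velocity_max: int = 3):
        self.large_amount = large_amount
        self.velocity_window = velocity_window
        self.velocity_max = velocity_max
        self.history: List[Transfer] = []   # transfers that were allowed through

    def evaluate(self, t: Transfer) -> Optional[Alert]:
        """Return an Alert (and hold the transfer) or None (and record it)."""
        prior = [h for h in self.history if h.account == t.account]
        reasons = []
        if all(h.payee != t.payee for h in prior):
            reasons.append("new payee")
        if t.amount >= self.large_amount:
            reasons.append("large amount")
        recent = [h for h in prior if t.when - h.when <= self.velocity_window]
        if len(recent) + 1 > self.velocity_max:
            reasons.append("velocity")
        if sum(self.WEIGHTS[r] for r in reasons) >= self.HOLD_AT:
            return Alert(t, reasons)
        self.history.append(t)
        return None

    def confirm(self, alert: Alert) -> None:
        """Called when the customer answers YES out of band."""
        self.history.append(alert.transfer)


def run_sample() -> List[Alert]:
    """Constructed history: two normal bill payments, then a phished session."""
    rules = FraudRules()
    day1 = datetime(2008, 3, 29, 9, 0)
    activity = [
        Transfer(day1, "ACC-1001", "PAYEE-ELECTRIC-7781", 120.0),
        Transfer(day1 + timedelta(days=1), "ACC-1001", "PAYEE-ELECTRIC-7781", 120.0),
        # attacker first tries one big transfer to a mule account ...
        Transfer(day1 + timedelta(days=2), "ACC-1001", "PAYEE-MULE-2291", 9000.0),
    ]
    # ... then tries to stay under the amount rule by splitting it up.
    activity += [Transfer(day1 + timedelta(days=2, minutes=i), "ACC-1001",
                          "PAYEE-MULE-2291", 1500.0) for i in range(1, 5)]
    alerts = []
    for t in activity:
        a = rules.evaluate(t)
        if a is not None:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.reasons, "->", alert.oob_message())
```

Two design points carry over to a real engine: a held transfer is not added to the history, so an attacker cannot "warm up" a mule payee with a blocked attempt, and the OOB message carries only the tail of the payee identifier so the alert itself discloses nothing useful if the phone is shared or the message is intercepted.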
 

Variants of Phishing Attacks
 

Figure 2: Variants of Phishing Attacks

Here are some variants of the typical Phishing attack we have all come to know: the illegitimate email that directs you to a masquerade site, where you key in your username, password and whatever else the attacker would love to obtain from you and use for their own benefit.

Phishing: An email with a link to the masquerade site is sent to a large, indiscriminate list of recipients, whether rich or poor, and whether or not they even know how to log in to an online banking application. Think of a fishing trawler that scoops up everything on the bottom: fish, stingrays, rocks and, yes, even coral.

Spearphishing: A more refined form of Phishing that targets only specific groups of users, so there is no picking up of worthless rocks and coral that only weigh the trawler down. Grab the spear or spear gun and pick out the juiciest, fattest, most succulent fish.

Pharming: The Automatic/Technical redirection method described earlier is usually called pharming. It is automated and needs no social engineering to redirect the victim to the masquerade site. No fishing analogy comes to mind, so let us leave it at that.

Vishing: A purely social engineering form of Phishing carried out by phone. As it is usually done over Voice over IP (VoIP), it has been dubbed vishing. The attacker typically impersonates someone in authority at the target organization, in government service or in law enforcement to deceive the victim into disclosing confidential information.
 

Trends in Phishing Today
 
Today's Phishing landscape is very interesting. It has become a market segment unto itself, with crackers stealing identities en masse and selling them to other crackers who wish to impersonate those identities and commit unauthorized usage. Your credit card details or your online banking username and password could very well be for sale on some seedy underground (figuratively speaking) cracker forum.

The unfortunate circumstance is that, in many jurisdictions, stealing information is not in itself a major crime, which makes clamping down on these activities difficult. It is typically only the unauthorized usage part of the attack, and in certain countries the impersonation part, that is a crime.

The other problem is that the reach of the internet lets crackers steal and abuse identities from across the globe. With international law enforcement still ineffective against cyber-crime, correcting the problem remains difficult, and even if it were to come together there would always be countries that do not cooperate, providing a haven for these crackers.
 

Summary
 
With the high profile of Phishing attacks, we need to know how to counter the threat effectively to maintain customer confidence and mitigate business risk. With the plethora of controls out there claiming to stop Phishing, stop and ask yourself: “Which part of the Phishing problem does this control solve?”

Once you can answer that question, you can plan exactly how to deploy the various controls against the various parts of the attack. Since there are many variants and not every variant uses every part, there is still no single control that solves Phishing in its entirety.

The most important control, and the hardest to implement, is user awareness. For example: never disclose private or confidential information, whether over the phone, online, in person or in writing, to any entity you cannot verify. Is that website really my bank's? Is the person on the phone really calling from my bank? Is the man in the shopping mall telling me to update my details really contracted by my bank? Do they have a right to know?

With the right controls and a proper understanding of what each one does, we can protect ourselves effectively against the Phishing threat, including its variants Vishing, Pharming and Spearphishing. That is how we Avoid Being the Catch of the Day.
 

References
 
  • Schneier, B. (2001, April 15). Crypto-Gram Newsletter: Fake Microsoft Certificates. Retrieved November 6, 2007, from http://www.schneier.com/crypto-gram-0104.html

  • Ellison, C., & Schneier, B. (2000). Ten Risks of PKI: What You're Not Being Told about Public Key Infrastructure. Computer Security Journal, Volume XVI, Number 1.

  • Mitnick, K. D., Simon, W. L., & Wozniak, S. (2003). The Art of Deception: Controlling the Human Element of Security. Wiley.