Copyright © 2004 M. E. Kabay. All rights reserved.
Phishing
Information Systems Security Association, New England Chapter
Tuesday 16 Nov 2004
M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance, Division of Business & Management, Norwich University
mailto:[email protected]  V: 802.479.7937
Come With Me, Little Child
  (Sample phishing e-mail posing as a Microsoft security bulletin)
  From: Microsoft Corporation Technical Bulletin [ljseedwnge-[email protected]]
  Sent: Thu 9/18/2003 3:32
  To: MS Customer
  Cc:
  Subject: Network Critical Patch

  Microsoft Customer
  This is the latest version of security update, the 'September 2003, Cumulative Patch' update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three new vulnerabilities. Install now to help maintain the security of your computer from these vulnerabilities. This update includes the functionality of all previously released patches.
Topics
  Phishing Basics
  Serious Problem
  APWG Regular Reports
  Recent Examples
  Phishing Harms Firms
  Problem Increasing
  Anti-Phishing Steps
  Public Education
  Possible Solutions
Phishing Basics (1)
  Pronounced "fishing"
  Scam to steal valuable information such as credit cards, social security numbers, user IDs and passwords
  Also known as "brand spoofing"
  Official-looking e-mail sent to potential victims
    Pretends to be from their ISP, retail store, etc.
    Due to internal accounting errors or some other pretext, certain information must be updated to continue the service
Phishing Basics (2)
  Link in e-mail message directs the user to a Web page
    Asks for financial information
    Page looks genuine
  Easy to fake valid Web site
    Any HTML page on the real Web can be copied and modified
  E-mails sent to people on selected lists or to any list
    Some % will actually have account
  "Phishing kit"
    Set of software tools
    Help novice phisher imitate target Web site
    Make mass mailings
    May include lists of e-mail addresses
  From Computer Desktop Encyclopedia v17.4, http://www.computerlanguage.com/
Serious Problem
  "Illegal access to checking accounts, often gained via phishing scams, has become the fastest-growing form of consumer theft in the United States, accounting for a staggering $2.4 billion in fraud in the previous 12 months."
  -- Gartner Group
APWG Regular Reports
  Phishing Activity Trends Report, Oct 2004
  1142: number of active phishing sites reported in Oct 2004
  25%: average monthly growth rate in phishing sites, July through Oct
  44: # brands hijacked in Oct
  6: # brands comprising top 80% of brands hijacked by phishing campaigns in Oct
  USA: country hosting most phishing Web sites
  20%: contain some form of the target name in URL
  63%: no hostname, just IP address
  6 days: average time online for phishing site
  http://www.antiphishing.org/APWG_Phishing_Activity_Report-Oct2004.pdf
Recent Examples of Attacks
  From APWG
  Nov 15 - People's Bank - 'New Mail from People'
  Nov 10 - Citibank - 'Citibank Alert Service'
  Nov 9 - PayPal - 'Your Account Will Be Suspended'
  Nov 2 - Sovereign Bank - 'Sovereign Bank Unauthorized Account Access'
  Nov 1 - Citibank - 'Security Alert on Microsoft Internet Explorer'
  Oct 29 - eBay - 'TKO NOTICE: Verify Your Identity'
  Oct 28 - Verizon - 'Update your Verizon billing profile'
  Oct 27 - Washington Mutual Bank - 'Washington Mutual Bank : Notification of Washington Mutual Internet Banking Account'
People's Bank
  (Screenshot of the phishing e-mail) The link is not the proper domain for peoples.com
Citibank (Nov 10)
  Links to http://82.90.165.65/citi
PayPal (1)
  (Screenshot of the phishing e-mail)
PayPal (2)
  Actually links to http://212.45.13.185/.paypal/index.php
Citibank (Nov 1)
  Links to http://200.189.70.90/citi/
eBay
  Links to http://signin-ebay.com-cgi-bin.tk/eBaydll.php
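The two APWG indicators from the October 2004 report (no hostname, just an IP address; target brand name somewhere in the URL) can be checked mechanically, and the Citibank, PayPal and eBay links on the preceding slides are exactly the kind of URL they catch. The Python below is an added example, not part of the slides; the brand-to-domain table and the two-label approximation of the registrable domain are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Brand tokens and the registrable domains each brand legitimately uses.
# Constructed for this example; a real filter would use a curated list.
BRAND_DOMAINS = {
    "citi": {"citibank.com", "citi.com"},
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (enough for
    the .com/.tk hosts on the slides; real code needs a public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def is_ip_literal(host):
    """True when the host part is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def phishing_indicators(url):
    """Return the APWG-style red flags found in a URL (empty list = none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    # APWG Oct 2004: 63% of phishing URLs had no hostname, just an IP address.
    if is_ip_literal(host):
        flags.append("ip-address-host")
    # APWG Oct 2004: 20% carried the target name somewhere in the URL; flag
    # that only when the registrable domain is not one the brand owns
    # (e.g. signin-ebay.com-cgi-bin.tk or 82.90.165.65/citi).
    haystack = (host + parts.path).lower()
    owner = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in haystack and owner not in owned:
            flags.append("brand-in-url:" + brand)
    return flags

if __name__ == "__main__":
    for u in ("http://82.90.165.65/citi", "http://212.45.13.185/.paypal/index.php",
              "http://200.189.70.90/citi/",
              "http://signin-ebay.com-cgi-bin.tk/eBaydll.php", "https://www.paypal.com/"):
        print(u, phishing_indicators(u))
```

A URL with an empty flag list is not thereby safe; these are the two cheapest heuristics from the report, not a verdict.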
APWG (antiphishing.org)
  Anti-Phishing Working Group
Phishing Harms Firms
  Harmful at many levels
    Threatens effective communication
    Undermines goodwill and trust
  Customers
    Direct harm from stolen IDs, passwords
    Could perceive business as not taking adequate steps to protect users
  Diminishes value of brand
    Could affect shareholders
    Possibility of liability for failure to exercise due diligence in protecting trademark
  Based in part on material that is copyright © 2004 Don Holden, CISSP. Used with permission (and thanks).
Problem Increasing
  (Chart slide)
Get a Job – and Lose Money
  "Free training offer is latest spam scam" by John Leyden, published Tuesday 2nd November 2004 12:35 GMT, http://www.theregister.com/2004/11/02/training_spam_scam/
  Apply for "training" and "job" at Credit Suisse
  Fill in banking details (!)
  Lose control over your financial information to criminals
Spoofed Page and Address Bar
  (Screenshot) Not the real address bar
  See http://www.antiphishing.org/news/03-31-04_Alert-FakeAddressBar.html
  Based on a slide copyright © 2004 Don Holden, CISSP. Used with permission (and thanks).
Spoofed Address Bar
  Problem
    JavaScript device replaces address bar
    Allows complete control
    Can show one URL while going to another
    Viewing source code for page does NOT show the JavaScript source
  Implications
    With address bar installed, could track other sites visited
    Could do a man-in-the-middle attack to see everything entered
Recent Alert
  @RISK: Consensus Security Vulnerability Alert 3(45), Nov 14, 2004, from SANS Institute
  Internet Explorer Phishing Vulnerability
    Attacker can construct malicious hyperlink
    Hundreds of attacks reported per week
    Object element embedded in hyperlink
    Can embed Flash movie or other executable code in a hyperlink
Tabbed Browser Problems (1)
  "Phishing for dummies: hook, line and sinker" by Scott Granneman, SecurityFocus, published Tuesday 2nd November 2004 14:55 GMT, http://www.theregister.com/2004/11/02/phishing_tabbed_browsers/
  Vulnerabilities in many "tabbed" browsers that allow easy switch from one window to another
    Mozilla 1.7.3
    Mozilla Firefox 0.10.1
    Camino 0.8
    Opera 7.54
    Konqueror 3.2.2-6
    Netscape 7.2
    Avant Browser 9.02 build 101 and 10.0 build 029
    Maxthon (MyIE2) 1.1.039
Tabbed Browser Problems (2)
  Dialog box can be spawned in active window from connection to an inactive window
    E.g., visit PayPal
    Get popup box to "verify" password
    Actually comes from rogue site in different window
  Possibility of diverting data into a form on a different window for a malicious Web site
    Would try to enter data into form on legitimate site
    Data would actually go somewhere else
Anti-Phishing Steps
  Proclaim, Protect, Pursue
    Proclaim in all correspondence the use of an official mark (e.g. TrustedSender stamp)
    Protect all messages, Web pages with the mark
    Pursue all impostors – actively seek reports of phishing
  Copyright © 2004 Don Holden, CISSP. Used with permission (and thanks).
Public Education
  Use digitally-signed documents ONLY
    Don't release unsigned documents
    Get consumers used to idea that an unsigned document is an untrustworthy document
  Use public education campaigns
    "No one will ever ask you to confirm your password"
    "Don't believe alerts that address you as 'Dear Customer.'"
    Link to APWG documents; e.g., http://www.antiphishing.org/consumer_recs.html
Possible Solutions
  Strong Web site authentication
  Mail server authentication
  Digitally-signed e-mail with desktop verification
  Digitally-signed e-mail with gateway verification
  APWG: Proposed Solutions to Address the Threat of Email Spoofing Scams, http://tinyurl.com/5bo55
APWG Resources Page
  (Screenshot)
Cloudmark's Community Approach
  Cloudmark SafetyBar, http://www.cloudmark.com/
    Works for Outlook and Outlook Express
    Community members report new spam or fraud at push of button
    Information sent worldwide to improve blocking
  Anti-fraudster measures
    Reliability of reports affects credibility of reporter
    Spammers and fraudsters would lose credibility fast
Cloudmark SafetyBar (2)
  (Screenshot)
DISCUSSION