
Upload: jeremykjm

Posted on 18-Nov-2015


DESCRIPTION

Phishing and All the Countermeasures

Phishing Attacks and Countermeasures

Background

Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish.

Phishing emails usually appear to come from a well-known organization and ask for your personal information, such as a credit card number, social security number, account number or password. Oftentimes phishing attempts appear to come from sites, services and companies with which you do not even have an account.

In order for Internet criminals to successfully "phish" your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information from you via email.

Types of Phishing Attacks

Deceptive Phishing. The term "phishing" originally referred to account theft using instant messaging, but the most common broadcast method today is a deceptive email message. Messages about the need to verify account information, system failure requiring users to re-enter their information, fictitious account charges, undesirable account changes, new free services requiring quick action, and many other scams are broadcast to a wide group of recipients with the hope that the unwary will respond by clicking a link to, or signing onto, a bogus site where their confidential information can be collected.

Malware-Based Phishing refers to scams that involve running malicious software on users' PCs. Malware can be introduced as an email attachment, as a downloadable file from a website, or by exploiting known security vulnerabilities, a particular issue for small and medium businesses (SMBs) that are not always able to keep their software applications up to date.

Keyloggers and Screenloggers are particular varieties of malware that track keyboard input and send relevant information to the hacker via the Internet. They can embed themselves into users' browsers as small utility programs known as helper objects that run automatically when the browser is started, as well as into system files as device drivers or screen monitors.

Session Hijacking describes an attack where users' activities are monitored until they sign in to a target account or transaction and establish their bona fide credentials. At that point the malicious software takes over and can undertake unauthorized actions, such as transferring funds, without the user's knowledge.

Web Trojans pop up invisibly when users are attempting to log in. They collect the user's credentials locally and transmit them to the phisher.

Hosts File Poisoning. When a user types a URL to visit a website, it must first be translated into an IP address before it is transmitted over the Internet. The majority of SMB users' PCs running a Microsoft Windows operating system first look up these "host names" in their "hosts" file before undertaking a Domain Name System (DNS) lookup. By "poisoning" the hosts file, hackers have a bogus address transmitted, taking the user unwittingly to a fake "look-alike" website where their information can be stolen.

System Reconfiguration Attacks modify settings on a user's PC for malicious purposes. For example, URLs in a favorites file might be modified to direct users to look-alike websites: a bank website URL may be changed from "bankofabc.com" to "bancofabc.com".

Data Theft. Unsecured PCs often contain subsets of sensitive information stored elsewhere on secured servers. Certainly PCs are used to access such servers and can be more easily compromised. Data theft is a widely used approach to business espionage. By stealing confidential communications, design documents, legal opinions, employee-related records, etc., thieves profit from selling to those who may want to embarrass or cause economic damage, or to competitors.

DNS-Based Phishing ("Pharming"). Pharming is the term given to hosts file modification or Domain Name System (DNS)-based phishing. With a pharming scheme, hackers tamper with a company's hosts files or domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site. The result: users are unaware that the website where they are entering confidential information is controlled by hackers and is probably not even in the same country as the legitimate website.

Content-Injection Phishing describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, hackers may insert malicious code to log users' credentials, or an overlay which can secretly collect information and deliver it to the hacker's phishing server.

Man-in-the-Middle Phishing is harder to detect than many other forms of phishing. In these attacks hackers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.

Search Engine Phishing occurs when phishers create websites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products or services and are fooled into giving up their information. For example, scammers have set up false banking sites offering lower credit costs or better interest rates than other banks. Victims who use these sites to save or make more from interest charges are encouraged to transfer existing accounts and deceived into giving up their details.

Countermeasures for Phishing

1. Auto-Generate Domain-Specific Password

Many researchers have developed a mechanism in which, when you give your username and password, the password is turned into a domain-specific password, transparently to the user. The basic idea is to hash the password with a secret key along with the website domain name. The domain name is important because it binds the resulting password to that domain [1].

Even if the user uses the same password for every entry point in the world, it gets changed by this mechanism, so it becomes really hard for the attacker to get the password, because it will be unique and long, which would be hard to remember.

Advantages:
1. Looks cool.
2. Works fine on a theoretical basis.

Disadvantages:
1. Practical implementation is quite difficult.
2. Many banks use multiple domains and sub-domains.
3. Some sites force the user to use a password with a combination of uppercase, lowercase, and symbols.
4. It's a static solution: if a user travels without his/her laptop then this mechanism is not helpful anymore. She/he has to carry his/her device everywhere.

2. Specific Applications

Here I am going to tell about one scenario that happened back in the 1980s. Many corporate banking systems use some back-up operating system in a portable device such as a CD or DVD. That device contains their own piece of the operating system. Let's suppose this is a matter of administration, but if the bank is providing any kind of mobile or desktop application to use their bank service, it can be a worthwhile target for attack. What the attacker needs to do is just tell the victim: "Apply our latest upgraded application in order to secure your transactions."

The best way to protect against this is a low-cost SSL certificate. This protocol supports certificates for both servers and clients. To find more on this topic, you may visit the link given in the references. There are basically two main functions of SSL: first, to check the real identity of its holder and, second, to encrypt and pass data between the client and server. So if SSL is used, there is very little chance that the phisherman will get his/her victim. The server's certificate identifies the website that you are visiting through your browser application. The client certificate is used for the verification and authentication process. Then the data transportation process gets started.

Advantages:
1. It is not end-to-end security.
2. It is not a bullet-proof secure mechanism.

Disadvantages:
1. The process of certificate management is tedious to handle.
2. Researchers have implemented JavaScripts that can fool browser applications.
3. Malware can steal the information about the certificate.
4. In the very worst case scenario, the phisherman may manage to convince her/his victim: "Your certificate expired, so give it back to us for secure demolition."

3. Web Browser's Password Database

In this type of mechanism, random passwords are generated and stored in the browser. It has more advantages than the first method of hashing passwords. It is more secure, as the browser will only give the credentials to the right URL. So, for instance, if I saved the password for my website www.chintangurjar.com, then it will pass these credentials only if this URL appears. If anything changes in the URL, it won't pass the credentials. Firefox has a mechanism that stores passwords after encrypting them, but this feature is not on by default, so many people won't even use it.

Advantages:
1. It's easy to implement.
2. No specialized or purchased software is needed.

Disadvantages:
1. It doesn't work fully with subdomains. If I have a saved password for www.chintangurjar.com and I want to log in through subdomain.chintangurjar.com, it won't allow me to pass credentials through this URL.
2. Even here, passwords are stored in plain text, so there is always a fear of the password being stolen via malware, a RAT, or other suspicious activity.

4. Virtual Keyboards

This mechanism was the favorite mechanism for organizations and individuals back in the 1990s. Rather than using the traditional hardware keyboard, people used a virtual keyboard that appeared on the screen.
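Countermeasures 1 and 3 above, as an added example that is not from the original article: a per-domain password derived by keyed hashing (with sub-domains collapsed, which is the sub-domain disadvantage the article lists, and a deterministic fix for upper/lower/digit/symbol policies), plus a browser-style credential store that releases a saved password only to the exact origin it was saved for. The two-level suffix set is a hypothetical stand-in for the Public Suffix List, and the secret key and master password in the comments are constructed values.

```python
"""Added example (not from the original article): countermeasure 1
(domain-specific passwords) and countermeasure 3 (a browser-style store
that releases credentials only to the origin they were saved for)."""
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Hypothetical stand-in for the Public Suffix List, so that
# "online.bank.co.uk" collapses to "bank.co.uk" rather than "co.uk".
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%")
ALPHABET = "".join(CLASSES)


def registrable_domain(host: str) -> str:
    """Strip sub-domains (www., login., ...) so one bank gets one password.
    This addresses the multiple-sub-domain disadvantage the article lists."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def domain_password(master: str, secret_key: bytes, url: str, length: int = 16) -> str:
    """HMAC-SHA256(secret_key, master || domain) rendered as a site password.

    The domain is part of the MAC input, so a look-alike phishing domain
    derives a different string that is useless at the real site.  The last
    four characters are drawn one from each class so the result passes
    'upper + lower + digit + symbol' policies (disadvantage 3) while staying
    deterministic.  Byte-modulo selection is slightly biased: fine for
    illustration, not for a production password manager."""
    domain = registrable_domain(urlsplit(url).hostname or "")
    digest = hmac.new(secret_key, f"{master}\0{domain}".encode(), hashlib.sha256).digest()
    body = [ALPHABET[b % len(ALPHABET)] for b in digest[: length - 4]]
    tail = [cls[digest[length - 4 + i] % len(cls)] for i, cls in enumerate(CLASSES)]
    return "".join(body + tail)


def origin(url: str) -> str:
    """scheme://host is the key a browser store matches on (no sub-domain fuzziness)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}".lower()


class CredentialStore:
    """Browser-style saved-password database keyed by exact origin."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, str]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        self._entries[origin(url)] = (username, password)

    def lookup(self, url: str):
        """Return credentials only when scheme and host match exactly;
        subdomain.chintangurjar.com or plain http get nothing."""
        return self._entries.get(origin(url))
```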

People and some banking organizations assumed that attackers won't be able to capture their keyboard activity. This mechanism has been defeated by attackers. Nowadays they have a method to capture the screen as well as the virtual keyboard.

5. Educating Your People

Many organizations conduct seminars and workshops on ethical hacking and Internet security in order to educate their employees. This can be a quality step towards security awareness, though many of their employees may not take it seriously and may not follow the instructions given at the workshop/seminar. Those kinds of employees can be a potential target of attackers/phishers.

There are some methods of educating your employees that we can think about. Logical awareness has to be built. First, they are given instructions to check the English. In response to that, the bad guys started writing professional English that is really more than 95% identical to the original website. Thus victims got exploited. Then phishers started to use the lock symbol, keeping in mind that, even if some clever employee/person knows about SSL, she/he can be trapped. Phishers have done this by forging the symbol: they put lock icons in the URL bar (as the favicon) and on the web pages. Banks started putting the last four digits of the credit card or other bank account detail in their messages; in response to that, attackers also started putting the first four digits of those numbers, which are constant in the card details provided by any bank. Thus people got exploited again.

Mitigations: Logical awareness has to be raised. Customers have to think on their own about whether something is legal and legitimate or a fake. When this awareness rises within them, there won't be any need for workshops or seminars for ethical hacking awareness.

6. Phishing Scam Alert Add-ons/Extensions

Many organizations have built toolbars that use a ton of problem-discovering and -solving methods to determine whether a URL is fake or not. Even Microsoft used this feature, built in to Internet Explorer 7. The concept is like this: if the user visits any known fake/phishing URL, then the toolbar turns red. If the site is merely a suspected phishing site, then it turns yellow. Nowadays some websites use extended validation. This is a new type of certificate that is sold to the website only after the credentials are checked very carefully. If a browser toolbar finds this type of website, then it turns green.

The first method has already been broken by researchers. It was presented in a research paper whose link is mentioned in the references [8]. That is a very unconventional and unusual semi-technical method for breaking into the victim's mind. It uses a picture-in-picture method. Here the phisher displays a picture of the browser with a green toolbar so that the user thinks it is safe to visit and thus she/he is exploited.

As you can clearly see, the URL inside the browser's real top window is the malicious one, not https://www.paypal.com/uk; the PayPal address is only displayed in the fake log-in window. The attacker also puts the favicon and outside logo to prove the legitimacy of his work. Thus, people think that this is the real page, they log in to the website, and their credentials are compromised.

The second scenario, extended validation, can be broken by URL manipulation. Attackers use an almost identical URL and they buy their own certificate and install it on their server. Now the URL of the phishing site and the original site are almost identical, as shown below:

Original site: www.chintanwov.com
Phishing site: www.chintanvvov.com

As you can see, in the first URL it's "wov" and in the second URL the attacker put "vvov"; "vv" looks like "w", so the client thinks that it's a genuine website and logs in. That is how their credentials get stolen and they get exploited. These types of phishing sites are called dodgy sites.

7. 2FA (Two-Factor Authentication)

Two-factor authentication is also known as 2FA, two-step verification, or multi-factor authentication. It requires not only a username and password, but also some piece of information that only the user knows. That piece of information is known as a physical token. Using traditional credentials along with the physical token makes it very hard for a phisher to exploit his/her victim.

The concept of two-factor authentication is explained in the picture below. Let's suppose you are going to access a VPN website.

(1) Here the first authentication is done via traditional credentials such as username and password. This is called primary authentication.
(2) Then the domain controller calls the user's mobile phone or any other device (mobile is a standard device that all users will have) and sends a token code or an automated call.
(3) Then it checks for the right identity.
(4) If the credentials are verified, the user is given authorization to access the VPN, as shown in the picture below.
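The red/yellow/green toolbar scheme from section 6, together with the "vv for w" look-alike URL described above, as an added example that is not from the original article: a URL verdict function that checks a known-phishing list, flags domains whose visual skeleton collides with a protected brand, and only shows green for a brand served over https with extended validation. The three feeds and the confusable table are constructed sample data, not any real toolbar's lists.

```python
"""Added example (not from the original article): a toolbar-style URL verdict
covering the red/yellow/green scheme from section 6 plus the 'vv for w'
look-alike trick.  All feeds below are constructed sample data."""
from urllib.parse import urlsplit

# Constructed stand-ins for a toolbar's blocklist, brand list and EV data.
KNOWN_PHISHING = {"paypal-secure-login.example"}
PROTECTED_BRANDS = {"chintanwov.com", "paypal.com"}
EV_CERTIFIED = {"paypal.com"}

# Sequences that read alike at a glance.  Multi-character entries come first,
# so "vv" collapses to "w" before single characters are touched.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable(host: str) -> str:
    """Last two labels of a hostname (www.chintanvvov.com -> chintanvvov.com).
    Illustrative only; a real tool consults the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(host: str) -> str:
    """Reduce a hostname to the shape a reader perceives, so that
    chintanvvov.com and chintanwov.com compare equal."""
    s = host.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def verdict(url: str) -> str:
    """red    = on the known-phishing list
       yellow = not a protected brand, but its skeleton matches one
       green  = a protected brand served over https with EV validation
       ok     = nothing to report"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable(host)
    if host in KNOWN_PHISHING or reg in KNOWN_PHISHING:
        return "red"
    if reg in PROTECTED_BRANDS:
        return "green" if parts.scheme == "https" and reg in EV_CERTIFIED else "ok"
    if skeleton(reg) in {skeleton(b) for b in PROTECTED_BRANDS}:
        return "yellow"
    return "ok"
```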

In the UK, some banks are using two-factor authentication, but not in this traditional mobile-token way. They have given their customers password calculators with multiple functions, such as generating a real-time security code to log in to the customer's account and even to make a transaction.

Let's take a real-life scenario from the UK. One of the top famous banks, Barclays, uses a small device called PINsentry. Each device is registered with a unique card that is given to their customers. The device looks like this:

If you want to log in to your online Barclays account, you need to give your basic details such as last name and card number. Once you click on Login, it will ask you for the security code. Now you need to verify your identity by inserting your card into this PINsentry and clicking on Identify. Give your secret PIN and it will auto-generate a random number. Once you type that number on the website, it will allow you to log in. Now if a phisher stole this device and put his card into it, it will flash the message shown in the picture below:

If a customer wants to make a payment, it will also ask for the security code, which you have to get from this machine. Not only that, but it will also ask you to input the exact amount of money that you have already entered on the website. If both figures match, you will be allowed to make the transaction. That is how two-factor authentication works. No doubt it's very effective and promisingly secure. However, going through all these processes just to log in is a tedious, time-consuming method from the customer's point of view.

8. TPM Chip (Trusted Computing Mechanism)

This mechanism is set up by TPM chips, short for Trusted Platform Module. If two computers are doing regular transactions, then this chip is physically placed on the motherboard to tie them together.

As you can see from the diagram, this whole mechanism can be implemented on a single chip. However, this mechanism has a portability/roaming problem: roaming cannot be done easily on these devices.

This chip is placed on an endpoint device and stores an RSA key. It makes an RSA key pair that is saved within the chip and cannot be accessed by any software. The SRK (storage root key) is generated only when the system administrator accesses the computer. There is a second key, known as the AIK (attestation identity key). It is there to protect the chip from unauthorized access. They create hashes. If the system wants to connect to the network or an end device, it passes the hash and gets verified by the network or the other end device. If the match fails, access is denied. This is how it gives complete bullet-proof security against phishing.

9. Encrypted Key Exchange Process: Prevent Dictionary Attacks

Many researchers came up with a new authentication protocol. They implemented a series of protocols for encrypted key exchange. The key is generated by combining the shared password, and this process takes place in such a way that the phisher (who is the man in the middle) can't guess it. Those protocols were awkward to implement and use, and they were also too time-consuming.

Major Issues (Problems, Concerns & Questions)

Examples

References

https://www.phishtank.com/what_is_phishing.php
http://www.pcworld.com/article/135293/article.html
https://www.grc.com/sqrl/phishing.htm
http://www.infoworld.com/article/2865821/security/prevent-phishing-attacks-via-opendns-minority-report-style.html (GOOD READ AND LATEST COUNTERMEASURE)
https://www.grc.com/sqrl/phishing.htm (MORE COUNTERMEASURES)
http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
http://computer.howstuffworks.com/phishing.htm