SOCIO-TECHNICAL ATTACKS: PHISHING AND IDENTITY THEFT

Although we think it's one of the more unfortunate terms in the hacker vernacular, social engineering has been used for years in security circles to describe the technique of using persuasion and/or deception to gain access to information systems. Social engineering typically takes place via human conversation or other interaction. The medium of choice is usually the telephone, but it can also be communicated via an e-mail message, a television commercial, or countless other media for provoking human reaction.

Social-engineering attacks have garnered an edgy technical thrust in recent years, and new terminology has sprung up to describe this fusion of basic human trickery and sophisticated technical sleight-of-hand. We use the term socio-technical attack, but the expression that's gained the most popularity of late is phishing, which is defined as follows by the Anti-Phishing Working Group (APWG, http://www.antiphishing.org):

"Phishing attacks use spoofed e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc."

Thus, phishing is essentially classic social engineering married to Internet technology. This is not to minimize its impact, however, which by some estimates costs consumers over $1 billion annually, and growing steadily. This section will examine some classic attacks and countermeasures to inform your own personal approach to avoiding such scams.

Phishing Techniques

APWG is probably one of the best sites for cataloging recent widespread scams (see http://anti-phishing.org/phishing_archive.html). The common themes to such scams include:

  • Targeting financially consequential online users

  • Invalid or laundered source addresses

  • Spoof authenticity using familiar brand imagery

  • Compelling action with urgency

Let's examine each one of these in more detail. Phishing scams are typically targeted at financially consequential online users, specifically those who perform numerous financial transactions or manage financial accounts online. As the saying goes, "Why do criminals rob banks? Because that's where the money is." Thus, the top most targeted victims include Citibank online banking customers, eBay and PayPal users, larger regional banks with online presences, and Internet service providers whose customers pay by credit card, such as AOL and Earthlink (this is based on APWG's July 2004 "Phishing Attack Trends Report"). All these organizations support millions of customers through online financial management/transaction services. Are you a customer of one of these institutions? Then you likely have already or will soon receive a phishing e-mail.

As one might imagine, phishing scam artists have very little desire to get caught, and thus most phishing scams are predicated on invalid or laundered source addresses. Phishing e-mails typically bear forged "From" addresses resolving to nonexistent or invalid e-mail accounts, or are sent via laundered e-mail engines on compromised computers, so standard mail header examination techniques yield nothing useful when tracing them. Similarly, the websites to which victims get directed to enter sensitive information are temporary bases of operation on hacked systems out on the Internet. If you think phishing is easy to stomp out simply by tracking the offenders down, think again.

The success of most phishing attacks is also based on spoofing authenticity using familiar brand imagery. Again, although it may appear to be technology driven, the root cause here is pure human trickery. Take a look at the fraudulent phishing e-mail in Figure 13-9. The images in the upper-left corner of the e-mail are taken directly from the http://wellsfargo.com home page, and they lend an air of authenticity to the message (which is itself only a few lines of text that would probably be rejected out of hand without the accompanying imagery). The copyright symbol in the footer also plays on this theme. Surely this must be a legitimate message because it bears the imprimatur of the Wells Fargo brand!

Figure 13-9: A phishing e-mail targeted at Wells Fargo banking customers
Tip 

Savvy companies can learn whether their customers are being phished by examining their web server logs periodically for HTTP Referrer entries that indicate a fraudulent site may be pointing back to graphic images hosted on the authentic website. Although it's trivial to copy the images, many phishing sites don't bother and thus beacon their whereabouts to the very companies they are impersonating.
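The log check described in this tip, as an added example (not from the book): it parses Apache/nginx combined-format access log lines and counts requests for image files whose Referer is a page on a host outside the company's own domains. The log lines, the `example-bank.test` domain and the `198.51.100.23` address are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the Referer is the first quoted field after bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")


def is_own_host(host, own_domains):
    """True when host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own_domains)


def find_hotlinking_referers(log_lines, own_domains):
    """Count image requests whose Referer is a page on a host outside own_domains.

    Returns a Counter keyed by (referer_host, image_path). Entries with no Referer
    ("-") are skipped: browsers omit it for typed URLs, so they prove nothing.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        parts = m.group("req").split()
        if len(parts) < 2:
            continue
        path = urlsplit(parts[1]).path.lower()
        if not path.endswith(IMAGE_EXT):
            continue
        host = (urlsplit(m.group("referer")).hostname or "").lower()
        if host and not is_own_host(host, own_domains):
            hits[(host, path)] += 1
    return hits

# Constructed sample lines (not real traffic); hosts, IPs and paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2004:10:01:02 -0700] "GET /img/logo.gif HTTP/1.1" 200 4312 "https://www.example-bank.test/signon" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Jul/2004:10:01:09 -0700] "GET /img/logo.gif HTTP/1.1" 200 4312 "http://198.51.100.23/1/index.php" "Mozilla/4.0"',
    '203.0.113.9 - - [12/Jul/2004:10:02:41 -0700] "GET /img/logo.gif HTTP/1.1" 200 4312 "http://198.51.100.23/1/index.php" "Mozilla/4.0"',
    '203.0.113.9 - - [12/Jul/2004:10:02:42 -0700] "GET /signon HTTP/1.1" 200 9001 "http://198.51.100.23/1/index.php" "Mozilla/4.0"',
    '203.0.113.11 - - [12/Jul/2004:10:03:00 -0700] "GET /img/logo.gif HTTP/1.1" 200 4312 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (host, path), n in find_hotlinking_referers(SAMPLE_LOG, ["example-bank.test"]).most_common():
        print(f"{n:4d}  {host:<20} {path}")
```

A referer host that appears repeatedly against the login page's logo, as the bare IP does here, is the beacon the tip describes; a single hit may just be a search engine cache or a mail client preview.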

Of course, the "Please update your information here" link at the end of this message takes the user to a fraudulent site that has nothing to do with Wells Fargo but is also dressed up in similar imagery that reeks of authenticity. Many phishing scams spell out the link in text so that it appears to link to a legitimate site, again attempting to spoof authenticity. Even more deviously, more sophisticated attackers will use a browser vulnerability or throw a fake script window across the address bar to disguise the actual location (you saw an example of this in our discussion of IE improper URL canonicalization, earlier in this chapter). The fraudulent site behind the scam in Figure 13-9 looks nearly identical to the actual site at https://online.wellsfargo.com/signon, and it even pops a window over the address bar to hide its actual location, which is http://216.43.204.4/1/index.php.

Tip 

Reading e-mail in plaintext format allows you to more easily distinguish fraudulent hyperlinks, because the phishing site will appear in angle brackets (< and >) following the "friendly" legitimate link name.

Finally, looking again at Figure 13-9, we see an example of how phishing compels action with urgency. Besides heightening the overall authenticity and impact of the message, this is actually critical to the successful execution of the fraud. According to APWG research, the average "life span" of fraud sites, measured by how long they continue to respond with content, is only a matter of days. Thus, the fraud is most successful when it drives the maximum number of users to the fraudulent site in the shortest amount of time, to maximize the harvest of user credentials.

Of course, the carnage that occurs after a scam artist obtains a victim's sensitive information can unfold with anything but a sense of urgency. Identity theft involves takeover of existing accounts and also opening of new accounts using the information gleaned from fraud like phishing. Even though victims are typically protected by common financial industry practices that reduce or eliminate liability for unauthorized use of their accounts, their creditworthiness and personal reputations can be unfairly tarnished, and some spend months and even years regaining their financial health.

Note 

You IT pros in the audience who may still be snickering at the misfortunes of hapless end users should read about the lawsuit filed by a Bank of America customer who blamed the bank for failing to alert him to malicious code that had infected his computer and authorized a $90,000 wire transfer to Latvia. See http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1062440,00.html.

Phishing Countermeasures

Thanks (unfortunately) to the burgeoning popularity of this type of scam, the Internet is awash in advice on how to avoid and respond to phishing scams. Some of the resources we've found to be the most helpful for end users include:

  • http://anti-phishing.org/consumer_recs.html

  • http://www.ifccfbi.gov/index.asp

  • http://www.privacyrights.org/identity.htm

  • http://www.consumer.gov/idtheft

New online services have sprung up recently to assist end users in identifying phishing scams. For example, Earthlink's ScamBlocker is a component of their browser toolbar that gives users an indication when they are browsing a known phishing site. The list of known phishing sites is kept up to date in the same manner as antivirus programs update their virus definitions. For example, when you're browsing a known-good site, the ScamBlocker toolbar icon shows a green "thumbs-up." When you're browsing an indeterminate site, an icon appears showing a shadowy figure with a line through it, and the pull-down menu provides additional options to get information about the site (including domain registration information; cool!). The ScamBlocker toolbar is shown in Figure 13-10.

Figure 13-10: Earthlink's ScamBlocker, a free tool for helping users identify and avoid phishing sites

When users do wind up on a known phishing site, they are redirected to a page on Earthlink's site with the following clear warning shown in Figure 13-11.

Figure 13-11: The warning shown to users who visit a known phishing site with Earthlink's ScamBlocker enabled

We think the Earthlink ScamBlocker is an innovative mechanism for protecting users from phishing scams, and we encourage readers to try it out (although we wish it was available separately from the whole toolbar).

And of course, we recommend our own advice from the earlier section titled "General Microsoft Client-Side Countermeasures." In particular, reading e-mail in plaintext format can help reduce the effectiveness of one of the key tools of phishers, spoofing authenticity using familiar brand imagery. In fact, plaintext e-mail allows you to blatantly see fraudulent hyperlinks disguised as legitimate ones because they appear in angle brackets (< and >).
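The plaintext-rendering check described in the tip above and restated here, as an added example that is not from the book: it pulls every anchor out of an HTML message body, renders it the way a plaintext mail reader would ("friendly text <real destination>"), and flags anchors whose visible text names a domain that is not the host the href actually points to. The message body, the `example-bank.test` domain and the `198.51.100.23` address are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def same_site(a, b):
    """True when a and b are the same host or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def flag_mismatched_links(html_body):
    """Return (plaintext_rendering, suspicious) per anchor; suspicious is True when
    the visible text names a domain that is not the host the href points to."""
    p = LinkCollector()
    p.feed(html_body)
    out = []
    for text, href in p.links:
        m = DOMAIN_RE.search(text)
        shown = m.group(1).lower() if m else ""
        real = (urlsplit(href).hostname or "").lower()
        out.append((f"{text} <{href}>", bool(shown) and not same_site(shown, real)))
    return out

# Constructed sample message body; the hosts are placeholders, not real sites.
SAMPLE_HTML = (
    '<p>Please <a href="http://198.51.100.23/1/index.php">update your information at '
    'https://online.example-bank.test/signon</a> within 24 hours.</p>'
    '<p>Questions? See <a href="https://www.example-bank.test/help">www.example-bank.test</a>.</p>'
)
```

Links whose text carries no host name at all ("click here") are not flagged; for those the angle-bracketed destination in the plaintext rendering is the only clue, which is exactly what the tip asks you to read.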

Finally, if you encounter what you think might be a phishing scam, report it. Most ISPs maintain an "abuse" alias (for example, abuse@hotmail.com). Other organizations, such as banks, can be more difficult to contact electronically, but start with their customer service department and work inward. There are also some up-and-coming organizations that are focusing specifically on identifying and holding accountable perpetrators of phishing (for example, http://www.digitalphishnet.org).



Hacking Exposed
Hacking Exposed 5th Edition
ISBN: B0018SYWW0
EAN: N/A
Year: 2003
Pages: 127
