14.2. Attack Techniques

Phishing attacks use a variety of techniques to make the presentation of an email message or web page deceptively different from its implementation. In this section, we catalog a few of the techniques that have been seen in the wild:


Copying images and page designs

A phishing attack often copies a legitimate page nearly verbatim, including its style, layout, and embedded images. The eBay attack shown in Figure 14-2 is an example of this approach. Because logos and page style are the most prominent indicators of a site's identity (the "face" of a web site), unsuspecting users are likely to fall for this very simple deception.


Similar domain names

Another way that users authenticate web sites is by examining the URL displayed in the address bar. To deceive this indicator, the attacker may register a domain name that bears a superficial similarity to the imitated site's domain. Sometimes a variation in capitalization or the use of special characters is effective. Because most browsers display the URL in a sans-serif font, in which a capital I is nearly indistinguishable from a lowercase l, paypaI.com has been used to spoof paypal.com, and barcIays.com to spoof barclays.com. More commonly, however, the fake domain name simply embeds some part of the real domain: ebay-members-security.com to spoof ebay.com, and users-paypal.com to spoof paypal.com. Most users lack the tools and knowledge to investigate whether such a domain name is really owned by the company being spoofed.


URL hiding

Another way to spoof the URL took advantage of a little-used feature of URL syntax. A username and password could be included before the domain name, using the form http://username:password@domain/. Attackers could put a reasonable-looking domain name in the username field and obscure the real host among noise or scroll it past the end of the address bar (e.g., http://earthlink.net%6C%6C...%6C@211.112.228.2, where the real host is 211.112.228.2). Recent updates to web browsers have closed this loophole, either by removing the username and password from the URL before displaying it in the address bar or (in the case of Internet Explorer) by forbidding the username/password URL syntax entirely.


IP addresses

The simplest expedient for obscuring a server's identity is to present it as a bare IP address, such as http://210.93.131.250. This technique is surprisingly effective. Because many legitimate URLs are already filled with opaque and incomprehensible numbers, only a user knowledgeable enough to parse a URL, and alert enough to actually do so, is likely to become suspicious.


Deceptive hyperlinks

The text of a hyperlink is completely independent of the URL to which it actually points. Attackers exploit this built-in distinction between presentation and implementation by displaying one URL in the link text while using a completely different URL underneath. Even a knowledgeable user, having seen an explicit URL in the message, may not think to check the link's true destination. The standard means of checking the destination of a hyperlink (hovering over it and examining the URL in the status bar) may also be spoofed, using JavaScript or the URL hiding techniques described above.
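The checks an analyst or mail filter would run against the URL tricks catalogued above (similar domain names, URL hiding via userinfo, bare IP hosts, and link text that disagrees with the href) are shown together in the following added example. It is not code from the book; the brand allow-list, the confusable-character table, the two-label "registrable domain" heuristic and the sample HTML message are all constructed for illustration.

```python
"""Triage a message's hyperlinks for the URL deceptions described above.

Added example, not from the book. Assumptions: KNOWN_BRANDS is a hand-made
allow-list, CONFUSABLES covers only a few sans-serif look-alikes, and
registrable_domain() uses the last two labels instead of the Public Suffix List.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumption: brands expected in mail, mapped to their legitimate registrable domains.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "barclays": {"barclays.com", "barclays.co.uk"},
}

# Characters that are near-indistinguishable in a sans-serif address bar.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Something that looks like a host name inside visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def raw_host(url):
    # SplitResult.hostname lowercases, which would erase the capital-I trick,
    # so take the host as written from the netloc (assumes no bracketed IPv6).
    hostport = urlsplit(url).netloc.rpartition("@")[2]
    return hostport.split(":")[0]


def registrable_domain(host):
    # Last two labels, e.g. "paypal.com"; an IP address is returned whole.
    if is_ip(host):
        return host
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_url(url):
    """Return human-readable findings for one URL (empty list if nothing suspicious)."""
    findings = []
    parts = urlsplit(url)
    host = raw_host(url)
    if parts.username is not None:          # URL hiding: user:pass@ before the real host
        findings.append(f"userinfo before '@' hides real host {host!r} "
                        f"(userinfo starts {unquote(parts.username)[:24]!r})")
    if is_ip(host):                         # bare IP address instead of a name
        findings.append(f"raw IP address used as host: {host}")
        return findings
    # Fold look-alike characters so paypaI.com compares equal to paypal.com.
    folded = host.translate(CONFUSABLES).lower().replace("rn", "m")
    orig_reg, folded_reg = registrable_domain(host), registrable_domain(folded)
    for brand, legit in KNOWN_BRANDS.items():
        if orig_reg in legit:
            continue                        # genuinely the brand's own domain
        if folded_reg in legit:
            findings.append(f"lookalike domain {host} resembles {folded_reg}")
        elif brand in folded:
            findings.append(f"domain {orig_reg} embeds brand name '{brand}' "
                            f"but is not a {brand} domain")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_html(html):
    """Return [(href, findings)]; flags link text that names a different site than the href."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        findings = analyze_url(href)
        shown = URL_IN_TEXT.search(text)
        if shown:
            shown_reg = registrable_domain(shown.group(1))
            actual_reg = registrable_domain(raw_host(href))
            if shown_reg != actual_reg:
                findings.append(f"link text shows {shown_reg} but href points to {actual_reg}")
        report.append((href, findings))
    return report


# Constructed sample message modelled on the attacks described in the text.
SAMPLE_MESSAGE = """
<p>Dear customer, your account will be suspended within 24 hours unless you confirm it.</p>
<a href="http://users-paypal.com/login">http://www.paypal.com/cgi-bin/webscr</a>
<a href="http://paypaI.com/verify">Click here to verify</a>
<a href="http://earthlink.net%6C%6C%6C%6C%6C%6C%6C%6C@211.112.228.2/">My EarthLink</a>
<a href="https://www.paypal.com/">PayPal home</a>
"""

if __name__ == "__main__":
    for href, findings in analyze_html(SAMPLE_MESSAGE):
        print(href, "->", findings or "no findings")
```

The folding step is deliberately done on the host as written: the standard library's `hostname` accessor lowercases its result, which would turn the capital-I lookalike into a harmless "paypai.com" before the comparison runs. The brand-embedding check is the noisiest of the four (legitimate third parties do put brand names in their domains), so in practice it should raise a score rather than block outright.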


Obscuring cues

Instead of tweaking URLs, a sophisticated attack may spoof identification cues like the address bar or the status bar by replacing them entirely. One recent attack used JavaScript to create a small, undecorated window on top of Internet Explorer's address bar, displaying a completely innocent URL.[6]

[6] Anti-Phishing Working Group, "US Bank - Maintenance Upgrade" (July 6, 2004); http://www.antiphishing.org/phishing_archive/07-06-04_US_Bank_(usBank.com_Maintenance_upgrade).html.


Pop-up windows

A recent attack against Citibank customers[7] has taken page copying a step further, by displaying the true Citibank web site in the browser but popping up an undecorated window on top to request the user's personal information.

[7] Anti-Phishing Working Group, "Citibank - Your Citibank Account!" (July 13, 2004); http://www.antiphishing.org/phishing_archive/07-13-04_Citibank_(your_Citibank_account!).html.


Social engineering

Phishing attacks also use nontechnical approaches to persuade users to fall for the attack. One tactic is to create urgency, so that the user feels rushed to comply and is less likely to take the time to check the message's authenticity. Another tactic is to threaten dire consequences if the user fails to comply, such as terminating service or closing accounts. A few attacks promise big rewards instead ("You've won a great prize!"), but threatening attacks are far more common. It may be human nature that users are more suspicious of getting something for nothing.

Phishing attacks to date have several other noteworthy properties:


Short duration

Most phishing web sites exist for a very short period of time, on the order of days or even hours.


Sloppy language

Many phishing messages have misspellings, grammar errors, or confusing wording.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004