Trickery

If an attacker is unable to identify a vulnerability to exploit, they may fall back on trickery. The term social engineering has also been used for years in security circles to describe this technique of using persuasion and/or deception to gain access to digital information.

Such attacks have acquired an edgy technical thrust in recent years, and new terminology has sprung up to describe this fusion of basic human trickery and sophisticated technical sleight-of-hand. The expression that's gained the most popularity of late is phishing, which is essentially classic social engineering implemented using Internet technology. This is not to minimize its impact, however: by some estimates it costs consumers over $1 billion annually, and it is growing steadily.

More aggressive fraudsters trick users into installing deceptive software such as adware and spyware, terms that describe covert or deceptive software that hijacks computing resources to display ads or to monitor web surfing habits (usually for later sale to marketing companies).

Note 

Spyware includes other classes of monitoring software, but we're only going to focus on the web-related category in this chapter.

This section will examine some classic attacks and countermeasures to inform your own personal approach to avoiding such scams.

Phishing

Attack   Based on our assessment of statistics from the Anti-Phishing Working Group (APWG) and our own direct experience, the common features of phishing scams include:

  • Targeted at financially consequential online users

  • Invalid or laundered source addresses

  • Spoofing authenticity using familiar brand imagery

  • Compelling action with urgency

Let's examine each one of these in more detail.

Phishing scams are typically targeted at financially consequential online users, specifically those that perform numerous financial transactions or manage financial accounts online. As the saying goes, "Why do criminals rob banks? Because that's where the money is." APWG's December 2005 "Phishing Attack Trends Report" indicated that 89.3 percent of phishing targeted the financial services sector, 5 percent ISPs, and 2.5 percent the retail industry. The most targeted victims include Citibank online banking customers, eBay and PayPal users, larger regional banks with online presences, and Internet Service Providers like AOL and Earthlink whose customers pay by credit card. All of these organizations support millions of customers through online financial management/transaction services. Are you a customer of one of these institutions? Then you likely have already received a phishing e-mail, or will soon.

As one might imagine, phishing scam artists have very little desire to get caught, and thus most phishing scams are predicated on invalid or laundered source addresses. Phishing e-mails typically bear forged "From" addresses resolving to nonexistent or invalid e-mail accounts, and are typically sent via laundered e-mail engines on compromised computers, so standard mail header examination techniques lead nowhere. Similarly, the web sites to which victims are directed to enter sensitive information are laundered temporary bases of operation on hacked systems out on the Internet. APWG commonly cites statistics indicating that the average lifespan of a phishing scam site is only a matter of days. If you think phishing is easy to stomp out simply by tracking the offenders down, think again.

The success of most phishing attacks is also based on spoofing authenticity using familiar brand imagery. Again, although it may appear to be technology driven, the root cause here is pure human trickery. Take a look at the fraudulent phishing e-mail in Figure 10-1. The images in the banner and signature line are taken directly from the paypal.com home page and lend an air of authenticity to the message. The message itself is only a few lines of text that would probably be rejected out of hand without the accompanying imagery. The "trademark" symbols sprinkled throughout the message also play on this theme.


Figure 10-1: A phishing e-mail targeted at PayPal customers
Tip 

Savvy companies can learn if their customers are being phished by periodically examining their web server logs for HTTP Referer header entries that indicate a fraudulent site may be pointing back to graphic images hosted on the authentic web site. Although it's trivial to copy the images, many phishing sites don't bother and thus beacon their whereabouts to the very companies they are impersonating.
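The log check described in this tip, as an added example that is not part of the book: it parses web server log lines in the common "combined" format and reports image requests whose Referer names a host other than the legitimate site. The log lines and hostnames below are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Added example (not from the book): flag image requests whose Referer
# is a site other than the one we own. Log lines are constructed in
# Apache/NCSA "combined" format; all hostnames and addresses are placeholders.
OUR_HOSTS = {"www.example-bank.test", "example-bank.test"}
IMAGE_RE = re.compile(r"\.(gif|jpe?g|png)(\?.*)?$", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2006:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "http://www.example-bank.test/login" "Mozilla/4.0"
198.51.100.9 - - [12/Jan/2006:10:01:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "http://203.0.113.45/~tmp/verify.php" "Mozilla/4.0"
198.51.100.9 - - [12/Jan/2006:10:01:06 +0000] "GET /images/sig.jpg HTTP/1.1" 200 1102 "http://203.0.113.45/~tmp/verify.php" "Mozilla/4.0"
198.51.100.3 - - [12/Jan/2006:10:02:10 +0000] "GET /login HTTP/1.1" 200 9002 "http://search.example.test/?q=bank" "Mozilla/4.0"
198.51.100.4 - - [12/Jan/2006:10:02:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "-" "Mozilla/4.0"
"""

def find_image_hotlinks(log_text, our_hosts=OUR_HOSTS):
    """Return {referer_host: set(image paths)} for image requests whose
    Referer host is not one of ours. Requests with no Referer ("-") are
    ignored: many mail clients and proxies send none, so their absence
    proves nothing either way."""
    suspects = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not IMAGE_RE.search(m.group("path")):
            continue
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        host = (urlparse(referer).hostname or "").lower()
        if host and host not in our_hosts:
            suspects.setdefault(host, set()).add(m.group("path"))
    return suspects

if __name__ == "__main__":
    for host, paths in find_image_hotlinks(SAMPLE_LOG).items():
        print(f"possible phishing site {host} hotlinks {sorted(paths)}")
```

Legitimate hotlinking (search engines, partner sites, user forums) will also show up, so treat a hit as a lead to review rather than proof of a scam.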

Of course, the "To update your records" link at the end of this message takes the user to a fraudulent site that has nothing to do with PayPal, but is also dressed up in similar imagery that reeks of authenticity. Many phishing scams spell out the link in text so that it appears to link to a legitimate site, again attempting to spoof authenticity (the actual link in this mail does not go to paypal.com, despite appearances!). Even more deviously, more sophisticated attackers will use a browser vulnerability or throw a fake script window across the address bar to disguise the actual location. For example, the "IE improper URL canonicalization" vulnerability was widely exploited in early 2004 by phishing scammers. (See "References and Further Reading.")

Finally, looking again at Figure 10-1, we see an example of how phishing compels action with urgency by using the phrase "failure to update your records will result in account suspension." PayPal users are likely to be alarmed by this, and take action before thinking. Besides heightening the overall authenticity and impact of the message, this is actually critical to the successful execution of the fraud, since it drives the maximum number of users to the fraudulent site in the shortest amount of time, to maximize the harvest of user information. Remember, phishing sites are usually only up for a few days.

Of course, the carnage that occurs after a scam artist obtains a victim's sensitive information can unfold with anything but a sense of urgency. Identity theft involves takeover of accounts and also opening of new accounts using the information gleaned from fraud like phishing. Even though victims are typically protected by common financial industry practices that reduce or eliminate liability for unauthorized use of their accounts, their creditworthiness and personal reputations can be unfairly tarnished, and some spend months and even years regaining their financial health.

Phishing Countermeasures

Countermeasure   Thanks (unfortunately) to the burgeoning popularity of this type of scam, the Internet is awash in advice on how to avoid and respond to phishing scams. We've listed the resources we've found to be the most helpful in "References and Further Reading."

New online services have sprung up recently to help end users identify phishing scams. For example, Earthlink's ScamBlocker is a component of their browser toolbar that gives users an indication when they are browsing a known phishing site. The list of known phishing sites is kept up-to-date in the same manner as virus programs update their virus definitions. For example, when browsing a known site, the ScamBlocker toolbar displays a green "thumbs-up" icon. When browsing indeterminate sites, an icon showing a shadowy figure with a line through it appears, and the pull-down menu provides additional options to get information about the site (including domain registration information. Cool!). The ScamBlocker toolbar is shown here:

When users do wind up on a known phishing site, they are redirected to a page on Earthlink's site with the following clear warning:

We think the Earthlink ScamBlocker is an innovative mechanism for protecting users from phishing scams, and we encourage readers to try it out (although we wish it was available separately from the whole toolbar). Apparently, the idea is catching on, because Microsoft plans to implement a similar mechanism for an upcoming IE service pack, as well as the next version, IE7.

In addition, reading e-mail in plaintext format can help reduce the effectiveness of one of the key tools of phishers, spoofing authenticity using familiar brand imagery. Plaintext e-mail also makes fraudulent inline hyperlinks plain to see, since the actual target appears in angle brackets (< and >) when viewed in plaintext. For example, here's a hyperlink that would normally appear as underlined blue inline text when viewed as HTML:

Click here to go to our free gift site!

When viewed as plaintext, this link now appears with angle brackets, as shown next:

 Click here <http://www.somesite.com> to go to our free gift site! 
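The plaintext rendering shown above, and the "link text that names a legitimate site but points elsewhere" trick described under "Phishing", combined in one added example that is not part of the book: it pulls the anchors out of an HTML message, renders each as "text <href>" the way a plaintext reader would, and flags any anchor whose visible text names a different host than its href. The message and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not from the book): render anchors as "text <href>" and flag
# link text that names one host while the href points to another.
# The sample message is constructed; hostnames are placeholders.
SAMPLE_HTML = """<p>Click <a href="http://www.somesite.com">here</a> to go to our free gift site!</p>
<p>Failure to update your records will result in account suspension.
To update your records, visit <a href="http://paypal.com.example.test/login">http://www.paypal.com/</a>.</p>
<p>Regards, <a href="http://www.paypal.com/">www.paypal.com</a></p>"""

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements, in document order."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url_or_text):
    """Hostname (lowercase) from a URL or bare 'www.host.tld' text, else ''."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def analyse_links(html):
    """Return one (plaintext rendering, mismatched) tuple per anchor.
    mismatched is True when the visible text looks like a host or URL and
    the href actually resolves to a different host."""
    p = AnchorCollector()
    p.feed(html)
    out = []
    for text, href in p.anchors:
        shown, real = host_of(text), host_of(href)
        looks_like_host = "." in text and " " not in text.strip()
        out.append((f"{text} <{href}>", looks_like_host and shown != real))
    return out
```

The first anchor is not flagged because "here" names no host; the plaintext rendering "here <http://www.somesite.com>" is what exposes it, exactly as the book describes.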

Last but not least, we recommend a healthy skepticism when dealing with all things on the Internet, especially unsolicited e-mail communications. Our advice is NEVER click hyperlinks in unsolicited e-mail. If you're worried about the message, open up a new browser and type in the URI manually (for example, www.paypal.com), or click a known good favorite. It's not that hard to pick up this habit, and it dramatically decreases the likelihood of being phished.

Adware and Spyware

Attack   Most users are familiar with software that behaves (mostly) transparently and according to expectations. Anyone who's read this chapter is also familiar with software that undeniably performs activities that no sane user would authorize. Somewhere between these two extremes sit adware and spyware: programs that may perform some activities with the consent of the user, and others without it.

Adware is broadly defined as software that inserts unwanted advertisements into your everyday computing activities. The best example of adware is those annoying popup ads that can overwhelm your browser when you visit a site with abusive advertising practices. 180Solutions is a company notorious for using deceptive software techniques to further their online advertising business.

Spyware is designed to surreptitiously monitor user behavior, usually for purposes of logging and reporting that behavior to online tracking companies that in turn sell this information to advertisers or online service providers. Corporations, private investigators, law enforcement, intelligence agencies, suspicious spouses, and so on have also been known to use spyware for their own purposes, legitimate and not so.

There are numerous resources available on the Internet that catalog and describe annoying and malicious software like adware and spyware (see "References and Further Reading"). The rest of our discussion will cover common spyware and adware insertion techniques, and how to rid yourself of these pests.

Common Insertion Techniques   There are two basic ways for adware and spyware to get on your machine: by exploiting a vulnerability, which we already discussed in the first part of this chapter, or by convincing the user to install it willingly. There is a range of methods for achieving the latter. Relatively forthcoming programs will present a straightforward installation routine that includes an affirmative opt-in to installation, as well as an End User License Agreement (EULA) that spells out expectations (although most users ignore these obtuse legalisms). At the other end of the spectrum is outright deceptive software that installs completely covertly, for example as part of the installation routine for other software. Microsoft has actually produced some interesting criteria for what constitutes deceptive software, and is implementing these criteria in its anti-malware products and services (see "References and Further Reading").

Common Insertion Locations   Spyware and adware typically insert themselves via one or more of the following techniques:

  • By installing an executable file to disk and referencing it via an autostart extensibility point (ASEP)

  • By installing add-ons to web browser software

The importance of ASEPs to the proliferation of annoying, deceptive, and even downright malicious software cannot be overstated; in our opinion, ASEPs account for 99 percent of the hiding places used by these miscreants. Some good lists of ASEPs can be found in "References and Further Reading." You can also examine your own system's ASEPs using the msconfig tool on Windows XP (click the Start button, select Run, and enter msconfig). Figure 10-2 shows the msconfig tool enumerating startup items on a typical Windows XP system.


Figure 10-2: The msconfig utility enumerates autostart extensibility points on Windows XP. Note the peer-to-peer networking software program highlighted here.

ASEPs are numerous, and they are generally more complex than the average user wishes to confront (especially considering that uninformed manipulation of ASEPs can result in system instability), so we don't recommend messing with them yourself unless you really know what you are doing. Use an automated tool like the ones we will recommend shortly.

Right up there with ASEPs in popularity are web browser add-ons, a mostly invisible mechanism for inserting helpful functionality into your web browsing experience. One of the most insidious browser add-on mechanisms is the Internet Explorer Browser Helper Object (BHO) feature (see "References and Further Reading"). Up until Windows XP SP2, BHOs were practically invisible to users, and they could perform just about any action feasible with IE. Talk about taking a good extensibility idea too far: BHOs remind us of Frankenstein's monster. Fortunately, in XP SP2, the Add-on Manager feature (under Tools | Manage Add-ons) will at least enumerate and control BHOs running within IE. You'll still have to manually decide whether to disable them, which can be a confusing task since some deceptive software provides little information with which to make this decision within the IE user interface. Alternatively, you can use one of the third-party tools we recommend next.

Adware and Spyware Countermeasures

Countermeasure   One of the best mechanisms for fighting annoying and deceptive software is at the economic level. Don't agree to install adware or spyware on your system in exchange for some cool new software gadget (like peer-to-peer file sharing utilities).

You can also fight back directly using anti-adware/spyware tools. Germany hosts the top two contenders: Spybot Search & Destroy and Ad-aware from Lavasoft at http://www.lavasoft.de. In informal testing, we give the clear edge to Spybot since it's free and found far and away more items than the free Ad-aware Personal version on our test system. We also like the "Immunize" and "Recovery" features offered by Spybot, as well as the ability to get updates via the Internet integrated within the tool. Spybot is shown scanning a system in Figure 10-3.


Figure 10-3: Spybot Search & Destroy finds adware and spyware on a system.

In addition to the free anti-spyware programs just mentioned, a robust commercial market is evolving. Webroot's SpySweeper consistently gets top honors in the reviews we've seen, based on comprehensiveness, ease of use, and feature set. In addition, most of the leading anti-virus/security software companies like Symantec and McAfee have amplified their offerings with anti-spyware capabilities. Comparison shopping amongst the various options is as easy as Googling "anti-spyware reviews."

Never to be outdone for long in any software industry sector, Microsoft is joining the fray with an anti-spyware product of its own, recently christened Windows Defender. Defender is also free, and Microsoft appears to have put solid resources behind the malware research that undergirds the product. They also intend to release a consumer-focused online service version of the product called Windows OneCare, which may offer the ultimate in convenience to end users who would be happy to simply pay a monthly fee to make the whole problem of annoying and deceptive software just go away. See "References and Further Reading" for more information about Microsoft's various offerings in this space.



HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
Year: 2006