CISO

Enterprise Information Security

Anti-phishing . Detection

by Leave a Comment

Phishing is a very common means of social engineering in these days. Despite the increased efforts by Banks and other organizations, there is still a good number of people fall victims of the phishing attacks. Some of the attacks are very targeted to some people and some others are for a wider audience. Those who fall victim, often loose their online identity to the attackers.

When setting up a phishing site, attackers often use either a phishing kit readily available or build a custom one which fakes the real web page. In many cases, the phishing site will have the following characteristics

  • The entry page: This is the page the phishing attackers communicate to its potential victims. This page comes up to the end users as the channel to the fake site, by means of email or malware or even instant messages
  • The data capturing page (s): This page is used by the attackers for collecting the data such as usernames and passwords, credit card number and associated information, social security numbers etc. The submit button in the final page often would be a server side script like .php. sending the captured information to the attacker.
  • The exit page: At times, the attackers redirect the users to genuine website to leave an impression with the user indicating that the user was actually on a real website.

So how do you detect phishing, with this information?

In most cases, the images and style sheet files are fetched from the original website. If you are using any dynamic images, they are also often referred from the original site. Web servers often record the logs of events and give detailed information on who accessed the site from where. there are many configurable parameters such as referrer logs. analysing the referrer logs of the webserver can provide detailed insights of the sites from the web traffic is originated. For example, if the image at the url www.example.com/a.jpg is referred from www.ciso.in/example.html then the webserver log at www.example.com would show www.ciso.in/example.html as the referrer. If you have a log management system to capture and do the log analysis, you can filter out the most common referrers and identify the potential phishing sites.

This is only one among many ways to detect the potential phishing attacks. Hope this tip would help you in detecting the phishing sites very early.

New phishing trends

by 2 Comments

Phishing attacks are getting sophasticated everytime. Recently, phishers become very creative in detection mechanisms. In a recent attack phishers modified the .htaccess file to deny access from specific IP addresses while they were using a known phishing kit. Over a period of time it will become known to the world, especially the attackers, which service provider helps your organization in anti-phishing service. Being in the phishing business these attackers are very well aware of the IP addresses used by these anti-phishing companies

In the new trend, by denying the access to the phished pages by using access list in the .htaccess page, the service providers are typically blind about the status of the phished site. It is interesting to see that the attackers are blacklisting the security companies so that an incident response analyst checks the site, the attack will look like offline.

Tips for corporates

  • Do not disclose the details of the anti-phishing service provider publicaly
  • Change the anti-phishing provider periodically
  • To check the status, do not rely only on the service provider
  • Communicate with your service provider to use the public proxies for checking the status

Service Providers

  • Use anonymisers for browsing the phishing sites so that you wont leave the trace at the site
  • Do not use your publicaly announced IP addresses for checking the attack status

Money Mules

by Leave a Comment

In the recent days, we have seen many emails claiming to be from your bank and asking you to provide the user name, password, ATM Number PIN etc… First of all let me emphasize the fact that these are fake emails. Banks or any other responsible companies will never ask for these details of yours for any reason.

Let me reiterate that never ever respond to such emails. Do not click on the links in these emails as this will lead to fake sites. Entering your online banking username and password to these fake sites will make an attacker to take control of your account and withdraw all the money you have in your account. This scam is normally known as Phishing

I will post another post on the phishing later. In this post, I would like to emphasize the money mule scam which is the hidden side of the phishing.

Extract from Wikipedia about money mules

“Money mule is a person who transfers money and reships high value goods that have been fraudulently obtained in one country, usually via the internet, to another country, usually where the perpetrator of the fraud lives.
The need for money mules arises because while a criminal in a developing country can obtain the credit card numbers, bank account numbers, passwords and other financial details of a victim living in the first world via the internet through techniques such as malware and phishing, turning those details into money usable in the criminal’s own country can be difficult. Many businesses will refuse to transfer money or ship goods to certain countries where there is a high likelihood that the transaction is fraudulent. The criminal therefore recruits a money mule in the victim’s country who will receive money transfers and merchandise and resend them to the criminal in return for a commission”

There are various stages where people are recruited as money mules

First stage is to advertise the job vacancies, usually the work from home scheme. The advertisements will appear in major employment portals and job sites as well as free classifieds sites offering stay at home positions such as financial representative, Fund manager, regional assistant etc… Occasionally these recruitment drive will have well defined company websites which will boost the trust of the person applying for these kind of jobs.

Typical responsibilities of a mule is to transfer the money which is coming into his/her account to an account of the so called company. The mule might have been informed that these transactions are genuine transactions and to fast track these transaction the company needs a financial representative.

Below is a sample email of a typical mule recruitment

We are a small Software Development Company. The company based in Ukraine but at this time we open new office in Bulgaria. We.ve earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European and North American copmanies and providing them with reliable softwaredevelopment services in financial, telecom and media sectors.

Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment from your country and such delays are harmful to uor business.We do not have so much time to accept every wire transfer and we can’t accept cashier.s checks or money orders as well. That.s why we are currently looking for partners in your country to help us accept and process these payments faster.If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and check payments and forwarding them to us. ……

Looking forward to hearing from you.
Sincerely,
Kerri Knight
Director of Electronics

How true it is; isn’t it?

So the end to end actions are like this. Attacker gets a users online banking account using phishing or viruses. Then they recruit the money mules and gets the bank account details of the mule. Once it is done, then they will use the online banking details of the user obtained through phishing (not the mule) to login to the banking site and transfer the money to Mule’s account. Mule believes it as the financial transaction from the parent companies customer and transfers the money after deducting the commission normally through western union or similar service.

So far everything is cool. Now the real problem happens for the mule. The bank’s customer who lost the money registers the compliant with the banks / police. Investigation will show that the money is transferred to the Mule’s account. Mule is caught and asked to pay the money  back in full and/or face legal consequences.

This post is gone beyond the length what I have thought, so let me stop here.

The three things you should remember and if possible follow are given below.

  • Never ever click through some links in email to access your online banking
  • Always be cautious about the additional income jobs and never be a carrier for the money.
  • Always run an antivirus on your PC and update it.
Reblog this post [with Zemanta]

Phishing in the middle eastern banks are on rise

by Leave a Comment

wie?e w kuwejcieImage via Wikipedia

Recently I was noticing an increase in the phishing emails targeted to the Banks in Kuwait. This was very low in the past years, as low as only 10 attempts noticed at some banks. However, recently the number of attacks are risen drastically. I am wondering what made the phishers to target these countries all of a sudden?

Is it the fact the cyber laws are not strong or that the money?

Drive-By Pharming

by Leave a Comment

Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson have identified a clever, and potentially devastating, attack against home/wireless routers.

How does the attack works?

  1. Attacker creates a webpage with containing the malicious Javascript code.
  2. Victim visits the page
  3. The code makes a login attempts into the users home broadband router and then attempts to change its DNS server settings to point to an attacker-controlled DNS server
  4. Once the user.s machine receives the updated DNS settings from the router (after the machine is rebooted) future DNS requests are made to and resolved by the attacker.s DNS server.
  5. Now the attacker basically owns the victim.s web connection.

The main condition for the attack to be successful is that the attacker can guess the router password. This is surprisingly easy, since home routers come with a default password that is uniform and often never changed.

They.ve written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users change their home broadband router passwords to something difficult to guess, they are safe from this attack.

Additional details can be found here. There.s also a paper on the attack.

Note that the attack does not require the user to download any malicious software; simply viewing a web page with the malicious JavaScript code is enough.

Trusted Phishing

by Leave a Comment

I have seen many sites using a logo, provided by the security certificate vendor, be it VeriSign, Thawte or any for that matter. Most of the people trust this logo as they can check the validity of the site in real-time. Now comes the real question. Are you really getting the authenticity of the website? It is true sometimes, but not always. In the recent past I have seen many websites with the security logo which will enable the users to verify the authenticity of the website.

The phishers/attackers take the advantage of HTML coding. They just embed the target URL which will result while you are on the genuine website. Let.s check the scenario with eBay.

The Login page of Ebay has the VeriSign Secured logo. Verify the site by clicking the logo; it will take you to

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&lang=en&dn=sig.

Now let.s see this URL

Where did you reach? Does this give an added assurance to the user? No!!! This can be imitated even by the attackers and eventually it will make the fake site more authentic.

Please take these logos as reminders and not as the security assurance. If you have followed an external link to reach the website where you want to trust the security, then re-enter the URL by hand in a new browser window, be on the safer side.

Phishing . attacks and countermeasures

by Leave a Comment

What is Phishing?

Phishing is the art of stealing the idnetity of an individual and obtaining confidential information by the attacker. Surveys and studies reveals that the direct financial loss due to phishing attacks accounted for 1.2 billion in 2003 and is increasing day-by-day. The indirect loss is many times higher than the direct loss.

The most popular phishing attack strategy is to trick the users by sending fraudulant messages into giving out information. You might have seen messages like .ABC bank requires to verify your account information, please follow the below URL and enter the login credentials to verify your account..

Other methods include malware attacks, where malicious code is used to obtain the confidential information and DNS redirection, where the DNS entries are altered to redirect the users to the fraudulant server.

Phishing attack flow

Most of the phishing attacks falls in the following work flow

  1. Attack planning
  2. Setting up the phish page/server
  3. Sending the malicious code/email/message
  4. End user action (executing the code, clicking the links etc..)
  5. Prompting for confidential information
  6. User enters the confidential information
  7. The phishing server send the confidential information to the phisher
  8. Use of the confidential information to impersonate the user
  9. Making use of the compromised information and performing fraudulant transactions.

Countermeasures

The phishing problem cannot be handled solely by the end-users, financial institutions or regulations. A combined effort is important to mitigate the threat of phishing. The solution to phishing lies in taking counter measures at all levels. This includes, technical solutions, user awareness and regulations.

To effectively counter a phishing attack, the early detection of such activity is important.

99.99% of the phishing attacks have an associated phishing page, which captures the information from the end user. This hosting of the phishing page is the first step in the phishing. Many attackers use the images and buttons from the real website by saving the webpage as it is or will redirect the page to the geniune site after the submission of the confidential data. In both the cases, the webserver logs will have the referer names recorded. Regularly reviewing the webserver logs will help the detection in the planning stage of a phishing attack.

Once the server is setup, the attacker starts sending the .bait. emails with the URLs encoded in the email. These emails are either from a valid email address or from an invalid address. As the attacker sends thousands of emails, there is a high chance of finding bounced messages in the inbox of the valid mailbox. Tracking the customer facing mailboxes for bounced messages can help detecting that a phishing attack is in progress and a possibility of finding the details of the phishing site.

Another way to detect the phishing is by asking the users to report it. Ideally, your website shouold have a option for reporting the phishing incidents they recieve.

Once you have identified the phishing attack and the detils related to it, the next step is to take the phishing site down. To achive this, the phishing site need to be reported to the authorities. The lsit includes ISP.s, the related NIC, hosting provider etc.

Security Meassures for End Users

The above details give a snapshot of how the phishing works and how to prevent it. References:This document has excerpts/ideas from articles posted in and websites.

  • Do not click on any link received through mails, always type or use the bookmarks
  • Do not send sensitive information like passwords or banking pins through emails to anyone
  • Contact the bank/organization incase of any suspicious transaction
  • Always use complex alpha-numeric passwords containing at least 8 characters. Refer to the posts related to passwords in this site.
  • Change passwords at least once in 2 months and avoid using the same password for multiple Websites
  • Update the system with security patches and anti-virus signatures
  • Set Internet browser security settings to .high.
  • Avoid visiting links containing [email protected] sign in the URL
  • Always make sure that financial or commerce Websites contain .HTTPS. before the URL and the .Padlock. at the status bar
  • Log out properly from all open accounts, such as email and online banking etc.
  • Close the browser after completing any transaction

The above details give a snapshot of how the phishing works and how to prevent it.

The above details give a snapshot of how the phishing works and how to prevent it. References:

The above details give a snapshot of how the phishing works and how to prevent it. References:This document has excerpts/ideas from articles posted in SANS and Antiphishing websites.