COEN 252 Computer Forensics - PowerPoint Presentation
Uploaded On 2016-04-18
Presentation Transcript

Slide1

COEN 252 Computer Forensics

Phishing

Thomas Schwarz, S.J. 2006

Slide2

URL Obscuring

Internet based criminal activity that subverts web technology:
Phishing (fraud)
Traffic redirection
Hosting of illegal sites
Child pornography

Slide3

URL Obscuring

Internet based fraud is gaining quickly in importance.

Phishing: The practice of enticing victims with spoofed email to visit a fraudulent webpage.

http://www.antiphishing.org/

Slide4

URL Obscuring

Technical Subterfuge:
Plants crimeware onto PCs.
Example: A vulnerable web browser executes a remote script at a criminal website.
Just staying away from porn no longer protects you.
Payload: Use Trojan keylogger spyware.
Search for financial data and send it to an untraceable email address.

Slide5

URL Obscuring

Social Engineering:
Target receives e-mail pretending to be from an institution, inviting them to go to the institution's website.
Following the link leads to a spoofed website, which gathers data.
It is possible to establish a web presence without any links:
Establish a website with a stolen / gift credit card.
Use email to send harvested information to an untraceable account, etc.
Connect through public networks.

Slide6

URL Obscuring

Phishing
Targets general population
Thrives even with very low success rate
Spear Phishing
Targets individuals
More sophisticated and more expensive
Individual success has higher value

Slide7

URL Obscuring:

Phishing Example

Visible Link: https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html

Actual Link: http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm

Actual website IP: 209.35.123.41

Uses a Java program to overwrite the visible address bar in the window:

Slide8

URL Obscuring:

Phishing Example

Slide9

Phishing Tendencies

Phishes currently are very unsophisticated.

Sophistication does not yield a much better success rate.

Slide10

URL Obscuring

Phishes need to hide web servers.
URL Obscuring
JavaScript or other active web technology overwrites the URL field; no longer possible in the latest browsers.
Other techniques to hide the web server address:
Use hosts file
Hiding illegal web server at legal site
Hijacking site to host pages.

Slide11

URL Basics

Phishes can use obscure features of URLs.
URL consists of three parts:
Service
Address of server
Location of resource.

http://www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html

Slide12

URL Basics

Scheme, colon, double forward slash.
An optional user name and password.
The internet domain name (RFC 1037 format) or IP address as a set of four decimal numbers.
Port number in decimal notation. (Optional)
Path + communication data.

http://tschwarz:fiddlesticks@www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html

http://www.google.com/search?hl=en&ie=UTF-8&q=phishing

Slide13

Obscuring URL Addresses

Embed URL in other documents.
Use features in those documents to not show the complete URL.

http://www.usfca.edu@www.cse.scu.edu/~tschwarz/coen252_03/index.html

URL rules interpret "www.usfca.edu" as a user ID.
Hide this portion of the URL.

Slide14

Obscuring URL Addresses

Use the password field.
www.scu.edu has IP address 129.210.2.1.
Some browsers accept the decimal value 129*256**3 + 210*256**2 + 2*256 + 1 = 2178023937 for the IP address.
http://www.usfca.edu@2178023937 works as a link.
Does not work directly in later versions of IE.

Slide15

Obscuring URL Addresses

http://www.usfca.edu@129.210.2.1 works.
Hide @ behind its percent-encoded ASCII value:
http://www.usfca.edu%40129.210.2.1
Or just break up the name:
http://www.usfca.edu%40%127%167w.scu.edu
Or use active page technologies (JavaScript, …) to create fake links.

Slide16

Obscuring URL Addresses

IDN – International Domain Names
Non-English Unicode characters are encoded as basic ASCII strings: punycode.
Punycode example: bücher.ch is encoded as xn--bcher-kva.ch
Homographs: Characters from different alphabets look the same.
Potential URL Obscuring
Register paypal.com, where one ‘a’ comes from a different alphabet.

Slide17

Obscuring URL Addresses

Padding URLs
.. means go up; create a directory named ...
http://129.210.2.1/.../../.../../.../../.../error.html

Slide18
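The tricks on Slides 13 to 17 can be checked mechanically before anyone clicks. The following is an added example, not part of the lecture: a small Python checker that flags a userinfo prefix in front of the real host, a percent-encoded '@', a decimal IP host (converted back to dotted form), punycode labels (decoded so a homograph becomes visible) and '...' padding in the path. The sample links are constructed from the lecture's own examples.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample links modelled on the lecture's examples (not live phishing URLs).
SAMPLE_LINKS = [
    "http://www.usfca.edu@www.cse.scu.edu/~tschwarz/coen252_03/index.html",
    "http://www.usfca.edu@2178023937",
    "http://www.usfca.edu%40129.210.2.1",
    "http://xn--bcher-kva.ch/",
    "http://129.210.2.1/.../../.../../.../../.../error.html",
    "https://www.usa.visa.com/personal/secure_with_visa/index.html",
]

def decimal_to_dotted(value):
    """Convert a 32-bit decimal host such as 2178023937 back to dotted-quad form."""
    return str(ipaddress.IPv4Address(int(value)))

def analyse_url(url):
    """Return (trick, detail) pairs for every obscuring trick found in one URL."""
    findings = []
    if "%40" in url.lower():
        # %40 is '@'; the URL is percent-decoded below so urlsplit sees the separator.
        findings.append(("encoded-at", "'%40' hides the userinfo separator"))
    parts = urlsplit(unquote(url))
    host = parts.hostname or ""
    if parts.username is not None:
        findings.append(("userinfo", f"'{parts.username}' is shown, real host is '{host}'"))
    if host.isdigit():
        try:
            findings.append(("decimal-ip", decimal_to_dotted(host)))
        except ValueError:
            findings.append(("decimal-ip", "value outside the 32-bit range"))
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            findings.append(("punycode", host.encode("ascii").decode("idna")))
        except UnicodeError:
            findings.append(("punycode", "label does not decode"))
    if re.search(r"/\.{3,}/", parts.path):
        findings.append(("padding", "'...' pseudo-directories pad the path"))
    return findings

def scan(urls):
    """Map each URL to its list of findings (empty for a plain URL)."""
    return {url: analyse_url(url) for url in urls}

if __name__ == "__main__":
    for url, found in scan(SAMPLE_LINKS).items():
        print(url)
        for trick, detail in found:
            print(f"  {trick}: {detail}")
```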

Obscuring URL Addresses

Redirection
Direct target redirects to main site.
Chances of the main site getting shut down are lower.
Technologies:
Page-based redirection
Add a meta tag to the head section:
<meta http-equiv="refresh" content="0; URL=http://bobadilla.engr.scu.edu">
Server-based redirection
Apache: httpd.conf with a redirect statement
Redirection via vulnerable websites
2006: eBay ran a script that redirected, based on the query string, to any site.

Slide19

'Enroll your card with Verified By Visa program'

2004: Phish sends SPAM consisting of a single image:

Slide20

'Enroll your card with Verified By Visa program'

The whole text is a single image, linked to the correct citi URL.

If the mouse hovers over the image, it displays the correct citi URL.

But it is surrounded by an HTML box that leads to the phishing website.

Slide21

'Enroll your card with Verified By Visa program'

Target webpage has an address bar that is overwritten with a picture with a different URL.

Go to www.antiphishing.org.

Slide22

Slide23

Slide24

Phishing

Phishers now use bogus HTTPS techniques:
Exploiting browser flaws to display the secure icon.
Hacking legitimate sites, or framing pages from these sites directly.
Purchasing and presenting certificates for sites named to resemble the target sites.
The SSL lock icon is no longer a guarantee of a legitimate site.

Slide25

Registrar Impersonation Phishing Attacks

Phisher sets up a bogus registrar customer portal.
Phisher composes email correspondence from the registrar.
Phisher sends email to the contact email addresses for a domain name.
Victims visit the bogus registrar customer portal and disclose login credentials.
Phisher collects account credentials for subsequent misuse.

Slide26

Registrar Impersonation Phishing Attacks

Domain name registration information is open to the public.
E.g. whois for Windows or Linux/Unix.
Adversary can use this information (plus the web) in order to target potential victims.
For example, those whose registration is close to expiration.
The information is also used to enhance the credibility of the message.

Slide27

Use whois

Slide28

Slide29

Registrar Impersonation Phishing Attacks

Once authentication information is obtained:
Modify DNS records to point to name servers under the attacker's control.
MX: Points to mail hosts under the attacker's control; use them to send spam, … The victim was trusted.
AAAA or A: Point to systems under attacker control
To host phony content
To provide false authentication portals

Slide30

Registrar Impersonation Phishing Attacks

Fast Flux attacks

Fully qualified domain name has multiple (hundreds or even thousands) IP addresses assigned to it.

Slide31

Registrar Impersonation Phishing Attacks

Countermeasures taken:
Registrars limit open information severely.
Should not use email to communicate with clients.

Slide32

Hiding Hosts

Name Look-Up:
OS checks the hosts file first.
Can use the hosts file to block out certain sites (ad servers).
Affects a single machine.

OS                  Location
Linux               /etc/hosts
Win95/98/ME         C:\windows\hosts
Win NT/2000/XP Pro  C:\winnt\systems32\etc\hosts
Win XP Home         C:\windows\system32\drivers\etc\hosts

Slide33

Subverting IP Look-Up

In general, not used for phishing.
Economic damage: Hillary for Senate campaign attack.
Hiding illegal websites. (Kiddie Porn)
DNS Server Sabotage
IP Forwarding

Slide34

Subverting IP Look-Up

Port Forwarding

URLs allow port numbers.
Legitimate business at default port number.
Illegitimate at an obscure port number.

Screen clicks

Embed small picture.

Single pixel.

Forward from picture to the illegitimate site.

Easily detected in HTML source code.

Password screens

Depending on access control, access to different sites.

Slide35
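Slide 18 (meta-refresh redirection) and the "screen clicks" item on Slide 34 (a single-pixel image wrapped in a link to an obscure port) both say the trick is visible in the HTML source. The following is an added example, not part of the lecture: a Python scanner built on the standard-library HTML parser that pulls out meta-refresh targets and links whose only content is a tiny image. The sample page is constructed; the host 203.0.113.5 is a documentation address, not a real site.

```python
from html.parser import HTMLParser

# Constructed sample page modelled on the lecture's redirect and pixel-link tricks.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0; URL=http://bobadilla.engr.scu.edu">
</head><body>
<a href="http://www.example-bank.test/login"><img src="logo.gif" width="300" height="80"></a>
<a href="http://203.0.113.5:8081/enroll"><img src="dot.gif" width="1" height="1"></a>
</body></html>
"""

class RedirectFinder(HTMLParser):
    """Collects meta-refresh targets and links wrapped around tiny images."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = []   # (delay, target) from <meta http-equiv="refresh">
        self.pixel_links = []    # href of <a> tags that wrap an image of 2x2 px or less
        self._open_href = None   # href of the <a> we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            delay, _, target = (a.get("content") or "").partition(";")
            target = target.strip()
            if target.lower().startswith("url="):
                target = target[4:].strip()
            self.meta_refresh.append((delay.strip(), target))
        elif tag == "a":
            self._open_href = a.get("href")
        elif tag == "img" and self._open_href:
            try:
                width, height = int(a.get("width") or 0), int(a.get("height") or 0)
            except ValueError:       # e.g. width="1px": not a bare number, skip it
                return
            if width <= 2 and height <= 2:
                self.pixel_links.append(self._open_href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None

def scan_html(html):
    """Return the meta-refresh targets and pixel-image links found in a page."""
    parser = RedirectFinder()
    parser.feed(html)
    return {"meta_refresh": parser.meta_refresh, "pixel_links": parser.pixel_links}

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```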

Phisher-Finder

Carefully investigate the message to find the URL.
Do not expect this to be successful unless the phisher is low-tech.
Capture network traffic with Ethereal to find the actual URL / IP address.
Use Sam Spade or similar tools to collect data about the IP address.

Slide36

Phisher-Finder

Capture network traffic with Ethereal when going to the site. This could be dangerous.
Disable active webpages.
Do not use IE (too popular).
Look at the HTTP messages actually transmitted.
Expect some CGI etc. script.

Slide37

Phisher-Finder

Investigation now needs to find the person that has access to the website.
This is where you can expect to lose the trace.
The data entered can be transmitted in various forms, such as anonymous email.
For example, they can be sent to a free email account.
The ISP usually has the IP data of the computer from which the account was set up and from which the account was recently accessed.
Perpetrator can use publicly available computers and / or unencrypted wireless access points.
Investigator is usually left with vague geographical data.