
Fighting Phishing site at the front line --CNCERT/CC Anti-Phishing activities review






Presentation Transcript


  1. Fighting Phishing Sites at the Front Line -- CNCERT/CC Anti-Phishing Activities Review. CNCERT/CC, FIRST, Jun. 2005. www.cert.org.cn

  2. Abstract: • Overview of Phishing • Responsibility • Experience of CNCERT/CC • Review and prospect • Conclusion

  3. Overview of Phishing • What is Phishing? -- Phishing attacks use 'spoofed' e-mails and fake websites designed to trick recipients into revealing confidential information of economic value, such as credit card numbers, account usernames and passwords, social security numbers, etc.

  4. Overview of Phishing • Phishing is epidemic: -- 7 of 10 people who receive a phishing e-mail are taken in by the spoof -- 15% are tricked into providing personal information

  5. Overview of Phishing • Damage
     -- Average economic loss of $115 per adult duped (E-Trust)
     -- $500 million lost to phishing in the U.S. (APWG)
     -- One phishing site was visited 98 times in 48 hours (98 different IPs): 49 persons/day * 10 * 15% * $115 = $8452.5 per case

  6. Overview of Phishing • Statistics -- By the end of 2004, CNCERT/CC had received 230 phishing reports from over 33 financial and security organizations worldwide.

  7. Overview of Phishing • Statistics

  8. Overview of Phishing • Statistics, Dec. 2004 - March 2005 (APWG)

  9. Overview of Phishing • Statistics in March 2005 (APWG)
     -- Number of active phishing sites reported in March: 2870
     -- Average monthly growth rate in phishing sites, July 2004 through March 2005: 28%
     -- Number of brands hijacked by phishing campaigns in March: 78
     -- Number of brands comprising the top 80% of phishing campaigns in March: 8

  10. Statistics in March 2005 (APWG)
      -- Country hosting the most phishing websites in March: United States
      -- Contain some form of target name in URL: 31%
      -- No hostname, just IP address: 48%
      -- Percentage of sites not using port 80: 3.89%
      -- Average time online for a site: 5.8 days
      -- Longest time online for a site: 31 days
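The three URL-shaped indicators in the APWG figures above (target name somewhere in the URL, a bare IP address instead of a hostname, a port other than 80) are cheap to check on incoming phishing reports before any site is visited. The following is an added example, not code from the presentation or from CNCERT/CC; the brand allow-list, the sample URLs and the reserved `.example` domains and TEST-NET addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list (hypothetical brand and domains, not from the presentation):
# brand keyword -> hostnames that may legitimately carry that keyword.
LEGIT_DOMAINS = {
    "examplebank": {"examplebank.example", "www.examplebank.example"},
}

STANDARD_PORTS = {80, 443}


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_indicators(url, legit=LEGIT_DOMAINS):
    """Return the list of APWG-style phishing indicators present in one URL.

    ip_address_host   - no hostname, just an IP address
    nonstandard_port  - explicit port other than 80/443
    invalid_port      - port present but not a number (malformed URL)
    brand_in_url:<b>  - brand keyword appears anywhere in the URL while the
                        host is not one of the brand's own domains
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()   # hostname strips user@ and :port
    if not host:
        return ["unparseable"]

    found = []
    if is_ip_literal(host):
        found.append("ip_address_host")

    try:
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        port = None
        found.append("invalid_port")
    if port is not None and port not in STANDARD_PORTS:
        found.append("nonstandard_port")

    lowered = url.lower()
    for brand, domains in legit.items():
        on_own_domain = host in domains or any(host.endswith("." + d) for d in domains)
        if brand in lowered and not on_own_domain:
            found.append("brand_in_url:" + brand)
    return found


def triage(urls):
    """Map each reported URL to its indicators, keeping only URLs that tripped at least one."""
    result = {}
    for url in urls:
        indicators = url_indicators(url)
        if indicators:
            result[url] = indicators
    return result


if __name__ == "__main__":
    # Constructed sample report (reserved example domains and TEST-NET addresses).
    samples = [
        "http://www.examplebank.example/login",
        "http://192.0.2.10/examplebank/login",
        "http://examplebank.example.attacker-host.example:5121/",
        "https://examplebank.example@192.0.2.10/",
    ]
    for url, indicators in triage(samples).items():
        print(url, "->", ", ".join(indicators))
```

The fourth sample shows why the check works on the parsed hostname rather than on the raw string: the brand name sits in the userinfo part, and `urlsplit` correctly reports the IP literal after the `@` as the host.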

  11. Responsibility • Who has the responsibility? Bank -- provides a secure Internet banking environment -- but new phishing techniques are also developed fast

  12. Responsibility • Law enforcement -- investigates and arrests the 'phisher' -- most phishing incidents cross multiple countries, and the legal procedure takes a long time. In certain regions the ISP keeps logs for only 30 days, and the procedure may take longer than that.

  13. Responsibility • Service provider -- locates the host and finds out the user information -- most of the hosts were intruded, so their owners are also victims; the provider cannot force them to take down the phishing site.

  14. Responsibility • Bank customer -- reports the phishing site and avoids the phishing scam -- but may not know how to tell a phishing site from the normal site.

  15. Responsibility • CSIRT -- CSIRTs have trusted contacts across multiple regions -- CSIRTs have the research ability to follow new phishing tricks -- CSIRTs provide professional consultation to the public

  16. Responsibility • CSIRT -- public users trust CSIRTs and are willing to cooperate with them -- CSIRTs provide public awareness education

  17. Responsibility • The CSIRT is the chain linking every point in anti-phishing

  18. Experience of CNCERT/CC • Phishing techniques are changing rapidly -- since 2004, phishing has passed through three generations.

  19. Experience of CNCERT/CC • First generation (before Oct. 2004) -- fake appearance, IE redirection, address bar cover, pop-up login window. -- Purpose: to look like the normal bank site, hard to tell apart.

  20. Experience of CNCERT/CC • Address bar block

  21. Experience of CNCERT/CC • Pop-up login window

  22. Experience of CNCERT/CC • Unconventional ports
      Pid  Process    Port   Proto  Path
      436  svchost  -> 135   TCP    C:\WINNT\system32\svchost.exe
      492  msdtc    -> 1025  TCP    C:\WINNT\system32\msdtc.exe
      912  MSTask   -> 1026  TCP    C:\WINNT\system32\MSTask.exe
      792  sqlservr -> 1433  TCP    d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
      896  r_server -> 4899  TCP    C:\WINNT\System32\r_server.exe
      964  http     -> 5121  TCP    c:\winnt\system32\http.exe
      964  http     -> 5125  TCP    c:\winnt\system32\http.exe
      964  http     -> 5180  TCP    c:\winnt\system32\http.exe
      996  web      -> 6121  TCP    c:\winnt\system32\web.exe
      996  web      -> 6125  TCP    c:\winnt\system32\web.exe
      996  web      -> 6180  TCP    c:\winnt\system32\web.exe
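The listing above is the classic evidence of a planted phishing web server: two unfamiliar binaries under the system directory, each listening on several high TCP ports, alongside the expected Windows services. The following added example (not code from the presentation or from CNCERT/CC) parses a listing in this `Pid Process -> Port Proto Path` form, using the slide's own rows as input, and compares it against a constructed baseline of expected listeners; the baseline set is an assumption for this host, not something the slide states.

```python
import re
from collections import defaultdict

# The rows from slide 22, used here as the sample input.
LISTING = r"""
Pid Process Port Proto Path
436 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
492 msdtc -> 1025 TCP C:\WINNT\system32\msdtc.exe
912 MSTask -> 1026 TCP C:\WINNT\system32\MSTask.exe
792 sqlservr ->1433 TCP d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
896 r_server -> 4899 TCP C:\WINNT\System32\r_server.exe
964 http -> 5121 TCP c:\winnt\system32\http.exe
964 http -> 5125 TCP c:\winnt\system32\http.exe
964 http -> 5180 TCP c:\winnt\system32\http.exe
996 web -> 6121 TCP c:\winnt\system32\web.exe
996 web -> 6125 TCP c:\winnt\system32\web.exe
996 web -> 6180 TCP c:\winnt\system32\web.exe
"""

# Tolerates the "->1433" row where the space after the arrow is missing.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s*(\d+)\s+(TCP|UDP)\s+(.+?)\s*$")

# Constructed baseline (hypothetical): (process name, port) pairs expected on this host.
BASELINE = {("svchost", 135), ("msdtc", 1025), ("mstask", 1026), ("sqlservr", 1433)}


def parse_listing(text):
    """Parse the listing into dicts; header, blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        entries.append({"pid": int(pid), "process": proc, "port": int(port),
                        "proto": proto, "path": path})
    return entries


def unexpected_listeners(entries, baseline=BASELINE):
    """Listeners whose (process, port) pair is not in the baseline; names compared case-insensitively."""
    return [e for e in entries if (e["process"].lower(), e["port"]) not in baseline]


def multi_port_processes(entries, min_ports=2):
    """Processes holding several listening ports, the pattern the planted servers show above."""
    ports = defaultdict(set)
    for e in entries:
        ports[(e["pid"], e["process"])].add(e["port"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    for e in unexpected_listeners(entries):
        print("unexpected: pid %d %s port %d %s" % (e["pid"], e["process"], e["port"], e["path"]))
    for (pid, proc), plist in multi_port_processes(entries).items():
        print("multi-port: pid %d %s -> %s" % (pid, proc, plist))
```

A baseline keyed on both process name and port is deliberate: a renamed binary on an expected port and an expected binary on an unexpected port both fall out as findings, and the path column is kept so a reviewer can see that the flagged listeners live in the system directory.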

  23. Experience of CNCERT/CC • Extra info -- most of the phishing web servers planted in the hosts are Russian versions -- and some of the evidence is related to the Russian region.

  24. Experience of CNCERT/CC • Second generation (Oct. 2004 - Mar. 2005) -- combined with a backdoor, key logger, or Trojan. -- Purpose: to hijack the user's information through spyware.

  25. Experience of CNCERT/CC • Spyware detected on phishing sites -- JS/Stealus -- W32.Netsky -- Web/HTTP (Russian-version web server); it has been used as spyware

  26. Experience of CNCERT/CC • Third generation (Mar. 2005 - ) -- exploits DNS cheating, botnets, and dynamic domains -- Purpose: to make the phishing site hard to detect and investigate

  27. Experience of CNCERT/CC • Pharming, the revival of an old trick, uses malware/spyware to redirect users from real websites to fraudulent sites (typically DNS hijacking).

  28. Experience of CNCERT/CC • Devious DNS tricks -- Dynamic domain, dynamic IP: CNCERT/CC found many phishing sites hosted on ADSL users' PCs, which are live only while the user is online.

  29. Experience of CNCERT/CC • Devious DNS tricks -- AusCERT found:
      • A domain name was registered, similar to the bank's.
      • 5 name servers were listed in the WHOIS record. These changed every day or so.
      • Each of these 5 name servers resolved the fake bank domain to 5 other servers. These changed every 30 minutes or so.
      • We saw the IP of the phishing site move across 44 different IPs in a short space of time (see below for IPs).

  30. Experience of CNCERT/CC • Botnet -- Netcraft said a botnet can be used as a nameserver to phish. CNCERT/CC detected a botnet with 100 thousand bots. It is a serious situation once a botnet is used to 'phish'.
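The AusCERT observation on slide 29 (nameservers rotating daily, answers rotating every half hour, the site's address wandering across dozens of IPs) and the botnet-as-nameserver point on slide 30 share one detection handle: a domain whose resolution churns far faster than a legitimate bank's. The following added example, not code from the presentation, CNCERT/CC or AusCERT, summarises a log of repeated lookups per domain and flags the churn; the observation log, the lookalike domain, the thresholds and the reserved example addresses are all constructed for illustration and are not AusCERT's numbers.

```python
from datetime import datetime, timedelta


def constructed_observations():
    """Constructed lookup log: (time, domain, answering nameserver, A record).

    One stable domain and one lookalike whose nameserver and address rotate on
    every half-hour lookup, modelled on the pattern quoted from AusCERT above.
    """
    t0 = datetime(2005, 3, 1, 0, 0)
    obs = []
    for i in range(12):                                 # 12 lookups, 30 min apart
        when = t0 + timedelta(minutes=30 * i)
        obs.append((when, "examplebank.example", "ns1.examplebank.example", "192.0.2.10"))
        obs.append((when, "examp1ebank.example",
                    "ns%d.flux-host.example" % (i % 5 + 1),   # 5 nameservers in rotation
                    "203.0.113.%d" % (1 + 3 * i)))            # a fresh address each time
    return obs


def summarize(observations):
    """Collapse the log into per-domain sets of nameservers and addresses plus a time span."""
    per_domain = {}
    for when, domain, ns, ip in observations:
        s = per_domain.setdefault(domain, {"first": when, "last": when,
                                           "nameservers": set(), "ips": set(), "samples": 0})
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
        s["nameservers"].add(ns)
        s["ips"].add(ip)
        s["samples"] += 1
    return per_domain


def flux_report(summary, domain, max_ips=5, max_nameservers=2):
    """Score one domain; thresholds are constructed assumptions, not AusCERT's figures."""
    s = summary[domain]
    hours = max((s["last"] - s["first"]).total_seconds() / 3600.0, 0.5)  # floor avoids /0 on a single sample
    distinct_ips = len(s["ips"])
    distinct_ns = len(s["nameservers"])
    return {
        "domain": domain,
        "samples": s["samples"],
        "distinct_ips": distinct_ips,
        "distinct_nameservers": distinct_ns,
        "ips_per_hour": round(distinct_ips / hours, 2),
        "suspicious": distinct_ips > max_ips or distinct_ns > max_nameservers,
    }


if __name__ == "__main__":
    summary = summarize(constructed_observations())
    for domain in sorted(summary):
        print(flux_report(summary, domain))
```

The report counts distinct answers rather than raw lookups, so a legitimate domain behind a handful of load-balanced addresses stays below the threshold while the rotating one trips both the address and the nameserver limits; in practice the thresholds would be tuned against a baseline of the bank's own resolution history.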

  31. Review and prospect • CNCERT/CC -- public awareness education -- anti-phishing consultation -- anti-phishing investigation and take-down -- anti-phishing tech research -- participation in the APWG working group

  32. Review and prospect • Future trends -- Financial institutions will continue to be the top targets; phishing attacks will target the identities of small to medium-size institutions. -- Phishing attacks will increase in sophistication. -- Use of Trojans, screen captures and key loggers will increase. -- Attacks that target the DNS and router infrastructure will increase.

  33. Review and prospect • Future trends -- Phishing attacks will exploit global events such as tsunamis and holidays. -- The distinction between phishing, spyware, and malware will blur. -- The time between the discovery of an exploit and its use in phishing will shrink. -- Browser-specific phishing attacks will emerge.

  34. Review and prospect • Establishing a procedure of cooperation with law enforcement is worth considering

  35. Conclusion -- Anti-phishing is a long-term fight -- Anti-phishing is a good place for CSIRT practice -- Trust relationships are required -- Anti-phishing is a way to establish those trust relationships.

  36. Thank you. E-mail: larryliu@cert.org.cn
