Anatomy of a Phishing Email Emil Leong MailFrontier Inc.
The Problem Phishing is Everywhere
MailFrontier Employee/Contractor,

Your e-mail account was used to send a large number of unsolicited spam messages during the past 5 days. We suspect your account has been compromised. Please click here to change your account password in the next 24 hours. Failure to change your account password will result in the suspension of your login to the system.

Virtually yours,
The MailFrontier Support Team

… and sometimes it can hit close to home!
Phishing by the numbers
• 5.7 billion – the estimated number of phishing email messages sent worldwide each month
• 73 million – the number of adults who “believe” they have received at least 50 phishing emails in the last year (Gartner)
• 14,135 – number of unique phishing attacks in July 2005 (APWG)
• 2,944 – number of phishing sites operational in July 2005 (APWG)
• 46% – the percentage of phishing sites hosted in the United States in July 2005 (APWG)
• 5.9 – average number of days a phishing site stays live (APWG)
Social engineering: consumer (example: www.paypal-verify.info)
• Build credibility
  • Spoof of a real company
  • Spoofed company sender
  • Links to the company site
• Create a reason to act
  • Plausible premise
  • Generate urgency
  • Require a quick response
• Have a call to action
  • “Good” visual URL
  • “Good” hidden URL as well
Social engineering: corporate
• Build credibility
  • Spoof of a real company
  • Spoofed company sender
  • Links to the company site
• Create a reason to act
  • Plausible premise
  • Generate urgency
  • Require a quick response
• Have a call to action
  • “Good” visual URL
  • Hidden URL could be an IP address
Phishing with forms: “Action” Mailto
This email appears to be from eBay, but it actually sends the information it collects to the fraudster’s email address listed in the <form action=> statement.
Phishing with forms: “Action” Execute
Sprechen sie deutsch? …or the action executes a program on the phishing server, e.g. http://219.163.9.224/manual/login_trigger.php
Email link tricks
• Stupid link tricks
• URL hiding
• Misdirection
Link tricks
• Credible IP string
  • Uses a credible-looking text string within the URL
  • http://81.109.43.102/ebay/account_update/now.php
• The @ sign
  • Everything to the left is forgotten, everything to the right is used
  • http://www.usbank.com/update.pl@81.109.43.102/usb/upd.pl
• Long status line
  • The URL is so long that it cannot be completely displayed in the status bar
  • Often combined with the @ trick
  • http://www.usbank.com/update/cust=90119323... 100 characters later… status=1@www.usbank-verify.us/update
• Similar names
  • Uses a credible-sounding, but fraudulent, domain name
  • http://www.ebay-secure.com/verify
The @ in action: disguising the URL
<a href="http://internal/login/update/accounts/securid/secureupdatecode=3D849E459FB77AC8C5783450459c3849aa23cd94834839913449913445223cd9483991344523D@http://www.sisterstuff.com/images/index.html">http://internal/loginupdate.htm</a>
Display link: http://internal/loginupdate.htm
Status bar: http://internal/login/update/accounts/securid/secureupdatecode=3D849E...
Reality: http://www.sisterstuff.com/images/index.html
Similar names
The “Click Here” link in this fraudulent PayPal email takes the user to: http://www.paypal-supports.com
• Some of my favorites
  • banking-account-renewal.com
  • citibank-validate.info
  • customer-verification.com
  • earthlink-reactivation.net
  • services-bankofamerica.com
  • sales-aol.net
  • secure-ebay.com
  • secure-usbank.info
  • security-update.cc
  • service-visa.net
  • verification-e-gold.com
Link tricks – URL hiding
• URL encoding
  • Encodes the URL to disguise its true value using hex, dword, or octal encoding
  • http://www.visa.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33 translates into 220.68.214.213
• Image maps
  • The URL is actually part of an image, which uses map coordinates to define the click area and the real URL, while the fake URL from the <A> tag is displayed
• URL as a button
  • The displayed URL is contained in the text description of a form button
  • The button itself is formatted to match the email background
  • The fake URL does not display in the status bar of the email client
• onMouseOver
  • Places a fake URL in the onMouseOver message
onMouseOver: shows a false URL in the status bar of the user’s email application
<A onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'" href="http://leasurelandscapes.com/snow/webscr.dll">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</A>
Status bar shows: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
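The form and anchor tricks above can be caught at the HTML level before the user ever hovers. The scanner below is an added example (not MailFrontier's code) that walks a mail body with Python's html.parser and flags a <form action=mailto:>, a mouse handler that writes window.status, an @ in a link target, and link text whose host differs from the href; the sample body and its hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not from the slides: scan an HTML mail body for the form and
# link tricks shown above. The sample body below is constructed.
def host_of(url):
    return (urlsplit(url).hostname or "").lower()   # '' for mailto: and relative links

class PhishScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None                      # href of the <a> currently open
        self._text = ""                        # visible text collected inside it

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            action = attrs.get("action", "")
            if action.lower().startswith("mailto:"):
                self.findings.append(f"form posts to a mailbox: {action}")
            elif host_of(action):
                self.findings.append(f"form posts to external host: {host_of(action)}")
        elif tag == "a":
            self._href, self._text = attrs.get("href", ""), ""
            if "@" in self._href.split("?", 1)[0]:
                self.findings.append("@ in link target: real host follows the @")
            if any("window.status" in attrs.get(ev, "") for ev in ("onmouseover", "onmouseout")):
                self.findings.append("mouse handler overwrites the status bar")

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = self._text.strip()         # what the reader sees as the link
            if "://" in shown and host_of(shown) != host_of(self._href):
                self.findings.append(f"link text shows {host_of(shown)} but goes to {host_of(self._href)}")
            self._href = None

def scan(html):
    scanner = PhishScanner()
    scanner.feed(html)
    return scanner.findings

SAMPLE = ('<form action="mailto:fraudster@example.invalid" method="post">'
          '<input name="password"></form>'
          '<a onmouseover="window.status=\'https://www.paypal.com/\'; return true" '
          'href="http://phish.example/snow/webscr.dll">https://www.paypal.com/cgi-bin/webscr</a>')
```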
Misdirection link tricks
• The simple redirect
  • Uses “known” redirects to send the user to the phishing site
  • http://r.aol.com/cgi/redir?http://www.ebay_secure.info/update_user
• Wearing a mask
  • Uses a URL masking service such as cjb.net or tinyurl.com
  • http://jne9rrfj4.CjB.neT/?uudzQYRgY1GNEn
• Just stopping by
  • The link points to a page on a legitimate site, which in turn points to the phishing site
  • http://www.google.com/url?q=http://www.geocities.com/mibmib4321/
  • The mibmib4321 site contains a “redirect” to 218.214.130.51
• Go here, then here, then here, then here…
  • http://www.google.com/url?q=http://www.google.co.uk/url?=http://www.google.it/url?q=http://www.geocities.com/mibmib4321/
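As an added illustration (not from the slides), the checks below normalise a link the way a mail filter or an analyst's triage script would: they apply the slide's rule that everything left of the last @ is discarded, decode %-encoded, hex, dword and octal hosts, flag bare IP hosts and brand lookalikes, and unwind nested redirects; the BRANDS list is a constructed assumption. Note that standards-based URL parsers only treat an @ as user info when it appears before the first / of the path, so the path-embedded examples on these slides are caught by the @ rule here rather than by urlsplit itself.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit
BRANDS = ("paypal", "ebay", "usbank", "citibank", "visa")   # constructed list, not from the page

def decode_ip_host(host):
    """Return host as a dotted quad if it is an encoded IPv4 literal, else host."""
    host = unquote(host).lower()                 # undo %xx encoding such as %32%32%30
    parts = host.split(".")
    if not all(re.fullmatch(r"0x[0-9a-f]+|[0-9]+", p) for p in parts):
        return host                              # letters present: a real name
    try:
        if len(parts) == 1:                      # dword 3695498965 or hex 0xdc44d6d5
            return str(ipaddress.IPv4Address(int(parts[0], 0 if "0x" in host else 10)))
        if len(parts) == 4:                      # per-octet hex, octal or decimal
            octets = [int(p, 16) if p.startswith("0x") else
                      int(p, 8) if len(p) > 1 and p[0] == "0" else int(p) for p in parts]
            return str(ipaddress.IPv4Address(bytes(octets)))
    except ValueError:
        pass                                     # out of range: leave it as written
    return host

def analyze_link(url):
    """List the link tricks found in one href; an empty list means nothing odd."""
    findings = []
    if len(url) > 100:
        findings.append(f"long URL ({len(url)} chars): the status bar will truncate it")
    head = url.split("?", 1)[0].split("#", 1)[0]
    if "@" in head:                              # slide rule: right of the last @ wins
        shown, real = head.rsplit("@", 1)
        findings.append(f"@ trick: '{shown}' is decoration, browser goes to '{real}'")
        url = (real if "://" in real else "http://" + real) + url[len(head):]
    parts = urlsplit(url)
    raw_host = (parts.hostname or "").lower()
    host = decode_ip_host(raw_host)
    if host != raw_host:
        findings.append(f"encoded host: '{raw_host}' is really {host}")
    try:
        ipaddress.ip_address(host)
        findings.append(f"bare IP address as host: {host}")
    except ValueError:                           # a name: look for brand lookalikes
        for brand in BRANDS:
            if brand in host and host != f"{brand}.com" and not host.endswith(f".{brand}.com"):
                findings.append(f"lookalike domain: '{host}' is not {brand}.com")
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            findings.append(f"redirect to embedded URL: {value}")
            findings += analyze_link(value)      # follow the chain
    return findings
```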
Phishing web site tricks
• Validate information
• Pop-up SSL certificates
• Address bar tricks
SSL Certificates
• The email shows a fake “https://” address
• When the “https” link is clicked in the email, the phisher pops up a “Security Alert” window
• Additional fake pop-ups appear if the “View Certificate” button is clicked
Address bar tricks: Replacement bar We arrive at the website. Is something phishy?
Address bar tricks: Replacement bar There is no address bar!
Address bar tricks: Replacement bar Now there’s two!
Address bar tricks: floating window
The first browser window (what’s really there): http://www.bis1bp.com/a12/index.html
+ a second “floating” browser window showing https://www.usbank.com/secure/-run
= what you see: https://www.usbank.com/secure/-run
Understand the Threat
Phishing sits between spam, viruses and good email:
• Spam – Distribution
  • Sent to millions
  • Can be targeted
• Virus – Technology
  • Keyloggers
  • Trojans
  • Encoding
• Good email – Credibility
  • Your bank
  • Your business
• Good email – Capability
  • Marketing
  • Communications
Understand the Enemy
• Economic
  • Money
  • Credit cards
  • Identities
  • Machine info
  • Corporate info
• Perpetuation
  • Pharming
  • Web bugs
  • DHA attacks
  • Trojans
  • Keyloggers
  • Worms
Understand the attack environment
• Thousands of email servers
• Millions of emails sent
• Hundreds of web sites
Make it Easy Installation, Maintenance and Administration
Easy means only 10 minutes of administration per week
“MailFrontier told me that I would spend less than 10 minutes a week managing spam after installing the MailFrontier Gateway Server. They were wrong. I only spend five.”
– Niall Pariag, Senior Network Administrator
Speed is good
• High performance through preemptive scanning
Message delivery rate¹: MailFrontier is 40% to 290% faster
• 40% faster than CipherTrust
• 70% faster than Brightmail/Symantec
• 165% faster than Sophos
• 290% faster than Proofpoint
¹ Delivery rate, msg/sec, NetworkWorld, “Analyzing the Spam Test Results”, 12/20/04
Powerful Reporting
• Reports dashboard
• Over 20 reports included
• Ability to customize reports
• Reports are “emailable”
• Data can be exported
A solution to fit every organization
• MailFrontier Gateway™ Server – medium and large enterprises that wish to implement an email security solution in a server environment
• MailFrontier Gateway™ Appliance – organizations that want a pre-configured, pre-hardened solution with immediate deployment (500–10,000 seats)
• MailFrontier Gateway™ Server, Small Business Edition – organizations of up to 50 users
Extraordinary Awards & Reviews
• NetworkWorld – Top-Rated Enterprise Anti-Spam Software: “…MailFrontier’s ASG put up some impressive results in terms of blocking spam and letting legitimate mail pass.” – Sept 15, 2003
• Recommends MailFrontier be included on the “Short List” of products evaluated for large-scale, high-performance anti-spam systems – December 20, 2004
• InfoWorld – Rated Excellent: “MailFrontier's provides excellent accuracy, easiest install and lots of control to the admin.” – September 27, 2004
• Recommended: “MailFrontier's hands-off approach can help ease the administration burden on IT departments.” – June 7, 2004
• “Visionary” – Magic Quadrant for Enterprise Spam Filtering: “…a gateway product with strong detection and management.” – Q1, 2004
• E-Mail Hygiene Vendor Comparison – MailFrontier receives the highest possible score for spam filtering – November 19, 2004
• Red Herring 100 – recognizing the company for its innovation and strategy – May 2004
The Leader in Email Security
• Best Protection • Effortless Control • High Performance
www.mailfrontier.com