Don Davidson Computer
Security

Also See Pharming

How to report Phishing

Phishing: Spam that can’t be ignored
Mostly By David Berlind
January 7, 2004

(Pronounced 'fishing'.) This involves creating a replica of a legitimate web page to hook users and trick them into submitting personal or financial information or passwords.

If you haven’t already heard about phishing, then get ready. Like a lot of spam, phishing is a form of unsolicited commercial e-mail. Whereas not all spam is a scam, all attempts at phishing are scams, and the potential losses to corporations and consumers alike are stunning.

Phishing, as the name implies, is when spam is used as a means to “fish” for the credentials that are necessary to access and manipulate financial accounts. Invariably, the e-mail will ask the recipient for an account number and the related password, using the explanation that their records need updating or that a security procedure is being changed that requires confirming an account. Unsuspecting e-mail recipients who supply the information don’t know it, but within hours or even minutes, unauthorized transactions will begin to appear on whatever account was compromised.

By now, most people know that giving this information away on the Internet is a no-no. With phishing, however, it’s almost impossible to tell that the e-mail is a fraud. Like spam, e-mail from phishers usually contains spoofed FROM or REPLY TO addresses to make the e-mail look as though it came from a legitimate company. 

In addition to the spoofed credentials, the e-mail is usually HTML-based. To an undiscerning eye, the e-mail bears the authentic trademarks, logos, graphics, and URLs of the spoofed company. In many cases, the HTML page is coded to retrieve and use the actual graphics of the site being spoofed. Most of the phishing I’ve received pretends to come from PayPal and contains plainly visible URLs that make it look as though clicking on them will take me to PayPal’s domain. Upon quick examination of the HTML tags behind the authentic looking link, the actual URL turns out to be an unrecognizable and cryptic looking IP address rather than an actual page within PayPal’s domain. 
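The mismatch described above (link text that reads like a PayPal URL while the href behind it is a bare IP address) is something a mail gateway or a cautious user can check mechanically. The following is an added example, not code from the original article; the e-mail body it scans is constructed, with a documentation-range IP standing in for a phisher's server:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing e-mail body (hypothetical): the visible link text names
# PayPal, but the href behind it is a raw IP address, as the article describes.
SAMPLE_HTML = """<p>Please confirm your account at
<a href="http://192.0.2.45/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a>
or read our <a href="https://www.paypal.com/help">help pages</a>.</p>"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    # Host named by a URL or bare hostname, lower-cased; None if there is none.
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host else None

def suspicious_links(html):
    """Flag anchors whose href is a bare IP address, or whose visible text
    names a different host than the one the href really points to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)  # relative links and mailto: carry no host
        if href_host and IPV4.fullmatch(href_host):
            findings.append((href, text, "href is a raw IP address"))
        elif href_host and URL_LIKE.fullmatch(text) and host_of(text) != href_host:
            findings.append((href, text, "visible host differs from href host"))
    return findings
```

Only anchors whose visible text itself looks like a URL or hostname are compared, so ordinary "click here" links are left alone; the raw-IP check applies to every link.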

PayPal, the payment subsidiary of eBay, is a common target of phishing. If you get one and you’ve never joined PayPal, then you obviously know it’s a fraud. But if you are a PayPal member, as I am, the phisher has at that point broken through the unofficial security-by-obscurity layer that once protected you. It is not difficult to see how PayPal members could be victimized by this technique.

According to Anti-Phishing Working Group Chairman David Jevans, PayPal isn’t the only target of phishers. “In about 35 percent of all reported phishing attacks, eBay’s PayPal service is the biggest victim. But just about any financial institution, credit card issuer, retailer, or other business can be targeted. UK-based NatWest was phished badly in October 2003 and then even worse in December. The December attack was so bad that NatWest had to take down its site. Visa was another organization that was targeted over the holidays.”

At first blush, phishing appears to be a sort of buyer-beware consumer issue, since the e-mails themselves are prospecting for potential account holders of the spoofed institutions. Indeed, depending on the spoofed institution’s policies, a consumer could end up eating a loss. “So far,” said Jevans, “most of the transgressions against individuals have been in the hundreds of dollars because smaller transactions will sometimes go unnoticed for a while. But they go higher. The largest one on record so far is for $16,000. If the credentials obtained by a phisher are for a credit card account, then the risk is usually absorbed by either the card issuer or a merchant.” This is when the hard dollar cost of phishing, which Jevans considers a form of identity theft, begins to be recognized by corporations and businesses instead of individuals.

However, the financial risk that’s connected with each credit card transaction isn’t the only hard dollar cost to corporations. “In most cases so far, as a matter of good customer relations,” said Jevans, “where a customer has experienced a loss as a result of phishing, the spoofed institution has made them whole even if their policies don’t expressly guarantee that treatment. As evidence of how this cost is hitting the bottom line, several Australian banks have set aside a $2 million fund just to cover any losses associated with phishing.” 

Jevans cited other areas of loss as well. “When NatWest had to shut its site down, it incurred the added expense of setting up and manning a phone number that customers could call. In situations like that, dissatisfied customers that have to wait a long time on jammed phone lines might take their business elsewhere,” Jevans said. 

According to Jevans, another unexpected cost could arise after a large number of accounts are successfully phished. Jevans said the cost to issue new credit cards, accounts and passwords is about $50 to $60 per user. “You can see how the costs can quickly escalate if 2000 accounts are compromised. Not only that, once a phisher has succeeded with a particular institution, the trust chain--especially in e-mail--is broken. So, it makes it much more difficult for the institution to maintain a relationship via e-mail with its customers.” 

Liability is yet another area of concern for organizations that are spoofed. Jevans said that one of the Anti-Phishing Working Group’s members is being sued by customers whose accounts were successfully phished. Whether the plaintiffs will get anywhere could be the topic for an entire column, but regardless of whether a company wins or loses such a case against its customers, it still must bear the legal costs. The spoofee may not be the only target of such a lawsuit. In an effort to cover their tracks, many phishers will publish their web pages on Web servers that they’ve hacked into, unbeknownst to the operators of those Web servers. Under these circumstances, it’s entirely possible that the operator of the hacked Web server could be sued on the grounds of negligence through lax security as well. 

While businesses everywhere are staring down the barrels of phishers’ shotguns, they’re also trying to figure out how to put a stop to it. As with spam, the solutions are primarily technological, legal, and social. The biggest priority currently is to deal with the major phishing attempts as reports of them surface. Obviously, the first order of business is to disable the offending page. “Depending on the situation,” Jevans said, “this could require any number of techniques. For example, if the phisher published the page by hacking into a legitimate server, you can’t just go and shut that server down or have all the paths to it cut off by the ISPs. In some situations, that’s what you need to do, but in others you have to work with the operator of the server to remove the offending page.”

Jevans warns that even the most proactive of responses to a phishing report may not be sufficient. “It can take anywhere from 19 hours to 6 ½ days before a site or a Web page is cut off,” said Jevans. “It takes longer when the sites are located overseas and increasingly, more and more of these sites are showing up in Eastern Europe and Asia. Quite often, by the time something is shut down the damage is done.” Jevans noted that pilfered funds pass through temporary accounts and are eventually electronically shuffled to offshore accounts in a way that makes the money trail almost impossible to follow. “Regrettably, no phishers have been caught yet,” Jevans said. 

Users can achieve some success in shutting down suspect pages. When I contacted eBay’s public relations department about one of the PayPal phishers that had come my way, the company asked me to file the report to the e-mail address spoof@ebay.com, where it collects all reports of this nature. About two weeks passed between the time when I first received the e-mail and when I finally forwarded the e-mail and its header to that address. During that entire time, the page remained active. Within 24 hours of filing the report, I received a reply from eBay confirming that the page was fraudulent and that the company had taken action. To no avail, I tried to return to the offending page with my browser. eBay obviously has some clout. When I asked for more details about its process for handling my report and whether eBay would try to track down the bad guys, the company refused to comment. According to Jevans, this is not uncommon. Although the Anti-Phishing Working Group has a blue-blooded membership consisting of major financial institutions and Fortune 500 companies, most of them would just as soon not be mentioned in stories that have to do with phishing.

“On the technology front, since phishing is spam, the same tools to combat spam such as Web and e-mail filtering are one approach," Jevans said. “But we also recommend that companies regularly scan the DNS to see if domains with a close resemblance to their own are being registered. When Visa was targeted last month, the phisher used the domain visa-security.com. Also, banks are starting to digitally sign their e-mails, which in turn requires that end users be educated on how to discern between an e-mail that’s been legitimately signed and one that’s not.” 

From a social perspective, education is key. For example, users need to be schooled on how to spot fraudulent mail and what to do about it. Whereas eBay has a process in place, other institutions may not. Jevans said anyone can file a phishing report at www.antiphishing.org.
Also Microsoft has some help HERE.

US firms take legal action against over 100 spammers, Sophos reports

AOL, Earthlink, Microsoft and Yahoo are taking legal action against over 100 of the world's most prolific spammers. The US firms claim that spammers have falsified email addresses to hide their identities, and used open proxies through innocent third party computers.

Legal documents show that one AOL lawsuit is against 40 unnamed spammers it refers to as "John Does". Yahoo and Microsoft are suing 50 and 25 John Does respectively. In addition there are three lawsuits against specific individuals and associated parties.

"Recent research by Sophos showed that over 50% of all spam is being sent from computers based in the USA, so any action taken against American spammers has to be welcomed," said Graham Cluley, senior technology consultant at Sophos. "However, it is relatively easy for spammers to relocate their businesses overseas making it harder for the USA authorities to put a halt to their activities."


Pharming

Phishing relies on users clicking on links which look like they will go to a particular web site but actually go elsewhere. Pharming hijacks DNS entries so that even the phishing-aware user who explicitly types in the web site they want (e.g. http://www.suntrust.com) will end up at a different web site anyway.

SSL certificate verification does defeat pharming, unless something else has already happened at the user's web browser to also defeat SSL certificate verification, of course. This can be as simple as a virus / worm / script exploit turning off the security options I'll describe at the end of this message, or as complex as a virus / worm / trojan / adware program actually changing the web browser to function differently. This is why security is a total process involving not just the right software (e.g. anti-virus, personal firewall) but also the knowledge of the user to configure and check things regularly, and to browse sensibly (don't download / install anything that you aren't certain is trustworthy, never click "yes" to toolbars, helpers, or anything else that pops up unexpectedly, etc).

Here's how SSL certificate verification works against pharming:

Scenario 1:
You type in e.g. http://www.suntrust.com
Someone has hijacked the suntrust.com domain, so that the IP address your computer gets for www.suntrust.com is really sending you to www.pharmer.com.
You look for the SSL "lock" in your web browser status bar, and you don't see it, so you stop.

Scenario 2:
You type in the web site address https://www.suntrust.com which has been hijacked, and since you explicitly use https:// it forces the browser to only go to an SSL enabled version of the web site.
Your browser goes to the hijacked destination https://www.pharmer.com.
The web server at www.pharmer.com sends its SSL certificate, a wholly valid certificate issued by a trusted CA, but NOT issued to www.suntrust.com, because SSL certificate issuers are quite good at ensuring that they do not issue certificates to any company other than the legitimate holder.
Your web browser, properly configured, pops up a warning saying that the certificate does not match the name of the web site, because the name of the web site is www.suntrust.com, but the SSL certificate is for something else (maybe www.suntrust2.com), so, being highly observant, you stop.


There are many possible variations on this theme, but those are the key ones from which most of the others stem.

To put more detail to it, we must rely, and historically we can rely, on the SSL certificate issuers, e.g. Verisign (http://www.verisign.com) and Thawte (http://www.thawte.com), to validate that the requestor of an SSL certificate for a web server legitimately has the right to have that certificate. So even though typing www.suntrust.com does not get you to the legitimate SunTrust Bank web site, the fact that the real SunTrust Bank web site is the only place which can have a www.suntrust.com SSL certificate protects you.

To make sure that your web browser properly validates SSL certificates, set the following options in Internet Explorer 6 (users of other browsers will find comparable settings somewhere in their browser configurations):

Tools -> Internet Options
Advanced tab
Under the Security section, make sure these options are checked:
* Check for publisher's certificate revocation
* Check for server certificate revocation
* Use SSL 3.0
* Warn about invalid site certificates

Make sure that the option "Use SSL 2.0" is not checked, because there are problems with the SSL 2.0 protocol which can make it possible for a pharmer to defeat SSL certificate verification.

Post by: Jay Libove, CISSP on 03/01/05 to CNET
Thank you Jay!
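The two scenarios in Jay's post come down to one check the browser performs: does the name the user typed match a name the presented certificate was issued for? The code below is an added example, not Jay's or any browser's code; the two certificates are constructed (in the dict layout Python's ssl.getpeercert() returns, with the SAN entries checked first and the CN as a fallback), and the name matching is a simplified RFC 6125 rule that accepts only a single wildcard in the leftmost label:

```python
from urllib.parse import urlparse

# Constructed certificates (hypothetical): the pharmer's own, validly issued
# certificate for www.pharmer.com, and the legitimate www.suntrust.com one.
PHARMER_CERT = {"subject": ((("commonName", "www.pharmer.com"),),),
                "subjectAltName": (("DNS", "www.pharmer.com"), ("DNS", "*.pharmer.com"))}
SUNTRUST_CERT = {"subject": ((("commonName", "www.suntrust.com"),),),
                 "subjectAltName": (("DNS", "www.suntrust.com"),)}

def cert_names(cert):
    """DNS names the certificate was issued for: SAN dNSNames, else the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a wildcard that replaces only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # *.pharmer.com matches www.pharmer.com, never pharmer.com itself
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False

def browser_decision(typed_url, presented_cert, issued_by_trusted_ca):
    """Verdict a properly configured browser reaches for the typed address:
    scenario 1 (plain http, so no lock) and scenario 2 (valid cert, wrong name)."""
    parts = urlparse(typed_url)
    if parts.scheme != "https":
        return ("stop", "no SSL lock shown: plain http, nothing was verified")
    if not issued_by_trusted_ca:
        return ("stop", "certificate was not issued by a trusted CA")
    names = cert_names(presented_cert)
    if any(name_matches(n, parts.hostname) for n in names):
        return ("proceed", "certificate name matches %s" % parts.hostname)
    return ("stop", "certificate is for %s, not %s" % (", ".join(names), parts.hostname))
```

The hijacked DNS entry never enters into the decision: the pharmer's server can present a perfectly valid certificate and still fail, because the only name it can prove is its own.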


Submit Phish (3-28-06)

A new PIRT Squad member starts by submitting new phishing scams into our Fried Phish tool. Currently there are three ways to submit new phish scams:

Further reading on reporting phishing scams is found here.

Remember, don't open the email!

CastleCops main page

 
