Security Basics mailing list archives

RE: HOW TO PREVENT FHISHING ATTACKS


From: Jon Davis <jon.davis () securenation net>
Date: Mon, 7 Feb 2011 15:40:54 -0600

Wombat Security (wombatsecurity.com) is an interesting company that is headed up by a group of Carnegie Mellon 
professors. They have come up with an extremely low cost anti-phishing solution that works well for our bank clients.

Cheers,

JD

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nikhil Manampady
Sent: Friday, February 04, 2011 2:00 AM
To: John Renne
Cc: Filiberto Moreno; Patrick Webster; mzcohen2682 () aim com; security-basics () securityfocus com
Subject: Re: HOW TO PREVENT FHISHING ATTACKS

Hi,

The watermark is being used by our company for anti-phishing services for banks and the watermark is obfuscated in the 
HTML source of the bank website.

I am not sure of how the watermark works but I think either the valid domains and IPs are also obfuscated or the script 
does a reverse DNS lookup and triggers an alert if the domain and reverse DNS lookup do not match.


Thanks & Regards,
Nikhil Manampady,
Security Consultant,
Paladion Networks.





On Fri, Feb 4, 2011 at 12:42 PM, John Renne <john () gniffelnieuws net> wrote:
Hi,
This might sound like an idea but poses a risk too. If a phisher 
copies the source code, he'll probably adjust the IPs too. Customers 
will get a false feeling of trust since the watermark is correct.
If you want to do such a thing, I'd try to hide the IPs (and 
probably some more info) in a generated JPEG on the site, and include 
something like an applet which checks the watermark. I'd always try 
to hide it from the users though.
John
On Feb 4, 2011, at 5:41 AM, Nikhil Manampady wrote:

Hi,

One of the more proactive things is to have a watermark in the bank's 
HTML source code which contains a list of IPs on which the bank's 
website domain is registered.

If a phisher copies the HTML source code and hosts it on the phished 
site, the watermark will check that this rogue IP is not part of the 
whitelisted bank domain IPs and can send an alert to the security team.

That way the phished site can be brought down before the customer gets 
redirected to it.

Thanks & Regards,
Nikhil Manampady,
Security Consultant,
Paladion Networks.
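Nikhil's watermark idea, together with John's objection that a phisher who edits the copied page can simply rewrite an embedded IP list, as an added example that is not part of the thread: a server-side collector that keeps the allowlist with the bank and judges each beacon by the browser-set Origin header of the beacon request rather than by anything the page's script chose to send, then resolves that origin against the bank's own address space. The domain names, IP ranges, DNS answers and beacon records are constructed placeholders, and the "legacy" host is a constructed case of an allowed name resolving outside the bank's netblock.

```python
"""Server-side triage of page 'watermark' beacons (added example, not from the thread)."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Allowlist held by the bank, never shipped inside the page. bank.example is a placeholder.
ALLOWED_HOSTS = {"www.bank.example", "online.bank.example", "legacy.bank.example"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "www.bank.example": ["203.0.113.10"],
    "online.bank.example": ["203.0.113.11"],
    "legacy.bank.example": ["198.51.100.5"],       # constructed: allowed name, wrong address
    "bank-secure-login.example": ["198.51.100.77"],  # constructed: a clone's hostname
}


def resolve_a(host):
    """Stand-in for an A-record lookup against the constructed table."""
    return FAKE_DNS.get(host, [])


def classify_beacon(origin_header):
    """Classify one beacon by the Origin header the browser attached to the
    beacon request; a copied page's script cannot set that header itself,
    so the bank decides on its own data, not on a list the clone may have edited.
    Returns ("ok", host) or ("alert", reason)."""
    if not origin_header:
        return ("alert", "beacon without Origin header")
    host = (urlsplit(origin_header).hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return ("alert", f"page served from unknown host {host!r}")
    outside = [
        ip for ip in resolve_a(host)
        if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)
    ]
    if outside:
        return ("alert", f"{host} resolves to {outside[0]}, outside bank address space")
    return ("ok", host)


def triage(beacons):
    """Fold many beacons into one count per distinct alert reason, so the
    security team sees one line per rogue host rather than one per visitor."""
    counts = Counter()
    for beacon in beacons:
        verdict, reason = classify_beacon(beacon.get("Origin"))
        if verdict == "alert":
            counts[reason] += 1
    return counts


# Constructed beacon requests (only the header the collector looks at).
SAMPLE_BEACONS = [
    {"Origin": "https://www.bank.example"},
    {"Origin": "https://bank-secure-login.example"},
    {"Origin": "https://bank-secure-login.example"},
    {"Origin": "https://legacy.bank.example"},
    {},
]

if __name__ == "__main__":
    for reason, n in triage(SAMPLE_BEACONS).items():
        print(f"{n:3d}  {reason}")
```

The collector only ever hears from clones that kept the script, which is exactly the limit John raises: an attacker who strips the beacon is invisible to it, so this is a cheap early-warning signal for wholesale copies, not a control.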




On Thu, Feb 3, 2011 at 2:50 AM, John Renne <john () gniffelnieuws net> wrote:

Hi everyone,

This problem is a bit harder than it seems at first sight. First of 
all, SPF won't help you very much. In any case, it's not something 
a bank can enforce. It's the customer's e-mail provider which will 
have to implement this. These however are out of the bank's control.

The second problem is a dilemma. You can always have a communication 
strategy that consists of a few simple steps
- Tell all your customers official bank correspondence goes by mail 
from a certain address (this however is easy to spoof so no solution)
- Tell all your customers all of your e-mail correspondence contains 
some sort of header / footer etc. (this however is easy to include / 
manipulate)
- Exclude mail from the official channels of communication (but what 
if you -want- to e-mail users)

It mostly comes down to security awareness. This is something both 
customers and banks should realise.

A number of other things can be thought of but mostly it all breaks 
down to finding a balance between a few things
- ease of use for customers (if customers think it's too hard they'll 
find another bank)
- cost effectiveness (never spend a dollar to secure a cent)
- trust (make sure the customer gets the idea you are secure)

But this is just my 2 cents
John



On Jan 31, 2011, at 8:44 PM, Filiberto Moreno wrote:

Hello Everyone,

We were experiencing a similar scenario here at my current place of 
employment and we ended up having to do the following steps:

1. We had all the IT support technicians list all the 
applications, scheduled tasks, and services that were running under 
the administrator account.
2. Once we got the list put together we had the IT technicians 
remove those accounts and replace them with their own and had them confirm.
3. Once it was confirmed the IT director changed the password on 
the Domain Administrator account to a very long passphrase with 
upper case, lower case, special characters, and numbers.
4. The IT director typed it up in a document and printed it out, 
sealed it in an envelope, and deposited it in a bank safe.

Hope this helps.

Fili

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com]
On Behalf Of Patrick Webster
Sent: Sunday, January 30, 2011 7:43 PM
To: mzcohen2682 () aim com
Cc: security-basics () securityfocus com
Subject: Re: HOW TO PREVENT FHISHING ATTACKS

Hi Marco,

Use Sender Policy Framework - see
http://en.wikipedia.org/wiki/Sender_Policy_Framework and 
http://www.openspf.org/

SPF is a DNS TXT record which indicates whether an MTA (such as 
hotmail, gmail, good ISPs) should accept email purportedly from 
@bank.com when the source IP is, e.g., a botnet.

-Patrick
http://www.osisecurity.com.au/
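Patrick's pointer to SPF above, as an added example that is neither from the thread nor from openspf.org: a minimal evaluator for the mechanisms a bank's record typically carries (ip4/ip6, a, mx, include, all with their qualifiers), run against a constructed in-memory DNS zone so it works offline. bank.example and mailvendor.example are placeholder domains and every address is from documentation ranges. It shows what the receiving MTA does with the published record, which is also why, as John says later in the thread, publishing one only helps when the customer's provider actually checks it.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS zone (added example)."""
import ipaddress

# Constructed zone: the bank's policy plus the records it references.
FAKE_DNS = {
    ("bank.example", "TXT"): [
        "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailvendor.example -all",
    ],
    ("bank.example", "MX"): ["mx1.bank.example"],
    ("mx1.bank.example", "A"): ["198.51.100.25"],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:192.0.2.0/26 ~all"],
}

# Qualifier prefix -> result when the mechanism matches (no prefix means "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def a_records(host):
    return [ipaddress.ip_address(a) for a in lookup(host, "A")]


def check_spf(sender_ip, domain, depth=0):
    """Return the SPF result for mail claiming to be from @domain and
    arriving from sender_ip: pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                     # RFC 7208 caps include recursion
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"                  # domain publishes no policy
    if len(records) > 1:
        return "permerror"             # more than one record is a publishing error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv6 sender is never inside an IPv4 network, and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in a_records(arg or domain)
        elif name == "mx":
            matched = any(ip in a_records(mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"         # modifiers (redirect=, exp=) are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # nothing matched and no "all" term


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.25", "192.0.2.9", "192.0.2.200", "2001:db8::1"):
        print(f"{sender:>16}  ->  {check_spf(sender, 'bank.example')}")
```

The bank's record ends in "-all", so a botnet host outside the listed ranges gets "fail"; the vendor's include ends in "~all", which only ever contributes a "pass" to the bank's policy and never a rejection on its own.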

On Fri, Jan 28, 2011 at 10:44 AM,  <mzcohen2682 () aim com> wrote:
Hi Guys,

I am preparing a set of recommendations for a client of mine which 
is a bank, a set of controls against phishing attacks. Besides 
telling the bank to teach their customers how to protect against 
those attacks (not opening suspicious mails etc. etc.), what other 
recommendations are good? Are there some technological tools to 
prevent those attacks that the bank can implement? I heard 
something about the imperva radar service which should protect against 
phishing attacks; does someone have experience with that tool? What 
about other tools that the bank can implement?

many thanks!

Marco


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------