Re: FW: Are consumers being misled by "phishing"?

["Josh L. Perrymon" <joshuaperrymon () gmail com>]

> -----Original Message-----
> From: Ajay Pal Singh Atwal [mailto:ajaypal () bbsbec org]
> Sent: Friday, 30 June 2006 2:46 PM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Are consumers being misled by "phishing"?
>
>
> Here is one phishing site for paypal
>
> http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html
>
>
>
> >>>
> This is not a bad job of duplication. However, pay-pal and similar sites
> are used may too much for this type of attack in my opinion. The phishing
> email would be probably sent to every email address they could harvest
> setting off every alarm Websense has.
>
>
>
> Phishing attacks are most affective when duplicating something like OWA or
> Citrix portals.. Or even better -- Custom built company portals facing the
> net and only sent to a handful of addresses gathered from company X.
>
> One interesting note about the site above is that it seems to relay it's
> data back to the attacker using POST instead of relying on an underlying
> mail program/script..
>
>
>
> ------ POST data from the phishing site above---
>
> HTtp://www.yourfreespace.net/users/payal/Processing+Login.html?login=done0%3F847&password=1&email=1&altaddr=1&checkguar=1&PPIPProtPlus=PASS_encIP=62.245.23.454&enctype=blowfish&continue=ProcessingLogin&acceptlogin=pass&acceptpassword=pass&LoginAttempt=SecureLoginPass&SecurityMeasureCode=noneb2baf0b6a57d39abd6c44b48d6fe3559112c21e54b7e705ecc5116b3c7c38c37949e8aa81848934faf0821be04210e8c2ded3c4159edbee3ee1439f3892a3e9&Access=1&Submit=ProcessingLogin&cmd=_login-processing&login_cmd=_login-done&login_access=11680108541<http://www.yourfreespace.net/users/payal/Processing+Login.html?login=done0%3F847&password=1&email=1&altaddr=1&checkguar=1&PPIPProtPlus=PASS_encIP=62.245.23.454&enctype=blowfish&continue=ProcessingLogin&acceptlogin=pass&acceptpassword=pass&LoginAttempt=SecureLoginPass&SecurityMeasureCode=noneb2baf0b6a57d39abd6c44b48d6fe3559112c21e54b7e705ecc5116b3c7c38c37949e8aa81848934faf0821be04210e8c2ded3c4159edbee3ee1439f3892a3e9&Access=1&Submit=ProcessingLogin&cmd=_login-processing&login_cmd=_login-done&login_access=116>
>
>
> ------------------------------------------------------------------------------------------------------
>
>
> Protecting against this type of attack???
> I don't know of many existing content gateways / email filters that will
> stop the initial email if the attack is a one-off and sent on a small scale.
> It's just some verbiage with an <A> and link to the attackers IP address or
> site hosting the phsihing site. A lot of times the web servers have been
> compromised and the http server is on a non standard port unless port 80
> wasn't used before.
>
> Then when the user clicks on the link the in the phishing email it opens
> the browser w/o triggering any alarms.. ( I haven't visited any sites that
> the new M$ phishing filter picked up from its whiltelists)
>
>
> Enters password.. game over. The attacker now logs in using the new
> harvested credentials .This also works with token password generators (
> nothing new here ).. Given it's only a 60 second window to login after
> acquiring the first token code.
>
>
>
> Ideas???_-----
> End-User security awareness and training is the most important deterrent.
> Whitelisting isn't going to stop small footprint attacks directed at a
> single company and a handful of users.
>
> Most companies believe that blocking HTML in email handicaps emails
> effectiveness.. ( screw the newsletters.. put it on a website )
>
> Users should copy links from the email into the browser but don't.
>
> Certificates will protect where tokens fail.
>
> Network Protection:
> I believe that it's possible to develop "widgets" to alert on this type of
> directed phishing attacks. First you have to have the ability to monitor all
> emails traffic. This shouldn't piss off legal because all users should have
> already signed off on this.
>
> The most effective would be to monitor all known public email addresses.
> Including "planted' email address placed in forums and webpages to be
> harvested. This would provide a greater % that traffic sent to those
> addresses are directed attacks.. (Like an Email Honeypot :)
>
>
> ( yes... need to copyright that one quick muhahah  :)
>
> It should be easy to develop an analysis to pick up on standard phishing
> emails. You would look for Anchors / links with IP addresses that resolve
> outside of the "known- whiteliested" address list. This should at least
> alert and place the email in a second level queue for analysis. You could
> also do some type of grep on the email link looking for company X verbiage.
>
>
>
>
>
> M$ Phishing filter may even be USEFUL ( Almost.... )
>
> So using the methods above you would have a system to alert on potential
> phishing attacks scanning all emails or preferably only public emails
> included "planted" ones.
>
> The widget performs analysis to determine if the email is a phishing
> attack.
>
> This process could be automated to perform the whois so on…  So now we
> should have determined the IP or block for the hosted phishing site.  We
> can use something like M$ phishing filter. Send it the new whitelisted IP
> address of the phishing site and the browser should block the site. If the
> widget monitors all emails coming into the company then it should have the
> ability to do some trending of who received certain emails.. sorted on
> subjects for instance. One you found the phishing email you would have a
> known list of all email addresses that received the email once the attack
> has been spotted.
>
>
>
> This could be used as additional analysis to monitor traffic after the
> attack.
>
>
>
>
>
> Just some ideas I have had. If anyone is interested in working with us on
> developing something like this get in touch with me:
>
> Josh.perrymon () packetfocus com
>
> CEO
>
> www.packetfocus.com
>
> www.packetfocus.blogspot.com














_______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/