Full Disclosure mailing list archives
Re: FW: Are consumers being misled by "phishing"?
From: "Josh L. Perrymon" <joshuaperrymon () gmail com>
Date: Fri, 30 Jun 2006 16:20:50 +1000
-----Original Message-----
From: Ajay Pal Singh Atwal [mailto:ajaypal () bbsbec org]
Sent: Friday, 30 June 2006 2:46 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Are consumers being misled by "phishing"?

Here is one phishing site for paypal
http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html

>>> This is not a bad job of duplication. However, PayPal and similar sites are used way too much for this type of attack in my opinion. The phishing email would probably be sent to every email address they could harvest, setting off every alarm Websense has. Phishing attacks are most effective when duplicating something like OWA or Citrix portals.. Or even better -- custom-built company portals facing the net and only sent to a handful of addresses gathered from company X.

One interesting note about the site above is that it seems to relay its data back to the attacker using POST instead of relying on an underlying mail program/script..

------ POST data from the phishing site above ---
http://www.yourfreespace.net/users/payal/Processing+Login.html?login=done0%3F847&password=1&email=1&altaddr=1&checkguar=1&PPIPProtPlus=PASS_encIP=62.245.23.454&enctype=blowfish&continue=ProcessingLogin&acceptlogin=pass&acceptpassword=pass&LoginAttempt=SecureLoginPass&SecurityMeasureCode=noneb2baf0b6a57d39abd6c44b48d6fe3559112c21e54b7e705ecc5116b3c7c38c37949e8aa81848934faf0821be04210e8c2ded3c4159edbee3ee1439f3892a3e9&Access=1&Submit=ProcessingLogin&cmd=_login-processing&login_cmd=_login-done&login_access=116
------------------------------------------------------------------------------------------------------

Protecting against this type of attack???

I don't know of many existing content gateways / email filters that will stop the initial email if the attack is a one-off and sent on a small scale. It's just some verbiage with an <A> and link to the attacker's IP address or site hosting the phishing site. A lot of times the web servers have been compromised and the http server is on a non-standard port unless port 80 wasn't used before. Then when the user clicks on the link in the phishing email it opens the browser w/o triggering any alarms.. ( I haven't visited any sites that the new M$ phishing filter picked up from its whitelists) Enters password.. game over. The attacker now logs in using the new harvested credentials. This also works with token password generators ( nothing new here ).. Given it's only a 60 second window to login after acquiring the first token code.

Ideas???

-----

End-user security awareness and training is the most important deterrent. Whitelisting isn't going to stop small footprint attacks directed at a single company and a handful of users. Most companies believe that blocking HTML in email handicaps email's effectiveness.. ( screw the newsletters.. put it on a website ) Users should copy links from the email into the browser but don't. Certificates will protect where tokens fail.

Network Protection:

I believe that it's possible to develop "widgets" to alert on this type of directed phishing attack. First you have to have the ability to monitor all email traffic. This shouldn't piss off legal because all users should have already signed off on this. The most effective would be to monitor all known public email addresses, including "planted" email addresses placed in forums and webpages to be harvested. This would provide a greater % that traffic sent to those addresses are directed attacks.. (Like an Email Honeypot :) ( yes... need to copyright that one quick muhahah :)

It should be easy to develop an analysis to pick up on standard phishing emails. You would look for anchors / links with IP addresses that resolve outside of the "known-whitelisted" address list. This should at least alert and place the email in a second level queue for analysis. You could also do some type of grep on the email link looking for company X verbiage. M$ Phishing filter may even be USEFUL ( Almost.... )

So using the methods above you would have a system to alert on potential phishing attacks scanning all emails or preferably only public emails including "planted" ones. The widget performs analysis to determine if the email is a phishing attack. This process could be automated to perform the whois and so on... So now we should have determined the IP or block for the hosted phishing site. We can use something like M$ phishing filter. Send it the new whitelisted IP address of the phishing site and the browser should block the site.

If the widget monitors all emails coming into the company then it should have the ability to do some trending of who received certain emails.. sorted on subjects for instance. Once you found the phishing email you would have a known list of all email addresses that received the email once the attack has been spotted. This could be used as additional analysis to monitor traffic after the attack.

Just some ideas I have had. If anyone is interested in working with us on developing something like this get in touch with me:

Josh.perrymon () packetfocus com
CEO
www.packetfocus.com
www.packetfocus.blogspot.com
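The "widget" heuristics Josh sketches (anchor targets pointing at raw IPs or hosts outside a whitelist, non-standard ports, company verbiage, delivery to planted honeypot addresses) as an added example in Python; this is not code from the post or from packetfocus, and the whitelist, planted address, company terms and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumed data (not from the original post): the company's own web hosts,
# a "planted" honeypot address, and verbiage a lure for company X would use.
KNOWN_HOSTS = {"mail.example-corp.test", "owa.example-corp.test"}
PLANTED_ADDRS = {"forum-bait@example-corp.test"}
COMPANY_TERMS = ("example corp", "owa", "citrix")

HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample lure: raw-IP link on a non-standard port, sent to the bait address.
SAMPLE = """\
From: helpdesk@example-corp.test
To: forum-bait@example-corp.test
Subject: OWA password reset
Content-Type: text/html; charset=us-ascii

<html><body>Your Example Corp OWA session expired.
<a href="http://203.0.113.10:8080/owa/login.html">Log in</a></body></html>
"""

def extract_links(msg):
    """Collect anchor targets from every text/html part of a parsed message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            links.extend(HREF_RE.findall(part.get_content()))
    return links

def score_email(raw):
    """Return (score, reasons); a nonzero score sends the mail to the second-level queue."""
    msg = message_from_string(raw, policy=default)
    reasons = []
    rcpts = {a.strip().lower() for a in msg.get("To", "").split(",")}
    if rcpts & PLANTED_ADDRS:
        reasons.append("delivered to planted honeypot address")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body else ""
    if any(term in text for term in COMPANY_TERMS):
        reasons.append("contains company verbiage")
    for link in extract_links(msg):
        u = urlsplit(link)
        host = (u.hostname or "").lower()
        if IPV4_RE.match(host):
            reasons.append(f"link to raw IP {host}")
        elif host and host not in KNOWN_HOSTS:
            reasons.append(f"link host {host} not whitelisted")
        if u.port and u.port not in (80, 443):
            reasons.append(f"non-standard port {u.port}")
    return len(reasons), reasons
```

Resolving each link host and checking the whois block, as the post suggests, would be the next step and needs network access, so it is left out here.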
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/