Phish Analytics
Fishing for phishes

Phishing and Countermeasures

Understanding the Increasing Problem of Electronic Identity Theft

Edited by
Markus Jakobsson
Steven Myers




This is a great book for readers who want to learn more about phishing and its countermeasures, as the title says.

ISACA book review is available here:

http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=53127&TEMPLATE=/ContentManagement/ContentDisplay.cfm

PDF: http://www.isaca.org/AMTemplate.cfm?Section=2008&Template=/ContentManagement/ContentDisplay.cfm&ContentID=53126

Both editors are highly experienced in the domain. Their details are listed below [Source: Wiley]:

MARKUS JAKOBSSON, PhD, is Associate Professor in the School of Informatics at Indiana University, where he is also Associate Director of the Center for Applied Cybersecurity Research. Dr. Jakobsson is the former editor of RSA CryptoBytes. He is a noted authority on the subject of phishing and is regularly invited to speak on the topic at conferences and workshops.

STEVEN MYERS, PhD, is Assistant Professor in the School of Informatics at Indiana University and a member of the University’s Center for Applied Cybersecurity Research. Dr. Myers worked on secure email anti-phishing technology at Echoworx Corporation, and has written several papers on cryptography, distributed systems, and probabilistic combinatorics.

Phishing and Countermeasures, table of contents [Source: Wiley]:

Preface.

Acknowledgements.

1. Introduction to Phishing.

1.1 What is Phishing?

1.2 A Brief History of Phishing.

1.3 The Costs to Society of Phishing.

1.4 A Typical Phishing Attack.

1.4.1 Phishing Example: America’s Credit Unions.

1.4.2 Phishing Example: PayPal.

1.4.3 Making The Lure Convincing.

1.4.4 Setting The Hook.

1.4.5 Making The Hook Convincing.

1.4.6 The Catch.

1.4.7 Take-Down and Related Technologies.

1.5 Evolution of Phishing.

1.6 Case Study: Phishing on Froogle.

1.7 Protecting Users from Phishing.

References.

2. Phishing Attacks: Information Flow and Chokepoints.

2.1 Types of Phishing Attacks.

2.1.1 Deceptive Phishing.

2.1.2 Malware-Based Phishing.

2.1.3 DNS-Based Phishing (“Pharming”).

2.1.4 Content-Injection Phishing.

2.1.5 Man-in-the-Middle Phishing.

2.1.6 Search Engine Phishing.

2.2 Technology, Chokepoints and Countermeasures.

2.2.1 Step 0: Preventing a Phishing Attack Before it Begins.

2.2.2 Step 1: Preventing Delivery of Phishing Payload.

2.2.3 Step 2: Preventing or Disrupting a User Action.

2.2.4 Steps 2 and 4: Prevent Navigation and Data Compromise.

2.2.5 Step 3: Preventing Transmission of the Prompt.

2.2.6 Step 4: Preventing Transmission of Confidential Information.

2.2.7 Steps 4 and 6: Preventing Data Entry and Rendering it Useless.

2.2.8 Step 5: Tracing Transmission of Compromised Credentials.

2.2.9 Step 6: Interfering with the Use of Compromised Information.

2.2.10 Step 7: Interfering with the Financial Benefit.

References.

3. Spoofing and Countermeasures.

3.1 Email Spoofing.

3.1.1 Filtering.

3.1.2 Whitelisting and Greylisting.

3.1.3 Anti-spam Proposals.

3.1.4 User Education.

3.2 IP Spoofing.

3.2.1 IP Traceback.

3.2.2 IP Spoofing Prevention.

3.2.3 Intradomain Spoofing.

3.3 Homograph Attacks Using Unicode.

3.3.1 Homograph Attacks.

3.3.2 Similar Unicode String Generation.

3.3.3 Methodology of Homograph Attack Detection.

3.4 Simulated Browser Attack.

3.4.1 Using the Illusion.

3.4.2 Web Spoofing.

3.4.3 SSL and Webspoofing.

3.4.4 Ensnaring the User.

3.4.5 SpoofGuard Versus the Simulated Browser Attack.

3.5 Case Study: Warning the User About Active Web Spoofing.

References.

4. Pharming and Client Side Attacks.

4.1 Malware.

4.1.1 Viruses and Worms.

4.1.2 Spyware.

4.1.3 Adware.

4.1.4 Browser Hijackers.

4.1.5 Keyloggers.

4.1.6 Trojan Horses.

4.1.7 Rootkits.

4.1.8 Session Hijackers.

4.2 Malware Defense Strategies.

4.2.1 Defense Against Worms and Viruses.

4.2.2 Defense Against Spyware and Keyloggers.

4.2.3 Defending Against Rootkits.

4.3 Pharming.

4.3.1 Overview of DNS.

4.3.2 Role of DNS in Pharming.

4.3.3 Defending Against Pharming.

4.4 Case Study: Pharming with Appliances.

4.4.1 A Different Phishing Strategy.

4.4.2 The Spoof: A Home Pharming Appliance.

4.4.3 Sustainability of Distribution in the Online Marketplace.

4.4.4 Countermeasures.

4.5 Case Study: Race-Pharming.

4.5.1 Technical Description.

4.5.2 Detection and Countermeasures.

4.5.3 Contrast with DNS Pharming.

References.

5. Status Quo Security Tools.

5.1 An overview of Anti-Spam Techniques.

5.2 Public Key Cryptography and its Infrastructure.

5.2.1 Public key Encryption.

5.2.2 Digital Signatures.

5.2.3 Certificates & Certificate Authorities.

5.2.4 Certificates.

5.3 SSL Without a PKI.

5.3.1 Modes of Authentication.

5.3.2 The Handshaking Protocol.

5.3.3 SSL in the Browser.

5.4 Honeypots.

5.4.1 Advantages and Disadvantages.

5.4.2 Technical Details.

5.4.3 Honeypots and the Security Process.

5.4.4 Email Honeypots.

5.4.5 Phishing Tools and Tactics.

References.

6. Adding Context to Phishing Attacks: Spear Phishing.

6.1 Overview of Context Aware Phishing.

6.2 Modeling Phishing Attacks.

6.2.1 Stages of Context Aware Attacks.

6.2.2 Identity Linking.

6.2.3 Analysing the General Case.

6.2.4 Analysis of One Example Attack.

6.2.5 Defenses Against our Example Attacks.

6.3 Case Study: Automated Trawling for Public Private Data.

6.3.1 Mother’s Maiden Name: Plan of Attack.

6.3.2 Availability of Vital Information.

6.3.3 Heuristics for MMN Discovery.

6.3.4 Experimental Design.

6.3.5 Assessing the Damage.

6.3.6 Time and Space Heuristics.

6.3.7 MMN Compromise in Suffixed Children.

6.3.8 Other Ways to Derive Mother’s Maiden Names.

6.4 Case Study: Using Your Social Network Against You.

6.4.1 Motivations of a Social Phishing Attack Experiment.

6.4.2 Design Considerations.

6.4.3 Data Mining.

6.4.4 Performing the Attack.

6.4.5 Results.

6.4.6 Reactions Expressed in Experiment Blog.

6.5 Case Study: Browser Recon Attacks.

6.5.1 Who Cares Where I’ve Been?

6.5.2 Mining Your History.

6.5.3 CSS To Mine History.

6.5.4 Bookmarks.

6.5.5 Various Uses For Browser-Recon.

6.5.6 Protecting Against Browser Recon Attacks.

6.6 Case Study: Using the Autofill feature in Phishing.

6.7 Case Study: Acoustic Keyboard Emanations.

6.7.1 Previous Attacks of Acoustic Emanations.

6.7.2 Description of Attack.

6.7.3 Technical Details.

6.7.4 Experiments.

References.

7. Human-Centered Design Considerations.

7.1 Introduction: The Human Context of Phishing and Online Security.

7.1.1 Human Behavior.

7.1.2 Browser and Security Protocol Issues in the Human Context.

7.1.3 Overview of the HCI and Security Literature.

7.2 Understanding and Designing for Users.

7.2.1 Understanding Users and Security.

7.2.2 Designing Usable Secure Systems.

7.3 Mis-Education.

7.3.1 How Does Learning Occur?

7.3.2 The Lessons.

7.3.3 Learning to Be Phished.

7.3.4 Solution Framework.

References.

8. Passwords.

8.1 Traditional Passwords.

8.1.1 Cleartext Passwords.

8.1.2 Password recycling.

8.1.3 Hashed Passwords.

8.1.4 Brute force attacks.

8.1.5 Dictionary Attacks.

8.1.6 Time-Memory Tradeoffs.

8.1.7 Salted Passwords.

8.1.8 Eavesdropping.

8.1.9 One-Time Passwords.

8.1.10 Alternatives to Passwords.

8.2 Case Study: Phishing in Germany.

8.2.1 Comparison of Procedures.

8.2.2 Recent Changes and New Challenges.

8.3 Security Questions as Password Reset Mechanisms.

8.3.1 Knowledge Based Authentication.

8.3.2 Security Properties of Life Questions.

8.3.3 Protocols Using Life Questions.

8.3.4 Example Systems.

8.4 One-Time Password Tokens.

8.4.1 OTPs as a Phishing Countermeasure.

8.4.2 Advanced Concepts.

References.

9. Mutual Authentication and Trusted Pathways.

9.1 The Need for Reliable Mutual Authentication.

9.1.1 Distinctions Between The Physical and Virtual World.

9.1.2 The State of Current Mutual Authentication.

9.2 Password Authenticated Key Exchange.

9.2.1 A Comparison Between PAKE and SSL.

9.2.2 An Example PAKE Protocol: SPEKE.

9.2.3 Other PAKE Protocols and Some Augmented Variations.

9.2.4 Doppelganger Attacks on PAKE.

9.3 Delayed Password Disclosure.

9.3.1 DPD Security Guarantees.

9.3.2 A DPD Protocol.

9.4 Trusted Path: How To Find Trust in an Unscrupulous World.

9.4.1 Trust on the World Wide Web.

9.4.2 Trust Model: Extended Conventional Model.

9.4.3 Trust Model: Xenophobia.

9.4.4 Trust Model: Untrusted Local Computer.

9.4.5 Trust Model: Untrusted Recipient.

9.4.6 Usability Considerations.

9.5 Dynamic Security Skins.

9.5.1 Security Properties.

9.5.2 Why Phishing Works.

9.5.3 Dynamic Security Skins.

9.5.4 User Interaction.

9.5.5 Security Analysis.

9.6 Browser Enhancements for Preventing Phishing.

9.6.1 Goals for Anti-phishing Techniques.

9.6.2 Google Safe Browsing.

9.6.3 Phoolproof Phishing Prevention.

9.6.4 Final Design of the Two-Factor Authentication System.

References.

10. Biometrics and Authentication.

10.1 Biometrics.

10.1.1 Fundamentals of Biometric Authentication.

10.1.2 Biometrics and Cryptography.

10.1.3 Biometrics and Phishing.

10.1.4 Phishing Biometric Characteristics.

10.2 Hardware Tokens for Authentication and Authorization.

10.3 Trusted Computing Platforms and Secure Operating Systems.

10.3.1 Protecting Against Information Harvesting.

10.3.2 Protecting Against Information Snooping.

10.3.3 Protecting Against Redirection.

10.4 Secure Dongles and PDAs.

10.4.1 The Promise and Problems of PKI.

10.4.2 Smart Cards and USB Dongles to Mitigate Risk.

10.4.3 PorKI Design and Use.

10.4.4 PorKI Evaluation.

10.4.5 New Applications and Directions.

10.5 Cookies for Authentication.

10.5.1 Cache-Cookie Memory Management.

10.5.2 Cache-Cookie Memory.

10.5.3 C-Memory.

10.5.4 TIF-Based Cache Cookies.

10.5.5 Schemes for User Identification and Authentication.

10.5.6 Identifier Trees.

10.5.7 Rolling-Pseudonym Scheme.

10.5.8 Denial-of-Service Attacks.

10.5.9 Secret Cache Cookies.

10.5.10 Audit Mechanisms.

10.5.11 Proprietary Identifier-Trees.

10.5.12 Implementation.

10.6 Lightweight Email Signatures.

10.6.1 Cryptographic and System Preliminaries.

10.6.2 Lightweight Email Signatures.

10.6.3 Technology Adoption.

10.6.4 Vulnerabilities.

10.6.5 Experimental Results.

References.

11. Making Takedown Difficult.

11.1 Detection and Takedown.

11.1.1 Avoiding Distributed Phishing Attacks—Overview.

11.1.2 Collection of Candidate Phishing Emails.

11.1.3 Classification of Phishing Emails.

References.

12. Protecting Browser State.

12.1 Client-Side Protection of Browser State.

12.1.1 Same-Origin Principle.

12.1.2 Protecting Cache.

12.1.3 Protecting Visited Links.

12.2 Server-Side Protection of Browser State.

12.2.1 Goals.

12.2.2 A Server-Side Solution.

12.2.3 Pseudonyms.

12.2.4 Translation Policies.

12.2.5 Special Cases.

12.2.6 Security Argument.

12.2.7 Implementation Details.

12.2.8 Pseudonyms and Translation.

12.2.9 General Considerations.

References.

13. Browser Toolbars.

13.1 Browser-Based Anti-Phishing Tools.

13.1.1 Information-Oriented Tools.

13.1.2 Database-Oriented Tools.

13.1.3 Domain-Oriented Tools.

13.2 Do Browser Toolbars Actually Prevent Phishing?

13.2.1 Study Design.

13.2.2 Results and Discussion.

References.

14. Social Networks.

14.1 The Role of Trust Online.

14.2 Existing Solutions for Securing Trust Online.

14.2.1 Reputation Systems and Social Networks.

14.2.2 Third Party Certifications.

14.2.3 First Party Assertions.

14.2.4 Existing Solutions for Securing Trust Online.

14.3 Case Study: “Net Trust”.

14.3.1 Identity.

14.3.2 The Buddy List.

14.3.3 The Security Policy.

14.3.4 The Rating System.

14.3.5 The Reputation System.

14.3.6 Privacy Considerations and Anonymity Models.

14.3.7 Usability Study Results.

14.4 The Risk of Social Networks.

References.

15. Microsoft’s Anti-Phishing Technologies and Tactics.

15.1 Cutting The Bait: SmartScreen Detection of Email Spam and Scams.

15.2 Cutting The Hook: Dynamic Protection Within the Web Browser.

15.3 Prescriptive Guidance and Education for Users.

15.4 Ongoing Collaboration, Education and Innovation.

References.

16. Using S/MIME.

16.1 Secure Electronic Mail: A Brief History.

16.1.1 The Key Certification Problem.

16.1.2 Sending Secure Email: Usability Concerns.

16.1.3 The Need to Redirect Focus.

16.2 Amazon.com’s Experience with S/MIME.

16.2.1 Survey Methodology.

16.2.2 Awareness of Cryptographic Capabilities.

16.2.3 Segmenting the Respondents.

16.2.4 Appropriate Uses of Signing and Sealing.

16.3 Signatures Without Sealing.

16.3.1 Evaluating the Usability Impact of S/MIME-Signed Messages.

16.3.2 Problems from the Field.

16.4 Conclusions and Recommendations.

16.4.1 Promote Incremental Deployment.

16.4.2 Extending Security from the Walled Garden.

16.4.3 S/MIME for Webmail.

16.4.4 Improving the S/MIME Client.

References.

17. Experimental evaluation of attacks and countermeasures.

17.1 Behavioral Studies.

17.1.1 Targets of Behavioral Studies.

17.1.2 Techniques of Behavioral Studies for Security.

17.1.3 Strategic and Tactical Studies.

17.2 Case Study: Attacking eBay Users with Queries.

17.2.1 User-to-User Phishing on eBay.

17.2.2 eBay Phishing Scenarios.

17.2.3 Experiment Design.

17.2.4 Methodology.

17.3 Case Study: Signed Applets.

17.3.1 Trusting Applets.

17.3.2 Exploiting Applets’ Abilities.

17.3.3 Understanding the Potential Impact.

17.4 Case Study: Ethically Studying Man in the Middle.

17.4.1 Man-in-the-Middle and Phishing.

17.4.2 Experiment: Design Goals and Theme.

17.4.3 Experiment: Man-in-the-Middle Technique Implementation.

17.4.4 Experiment: Participant Preparation.

17.4.5 Experiment: Phishing Delivery Method.

17.4.6 Experiment: Debriefing.

17.4.7 Preliminary Findings.

17.5 Legal Considerations in Phishing Research.

17.5.1 Specific Federal and State Laws.

17.5.2 Contract Law – Business Terms of Use.

17.5.3 Potential Tort Liability.

17.5.4 The Scope of Risk.

17.6 Case Study: Designing and Conducting Phishing Experiments.

17.6.1 Ethics and Regulation.

17.6.2 Phishing experiments—Three Case Studies.

17.6.3 Making it Look Like Phishing.

17.6.4 Subject Reactions.

17.6.5 The Issue of Timeliness.

References.

18. Liability for Phishing.

18.1 Impersonation.

18.1.1 Anti-SPAM.

18.1.2 Trademark.

18.1.3 Copyright.

18.2 Obtaining Personal Information.

18.2.1 Fraudulent Access.

18.2.2 Identity Theft.

18.2.3 Wire Fraud.

18.2.4 Pretexting.

18.2.5 Unfair Trade Practice.

18.2.6 Phishing-Specific Legislation.

18.2.7 Theft.

18.3 Exploiting Personal Information.

18.3.1 Fraud.

18.3.2 Identity Theft.

18.3.3 Illegal Computer Access.

18.3.4 Trespass to Chattels.

References.

19. The Future.

Index.

About the Editors.

This is one of the most useful books in this domain for understanding the internals of phishing and of its countermeasures. It will help home users learn how phishing works, and it will help researchers design their projects so that the countermeasures they build target these phishing techniques.


Hope this was helpful. Thank you for choosing Phish Analytics!


Target Audience: Home Users


Phishers are getting more creative at crafting simple emails that are truly believable. Check out the following email that I received from "American Express Company", which is certainly not from the real American Express.


Delivered-To: contact.fingers@gmail.com
Received: by 10.90.98.15 with SMTP id v15cs96930agb;
Fri, 12 Mar 2010 09:26:49 -0800 (PST)
Received: by 10.141.108.16 with SMTP id k16mr3318331rvm.120.1268414808819;
Fri, 12 Mar 2010 09:26:48 -0800 (PST)
Return-Path: <AmericanExpress@welcome.aexp.com>
Received: from LOTUS-SBS.lotuspropertyservices.local (adsl-99-30-196-129.dsl.lsan03.sbcglobal.net [99.30.196.129])
by mx.google.com with ESMTP id 5si2926183pzk.48.2010.03.12.09.26.48;
Fri, 12 Mar 2010 09:26:48 -0800 (PST)
Received-SPF: pass (google.com: domain of AmericanExpress@welcome.aexp.com designates 99.30.196.129 as permitted sender) client-ip=99.30.196.129;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of AmericanExpress@welcome.aexp.com designates 99.30.196.129 as permitted sender) smtp.mail=AmericanExpress@welcome.aexp.com
Received: from User ([66.127.102.154]) by LOTUS-SBS.lotuspropertyservices.local with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 12 Mar 2010 09:24:29 -0800
Reply-To: <AmericanExpress@welcome.aexp.com>
From: "American Express"<AmericanExpress@welcome.aexp.com>
Subject: New Alert Notice American Express
Date: Fri, 12 Mar 2010 09:26:42 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: AmericanExpress@welcome.aexp.com
Message-ID: <LOTUS-SBSeQM7gyoPB2000001f7@LOTUS-SBS.lotuspropertyservices.local>
X-OriginalArrivalTime: 12 Mar 2010 17:24:29.0765 (UTC) FILETIME=[DF6FBF50:01CAC208]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<html><head></head><body><br>
</td>
<td>
</td>
<td>

</td>
</tr>
<br><font size="2">Dear Customer ,
<br><br>
Our technical service department has recently discovered that your information on file with us is incomplete.<br>
Your American Express on file with us is: 37xxxxxxxxxxxxxx .<br>
<br>

<br>
Please update your American Express account on our secured server below:<br>
(If you cannot click on the link, please copy and paste it into your browser's address bar).<br>
<br>
<font style="font-size: 9pt;" face="Verdana"><a rel="nofollow" target="_blank" href="http://www.barouki.com.br/notice.php"><span id="lw_1258974946_0">Continue To Online Update Form</a></font><br>
<br>
We appreciate your prompt attention to this important matter.<br>
<span>*If you account information is not updated within 48 hours then your ability to access your account will be restricted. <br>

<br>
<p>Thank you</p>
<p>American Express Company.

</p>
<table border="0" cellpadding="0" cellspacing="0" width="500">
<tbody><tr>
<td colspan="2">
<div align="center"></div>
<hr align="center" width="500">
<p><br>
</p></td></tr>
<tr>

<td align="left" height="31" valign="top" width="450"><font size="-1"><font size="-2"><font face="Arial, Verdana, Helvetica, sans-serif" size="1">Copyright
The products, account packages, promotional offers and services described on this website may not apply to customers of International Personal Banking (IPB) or Global Executive Banking (GEB). IPB customers should visit the <a id="cmlink_IPBhomepage" href="javascript:launchPopup('https://home.americanexpress.com/home/mt_personal.shtml','ipb','resizable,menubar,toolbar,scrollbars,status,location,width=650,height=451')" target="_top">IPB Web site</a> and GEB customers should visit the <a id="cmlink_GEBhomepage" href="javascript:launchPopup('https://home.americanexpress.com/home/mt_personal.shtml','geb','resizable,menubar,toolbar,scrollbars,status,location,width=850,height=600')" target="_top">GEB Web site</a> to obtain such information.
<table border="0" cellpadding="0" cellspacing="0">

<br>Copyright © 2010 American Express Company.

Home users can fall prey to such phishing attempts. The link in this email would take users to "hxxp://www.barouki.com.br/notice.php".


Firefox blocks this link as a possible web forgery, which is great. Let us see whether we get any other data on this site:

  • McAfee SiteAdvisor had no results for this domain.
  • Norton SafeWeb says that this site is legitimate: http://safeweb.norton.com/report/show?name=barouki.com.br [Snapshot is displayed below.]

The message of this article is not that you should distrust reputation portals, but that you should run some preliminary checks yourself. These portals rely on automated scans taken at regular intervals, so their verdict on a fresh phishing site can lag behind reality. That does not make them untrustworthy; it means no single tool should be trusted blindly. A few checks of your own will tell you whether a result is a true positive or a false negative. The portals also produce false positives, for example when a file hosted on the domain happens to match one of their exploit signatures.


Hope this was helpful. Thank you for choosing Phish Analytics!


This is a phishing email that looks just like a normal email from eBay:

Delivered-To: contact.fingers@gmail.com
Received: by 10.90.98.15 with SMTP id v15cs39513agb;
Thu, 11 Mar 2010 12:37:02 -0800 (PST)
Received: by 10.115.98.2 with SMTP id a2mr1602713wam.127.1268339821920;
Thu, 11 Mar 2010 12:37:01 -0800 (PST)
Return-Path: <members@eby.com>
Received: from p06ns1.puretopure.jp ([210.254.102.210])
by mx.google.com with ESMTP id 22si253916pxi.1.2010.03.11.12.37.01;
Thu, 11 Mar 2010 12:37:01 -0800 (PST)
Received-SPF: neutral (google.com: 210.254.102.210 is neither permitted nor denied by best guess record for domain of members@eby.com) client-ip=210.254.102.210;
Authentication-Results: mx.google.com; spf=neutral (google.com: 210.254.102.210 is neither permitted nor denied by best guess record for domain of members@eby.com) smtp.mail=members@eby.com
Message-Id: <4b99546d.161bf30a.7f4b.ffff889eSMTPIN_ADDED@mx.google.com>
Received: (qmail 14000 invoked from network); 11 Mar 2010 20:08:42 +0700
Received: from adsl-66-142-134-209.dsl.hstntx.swbell.net (HELO User) (66.142.134.209)
by p06ns1.puretopure.jp with SMTP; 11 Mar 2010 20:08:42 +0700
From: "eBay"<members@eBy.com>
Subject: Question about Item #200434957586 - Respond Now
Date: Thu, 11 Mar 2010 07:08:47 -0600
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

<IMG alt=eBay src="http://66.236.38.226/eb.jpg" border=0></TD> <TD vAlign="bottom"><FONT face="verdana, sans-serif" color=#666666 size=1><B></B><BR></FONT></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" bgColor=#ffe680 border=0>
<TBODY>
<TR>
<TD vAlign=top width=8><IMG height=8 src="http://pics.ebaystatic.com/aw/pics/globalAssets/ltCurve.gif" width=8></TD>
<TD vAlign=bottom width="100%">
<H1 style="MARGIN-TOP: 2px; FONT-WEIGHT: bold; FONT-SIZE: 14pt; MARGIN-BOTTOM: 2px; COLOR: #000000; FONT-FAMILY: arial,"><FONT face="Arial, Verdana" size=4><B>Question about Item #200434957586 - Respond Now</B></FONT> </H1></TD>
<TD vAlign=top align=right width=8><IMG height=8 src="http://pics.ebaystatic.com/aw/pics/globalAssets/rtCurve.gif" width=8 align=top></TD></TR>
<TR>
<TD bgColor=#ffcc00 colSpan=3 height=4><SPACER width="1" type="block" height="4"></SPACER></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="96.6%" border=0>
<TBODY>
<TR>
<TD><IMG height=1 src="http://pics.ebaystatic.com/aw/pics/s.gif" width=5></TD>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD>
<TABLE style="BORDER-RIGHT: #ffcc00 1px solid; BORDER-LEFT: #ffcc00 1px solid; BORDER-BOTTOM: #ffcc00 1px solid" width="100%" border=0>
<TBODY>
<TR>
<TD style="PADDING-LEFT: 8px"><FONT face="Arial, Verdana" size=2>eBay sent this message on behalf of an eBay member through My Messages.
<P><ALIGN=LEFT>Dear member,</P>
<P><ALIGN=LEFT>eBay member leahpfeiffer has left you a message regarding item #200434957586</P>
<P><ALIGN=LEFT><A title=http://signin.ebay.com.xffaxooqdnaqo.pd92jdkakq6jka.mobi/ws/eBayISAPI.dll/ href="http://74.7.12.91/r_eBayISAPI.dll/">Click here to view the message</A></P>
<P><ALIGN=LEFT>Regards,</P>
<P><ALIGN=LEFT>eBay</FONT></P></TD></TR></TBODY></TABLE></TD>
<TD><IMG height=1 src="http://pics.ebaystatic.com/aw/pics/s.gif" width=5></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR></TR></TBODY></TABLE>



The link in the email would take you to "http://74.7.12.91/r_eBayISAPI.dll/". When I tried to submit it to PhishTank, I found that someone else had already submitted it, as shown in the following image:


The site is still active, although Firefox blocks it with its web forgery warning, as shown below:





PhishTank's page [Source: PhishTank portal] had a snapshot of the site taken before Firefox blocked it:



Since the link uses a bare IP address rather than a domain name, I looked up the following information:


Whois:


 network: Class-Name: network
 network: ID: NET-74-7-0-0-1
 network: Auth-Area: 74.7.0.0
 network: Network-Name: CBEY-74.7.12.88
 network: IP-Network: 74.7.12.88/29
 network: IP-Network-Block: 74.7.12.88 - 74.7.12.95
 network: Org-Name: Avida Rent a Car
 network: Street-Address: 3185  CAMP CREEK PKWY
 network: City: EAST POINT
 network: State: GA
 network: Postal-Code: 30344
 network: Country-Code: US
 network: Tech-Contact;I: ip-admin@cbeyond.net

 network: Admin-Contact;I: ip-admin@cbeyond.net

 network: Abuse-Contact;I: abuse@cbeyond.net

 network: Created: 3/13/2007
 network: Updated: 20100311
 network: Updated-By: ip-admin@cbeyond.net

 network: Class-Name: network
 network: ID: NET-74-7-0-0-1
 network: Auth-Area: 74.7.0.0/17
 network: Network-Name: CBEY-74.7.0.0
 network: IP-Network: 74.7.0.0/17
 network: IP-Network-Block: 74.7.0.0 - 74.7.127.255
 network: Org-Name: Cbeyond Communications
 network: Street-Address: 320 Interstate North Parkway  Suite 300
 network: City: Atlanta
 network: State: GA
 network: Postal-Code: 30339
 network: Country-Code: US
 network: Tech-Contact;I: ip-admin@cbeyond.net

 network: Admin-Contact;I: ip-admin@cbeyond.net

 network: Abuse-Contact;I: abuse.net
 network: Created: 3/13/2007
 network: Updated: 20100311
 network: Updated-By: ip-admin@cbeyond.net



Reverse DNS:
Interestingly, there is no reverse DNS entry for this address (no PTR record maps it to a domain name).


Domains hosted on this IP:
None


Other sites that have blocklisted this IP:
http://www.siteadvisor.com/sites/74.7.12.91
http://www.mailscanner.eu/phishing.bad.sites.conf.master
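The header blocks quoted in this post and in the American Express post above show the same pattern: the third-party server that relayed the message logged a peer that announced itself with the bare HELO name "User", and Google's SPF verdict (neutral here, pass for the American Express message) applies only to that relay's address, the last hop before Google, not to the machine that injected the mail. The script below is an added example, not part of the original post. It embeds the Received headers of both messages as they appear on this page (continuation lines re-indented so the standard library parser unfolds them, bodies omitted), walks the chain from origin to destination, and reports the first public origin address, the SPF verdict, and any hop that used a non-FQDN HELO name. Function names are the example's own.

```python
import email
import ipaddress
import re

# Header blocks of the two messages quoted on this page (American Express and
# eBay), bodies omitted. Continuation lines are re-indented with a tab so the
# standard library parser unfolds them; everything else is as shown above.
AMEX_HEADERS = """\
Delivered-To: contact.fingers@gmail.com
Received: by 10.90.98.15 with SMTP id v15cs96930agb;
\tFri, 12 Mar 2010 09:26:49 -0800 (PST)
Return-Path: <AmericanExpress@welcome.aexp.com>
Received: from LOTUS-SBS.lotuspropertyservices.local (adsl-99-30-196-129.dsl.lsan03.sbcglobal.net [99.30.196.129])
\tby mx.google.com with ESMTP id 5si2926183pzk.48.2010.03.12.09.26.48;
\tFri, 12 Mar 2010 09:26:48 -0800 (PST)
Received-SPF: pass (google.com: domain of AmericanExpress@welcome.aexp.com designates 99.30.196.129 as permitted sender) client-ip=99.30.196.129;
Received: from User ([66.127.102.154]) by LOTUS-SBS.lotuspropertyservices.local with Microsoft SMTPSVC(6.0.3790.3959);
\tFri, 12 Mar 2010 09:24:29 -0800
From: "American Express"<AmericanExpress@welcome.aexp.com>
Subject: New Alert Notice American Express

"""

EBAY_HEADERS = """\
Delivered-To: contact.fingers@gmail.com
Received: by 10.90.98.15 with SMTP id v15cs39513agb;
\tThu, 11 Mar 2010 12:37:02 -0800 (PST)
Return-Path: <members@eby.com>
Received: from p06ns1.puretopure.jp ([210.254.102.210])
\tby mx.google.com with ESMTP id 22si253916pxi.1.2010.03.11.12.37.01;
\tThu, 11 Mar 2010 12:37:01 -0800 (PST)
Received-SPF: neutral (google.com: 210.254.102.210 is neither permitted nor denied by best guess record for domain of members@eby.com) client-ip=210.254.102.210;
Received: (qmail 14000 invoked from network); 11 Mar 2010 20:08:42 +0700
Received: from adsl-66-142-134-209.dsl.hstntx.swbell.net (HELO User) (66.142.134.209)
\tby p06ns1.puretopure.jp with SMTP; 11 Mar 2010 20:08:42 +0700
From: "eBay"<members@eBy.com>
Subject: Question about Item #200434957586 - Respond Now

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_hops(raw):
    """Parse the Received headers into hops, ordered origin first.

    Each hop records the HELO name the peer announced, the peer IP as the
    receiving server logged it, and the receiving server. Hops without a
    'from' clause (internal delivery, qmail's 'invoked from network') carry
    no peer information and are skipped.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", value)
        if not m_from:
            continue
        # qmail writes 'from <rdns> (HELO <name>) (<ip>)'; Microsoft SMTPSVC
        # writes 'from <helo> ([<ip>])'. Prefer the explicit HELO when present.
        m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", value, re.I)
        m_ip = IPV4.search(value.split(" by ", 1)[0])  # skip ids after 'by'
        m_by = re.search(r"\bby\s+(\S+)", value)
        hops.append({
            "helo": m_helo.group(1) if m_helo else m_from.group(1),
            "ip": m_ip.group(0) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    hops.reverse()  # headers are prepended, so the bottom one is the origin
    return hops


def origin_ip(raw):
    """First public address in the chain: where the message really entered SMTP."""
    for hop in received_hops(raw):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def spf_result(raw):
    """The receiver's SPF verdict; it covers only the last hop before the receiver."""
    value = email.message_from_string(raw).get("Received-SPF")
    return value.split()[0].lower() if value else None


def helo_findings(raw):
    """Hops whose HELO name is not a fully qualified domain name (RFC 5321 expects one)."""
    return [f"{hop['ip']} announced itself as '{hop['helo']}' to {hop['by']}"
            for hop in received_hops(raw) if "." not in hop["helo"]]


def report(raw):
    hops = received_hops(raw)
    print(f"origin IP: {origin_ip(raw)}   SPF (for {hops[-1]['ip']} only): {spf_result(raw)}")
    for n, hop in enumerate(hops, 1):
        print(f"  hop {n}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    for finding in helo_findings(raw):
        print("  suspicious HELO:", finding)


if __name__ == "__main__":
    for name, raw in (("American Express", AMEX_HEADERS), ("eBay", EBAY_HEADERS)):
        print(name)
        report(raw)
```

Run as a script, it reports 66.127.102.154 and 66.142.134.209 as the origin addresses, neither of which is the address the SPF verdict was computed for. Those origin addresses, together with the address in the link, are the ones worth taking to whois and to the blocklists listed above.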


The email could convince many home users to click the link. Fortunately, the site does not serve any drive-by-download malware so far, but what it hosts can change from one day to the next. Hope this helps with user education in the fight against phishing. Thank you for choosing Phish Analytics!


A phishing site can look so real that it is hard to tell it apart from the genuine one; we have seen this ourselves. Consider the example below, an email we received this morning:

Delivered-To: contact.fingers@gmail.com
Received: by 10.90.75.16 with SMTP id x16cs83152aga;
Wed, 3 Mar 2010 07:45:14 -0800 (PST)
Received: by 10.224.88.83 with SMTP id z19mr1009893qal.88.1267631113910;
Wed, 03 Mar 2010 07:45:13 -0800 (PST)
Return-Path: <Citibank@serviceemail.com>
Received: from mail.certsonline.com (mail.certsonline.com [63.100.2.99])
by mx.google.com with ESMTP id 30si10655145qyk.84.2010.03.03.07.45.08;
Wed, 03 Mar 2010 07:45:13 -0800 (PST)
Received-SPF: neutral (google.com: 63.100.2.99 is neither permitted nor denied by domain of Citibank@serviceemail.com) client-ip=63.100.2.99;
Authentication-Results: mx.google.com; spf=neutral (google.com: 63.100.2.99 is neither permitted nor denied by domain of Citibank@serviceemail.com) smtp.mail=Citibank@serviceemail.com
Received: from User ([66.127.102.154]) by mail.certsonline.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 3 Mar 2010 07:44:38 -0800
Reply-To: <Citibank@serviceemail.com>
From: "Citibank"<Citibank@serviceemail.com>
Subject: New Alert Notice Citibank
Date: Wed, 3 Mar 2010 07:44:40 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: Citibank@serviceemail.com
Message-ID: <IDSEMAIL023AkwtsQzt0001c53c@mail.certsonline.com>
X-OriginalArrivalTime: 03 Mar 2010 15:44:39.0077 (UTC) FILETIME=[6EFD8D50:01CABAE8]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<html><head>
<style type="text/css">
<!--
.style2 {
font-family: "Times New Roman", Times, serif;
font-size: 12px;
}
.style3 {
font-family: "Times New Roman", Times, serif;
font-size: 10px;
color: #666666;
}
.style4 {color: #000000}
.style5 {font-family: "Times New Roman", Times, serif; font-size: 12px; color: #000000; }
.Estilo2 {font-family: "Times New Roman", Times, serif; font-size: 14px; }
-->
</style></head><body>

<table border="0" cellpadding="0" cellspacing="0" width="506">
<tbody><tr>
<tr>
<td height="10">&nbsp;</td>
</tr>
<tr>
<td valign="top"> <span><strong>Dear Customer: </strong><br>
<br>
</span>
<div align="justify">
<p align="left"> During our regualry scheduled account maintenance and verifications procedures,<br>
we have detected a slight error regarding your Citibank Credit Cards.<br>
<br>
This might be due to one of the following reasons:<br>
<br>
1. A recent change in your personal information (i.e. address changing)<br>
2. Submitting invalid information during the initial sign up process.<br>

4. Multiple failed logins in your personal account.<br>
3. An inabillity to accurately verify your selected option of payment due<br>&nbsp;&nbsp;&nbsp; to an internal error within our system.<br>

<br>
Please update and verify your information by clicking the following link:<br>
<br>
<font style="font-size: 9pt;" face="Verdana"><a rel="nofollow" target="_blank"href="hxxp://www.comunidadunete.net/notice.php">https://www.citicards.com/home</a></font><br>
<br>

<p><span>We appreciate your support and thank you for your prompt attention to this matter.</span></p>
<p align="left"><span><br>



At first glance it looked real, because the link text is the genuine Citi address. On closer inspection, the domain name shown in the email is only the visible text of a link that leads to a completely different domain. Even though the email displays "hxxps://www.citicards.com/home", clicking it takes you to the phishing site:


"hxxp://www.comunidadunete.net/notice.php"
Address: 201.175.38.217
Registrant:
UNETE AC
Leibnitz 11 - 401 Col. Anzures
Mexico City, MX 11590
MX

This works because the link is not plain text: the HREF attribute carries the phishing URL, and the legitimate URL is used only as the anchor text that the reader sees.


COUNTERMEASURE FOR THE LINK SPOOFING: In most browsers, hovering over the link (without clicking) shows the real destination in the status bar. Otherwise, right-click the link, choose Copy Shortcut (or Copy Link Location), and submit the copied URL to a sandbox such as "http://jsunpack.jeek.org", which will show you where it leads.
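A simple way to automate that check, as an added example that is not part of the original post: the script below pulls every anchor out of an HTML message and flags the deceptions seen on this page, namely a visible URL whose host differs from the HREF (the Citi message), an HREF that is a bare IP address and a title attribute that imitates a legitimate domain (the eBay message), and a javascript: HREF whose destination cannot be previewed (the American Express footer). The sample HTML is constructed from those anchors plus one honest link, and the code also accepts the defanged hxxp:// form used in write-ups. Function names are the example's own.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modeled on the anchors in the three emails quoted on this
# page (Citi, eBay, American Express) plus one honest link for contrast.
SAMPLE_HTML = """
<p><a rel="nofollow" target="_blank" href="hxxp://www.comunidadunete.net/notice.php">https://www.citicards.com/home</a></p>
<p><A title=http://signin.ebay.com.xffaxooqdnaqo.pd92jdkakq6jka.mobi/ws/eBayISAPI.dll/ href="http://74.7.12.91/r_eBayISAPI.dll/">Click here to view the message</A></p>
<p><a target="_blank" href="http://www.barouki.com.br/notice.php">Continue To Online Update Form</a></p>
<p><a href="https://www.citicards.com/home">https://www.citicards.com/home</a></p>
"""

# Leading host name of a string that looks like a URL (scheme optional).
HOST_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:\s]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collects href, title and visible text for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "", "title": a.get("title") or "", "text": []}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join("".join(self._current["text"]).split())
            self.links.append(self._current)
            self._current = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def refang(url):
    """Turn the defanged hxxp:// form used in write-ups back into http://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def host_of(url):
    """Hostname of a URL, lower-cased, or None if it has none (e.g. javascript:)."""
    parsed = urlparse(refang(url))
    return parsed.hostname.lower() if parsed.hostname else None


def displayed_host(text):
    """Host a reader would believe the link leads to, if the text looks like a URL."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_link(link):
    """Findings for one anchor; an empty list means nothing deceptive was seen."""
    href = refang(link["href"])
    if href.lower().startswith("javascript:"):
        return ["javascript_href"]  # destination hidden in script, cannot be previewed
    findings = []
    real = host_of(href)
    if real and is_ip_literal(real):
        findings.append("bare_ip_host")
    shown = displayed_host(link["text"])
    if shown and real and shown != real:
        findings.append(f"display_url_mismatch:{shown}->{real}")
    decoy = displayed_host(link["title"])
    if decoy and real and decoy != real:
        findings.append(f"title_decoy:{decoy}->{real}")
    return findings


def audit_html(html):
    """(href, findings) for every anchor in the document, in source order."""
    return [(link["href"], audit_link(link)) for link in extract_links(html)]


if __name__ == "__main__":
    for href, findings in audit_html(SAMPLE_HTML):
        print(href, "->", findings or "no finding")
```

Note what the third result shows: the American Express anchor produces no finding, because its text is a plain phrase rather than a URL. Link auditing catches the visible deception, not every phish; the origin of the message and the reputation of the destination domain still need to be checked separately.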


In this case, the attackers made the phishing site look so real that most of the links on it point to the legitimate Citigroup portal. Check out the snapshot below [we submitted this site to PhishTank this morning]:




Now you know how real a phishing site can look. Hoping this was helpful. Thank you for choosing our blog!


I received a phishing email today:

Delivered-To: contact.fingers@gmail.com
Received: by 10.90.75.16 with SMTP id x16cs421142aga;
Fri, 26 Feb 2010 12:18:17 -0800 (PST)
Received: by 10.150.8.10 with SMTP id 10mr1515936ybh.125.1267215497145;
Fri, 26 Feb 2010 12:18:17 -0800 (PST)
Return-Path: <service1@paylpal.com>
Received: from dbmserver2.dbm.cl (www.dbm.cl [200.27.137.235])
by mx.google.com with ESMTP id 4si3032474yxe.61.2010.02.26.12.18.15;
Fri, 26 Feb 2010 12:18:17 -0800 (PST)
Received-SPF: neutral (google.com: 200.27.137.235 is neither permitted nor denied by best guess record for domain of service1@paylpal.com) client-ip=200.27.137.235;
Authentication-Results: mx.google.com; spf=neutral (google.com: 200.27.137.235 is neither permitted nor denied by best guess record for domain of service1@paylpal.com) smtp.mail=service1@paylpal.com
Received: from User ([66.166.198.251]) by dbmserver2.dbm.cl with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 26 Feb 2010 17:15:34 -0300
From: "Pay Pal-Customer Service"<service1@paylpal.com>
Subject: Notification of Limited Account Access
Date: Fri, 26 Feb 2010 15:18:24 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: service1@paylpal.com
Message-ID: <DBMSERVER2lsjH1dsDb000013f5@dbmserver2.dbm.cl>
X-OriginalArrivalTime: 26 Feb 2010 20:15:34.0703 (UTC) FILETIME=[74087BF0:01CAB720]

&nbsp;
<DIV id=readMsgBodyContainer onclick=”return Control.invoke(‘ReadingPane’, ‘_onBodyClick’, event);”>
<DIV id=MsgContainer>
<STYLE>
.ExternalClass EC_style2
{font-size:x-small;font-family:Verdana, Arial, Helvetica, sans-serif;}

</STYLE>

<DIV id=EC_message>
<STYLE>
.ExternalClass #EC_message .EC_dummy
{;}
.ExternalClass #EC_message
{font-size:12px;color:#000000;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message TD
{font-size:12px;color:#000000;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message LI
{line-height:120%;}
.ExternalClass #EC_message UL.EC_ppsmallborder
{;}
.ExternalClass #EC_message LI.EC_ppsmallborderli
{;}
.ExternalClass #EC_message UL.EC_pp_narrow
{;}
.ExternalClass #EC_message HR.EC_dotted
{border-right:#fff;border-top:#fff;margin-bottom:0px;border-left:#fff;width:100%;border-bottom:#ccc 2px dotted;}
.ExternalClass #EC_message .EC_pp_label
{font-weight:bold;font-size:10px;color:#000000;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_serifbig
{font-weight:bold;font-size:20px;color:#000000;font-family:serif;}
.ExternalClass #EC_message .EC_pp_serif
{font-size:16px;color:#000000;font-family:serif;}
.ExternalClass #EC_message .EC_pp_sansserif
{font-size:16px;color:#000000;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_heading
{font-weight:bold;font-size:18px;color:#003366;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_subheadingeoa
{font-weight:bold;font-size:15px;color:#000000;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_subheading
{font-weight:bold;font-size:16px;color:#003366;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_sidebartext
{font-size:11px;color:#003366;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_sidebartextbold
{font-weight:bold;font-size:11px;color:#003366;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_footer
{font-size:11px;color:#aaaaaa;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_button
{font-weight:400;font-size:13px;color:#000000;border-top-style:outset;font-family:verdana,arial,helvetica,sans-serif;border-right-style:out
set;border-left-style:outset;background-color:#cccccc;border-bottom-style:outset;}
.ExternalClass #EC_message .EC_pp_smaller
{font-size:10px;color:#000000;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_pp_smallersidebar
{font-size:10px;color:#003366;font-family:verdana,arial,helvetica,sans-serif;}
.ExternalClass #EC_message .EC_ppem106
{font-weight:700;}
</STYLE>

<TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
<TBODY>
<TR vAlign=top>
<TD><A href=”http://87.96.141.110/gallery/img/re.html” target=_blank><IMG height=35 alt=PayPal src=”https://www.paypalobjects.com/en_US/i/logo/email_logo.gif” width=255 border=0></A> </TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width=”100%” border=0>
<TBODY>
<TR>
<TD width=”100%” background=https://www.paypalobjects.com/en_US/i/scr/bg_clk.gif><IMG height=10 src=”http://pixel(1).gif/” width=1 border=0></TD></TR>
<TR>
<TABLE cellSpacing=0 cellPadding=0 width=850 align=center border=0>
<TBODY>
<TR vAlign=top>
<TD width=352>
<TABLE cellSpacing=0 cellPadding=5 width=407 border=0>
<TBODY>
<TR vAlign=top>
<TD width=397>
<TABLE cellSpacing=0 cellPadding=0 width=”100%” border=0>
<TBODY>
<TR>
<TD align=left>Notification of Limited Account Access</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD width=397>Dear Member,
<P>As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.We requested information from you for the following reason:<BR><BR>We recently received a report of unauthorized credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to protect against future unauthorized transactions.<BR><BR>Case ID Number: PP-204-863-417
<P>In accordance with PayPal’s User Agreement, your account access will remain limited until the issue has been resolved. Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to follow our verification procedure as soon as possible to help avoid this.</P><BR>
<TABLE cellSpacing=0 cellPadding=1 width=”75%” align=left bgColor=#ffe65c border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=4 width=”100%” align=center bgColor=#fffecd border=0>
<TBODY>
<TR>
<TD align=middle><A href=”hxxp://87.96.141.110/gallery/img/re.html” target=_blank><FONT color=#0068cf>Click here to login and restore your account access</FONT></A></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<P><FONT color=#0068cf><BR></FONT></P>
<P><BR><BR><BR>Once you log in, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.<BR><BR>This is a final reminder to <A href=”hxxp://87.96.141.110/gallery/img/re.html” target=_blank><FONT color=#0068cf>log in</FONT></A> to PayPal as soon as possible.</P>
<P>We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience. </P>
<P>Sincerely,<BR>PayPal Account Review Department<BR>PayPal Email ID PP-204-863-417</P></TD></TR>
<TR>
<TD width=397>
<HR>
</TD></TR>
<TR>
<TD width=397>
<TABLE cellSpacing=0 cellPadding=0 width=”100%” border=0>
<TBODY>
<TR>
<TD>Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, <A href=”hxxp://87.96.141.110/gallery/img/re.html” target=_blank><FONT color=#0068cf>log in</FONT></A> to your PayPal account and choose the “Help” link in the footer of any page.</TD></TR>
<TR>
<TD><IMG height=10 src=”http://pixel(2).gif/” width=1 border=0></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD width=397><BR><SPAN>PayPal Email ID PP638<BR><BR></SPAN></TD></TR></TBODY></TABLE></TD>
<TD width=12><IMG height=1 src=”http://pixel(1).gif/” width=10 border=0></TD>
<TD vAlign=top width=248>
<TABLE cellSpacing=0 cellPadding=1 width=”100%” bgColor=#cccccc border=0>
<TBODY>
<TR>



Clicking on any of the images or hyperlinks takes users to the following place:


“hxxp://87.96.141.110/gallery/img/re.html”


I tried entering this into Phishtank, but this was already entered by mxlab on Feb 26th 2010 10:42 PM and verified by stuartgrant buaya tetak patrickchefalo [Source: http://www.phishtank.com/phish_detail.php?phish_id=935078]:


Clicking on the link in Firefox warns the user that it is a possibly malicious site. Users should be cautious about proceeding further to the site, since the Firefox alert is the best browser indicator ever. Even though there have been minor glitches in the past, Firefox does its best to keep its data up to date:


  • to avoid blocking legitimate websites
  • to ensure blocking most of the bad guys
  • to alert their users at the right time



The following is what you would see when you are trying to go to bad sites through Firefox:


We will talk more about our framework, once it is complete. We are in the process of releasing it by end of March 2010, only if things go according to plan :) . Thank you for choosing Phish Analytics!


I am not sure whether this belongs under phishing or on the blackhat blog. I could have published it at EF.Kaffenews to keep it neutral, although this is more a case of people clicking on malicious links without knowing what the link is about. We received this Twitter message in our EvilFingers inbox. Here is a snapshot of the email:


The twitter page of the above message is as follows:




When I tried analyzing with Wepawet, no results were found: http://wepawet.iseclab.org/view.php?hash=60ca3123058123136fc0d38acc9ebc68&t=1267171143&type=js


I tried performing further analysis with JSunpack, which found the following results[Source: http://jsunpack.jeek.org/dec/go?report=0f619b1c6136a2d94dce02430c527dfe1bb847c7]:



When trying to look into “cdn2.static.cdn-xxxblackbook.com/js/lib/prototype.615183038.js suspicious – [suspicious:5] (script) cdn2.static.cdn-xxxblackbook.com/js/lib/prototype.615183038.js – suspicious: MSIEUseAfterFree CVE-2010-0249 detected“, I found the following details from CVE[Source:http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249]:

Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka “HTML Object Memory Corruption Vulnerability.”



Hence, I became keen to know whether Operation Aurora is not done yet :) and is still continuing to hose/compromise others. The other JavaScript files from the same main link show no indication of malicious content, although JSunpack lists the page as suspicious:


tinyurl.com/YDL76SY suspicious

[nothing detected] tinyurl.com/YDL76SY
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/prototype.615183038.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/scriptaculous.696680192.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/effects.705551075.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/controls.2007585179.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/lightbox.1807782789.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/modalbox.19591244.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/swfobject.1055208825.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/jquery-1.3.2.min.179500357.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/jquery-autocomplete.min.1279026962.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/jquery-tooltip.1719102670.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/jquery.validate.364215283.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/lib/jquery-ui-1.7.2.custom.min.1211882518.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/main.1795268396.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/top_location.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/iov.js
info: [script http] mpsnare.iesnare.com/snare.js
info: [script http] cdn2.static.cdn-xxxblackbook.com/js/analytics/tracking.275250083.js
info: [script http] d.yimg.com/mi/ywa.js
info: [img http] a.analytics.yahoo.com/p.pl?a=1000735140356&amp;js=no
info: [decodingLevel=0] found JavaScript


When I tried checking BrowserDefender, I found the following:



To further double-check, I ran it over Norton SafeWeb and found the following results:



Does this mean that it is safe? Or does it mean that “suspicious: MSIEUseAfterFree CVE-2010-0249 detected” is a false positive? Thank you for choosing our blog!


We looked at spear phishing attacks (targeted phishing attacks) in one of the prior blogs. Let us now imagine that you are the CISO of a Fortune corporation. Your company is the #1 spear phishing target of the week. You have received a report from one of your subordinates on the type of phishing attacks and possible samples. Always remember that in any given situation there is nothing better than educating the users in your organization. How would you do this under the circumstances explained above?


User education is an ongoing process where users are tested and trained with the latest possible update in any given situation. It is not a one-step process where users can tell whether an email is good or bad just by looking at it. Hence the best way would be to put users in “practical” situations where they are tested. Why can't we do what the phishing emails would do, but lead the users to a page that warns them that they have fallen for phishing, something like a decoy? By doing this, you would also have statistics on:

  • How many users clicked on the link?
  • How often do these users click the links?
  • How many require additional training?
  • How vulnerable are you, if it happens in reality?
  • Does difference in appearance of email or link, change the user’s mentality?
  • How should the training be modified to ensure that this does not happen again?
  • How many times & how often are each of the users trained?



To do the above, you need a framework that does the following:

  • Simulate phishing emails with phishing links.
  • Redirect phishing links to a decoy site that logs user details.
  • Compute user stats.



The user stats should clearly identify the following, so that we can conclude whether our user education was effective enough or whether we should change the way in which users are being trained:

  • Number of times: this user was tested.
  • Number of times: this user has clicked the link.
  • Number of times: this user has been trained.
  • Number of times: user filled in the information on this fake phishing page.
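The per-user and per-campaign numbers listed above, computed from a log of simulation events, as an added example; this is not the blog's framework, and the event format (user, campaign, kind) with kinds sent / clicked / submitted / trained is an assumption.

```python
"""Per-user and per-campaign statistics for a phishing-awareness exercise
of the kind sketched above: simulated lures, a decoy page that logs clicks
and form submissions, and a training step. Added example; the event format
is an assumption, not the blog's framework."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class UserStats:
    tested: int = 0        # lures sent to this user
    clicked: int = 0       # times the user followed a lure link
    submitted: int = 0     # times the user filled in the decoy form
    trained: int = 0       # training sessions completed
    clicks_since_training: int = 0

    @property
    def click_rate(self):
        return self.clicked / self.tested if self.tested else 0.0

    def needs_training(self):
        """Anyone who has fallen for a lure since their last training."""
        return self.clicks_since_training > 0


def user_stats(events):
    """events: chronologically ordered (user, campaign, kind) tuples where
    kind is one of sent / clicked / submitted / trained."""
    stats = defaultdict(UserStats)
    for user, _campaign, kind in events:
        s = stats[user]
        if kind == "sent":
            s.tested += 1
        elif kind == "clicked":
            s.clicked += 1
            s.clicks_since_training += 1
        elif kind == "submitted":
            s.submitted += 1
        elif kind == "trained":
            s.trained += 1
            s.clicks_since_training = 0
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return dict(stats)


def campaign_click_rates(events):
    """Fraction of recipients who clicked, per campaign, to compare how lure
    wording or link style changes behaviour (one of the questions above)."""
    sent, clicked = defaultdict(set), defaultdict(set)
    for user, campaign, kind in events:
        if kind == "sent":
            sent[campaign].add(user)
        elif kind == "clicked":
            clicked[campaign].add(user)
    return {c: len(clicked[c]) / len(sent[c]) for c in sent}


# Constructed event log: two campaigns, three users.
EVENTS = [
    ("alice", "c1", "sent"), ("alice", "c1", "clicked"),
    ("alice", "c1", "submitted"), ("alice", "c1", "trained"),
    ("bob", "c1", "sent"), ("carol", "c1", "sent"),
    ("alice", "c2", "sent"), ("bob", "c2", "sent"), ("bob", "c2", "clicked"),
    ("carol", "c2", "sent"), ("carol", "c2", "clicked"), ("carol", "c2", "clicked"),
]

if __name__ == "__main__":
    for user, s in sorted(user_stats(EVENTS).items()):
        print(user, s, "needs training" if s.needs_training() else "ok")
    print(campaign_click_rates(EVENTS))
```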



Though testing the users is the primary step in understanding their knowledge of this domain, user education is more important, to ensure that users do not repeat errors and stay up to date on current phishing attacks and current techniques for recognizing phishing links and phishing sites. Although this may seem like an offensive technique, performing research on your own employees, it is not really offensive. It only ensures that user education is provided in an appropriate way, channelling users to the right pages so that they are not misdirected to the bad guy's site.


Warning: Please note that this article is not trying to tell you that you should Phish your own employees. Our intent is to help you provide proper training to your employees and test them with different cases, to ensure that they do not fall for phishing emails from the bad guys.


Thank you for choosing Phishing Analytics News!


Phishing a website to obtain usernames, passwords and other details is common, but phishing bank websites is not just about that: it gives the attacker complete access to the money in the victim's bank account. This alone has increased phishing attacks against banks. PayPal is one of the major targets of phishing attacks; even though PayPal is not a bank, it interacts directly with bank accounts and credit card merchants. The following is a PayPal phishing link sample [Source: Phishtank]:

http://klitoo.com/u765/paypal.com/cgi-bin/webscr?cmd=_personal&locale.x=en_US&_email=PP258&transaction.id=utf80f37a98b003d84e3d61680b05d8d291c0c71fce779f78c51be339c49445c49723a182a83



Here is how the above link looks when entered in a browser:


Why are bank sites targeted by phishing attacks?


As mentioned above, the bad guys get the victim's bank details directly, which include account number, username, password, credit card number, etc. With these the attacker can immediately:


  • Withdraw money from the banks.
  • Transfer money to other accounts across the world.
  • Pretty much empty everything in the bank and if possible leave it with negative balance.



Some call this identity theft, since someone else has stolen your online identity just by entering your username, password or account details. There are many organizations that fight against such account thefts. Most US banks also fight such attacks in several ways. One well-known way is to monitor the pattern of purchases or money transfers happening now and compare it with the account's activity pattern in the past. If the bank finds a mismatch in the pattern, or a large transaction taking place, it calls the account holder to confirm the transaction. There are many other ways to prevent bad stuff from happening, although the bad guys still find other ways to loot money.


How can someone prevent such phishing attacks?


User education is one major step in keeping users from falling into phishing traps. Some of these phishing sites are such exact copies of the original bank websites that anyone would fall into the trap. A Bank of America phishing sample is shown below. The following is a phishing website link that looks exactly like the Bank of America site:

http://74.86.153.208/~dreemeho/backups/1/bankofamerica.com/ssl/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin



The above link would take you to a page, as shown below:

Right now, Firefox browser alerts users of the malicious nature of the above listed link:




But if no one had detected this attack yet, imagine the victim's situation. This is where user education comes in handy! One must always check the validity of the domain name and the SSL certificate of a bank website, to determine whether the site is really who it says it is.
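The domain-name check described above, applied to the shape of the PayPal and Bank of America lure URLs on this page, as an added example that is not the blog's code: it flags a bank's name placed in the path or in a subdomain while the real host is an IP address or an unrelated domain, and a sign-in page served without TLS (so there is no certificate to check). The brand list and the sample URLs are assumptions and placeholders.

```python
"""Heuristics for the lure URLs shown on this page: a bank's name placed in
the path or a subdomain while the real host is an IP address or an
unrelated domain, and a login page with no TLS. Added example; the brand
list and sample URLs are assumptions and placeholders, not the blog's data."""
import ipaddress
from urllib.parse import urlparse

BRAND_DOMAINS = ("bankofamerica.com", "paypal.com", "discovercard.com", "citicards.com")


def registrable(host):
    """Naive registrable domain (last two labels); fine for the .com brands here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lure_indicators(url):
    """Return the reasons a URL should not be trusted as a bank sign-in page
    (an empty list means none of these heuristics fired)."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    base = registrable(host)
    path = f"{u.path}?{u.query}".lower()
    reasons = []
    if is_ip(host):
        reasons.append("host is a bare IP address")
    for brand in BRAND_DOMAINS:
        if base == brand:
            continue  # the brand really owns this host
        if brand in path:
            reasons.append(f"{brand} appears in the path, but the host is {host}")
        elif brand in host:
            reasons.append(f"{brand} is only a subdomain of {base}")
    if u.scheme != "https":
        reasons.append("no TLS, so there is no certificate to check the site's identity")
    return reasons


# Constructed URLs in the shape of the samples on this page (placeholder hosts).
SAMPLES = [
    "http://203.0.113.8/~acct/backups/1/bankofamerica.com/ssl/signon.php?section=signinpage",
    "http://hosting.example/u765/paypal.com/cgi-bin/webscr?cmd=_personal&locale.x=en_US",
    "http://www.bankofamerica.com.evil.example/signin",
    "https://www.bankofamerica.com/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", lure_indicators(url) or ["no indicators"])
```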


Hope you enjoyed reading our blog posting. We will start getting in depth into phishing research from the next posting onwards. Leave us feedback in the comments section, or email us at contact.fingers@ gmail.com. Thank you for choosing our blog!


Discover Bank has occasionally been a target of phishing attacks, like any other well-known bank. This is an email we received today:

Delivered-To: xxxxxxxxxxxxxxx@gmail.com
Received: by 10.114.180.12 with SMTP id c12cs488waf;
Sat, 30 Jan 2010 14:34:59 -0800 (PST)
Received: by 10.142.209.16 with SMTP id h16mr1118941wfg.83.1264890899049;
Sat, 30 Jan 2010 14:34:59 -0800 (PST)
Return-Path:
Received: from mail.facesllc.com (mail.facesllc.com [24.73.185.66])
by mx.google.com with ESMTP id 42si2594905pzk.37.2010.01.30.14.34.55;
Sat, 30 Jan 2010 14:34:59 -0800 (PST)
Received-SPF: unknown (google.com: domain of discover@email.discover.com uses a mechanism not recognized by this client. unknown mechanisms: )) client-ip=24.73.185.66;
Authentication-Results: mx.google.com; spf=permerror (google.com: domain of discover@email.discover.com uses a mechanism not recognized by this client. unknown mechanisms: )) smtp.mail=discover@email.discover.com
Received: from User ([192.168.0.1]) by mail.facesllc.com with Microsoft SMTPSVC(6.0.3790.3959);
Sat, 30 Jan 2010 16:34:54 -0600
Reply-To:
From: "Discover Bank"
Subject: Notification from Discover Bank
Date: Sat, 30 Jan 2010 14:34:56 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: discover@email.discover.com
Message-ID:
X-OriginalArrivalTime: 30 Jan 2010 22:34:55.0006 (UTC) FILETIME=[72023BE0:01CAA1FC] 



 
Dear Customer:

 

During our regualry scheduled account maintenance and verifications procedures,

we have detected a slight error regarding your Discover Bank.

This might be due to one of the following reasons:

1. A recent change in your personal information (i.e. address changing)

2. Submitting invalid information during the initial sign up process. 

4. Multiple failed logins in your personal account.

3. An inabillity to accurately verify your selected option of payment due
    to an internal error within our system. 

Please update and verify your information by clicking the following link:

https://www.discovercard.com/app/signin

*If you account information is not updated within 48 hours then your ability to access your account will be restricted.

We appreciate your support and thank you for your prompt attention to this matter. 

 

Sincerely,

Discover Bank

Online Customer Service

 

 



Copyright
The products, account packages, promotional offers and services described on this website may not apply to customers of International Personal Banking (IPB) or Global Executive Banking (GEB). IPB customers should visit the IPB Web site and GEB customers should visit the GEB Web site to obtain such information.

Copyright © 2010 Discover Bank, Member FDIC.
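The headers of the PayPal email earlier on this page and of this Discover email carry the same tells: a From domain that is a lookalike of the brand (paylpal.com) or is unrelated to the server that handed the message over (dbm.cl, facesllc.com), and an SPF result that never says pass. The following added example (not the blog's own tooling) reads those three things out of a raw message; the samples are constructed in the shape of the two emails, with placeholder hosts, and the brand list is an assumption.

```python
"""Triage the headers of a suspected phishing e-mail: which server really
handed it over, whether SPF vouched for the sender, and whether the sender
domain is a lookalike of a protected brand. Added example, modelled on the
PayPal and Discover headers on this page; not the blog's own tooling."""
import email
import re
from email.utils import parseaddr

BRANDS = ("paypal", "discover", "citicards")  # assumed list of protected brands

def levenshtein(a, b):
    """Edit distance, used to spot paylpal/paypal-style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Naive registrable domain (last two labels); assumed adequate for .com."""
    return ".".join(host.lower().split(".")[-2:])

def sender_domain(msg):
    """Domain of the From: address, e.g. 'paylpal.com'."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def spf_result(msg):
    """Result token of Received-SPF: pass, neutral, permerror, ..."""
    m = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else "none"

def handoff_host(msg):
    """Host in the topmost 'Received: from ...' line: the server that handed
    the message to our MX. Every Received: line below it can be forged."""
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([\w.-]+)", rcvd)
        if m:
            return m.group(1).lower()
    return ""

def triage(raw):
    """Return a list of human-readable warnings (empty means nothing fired)."""
    msg = email.message_from_string(raw)
    domain = sender_domain(msg)
    label = base_domain(domain).split(".")[0]
    warnings = []
    for brand in BRANDS:
        if 0 < levenshtein(label, brand) <= 2:
            warnings.append(f"sender domain {domain} is a lookalike of {brand}")
    if spf_result(msg) != "pass":
        warnings.append(f"SPF result is {spf_result(msg)}, sender not authenticated")
    relay = handoff_host(msg)
    if relay and base_domain(relay) != base_domain(domain):
        warnings.append(f"handed over by {relay}, unrelated to {domain}")
    return warnings

# Constructed samples in the shape of the two e-mails on this page; hosts and
# addresses are placeholders.
PAYPAL_LIKE = """\
Return-Path: <service1@paylpal.com>
Received: from mailhost.unrelated.example (mailhost.unrelated.example [203.0.113.5])
        by mx.example.com with ESMTP id 4si3032474yxe;
        Fri, 26 Feb 2010 12:18:17 -0800 (PST)
Received-SPF: neutral (example.com: 203.0.113.5 is neither permitted nor denied by best guess record for domain of service1@paylpal.com) client-ip=203.0.113.5;
From: "Pay Pal-Customer Service" <service1@paylpal.com>
Subject: Notification of Limited Account Access

(body omitted)
"""
DISCOVER_LIKE = """\
Received: from mail.smallbiz.example (mail.smallbiz.example [203.0.113.9])
        by mx.example.com with ESMTP id 42si2594905pzk;
        Sat, 30 Jan 2010 14:34:59 -0800 (PST)
Received-SPF: permerror (example.com: domain of discover@email.discover.com uses a mechanism not recognized by this client) client-ip=203.0.113.9;
From: "Discover Bank" <discover@email.discover.com>

(body omitted)
"""

if __name__ == "__main__":
    for name, raw in (("paypal-like", PAYPAL_LIKE), ("discover-like", DISCOVER_LIKE)):
        print(name, triage(raw))
```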

 

The following is how the email appears in your email account; the link can lead unsuspecting users to the phished website, as shown in the following image:

 

The link in the email redirects users to:
hxxp://developer.stormvision.com/notice.php 

The website content in the above link redirects its users using the code shown below: 

 

<HTML>
<HEAD><meta http-equiv="Refresh" content="0; URL
=http://portal.kuantanport.com.my/pma/config/www.discovercard.com/
"> </HEAD>
</HTML>
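The redirect above is a meta refresh whose URL is split across lines, which is enough to confuse a naive grep. The following added example (not code from the blog) extracts the target from a saved copy of such a page and follows a chain of meta-refresh hops entirely offline, so the landing URL can be read without fetching the phishing site; the sample page is a constructed stand-in with placeholder hosts.

```python
"""Extract the target of a <meta http-equiv="Refresh"> redirect from a saved
page and follow a chain of such redirects offline, so the final landing URL
can be read without ever fetching the phishing site. Added example, not
code from the blog."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# "0; URL=http://..." in any case, with optional quotes and stray whitespace
# or line breaks around the URL (the phisher's page above splits it over lines)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?\s*([^'\"\s]+)", re.IGNORECASE)


class MetaRefreshFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH_URL.search(a.get("content", ""))
        if m:
            self.targets.append(m.group(1))


def meta_refresh_target(html, base_url=None):
    """First meta-refresh target in the page, resolved against base_url when
    given; None if the page has no such redirect."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    if not finder.targets:
        return None
    return urljoin(base_url, finder.targets[0]) if base_url else finder.targets[0]


def follow_chain(start_url, saved_pages, limit=5):
    """Walk meta-refresh hops through a dict of url -> saved HTML (an offline
    stand-in for fetching) and return the list of URLs visited."""
    chain = [start_url]
    while len(chain) <= limit:
        html = saved_pages.get(chain[-1])
        nxt = meta_refresh_target(html, chain[-1]) if html is not None else None
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain


# Constructed stand-in for the notice.php page quoted above; the hosts are
# placeholders, the layout (URL split across lines) is kept.
NOTICE_PAGE = """<HTML>
<HEAD><meta http-equiv="Refresh" content="0; URL
=http://landing.example/pma/config/www.discovercard.com/
"> </HEAD>
</HTML>"""
SAVED = {"http://relay.example/notice.php": NOTICE_PAGE}

if __name__ == "__main__":
    print(follow_chain("http://relay.example/notice.php", SAVED))
```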

 

From the above code, hxxp://portal.kuantanport.com.my/pma/config/www.discovercard.com/ is the phishing link that takes you to the phishing site. When I tried to file this on the Phishtank portal, it already had this phishing link, submitted Jan 30th 2010 8:52 PM by cybercrime, and it showed the following snapshot of the phished site:

 

[Source: Phishtank]

We just thought of helping our readers understand how these phishing websites look so real that anyone and everyone would be inclined to trust such sites. Speaking of trust, we have released a post on our Human Analytics blog, “Trust – Should it exist?”. Do check it out when you get a chance! Thank you for choosing our blog. Hoping to catch up with more research soon!

 


Received yet another phishing email, this one impersonating WebMD LLC, with the following content:



The original source of this email is as listed below:

Delivered-To: SOMEONE@gmail.com
Received: by 10.220.91.148 with SMTP id n20cs1339vcm;
Wed, 27 Jan 2010 11:37:30 -0800 (PST)
Received: by 10.223.132.197 with SMTP id c5mr4559856fat.35.1264621049506;
Wed, 27 Jan 2010 11:37:29 -0800 (PST)
Return-Path:
Received: from c4-host89.eso-es.net (c4-host89.eso-es.net [88.255.57.89])
by mx.google.com with SMTP id 23si483204fxm.58.2010.01.27.11.37.28;
Wed, 27 Jan 2010 11:37:29 -0800 (PST)
Received-SPF: neutral (google.com: 88.255.57.89 is neither permitted nor denied by domain of SOMEONE@gmail.com) client-ip=88.255.57.89;
Authentication-Results: mx.google.com; spf=neutral (google.com: 88.255.57.89 is neither permitted nor denied by domain of SOMEONE@gmail.com) smtp.mail=SOMEONE@gmail.com
Date: Wed, 27 Jan 2010 11:37:29 -0800 (PST)
X-Originating-IP: [56.92.701.571]
X-Originating-Email: [SOMEONE@gmail.com]
X-Sender: SOMEONE@gmail.com
Return-Path: SOMEONE@gmail.com
Message-Id: <5ba9f01ca9f98$ebca9cd0$5939ff58@SEVKIYAT>
From: � VIAGRA � Official Site
To: SOMEONE@gmail.com
Subject: For SOMEONE Sale ID 58724
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Welcome to WebMD

Welcome to WebMD
27.1.2010
New from WebMD: Dear SOMEONE@gmail.com Sign-up today!
You are subscribed as SOMEONE@gmail.com.

View and manage your WebMD newsletter preferences.

Subscribe to more newsletters. Change/update your email address.

WebMD Privacy Policy
WebMD Office of Privacy
1175 Peachtree Street, Suite 2400, Atlanta, GA 30361
2010 WebMD, LLC. All rights reserved.



The following is a snapshot of the phished site, which looks just like the Canadian Pharmacy [WebMD LLC] official Viagra site:



Clicking on “Sign-up today” in the above image would take you to hxxp://gmn.beforefull.ru/. McAfee SiteAdvisor gave the following in response to beforefull.ru:


The following is what you could see in the McAfee analysis section:





However the “User Review” gives more info, as shown below:





Thank you for following our blog!



Powered by Wordpress
Theme © 2005 - 2009 FrederikM.de
BlueMod is a modification of the blueblog_DE Theme by Oliver Wunder