Monday, June 18, 2012

How to spot a Professional Phisherman.

You've seen it in the latest headlines:

"Phishing Attacks Cost Millions"

"Increase In Successful Phishing Attacks Expected"

"Phishing Attacks Still Successful, We're Still Gullible"

Phishing attempts to acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity (for example, by impersonating a password reset e-mail and web site from PayPal). These phishing attacks build on brand recognition to steal vital information from customers or users: the more time and money spent building a brand, the more valuable that brand is to a phisher. So the attacks hit where it hurts most, instantly eroding consumer trust in a recognized company.

Should I trust that email?

An email from PayPal will: Address you by your first and last names or your business name
An email from PayPal won't: Ask you for sensitive information like your password, bank account, or credit card

CSO defines phishing as:
"Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Typically, a phisher sends an e-mail disguised as a legitimate business request.

For example, the phisher may pass himself off as a real bank asking its customers to verify financial data. (So phishing is a form of "social engineering".) The e-mail is often forged so that it appears to come from a real e-mail address used for legitimate company business, and it usually includes a link to a website that looks exactly like the bank's website. However, the site is bogus, and when the victim types in passwords or other sensitive information, that data is captured by the phisher. The information may be used to commit various forms of fraud and identity theft, ranging from compromising a single existing bank account to setting up multiple new ones."

"Early phishing attempts were crude, with telltale misspellings and poor grammar. Since then, however, phishing e-mails have become remarkably sophisticated. Phishers may pull language straight from official company correspondence and take pains to avoid typos. The fake sites may be near-replicas of the sites phishers are spoofing, containing the company's logo and other images and fake status bars that give the site the appearance of security. Phishers may register plausible-looking domains like aolaccountupdate.com, mycitibank.net or paypa1.com (using the number 1 instead of the letter L). They may even direct their victims to a well-known company's actual website and then collect their personal data through a faux pop-up window."

What makes a successful phishing attack?
For a phishing attack to be successful, it must use one or more methods to trick the victim into interacting with the attacker's server and/or the page content it supplies. There are an ever increasing number of ways to do this. The most common methods are explained in detail below, and include:
  •     Man-in-the-middle Attacks
  •     URL Obfuscation Attacks
  •     Cross-site Scripting Attacks

 Man-in-the-middle Attacks:

This form of attack works against both HTTP and HTTPS communications. The victim connects to the attacker's server as if it were the real site, while the attacker's server makes a simultaneous connection to the real site. The attacker's server then proxies all communications between the victim and the real web-based application server, typically in real time.
In the case of secure HTTPS communications, an SSL connection is established between the victim and the attacker's proxy (hence the attacker's system can record all traffic in an unencrypted state), while the attacker's proxy creates its own SSL connection between itself and the real server. The browser's certificate check is what stands in the way here: the proxy cannot present a certificate that is valid for the real site's name, so the victim must click through a certificate warning or be directed to a look-alike name the proxy does hold a certificate for.
For man-in-the-middle attacks to be successful, the attacker must be able to direct the victim to their proxy server instead of the real server. This may be carried out through a number of methods:
  •     Transparent Proxies
  •     DNS Cache Poisoning
  •     URL Obfuscation
  •     Browser Proxy Configuration
Transparent Proxies
In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server. The proxy server evaluates the request and fetches the resource on the client's behalf. A transparent proxy is one the victim does not see or configure; it can sit in the path of HTTP or HTTPS traffic.

DNS Cache Poisoning
Normally, a networked computer uses a DNS server provided by the computer user's organization or an Internet service provider (ISP). DNS servers are generally deployed in an organization's network to improve resolution response performance by caching previously obtained query results. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server or indirectly by its downstream server(s) if applicable.
To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they come from an authoritative source (for example by using DNSSEC), the server will end up caching the incorrect entries locally and serving them to other users that make the same request.
This technique can be used to direct users of a website to another site of the attacker's choosing. For example, an attacker spoofs the DNS entries (the IP addresses) for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates files on the server he controls with names matching those on the target server. These files could contain malicious content, such as a computer worm or a computer virus. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content coming from a non-authentic server and unknowingly download malicious content.

Browser Proxy Configuration
By overriding the victim's web browser setup and setting proxy configuration options, an attacker can force all web traffic through their nominated proxy server. This method is not transparent to the victim: the offending proxy server can easily be identified by reviewing the web browser's connection settings.
In many cases the browser proxy configuration changes that set up the attack will have been made in advance of receipt of the phishing message.
An example snippet (VBScript using the WMI StdRegProv class) that writes these settings into the current user's registry hive. These are the same values an administrator sets to point a browser at a corporate proxy, which is why a defender should know where they live:

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"

' ProxyEnable = 1 switches the manual proxy on
strValueName = "ProxyEnable"
dwValue = 1
objRegistry.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

'
' Place your company proxy information and port number here
'
strValueName = "ProxyServer"
strValue = "http=my.intranetproxy.proxy.com:8080;https=my.intranetproxy.proxy.com:8080;ftp=my.intranetproxy.proxy.com:8080;gopher=my.intranetproxy.proxy.com:8080;"
objRegistry.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

'
' This section sets the proxy override (bypass) list; separate entries with semicolons.
'
strValueName = "ProxyOverride"
strValue = ";*.myintranet.com"   ' <-- change me
objRegistry.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

'
' This section changes the start ("home") page in Internet Explorer.
'
strKeyPath = "SOFTWARE\Microsoft\Internet Explorer\Main"
strValueName = "Start Page"
strValue = "http://myintranet.site.com"   ' <-- change me
objRegistry.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

' Finally run kill_ie.bat from system32 (referenced here but not shown in this post)
' with a hidden window, waiting for it to finish.
Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
bat_file = WSHShell.ExpandEnvironmentStrings("%systemroot%\system32\")
bat_file2 = "kill_ie.bat"
cmd_bat = bat_file & bat_file2
' Info = MsgBox("bat_file = " & bat_file & " " & cmd_bat)
WSHShell.Run cmd_bat, 0, True
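The defender's side of the same settings, as an added example that is not from the original post: a Python audit that parses the ProxyServer string format the snippet above writes and flags values that do not match what the organisation actually deploys. The approved proxy, override and start-page values are assumptions, the sample dict is constructed, and read_live_settings() only works on Windows.

```python
SAMPLE_SETTINGS = {  # constructed sample, not read from a real host: the https proxy was redirected
    'ProxyEnable': 1, 'ProxyServer': 'http=my.intranetproxy.proxy.com:8080;https=203.0.113.5:8080;',
    'ProxyOverride': ';*.myintranet.com', 'Start Page': 'http://myintranet.site.com'}
IE_SETTINGS_KEY = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
IE_MAIN_KEY = r'SOFTWARE\Microsoft\Internet Explorer\Main'

def parse_proxy_server(value):
    """Parse ProxyServer: either 'host:port' (one proxy for every protocol) or the
    'http=host:port;https=host:port;...' form that the snippet above writes."""
    value = value.strip().rstrip(';')
    if '=' not in value:
        return {'*': value} if value else {}
    proxies = {}
    for item in value.split(';'):
        proto, _, hostport = item.partition('=')
        if hostport:
            proxies[proto.strip().lower()] = hostport.strip()
    return proxies

def audit_proxy_settings(values, approved_proxies, approved_overrides, approved_home):
    """Compare one user's values (registry value name -> data) with what the organisation
    deploys; returns a list of findings, empty when everything matches."""
    findings = []
    if int(values.get('ProxyEnable', 0)) == 1:
        for proto, hostport in parse_proxy_server(str(values.get('ProxyServer', ''))).items():
            if hostport not in approved_proxies:
                findings.append('unexpected %s proxy: %s' % (proto, hostport))
    for pattern in str(values.get('ProxyOverride', '')).split(';'):
        pattern = pattern.strip()
        if pattern and pattern not in approved_overrides:
            findings.append('unexpected proxy bypass: ' + pattern)
    home = str(values.get('Start Page', ''))
    if home and home != approved_home:
        findings.append('start page changed to ' + home)
    return findings

def read_live_settings():
    """Read the same values from HKCU on a Windows host (winreg exists only there)."""
    import winreg
    values = {}
    for key_path, names in ((IE_SETTINGS_KEY, ('ProxyEnable', 'ProxyServer', 'ProxyOverride')),
                            (IE_MAIN_KEY, ('Start Page',))):
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            for name in names:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass
    return values
```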

URL Obfuscation

URLs can be obscured in at least three ways:
  •     Meaningless or deceptive text can be added after "http://" and before an "@" symbol; the browser treats everything before the "@" as a username and connects to the host that follows it.
  •     The domain name can be expressed as an IP address in dotted-decimal, dword, octal or hexadecimal format, and all of these formats have variants.
  •     Characters in the URL can be expressed as percent-encoded hexadecimal (base 16) numbers.
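An added example, not part of the original post: a Python normaliser that undoes all three tricks, so a mail filter or an analyst sees the host the browser will actually connect to. It covers IPv4 and hostname authorities only (no IPv6 literals), and the function and field names are this example's own.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

_NUMERIC_PART = re.compile(r'0x[0-9a-f]+|[0-9]+')

def _part_value(part):
    # inet_aton rules: 0x.. is hex, a leading 0 means octal, otherwise decimal
    if part.startswith('0x'):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith('0'):
        return int(part, 8)
    return int(part, 10)

def decode_host(host):
    """Rewrite a dword, octal, hex or short-form IPv4 host as dotted decimal.
    Anything that is not purely numeric is treated as a hostname and only lowercased."""
    host = host.lower().rstrip('.')
    parts = host.split('.')
    if len(parts) > 4 or not all(_NUMERIC_PART.fullmatch(p) for p in parts):
        return host
    nums = [_part_value(p) for p in parts]
    tail_bits = 8 * (5 - len(nums))   # the last part fills every byte not given explicitly
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 1 << tail_bits:
        raise ValueError('numeric host out of range: ' + host)
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return str(ipaddress.IPv4Address((value << tail_bits) | nums[-1]))

def normalize_url(url):
    """Return where the URL really points, plus the obfuscation tricks seen on the way."""
    parts = urlsplit(url.strip())
    netloc, reasons = unquote(parts.netloc), []
    if '%' in parts.netloc:
        reasons.append('percent-encoded authority')
    if '@' in netloc:   # everything before the last '@' is userinfo, not the host
        decoy, netloc = netloc.rsplit('@', 1)
        reasons.append('decoy before @: ' + decoy)
    raw_host, _, port = netloc.partition(':')   # IPv4 or hostname authorities only
    host = decode_host(raw_host)
    if host != raw_host.lower():
        reasons.append('host %s resolves as %s' % (raw_host, host))
    return {'scheme': parts.scheme.lower(), 'host': host, 'port': port or None,
            'path': unquote(parts.path) or '/', 'reasons': reasons}
```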

Cross-site Scripting Attacks

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

"Even today, Web server administrators irresponsibly dismiss Web-borne malware as non-malicious attacks, while thousand of their Web site visitors are put at risk. An estimated 450,000 URLs point to malicious Web sites hosting malware on the Internet. That’s nearly half-a-million hidden landmines that casual users and even advanced users can’t spot on their own."
To really understand what's going on with XSS, you have to consider injection into the hierarchical structure of the HTML DOM. Given a place to insert data into an HTML document (that is, a place where a developer has allowed untrusted data to be included in the DOM), there are two ways to inject code: 

Injecting UP
    The most common way is to close the current context and start a new code context. For example, this is what you do when you close an HTML attribute with a "> and start a new tag. A closing </script> tag may be able to terminate a script block even if it is injected inside a quoted string inside a method call inside the script. This happens because the HTML parser runs before the JavaScript parser.

Injecting DOWN
    The less common way to perform XSS injection is to introduce a code subcontext without closing the current context. For example, if the attacker is able to change the value of an image's src attribute so that the tag becomes <img src="javascript:alert(document.cookie)" />, they do not have to break out of the HTML attribute context. Instead, they introduce a subcontext that allows scripting within the src attribute (in this case a javascript: URL; modern browsers no longer run script from an img src, but the same pattern applies to any attribute that accepts a URL, such as href). Another example is the expression() functionality in CSS properties (Internet Explorer only). Even though you may not be able to escape a quoted CSS property to inject up, you may be able to introduce something like xss:expression(document.write(document.cookie)) without ever leaving the current context.
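An added example, not from the original post or from OWASP: output encoding in Python that defends against both directions. Quotes and angle brackets are encoded so an attribute cannot be closed (injecting up), and URL attributes are checked against a scheme allowlist so a javascript: URL cannot be smuggled in (injecting down). ALLOWED_URL_SCHEMES and the helper names are this example's own choices.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_URL_SCHEMES = {'', 'http', 'https', 'mailto'}   # '' means a relative URL

def attr_encode(value):
    """Encode untrusted text for a double-quoted HTML attribute. Blocks injecting UP:
    the quote and the angle brackets become entities, so the attribute cannot be closed
    and no new tag (including </script>) can be started from inside it."""
    return html.escape(str(value), quote=True)

def url_attr(value):
    """Encode untrusted text for a URL attribute (src, href). Blocks injecting DOWN:
    the scheme is checked against an allowlist before attribute-encoding, so a
    javascript: URL is rejected even though it never closes the attribute.
    Returns None when the URL is rejected."""
    # Browsers drop leading/trailing controls and spaces, and tab/newline anywhere,
    # before parsing a URL, so "java\tscript:" is still javascript:. Clean the same way.
    cleaned = re.sub(r'^[\x00-\x20]+|[\x00-\x20]+$', '', str(value))
    cleaned = re.sub(r'[\t\n\r]', '', cleaned)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:          # malformed authority (unbalanced brackets): reject
        return None
    if scheme not in ALLOWED_URL_SCHEMES:
        return None
    return html.escape(cleaned, quote=True)

def render_img(src, alt):
    """Build an <img> tag from untrusted src and alt; a rejected src is dropped entirely."""
    safe_src = url_attr(src)
    src_part = '' if safe_src is None else ' src="%s"' % safe_src
    return '<img%s alt="%s" />' % (src_part, attr_encode(alt))
```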
