
Phishing (fraudulent) programs steal your passwords
Recently, cases of system users having their passwords extracted from them have become more frequent. This is due to the spread of fake programs: "uCoz - Administrator", "Ucoz Agent", and perhaps other similar ones. Their interfaces can be seen in the pictures in this post.
As you can easily see, the windows of these "programs" ask you to enter a password and a secret answer. I have to remind you once again that you should not enter such data anywhere. Today there are no programs, utilities, add-ons, etc. that we have released, nor any genuine products from third-party developers. And even if there were, they certainly would not ask for every password you might have, and they would most certainly never ask for your secret answer.
Before installing a program, and even more so before entering any password into it, you need to verify its source. As a precaution, look for information about the product on the company's official website; such a site will, of course, not be hosted on third-party domains such as http://uagent.nm.ru/, http://nucoz.tk/, etc. The file should likewise be downloaded from the official site, not from file-sharing services or third-party servers.
This logic applies, of course, not only to programs related to uCoz but to any other. Most often, passwords are phished to gain access to mail services, online games and payment systems.
We, for our part, are fighting such phenomena, but only you can really protect yourself. I also recommend reading the material on phishing, if you have not done so before, as well as the other materials on security issues.
If you have been swindled out of your password, you should contact our complaint resolution service.
Select the topic "Password theft" in the feedback form. Before you write, calm down internally. Remind yourself that it was you who lost your password in one way or another, and that neither the system nor the person who will read your message is to blame, so unnecessary emotions must be discarded. Be patient, the proceedings will take some time, and state your problem to the point. Do not forget to indicate which account is in question, and whatever evidence you can think of that you are the owner of the account. Most likely, you will be asked a series of questions that will need to be answered.

Phishing is a very common threat. An email with a link to a malicious site or with a malicious attachment surprises no one any more, and the rise of ransomware has only added fuel to the fire.

Technical anti-phishing measures such as mail and web traffic filtering and analysis, restricting the software environment, and blocking the execution of attachments are very effective, but they cannot withstand new threats and, more importantly, cannot withstand human curiosity and laziness. There have been cases when a user, unable to open or launch malicious content at the workplace, forwarded it to their home computer and launched it there, with all the consequences...

Therefore, no matter how solid a technical protection system we build, we should not forget about the main link in the entire chain: the user, and their training.

Periodic briefings and information mailings are an important component of staff training, but, as practice shows, their effectiveness is much lower than that of letting employees learn from their own mistakes.

What the system will do:

  1. Send phishing emails to users;
  2. When the user clicks the link in the body of the letter, notify them of their error by redirecting to a web site with a training page;
  3. Keep statistics on inattentive users.

Sending the emails

The user's name in the greeting is taken from the mailbox name. The letter is deliberately written so that the user has an opportunity to find it suspicious. After several trainings, the complexity of the letters can be increased.

The link to the phishing site, http://phishingsite-327.com/p/ [email protected], varies with the username. In this way we pass information about the user to the site and can keep records.

Creating the training page

Our task is not to accuse the user of a violation but to explain what the threat of phishing attacks is, show where they made mistakes and give a simple guide for the future. Therefore the information page contains a detailed analysis of their actions:

The training page is hosted on the organization's web server and includes PHP code for statistics.

On the organization's local DNS servers, we set up a CNAME record pointing to our web server so that the link looks more like a malicious one, for example: http://phishingsite-327.com/

If we want to detect that the malicious link is opened from outside the workplace (for example, when an employee forwards the letter to their personal mail), we will have to use a real address on the Internet, or else catch the fact of forwarding to an external address with the available protection and administration tools.

After a while, we analyze a report listing the users who followed the phishing link. In our case, the PHP script saves the time, the e-mail address and the IP address of the host from which the site was accessed to a CSV file.

The report helps to assess the level of staff training and to identify weak links. And when conducting periodic checks (monthly or quarterly), you can:

  1. Build a staff readiness curve against phishing attacks and use it as one of the quantitative indicators of infrastructure security;
  2. Identify users who regularly make the same mistakes, in order to apply other educational measures to them.
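The periodic analysis just described, as an added example that is not the article's own PHP script: it reads the time/e-mail/IP CSV the training page writes, turns raw clicks into a per-mailing click rate (the readiness-curve points), lists repeat clickers, and flags clicks that came from outside the corporate network. The CSV layout, the one-mailing-per-month grouping, the recipient lists and the 10.0.0.0/8 corporate range are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of the CSV that the training page appends to (time,email,ip).
SAMPLE_LOG = """time,email,ip
2017-02-06T09:12:41,ivanov@corp.example,10.1.4.22
2017-02-06T09:40:03,petrova@corp.example,10.1.7.90
2017-02-06T09:41:10,petrova@corp.example,10.1.7.90
2017-02-07T21:05:55,sidorov@corp.example,203.0.113.45
2017-05-15T10:02:17,ivanov@corp.example,10.1.4.22
2017-05-15T11:30:00,kuznetsov@corp.example,10.2.0.14
"""

# Constructed recipient lists per mailing; without them a click count cannot become a rate.
RECIPIENTS = {
    "2017-02": {"ivanov@corp.example", "petrova@corp.example",
                "sidorov@corp.example", "orlova@corp.example"},
    "2017-05": {"ivanov@corp.example", "petrova@corp.example",
                "sidorov@corp.example", "kuznetsov@corp.example"},
}

# Assumed corporate address range; anything else means the letter left the organisation.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_log(text):
    """Parse the CSV into records; a mailing is identified by its calendar month (assumption)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(r["time"])
        rows.append({
            "time": ts,
            "campaign": ts.strftime("%Y-%m"),
            "email": r["email"].strip().lower(),
            "ip": ipaddress.ip_address(r["ip"].strip()),
        })
    return rows


def click_rates(rows, recipients):
    """Unique clickers divided by recipients, per mailing: one point of the readiness curve."""
    clicked = defaultdict(set)
    for r in rows:
        clicked[r["campaign"]].add(r["email"])
    return {c: round(len(clicked[c] & recipients[c]) / len(recipients[c]), 2)
            for c in sorted(recipients)}


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns different mailings."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["email"]].add(r["campaign"])
    return sorted(e for e, c in seen.items() if len(c) >= min_campaigns)


def offsite_clicks(rows, corp_net=CORP_NET):
    """Clicks from outside the corporate range, i.e. the letter was probably forwarded out."""
    return [(r["email"], str(r["ip"])) for r in rows if r["ip"] not in corp_net]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("click rate per mailing:", click_rates(records, RECIPIENTS))
    print("repeat clickers:", repeat_clickers(records))
    print("off-site clicks:", offsite_clicks(records))
```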

Implementation experience

  • Training of IT staff
    Before the mailing, IT staff should be warned and told how to respond to user queries about a strange letter. But before that, test them yourself. If IT staff prove inattentive, do not limit yourself to recommendations, since such negligence can later prove extremely costly for the infrastructure.
  • Preparing management
    The organization's management should be warned about the planned testing, or the test should even be formalized by an internal order. A user, depending on position and personal qualities, can react very unpredictably upon realizing that they violated the IS requirements and were "misled". Documentary backing and management support for the information security service will not be superfluous.
  • Target selection
    With a mass mailing to all employees, word of mouth will significantly spoil the objectivity of the final assessment. It is better to test in parts, not forgetting to change the text of the letter.
The first results of such training can be quite surprising and even frustrating, because they give more objective information about the readiness of the staff than the signatures in the briefing logs.
The effectiveness of this measure is very high, and conducting the training on a regular basis can significantly increase the preparedness and vigilance of the staff.

Alexey Komarov

The threats that arose with the advent of phishing required the introduction of adequate protection measures. This article considers both already widespread methods of countering phishing and new, effective ones. The division is rather conditional: we will classify the well-known methods (known to the attackers themselves as well) as traditional and analyze their effectiveness in the first part of the article. According to the APWG report, 47,324 phishing sites were identified in the first half of 2008. The same report also gives the average losses of users and companies from the operation of a phishing site: at least $300 per hour. Simple multiplication leads to the conclusion that this kind of black business is highly profitable.

Modern phishing

The word "phishing" is formed from the English words "password" and "fishing". The purpose of this type of Internet fraud is to lure the user to a fake site in order to steal their personal information or, for example, to infect the computer of the user redirected to the fake site with a Trojan. An infected computer can be actively used in botnets to send spam, organize DDoS attacks, and collect user data and send it to an attacker. The range of uses for the information "harvested" from the user is quite wide.

Phishing mechanisms

The main attack vector of phishing is aimed at the weakest link in any modern security system: the person. A bank client does not always know exactly which address is correct: mybank.account.com or account.mybank.com? Attackers can also use the fact that in some fonts an uppercase I and a lowercase l look the same (I = l). Such methods make it possible to deceive a person with a link in an email that looks like a real one, and even hovering the mouse cursor over the link (in order to see the real address) does not help. Attackers have other means in their arsenal, from the banal substitution of a real address with a fake one in the local hosts database (in Windows XP, for example, editing the hosts file is enough) to pharming. Another type of fraud is the substitution of a web page locally, on the fly: a special Trojan that has infected the user's computer can add fields to the page displayed by the browser that are not on the original page, for example a credit card number. Of course, to carry out such an attack successfully, one needs to know which bank or payment system the victim uses. That is why thematic databases of e-mail addresses are very popular and are a liquid commodity on the black market. Phishers who do not want to incur additional costs simply direct their attacks at the most popular services (auctions, payment systems, large banks) in the hope that a random recipient of a spam email has an account there. Unfortunately, the attackers' hopes are often justified.
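A defender-side check for the URL tricks just described (a brand name placed under someone else's domain like mybank.account.com, look-alike characters such as I for l), extended to two further phishing-site traits, a bare IP address as host and a non-standard port. This is an added example, not from the article; the legitimate domains mybank.com and onlinebank.com and the confusable-character map are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: the organisation's real registrable domains and the brand words to watch for.
LEGIT_DOMAINS = {"mybank.com", "onlinebank.com"}
BRAND_WORDS = {"mybank", "onlinebank"}

# Characters that look alike in many fonts, folded to one representative (applied after lowercasing).
_FOLD = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})


def fold(s):
    """Lowercase and fold confusables so 'onIinebank' and 'onlinebank' compare equal."""
    return s.lower().translate(_FOLD)


def registrable_domain(host):
    """Last two labels of the host. Simplification: ignores multi-label public suffixes (co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyse(url):
    """Return a list of findings; an empty list means the URL points at a legitimate domain."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    if is_ip_literal(host):
        findings.append("host is a bare IP address instead of a name")
    else:
        reg = registrable_domain(host)
        if reg not in LEGIT_DOMAINS:
            folded_legit = {fold(d) for d in LEGIT_DOMAINS}
            if fold(reg) in folded_legit:
                # oniinebank.com: same as a real domain once confusables are folded
                findings.append(f"look-alike characters: {reg} imitates a legitimate domain")
            elif any(fold(b) in fold(host) for b in BRAND_WORDS):
                # mybank.account.com or mybank-validate.info: brand name under an unrelated domain
                findings.append(f"brand name inside unrelated domain {reg}")

    try:
        port = parts.port
    except ValueError:  # malformed port string
        port = None
    if port not in (None, 80, 443):
        findings.append(f"non-standard port {port}")
    return findings


if __name__ == "__main__":
    for u in ("http://account.mybank.com/login", "http://mybank.account.com/login",
              "http://www.onIinebank.com/", "http://198.51.100.7/mybank/", "mybank.com:8080/"):
        print(u, "->", analyse(u) or "ok")
```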

Traditional methods of countering phishing attacks

Unique site design

The essence of this method is as follows: a client, for example of a bank, selects one of the proposed images when concluding the agreement. From then on, this image is shown to them whenever they enter the bank's website. If the user does not see it, or sees a different one, they must leave the fake site and immediately report this to the security service. It is assumed that attackers who were not present at the signing of the contract will a priori be unable to guess the correct image and deceive the client. In practice, however, this method does not stand up to criticism. Firstly, in order to show the user their picture, the user must first be identified, for example by the login entered on the first page of the bank's website. It is not difficult for an attacker to prepare a fake site that captures this information and then shows the user a simulated communication error. Now it is enough to contact the real server, enter the stolen login and note the correct image.

Another option is to give the client a fake warning about the expiration of their image and prompt them to select a new one...

One Time Passwords

Classic passwords are reusable: the user enters the same password every time they go through the authentication procedure, sometimes without changing it for years. Once intercepted by an attacker, such a password can be used repeatedly without the owner's knowledge.

Unlike a classic password, a one-time password is used only once: with each access request, the user enters a new password. For this, in particular, special plastic cards with a scratch-off protective layer are used. Each time, the bank client scratches off the next strip and enters the one-time password required. In total, about 100 passwords fit on a standard-sized card, which, with intensive use of remote banking services, requires regular replacement of the medium. More convenient, but more expensive, are special devices: one-time password generators. Basically, two types of generation are distinguished: time-based, where the current one-time password is displayed on the screen and changes periodically (for example, once every two minutes); and event-based, where a new value is generated each time the user presses the device button.

Although more secure than classic password authentication, this method still leaves the attacker some chance of success. For example, one-time password authentication is not immune to a man-in-the-middle attack. Its essence is "wedging" into the information exchange between the user and the server, with the attacker posing as the server to the user and as the user to the server. All information from the user, including the one-time password entered, is forwarded to the server, but now on the attacker's behalf. The server, having received the correct password, grants access to the confidential information. Without arousing suspicion, the attacker can let the user work, for example, with their account, relaying all information between the user and the server, but when the user ends the session, keep the connection to the server open and make the desired transactions, supposedly on the user's behalf.

So as not to waste time waiting for the end of the user session, an attacker can simply simulate a communication error and prevent the legitimate user from working with the account. Depending on the generation method used, the intercepted one-time password will be valid either for a short time or only for the first session, but in either case this gives the attacker the opportunity to steal the user's data or money.

In practice, authentication using one-time passwords is rarely used by itself; to increase security, a secure connection is established even before authentication, for example, using the SSL protocol.

One-way authentication

The use of the Secure Sockets Layer (SSL) protocol ensures secure communication between the web server and users. Although the protocol allows authentication not only of the server but also of the user, in practice only one-way authentication is most often used. To establish an SSL connection, the server must have a digital certificate used for authentication. The certificate is usually issued and signed by a trusted third party, a certification authority (CA). The role of the CA is to authenticate the web sites of various companies, so that users, by "trusting" a single certification authority, are automatically able to authenticate every site whose owner obtained a certificate from the same CA.

The list of trusted certification authorities is usually stored in the operating system registry or in the browser settings. It is these lists that the attacker targets: by issuing a phishing site a certificate from a fake certification authority and adding this CA to the trusted list, an attack can be carried out without arousing any suspicion in the user.

Of course, this method requires more actions from the phisher and, accordingly, more costs, but users, unfortunately, often help steal their own data, not wanting to understand the intricacies of digital certificates. Out of habit or incompetence, we often click the "Yes" button without really reading the browser message about the lack of trust in the organization that issued the certificate.

Incidentally, some SSL traffic inspection tools use a very similar method. The fact is that there have recently been more cases of sites infected with Trojans, and the Trojans themselves, using SSL in order to bypass gateway traffic filtering systems, since neither an anti-virus engine nor a data leakage protection system can inspect information that is encrypted in transit. Wedging into the exchange between the web server and the user's computer allows such solutions to replace the web server's certificate with one issued, for example, by a corporate CA and, without visible changes in the user's work, scan the user's SSL traffic.

URL filtering

In a corporate environment, site filtering is used to limit the misuse of the Internet by employees and as protection against phishing attacks. In many anti-virus protection tools, this method of dealing with fake sites is generally the only one.

Phishing, or scams that steal data by copying the appearance of popular resources, is only just reaching the mobile world. In this article, we analyze the anatomy of such attacks and find out exactly how hackers successfully go after the money of Android phone users.

Phishing statistics on mobile platforms

Smartphones and tablets have burst into our lives so quickly that the behavior of characters from films five years ago already seems like an anachronism. Naturally, along with useful and not so useful habits, the user also acquired new Internet enemies.

According to statistics, 85% of all mobile devices have some version of Android installed, and it is not surprising that most attacks and malware target our favorite operating system. Of course, the situation is not as bad as it was with Windows ten years ago, but the trend is frightening.

Last January, we analyzed how easy it is to create a cryptolocker for Android - a program that encrypts user data. And a little later, in April 2016, Kaspersky Lab confirmed our fears: the company announced the appearance of the Fusob locker Trojan, which attacked smartphones of users from more than a hundred countries.

The variety of phishing

Mimicking malware as something useful is a fairly old trend. About ten or fifteen years ago there was a boom in the popularity of sites that are very similar to the official portals of banks or payment systems. Such phishing resources tried to pull out user accounts, and even better - credit card data.

But that wave of theft bypassed the CIS countries. There was simply nothing to take from us: Pavel Durov had not yet written anything, and plastic cards were not popular. Now, for fraudsters, the situation has become truly “tasty”: online shopping, mobile banking, all kinds of social networks - a lot is now available through a mobile phone connected to the Internet.

So far, there have been no stories of phishing epidemics, but there are already worrying signs. Surfing the Internet from mobile devices has become much less safe: first, webmasters adapted advertising for mobile content, and then the scammers followed. Quite recently, at the beginning of December 2016, a window popped up on one popular sports resource suggesting that the user "update outdated WhatsApp"; naturally, the developers of the messenger have nothing to do with such advertising.

Fig. 2. Viral affiliate program on a major resource

Such messages are generated on the server side and look rather clumsy. But once inside the device, an attacker can mount a more elegant and effective attack. Let's see how difficult it is in Android to replace a working application with its malicious "analog".

There is still nothing more universal in the world than money, so it is worth trying to get access to the user's wallet. We have already covered how money is siphoned off by sending SMS to premium short numbers; today we get to the bank card.

Almost Google Market

For phishing, you do not need to reproduce the functionality of the Google Market exactly; it is easier to write an application that piggybacks on its capabilities without changing the source code. Interested in how hackers do this? Then let's go!

Choice

It would be wrong to try to fake an application that the device owner does not use at all. As with a normal intrusion, the scammer must first assess the environment they have landed in. The variety of vendors producing mobile devices has led to big changes in the OS itself, and although, according to the marketers, they all run on a single Android platform, the set of running applications can be completely different. Android has a built-in API for getting a list of running processes: the ACTIVITY_SERVICE system service.

ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
List<ActivityManager.RunningAppProcessInfo> runningAppProcessInfo = am.getRunningAppProcesses();

Google, for security reasons, restricts the ability of applications to interact with each other a little more every year. The documentation does not state this explicitly, but on Android 4.0 and later such a call returns a list containing only one application: your own. All is not lost: Android is based on the Linux kernel, which means we have a shell. You can get to it manually with the adb utility included in Android Studio.

The output of ps is, as expected, similar to that of the Linux command of the same name: a table with many tab-separated values.

media_rw 1730 1176 7668    1876  1 20 0 0 0 fg inotify_re b75c3c46 S /system/bin/sdcard (u:0, s:3)
u0_a15   1798 1202 1298044 30520 0 20 0 0 0 fg SyS_epoll_ b72f9d35 S com.google.android.googlequicksearchbox:interactor (u:3, s:1)
u0_a35   1811 1202 1272580 37692 1 20 0 0 0 fg SyS_epoll_ b72f9d35 S com.android.inputmethod.latin (u:9, s:1)
u0_a8    1871 1202 1428180 77468 0 20 0 0 0 fg SyS_epoll_ b72f9d35 S com.google.android.gms.persistent (u:168, s:163)

Actually, this output contains enough information for phishing: the name of the process, its ID, execution priority, and so on. The utility can be run not only manually but also from the application: to access the shell, the standard API has the Shell class.

List<String> stdout = Shell.SH.run("toolbox ps -p -P -x -c");

Linux users often have to write one-line scripts, so parsing such output is not a problem for them. But developers used to object-oriented code are more delicate and probably would rather not.

There is already a project on GitHub that implements the necessary functionality. It was created by Jared Rummler, for which we thank him. The parsing of the toolbox output is packaged as a library that can be pulled in directly through Gradle.

All information about running processes is wrapped in an object of the AndroidAppProcess class. If you look at the library's source code, there is nothing superfluous there, only parsing of the console output. Information about a specific application has to be pulled out by straightforward iteration.

for (AndroidAppProcess pr : processes) {
    if (pr.getPackageName().equals(ps_name)) {
        // do smth
    }
}

Please note: starting with Android 7.0, Google introduced a restriction on access to information about other applications' processes. It can no longer be obtained even with the ps command or by reading the /proc file system directly. However, most users will not be moving to Android 7+ any time soon, if at all.

Active Applications

Successful phishing operations, as a rule, are well prepared: scammers know how to pick the moment so that the user does not have the slightest suspicion of forgery. Therefore, the phone should not simply ask you to enter bank card details out of the blue, as that would be very suspicious. Phishing messages appear under some pretext, such as paid pseudo-updates for 1C or fictitious banking resources at addresses spelled similarly to the legitimate ones.

Android multitasking can play into the attacker's hands here: a dozen applications can run simultaneously in the OS, replacing each other on screen. An inexperienced user may not even understand (or think about) which application they are currently working in. The output of ps shows which applications are currently interacting with the user, that is, are visible to them.

u0_a65 ... bg SyS_epoll_ b7366d35 S com.localhost.app.noizybanner (u:248, s:84)
u0_a64 ... fg SyS_epoll_ b7366d35 S com.localhost.app.fragments (u:7, s:11)

This parameter is in the 11th column and can be either bg (background, hidden) or fg (foreground, visible). The OS itself keeps track of these application states, so the developer only has to call ps from time to time. Based on the library, we get a simple method that determines the state of the desired application.

private Boolean isProccessForeground(String ps_name) {
    List<AndroidAppProcess> processes = AndroidProcesses.getRunningForegroundApps(getApplicationContext());
    ...

We could select only the visible processes right away with the method of the same name. But it does not always work correctly and sometimes even returns applications that are currently invisible to the user. In that case, you need to check the value of the foreground field, which is true if any Activity of the process is visible to the user.

    for (AndroidAppProcess pr : processes) {
        if (pr.getPackageName().equals(ps_name) && pr.foreground) {
            Log.e("ps", " " + pr.getPackageName() + " foreground " + pr.foreground);
            return true;
        }
    }
    ...

Now it is possible to find a convenient moment to attack: calling this method shows whether the user is currently working in a particular application. As soon as the method returns true, any Activity can be started, and it will immediately be shown to the user. This is the essence of the attack: showing the user a phishing window disguised as a notification from a trusted application.

// Check if Google Market is open
if (isProccessForeground("com.android.vending")) {
    Intent i = new Intent();
    i.setClass(getApplicationContext(), FakeGUI.class);
    startActivity(i);
}

In general, the phishing attack has already been built. To operate it, you need to set up periodic monitoring of the victim application and build the GUI windows for entering bank card data.

Services

Tracking the state of the application is not difficult; you only need to re-run the isProccessForeground method at certain intervals, which can be implemented in an Activity or a Service component. But keeping the same Activity instance alive for a long time will not work: sooner or later it will be unloaded by the system. Besides, it is too noticeable to the user.

In Android, as in "big" operating systems, there are services: components that allow some kind of routine work to be performed invisibly to the user. Usually this is downloading data or fetching updates, but phishing will work just as well.

Services come in different kinds: the so-called foreground service always runs in the system and stops only when the phone is turned off. We have already discussed how services work in detail before, so today I will be brief. A foreground service extends the Service class and must have an icon that is present in the device's notification panel.

NotificationCompat.Builder mBuilder = new NotificationCompat.Builder(this)
        .setSmallIcon(R.mipmap.ic_launcher)

Many organizations are introducing more stringent spam filtering rules, and in doing so they are forced to take proactive measures in the fight against phishing. By understanding the tools and methods used by attackers, and by analyzing the weaknesses in the perimeter security system, we can protect ourselves against many attacks in advance.

Recently, new directions have emerged in the field of phishing - smishing, vishing and pharming (see the Glossary sidebar).

This article is devoted to describing some types of phishing, which, I hope, will allow you to more successfully defend against such attacks. Information security professionals and general users should be prepared to fend them off.

Fraud of the 21st century

The ability to steal personal identities has always been highly valued by criminals. By gaining access to someone's personal data and then playing the role of the legitimate user, an attacker can commit crimes under a false name. This kind of theft has never been easier than now, in the digital age.

Hidden among piles of electronic junk mail, bypassing many modern anti-spam filters, new means of attack allow the theft of sensitive personal information. Professional criminals now use specially crafted messages to lure their victims into traps designed to steal user identities.

The name of this type of attack is phishing: the process of deceiving or socially engineering clients into handing over their personal and confidential information for the attacker's gain. Criminals use spam or previously infected computers for their own purposes. The size of the victim company is not so important; it is the quality of the personal information obtained by the perpetrators as a result of the attack that matters.

Phishing fraud continues to grow every day, not only quantitatively but also qualitatively. Today an increasing number of clients are exposed to phishing attacks, and such emails are sent to millions of email addresses all over the world. Using many types of attack, phishers can easily mislead customers into handing over financial data (such as a payment card number) and passwords. While spam merely distracts the attention of recipients, phishing leads to financial losses through fraudulent money transfers.

The January 2007 report of the Anti-Phishing Working Group (www.antiphishing.org) gives the following figures:

Number of unique phishing attacks
Number of unique phishing sites
Number of trademarks stolen by phishers in January
Country with the highest number of phishing sites opened in January: United States of America
Number of sites containing some part of the site's real name in the address
Number of sites containing only an IP address
Percentage of sites not using port 80
Average website activity time: 4 days
Maximum website activity time: 30 days

Figure 1. Number of phishing sites from January 2006 to January 2007

Some financial institutions and large companies whose business is directly tied to the Internet explain the problem of phishing to their customers. Most organizations, however, have done very little to actively combat this evil. Keep in mind that there are many tools and methods available to protect against such attacks.

With a high level of protection against phishing attacks, organizations can greatly benefit from maintaining the loyalty of their customers.

Phishing timeline

The word "phishing" comes from the analogy of early Internet attackers using email lures to "fish" for the passwords and financial data of Internet users. The use of "ph" is most likely associated with popular hacker naming conventions such as "phreaks", which go back in the history of the hacker movement to "phreaking", the hacking of telephone systems.

The term was first used in 1996 by hackers who hijacked America Online (AOL) accounts and stole AOL user passwords. The term phishing was first mentioned on the Internet in the alt.2600 hacker newsgroup in January 1996, but it may have been used earlier in the popular hacker newsletter "2600". I quote without comment: "It used to be that you could make a fake account on AOL so long as you had a credit card generator. However, AOL became smart. Now they verify every card with a bank after it is typed in. Does anyone know of a way to get an account other than phishing?"

By 1996 hacked accounts were called "phish", and by 1997 phish were being heavily traded by hackers as a form of electronic currency. Over time, the definition of what constitutes a phishing attack has been greatly expanded. The term "phishing" now covers not only obtaining the details of a user's account but also access to all of their personal and financial data. Having originally used email messages to obtain passwords and financial data from deceived users, phishers have since created fake websites and learned to use Trojan horses and man-in-the-middle proxy attacks.

At the moment, online scams include the use of fake jobs or job offers.

Social engineering factor

Phishing attacks are based on a combination of technical deception and social engineering. In most cases, the phisher must convince the victim to perform a series of actions that will give the phisher access to confidential information.

Today, phishers are actively exploiting the popularity of such means of communication as email, web pages, IRC, and instant messaging (IM) services. In all cases, the phisher must act on behalf of a trusted source (for example, the support service of the respective bank, etc.) in order to mislead the victim.

Until recently, the most successful phishing attacks have been via e-mail, with the phisher impersonating a legitimate sender (for example, by spoofing the original e-mail address and embedding the appropriate corporate logos). For example, the victim receives an e-mail from [email protected] (a spoofed address) with a "security modification" subject line asking her to go to www.mybank-validate.info (a domain name that belongs to the attacker, not the bank) and enter her bank PIN.

However, phishers also use many other social engineering methods to get victims to voluntarily give up confidential information. For example, the victim is led to believe that their banking details are being used by someone else to carry out an illegal transaction. In such a case, the victim will try to get in touch with the sender of the corresponding e-mail, report the transaction as illegitimate and cancel it. Depending on the type of fraud, the phisher then presents a "secure" web page on which the victim enters sensitive details (address, credit card number, etc.) in order to cancel the transaction. As a result, the phisher obtains enough information to carry out a real transaction.

Figure 2. An example of a phishing email

Figure 3. Phishing site page

However, this site, despite the external similarity with the original, is intended solely for the victim to enter confidential data herself.

Figure 4. Fake sender email example

Online phishing means that attackers copy existing sites (most often online shops), using similar domain names and a similar design. After that, everything is simple. The victim, landing in such a store, decides to purchase some product. The number of such victims is quite large, because the prices in the non-existent store are absurdly low, and any suspicions are dispelled by the popularity of the copied site. When buying a product, the victim registers and enters the number and other details of their credit card.

Phishing methods like this have been around for a long time. Due to the spread of knowledge in the field of information security, they are gradually losing their effectiveness.

Figure 5. Email with only one phishing link out of many genuine ones

The third way is a combined one. A fake website of a certain organization is created, and potential victims are then lured to it: they are invited to go to the site and perform certain operations there themselves. As a rule, psychological pressure is applied.

Figure 6. Sample phishing email to Mail.ru users

Numerous warnings that appear almost daily on the Internet make these fraudulent methods less and less effective. Therefore, attackers are now increasingly resorting to keyloggers: special programs that track keystrokes and send the captured information to pre-assigned addresses.

If you think that phishing attacks are relevant only for foreign countries, then you are mistaken. The first phishing attempt in the CIS was registered in 2004. Its victims were clients of the Moscow Citibank.

In Ukraine, clients of Privat-Bank and Kyivstar became victims of phishing attacks.

Delivery of phishing messages

Email and spam. The most common phishing attacks are via email. Using the methods and tools of spammers, phishers can send special messages to millions of email addresses within hours (or minutes if distributed botnets are involved). In many cases, phishers obtain email lists from the same sources as spammers.

By exploiting known weaknesses in the SMTP mail protocol, phishers are able to create e-mails with fake "Mail From:" headers that impersonate whatever organization they choose. In some cases, they also set the "Reply-To:" field to an e-mail address of their choosing, so that any client response to a phishing e-mail is automatically forwarded to the phisher. Phishing attacks are often reported in the press, so most users are wary of sending sensitive information (such as passwords and PINs) by e-mail, but such attacks are still effective.

Methods used by phishers when working with e-mail:

    The official form of the letter;

    Copying legitimate corporate addresses with minor URL changes;

    HTML used in email obfuscates URL information;

    Standard virus/worm attachments to messages;

    Use of anti-spam filter obfuscation technologies;

    Handling "personalized" or unique mailings;

    Using a fake "Mail From:" address string and open mail gateways masks the source of the email.
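The header mismatches described above (a spoofed "Mail From:", a "Reply-To:" pointing elsewhere, a display name that shows one address while the real address is another) can be checked mechanically before a message reaches the user. The following is an added example written for this article, not code from it: the two messages are constructed, and mybank.example, attacker.example and bulkmailer.example are placeholder domains. It is a triage heuristic, not a replacement for SPF, DKIM and DMARC checks.

```python
"""Flag e-mail whose sender headers disagree with each other.

Added example for this article (not code from it). The messages below are
constructed, and mybank.example / attacker.example / bulkmailer.example are
placeholder domains. Treat the result as a triage hint, not as a substitute
for SPF/DKIM/DMARC verification.
"""
from email import message_from_string
from email.utils import parseaddr

ADDRESS_HEADERS = ("From", "Reply-To", "Return-Path")


def domain_of(header_value):
    """Lower-cased domain part of an address header, or None if absent."""
    if not header_value:
        return None
    _name, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def header_domains(raw_message):
    """Map each sender-related header to its domain (None when missing)."""
    msg = message_from_string(raw_message)
    return {h: domain_of(msg.get(h)) for h in ADDRESS_HEADERS}


def sender_findings(raw_message):
    """Return the list of spoofing indicators found in the headers.

    Heuristics:
      reply-to-domain-mismatch     Reply-To points to another domain than From
      return-path-domain-mismatch  envelope sender (bounce address) differs
      display-name-domain-mismatch display name shows an address from one
                                   domain while the real address is another
    """
    msg = message_from_string(raw_message)
    doms = header_domains(raw_message)
    findings = []
    from_dom = doms["From"]
    if doms["Reply-To"] and doms["Reply-To"] != from_dom:
        findings.append("reply-to-domain-mismatch")
    if doms["Return-Path"] and doms["Return-Path"] != from_dom:
        findings.append("return-path-domain-mismatch")
    name, _addr = parseaddr(msg.get("From", ""))
    # e.g. From: "security@mybank.example" <bulk-42@mailer.attacker.example>
    if "@" in name and name.rsplit("@", 1)[1].lower() != from_dom:
        findings.append("display-name-domain-mismatch")
    return findings


# Constructed samples (not real mail).
LEGIT_MAIL = """\
Return-Path: <bounce@mybank.example>
From: MyBank Alerts <alerts@mybank.example>
To: customer@example.net
Subject: Your monthly statement is ready

Log in at your usual address to view it.
"""

SPOOFED_MAIL = """\
Return-Path: <bounce@bulkmailer.example>
From: "security@mybank.example" <bulk-42@mailer.attacker.example>
Reply-To: verify@attacker.example
To: customer@example.net
Subject: Security modification required

Please confirm your PIN at http://www.mybank-validate.info/
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MAIL), ("spoofed", SPOOFED_MAIL)):
        print(label, sender_findings(raw) or ["no indicators"])
```

In a mail gateway the same three checks would normally be combined with the authentication results already computed by the receiving MTA; here they are kept separate so that each indicator the article names can be seen firing on its own.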

Phishing attacks using web content. The next method of phishing attack uses malicious content on a website. This content may be hosted on the phisher's own site or on a third-party site.

Available content delivery methods include:

    Using web features (hidden elements within a page - such as a zero-size graphic) to track a potential customer;

    Using pop-ups to mask the true source of a phishing message.

IRC and IM messages. The use of IRC and IM messages is relatively new. However, this method is likely to become a popular basis for phishing attacks. As these communication channels become more popular with home users, and as more functionality is built into this software, the number of phishing attacks using these technologies will increase dramatically.

It must also be understood that many IRC and IM clients allow channel members to send dynamic content (e.g. graphics, URLs, multimedia, etc.), which makes applying phishing techniques there a rather trivial task.

The general use of bots - automated programs that process messages from users who participate in group discussions - in many popular channels means it's easy for a phisher to anonymously send links and falsify information intended for potential victims.

Use of Trojans. While the transmission medium for phishing attacks can vary, the source of the attack is increasingly a previously compromised home computer. As part of the compromise, Trojan software is installed that lets the phisher (alongside spammers, software pirates, DDoS bots, etc.) use the computer as a distributor of malicious messages. Therefore, when tracing a phishing attack, it is extremely difficult to identify the real attacker.

Note that, despite the efforts of anti-virus companies, the number of Trojan infections is constantly growing. Many criminal groups have developed successful methods of tricking home users into installing software on their machines and now operate entire networks of Trojan-infected computers. Such networks are used, among other things, to send phishing e-mails.

Do not assume, however, that phishers cannot also use Trojans against specific clients to collect sensitive information. In practice, to harvest sensitive information from several thousand customers at once, phishers must collect the recorded information selectively.

Trojans for selective collection of information. In early 2004, phishers created a specialized keylogger. Embedded within a standard HTML message (both in email format and on several compromised popular sites) it was code that attempted to run a Java applet named "javautil.zip". Despite the zip extension, it was actually an executable file that could be automatically executed on client browsers.

The Trojan keylogger was designed to capture all keystrokes in windows whose titles contained any of the following strings: commbank, Commonwealth, NetBank, Citibank, Bank of America, e-gold, e-bullion, e-Bullion, evocash, EVOCash, EVOcash, intgold, INTGold, paypal, PayPal, bankwest, Bank West, BankWest, National Internet Banking, cibc, CIBC, scotiabank and ScotiaBank.

Directions of phishing attacks

Phishers are forced to use a variety of fraudulent methods in order to carry out successful attacks. The most common include:

    Man-in-the-middle attacks;

    URL spoofing attacks;

    Cross-site scripting (XSS) attacks;

    Preset session attacks;

    Substitution of client data;

    Exploitation of vulnerabilities on the client side.

Man in the middle attacks

One of the most successful ways to get information from a client and take control of resources is a man-in-the-middle attack. In this class of attack, the attacker "positions himself" between the client and the real application that is accessible over the network. From this point, the attacker can observe and record all events.

This form of attack works for both the HTTP and HTTPS protocols. The client connects to the attacker's server as if it were the real site, while the attacker's server simultaneously connects to the real site. The attacker's server thus acts as a proxy for all connections between the client and the real application server accessible via the network.

In the case of a secure HTTPS connection, an SSL connection is established between the client and the attacker's proxy (hence the attacker's system can record all traffic in the clear), while the attacker's proxy creates its own SSL connection between itself and the real server.

Figure 8. Structure of a man-in-the-middle attack

To carry out successful man-in-the-middle attacks, the attacker must be connected directly to the client instead of the real server. This can be done using many methods:

    DNS Cache Poisoning

    URL Obfuscation

    Browser Proxy Configuration

Transparent proxy servers

Located on the same network segment or on the route to a real server (for example, a corporate gateway), a transparent proxy server can intercept all data, passing all outgoing HTTP and HTTPS through itself. In this case, no client-side configuration changes are required.

DNS cache poisoning

DNS cache poisoning can be used to disrupt normal traffic routing by introducing false IP addresses. For example, an attacker modifies the cache of the Domain Name System (DNS) service or of the network firewall so that all traffic destined for MyBank's IP address now goes to the IP address of the attacker's proxy.

URL substitution

Using this method, the attacker changes the connection from the real server to a connection to the attacker's proxy server. For example, a client might follow a link to instead of www.mybank.com/

Proxy server configuration in client browser

This type of attack can be seen by the client when viewing the browser settings. In many cases, changing browser settings is done immediately before the phishing message.

Figure 9. Browser configuration

Address spoofing attacks

The secret to the success of many phishing attacks is to trick the recipient of the message into following a link (URL) to the attacker's server. Unfortunately, phishers have access to a whole arsenal of methods to confuse the client.

Common address spoofing methods include:

    Fake domain names

    Friendly URLs

    Host name spoofing

    URL modification.

Fake domain names

One of the simplest substitution methods is the use of a fake domain name. Consider a financial institution MyBank with the registered domain mybank.com and the related business website . A phisher could set up a server under any of the following names to impersonate the real destination host:

http://privatebanking.mybank.com.ch
http://mybank.privatebanking.com
http://privatebanking.mybonk.com or even
http://privatebanking.mybánk.com
http://privatebanking.mybank.hackproof.com

As domain registrars internationalize their services, it has become possible to register domain names in other languages and character sets. For example, the Cyrillic "о" looks identical to the standard ASCII "o", but the domain name is different.

Finally, even the standard ASCII character set allows for ambiguities like uppercase "i" and lowercase "L".
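A defender who knows the legitimate domain can classify the host of any URL against it and catch each of the variants listed above: the brand used as a subdomain of someone else's domain, a one-character typo, an accented or Cyrillic look-alike, and the uppercase-I-for-lowercase-L trick. The block below is an added example for this article, not code from it. Its confusable table is a small constructed subset of Unicode's confusables data, and it assumes that the registrable domain is the last two labels of the host, which is a deliberate simplification (real code should consult the Public Suffix List). mybank.com and the other hosts are the article's own illustrative names.

```python
"""Classify a URL's host against an expected bank domain.

Added example for this article, not code from it. CONFUSABLES is a small
constructed subset of Unicode's confusables table, and "registered domain =
last two labels" is a deliberate simplification (use the Public Suffix List
in real code). mybank.com and friends are the article's illustrative names.
"""
import unicodedata
from urllib.parse import urlsplit

# Characters that render like a Latin letter but are different code points
# (constructed subset), plus the ASCII look-alikes the article mentions.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "\u0456": "l",  # Cyrillic і, folded the same way as Latin i below
    "0": "o", "1": "l", "i": "l", "|": "l",
}


def skeleton(name):
    """Accent-stripped, confusable-folded form used only for comparison."""
    out = []
    for ch in unicodedata.normalize("NFKD", name.lower()):
        if unicodedata.combining(ch):
            continue  # drops the accent in "mybánk"
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats like mybonk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Simplification (assumption): the registrable part is the last two labels."""
    return ".".join(host.split(".")[-2:])


def classify(url, expected="mybank.com"):
    """Return host, registered domain, punycode form and a verdict for `url`."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # user:pass@ is ignored
    labels = host.split(".")
    reg = registered_domain(host)
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    if reg == expected:
        verdict = "legitimate"
    elif skeleton(reg) == skeleton(expected):
        verdict = "confusable-lookalike"   # mybánk, mybаnk (Cyrillic а), paypaI
    elif edit_distance(reg, expected) <= 1:
        verdict = "typosquat"              # mybonk.com
    elif expected.split(".")[0] in labels[:-2]:
        verdict = "brand-in-subdomain"     # mybank.privatebanking.com
    else:
        verdict = "unrelated"
    return {"host": host, "registered": reg, "punycode": punycode,
            "idn": punycode is not None and punycode != host, "verdict": verdict}


if __name__ == "__main__":
    for u in ("http://privatebanking.mybank.com/", "http://privatebanking.mybonk.com",
              "http://privatebanking.mybánk.com", "http://mybank.privatebanking.com"):
        print(u, classify(u)["verdict"])
```

The punycode field is what a log or a certificate transparency feed will actually show for an internationalized name, which is why it is returned next to the human-readable host: an "xn--" label where the brand should be is itself a strong signal.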

Friendly URLs

Many web browsers accept complex URLs that can include authentication information such as a login name and password. The general format is URL://username:password@hostname/path.

Phishers can put misleading text in the username and password fields. For example, the following URL sets username = mybank.com, password = ebanking, and the real destination hostname is evilsite.com:

mybank.com:ebanking@evilsite.com/phishing/fakepage.htm

This friendly login URL can successfully fool many customers into believing they are actually visiting a real MyBank page.

Host name spoofing

Most Internet users are used to reaching websites and services by a fully qualified domain name, such as www.evilsite.com. For a web browser to contact a given host on the Internet, this name must be converted to an IP address, such as 209.134.161.35 for www.evilsite.com. This translation of a hostname into an IP address is performed by domain name servers. The phisher may use the IP address as part of the URL to disguise the host, possibly bypass content filtering systems, or hide the destination from the end user.

For example, the following URL:

mybank.com:ebanking@evilsite.com/phishing/fakepage.htm

could be rewritten as:

mybank.com:ebanking@210.134.161.35/login.htm

While some clients are familiar with the classic decimal representation of IP addresses (000.000.000.000), most are unfamiliar with other possible representations. These IP representations within the URL can lead the user to a phishing site.

Depending on the application that interprets the IP address, it is possible to use a variety of ways to encode addresses, in addition to the classic dotted decimal format. Alternative formats include:

    Dword ("double word"), so called because a 32-bit address consists of two 16-bit words, written as a single decimal number;

    Octal

    Hexadecimal.

These alternative formats are best explained with an example. Consider how the URL resolves to the IP address 210.134.161.35. This can be written as:

Decimal -

Dword - http://3532038435/

Octal -

Hexadecimal - or even

In some cases, formats can even be mixed (for example, ).
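Before a URL is matched against a blocklist or allowlist, a filter should strip the "friendly" user:password@ prefix and turn any of the address encodings above back into dotted decimal. The block below is an added example for this article, not code from it: it follows the inet_aton rules that browsers accept (one number fills the whole address, a leading 0 means octal, 0x means hex, the last component fills the remaining bytes, and formats may be mixed), and every URL in it is built from the article's own example addresses. It goes a little beyond the text by also handling three-component and mixed forms, which the same rules cover.

```python
"""Canonicalise the host of a URL before matching it against a blocklist
or allowlist.

Added example for this article, not code from it. It undoes the two tricks
the text describes: user:password@ text placed in front of the real host, and
IPv4 addresses written as one number (dword), in octal, in hex, or mixed,
following the inet_aton rules browsers accept. The URLs in the tests are
constructed from the article's own example addresses.
"""
from urllib.parse import urlsplit


def _parse_part(part):
    """One dotted component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)          # "09" raises ValueError, as in inet_aton
    if not part.isdigit():
        raise ValueError(part)
    return int(part, 10)


def decode_ipv4_literal(host):
    """Dotted-decimal form of an IPv4 literal written in any accepted
    notation, or None when `host` is not an IPv4 literal (i.e. a hostname)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *leading, last = nums
    # inet_aton: each leading part is one byte, the last part fills the rest.
    if any(not 0 <= n <= 255 for n in leading):
        return None
    remaining = 4 - len(leading)
    if not 0 <= last < 256 ** remaining:
        return None
    value = 0
    for n in leading:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url(url):
    """Split a URL into the fields a filter should actually look at."""
    parts = urlsplit(url)
    host = parts.hostname or ""           # urlsplit already drops user:pass@
    ip = decode_ipv4_literal(host)
    return {
        "scheme": parts.scheme,
        # True when something like mybank.com:ebanking@ precedes the host.
        "has_userinfo": parts.username is not None,
        "host": ip or host,
        "is_ip_literal": ip is not None,
        "path": parts.path,
    }


if __name__ == "__main__":
    for u in ("http://3532038435/", "http://0322.0206.0241.043/",
              "http://0xd286a123/", "http://mybank.com:ebanking@210.134.161.35/login.htm"):
        print(u, "->", normalize_url(u))
```

A filter that compares the raw host string would see four different hosts for the four URLs above; after normalization all of them resolve to 210.134.161.35, and the userinfo flag marks the ones that carried a decoy bank name in front of the real host.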

URL spoofing

To ensure local language support in Internet software such as web browsers, most software supports additional data encoding systems.

Cross-site scripting

Typical XSS formats for injecting a URL into a legitimate page include:

Full HTML substitution: mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm

Inline script injection, such as: http://mybank.com/ebanking?Page=1&client=<SCRIPT>evilcode...

For example, a client received the following URL via a phishing email:

Although the client is actually directed to and connected with the real MyBank web application, a coding error in the bank's application means that the ebanking component accepts an arbitrary URL in its URL field and embeds it in the returned page. Instead of the application providing a MyBank authentication form embedded in the page, the attacker redirects the client to a page hosted on an external server (evilsite.com/phishing/fakepage.htm).
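The ebanking component's mistake is trusting the URL parameter verbatim. The following is an added example for this article, not the bank's or the article's code: `vulnerable_target` reproduces the flaw as described (the parameter is used as-is), and `safe_target` shows the check that would have prevented it, accepting only a same-site relative path or an https URL whose host is on an assumed allowlist (mybank.com, www.mybank.com, the article's illustrative names). `render_frame` adds the escaping that belongs at the point where the value is embedded in HTML.

```python
"""A redirect/embed parameter validated the way the "ebanking?URL=" component
should have validated it.

Added example for this article, not the bank's or the article's own code.
ALLOWED_HOSTS and DEFAULT_PAGE are assumptions made for the example.
"""
import html
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"mybank.com", "www.mybank.com"}   # assumed allowlist
DEFAULT_PAGE = "/ebanking/"                        # assumed safe fallback


def vulnerable_target(url_param):
    """The flaw from the text: whatever arrives in URL= is used as-is."""
    return url_param


def safe_target(url_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_PAGE):
    """Accept only a same-site relative path or an https URL on an allowed host;
    everything else falls back to `default`."""
    if not url_param:
        return default
    url_param = url_param.strip()          # browsers ignore leading whitespace
    # "//evil" is protocol-relative and "/\evil" is treated the same way by
    # browsers, so neither counts as a local path.
    if url_param.startswith("//") or url_param.startswith("/\\"):
        return default
    parts = urlsplit(url_param)
    if parts.scheme == "" and parts.netloc == "" and url_param.startswith("/"):
        return url_param                   # "/ebanking/summary": a local path
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return url_param                   # exact host match, not a suffix match
    return default                         # evilsite.com, javascript:, data:, ...


def render_frame(url_param):
    """Embed the validated target in HTML with attribute escaping, so a value
    that passes validation still cannot break out of the attribute."""
    target = safe_target(url_param)
    return '<iframe src="%s"></iframe>' % html.escape(target, quote=True)


if __name__ == "__main__":
    for p in ("http://evilsite.com/phishing/fakepage.htm", "/ebanking/summary",
              "//evilsite.com/x", "https://mybank.com.evilsite.com/"):
        print(repr(p), "->", vulnerable_target(p), "|", safe_target(p))
```

Exact host matching matters: a check such as `"mybank.com" in host` or `host.endswith("mybank.com")` would still admit mybank.com.evilsite.com and mybank.com@evilsite.com, both of which the allowlist lookup rejects.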

Smishing

Online scammers have recently mastered a new direction: attacks on mobile phones. Bulk SMS mailings luring users to pre-prepared infected sites have been observed, for example, in Iceland and Australia. The fake SMS tells the user that they have subscribed to a paid service, that $2 will be charged to their account daily, and that to cancel the service they must visit a site. On the site, a Trojan written in VBS awaits, which opens a backdoor into the infected computer for the attackers and starts automatically sending SMS messages to random numbers through the web services of two mobile operators in Spain.

Pharming

Pharming is redirecting a victim to a false address. For this, some part of the name resolution infrastructure (the hosts file or the Domain Name System, DNS) is manipulated.

How does this happen?

The pharming mechanism has much in common with an ordinary virus infection. The victim opens an e-mail message or visits a web server that runs a malicious script. This script corrupts the hosts file; the malware can contain the addresses of many banks. As a result, the redirect mechanism is triggered when the user types in an address that matches their bank, and the victim lands on one of the false sites.

There are simply no mechanisms to protect against pharming today. It is necessary to closely monitor the received mail, regularly update anti-virus databases, close the preview window in the mail client, etc.
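One thing a defender can do about the hosts-file variant is to audit that file for entries that pin a bank's name to a fixed address. The block below is an added example for this article, not code from it: HOSTS_SAMPLE is a constructed hosts file, WATCHED_DOMAINS is an assumed watchlist, and the addresses are the article's own example IPs. The real file lives at /etc/hosts on Unix-like systems and under %SystemRoot%\System32\drivers\etc\hosts on Windows.

```python
"""Audit a hosts file for pharming-style overrides.

Added example for this article, not code from it. HOSTS_SAMPLE is a
constructed hosts file, WATCHED_DOMAINS is an assumed watchlist, and the
public addresses are the ones the article itself uses as examples.
"""
import ipaddress

# Names that should never be pinned in a hosts file (assumed watchlist).
WATCHED_DOMAINS = ("mybank.com", "citibank.example")


def parse_hosts(text):
    """Yield (address, name) pairs; '#' comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def is_watched(name, watched=WATCHED_DOMAINS):
    """True for a watched domain or any host under it."""
    return any(name == d or name.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (address, name, reason) for every entry that looks like pharming.

    Reasons:
      unparseable-address    the address column is not an IP address
      watched-domain-pinned  a bank name is resolved locally instead of by DNS
      public-name-pinned     a dotted public name is pinned to a public IP,
                             which a home hosts file almost never needs
    """
    findings = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable-address"))
            continue
        if addr.is_loopback:
            continue                       # localhost entries are normal
        if is_watched(name, watched):
            findings.append((address, name, "watched-domain-pinned"))
        elif addr.is_global and "." in name:
            findings.append((address, name, "public-name-pinned"))
    return findings


# Constructed sample, not a real hosts file.
HOSTS_SAMPLE = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
192.168.1.10  printer.lan
# entries a pharming Trojan might have appended:
209.134.161.35  www.mybank.com mybank.com
209.134.161.35  online.citibank.example
210.134.161.35  secure.example-shop.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(HOSTS_SAMPLE):
        print("%-16s %-30s %s" % finding)
```

The loopback and private-address entries (the localhost lines, the LAN printer) pass untouched, so the audit can run unattended and only report the kind of line a pharming Trojan would add.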

"Vishing"

In July 2006, a new type of phishing appeared, immediately called "vishing."

"Vishing" is named by analogy with "phishing", the common network fraud in which customers of a payment system receive e-mail messages supposedly from the administration or security service of that system asking them to provide their account details, passwords, etc. The link in such a message leads to a fake site on which the information is stolen. The site is taken down after some time, and it is quite difficult to trace its creators on the Internet.

The schemes of deception are, in general, identical, only in the case of vishing, the message contains a request to call a certain city phone number. At the same time, a message is read in which the potential victim is asked to provide their confidential data.

It is not easy to find the owners of such a number, since with the development of Internet telephony, a call to a landline number can be automatically redirected to anywhere in the world. The caller is not aware of this.

According to information from Secure Computing, scammers configure a "war dialler" ("auto-dialer") that dials numbers in a certain region and, when the call is answered, the following happens:

    An automated message warns the consumer that fraudulent activity has been detected on their card and instructs them to call back the specified number immediately. This may be an 0800 number, often presented under a fictitious caller name on behalf of the financial institution;

    When this number is called back, a typical computer voice answers on the other end of the line, saying that the person must go through data verification and enter a 16-digit card number from the phone keypad;

    As soon as the number is entered, the "visher" becomes the owner of all the necessary information (phone number, full name, address), in order, for example, to impose a fine on the card;

    Then, using this call, you can collect additional information, such as PIN code, card expiration date, date of birth, bank account number, etc.

How to protect yourself from this? First of all, with the help of common sense, namely:

    Your bank (or the credit card company you are using) usually refers to the client by their first and last name, both by phone and by e-mail. If it doesn't, then it's most likely a scam;

    You can't call for credit card or bank account security issues on a phone number that's suggested to you. For emergency calls, you are provided with a phone number on the back of your payment card. If the call is legitimate, then the bank keeps a record of it and will help you;

    If someone who claims to be your ISP calls and asks questions about your sensitive data, hang up.

Source: http://www.itacademy.com.ua

Dictionary

Phishing (English "phishing", from "password" and "fishing") - a type of Internet fraud whose purpose is to obtain user identification data. Organizers of phishing attacks use mass mailings of e-mails on behalf of popular sites. In these letters they insert links to fake sites that are exact copies of the real ones. Once on such a site, the user can hand criminals valuable information that allows them to manage the user's account from the Internet (username and password for access), or even the user's credit card number.

Vishing - named by analogy with "phishing". The schemes by which users are deceived are similar in both cases, only in the case of vishing the message contains a request not to visit a site but to call a city telephone number. Those who call it are read a message asking them to provide confidential data.

Pharming - hackers redirect Internet traffic from one website to another that looks identical, in order to trick the user into entering a username and password into a database on a fake server.
