Ethical Hacking and Countermeasures v6, Module 12: Phishing


DOCUMENT INFORMATION

Title: Phishing
Institution: EC-Council
Field: Cybersecurity
Type: module
Pages: 47
Size: 1.92 MB

Contents

Ethical Hacking and Countermeasures, Version 6

Module XII: Phishing

Exam 312-50

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

According to Hooper, it became a running joke for others, but it was not a joke for her, because her email account, which was her lifeline and a link to so many different people, was effectively sabotaged.

Fred Felman of MarkMonitor said, “My company sees about 600 phishing attacks a day, each one generating millions of emails. Scammers are raking in millions of dollars.”


Module Objective

This module will familiarize you with:

• Introduction
• Reasons for Successful Phishing
• Phishing Methods
• Process of Phishing
• Types of Phishing Attacks
• Anti-phishing Tools


Module Flow

• Introduction
• Reasons for Successful Phishing
• Phishing Methods
• Process of Phishing
• Types of Phishing Attacks
• Anti-phishing Tools


Phishing: Introduction


The UK's financial institutions are the second most targeted, accounting for 15 percent of the global banking brands attacked, behind the US at 61 percent.

Phishers use the Storm botnet as a fast-flux network, regularly rotating the IP addresses of the infected computers that serve the phishing content. RSA analysts have warned that the Storm botnet can be used as the infrastructure behind fast-flux phishing attacks.


A phishing attack succeeds by deceiving and convincing the user with fake technical content combined with social engineering. The phisher's main task is to make victims believe in the phishing site. The channels that can be impersonated include web pages, instant messaging, email, and IRC. Most phishing attacks are carried out through email: the user receives a message that pressures him or her to follow a link, which leads to a phishing website. The email may claim that a transaction of a particular amount has been made from the user's account and provide a link to check the balance, or it may contain a link to perform a "security check" on the user's account.

According to a study by Gartner, “57 million US Internet users have identified the receipt of email linked to phishing scams, and about 1.7 million of them are thought to have succumbed to the convincing attacks and been tricked into divulging personal information. Studies by the Anti-Phishing Working Group (APWG) have concluded that phishers are likely to succeed with as much as 5 percent of all message recipients.”


Reasons for Successful Phishing

Lack of knowledge

• Users' lack of knowledge of how computer systems, email, and the web work can be exploited by phishers to acquire sensitive information

• Many users lack knowledge of security and of security indicators

Visual deception

• Phishers fool users by luring them to a fake website whose domain name differs only slightly from the original, which is difficult to notice

• They use an image of a legitimate hyperlink; the image itself links to an unauthorized website

• Phishers trick users with images in the content of a web page that look like a browser window

• Keeping an unauthorized browser window on top of, or next to, a legitimate window with the same look makes the user believe that both come from the same source

• Matching the tone of the language to that of the original website

Not giving attention to security indicators

The reasons behind successful phishing are:

Lack of Computer System Knowledge:

Many users lack knowledge of how the system, its applications, the Internet, and email behave. If users cannot differentiate between legitimate and fraudulent emails, phishers can exploit this weakness.

Visual Deception:

 Visually deceptive text: Deceiving users with a domain name in the URL that differs from the real one in a way that goes unnoticed or unrecognized. For example, for the URL www.myweb.com, the phisher may set up a new website at www.mywab.com, which looks similar to the original URL.

 Images masking underlying text: Using an image taken from the legitimate site in the fraudulent page, where the image acts as a hyperlink that navigates the user to the fake website.

 Images mimicking windows: Using images in the illegitimate web page that look the same as the authorized web page, making the user believe it is a legitimate website.


 Windows masking underlying windows: Keeping a fake browser window on top of, or next to, a legitimate window makes users think that both web pages come from the same source, regardless of differences in the address and the security indicators.

 Deceptive look and feel: Users identify an illegitimate website by its look and by the tone of its language, for example misspellings or unprofessional design. If the original site is properly impersonated, the user fails to identify the fake website.

Not giving attention to Security Indicators:

 Lack of attention to security indicators: Users can be tricked if they do not notice the indicators or do not read the warning messages.

 Lack of attention during the absence of security indicators: The user does not notice that the security indicators are missing, so a spoofed image of them can be inserted in their place.


Phishing Methods

Email and Spam

• Most phishing attacks are carried out through email

• Phishers can send millions of emails to valid email addresses using the techniques and tools adopted by spammers

• Phishing emails create a sense of urgency in the user's mind to hand over important information

• Phishers take advantage of SMTP's lack of sender authentication by adding a fake "Mail from" header naming any organization of their choice

• Mimic copies of legitimate emails are sent with minor changes in the URL field

Phishing Methods (cont'd)

Web-based Delivery

• This type of attack targets customers through a third-party website

• Providing malicious website content is a popular phishing method

• Placing fake banner advertisements on reputable websites to redirect customers to the phishing website is also a form of web-based delivery

Phishing Methods (cont'd)

Trojaned Hosts

• A Trojan is a program that gives phishers complete access to the host computer once it has been installed there

• Phishers make the user install trojaned software, which then helps propagate phishing emails and host fraudulent websites


Email and Spam:

As most phishing attacks are done through email, attackers use spamming techniques to send messages to millions of email addresses in a short time. Because the common mail transfer protocol (SMTP) does not authenticate the sender, phishers can send email with a fake "From:" header and pose as any organization of their choice.

Techniques used for email phishing:

 Copying legitimate corporate emails with minimal changes

 Using HTML-based emails to obfuscate the target URL

 Attaching standard viruses and worms to emails

 Designing personalized or unique email messages

Web-based Delivery:

One of the most effective phishing methods is malicious website content. Phishers, or any third party hosting embedded content, can inject malicious or illegal content into a genuine website.

The techniques included in web-based delivery are:

 Including hidden HTML links

 Using fake banner advertising graphics supplied by a third party to divert customers to the phishing website

 Using web bugs to track customers for a phishing attack

 Masquerading the source of the phisher's messages by using pop-up or frameless windows

 Embedding malicious content in web pages that exploits a known vulnerability in the customer's web browser software

 Abusing trust relationships in the customer's web browser configuration to make use of the site's authorized scriptable components or data storage areas

IRC and Instant Messaging:

Most IRC and IM clients render dynamic content shared by channel participants. Using bots in the most popular channels lets phishers send fake information and near-matching links to victims without revealing themselves.

Trojaned Hosts:

Trojan software gives phishers access to the user's computer once it is installed on the PC. The user installs the trojaned software, which then helps the phishers propagate emails and host fraudulent websites.


Process of Phishing

The process involved in building a successful phishing site is:

 Registering a fake domain name

 Building a look-alike website

 Sending emails to many users

Source: http://palisade.plynt.com/issues/2006Sep/phishing-detection/

Phishers trick the users of an organization by:

Registering a fake domain name:

The attacker registers a domain name that looks similar to that of the site whose customers are to be phished. The fake domain name should be hard to distinguish for a user trying to connect to the legitimate site.

Example: If the original site is www.abcbank.com, the phisher can register www.abcbonk.com, which can trick the user into thinking it is the original URL.

Building a look-alike website:

The attacker copies the HTML content of the original page into his/her own web page. The images for the fake site are often taken from the original site: when the user loads the phishing page, the browser fetches the images directly from the original site (which leaves the phishing page's address in the Referer header of those requests, visible in the original site's logs).

Other attackers prefer to write their own HTML and do not copy any content, including images, from the original site.

Sending emails to many users:

When the phishing website is ready, the attacker sends emails to the many users who will be the victims.

To avoid bounces caused by invalid To: or From: addresses, attackers use valid addresses. The From: field is set to an address that the user will take for an important source.

When the email arrives, the user is induced to open it; it may contain "important information" or an exciting offer that prompts the user to follow the link in it, which leads to the phisher's website.
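The three steps above, and in particular the hotlinking of images in the second step, give the impersonated site a detection opportunity the module does not spell out: when a phishing page loads the bank's own images, the victim's browser sends the bank's web server a Referer header naming the phishing page. The script below is an added example and is not part of the EC-Council module. It parses a few constructed Apache combined-format log lines (not real traffic), collects the foreign referer hosts that embed our static assets, and ranks them by edit distance from our own name so that a look-alike registration such as abcbonk.com comes out on top. The hosts abcbank.com and abcbonk.com, the log lines, and the crude "second-level label" extraction are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumptions for the example: the impersonated bank and its legitimate hosts.
OUR_NAME = "abcbank"
OUR_HOSTS = {"www.abcbank.com", "abcbank.com"}
# Static resources a copied page is likely to hotlink from the original site.
STATIC_EXT = (".png", ".gif", ".jpg", ".jpeg", ".ico", ".css", ".js")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2006:09:14:02 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2006:09:14:03 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "http://www.abcbank.com/login" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Sep/2006:09:20:11 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "http://www.abcbonk.com/secure/login.php" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Sep/2006:09:20:11 +0000] "GET /css/site.css HTTP/1.1" 200 812 "http://www.abcbonk.com/secure/login.php" "Mozilla/5.0"',
    '203.0.113.22 - - [12/Sep/2006:09:21:40 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "http://blog.example.net/banking-review" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_our_host(host, our_hosts=OUR_HOSTS):
    """True for our own hosts and their subdomains."""
    return any(host == h or host.endswith("." + h) for h in our_hosts)


def registrable(host):
    """Crude second-level label: www.abcbonk.com -> abcbonk (assumes a one-label public suffix)."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance; one or two edits between registrable names is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def foreign_hotlinks(lines, our_hosts=OUR_HOSTS, our_name=OUR_NAME):
    """Map each foreign referer host to the static paths it embedded, plus its edit distance from our name."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(STATIC_EXT):
            continue
        host = (urlsplit(rec["referer"]).hostname or "").lower()   # "-" and "" give no host
        if not host or is_our_host(host, our_hosts):
            continue
        entry = hits.setdefault(
            host, {"paths": set(), "distance": edit_distance(registrable(host), our_name)}
        )
        entry["paths"].add(rec["path"])
    return hits


def likely_phishing_kits(lines, max_distance=2, **kw):
    """Foreign hosts that both hotlink our assets and sit within max_distance edits of our name."""
    return sorted(h for h, e in foreign_hotlinks(lines, **kw).items() if e["distance"] <= max_distance)


if __name__ == "__main__":
    for host, entry in foreign_hotlinks(SAMPLE_LOG).items():
        print(host, entry["distance"], sorted(entry["paths"]))
    print("likely kits:", likely_phishing_kits(SAMPLE_LOG))
```

A blog that merely embeds the logo also shows up as a foreign referer, which is why the edit-distance score is used to prioritise; on a real site the same check would be run on the static-asset access log, with the Referer host list fed to a takedown or blocklist process.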


Types of Phishing Attacks


of the loss of computer discs from HM Revenue and Customs that contained confidential details of 25 million child benefit recipients, including their NI numbers, addresses, and child records.

"This phishing attack has echoes of traditional get rich quick scams, preying on the desire to be compensated for the Government losing their data, but people must learn that there really is no such thing as free money," said Greg Day, McAfee security analyst.


Man-in-the-Middle Attacks

In this attack, the attacker's computer is placed between the customer's computer and the real website. This lets the attacker track the communication between the two systems.

This attack works against both HTTP and HTTPS communications.

To make the attack succeed, the attacker has to direct the customer to the proxy server rather than the real server.

The following are the techniques used to direct the customer to the proxy server:

• Transparent proxies located on the route to the real server capture all the data by forcing outbound HTTP and HTTPS traffic through themselves

• DNS cache poisoning disturbs normal traffic routing by planting false IP addresses for key domain names

• Browser proxy configuration sets proxy options by overriding the user's web browser settings

In a man-in-the-middle (MITM) attack, the attacker positions himself/herself between the customer and the legitimate website the user is visiting. The attacker monitors and records the communication between the two.

The attack is effective with either HTTP or HTTPS communication. The user connects to the attacker's system believing it to be the real site, while the attacker opens a simultaneous connection to the original website. Because the two connections exist at the same time, the attacker relays and tampers with the communication in real time.

For secured HTTPS communication, the attacker terminates the user's connection at the attacker's proxy, which allows the attacker to record the traffic in unencrypted form; the proxy then creates its own SSL connection to the original server. Unless the attacker holds a certificate for the site's name that the user's browser trusts, the browser shows a certificate warning, so the attack also relies on the user clicking through that warning.

To divert the user to the proxy server instead of the real server, the attacker can use:

 Transparent Proxy: It intercepts all the data by forcing outbound HTTP and HTTPS traffic through itself. It sits on the same network segment as the customer or on the route to the real server, and requires no configuration change at the customer's end.

 DNS Cache Poisoning: It intercepts normal traffic by inserting invalid IP addresses for the main domain names; with this, attackers divert traffic meant for a particular site to their proxy server's IP address.

 URL Obfuscation: This tricks the user into connecting to the proxy server in place of the real server.

 Browser Proxy Configuration: The attacker forces all web traffic through the proxy server by modifying the customer's web browser proxy settings.


URL Obfuscation Attacks

The user is made to follow a URL in a message that leads to the attacker's server.

The different methods of URL obfuscation include:

• Making small changes to the legitimate URL, which makes it difficult to identify the site as a phishing site

• Giving users "friendly login" URLs, which abuse the user:password@host syntax so that the URL appears to lead to the legitimate site but actually leads to a look-alike

• Many third-party organizations offer a free URL-shortening service, which can be used to obfuscate the true URL

• The IP address of the domain can be used in the URL in place of the host name, to obfuscate the host and also to bypass content filtering systems

The attack spoofs the user by getting him or her to follow a link in a message that targets the attacker's server.

The methods used to obfuscate the URLs are:

Bad Domain Names:

Users can be attacked through the deliberate registration and use of bad domain names. With internationalized domain names, names can be registered in other languages using their own character sets, which allows look-alike (homograph) names.

Friendly Login URLs:

Many web browser implementations permit complex URLs that carry authentication information in the form http://username:password@hostname/. Phishers put the target organization's name in the username field, so that the part of the URL before the @ reads like the legitimate site while the real host after the @ is the attacker's. Friendly login URLs trick many users into believing that the URL is legitimate.

Third-Party Shortened URLs:

Because URLs have grown long and complex, and because they may be broken across lines by various email systems, some third-party organizations offer a free service that provides shorter URLs. Phishers use these free services to hide the true destination, combined with social engineering and with deliberately broken long or incorrect URLs. Services offered for free include http://smallurl.com and http://tinyurl.com

Host Name Obfuscation:

Users are used to navigating sites by domain name, but the web browser does not need a domain name: it accepts an IP address in its place. Phishers use the IP address instead of the host name in the URL to obfuscate the host, to bypass content filtering systems, or to hide the destination from the end user.

Depending on how the application interprets the IP address, the address can be encoded in forms other than dotted decimal:

 Dword: "double word", the whole 32-bit address (two 16-bit words) expressed as a single decimal number

 Octal: each octet expressed in base 8, with a leading 0

 Hexadecimal: the address expressed in base 16, with a 0x prefix
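The encodings listed above can be generated and undone mechanically, and a mail gateway or proxy that canonicalises the host before applying its block list defeats the filter bypass the text describes. The code below is an added example, not part of the EC-Council module. It renders an IPv4 address in the dword, octal, and hexadecimal forms (plus the whole-address hex form), parses any of them back using the classic inet_aton rules (one to four dot-separated parts, the last part filling the remaining bytes), and flags the "friendly login" userinfo trick from the same section. The sample address 192.168.0.1 and the host www.abcbank.com are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One component of a numeric host in the inet_aton grammar: 0x.. hex, leading-0 octal, plain decimal.
_PART = re.compile(r"(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)")
_DOTTED_DECIMAL = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def encode_ipv4(ip, form):
    """Render a dotted-decimal IPv4 address in one of the obfuscated forms named in the text."""
    n = int(ipaddress.IPv4Address(ip))
    octets = n.to_bytes(4, "big")
    if form == "dword":        # single 32-bit number in decimal
        return str(n)
    if form == "octal":        # each octet in base 8 with a leading 0
        return ".".join("0%03o" % o for o in octets)
    if form == "hex":          # each octet in base 16 with a 0x prefix
        return ".".join("0x%02X" % o for o in octets)
    if form == "hexdword":     # whole address as one hex number
        return "0x%08X" % n
    raise ValueError("unknown form: %s" % form)


def _part_value(p):
    """Value of one part: 0x prefix is hex, a leading 0 is octal, otherwise decimal."""
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def decode_host(host):
    """If host is a numeric IPv4 in any inet_aton form (a, a.b, a.b.c, a.b.c.d; decimal, octal, hex),
    return it as dotted decimal; otherwise return None (a real domain name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    vals = [_part_value(p) for p in parts]
    tail_bytes = 4 - (len(vals) - 1)            # the last part fills all remaining bytes
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 256 ** tail_bytes:
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | vals[-1]
    return str(ipaddress.IPv4Address(n))


def inspect_url(url):
    """Flag the two obfuscations from this section: a userinfo part before '@' and an encoded numeric host."""
    s = urlsplit(url)
    host = s.hostname or ""                     # urlsplit already discards anything before the last '@'
    ip = decode_host(host)
    return {
        "host": host,
        "userinfo": s.username is not None,     # "friendly login" URL: http://www.abcbank.com@<real host>/
        "ip": ip,
        "encoded_ip": ip is not None and not _DOTTED_DECIMAL.fullmatch(host),
    }


if __name__ == "__main__":
    for form in ("dword", "octal", "hex", "hexdword"):
        enc = encode_ipv4("192.168.0.1", form)
        print(form, enc, "->", decode_host(enc))
    print(inspect_url("http://www.abcbank.com@3232235521/login"))
```

Browsers apply the same grammar, which is why a block list keyed on the dotted-decimal string alone is bypassable; canonicalise with decode_host first and compare the result.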


Cross-site Scripting Attacks

This type of attack uses a custom URL or code injected into a valid web application URL or embedded data field.

Most XSS attacks are carried out through URL formatting.

Cross-site scripting is abbreviated XSS (older material also writes CSS, which clashes with Cascading Style Sheets). The attack uses a custom URL or injects code into a genuine web application URL or embedded data field. It results from poor web application development practices.

Because of poor application coding, the web application accepts an arbitrary URL in one of its parameters and sends the user there. Customers trying to authenticate to the application are thus referred to a page under the control of an external server, and unknowingly hand all their authentication information to that spoofed page.
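What the paragraph above describes is, in current terminology, an open redirect: the application takes a URL from a request parameter and sends the authenticated user there. The check below is an added example, not code from the EC-Council module or from any real banking application. It validates a post-login redirect target so that only same-site paths or absolute URLs on the expected host are accepted, and it handles the usual bypasses (scheme-relative //host, backslashes, a userinfo part before @, javascript: URLs, look-alike host suffixes). The host www.abcbank.com and the default path /account are assumptions.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target, allowed_host):
    """Accept only a same-site absolute path or an absolute http(s) URL whose host is exactly allowed_host."""
    if not target or any(c in target for c in "\\\r\n\t \x00"):
        return False            # browsers treat '\' like '/', and whitespace can hide a scheme
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: one leading slash only; "//host/..." is scheme-relative and leaves the site.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False            # rejects javascript:, data:, and scheme-relative "//host" (netloc set, no scheme)
    try:
        port = parts.port
    except ValueError:
        return False            # malformed port
    host = (parts.hostname or "").lower()
    return (
        host == allowed_host.lower()    # exact match: "www.abcbank.com.evil.example" does not pass
        and parts.username is None      # "http://www.abcbank.com@evil.example/" puts evil.example in host
        and port in (None, 80, 443)
    )


def login_redirect_target(requested, allowed_host, default="/account"):
    """Where the login handler should send the user after a successful login."""
    return requested if is_safe_redirect(requested, allowed_host) else default


if __name__ == "__main__":
    for t in ("/account/summary", "//evil.example/", "http://www.abcbank.com@evil.example/",
              "javascript:alert(1)", "https://www.abcbank.com/account"):
        print(repr(t), "->", login_redirect_target(t, "www.abcbank.com"))
```

The safest design is not to carry a URL in the parameter at all but an opaque key into a server-side table of allowed destinations; where a URL must be accepted, the exact-host comparison above is the minimum, and a prefix or substring check on the host is exactly the bug the text describes.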


Hidden Attacks

Attackers use HTML, DHTML, or other scriptable code to:

• Change the rendered display by interfering with the customer's web browser

• Disguise fake content as coming from the real site

Hidden Frames:

These hidden frames are used for:

 Hiding the source address of the attacker's content server

 Providing a false "secured" HTTPS wrapper

 Performing malicious activity by loading images and HTML content in the background

 Hiding the HTML code from the user

 Storing and executing background code that observes what the user does on the real web page

Overriding Page Content:

There are many ways to override the displayed content of a web page with fake content. The DIV element lets the phisher place content in a virtual container positioned on top of the original content.

Graphical Substitution:

The problem phishers face is the browser-specific visual cues that reveal the true source of the page. To overcome these cues, they use the browser's scripting language to place images carrying fake information over the key areas (such as the address bar and the security indicators).


Deceptive Phishing

The common method of deceptive phishing is email.

The phisher sends a bulk of deceptive emails that direct the user to click on the link provided.

The phisher's call to action contains alarming information about the recipient's account.

The phisher then collects the confidential information given by the user.

The common method of deceptive phishing is email. The phisher sends bulk email to customers with a certain call to action, demanding that the customer click on the link. When the user clicks on the link, he/she is directed to a fraudulent website, from which the phisher obtains the confidential data the user enters.

The phisher's call to action can include:

 A message that there is a problem with the recipient's account, which can be corrected by visiting the URL given below

 A statement about an unauthorized order made from the user's account, which can be canceled by clicking the link

 A prompt about a new service being offered free for a limited time

 A notice about an unauthorized change made to the user's account


Malware-Based Phishing

In this method, phishers use malicious software to attack the user's machine.

The attack spreads through social engineering or through security vulnerabilities.

In social engineering, the user is convinced to open an email attachment that promises some important information; the download contains malware.

Exploiting security vulnerabilities by injecting worms and viruses is another form of malware-based phishing.


Malware-Based Phishing (cont'd)

Keyloggers and Screenloggers

• A keylogger is a program that installs itself into the web browser or as a device driver, monitors input data, and sends it to the phishing server

• The techniques used by keyloggers and screenloggers are:

• Key logging monitors and records the keys pressed by the customer

• A device driver monitors the user's keyboard and mouse inputs

• A screen logger monitors both the user's inputs and the display


Malware-Based Phishing (cont'd)

System Reconfiguration Attacks

• This attack reconfigures settings on the user's computer

• The system's name resolution is corrupted with faulty DNS information by poisoning the hosts file

• It changes the proxy server setting on the system to redirect the user's traffic to other sites

A malware-based phishing attack aims to run malicious software on the user's PC. It spreads mostly through social engineering and through security vulnerabilities. In social engineering, the phisher tries to convince the user to open an email and download a file from a website. Some of these downloaded files contain malware that exploits security vulnerabilities on the user's PC.

Web Trojans:

Web Trojans are illegitimate programs that pop up over the login screen to collect the credentials. The login information is collected locally and later transmitted to the phisher.

Hosts File Poisoning:

When the user connects to a legitimate URL, the host name must be converted to a numeric address before the site is visited. The operating system keeps a local "hosts" file that is consulted for host names before the DNS lookup is performed. If the hosts file is altered, the legitimate URL resolves to a malicious address, through which all the user's credentials can be captured.
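A quick way to audit the mechanism described above is to parse the hosts file and report any entry for a domain that should only ever be resolved through DNS. The script below is an added example, not part of the EC-Council module. It works on a constructed hosts file embedded as a string (not taken from a real system), reports entries for a watchlist of domains, and also flags any other dotted hostname pinned to a non-loopback address. The watchlist and the sample entries are assumptions; to check a live system, read /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts into the function instead.

```python
import ipaddress

# Constructed sample hosts file; not taken from a real system.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
# lines appended by a system-reconfiguration trojan
203.0.113.45    www.abcbank.com abcbank.com
203.0.113.45    online.examplebank.com   # comment after the entry
203.0.113.46    www.example-shop.com
"""

# Domains whose resolution must never be overridden locally (assumption for the example).
WATCHLIST = {"www.abcbank.com", "abcbank.com", "online.examplebank.com", "login.example.org"}


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping, skipping comments, blanks and junk lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address: not a mapping
        for name in fields[1:]:                 # one address may carry several names
            yield lineno, str(addr), name.lower()


def find_poisoned_entries(text, watchlist=WATCHLIST):
    """Report watchlisted names, plus any other dotted hostname mapped to a non-loopback address."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in watchlist:
            reason = "watchlisted domain overridden"
        elif "." in name and not ipaddress.ip_address(addr).is_loopback:
            reason = "public hostname pinned to a non-loopback address"
        else:
            continue                            # localhost-style names and loopback pins are normal
        findings.append({"line": lineno, "name": name, "addr": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_poisoned_entries(SAMPLE_HOSTS):
        print("line %(line)d: %(name)s -> %(addr)s (%(reason)s)" % f)
```

The second heuristic will also report legitimate intranet pins (an internal name mapped to a private address), so in practice it is a triage list rather than an alert; the watchlist hits are the ones worth an immediate response, since the legitimate owner of a public banking domain has no reason to be in a user's hosts file at all.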

System Reconfiguration Attack:

A system reconfiguration attack changes settings on the user's computer to compromise information. One way is to change the user's DNS server to one that provides faulty answers. Another is to install a web proxy that routes the user's traffic through it.

Data Theft:

Data theft attacks aim at corporate espionage. User computers that hold the organization's information can be mined for confidential data and design documents, which can then be exposed publicly, causing economic damage or embarrassment. Data thefts are mainly intended to damage the reputation of an organization by targeting prominent people within it and stealing their information.


Posted: 26/12/2013, 20:23