
Microsoft Israel Consultants Blog

It looks like it, It feels like it but it is not It – Phishing for Dummies

Phishing is a new hacking technique that has opened a new era of hacks. I call it a new era because it has once again changed the level of hacks: it has made the boundary between application-layer attacks and social engineering nebulous. We have all heard that security should be deployed and considered in layers. Have we ever thought about all the layers? Was social engineering ever taken into consideration?

We have heard thousands of times that tools and hacking techniques are getting more and more sophisticated, and so are the defense mechanisms. Did we ever consider that Homo sapiens should be taken into this equation as well (both as the attacker and as the victim)?

Well, the attackers have already started...

Security hacks started in telephony, then moved on to network attacks, and then came the era of application security, which we thought was the worst and considered to be the last one. We considered it a layer 7 (the highest OSI model layer) attack. However, recently we are facing a new challenge: social engineering security. To be honest, it was always there; we all knew about it and we were all aware of the human effect on security. In the end it comes down to human beings, but the main question here is: can technology overcome human beings' mistakes?

Phishing in a Nutshell?
Phishing is a social engineering technique used by hackers/attackers to capture a naïve user's login information (username and password) for different web sites (e.g. banks, credit cards, PayPal and others). These credentials are then used to steal money or information from those accounts.


[Image: IRS phishing example]

How to Phish?

The Phishhook
When I was a child I always wanted all my clothes and shoes to be Nike. Where I lived there was a very common clothing company, including shoes, named Mike. Guess what: their logo was the same as Nike's with one small change, replacing the N with an M. My mother paid half the price and was happy. By the way, two weeks later all my friends had the same clothes and we were all Mike's best friends.

Well, phishing is just the same: imitating the attacked web site. Let's say there is a bank named ibank.com whose logo starts with a capital "i". When you write its name it looks like Ibank.com; when you write it with a lowercase "L" it looks like lbank.com. I am sure you all agree with me that only a minority of the population would notice the difference, isn't that so?

Of course the domain name is not enough to convince a customer that he got to the web site he was looking for. The main trick here is the look and feel (in advanced techniques the domain name is not an issue at all).
So now the hacker's challenge is to dress his web site in the same clothes as the attacked web site, meaning building his trap in a convincing way so the naïve user would not even suspect that this is not the original web site. This is an easy task; one could even use the same pictures and images as well as the same colors. It might be even easier if he goes to the original web site, downloads its HTML (the web pages) and changes it just a bit to put in the attacker's functionality (we'll discuss the functionality a little later) while keeping the look and feel of the original ibank web site.


The Bait
All the attacker is left with now is to convince customers to surf to and visit his web site. There are different ways to do that: he might spread an email, post a message in banking forums, or even send IM messages to people. The message will be the bait and will contain two main components:
1. Offerings - to attract the fish to eat the bait (pressing the link)
2. Link - the bait itself (pressing this would lead the user to the hacker's web site)
Therefore the message (email, IM) would contain some attractive offering that will cause the naïve user to press the attached link, such as an offer to customers to open a checking account with very good interest. In that same message he will add the link to the bank's site (of course the link would lead to the attacker's web site). Once the user clicks the link it feels like he got to the real bank's web site. He tries to log in to get the new deal and supplies his credentials (I hooked a fish).
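The two tricks described above, the look-alike domain (ibank.com versus lbank.com) and the bait message whose link text hides where the link really goes, are both things a mail gateway or awareness tool can check for. The following is an added example, not code from the original post or from the ACE Team; the protected-domain list, the confusable-character table and the sample message are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical list of brand domains to protect (an assumption, not from the post).
KNOWN_GOOD = {"ibank.com", "paypal.com", "ebay.com"}
# Characters phishers swap because they look alike: the post's lowercase "L"
# for capital "i" trick, plus a few other common substitutions.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

def normalise(name):
    """Fold confusable characters so 'lbank.com' and 'ibank.com' compare equal."""
    return name.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)

def registered(host):
    """Crude registrable domain: the last two labels (fine for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host):
    """Return the protected domain this host imitates, or None if genuine/unrelated."""
    reg = registered(host)
    if reg in KNOWN_GOOD:                      # the real site or one of its subdomains
        return None
    labels = host.lower().split(".")[:-2]      # everything left of the registrable part
    for good in KNOWN_GOOD:
        if normalise(reg) == normalise(good):  # ibank.com vs lbank.com
            return good
        if normalise(good.split(".")[0]) in map(normalise, labels):  # ibank.com.evil.net
            return good
    return None

def analyse_mail(html):
    """Return (href, reason) for each link that imitates a brand or hides its target."""
    findings = []
    for href, text in re.findall(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S):
        text = re.sub(r"<[^>]+>", "", text).strip()        # drop tags inside the anchor
        host = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        brand = lookalike_of(host)
        if brand:
            findings.append((href, "lookalike of " + brand))
        elif "." in shown and registered(shown) != registered(host):
            findings.append((href, "text shows %s but link goes to %s" % (shown, host)))
    return findings

# Constructed sample message in the style of the bait described above.
SAMPLE_MAIL = """<html><body><p>Open a checking account at 5% interest today!</p>
<a href="http://www.lbank.com/login">www.ibank.com</a>
<a href="http://ibank.com.account-verify.net/">Log in</a>
<a href="https://www.ibank.com/rates">Current rates</a></body></html>"""
```

Running `analyse_mail(SAMPLE_MAIL)` flags the first two links and leaves the genuine `www.ibank.com` link alone; a real deployment would replace the two-label `registered()` heuristic with a public-suffix list.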


After the Bait was Hooked
Here the attacker has two functionality options:
1. Grab the credentials, store them in his DB, and then display a message that the bank's web site is not available, try again later.
2. Grab the credentials and redirect the client to the original web site, running the client through the real login process so the customer won't even know he was redirected.

The example given above is not theoretical and there are lots of “flavors” and permutations for Phishing.

[Image: eBay phishing scam]

How can we Make the Phisher Starve

The main problem, though, is how can we solve or overcome such challenges? And how is it different from old hacking techniques?

The main difference is that old hacks used human mistakes (bugs) to penetrate the corporate network or applications. The hackers used those holes to gain unauthorized access to data. As a result we could put the blame on the organization's functionaries such as developers, system administrators, QA personnel, security staff and others; it was someone's responsibility to make sure these kinds of hacks would be found and fixed. The new attack, however, is out of the organization's hands and responsibility: even if the web site is totally secured, all the countermeasures are in place and the web site uses all the security mechanisms such as authentication, authorization, encryption and many others, none of these will do anything to prevent someone from developing a masquerading web site, attracting users to it and then stealing their identity.

There are a lot of groups and products that claim they can protect against these kinds of attacks, but none takes a high percentage of responsibility for it. I believe, then, that the only tool we have to prevent these attacks is education and awareness, both for organizations and for customers. Once again, back to my childhood, when my mother kept telling me "don't open the door to strangers".

Guilad Regev
ACE Team

Attachment: MSN-Phishing.jpg
Posted: Jul 12 2008, 10:23 PM by guregev | with no comments