Monday, October 14, 2019

Phishing and Pharming Attacks

Phishing and Pharming Attacks In this report, it provides overview about phishing and pharming like what is phishing, what is pharming, what are the impacts that caused by phishing and pharming and what are the solutions can be apply to remediate or minimize the chance of being attack by phishing and pharming. Phishing are internet frauds or identity thefts that use to acquire or steal targeted victims sensitive information like personal identity data or financial account credentials. Phishing can be carried out by attackers using social engineering like sending email, through instant messaging (IM), peer to peer (P2P) networks, search engine and other techniques to redirect users to fraudulent website. Pharming is the new twist of internet fraud or identity theft. It is the evolutionary of phishing that used to achieve the same goal, but pharming is more sophisticated. Pharming can be carry out by using technical subterfuge such as DNS cache poisoning, domain hijacking and other techniques to redirect users to fraudulent website or proxy server to solicit users sensitive personal information. Phishing and pharming attack will cause financial impacts on the targeted victims or hard-hit to small organization. It will also cause the undermining of consumers confident in using internet over secure transaction or communication. Beside from this, phishing and pharming will also cause the law investigation become harder. Table of Content Summary2 Table of Content-3 Table of Tables and Figures4 Introduction-5 Method of Phishing Attack-6 2.1. Link Manipulation6 2.2 Filter Evasion7 2.3 Website Forgery7 2.4 Phone Phishing-8 2.5 Example of Phishing9 2.6 Phishing Report-10 Method of Pharming Attack13 How Pharming Works13 DNS cache poisoning16 Domain Hijacking16 Registration of similar sounding domains17 Impact caused by phishing / pharming18 Prevention of phishing and pharming20 Prevention: What to do?20 Prevention: What not to do?-21 Classic phishing defenses 21 Client-side21 Server-side22 Enterprise-22 Additional Pharming-Specific defenses23 Change Management, Monitoring and Alerting-23 Third-party Host Resolution Verification Services-24 DNS Server Patching, Updating and Configuration25 Search Engine Control-26 Conclusion-27 Recommendation29 Reference30 Bibliography31 Appendix32 Template 1.032 Template 2.034 TABLE OF TABLES AND FIGURES Figure 1-9 Figure 210 Figure 311 Figure 412 Figure 514 INTRODUCTION Phishing and Pharming are two of the most organized crimes of the 21st century requiring very little skill on the part of the fraudster. These result in identity theft and financial fraud when the fraudster tricks the online users into giving their confidential information like Passwords, Social Security Numbers, Credit Card Numbers, CVV Numbers, and personal information such as birthdates and mothers maiden names etc. This information is then either used by fraudsters for their own needs such as impersonate the victim to transfer funds from the victims account, purchase merchandise etc., or is sold in a variety of online brokering forums and chat channels for a profit. The Anti-Phishing Working Group (APWG) study indicates that 26,877 phishing attacks were reported in October 2006, a 21 percent increase over Septembers 22,136 attacks and an increase of 70% as compared to October 2005. Through these attacks the fraudsters hijacked 176 brands resulting in huge financial losses and loss of reputation to enterprises. The Gartner study reported that more than 2 million Americans have had their checking accounts raided by criminals in 2004, the average loss per incident being $1,2002. With phishers developing evermore sophisticated attacks, these numbers are bound to increase in the near future. Hence, battling these attacks has become a high priority for Governments and Industry Groups. METHOD OF PHISHING ATTACK Link Manipulation Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of sub domains are common tricks used by phishers, such as this example URL, http://www.yourbank.example.com/. Another common trick is to make the anchor text for a link appear to be valid, when the link actually goes to the phishers site, such as http://en.wikipedia.org/wiki/Genuine. An old method of spoofing used links containing the @ symbol, originally intended as a way to include a username and password (contrary to the standard). For example, the link http://[emailprotected]/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer, while Mozilla and Opera present a warning message and give the option of continuing to the site or cancelling. A further problem with URLs has been found in the handling of Internationalized Domain Names (IDN) in web browsers, that might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it.[citation needed] Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain. Filter Evasion Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails. 2.3 Website Forgery Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL. An attacker can even use flaws in a trusted websites own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or services own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal. A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site. To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object. 2.4 Phone Phishing Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization. EXAMPLE OF PHISHING As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites. The following is an example of what a phishing scam e-mail message might look like. Figure 1: Example of a phishing e-mail message, which includes a deceptive URL address that links to a scam Web site. To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site, but it actually takes you to a phony scam site or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called spoofed Web sites. Once youre at one of these spoofed sites, you might unwittingly send personal information to the con artists. PHISHING REPORT Figure 2: The number of websites hosting key logging crime ware systems raise by over 1,100, reaching 3,362, the second highest number recorded in the preceding 12 months. Web sense Security Labs believes much of this increase is due to attackers increasing ability to co-opt sites to spread crime ware using automated tools. Figure 3: The number of unique key logger crime ware variants detected in January reached a new high of 364, an increase of 1.4% from the previous high in October, 2007. Figure 4: Anti-Phishing Working Group, Phishing Activity Trends Report, June 2005 Phishing undermines consumer confidence. Corporate websites of valid, well-respected companies are being cloned to sell nonexistent products, or to get consumers to participate in money-laundering activities while believing that they are dealing with a legitimate organization. The public relations consequences for the company that has had its website cloned can be as severe as the financial losses. 3.0 METHOD OF PHARMING ATTACK You must be well aware of phishing and its potential to cause damage. They bait bank customers with genuine looking emails and manage to usurp money or personal information from unsuspecting customers with reasonable success. You are also aware that responding to mails sent by your bank may not be a good idea because banks never require to send emails to get your credentials. They have more secure channels to get that information. However, pharming attacks do not require an attacker to send mails. By carrying out pharming attacks, a criminal can get access to a wider target than phishing emails and as quickly as possible. Hence the ph effect on the word farming. They are not fishing, they are farming for gullible people! By the way, pharming is a real dictionary word. HOW PHARMING WORKS Pharming attacks do not take advantage of any new technique. They use the well known DNS cache poisoning, domain spoofing and domain hijacking techniques that have been around for quite long. However, the motives of carrying out these attacks have changed. Earlier they were interested in just disrupting services and causing nuisance. But now, the game has become a matter of money than that of chest thumping. These techniques continue to exist because administrators and website owners dont care to secure and monitor their DNS servers while they have invested millions of dollars in application firewalls. How a typical pharming attack is carried out: Figure 5: 1. The attacker targets the DNS service used by the customer. This server can be a DNS server on the LAN or the DNS server hosted by an ISP for all users. The attacker, using various techniques, manages to change the IP address of www.nicebank.com to the IP address of a web server which contains a fake replica of nicebank.com. 2. User wants to go the website www.nicebank.com and types the address in the web browser. 3. Users computer queries the DNS server for the IP address of www.nicebank.com. 4. Since the DNS server has already been poisoned by the attacker, it returns the IP address of the fake website to the users computer. The users computer is tricked into thinking that the poisoned reply is the correct IP address of the website. The user has now been fooled into visiting fake website controlled by the attacker rather than the original www.nicebank.com website. Once the attacker has managed to get the user to visit the fake website, there are many ways in which the user can be tricked into revealing his / her credentials or giving out personal information. The beauty, or lets say, the notoriety of pharming over phishing is evident from the fact that one successful attempt in poisoning the DNS server can be potentially used to trick all the users of that DNS service. Much less effort and wider impact than phishing. DNS cache poisoning All DNS servers cache the queries that users have made for a certain period of time. This is done to speed up the responses to users for frequently used domains. This cache maintained by the DNS server can be poisoned by using malicious responses or taking advantage of vulnerabilities in the DNS software itself. Domain Hijacking This is an actual incident that took place a year ago. Panix, an ISP based in New York was the target of a domain hijack attack. All domains are typically registered with registrars which store information about the owner of a domain and location of the domains DNS servers. If any of this information is required to be changed, the approval of the domain owner is required. A domain owner can even switch registrars depending on costs and convenience. However, confirmation of the switch is required from all three parties, the domain owner, the old registrar and the new registrar. In case of Panix, a change was initiated by an unknown person in Australia. The person managed to skip confirmation from the old registrar and the domain owner. This was because the new registrar was not following the domain transfer process strictly. The result was, the unknown person managed to gain control over the panix.com domain completely. The person managed to divert all the web traffic of panix.com and customer emails to another server located in Canada. Domain hijacking has the widest impact because the attacker targets the domain registration information itself. Registration of similar sounding domains Similar sounding or similar looking domains are another source of security issues for internet users. An attacker can register a domain www.n1cebank.com and carry out pharming and phishing attacks on unsuspecting customers who dont notice the difference in the letter i being replaced by a 1. Also domain names created by typos on the original words (e.g. www.nicebqnk.com) manage to attract a lot of traffic. One such study on a popular domain cartoonnetwork.com shows that one in four people visiting the website incorrectly type a simple name like cartoonnetwork.com. So what about typo domains? One quick search in Google reveals that it is quite a big concern. An attacker can easily buy typo domains and setup his fake website on these domains to fool unsuspecting visitors. IMPACT CAUSED BY PHISHING AND PHARMING There are impacts that caused by rising of phishing and pharming. One of the impacts that caused by phishing and pharming is the lost of financial on both organizations and consumers. According to the InternetNews.com, there are about $1.2 Billion lost in financial of banks and credit card issuers at year 2003, while at year 2004, there is about  £12 Million lost in financial reported by the Association of Payment Clearing Services in United Kingdom. Due to the credit card association policies, the online merchants that accepted and approved transactions made by using credit card numbers which solicit through internet fraud may need to liable for the full amount of those transactions. This may cause hard-hit to those small organizations. Another impact that caused by phishing and pharming is the undermining of the consumers trust in the secured internet transaction or communication. This situation occurred because the internet fraud like phishing and pharming made consumer feel uncertain about the integrity of the financial and commercial websites although the web address display in the address is correct. Phishing and pharming also caused some impact on the Law investigation. It makes the law investigation become harder because the technique that used by attackers to perform phishing and pharming is more sophisticated. In nowadays, those attackers can perform all of the phishing and pharming attack at a location that provided with the internet connection. With the available of internet connection, they can make use of it to perform attacking activities. Those activities included the control of a computer located in one place to perform phishing and pharmings attack by using computer located at another place. The investigation become harder also because of the division of attacking tasks to several people located in different locations. PREVENTION OF PHISHING AND PHARMING Pharming attacks tend to be harder to defend against that traditional Phishing attacks due to the distributed nature of the attack focus and the use of resources not under the control of the victim organisation.   In addition, the manipulation of the DNS resolution process occurs at such a fundamental level that there are very few methods available to reliably detect any malicious changes. 5.1 PREVENTION WHAT TO DO? By using anti-virus software, spyware filters, e-mail filters and firewall programs and make sure that they are regular updated to protect your computer. Ensures that your Internet browser is up to date and security patches applied. Be suspicious of any e-mail with urgent requests for personal financial information or threats of termination of online account. Dont rely on links contained in e-mails, even if the web address appears to be correct, and use only channels that you know from independent sources are reliable (e.g., information on your bank card, hard copy correspondence, or montly account statement) when contacting your financial institution. When submitting credit card or other sensitive information via your Web browser, always ensure that youre using a secure website. Regularly log into your accounts. Regularly check your bank, credit and debit card statements to ensure that all transaction are legitimate. PREVENTION WHAT NOT TO DO? Dont assume that you can correctly identify a website as legitimate just by looking at its general appearance. Dont use the link in an e-mail to get to any web page, if you suspect the message might not be authentic. Avoid filling out forms in an e-mail messages or pop-up windows that ask for personal financial information. CLASSIC PHISHING DEFENCES Many of the defences used to thwart phishing attacks can be used to help prevent or limit the scope of future Pharming attacks. While readers are referred to the detailed coverage of these defence tactics explained in The Phishing Guide, a brief summary of these key defences is as follows: Client-Side Desktop protection technologies Utilisation of appropriate, less sophisticated, communication settings User application-level monitoring solutions Locking-down browser capabilities Digital signing and validation of email General security awareness 5.3.2 Server-Side Improving customer awareness Providing validation information for official communications Ensuring that the Internet web application is securely developed and doesnt include easily exploitable attack vectors Using strong token-based authentication systems Keeping naming systems simple and understandable 5.3.3 Enterprise Automatic validation of sending email server addresses, Digital signing of email services, Monitoring of corporate domains and notification of similar registrations, Perimeter or gateway protection agents, Third-party managed services. ADDITIONAL PHARMING-SPECIFIC DEFENCES While Phishing attacks typically use email as the attack delivery platform, Pharming attacks do not require any email obfuscation attacks to succeed therefore Phishing defences that rely upon email security play a lesser role. The defences that will be most successful in preventing Pharming attacks focus upon the following areas: Change management, monitoring and alerting Third-party host resolution verification DNS server patching, updating and configuration Search engine control 5.4.1 Change Management, Monitoring, and Alerting The potential for an administrator or other authoritative employee to maliciously modify DNS resolution information without detection is great.   As financial incentives increase, organisations and ISPs will need to ensure that adequate change control, monitoring and alerting mechanisms are in place and enforced. It is recommended that: Wherever editing is possible, access to DNS configuration files and caching data is limited to approved employees only. A change management process is used to log and monitor all changes to DNS configuration information. Auditing of DNS record changes is instigated by a team external to any DNS administrative personnel; with automatic alerting of changes conducted in real time. Regular audits and comparative analysis of secondary DNS and caching servers should be conducted. Third-party Host Resolution Verification Services Toolbars Many third-party developed plug-in toolbars originally designed to detect Phishing attacks are deceived by Pharming attacks.   Typically, these Phishing toolbars show the IP address and reverse lookup information for the host that the browser has connected to, so that customer can clearly see if he has reached a fake site.   Some managed toolbars (normally available through a subscription service) also compare the host name or URL of the current site to an updatable list (or real-time querying) of known phishing sites. Some toolbars now offer limited anti-pharming protection by maintaining a stored list of previously validated good IP addresses associated with a particular web address or host name.   Should the customer connect to an IP address not previously associated with the host name, a warning is raised.   However, problems can occur with organisations that change the IP addresses of their online services, or have large numbers of IP addresses associated with a particular host name. In addition, some toolbars provide IP address allocation information such as clearly stating the geographic region associated with a particular netblock.   This is useful for identifying possible fake Pharming sites that have been setup in Poland pretending to be for an Australian bank for instance. Server Certificates To help prevent pharming attacks, an additional layer can be added to the authentication process, such as getting the server to prove it is what it says it is.   This can be achieved through the use of server certificates. Most web browsers have the ability to read and validate server identification certificates.   The process would require the server host (or organisation) obtain a certificate from a trusted certificate authority, such as Verisign, and present it to the customers browser upon connection for validation. 5.4.3 DNS Server Patching, Updating and Configuration As with any Internet-based host, it is vial that all accessible services be configured in a secure manner and that all current security updates or patches be applied.   Failure to do so is likely to result in an exploitation of any security weaknesses, resulting in a loss of data integrity. Given the number of possible attacks that can be achieved by an attacker whom manages to compromise an organisations DNS servers, these hosts are frequently targeted by attackers.   Therefore it is vital that security patches and updates be applied as quickly as possible typically organisations should aim to apply fixes within hours of release. Similarly, it is important that organisations use up to date versions of the service wherever possible.   As we have already discussed in section 3.6, each new version of the DNS software usually contains substantial changes to protect against the latest attack vectors (e.g. randomising DNS IDs, randomising port numbers, etc.) 5.4.4 Search Engine Control Internet search engines are undergoing constant development.   Many of the methods used by attackers to increase their page ranking statistics are known of by the search engine developers, and a constant cycle of detection and refinement can be observed by both parties.   For instance, Google modified its search algorithm to reset the page rank statistics of web sites that had recently changed ownership this was to reduce the impact of instant backlinks and the weighting they attach to a ranking. Traditionally the emphasis on increasing a pages ranking has been for revenue or lead generation most closely associated with advertising.   However, the increasing pace at which customers are relying upon search engines to access key services (such as online banking) means that a Pharmer who can get his fake site ranked at the top is likely to acquire a high number of victims. Organisations should ensure that they regularly review keyword associations with their online services.   Ideally automated processes should be developed to constantly monitor all the popular search engines for key search words or phrases customers are likely to use to locate their key services.   It is also important that region-specific search engines also be monitored. CONCLUSION The term phishing is about the use of social engineering by performing online imitation of brands to send spoof email that contain of hyperlink to fraudulent website to solicit users sensitive personal information like credit card number, PIN, mothers maiden name and etc. Phishing can also be done through installing keylogger at users computer. Pharming use technical subterfuge like DNS cache poisoning, domain hijacking, routers setting or firmware malconfiguration to redirect users to a fraudulent website. Pharming may also perform by sending the targeted victims an email that contained of viruses or Trojan horse that will install small application that will redirect user to fraudulent website. There are impacts that caused by both phishing and pharming. Those impacts included the lost of financial, undermining of user confident in secured online transaction or communication, hard hit to small organizations and cause the law investigation harder. As a web developer, SSL certificate, switching of the recursion queries or DNS security extension should be apply because it can protect the DNS or website from phishing and pharming attack. Visual clues can also be use so that user can easily differentiate between authentic website and fraudulent website. Token based authentication also one of the technique that can be apply to protect the website or DNS server from phishing and pharming attack. Users are also responsible to protect their self from phishing and pharming attack by not opening email or download attachment from unknown sender or email that required user to respond by clicking on the hyperlink contained in the email. User should also double confirm the URL at the address bar when a warning message like SSL certificate do not match with the sites appear. User can also install security suite or firewall in the computer in order to protect user from phishing and pharming. User can also look for the lock or key icon at the bottom of the browser that lock the site they want to enter their sensitive personal information. As a user, we can also report the attack of phishing and pharming to the related agencies or company through internet or telephone to assist the work of minimize the attack. In addition, laws are also being introduced to against phisher and pharmer. RECOMMENDATION To prevent from becoming the victims of phishing and pharming, I suggest to users that must install security suite or firewall in their computer and the detection signature of the security suite should be up to date. Besides from this, I also suggest that users should beware in opening any email or attachment that they receive in order to prevent their self from becoming the victims of phishing and pharming. I also suggest to web developers that they should use SSL certificate, switch off the recursion queries, install DNS security extension in protect

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.