The Security Samurai

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves - William Pitt


How Do We Stop Phishing Attacks?

Over 10 years ago, before I even knew what it was, I was the victim of a phishing attack. It was crude but effective against unsuspecting users. The social engineering aspect of it was flawless, but the technical portion was rather weak. Being knowledgeable about how the internet works, I spotted the attack within 5 minutes and quickly changed my password. Today they are getting better, and with our reliance on the internet to conduct many aspects of our daily lives, including financial transactions, the stakes are getting higher.

If you are a fan of Schneier's blog, then you know there is currently no way to completely prevent phishing attacks, only ways to limit their effectiveness. As soon as we develop these methods, criminals adapt theirs, and we end up looking for new solutions. For instance, sending personalized email to users, like "Dear Jim Smith" instead of "Dear PayPal", has up until now been considered a way of letting users know that an email was valid and not a phishing attack. Today, I read a news story about phishers doing just that. This is just another example of why it is impossible to prevent completely.

Phishing attacks that are done properly can be so undetectable they might even fool you or me. Not all of them use shoddy emails that link to an IP address. Those are easy to spot by anyone with even a basic understanding of what a phishing attack is.

Consider, for example, an attack that combines the technical details of the man-in-the-middle attack against eBay with the social engineering aspects of the PayPal attack, and you have something that would fool me 99 times out of 100.

I have thought of a process to guard sites against this, the most dangerous of the phishing attacks. First let's consider how this attack would work. Users would receive an email stating that their account might have been the victim of fraud. They click on the link to the site, which appears to be the actual URL, but due to Unicode issues, DNS poisoning, or something of the like it is actually pointing to another server. The user would log on, using ANY form of authentication possible (2 factor or whatever), and the server simply acts as a proxy, forwarding the request over to the actual site; when its servers respond, the proxy sends the response back to the user. If advanced enough, the proxy site may even have its own SSL certificate to add to the illusion. The user conducts whatever business they must, and when completed, the thieves have everything they need to compromise the user.

So how do we limit this attack's effectiveness? Most users frequent sites from a single machine, but we cannot simply allow users to log on from only a single IP address. That would be impractical due to DHCP and users that log into their accounts from home, work, or even internet cafes. I personally travel a lot, and am always connecting through different ISPs. But we could record the IPs to analyze. Any time a user visits the site from a new IP address, add it to a log that details that user's activity (so we can tell new IP addresses from previously used ones) and also place it into a general log that has no duplicates. If the IP address already exists in the general log, a counter for it would be incremented. Triggers can be placed on these counters so that when they reach a certain threshold, a fraud team could investigate the address further. If they suspect that the IP address is being used as part of a phishing scam, then a switch could be thrown in the application to report an error any time someone tries to log in from that IP address.

This can be built and implemented for far less money and time than other solutions that are currently being studied, like 2 factor authentication, which would do nothing whatsoever to prevent this attack. It would not stop a proxy server that has already been compromised, though. Only when enough users report fraud could you analyze their activity, determine that they all came through a common IP address, and solve that issue.
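The per-user activity log, the shared no-duplicates log with its counter, the review threshold and the login-error switch described above, as an added Python example that is not the post's own code. The threshold of three distinct users per address, the in-memory dictionaries standing in for the site's logs, and the sample addresses (taken from documentation ranges) are all assumptions made for the example.

```python
"""Shared-address login monitor: flags an address once several different
users newly appear from it, and lets a fraud team throw the block switch.
Added example; thresholds, data structures and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginMonitor:
    # Distinct users first seen from one address before the fraud team is
    # asked to look at it. Hypothetical value chosen for the example.
    review_threshold: int = 3
    # Per-user activity log: every address the user has logged in from.
    user_ips: dict = field(default_factory=lambda: defaultdict(set))
    # General log with no duplicates: address -> count of different users
    # that have newly appeared from it.
    ip_user_count: dict = field(default_factory=lambda: defaultdict(int))
    # Addresses handed to the fraud team, and addresses where the
    # "report an error on login" switch has been thrown.
    pending_review: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def login(self, user: str, ip: str) -> str:
        """Record one authentication attempt; returns 'ok', 'review' or 'blocked'."""
        if ip in self.blocked:
            return "blocked"          # switch thrown: the application reports an error
        if ip not in self.user_ips[user]:
            # New address for this user: log it and bump the shared counter.
            self.user_ips[user].add(ip)
            self.ip_user_count[ip] += 1
            if self.ip_user_count[ip] >= self.review_threshold:
                self.pending_review.add(ip)   # trigger fires: fraud team investigates
                return "review"
        return "ok"

    def block(self, ip: str) -> None:
        """Fraud team decision: refuse logins from this address from now on."""
        self.blocked.add(ip)
        self.pending_review.discard(ip)


# Constructed sample login events (user, source address). 198.51.100.7 is a
# documentation-range address standing in for a suspected phishing proxy.
SAMPLE_LOGINS = [
    ("alice", "203.0.113.10"),
    ("bob", "203.0.113.11"),
    ("alice", "203.0.113.10"),   # repeat from a known address: nothing new logged
    ("alice", "203.0.113.12"),   # traveller on a different ISP: new, but a lone user
    ("carol", "198.51.100.7"),   # first user seen from the suspected proxy
    ("alice", "198.51.100.7"),   # second
    ("bob", "198.51.100.7"),     # third distinct user from one address: review
]


def run_sample(threshold: int = 3) -> dict:
    """Replay the constructed events and return the observable results."""
    mon = LoginMonitor(review_threshold=threshold)
    outcomes = [mon.login(user, ip) for user, ip in SAMPLE_LOGINS]
    flagged = sorted(mon.pending_review)
    # The fraud team concludes the flagged address is a proxy and blocks it.
    for ip in flagged:
        mon.block(ip)
    after_block = mon.login("dave", "198.51.100.7")
    return {
        "outcomes": outcomes,
        "flagged": flagged,
        "after_block": after_block,
        "alice_ips": sorted(mon.user_ips["alice"]),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Two points the post itself raises are worth keeping in mind when tuning this. The trigger only hands an address to a human, it does not block on its own, because a workplace gateway or an internet cafe will legitimately put many users behind one address and would otherwise lock them all out. And the counter is per address, so a proxy whose operator keeps changing addresses (as Bob's comment below points out) may never cross the threshold at any one of them; the per-user log is what still lets the fraud team correlate reports after the fact.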

Most other forms of phishing attacks can be prevented with proper user training, which should include an easy way to report phishing scams to the company. It would only take one educated user to report a phishing scam, and the company to respond accordingly, to stop an attack in its infancy.

Any questions?

posted on Thursday, May 19, 2005 7:55 PM

Feedback

# re: How Do We Stop Phishing Attacks? 5/20/2005 4:34 AM Tom Raftery

Eric,

I found your blog after Robert Scoble linked to it on his blog - I'm glad he did. Some good stuff here, thanks.

By the by, I'm not sure if you noticed, but your blog stats in the top right hand corner are reporting zero as the number of posts, stories, comments and trackbacks for this blog!

For a blog with zero posts, you managed to keep my attention for quite some time!

:-)

Tom

# re: How Do We Stop Phishing Attacks? 5/20/2005 4:49 AM Colin Newell

Is the way to prevent yourself from being a victim to phishing to simply not use links provided in your email? Is it not simpler to simply log in through the normal means (via your bookmarks/favourites) and deal with whatever that way?

With the exception of activation links I would avoid links in emails.

That doesn't actually solve the problem, but I'd rather just avoid the hassle.

# re: How Do We Stop Phishing Attacks? 5/20/2005 5:48 AM Eric Marvets

Not clicking links in emails is a good way to stop most phishing scams, however it can be done through other means. Consider a company's proxy server that has been hacked, which would redirect to the phish site instead of the real one. The same thing could be said about any server that acts as a gateway between you and the internet.

# re: How Do We Stop Phishing Attacks? 5/20/2005 8:01 AM Bob

Eric,

This is a fairly complex method to implement, with a limited usefulness.

The first thing I thought of after reading it is that the attacker simply needs to be changing the IP they come from on a regular basis. Something they ought to be doing currently anyway. I seem to remember from my last read of the DNS poisoning attack that there were MANY IPs involved?

It just seems like an awful lot of work to program in the changes you suggest, when a workaround is so simple for the attacker.

Heh, they could write a system to change their IPs easier than you could write a system such as you suggest and integrate it into a web site.

Now that I've loaded and fired at you, I'm sorry to say that I don't have any better ideas.....

What I tell my wife to do is to simply NEVER click on any links in email anymore, even if she was expecting an email from a bank or vendor. Simply exercise the fingers and type in the url, or choose it from faves. And hope that DNS hasn't been poisoned.

# Additional Info on Previous Phishing Post 5/20/2005 11:21 AM The Security Samurai

# re: How Do We Stop Phishing Attacks? 5/21/2005 5:33 AM Xavier Ashe

Many spyware programs modify the user's HOSTS file to redirect a URL to the attacker's site. That way, you'd never know that you were hitting the wrong site.
