Judging from some of the feedback on my last post on phishing, I apparently was not clear enough about the attack and the prevention method. The solution is effective against the particular type of phishing scam diagrammed here:
Most of the feedback I received focused on the email portion of the attack, so I decided to remove it completely from the equation to make the attack clearer. This also better demonstrates that none of us are safe and that the attack really can be completely undetectable. The attack is purely hypothetical, as I have never heard of it being implemented. It is, however, entirely possible. The solution to this attack will also prevent other, weaker variants of the man-in-the-middle attack, with one exception that I will discuss at the end. The diagram shows:
1. An ISP that serves 500,000 residents of a major metropolitan city has had its DNS server compromised. When users attempt to visit www.mybank.com, the DNS server sends them the incorrect IP address (any other means of a user winding up at the wrong site could replace this step, including but not limited to email links).
2. The client then connects to the IP address, which is that of the phishing attacker. The phishing server is acting as a proxy and merely gathering data. That data is mined by the phishers and used from anywhere in the world. In other words, this server does not commit the actual fraud, but records the authentication credentials (username/password, 2-factor, etc.) of the user so the fraud can be committed from another location.
3. When the phishing server receives a request, it forwards it on to the actual bank's server. The bank processes the request just as it normally would and sends a response to the phishing server. The phishing server responds back to the client, and neither the bank nor the user is aware that someone has been listening in on their conversation.
It is impossible for the end user, without looking up the IP address or using some other investigative method, to be aware that they have just been victimized. There were no clues evident during the attack that would have made the user suspicious enough to perform any investigation in the first place. The one possible exception is a lack of an SSL certificate, but this is easy enough for the proxy server to handle as well. It could simply have the client redirect to another URL the attackers purchased, like www.MyBankOnline.com, that has an accompanying SSL certificate. Because they typed in the bank's address, and it appeared the bank redirected them, users would most likely accept this as valid. To make it even sneakier, the attackers could use a non-standard Unicode character to make the URL appear the same, as was the case in the PayPal attack, and now it has become completely transparent to the user.
The bank can do something to detect this. The solution I am about to describe is not that hard to implement from a technical standpoint. As a rough estimate, I suppose it could be added in a matter of months, and at a far lower cost than other alternatives currently being evaluated that do not solve the problem, like rolling out 2-factor authentication to thousands or millions of users.
All they would have to do is track the IP addresses that a particular user logs in with, by adding an activity log that captures time and IP address. A user logging in from a new IP address is not suspicious by itself. When a new IP address is used to log in, an additional log would capture this IP and increment a counter that denotes the number of different users that have logged in for the first time from that IP. A trigger with a threshold could be placed on this log to alert fraud agents at the company when too many users come from a particular IP address for the first time. Fraud agents would then investigate the IP address to determine if it is part of a phishing scheme. In the attack described above, all users coming through the proxy server would appear to the bank as coming from a single IP address, because the attacker's machine is a proxy server, not a router. The bank now simply disallows all traffic from the phishing proxy server.
There will be false positives. For example, a company that changes the IP address of its legitimate proxy server would cause the trigger to fire.
All man-in-the-middle attacks I have seen to date use a single proxy server to perform the attack, meaning there will be only a single IP address. The next variant of the attack would be to try to appear as if it were coming from multiple IP addresses, possibly through a farm of proxy servers, as diagrammed here:
As criminals adapt their attacks, so must you. Now that they have distributed the load amongst a farm, the threshold in the trigger that monitors new IP addresses must be lowered. This will cause significantly more false positives for the fraud team at a company to deal with. The upside is that it is now much more difficult, in terms of materials and labor, for phishers to set up a farm of servers to perpetrate attacks from. At some point, the value gained from these phishing attacks will be outweighed by the cost and risk of implementing them.
I can also see another possible variant where one machine has multiple IP addresses for sending and receiving to the actual server, and only a single address for sending and receiving to the user. Since hosting providers assign a range of IP addresses, you could adjust the prevention method to look at IP ranges instead of individual IP addresses. The downside again is the increased number of false positives.
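The activity log, first-time-IP counter and threshold trigger described above, together with the IP-range variant from this paragraph, as an added example (not code from the original post). The log lines, user names and threshold are constructed; `prefix_len` selects between keying on the exact address and keying on a network block.

```python
import ipaddress
from collections import defaultdict

# Constructed sample activity log: (timestamp, user, client IP). Not real data.
# 192.0.2.50 plays the phishing proxy; .51 and .52 play a small proxy farm.
SAMPLE_LOG = [
    ("2024-01-10T09:00:00", "alice", "203.0.113.10"),
    ("2024-01-10T09:05:00", "bob",   "198.51.100.20"),
    ("2024-01-10T09:07:00", "alice", "203.0.113.10"),  # known IP for alice, not new
    ("2024-01-11T08:00:00", "alice", "192.0.2.50"),    # new IP for alice
    ("2024-01-11T08:01:00", "bob",   "192.0.2.50"),    # new IP for bob: same proxy
    ("2024-01-11T08:02:00", "carol", "192.0.2.50"),
    ("2024-01-11T08:03:00", "dave",  "192.0.2.51"),    # farm variant: neighbouring address
    ("2024-01-11T08:04:00", "erin",  "192.0.2.52"),
]


def first_seen_counts(log, prefix_len=32):
    """Replay the activity log and count, per key, how many distinct users
    logged in from that key for the first time.  prefix_len=32 keys on the
    exact IPv4 address; a smaller value (e.g. 24) keys on the network block,
    which is the IP-range variant."""
    seen = defaultdict(set)    # user -> keys that user has already logged in from
    counts = defaultdict(int)  # key  -> number of users seen from it for the first time
    for _ts, user, ip in log:
        key = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        if key not in seen[user]:  # a repeat login from a known IP is not counted
            seen[user].add(key)
            counts[key] += 1
    return dict(counts)


def trigger(counts, threshold):
    """Return the keys whose first-time-user count meets the threshold; these
    are what a fraud agent would be alerted to investigate.  A legitimate
    corporate proxy that changes address will show up here too (false positive)."""
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    per_ip = first_seen_counts(SAMPLE_LOG)
    print("single proxy (exact IP), threshold 3:", trigger(per_ip, 3))
    per_block = first_seen_counts(SAMPLE_LOG, prefix_len=24)
    print("proxy farm (/24 block), threshold 3:", trigger(per_block, 3))
```

With the exact-address key only the single proxy crosses the threshold; keying on the /24 block catches the farm as well, at the cost of lumping every legitimate customer in that block together.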
As I mentioned earlier, there is one instance of a man-in-the-middle attack this will not solve: when a legitimate proxy server used by a company is compromised. If a legitimate proxy server is turned into a phishing proxy server, then the IP address of the server will not be new to the application. I consider this to be a much more difficult form of attack, and if done, it would only affect the employees of a particular company.
Other forms of phishing attacks are easy for educated users to spot. Training users to become more aware of their surroundings is an important step that most companies overlook. Ironically, AOL was the first company I saw inform its customers that it would never ask for certain types of information.
The key factor that gives these other types of phishing scams away is that they ask for information the site should already have. Reporting these scams to the company, and having the company respond in a timely manner, should limit their effectiveness. You may also report the scam to the Anti-Phishing Working Group, just in case the target company does not have the proper infrastructure in place for dealing with them.