The "No Network is 100% Secure" series
- Phishing -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is phishing?: Phishing is an attempt to steal personal data.
The term comes from "Fishing for information".
SMS phishing (SMSishing) occurs when you receive an SMS message that purports to come from a reputable source, such as your bank, asking for personal details.
How is phishing accomplished?: Several popular methods are used to illegally acquire sensitive or private information such as bank details, login information or personal details. The delivery method is usually e-mail. These messages usually direct victims to a spoofed web site or otherwise induce them to divulge private information (e.g., a password, credit card number, or other data). The perpetrators then use this private information to commit various types of fraud such as identity theft.
Why do people fall for these phishing scams?: Phishing scams are social engineering tools designed to induce panic in the reader. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.
How does one avoid becoming a phishing victim?: Most people tend to be trusting of their fellow man. But most people do not understand that the Internet is like the old Wild West... totally lawless, with robbers, thugs and highwaymen at every turn. Until computer users become "street smart" and understand that the rules of polite society do not apply on the Internet, there will be victims aplenty for the world's cyber criminals. The first rule of self-protection is "trust no one and nothing that comes to you via the Internet". Ignore this rule at your peril.
Here are a few specifics: Always be suspicious of any email message that asks you to enter or verify personal information, whether through a web site or by replying to the message itself. Never reply to or click the links in such a message. If you feel the message may be legitimate, go directly to the company's web site (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message. Avoid providing any information on web sites that cannot be authenticated with a Verisign certificate. If you don't know what this is, my advice would be to never provide any personal information to any web site, period.
When you recognize a phishing message, delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.
Always read your email as plain text. Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.
Cautionary notes: Reading email as plain text is a general best practice that, while it avoids some phishing attempts, won't avoid them all. Some legitimate sites use redirect scripts that don't validate the redirect target. Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites.
Another tactic is the homograph attack, which, thanks to Internationalized Domain Name (IDN) support in modern browsers, allows attackers to use characters from other language scripts to produce URLs that look remarkably like the authentic ones. These look-alike names are encoded with a technology known as punycode. Such web sites may very well have Verisign certificates and could look completely legitimate.
Bottom line: Trust has gone out the window when you follow links in email or on Web sites. There's no longer a way to be sure that the domain name you're visiting is the one you think it is, unless you check the URL out in Terminal or have multiple anti-spoofing and anti-phishing browser plug-ins installed. When it comes to entering personal information on a web site when asked to do so, my advice would be: just don't do it!
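An added example, not from this white paper: a small Python script that does what reading mail as plain text lets you do by eye. It lists where each link in an HTML message really goes (including links hidden behind images), decodes any punycode (xn--) labels in the hostname, and flags labels that mix alphabets, visible text that names a different domain than the link target, and links to bare IP addresses. The HTML message and every hostname in it are constructed placeholders; the "xn--pple-43d" label is the well-known encoding of a Latin "apple" with a Cyrillic first letter.

```python
"""Inspect links in an HTML e-mail the way plain-text reading exposes them.

Added example, not from the original white paper. The e-mail body below is
constructed; hostnames in it are placeholders, not real phishing sites.
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "verify your account" mail whose visible text and
# image point somewhere other than the company it claims to be.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://xn--pple-43d.example/login">
verify your account at apple.example</a> within 24 hours.</p>
<a href="http://203.0.113.10/bank"><img src="cid:logo" alt="Your Bank"></a>
<p>Or visit <a href="https://www.example.com/help">our help pages</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, including image-only anchors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._href, self._text = attrs["href"], []
        elif tag == "img" and self._href is not None:
            # An image inside a link: plain-text reading shows only the target.
            self._text.append("[image: %s]" % attrs.get("alt", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def scripts_in(label):
    """Set of Unicode scripts used in a label, taken from character names (heuristic)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_host(host):
    """Decode punycode labels and report homograph indicators for one hostname."""
    findings = []
    unicode_labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            decoded = label[4:].encode("ascii").decode("punycode")
            findings.append("punycode label %s decodes to %r" % (label, decoded))
            label = decoded
        unicode_labels.append(label)
        if len(scripts_in(label)) > 1:
            findings.append("mixed scripts in label %r" % label)
    return ".".join(unicode_labels), findings


def inspect_email(html):
    """Return one report dict per link: where it really goes and why it is suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    reports = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown_host, findings = analyze_host(host)
        # Visible text that names a domain other than the real target.
        for word in text.split():
            w = word.strip(".,;:()").lower()
            if "." in w and not w.startswith("[image") and w != shown_host:
                findings.append("text names %s but link goes to %s" % (w, host))
        if host.replace(".", "").isdigit():
            findings.append("link target is a bare IP address")
        reports.append({"href": href, "text": text, "host": host, "findings": findings})
    return reports


if __name__ == "__main__":
    for report in inspect_email(SAMPLE_HTML):
        print(report["href"], "|", report["text"])
        for finding in report["findings"]:
            print("   !", finding)
```

The script-mixing check is deliberately a heuristic based on Unicode character names; a name that is entirely Cyrillic would pass it, so the decoded hostname printed alongside the original is the thing to read, just as the paper advises reading the URL rather than the link text.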
Why should IT Managers care about phishing?: Phishing is typically a one-on-one attack. So why would an enterprise network manager care about these activities? Phishing is often geared towards obtaining a legitimate username and password for a computer network somewhere. And as you may know, the best way to defend against hackers is to never allow them to gain access to your network. Once a miscreant gains login access to your network, they are halfway to gaining root access. This is particularly problematic in large networks that use centralized login authentication methods such as NIS, Active Directory, PAM and so on. Once they are "inside", they can bypass protections such as firewalls and intrusion detection systems (IDS), making it much easier to wreak havoc in your network.
My ISP has tens of thousands of users, and even if only two or three fall for a phishing scam, it can cause major problems. For example, a legitimate username and password allows the attacker to access the ISP mail server for the purpose of sending bulk spam e-mail. At the very least, this causes the victim e-mail server(s) to be blacklisted (blocked) by most larger ISPs and company networks, greatly interfering with your ability to conduct business. And depending on how robust your mail server hardware is, the attack could also result in a DoS that prevents legitimate e-mail to or from your company from being delivered.
With a username and password, hackers can also upload web site content that sends web surfers to porn sites and other web servers run by criminals. And if your file protections are weak, hackers can also deface and otherwise compromise your company web site! Just do a Google search on "porn sex midgets" or something like that and see how many government web sites, libraries, church sites, businesses and so on show up in the listing that host one or more porn site pages! Embarrassing, to say the least!
Can these attacks be seen?: If you don't have a professionally staffed, proactive NOC and/or if you are not actively monitoring server log files, probably not. Your first indication may well be vague complaints from users that "the network is slow". Depending on the severity of the break-in, your users may start seeing mail bounce messages or other symptoms that will eventually be reported to IT support. Without the proper tools, these cyber criminals could be having a fine old time for hours or even days before you actually realize what's going on. And by that time, the damage has been done and it's all over but the crying.
What symptoms should I look for?: A substantial increase in the server load average or the length of the mail queue would be two indications.
From my ISP: how do you spot if a phishing attack was successful? You look in the maillogs and see two patterns:
1) A series of emails going to alphabetically-arranged usernames in a single domain.
2) A whole bunch of NDRs (non-delivery reports), usually from messages sent to nonexistent addresses.
If you see those two, you can be pretty sure you've got a spammer in your network. From there, it's a matter of tracking them down and knowing whether or not your users were recently targeted with a phishing email.
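As an added example, not from the white paper or the ISP, the following Python script checks a Postfix-style mail log for the two patterns just described. For each authenticated sender it links submissions (the sasl_username on the smtpd line) to delivery attempts by queue ID, then measures the longest run of consecutive recipients in one domain whose local parts are in alphabetical order and counts bounced deliveries. The log lines, queue IDs, hosts and addresses are constructed, and the thresholds min_run and min_bounces are assumptions to be tuned per site.

```python
"""Spot the two maillog patterns the ISP describes: alphabetical recipient
runs within one domain, and a burst of non-delivery reports.

Added example, not part of the white paper. Log lines are constructed in
Postfix style; queue IDs, hosts and addresses are placeholders.
"""
import re
from collections import defaultdict

# Constructed log: user "jsmith" (credentials phished) blasts one domain in
# alphabetical order and collects bounces; "mlee" sends one normal message.
SAMPLE_LOG = """\
Mar 25 10:01:02 mx postfix/smtpd[1201]: A1B2C3: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=jsmith
Mar 25 10:01:03 mx postfix/smtp[1202]: A1B2C3: to=<aaron@target.example>, relay=mx.target.example[198.51.100.2]:25, status=sent (250 OK)
Mar 25 10:01:03 mx postfix/smtp[1202]: A1B2C3: to=<abby@target.example>, relay=mx.target.example[198.51.100.2]:25, status=bounced (550 5.1.1 User unknown)
Mar 25 10:01:04 mx postfix/smtp[1202]: A1B2C3: to=<adam@target.example>, relay=mx.target.example[198.51.100.2]:25, status=bounced (550 5.1.1 User unknown)
Mar 25 10:01:04 mx postfix/smtp[1202]: A1B2C3: to=<alan@target.example>, relay=mx.target.example[198.51.100.2]:25, status=sent (250 OK)
Mar 25 10:01:05 mx postfix/smtp[1202]: A1B2C3: to=<amy@target.example>, relay=mx.target.example[198.51.100.2]:25, status=bounced (550 5.1.1 User unknown)
Mar 25 10:02:10 mx postfix/smtpd[1201]: D4E5F6: client=pc12.lan[192.0.2.12], sasl_method=LOGIN, sasl_username=mlee
Mar 25 10:02:11 mx postfix/smtp[1202]: D4E5F6: to=<pat@partner.example>, relay=mx.partner.example[198.51.100.9]:25, status=sent (250 OK)
"""

# smtpd line that records which authenticated user submitted a queue ID.
SASL_RE = re.compile(r": (?P<qid>[0-9A-F]+): client=.*sasl_username=(?P<user>\S+)")
# smtp line that records one delivery attempt and its outcome.
DELIVERY_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*status=(?P<status>\w+)")


def parse_deliveries(log_text):
    """Map each delivery attempt to the authenticated user who submitted it."""
    submitter = {}                 # queue id -> sasl_username
    deliveries = defaultdict(list)  # user -> [(recipient, status), ...] in log order
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            submitter[m.group("qid")] = m.group("user")
            continue
        m = DELIVERY_RE.search(line)
        if m:
            user = submitter.get(m.group("qid"), "<unauthenticated>")
            deliveries[user].append((m.group("rcpt").lower(), m.group("status")))
    return deliveries


def longest_alpha_run(recipients):
    """Longest run of consecutive recipients in one domain with ascending local parts."""
    best = run = 0
    prev_local = prev_domain = None
    for rcpt in recipients:
        local, _, domain = rcpt.partition("@")
        if domain == prev_domain and local >= prev_local:
            run += 1
        else:
            run = 1
        best = max(best, run)
        prev_local, prev_domain = local, domain
    return best


def find_suspects(log_text, min_run=4, min_bounces=3):
    """Return per-user findings for every sender matching either pattern."""
    suspects = {}
    for user, attempts in parse_deliveries(log_text).items():
        recipients = [r for r, _ in attempts]
        bounces = sum(1 for _, s in attempts if s == "bounced")
        run = longest_alpha_run(recipients)
        reasons = []
        if run >= min_run:
            reasons.append("alphabetical run of %d recipients in one domain" % run)
        if bounces >= min_bounces:
            reasons.append("%d bounced deliveries (NDRs)" % bounces)
        if reasons:
            suspects[user] = {"messages": len(attempts), "bounces": bounces,
                              "alpha_run": run, "reasons": reasons}
    return suspects


if __name__ == "__main__":
    for user, info in find_suspects(SAMPLE_LOG).items():
        print(user, info)
```

Against a real server, feed the script the contents of the mail log (for example, find_suspects(open("/var/log/maillog").read()), adjusting the path to your system) and compare any flagged accounts with recent phishing reports from the help desk; a flagged account is a candidate for a password reset and a closer look, not proof by itself.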
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro