WebApp Sec mailing list archives

Directed phishing attacks- protection methods


From: "Joshua Perrymon" <josh.perrymon () purehacking com>
Date: Wed, 12 Jul 2006 13:41:32 +1000


Here is one phishing site for PayPal:

http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html



This is not a bad job of duplication. However, PayPal and similar sites are
used way too much for this type of attack in my opinion. The phishing email
would probably be sent to every email address they could harvest, setting off
every alarm Websense has.

Phishing attacks are most effective when duplicating something like OWA or
Citrix portals, or even better, custom-built company portals facing the
net and only sent to a handful of addresses gathered from company X.

One interesting note about the site above is that it seems to relay its
data back to the attacker using POST instead of relying on an underlying
mail program/script.

------ POST data from the phishing site above ---
HTtp://www.yourfreespace.net/users/payal/Processing+Login.html?login=done0%3F847&password=1&email=1&altaddr=1&checkguar=1&PPIPProtPlus=PASS_encIP=62.245.23.454&enctype=blowfish&continue=ProcessingLogin&acceptlogin=pass&acceptpassword=pass&LoginAttempt=SecureLoginPass&SecurityMeasureCode=noneb2baf0b6a57d39abd6c44b48d6fe3559112c21e54b7e705ecc5116b3c7c38c37949e8aa81848934faf0821be04210e8c2ded3c4159edbee3ee1439f3892a3e9&Access=1&Submit=ProcessingLogin&cmd=_login-processing&login_cmd=_login-done&login_access=11680108541
--------------------------------------------------------------------------------


Protecting against this type of attack???
I don't know of many existing content gateways / email filters that will
stop the initial email if the attack is a one-off and sent on a small scale.
It's just some verbiage with an <A> and a link to the attacker's IP address or
site hosting the phishing site. A lot of times the web servers have been
compromised and the http server is on a non-standard port unless port 80
wasn't used before.

Then when the user clicks on the link in the phishing email it opens the
browser w/o triggering any alarms. (I haven't visited any sites that the
new M$ phishing filter picked up from its whitelists.)

Enters password.. game over. The attacker now logs in using the newly
harvested credentials. This also works with token password generators
(nothing new here), given it's only a 60-second window to login after
acquiring the first token code.



Ideas???
-----
End-User security awareness and training is the most important deterrent.
Whitelisting isn't going to stop small footprint attacks directed at a
single company and a handful of users.

Most companies believe that blocking HTML in email handicaps email's
effectiveness.. (screw the newsletters.. put it on a website)

Users should copy links from the email into the browser but don't.

Certificates will protect where tokens fail.

Network Protection:
I believe that it's possible to develop "widgets" to alert on this type of
directed phishing attack. First you have to have the ability to monitor all
email traffic. This shouldn't piss off legal because all users should have
already signed off on this.

The most effective would be to monitor all known public email addresses,
including "planted" email addresses placed in forums and webpages to be
harvested. This would provide a greater % that traffic sent to those
addresses is a directed attack.. (Like an Email Honeypot :)

( yes... need to copyright that one quick muhahah  :)

It should be easy to develop an analysis to pick up on standard phishing
emails. You would look for Anchors / links with IP addresses that resolve
outside of the "known-whitelisted" address list. This should at least
alert and place the email in a second level queue for analysis. You could
also do some type of grep on the email link looking for company X verbiage.



M$ Phishing filter may even be USEFUL ( Almost.... )

So using the methods above you would have a system to alert on potential
phishing attacks, scanning all emails or preferably only public emails,
including "planted" ones.

The widget performs analysis to determine if the email is a phishing attack.

This process could be automated to perform the whois and so on. So now we
should have determined the IP or block for the hosted phishing site. We can
use something like M$ phishing filter. Send it the new whitelisted IP
address of the phishing site and the browser should block the site. If the
widget monitors all emails coming into the company then it should have the
ability to do some trending of who received certain emails.. sorted on
subjects for instance. Once you found the phishing email you would have a
known list of all email addresses that received the email once the attack
has been spotted.

This could be used as additional analysis to monitor traffic after the
attack. 


Just some ideas I have had. If anyone is interested in working with us on
developing something like this get in touch with me:


Josh.perrymon () packetfocus com
CEO
www.packetfocus.com
www.packetfocus.blogspot.com
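The link analysis and honeypot-address check sketched in the post above, as an added Python example (not the author's code or any shipped product): it assumes a constructed allowlist of company hosts, one planted address and a short list of company wording, and flags anchors whose host is a raw IP address, sits on a non-standard port, or falls outside the allowlist while the anchor text carries company X verbiage.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hypothetical allowlist, planted (honeypot) address and company wording, all constructed.
ALLOWED_HOSTS = {"companyx.example", "owa.companyx.example"}
HONEYPOT_ADDRS = {"careers-old@companyx.example"}
COMPANY_WORDS = ("companyx", "owa", "citrix", "portal")

class AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw_message):
    # Returns the findings for one message; an empty list means nothing was flagged.
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    if {a.strip().lower() for a in msg.get("To", "").split(",")} & HONEYPOT_ADDRS:
        findings.append("recipient is a planted honeypot address")
    body = msg.get_body(preferencelist=("html",))
    collector = AnchorCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if host.replace(".", "").isdigit():       # raw IPv4 address instead of a name
            findings.append(f"link to raw IP address: {host}")
        if url.port not in (None, 80, 443):       # web server on a non-standard port
            findings.append(f"link on non-standard port: {url.port}")
        if host and host not in ALLOWED_HOSTS:    # points outside the known hosts
            findings.append(f"link host outside allowlist: {host}")
            if any(w in text.lower() for w in COMPANY_WORDS):
                findings.append(f"company wording points off-site: {text!r}")
    return findings

SAMPLE = ("From: helpdesk@companyx.example\nTo: careers-old@companyx.example\n"  # constructed lure
          "Subject: OWA password expiry\nContent-Type: text/html\n\n<p>Sign in at "
          '<a href="http://192.0.2.10:8080/owa/">CompanyX OWA portal</a></p>')
```

A hit on any finding is what the post calls the "second level queue"; the recipient list of matching messages is what it would trend on afterwards.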


