The Internet Storm Center handlers provide the following: In the client / server model - Never Trust The Client.
In an ever increasingly hostile online world, how do you do business with what could be a hostile client, which could be your PC, or the PC of one of your customers?
In the last few days, I've read some amazing tips presented around how to perform authentication. A lot of these are targeted at preventing phishing fraud. Phishing, for those recently returned from a distant planet, is the collection and fraudulent use of credentials to make money. During my day job with a financial institution I have experienced wide and varied methods used by organized phishing gangs. Probably the most prolific of those in widespread use is Rock Phish, and it is a good example to gain an understanding of the scale of the problem.
The principle a phisher relies on is the time delay between the fraud being performed and the fraud being detected. This attack method is made more effective by the length of time it takes to take down a phishing web site, and, as we've seen, Rock Phish has increased its effectiveness by increasing the number of web sites being hosted at any one time. Supporting this is a huge organized crime subsystem to get the money into the hands of the bad guys. So, as a user of online banking, auction houses, etc., always look for unexpected information. Does the web site show the date of last login, and does it tally with your activities? If not, contact their customer help desk and have your account checked.
Customer education is the first line of defense in the fight against phishing. Teaching your customers never to expect e-mails from your organization requesting their credentials is paramount. CyLab has recently released an anti-phishing educational game; check it out here. (Editor's Note: this is the Anti-Phishing Phil game we talked about earlier in the month.)
Phishing often uses URL obfuscation techniques to make the link you click on look all the more real. Ed Skoudis compiled a list of techniques often used by phishers, and it is hosted here at the ISC. The page is here and the source code of the attack techniques is here.
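As an added illustration, not part of this diary and not taken from Ed Skoudis's list, here is a small Python checker of the kind an organization could run over links in inbound mail or in its own outbound templates. It flags a handful of well-known obfuscation patterns: a decoy name in front of an "@", an IP address (dotted or a bare integer) instead of a domain name, percent-encoding inside the host part, punycode labels, and the organization's brand appearing inside somebody else's domain. The trusted domain, the brand check and the sample links are assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed for this example: the domain an organization actually owns and
# expects customers to reach. Any link that borrows its name but resolves
# elsewhere is suspicious.
TRUSTED_DOMAIN = "examplebank.test"
TRUSTED_BRAND = TRUSTED_DOMAIN.split(".")[0]


def host_is_ip_literal(host: str) -> bool:
    """True for dotted-quad / IPv6 hosts and for bare decimal or hex forms."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        pass
    # A host that is only digits, or 0x-prefixed hex, is a single integer
    # address in disguise rather than a DNS name.
    return re.fullmatch(r"0x[0-9a-f]+|[0-9]+", host, re.IGNORECASE) is not None


def inspect_url(url: str) -> list[str]:
    """Return the reasons a link looks obfuscated; an empty list means no finding."""
    findings: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # user:pass@host form: everything before '@' is decoration, the real host follows it.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' precedes the real host '{host}'")
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme}', not https")
    if host_is_ip_literal(host):
        findings.append(f"host is an IP literal, not a domain name: {host}")
    if "%" in parts.netloc:
        findings.append(f"percent-encoding inside the authority: {parts.netloc}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode (IDN) label in host, check for look-alike characters: {host}")
    # Brand name present, but the registrable domain belongs to someone else.
    if TRUSTED_BRAND in host and host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        findings.append(f"'{TRUSTED_BRAND}' appears in a host that is not {TRUSTED_DOMAIN}: {host}")
    return findings


# Constructed sample links, as they might appear in a phishing e-mail.
SAMPLE_LINKS = [
    "https://www.examplebank.test/login",
    "http://www.examplebank.test@203.0.113.5/login",
    "http://3405803270/login",
    "https://examplebank.test.secure-update.example/",
    "https://www.xn--exmplebank-5za.test/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        reasons = inspect_url(link)
        print(link, "->", "OK" if not reasons else "; ".join(reasons))
```

The checks are deliberately structural rather than reputation based: they need no blocklist and catch the link before anyone resolves it, which is where a customer-facing toolbar or a mail gateway wants to be. A hit is a reason to look closer, not proof of fraud, since legitimate sites occasionally use IP literals or punycode.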
To counter this threat, consider the use of modern browsers with built-in rogue site detection, or add-on toolbars which alert users to potential phishing sites. But be careful about how you recommend this to your customer base, as the phishers could jump on your "download and install now!" bandwagon to distribute trojans. Communication of this sort is only recommended once the customer has authenticated to you, and equally once you have authenticated to them. There are a few examinations of this sort of technology on the web, such as CERT's report.
However, phishing needs the bank's customer to give away their credentials, and customers are becoming more aware of the dangers. So the fraudsters are moving to trojans, and to other areas in which to cast their phishing nets. The areas of the Internet that phishers are covering are colossal: from banking to identity theft, from auction sites to online gaming, anywhere a credential is used and money can be made, phishers are targeting. There will be more on online gaming safety later in the month.
In the financial world, trojans are the 'soup du jour'. If your system has been infected with a modern banking trojan, it is 'game over'. It is often safer to format and reinstall. The trojans are now so advanced as to render what you see through your browser totally unbelievable.
To protect yourself against this sort of threat, have a good antivirus product installed and update signatures daily, make sure you are patched, and make sure you are running an effective firewall product. Check with your bank: some of them are giving away AV/firewall products, so you might not even have to buy one. Look back through the last few days to get tips on how to configure your operating system of choice.
The move from username and password authentication to two-factor authentication is underway at some banks and organizations such as eBay. There are multiple standards in play here, and we will all, maybe in the short term, end up with multiple tokens: the one you use to authenticate to your bank and the one for your auction site may use different technologies.
If your financial organization of choice uses such two-factor authentication for logon, but not for marking your transactions to third parties as valid, then trojans are an active threat to any transactions you make.
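To make that distinction concrete, here is an added Python example (not part of this diary, and not any bank's actual scheme) of what "marking a transaction as valid" with the second factor looks like in principle. The customer's token shows the beneficiary and amount on its own display, computes a short code over exactly those details plus a bank-issued challenge, and the bank recomputes the code over what it actually received. A trojan on the PC that rewrites the beneficiary or amount after the customer approves them can only forward the old code, which no longer matches; a replay of an accepted transaction is refused because the challenge has been used. The shared secret, challenge and account identifiers are constructed values.

```python
import hashlib
import hmac

# Constructed for this example: a secret provisioned into the customer's
# hardware token and held by the bank. Never reuse a demo value like this.
SHARED_SECRET = b"constructed-demo-token-secret"


def canonical_message(beneficiary: str, amount_cents: int, challenge: str) -> bytes:
    # Fixed field order and an unambiguous separator, so the code is bound to
    # exactly these details and nothing else.
    return f"{beneficiary}|{amount_cents}|{challenge}".encode()


def token_sign(secret: bytes, beneficiary: str, amount_cents: int,
               challenge: str, digits: int = 8) -> str:
    """Code the customer's token produces after showing beneficiary and amount on its own display."""
    mac = hmac.new(secret, canonical_message(beneficiary, amount_cents, challenge),
                   hashlib.sha256).digest()
    code = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{code:0{digits}d}"


def bank_verify(secret: bytes, beneficiary: str, amount_cents: int, challenge: str,
                code: str, used_challenges: set) -> bool:
    """The bank recomputes over the details it received, never over what the client claims it signed."""
    if challenge in used_challenges:
        return False  # replay of an already accepted transaction
    expected = token_sign(secret, beneficiary, amount_cents, challenge)
    if not hmac.compare_digest(expected, code):
        return False  # details changed somewhere between the token's display and the bank
    used_challenges.add(challenge)
    return True


def demo() -> dict:
    """Three submissions: a genuine one, one rewritten by a trojan, and a replay."""
    used: set = set()
    challenge = "chal-000123"  # constructed; in practice issued fresh by the bank per transaction
    beneficiary, amount = "ACCT-FRIEND-42", 12_500
    code = token_sign(SHARED_SECRET, beneficiary, amount, challenge)

    genuine = bank_verify(SHARED_SECRET, beneficiary, amount, challenge, code, used)
    # A trojan on the PC swaps destination and amount, but can only forward the same code.
    tampered = bank_verify(SHARED_SECRET, "ACCT-MULE-99", 250_000, challenge, code, set())
    # Re-sending the genuine request verbatim after it was accepted.
    replayed = bank_verify(SHARED_SECRET, beneficiary, amount, challenge, code, used)
    return {"genuine": genuine, "tampered_by_trojan": tampered, "replayed": replayed}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The property that matters is that the secret never touches the PC and the code is worthless for any transaction other than the one the customer read on the token. A logon-only token gives neither: once the session is open, the trojan submits whatever it likes in the customer's name.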
Some suggestions from another ISC contributor:
- Never respond to unsolicited emails, regardless of how authentic the email appears.
- Never click on a provided URL or dial a provided telephone number. Ever.
- If you think an unsolicited email may be authentic, then contact that organization through a previously established communications channel. This could be a phone number off a bill or contact information from their website (but the website access has to be made from a new browser window using a saved Favorites link that YOU previously established).