What Phishers Know That You Don't

By Jeremiah Grossman, Guest Columnist | Published April 29, 2005, 10:22 AM

Today's headlines scream about phishing attacks that are stealing financial data, bilking billions from consumers, and contributing to identity theft. These news articles are soon followed by vendor press releases and dubious marketing propaganda seeking to capitalize on the buzzword hysteria.

Security professionals are left trying to separate the truth from the hype while looking to SSL, token authentication, e-mail encryption, A/V scanners, blacklist and take-down services for solutions. Each incident usually gets management very excited about protecting their customers and the brand.

Meanwhile, gleefully hopping from foot to foot, the Phishers are having the last laugh because they know something you don't: none of this stuff actually works anyway, at least not for phishing scams. Don't get me wrong: these solutions have their time and place, just not when it comes to phishing, and I'm here to tell you why.

Everyone's heard about "spoofed" e-mails compelling consumers to visit fake Web sites and fooling them into disclosing sensitive information. So I'm skipping that part of the conversation because it's boring. What's interesting are the increasingly sophisticated techniques Phishers are using to maintain their edge. Let's delve into the dark-arts that render phishing attacks virtually impervious to the widely advertised solutions mentioned above.

Phishers are targeting consumers by exploiting Web security loopholes for financial gain. And it makes perfect sense that they would, because 9 out of 10 Web sites are vulnerable to something serious called cross-site scripting (XSS).

A recent report issued by the Anti-Phishing Working Group (APWG) states that Phishers are visibly employing cross-site scripting redirect attacks. "...Websense Security saw a number of attacks using cross-site scripting to redirect URLs from popular Web sites in order to better present themselves and as a means to prevent blocking," according to the APWG February 2005 Trends Report. Using specially crafted links, Phishers are piggybacking on legitimate domain names to pull off their scams.

Cross-site scripting is by far the most common and overlooked vulnerability in Web sites today. Coincidentally, XSS is just the "super" bait Phishers are looking for. XSS attacks target the users of a Web site rather than the Web server or operating system. A Web site is at risk if a coding oversight allows user-submitted content to be displayed without filtering out malicious data.

What a clever Phisher does is create a specially crafted link, laced with Web scripting code, and convinces a user to click on it. When the user clicks, the injected code executes and becomes part of the resulting Web page. This is where the Phisher's fun begins.

Consider the following example: http://therealwebsite.com/redirect/user/to/http://thefakewebsite.com

When a user looks at the above Web address, the link appears legitimate because the domain name shown is in fact the real Web site's. The link can also be encoded to disguise its intention further. When the user clicks "therealwebsite.com," their browser is automatically redirected to "thefakewebsite.com," the Web address tacked onto the end of the link. From the user's perspective, everything appears normal as they land on the fake page.
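As an added example (not code from the article or from any site it names), the two server-side defects behind the link above, written as a small Python handler in its flawed form and in a hardened form. The redirect helper accepts only same-site destinations, and the rendering helper HTML-encodes a reflected parameter, which is the "filtering" step the article says XSS-prone sites omit. `SITE_HOST` reuses the article's placeholder domain; the function names are assumptions.

```python
# Added example (not code from the article): a redirect endpoint in the flawed
# form the article describes, a hardened form, and HTML encoding for a
# reflected parameter. SITE_HOST reuses the article's placeholder domain.
from html import escape
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "therealwebsite.com"  # the article's placeholder for the real site


def unsafe_redirect_target(param: str) -> str:
    """Flawed behaviour: whatever follows /redirect/user/to/ is used as the
    destination, so a link on the trusted domain can send the browser to an
    unrelated site (the pattern in the article's example URL)."""
    return param


def safe_redirect_target(param: str, default: str = "/") -> str:
    """Hardened behaviour: honour only same-origin destinations.

    A relative path is accepted as-is; an absolute URL is accepted only when
    it is https and its host is SITE_HOST. Anything else (another host, a
    scheme-relative '//host' prefix, a backslash that some browsers normalise
    to a slash) falls back to the default landing page.
    """
    parts = urlsplit(param)
    if parts.scheme or parts.netloc:
        if parts.scheme == "https" and parts.hostname == SITE_HOST:
            # Rebuild from our own host so userinfo/port tricks cannot survive.
            return urlunsplit(("https", SITE_HOST, parts.path or "/", parts.query, ""))
        return default
    if not param.startswith("/") or "\\" in param:
        return default
    # Path and query only; no host, userinfo or fragment can sneak in.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def render_greeting(user_supplied_name: str) -> str:
    """Reflect a request parameter into a page safely.

    The article's XSS condition is user-submitted content displayed without
    filtering; encoding the value makes the browser treat '<', '>', '"' and
    "'" as text rather than markup, so injected tags never become part of
    the page.
    """
    return "<p>Hello, " + escape(user_supplied_name, quote=True) + "</p>"


if __name__ == "__main__":
    crafted = "http://thefakewebsite.com"  # the article's placeholder for the fake site
    print("flawed  :", unsafe_redirect_target(crafted))
    print("hardened:", safe_redirect_target(crafted))
    print(render_greeting("<b>Alice</b>"))
```

The hardened redirect deliberately rebuilds the destination from its parsed parts rather than echoing the parameter, so a host check cannot be bypassed by userinfo (`https://therealwebsite.com@other.example/`) or port suffixes. Output encoding is the general defence for reflected input; it does not depend on recognising any particular payload.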

Prominent Web sites, including eBay, Google, Lycos, Citizens Bank, and SunTrust have been victimized by similar types of attacks. The good news is that consumers are wising up and learning how to identify this type of scam. The bad news is the next generation XSS attacks are proving nearly impossible for consumers to spot or technology to identify.

These attacks actually convert the real Web site into the fake Web site, making consumers all the more likely to fall for the scam. Sounds like magic, doesn't it? But it's actually just a clever trick.


Comments


Just found this:

http://toolbar.netcraft.com/

It looks promising. I've already tested it on some phishing sites I knew of and it worked - it popped up a warning telling me about possible XSS. Maybe we're closer to a solution than I thought. Then again, maybe not.

Score: 0


Could a website create a sort of unreproducible graphic? Like the holograms on MS CDs or a watermark on a dollar bill that verifies the authenticity of the page.

If eBay, Amazon or Google decide to nip this issue, they could develop some sort of element that says this is authentic.

If certain elements or images are being hijacked or not served from the correct server, then a message saying 'this is not an authentic source' could be shown.

While I'm not a developer by trade I do have some development background. I just figure Amazon or Google, who love technology, could come up with something interesting.

Score: 0


BetaNews mentions everything except the only real solution which is taking legal action against phishers.

Score: 0


What will be more interesting is that Microsoft will not be able to address this issue it looks like with longhorn, and certainly not with XP's certain tools. Microsoft finally included a decent level of security with XP, with a firewall that does well enough and bugging the user to stay up to date with AV... but phishing is an open hole and it will take education, not definition-based updates or toolbars or browser updates to stop this. It could seriously erode people's confidence in computing in general, let alone browsing the web, at least for people burnt by this.

Score: 0


I'm not going to act like I know anymore about phishing than is explained in this article, but it seems like there would have to be some way to have the browser be able to identify XSS, either through a plugin (i.e. Firefox plugins) or maybe even a function integrated into future browsers (IE8 maybe? lol - it would take that long).

Is anyone formulating ideas for a service or product that can help with this? Like I said below, in my humble amateurish opinion, it seems like this would be easier to tackle on the client side. That's just my two cents.

Score: 0


The basic problem is the incredible lack of knowledge of most PC users of how to use their OS. These are not "noobies". Some of these people have been using computers for many years. They don't realize that Windows has a command line, can't create toolbars in the taskbar, move icons to the QuickLaunch Bar and have never edited their registry.

When they download software they almost always think that bigger is better. These people don't have a clue or know where to buy one. There are a lot of "so-called" experts who have never written a lesson plan or created a training module, so their "help" is in computer jargon that only geeks can understand.

If you have no idea of how to install and configure your OS, or what a baseline and system image are, then phishers are going to eat your system. This is an even bigger problem if you have lots of bandwidth.

Score: 0


We got to stop whining now. What part of DO NOT give out account information, SSN or other sensible data online do people not understand? My bank, for example, tells me loud and clear that they will NEVER ask for such things other than via snail mail, so since I actually read my terms of service agreement I discard ALL email sent from "them" to me. It is THAT easy to avoid phishing.

And hey IF the message was genuine, then they are out of luck because you are just following your agreement.

So stop whining. You would not give ME any info if I walked up to you on the street and introduced myself as your banker, would you? It is the same with emails etc.

Score: 0


lol. ummm... did you read beyond the 4th paragraph? This vulnerability is not related to e-mail. XSS can be exploited on any site that allows third parties to post information (Google, eBay, Amazon, etc...). We are far beyond the age where e-mail attachments were the biggest concern.

This scam can easily affect ANYONE if they are not careful. This time you don't have to click the link in the e-mail that says "get more smileys" ;-)

Score: 0


When I posted this comment, this was in the address bar:
http://www.betanews.com/http://hackersheaven.com/

Is that normal? :p

That was really interesting. Is there any way to identify these tricks on the client side? For example, could someone write a Firefox plugin that checks the address bar for multiple domains? Or would that even work in most cases?

Anyway, I'm definitely going to be more paranoid from now on. Thanks a lot :p

Score: 0


There is a good plug-in for Firefox called spoof-stix. It is a toolbar that tells you what site you are on regardless of what URL you typed in the address bar....

Score: 0


These XSS vulnerabilities that Phishers exploit are all the more dangerous because they originate __from the valid site__, yet the attacker can still execute malicious code.

The firefox plugin you mention will not protect you in any way from the class of vulnerabilities Jeremiah described.

Score: 0


That sounds like it would help a little, but would it catch scripts in the URL that could redirect information entered on the website?

I was wondering if someone could write a plugin like that to look for more than one domain and/or scripts that could be malicious.

It sounds to me like this problem would be much simpler to tackle on the client-side than on the server side, but that is just my humble amateurish opinion.

Score: 0
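The "more than one domain in the address bar" check asked about in this comment and in the earlier one, written out as an added example (not code from the article, the commenters, or any plugin named here). It flags a link whose path, query or fragment carries a second absolute URL, which is the shape of the article's example link and of the betanews.com address quoted above, and it percent-decodes first because the article notes such links are often encoded to disguise the destination. The regular expression and function names are assumptions; the sample URLs are the page's own placeholders.

```python
# Added example (not from the article or the comments): a defender-side
# heuristic for a link whose tail smuggles a second host, after undoing
# percent-encoding. Function names and the pattern are assumptions.
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# A second URL hiding in the tail of a link: optional scheme, '//', then a
# dotted host name.
_EMBEDDED_URL = re.compile(
    r"(?i)(?:[a-z][a-z0-9+.-]*:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)"
)


def _fully_decode(text: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (%253A -> %3A -> ':') up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def embedded_hosts(url: str) -> list:
    """Host names that appear inside the path, query or fragment of `url`,
    excluding the link's own host. An empty list means none were found."""
    parts = urlsplit(url)
    own_host = (parts.hostname or "").lower()
    tail = urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    found = []
    for match in _EMBEDDED_URL.finditer(_fully_decode(tail)):
        host = match.group(1).lower()
        if host != own_host and host not in found:
            found.append(host)
    return found


def looks_like_embedded_redirect(url: str) -> bool:
    """True when the link carries another site's host in its tail."""
    return bool(embedded_hosts(url))


if __name__ == "__main__":
    # Constructed samples built from the placeholders that appear on the page.
    samples = [
        "http://therealwebsite.com/redirect/user/to/http://thefakewebsite.com",
        "http://www.betanews.com/http://hackersheaven.com/",
        "http://therealwebsite.com/r?to=http%3A%2F%2Fthefakewebsite.com%2Flogin",
        "https://therealwebsite.com/account?id=7",
    ]
    for sample in samples:
        print(looks_like_embedded_redirect(sample), embedded_hosts(sample), sample)
```

Two limits worth keeping in mind, in line with the reply above that a URL-watching plugin does not cover the whole class of attack: this only catches the visible redirect-style link, not injected script that runs within the real site's own page, and it will also flag legitimate links that carry a full URL as a parameter (for example a site's own CDN host), so it is a warning heuristic rather than a verdict.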

