2009 - Phishing in Depth

This document discusses various types of phishing attacks, including traditional phishing, vishing (phone-based phishing), and in-session phishing. It describes the processes involved in each type of attack and challenges with preventing them. Key points include: 1) Phishing attacks typically involve creating a fake website, obtaining email addresses, and sending mass emails with links to steal login credentials. 2) Vishing uses similar tactics via phone calls instead of emails in an effort to steal information. 3) In-session phishing targets users who are still logged into sensitive sites like banking while visiting other sites, allowing credential theft. 4) Preventing phishing attacks is difficult as techniques evolve,


PHISHING ATTACKS

for use with a particular type of access control system) read configuration information from the server and route status change events (such as location and occupancy changes) from the access controller to the relevant policy processors.

Transaction and authentication recognition

Following a devolved agent-based (endpoint) processing model, each individual policy processor determines what it should do on receipt of an access control status change event. For example, if the policy processor belongs to a user who has just left the building it can determine whether it should freeze (i.e. block keyboard and mouse events) for that session.

Convergence is also now combining recognition of specific transactions with authentication solutions. Using endpoint agents it's possible to monitor everything a user does and, by integrating with biometric devices such as fingerprint and finger vein readers, require them to re-authenticate on carrying out a certain action – such as printing a sensitive document, putting through an unusually high value stock movement, or a financial transaction above a certain value. This type of transaction level authentication would have stopped Jerome Kerviel at Société Générale in his tracks.

To date, solutions to data loss and the wider insider threat have been piecemeal. A combination of network and endpoint based controls is required to prevent data literally walking out of the door. Integrating physical and logical security systems maximises existing investment, improves risk management and gives operational benefits. With these systems already in play, don't we just need to join the dots?

Phishing in depth

Dario Forte, CFE, CISM, founder and CEO, DFLabs, Italy

Network Security, May 2009

In the first of this two-part series, published last month, we explained the initial process of how phishers prepare the ground for their attacks. As stated in that article, phishing attacks can be subdivided into three phases:

• Creation of a bogus web site that mimics the web site of the bank that is the target of the attack.
• Uploading of the page onto one's own site or else the compromising of an existing site.
• Mass emailing to lure the unwary to the bogus site.

The combination of these three elements allows an attacker to carry out an attack. The success of the attack depends on many factors, such as the credibility of the site, the contents of the email message, and the final user's critical analysis capacity and IT proficiency. This article will go into more depth on these issues.

Mass mailings

After having created and published the web site, the next step in the phishing attack is to send out mailings. As alluded to above, there are different ways to obtain an email address that can be used for this purpose. The user can either create an ad hoc account, or obtain an email address from the web. The first alternative produces a more convincing phishing attack, since the attacker may incorporate the name of the defrauded bank into the account name, thus increasing the likelihood of tricking the user. Once a valid account has been established, the next thing to do is to generate a mailing list. This is facilitated with tools known as 'crawlers' that allow targeted searches within websites to extract email addresses. This is why you should be discouraged from including explicit references to your mailbox or leaving your email address in discussion forums. The last thing to do in the phishing attack is to compose the message to be sent out. As for the web site, the message should imitate the style and content of official messages from the mimicked institution. An example is illustrated below.

New attack scenarios

Before turning to a discussion of countermeasures, it is opportune to discuss three current offshoots of phishing:

• Vishing.
• The consequences of the fault in the MD5 hash algorithm.
• In-session attacks.

Vishing

Discovered in early 2006, 'vishing', a portmanteau word of 'voice' + 'phishing', is a natural outgrowth of phishing. The Internet Crime Complaint Center (IC3) states that this type of attack is increasing at an alarming rate.

Online fraud, as we have discussed earlier, is carried out through the use of bogus emails and web sites. The fraudster sends out an email message masquerading as the user's bank, hoping to convince us to click on a link and provide our username, password or other information for 'security reasons'. With a vishing attack, however, instead of sending an email asking us to click on a link, the attacker sends out a telephone call asking us to call a telephone number. When we do, a recorded voice asks us to key in our personal information. Let us analyse briefly the details of a vishing attack.

The initial phase entails configuring the computer using VoIP technology so that it can call a long list of telephone numbers in a given area. Given the low cost of telephone calls, distance no longer constitutes an obstacle. The call
contains a pre-recorded message that asks the user to call a certain number to resolve problems, for example, problems associated with their bank account or credit card.

In most cases, the caller masquerades as the fraud prevention department of the bank or credit card company. If the message is convincing, some of those receiving the call will call the telephone number provided by the fraudster. The attacker may respond in various ways:

• Use his or her own social engineering abilities and respond personally to the telephone call.
• Pre-record a second message to trick the caller into providing personal information.

Generally speaking, humans are more inclined to reveal their access credentials to another person than to a pre-recorded message.

MD5 algorithm

A recent factor that has had an influence on phishing techniques regards the fault discovered in the MD5 hashing algorithm. This algorithm is used in creating digital certificates for email, ecommerce and online banking. The vulnerability may be exploited to create ad hoc certificates to allow phishing attacks using HTTPS. The attacker is thus able to create a fraudulent site that can masquerade as a secure site with its own SSL certificate that is bogus yet validated via the exploitation of the vulnerability in MD5. This adds yet another element of deception since now the user sees a valid SSL certificate and is all the more likely to conclude that the site is bona fide.

In-session attack

This new method is based on tabbed browsing. As we have seen in the past, the introduction of new features opens the way to new methods of attack. Tabbed browsing makes it possible for fraudulent sites to open pop-up windows while the user is logged on to the online banking site, informing the user that the session has expired and inviting them to reinsert their access credentials.

Two conditions are necessary for a successful in-session phishing attack:

• The user has logged on to a secure site (the bank, for example).
• The user visits an infected site while still logged on.

As a countermeasure against this type of attack, the user should always log off the online banking site or other sensitive sites before navigating to other, potentially non-trusted sites.

Conclusions

Due to the nature of phishing attacks, it is difficult to implement proactive or technological countermeasures to prevent them, other than the introduction of the requirement for a security token during the authentication phase. The reason for this is that a phishing attack has the objective of tricking the user and not that of penetrating an information system or exploiting a known vulnerability. Attention must therefore be dedicated to sensitising users so that they know to verify emails and phone calls they receive through direct contact with their bank. The description of factors in a phishing attack discussed in the article will allow the user to prevent being defrauded in this manner.

Resources

1. Lance James: Phishing exposed. Syngress, 2006.
2. J. Long, J. Wiles, K. Mitnick, S. Pinzon: No tech hacking: A guide to social engineering, dumpster diving, and shoulder surfing. Syngress, 2008.
3. In session phishing attacks. Trusteer, 2008. <www.trusteer.com/files/In-session-phishing-advisory-2.pdf>
4. A. Sotirov, M. Stevens, J. Appelbaum, A. Lenstra, D. Molnar, D.A. Osvik, B. de Weger: MD5 considered harmful today. December 2008. <www.win.tue.nl/hashclash/rogue-ca/>

EVENTS CALENDAR

27–28 May 2009: EUSecWest. Location: London, UK. Website: <http://eusecwest.com>
7–10 June 2009: Security XChange. Location: Park Valley, Utah, USA. Website: <http://security-xchange.com/integrators/index.html>
8–9 June 2009: Key Management Workshop. Location: Gaithersburg, Maryland, USA. Website: <http://csrc.nist.gov/groups/ST/key_mgmt/>
10 June 2009: Security Canada West. Location: Richmond, BC, Canada. Website: <www.securitycanadaexpo.com>
10–12 June 2009: Security World Expo. Location: Seoul, South Korea. Website: <www.secuexpo.com/en/>
13–22 June 2009: SANSFIRE 2009. Location: Baltimore, Maryland, USA. Website: <http://tinyurl.com/ohfzjb>
15–19 June 2009: ISACA Training Week. Location: Vienna, Austria. Website: <http://tinyurl.com/r6zh9r>
17–19 June 2009: CBA Security Management and IT Conference. Location: Costa Mesa, California, USA. Website: <www.calbankers.com/content/event_detail.asp?EventID=131>
26 June 2009: New Zealand Security Conference and Expo. Location: Auckland, New Zealand. Website: <www.security.org.nz/events/>

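Seen from the defender's side, the practical answer to the MD5 problem described in the "MD5 algorithm" section above was for TLS clients to refuse any certificate whose signature uses an MD5-based algorithm. The following is an added example, not code from the article or from DFLabs: a minimal DER walk in standard-library Python that reads a certificate's outer signatureAlgorithm OID and flags the MD5 ones. The helper names are hypothetical, and the two sample certificates are constructed here with stub tbsCertificate and signature fields, so they are not real certificates.

```python
# Added example (not from the article): reject MD5-signed X.509 certificates.
# Helper names are hypothetical; the sample certificates below are constructed.
MD5_SIGNATURE_OIDS = {                # signature algorithms a validator should refuse
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA (OIW)",
}

def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted OID from content bytes: first byte packs two arcs, rest is base-128."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm (the outer one)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)     # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def rejects_md5_signature(cert_der):
    """True when a validator must refuse the certificate because it is MD5-signed."""
    return signature_algorithm(cert_der) in MD5_SIGNATURE_OIDS

# Constructed sample certificates: tbsCertificate and signature are stubs.
def der(tag, content):                # short-form length only (content < 128 bytes)
    return bytes([tag, len(content)]) + content
def fake_cert(sig_oid):
    tbs = der(0x30, der(0x02, b"\x01"))                    # stand-in tbsCertificate
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))   # OID + NULL parameters
    return der(0x30, tbs + alg + der(0x03, b"\x00\xaa\xaa"))
MD5_CERT = fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # 1.2.840.113549.1.1.4
SHA256_CERT = fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11
```

A real validator applies the same test to every certificate in the chain, since the rogue-CA construction plants the MD5 signature on the intermediate rather than on the leaf.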
