Phishing An Evolution: July 2005

Uploaded by

Snehitha Mammu
Copyright
© Attribution Non-Commercial (BY-NC)

Phishing ~ An Evolution

July 2005

Company Confidential Copyright 2005 Secure Science Corp. 1


Cyber Attack Sophistication Continues To Evolve
[Chart (Source: CERT): attack sophistication rising over time while the intruder knowledge required falls. Vertical axes: Intruder Knowledge (High to Low) and Attack Sophistication; horizontal axis: 1980, 1985, 1990, 1995, 2000+, with Attackers along the bottom. Labelled milestones, roughly in order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, network mgmt. diagnostics, www attacks, denial of service, distributed attack tools, staged attack, “stealth”/advanced scanning techniques, cross site scripting, bots.]
Source: CERT

And Continue To Grow…

 85% of respondents had breaches (CSI/FBI survey)
 Avg reported loss from attacks was $2.7M per incident (CSI/FBI survey)
 85% of the critical infrastructure is owned or operated by the private sector
 137,000 security incidents in 2003, nearly twice as many as in 2002 (CERT)
 Data theft grew more than 650% over the past 3 years (CSI/FBI)
Source: Carnegie Mellon

Growth Or Liability?
 Over twenty per cent of Internet users now
access online banking services.
 This total will reach 33% by 2006, according to The
Online Banking Report.
 By 2010, over 55 million US households will use
online banking and ePayments services, which are
tipped as "growth areas".
 Wamu buys Providian, BofA buys MBNA

 And so what about the ‘Phishing’ threat to e-commerce?
Source: ePaynews

What Is Phishing?
 Phishing, also referred to as brand spoofing, is a variation on “fishing”: bait is thrown out in the hope that, while most will ignore it, some will be tempted into biting.
 Phishing is the act of sending a communication to a user falsely claiming
to be an established legitimate enterprise in an attempt to scam the user
into surrendering private information that will be used for identity theft.
 The communication (usually email) directs the user to visit a Web site
where they are asked to update personal information, such as passwords
and credit card, social security, and bank account numbers, that the
legitimate organization already has.
 The Web site, however, is bogus or hostile and set up only to steal the
user’s information.

Phishers Mainly US Hosted
[Chart: locations of phishing hosts, FY04. Source: APWG]
 Gartner estimates phishing cost the US over $2.4B in 2004, not including law enforcement costs.

Phishing
 “Dear bank customer...”
 Phishing:
 Impersonates respected company
 Tarnishes reputation – weakened customer confidence
 Is Fraud: misplaced trust to gain customer accounts
 Is identity theft
 All phishers
 Only 3 web attack methods, minor variations
 Impersonate, Forward, Pop-Up

How Phishers Operate
 Images
 Link to target site so images really come from target
 Looks real because it is real
 Mirror to a phishing server
 Prevents target site from removing images
 Looks real, but could get outdated information
 Web pages
 Phishing page links to target server’s web page
 Man-in-the-middle POST
 Logs user into real site
 Provides “real” pages; victim will not notice phishing site
 Prevents scam from being noticed AFTER victim discloses
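As an added example (not from the deck), here is how a targeted site can spot the image hotlinking described above in its own web-server logs: requests for its static assets whose Referer points at a foreign host. The log lines and hostnames are constructed, with bank.example standing in for the targeted site.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of access log lines (Apache "combined" format) for a
# hypothetical bank site, bank.example. Lines 3 and 4 show the bank's own
# logo and stylesheet being fetched while the visitor was on a foreign page.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2005:10:01:02 -0700] "GET /images/logo.gif HTTP/1.1" 200 4521 "https://www.bank.example/login" "Mozilla/4.0"
203.0.113.6 - - [12/Jul/2005:10:01:05 -0700] "GET /login HTTP/1.1" 200 9921 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jul/2005:10:02:11 -0700] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://bank-example-secure.invalid/verify.php" "Mozilla/4.0"
198.51.100.8 - - [12/Jul/2005:10:02:12 -0700] "GET /css/site.css HTTP/1.1" 200 1200 "http://203.0.113.99/bank/index.html" "Mozilla/4.0"
198.51.100.9 - - [12/Jul/2005:10:03:00 -0700] "GET /images/logo.gif HTTP/1.1" 200 4521 "https://www.search.example/q?bank" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Static assets a phishing page would hotlink to look genuine.
ASSET_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js")


def referer_host(referer):
    """Hostname of the Referer, or None when the browser sent none."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower()


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_hotlinks(log_text, own_domains, ignore_domains=()):
    """Return asset requests whose Referer is neither our own site nor on
    the ignore list (e.g. search engines that embed image previews)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than abort the scan
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(ASSET_EXT):
            continue
        host = referer_host(m["referer"])
        if host is None:
            continue  # direct request or Referer stripped; nothing to judge
        if host_matches(host, own_domains) or host_matches(host, ignore_domains):
            continue
        findings.append({"client": m["ip"], "path": m["path"],
                         "referer_host": host, "referer": m["referer"]})
    return findings


def summarize(findings):
    """Group flagged assets by the foreign host that embedded them, so each
    candidate phishing page shows up once with the assets it borrowed."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["referer_host"], set()).add(f["path"])
    return {h: sorted(paths) for h, paths in per_host.items()}


if __name__ == "__main__":
    hits = find_hotlinks(SAMPLE_LOG, {"bank.example"},
                         ignore_domains={"search.example"})
    for host, paths in summarize(hits).items():
        print(f"{host}: {', '.join(paths)}")
```

A hit only says a foreign page embedded the asset; the flagged host still needs to be fetched and reviewed before it is treated as a phishing site.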

Phishing Flow
 Phisher develops phishing server
 CGI, PHP, HTML, images
 Phisher configures blind-drop
 Free email address or IRC channel
 Phisher configures hostile server (typically compromised)
 Hacked or stolen credit card from previous phish
 Phisher tests configuration
 Complex system (blind drop, hostile server, target, email) requires testing
 Phisher sends bulk mailing
 Phisher collects data from blind drop

Phisher’s ROI
 Time..
 Create server: 1 week to 1 month
 Create blind-drop: 1 day to 1 week
 Hostile server config: 1 day to 1 week
 Test
 Longest seen: 10 days
 Shortest seen: 6 hours
 Bulk mailing: up to 8 hours, usually 1-2 hours
 50% of victims in first 24 hours
 99% of victims in first 48 hours
 Server take-down
 48-72 hours

Type of Phishing Attacks
 Impersonate (simple attack):
 Fake site looks like target
 Mirror or link to images for credibility
 Man-in-the-middle POST login prevents victim detection
 Forward (sophisticated attack):
 Typically collected via phishing email (not as effective/av)
 Site collects data; performs meta-refresh to target (HTTP redirect)
 Man-in-the-middle POST login prevents victim detection
 Popup (creative attack):
 Real site in back, hostile popup in front
 Real site gives credibility, prevents victim detection
 Not man-in-the-middle
 Mirror or link to images for credibility

How Phishers Use Accounts
 So you are a phisher and you have some accounts...
“Now what?”
 Steal
 Money
 Identity
 Laundering
 The big problem: getting the money out (we’ll catch you!)
 Webmoney.ru (Russian money service)
 eGold (gold to currency service middle-man)
 Western Union (for untraceable cash)
 eBay / PayPal
 419 (Nigerian email scams)

Tracking Phishers
 Phishers use base camps to store and analyze
victim information.
 These servers act as centralized communication and
distribution points for group members.
 They also use blind-drop servers.
 These are used to collect victim information
without compromising the base camps.

Tracking Phishers (cont.)
 Secure Science Corporation estimates that
approximately 42 (out of 53) phishing groups
account for over 90% of all phishing emails.
 The larger phishing groups include DPG (PG2),
Citiimg (PG20), Ro-Bot (PG40) and Palka (PG30).
 These 42 groups account for over 75% of all
phishing emails observed over the last quarter.
 (PG30 is also known as the “laptop seller” group
according to PayPal, as this was their first venture).

Tracking Phishers (cont.)
 Secure Science Corporation has identified the likely scope and effectiveness of a phishing bulk mailing, including:
 How large are the bulk mailings?
 How many people receive the emails? How many emails never reach their destination?
 How many people fall victim to a single mass mailing?
 When do people fall victim?
 Which is worse? Email phish or phishing malware?

Tracking Phishers (cont.)
 Phishing base camps frequently contain the actual
mailing lists used by the phishers, as well as the list of
proxy hosts used to anonymize the mass mailing.
 While the total number ranges from 1 to 5 million email addresses, the large phishing groups have divided the address lists into files containing 100,000 addresses. This means that they likely generate 100,000 emails per mass mailing.
 While the larger groups use open proxies to anonymize the mass mailing, a few of the smaller phishing groups use the phishing server to also perform the mass mailing.
 One small group had an email list that contained over one million
addresses. They likely sent out one million emails for their mass
mailing.

Tracking Phishers (cont.)
 Of the estimated 42 active phishing groups worldwide, some
phishing groups send emails daily, while others operate on weekly
or monthly cycles.
 Similarly, some groups only operate one phish per day, while the larger groups may operate a dozen blind drops on any given day. The average per group is approximately 750,000 emails per day.**
 Considering that there are an estimated 42 active groups, that makes the total daily amount of phishing emails approximately 31.5 million emails per day.

** It is important to emphasize that this is strictly an average per group. The larger groups generate much more email than the smaller groups. And very few groups generate email daily.

What’s Worse?
 Email Phish or Phishing Malware?
 Some of the larger phishing groups have
associations with both phishing emails and key-
logging malware.
 While phishing email is very effective, the number
of victims is significantly smaller than the victims
of phishing malware.
 Logs recovered from base camps for phishing
emails and malware show a startling difference.

Email –vs- Malware
 Average number of accounts compromised in a week
 Phishing Emails: 100
 Phishing Malware / Keyloggers: 500,000
 Type of information compromised
 Phishing Emails: Name, address, phone, SSN, credit card, VCC2, bank account numbers, logins and passwords, and even items such as mother’s maiden name or the answer to the “forgot your password” prompt. Generally, victims provide all of the information asked.
 Phishing Malware / Keyloggers: Account login, or credit card number with expiration and address. Generally, a single victim only loses a single amount of information. Few victims lose more than one type of information. And the information compromised may not match the information desired by the phisher.
 Volume of data generated
 Phishing Emails: Each victim = < 500 bytes of data. 1 week = < 50Kbytes. A single person can process the data in minutes.
 Phishing Malware / Keyloggers: A single key logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand. Instead, scripts are used to filter the information. Potentially valuable information is frequently ignored due to the filtering process.

Email –vs- Malware (cont.)
 How often is the method viable?
 Phishing Emails: Reused regularly for weeks or months before requiring a change. Due to simple changes in the mailing list, a variety of people can be solicited – information is almost never collected from the same person twice.
 Phishing Malware / Key loggers: Most malware is effective for a week before anti-virus vendors develop signatures. Some phishing groups use malware in limited distributions. While these programs may exist for much longer durations, they generally collect less information. A single person that is infected may compromise the same information multiple times.
 Total development cost to the phishers?
 Phishing Emails: A single phishing server may take one week to develop. The server may then be applied to hundreds of blind drop servers and reused for weeks or longer. Changes to the phishing email content (bait) can be measured in hours and may not need a change to the phishing server.
 Phishing Malware / Key loggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic anti-virus signatures appear, redevelopment may take weeks or months.

Phishing Malware
 Phishing technology generally follows spam technology by 6-12
months.
 The recent developments in spam provide insight into upcoming changes
in phishing technology.
 Over the last six months, spam as a whole has shown a dramatic increase
in malware. The malware ranges from common attachment worms and
Trojans to hostile JavaScript/Object exploits.
 Over the last few years, malware consisted of a single executable that
infected hundreds of thousands, or millions, of systems.
 These mega-viruses, such as Sobig, Blaster, Code Red, and Nimda used a
single executable to infect a large system base. After the primary infection,
other variants were released, but these were designed to be additional mega-
viruses.

Phishing Malware (cont.)
 In November of 2003, the concept of a single
mega-virus changed.
 Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants – each slightly different.
 The goal of the variant was not to become a mega-
worm, but rather to infect a small group of systems.

Phishing Malware (cont.)
 This approach provided two key benefits to the malware
authors:
 Limited distribution; limited detection. As long as the malware is
not widespread, the anti-virus vendors would be less likely to detect
the malware. (If Norton doesn’t know about a virus, then they
cannot create a detection signature for the virus.)
 Over the last 12 months Secure Science Corporation has identified
dozens of virus variants used by phishers, carders, and generic malware
authors that are not detected by anti-virus software.
 Rapid deployment. Nearly a hundred variants of Sasser were
identified in less than three months. Each variant requires a different
detection signature. The rapid modification and deployment ensures
that anti-virus vendors will overtax their available resources,
becoming less responsive to new strains. It also ensures that some
variants will not be detected.

Phishing Malware (cont.)
 2004 saw a significant increase in malware used
by phishing groups.
 It also ended with multiple warnings, where
phishers may use cross-site scripting (XSS) attacks.
 SSC has taken a closer look at the malware and XSS
attacks used by phishing groups. While we believe
that malware will continue to be a major collection
method used by phishers, XSS has taken an
underestimated backseat.

Phishing Malware (cont.)
 A few phishing groups have been associated
with specific malware.
 The malware is used for a variety of purposes:
 Compromising hosts for operating the phishing server;
 Compromising hosts for relaying the bulk mailing;
 Directly attacking clients with key-logging software.
 A single piece of malware may serve any or all of these purposes.

Malware Trends
 In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes:
 Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general.
 Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets.

* A compromised system with remote control capabilities is a “bot”. A “botnet” is a collection of these compromised hosts.
** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.

Malware Trends (cont.)
 Remote control. The malware usually has backdoor
capabilities. This permits a remote user to control and
access the compromised host. For a phisher, there is little
advantage to having a backdoor to a system unless they
plan to use the server for hosting a phishing site. But for
other people, such as virus writers or botnet farmers*,
remote control is an essential attribute.

* A “botnet farmer” is an individual or group that manages and maintains one or more botnets. The botnet farmers generate revenue by selling systems or CPU time to other people. Essentially, the botnet becomes a large timeshare computer network.

Malware Trends (cont.)
 By Q3 of 2004, a few, large phishing groups
had evolved to support their own specific
malware.
 While the malware did contain email relays, data
mining functions, and remote control services, these
had been tuned to support phishing specifically.
 Viruses such as W32.Spybot.Worm included
specific code to harvest bank information from
compromised hosts.

Malware Trends (cont.)
 A few phishing groups also appeared associated
with key logging software.
 While not true “key logging”, these applications
capture data submitted (posted) to web servers.
 A true key logger would generate massive amounts of
data and would be difficult for an automated system to
identify account and login information.

Malware Trends (cont.)
 Instead, these applications hook into Internet
Explorer’s (IE) form submission system.
 All data from the submitted form is relayed to a
blind drop operated by the phishers.
 The logs contain information about the infected
system, as well as the URL and submitted form
values.
 More importantly, the malware intercepts the data
before it enters any secure network tunnel, such as
SSL or HTTPS.

Malware Trends (cont.)
 The end of 2004 showed a significant modification to the
malware used by some phishing groups.
 The prior key logging systems generated gigabytes of data in a very
short time. This made data mining difficult, since only a few sites were
of interest to the phishers.
 By the end of 2004 and into 2005, the phishers had evolved their
software.
 Loggers focus on specific URLs, such as the web logins to Citibank and
Bank of America.
 It is believed that this was intended to pre-filter the data collected by the
malware. Rather than collecting all of the submitted data, only submitted
data of interest was collected.
 More importantly, multiple viruses appeared with this capability – indicating
that multiple phishing groups evolved at the same time. This strongly
suggests that malware developers associated with phishers are in
communication or have a common influencing source.

Phishing Trends
 A year+ ago, phishing was a very manual process.
 A server was required and the phishing system was manually
installed and tested.
 9 months ago, “scam kit” packages began to appear.
 Consisted of phishing sites stored in an archive (e.g., .zip)
 These archives would be transferred to the server, unpacked,
tested, and used.
 The archives significantly decreased the time needed to
install and configure the phishing server.
 Over the last quarter, the popularity of these archives has dramatically increased – nearly every phishing group, both new and old, is using prepackaged archives.

Phishing Trends (cont.)
 Two recent trends have surfaced over the last few
months:
 Targeting 2nd tier and 3rd tier banks.
 Spawning off intermediate phishing groups to increase
distance between mules and organized crime.
 These trends may actually be related: as phishers
distance themselves from the mules, they are likely to
target a wider variety of financial and corporate entities.
 Phishing trends generally follow spam trends.
 The latest spam trends show more malware with specialized
purposes.

Phishing Trends (cont.)
 Secondary & Tertiary Targets
 Phishers have consistently and repeatedly targeted a small set of companies: eBay, Citibank, and PayPal.
 These primary targets are believed to be desirable for the following reasons:
 Large customer base. Emails sent to random addresses are likely to hit a significant number of customers for these companies. Since the hit-per-email ratio is high, the likelihood of a successful phish is high.

Phishing Trends (cont.)
 Low threat response.
 Internally, most organizations are actively working on the phishing
problem. However, their apparent public external reactions are lacking.
 From a phisher’s point of view, the primary targets are not immediately
responsive to the phishing threat.
 Active challenges.
 Most phishers are active in the hacking, warez, and Internet underground.
 In this case, many financial institutions continually run commercials
offering identity theft protection. The phishers see this as a challenge,
and target them to show that they do not actually offer identity theft
protection.
 Similarly, eBay’s anti-phishing toolbar is an enticement for phishers to
demonstrate how it does not protect eBay from phishers.
 Vulnerable Web Servers that aid phishers with cross-user attacks
against their customers.

Phishing Trends (cont.)
 Consumer Mis-education. Many companies are known
to periodically send out real emails that look similar to
phishing emails. Customers become unable to distinguish
the rare “real” emails from the common “phishing” emails.
 Multiple Uses. An account at any of these primary targets
offers multiple uses.
 Exploitation of eBay/PayPal/E-gold enables multiple methods for laundering.
 Blending in. The result of aggressive phishing has made it
difficult to distinguish/identify specific groups, which
provides safety in numbers.

Phishing Trends (cont.)
 Known processes. Known internal processes and
policies of an institution enable a fraudster to potentially
benefit from this knowledge.
 For example, if international transfers of amounts under $10,000
do not trigger an alarm, then phishers may use this information
to transfer appropriate amounts.
 Secure Science has observed that phishers continue to actively
collaborate with ‘insiders’ to understand internal mechanisms
that could enable fraudulent endeavors.
 Future regulatory compliance efforts should seriously consider
phishing.

Mid 2005 Phishing Trends
 Phishers are refining their email techniques.
 Emails are much more effective than regular spam emails.
A single mass mailing of 100,000 emails may have a receive
rate as high as 10% and collect as much as 1% in victims.
 Phishers have found a use for every account they
acquire: from money laundering to theft, and shuffling
to identity theft.
 Phishers are refining their key-logging malware.
 Rather than collecting data from all web sites, they are now
looking for data from specific URLs.

Mid 2005 Phishing Trends (cont.)
 Phishers are becoming more technically savvy.
 Besides using known and 0-day exploits to configure the
systems used for the phishing, they also use weaknesses in the
telephone infrastructure, such as Caller-ID (CID) spoofing, to
protect themselves from the mules that they contact.
 Phishers have consistently shown an interest in internal
policies and practices. These serve two purposes: policy
weaknesses can be leveraged, and policy strengths can
be avoided.
 With the ongoing addition of national and global policies such
as Sarbanes-Oxley and HIPAA, companies have new
challenges: avoiding the pitfalls and limitations of widely
accepted policies and required practices.

FY05 Phishing Trends
 Increase.
 With the success of phishing malware, there is an inevitable
increase in variations and capabilities. Although few phishing
groups were associated with malware in 2004, more phishing
groups are adopting this trend in 2005.
 Ability to go back to compromised system at will
 Use as tool for distributed botnet (mass mailing already observed)
 Dynamic.
 The malware observed in 2004 contained hard-coded URLs. In
order to change the URL, a new variant needed to be released.
Malware in 2005 has become remotely configurable (BotNets).
DNS Host Poisoning will become popular with more sophisticated groups. XSS will become a problem.

FY05 Phishing Trends (cont.)
 BotNets – PG40 Case Study
 First discovered 11/04
 Demonstrates an aggressive campaign targeting secondary and
tertiary financial institutions.
 SouthTrust and Huntington Banks have been observed to be under
attack daily, this week alone.
 Have not targeted any primary financial institutions to-date.
 First group to be observed utilizing a logo server.
 Malware used: BO2K and IRC backdoors
 Spoof sites consistently outside the US (China/Germany/Japan/Korea)
 Demonstrate a consistent pattern of rapidly compromising systems
via specific web vulnerabilities.
 Compromises subnets, as opposed to sites
 Automated attack vector, such as a botnet/automated tool.

FY05 Phishing Trends (cont.)
 Caller ID
 The trust of caller-id at home opens up phishing scams off of
the internet and directly into homes.
 It's less scalable, but can be quite effective combined with clever
social engineering.
 The compromising of voicemail systems and the ability to
take over telephony networks can add to the information
they mine to gain what they need.
 Phishers have been observed doing full background credit checks on
target individuals, to obtain all the information they can.
 Telecommunication systems are quickly becoming a target
for information and identity theft.
 T-Mobile database compromise – defonic crew

FY05 Phishing Trends (cont.)
 Telephony Exploitation
 It has been observed that phishers use it to contact mules when conducting
money-laundering schemes.
 Public SIP/VOIP networks are primitive, (similar to early days of SMTP and
their open relays).
 There is no authentication (even if there is, it can be bypassed), it is readily available, and free (see
sipphone.com and freeworld dialup).
 Anonymous telephony becomes trivial with CPN Spoofing (CPN == Caller Party
Number). Most systems rely on it heavily for authentication.
 Examples of these are T-mobile, Verizon, SBC/Pacbell, Callwave.com and Ureach.
 Not to mention the PSTN (Public Switched Telephone Network) aka POTS
(Plain Old Telephone Service).
 The intersection of the technologies has caused the POTS lines to be vulnerable and makes it
nearly impossible to trace.
 Subpoena of voice over IP carriers only causes headaches.
 The VOIP carrier has to find what POTS carrier it went through;
 Then send back to the Feds that they need to subpoena that carrier.
 By the time it's all done, you may not get what you wanted, since the BTN (Billing Telephone
Number) is pretty much the last hop on a PSTN line.

FY05 Phishing Trends (cont.)
 Cross-Site Scripting (XSS)

Misplaced Trust
 Cross-User attacks:
 Only 1 cross-site scripting attack has been spotted so far
 Bank of America – predicted due to consumer mis-education
 Disappointing exploitation
 Defines potential
 Few Cross-User attacks in the wild
 Redirects such as:
 Google
 eBay
 Impact is high
 Generates “Misplaced Trust”
 Breaks SSL and Domain Keys
 Both server and customer end up being compromised

Subject: Update Contact Information

Dear Cardmember,

Our records indicate that your billing address is no longer valid for your account ending in xxxxx.

Having your most updated contact information is critical to our ability to service your account and to provide you with information on
important changes that impact your account.

Please take a moment to update your contact information on https://www.americanexpress.com/updatecontactinfo. If you prefer, you can copy and paste or type the URL directly into your address bar.

If you have any questions regarding this message, please call the telephone number on the back of your card for assistance from a Customer
Service Representative.

Thank you for your time and continued business with American Express.

Sincerely,
American Express Customer Service

To Reply to this e-mail

Simply log in to our Secure Message Center at https://www.americanexpress.com/messagecenter and send your inquiry via secure e-mail. If clicking on this link does not work, please cut and paste it into the "address" bar of a new browser window. This e-mail was sent from a notification-only address that cannot accept incoming e-mail.

Notice About Servicing E-mails

This e-mail was sent to you by American Express Customer Service to provide important information about your account and/or online products and services for which you are registered. You may receive customer service e-mails even if you have requested not to receive e-mail marketing offers from American Express.

Privacy Statement
For details on our e-mail practices, please visit the American Express Privacy Statement at http://www.americanexpress.com/privacy.

AGNEUATH0003001

Misplaced Trust (cont.)
 Target Types
 Redirects
 301/302 Headers and Meta-Refresh
 Landing page attacks
 Allow HTTP Response Injection
 Cross-Site enabled!
 Vulnerable sites include:
 American Express
 American Stock Exchange (AMEX)
 Ebay
 Bank of America
 TD Waterhouse (Breaks SSL)
 University of Wisconsin (no offense)
 http://www.uc.wisc.edu/track.php?pageName=http://www.wisc.edu/&queryString=&url=%0d%0a%3Cscript%3Ealert(%22Vulnerable%22);%3C/script%3E
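The track.php URL above carries a CR LF pair (%0d%0a) at the start of its url= parameter; a redirect handler that copies that value into a Location header lets the caller end the header and append a script line of its own. As an added example (not the university's code and not from the deck), the naive 302 builder below sits next to a validating one; the allowlist of redirect hosts and the fallback page are assumptions.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Decoded form of the url= value in the example query string above
# (the %0d%0a prefix becomes a CR LF pair followed by a script tag).
PAGE_PAYLOAD = unquote("%0d%0a%3Cscript%3Ealert(%22Vulnerable%22);%3C/script%3E")

# Assumed allowlist: the only hosts the tracking redirect may send users to.
ALLOWED_HOSTS = {"www.wisc.edu", "wisc.edu"}


def vulnerable_redirect(url_param):
    """Naive 302 builder that copies the parameter straight into Location.
    A CR LF inside url_param terminates the header, so whatever follows is
    parsed as further headers or body (HTTP response splitting)."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + url_param +
            "\r\nContent-Length: 0\r\n\r\n")


class RedirectRejected(ValueError):
    pass


def validate_redirect_target(url_param, allowed_hosts=ALLOWED_HOSTS):
    """Return a normalised absolute URL or raise RedirectRejected."""
    # 1. Control characters can never belong in a header value; reject
    #    instead of stripping, since stripping invites encoding bypasses.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url_param):
        raise RedirectRejected("control character in redirect target")
    parts = urlsplit(url_param)
    # 2. Absolute http(s) only: relative, protocol-relative (//host) and
    #    javascript:/data: targets are all refused.
    if parts.scheme not in ("http", "https"):
        raise RedirectRejected("unsupported scheme: " + repr(parts.scheme))
    # 3. hostname drops userinfo and port, so https://www.wisc.edu@evil.invalid/
    #    is seen as evil.invalid and fails the allowlist.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise RedirectRejected("host not in allowlist: " + host)
    # Rebuild without the fragment and with an explicit path.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/",
                       parts.query, ""))


def is_rejected(url_param):
    """Convenience predicate used for checks below."""
    try:
        validate_redirect_target(url_param)
    except RedirectRejected:
        return True
    return False


def hardened_redirect(url_param, fallback="https://www.wisc.edu/"):
    """302 builder that only ever emits a validated target; anything else
    goes to a fixed fallback page instead of being echoed."""
    try:
        target = validate_redirect_target(url_param)
    except RedirectRejected:
        target = fallback
    return ("HTTP/1.1 302 Found\r\nLocation: " + target +
            "\r\nContent-Length: 0\r\n\r\n")


def header_lines(response):
    """Split the status line and headers as a proxy or browser would."""
    return response.split("\r\n\r\n", 1)[0].split("\r\n")


if __name__ == "__main__":
    print("naive:    ", header_lines(vulnerable_redirect(PAGE_PAYLOAD)))
    print("validated:", header_lines(hardened_redirect(PAGE_PAYLOAD)))
```

Modern frameworks refuse control characters in header values themselves, but the host allowlist is still needed: without it the page remains an open redirect that lends the site's name to any destination.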

Misplaced Trust (cont.)
 Target Types (cont.)
 Reflective queries
 Forms
 Session Engines
 Reflecting Parameters
 Vulnerable sites include:
 CA.com (aren’t they a security company?)
 Comcast.net
 Apple Online Store
 Barclays Bank
 Adelaide Bank (Australia)

Misplaced Trust (cont.)
 Target Types (cont.)
 Misconfigured 404’s
 Reflecting
 Lack Input validation
 Glorified 404’s
 Vulnerable sites include:
 Bank of America
 BuckKnives.com
 RIT.edu
 Military Banking (BofA company)

Misplaced Trust (cont.)
 Cross-Site Request Forging (CSRF)
 Session Riding
 Amazon and their long session cookies
 Browser Hijacking (Browser Botnet)
 Force a user to send spam
 Breaks Domain Keys
 No need for Spoofed Phish Site!
 Banks and online commerce lend hand to phishers
 Injection can be invisible from source code
 Verification of trust becomes difficult
 Reputation of FI is questionable
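As an added example (not from the deck), the session-riding case above in Python: a message-sending handler that trusts the session cookie alone, next to one that checks the request's Origin and a per-session token, plus a cookie line that bounds the session lifetime. The shop.example origin and the handler shape are assumptions.

```python
import hmac
import secrets

# Hypothetical web shop; the endpoint below sends a message to another user,
# which is exactly the kind of action a session-riding page would trigger.
SITE_ORIGIN = "https://shop.example"


class Session:
    """Server-side session state behind the browser's session cookie."""

    def __init__(self, user):
        self.user = user
        # Unpredictable per-session secret that a foreign page cannot read.
        self.csrf_token = secrets.token_urlsafe(32)
        self.sent = []


def session_cookie_header(session_id, max_age=1800):
    """Set-Cookie line for the session: short lifetime (long-lived cookies
    extend the window for riding), unreadable by script, HTTPS only, and
    withheld from cross-site POSTs by SameSite."""
    return (f"Set-Cookie: sid={session_id}; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def vulnerable_send_message(session, form):
    """Acts on any request that carries a valid session cookie. A page on
    another origin can auto-submit this form from the victim's browser and
    the cookie rides along with it (session riding)."""
    session.sent.append((form["to"], form["body"]))
    return 200


def same_origin(value):
    return value == SITE_ORIGIN or value.startswith(SITE_ORIGIN + "/")


def hardened_send_message(session, form, headers):
    """Two independent checks; either one alone stops the forged request."""
    # 1. Browsers attach Origin (or at least Referer) to cross-site POSTs;
    #    a value from another site, or none at all, is refused.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None or not same_origin(origin):
        return 403
    # 2. Synchronizer token: the form must echo the session's secret. A
    #    forging page never saw it, so it cannot include it. compare_digest
    #    avoids leaking the token through timing differences.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403
    session.sent.append((form["to"], form["body"]))
    return 200


if __name__ == "__main__":
    s = Session("alice")
    forged = {"to": "bob@example", "body": "cheap pills"}
    print("vulnerable:", vulnerable_send_message(s, forged))
    print("hardened, cross-site:",
          hardened_send_message(s, forged, {"Origin": "https://attacker.invalid"}))
    print("hardened, same-site with token:",
          hardened_send_message(s, dict(forged, csrf_token=s.csrf_token),
                                {"Origin": SITE_ORIGIN}))
```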

Request Forging
[Slides 56 to 60 were screenshots of request-forging examples; the images are not reproduced here.]

Contact Info
Secure Science Corporation
7770 Regents Rd.
Suite 113-535
San Diego, CA. 92122-1967
(877)570-0455
http://www.securescience.net
Email: [email protected]

Lance James ~ CTO

Questions
