Dealing with Phishing

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
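The history indicator the interview describes ("you've never submitted this form before"), modelled as an added example; this is not code from the paper or from Dynamic Security Skins. The history dictionary, the look-alike host `www.capita1one.example` and the count thresholds are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample history: hosts this user has previously submitted a
# credential form to, with a submission count for each.
SAMPLE_HISTORY = {"www.capitalone.com": 14, "www.paypal.com": 3}

def form_host(form_action_url):
    # Hostname the form will post to; case-folded, port stripped.
    return (urlsplit(form_action_url).hostname or "").lower()

def history_hint(form_action_url, history):
    """Return (level, message) from the user's own history for the host a
    credential form is about to post to. A look-alike host such as the
    constructed www.capita1one.example has no history, so it gets the warning."""
    host = form_host(form_action_url)
    count = history.get(host, 0)
    if count == 0:
        return ("warn", f"You have never submitted a form to {host or '(no host)'} before.")
    if count < 3:
        return ("note", f"You have submitted a form to {host} only {count} time(s).")
    return ("ok", f"You have submitted a form to {host} {count} times.")

def record_submission(form_action_url, history):
    # Called after a submission the user went ahead with; returns the new count.
    host = form_host(form_action_url)
    history[host] = history.get(host, 0) + 1
    return history[host]
```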

  • Security Skin (Score:3, Interesting)

    by christopherfinke ( 608750 ) <chris@efinke.com> on Wednesday June 28, 2006 @12:12PM (#15621726) Homepage Journal
    Looking through the PDF linked, I see that the plugin uses some visual hashes as browser backgrounds in trusted situations, but I wonder if there is an anti-phishing extension that would alter the color of the main background of the browser chrome for possible phishing sites. For example, a light-green would be trusted, but variations through a fire-engine red would indicate a possible phishing attempt.
  • it doesnt help when (Score:5, Interesting)

    by future assassin ( 639396 ) on Wednesday June 28, 2006 @12:17PM (#15621757)
    legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the URL and domain. > bfi0.com Turns out it's legit and Capital One uses Bigfoot as their mail server.

    Capital One(R)--what's in your wallet?(R)

    Your Capital One statement is ready.

    RE: Your account ending in 0000

    Your current Capital One statement is now available for viewing online. Simply log in to Online Account Services and click the My Statement tab.

    Log in now at http://capitalone.bfi0.com/ [bfi0.com]

    Is all your information reaching you?

    To help ensure this time-sensitive message reaches your inbox each month, add the Capital One address that appears in the "From" line above to your electronic address book. This is especially important if you or your service provider use e-mail filters.

    Use our web site as a resource for information and to access a variety of consumer lending products and special services. Add http://capitalone.bfi0.com/ [bfi0.com] to your bookmarks, so you can come back easily and often.

    Thanks for using Capital One's Online Account Services.

    Important Information from Capital One

    This e-mail was sent to me@mydomains.com and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

    The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.

    Capital One and its service providers are committed to providing meaningful privacy protection for their customers. To protect your privacy, please do not send sensitive account information through e-mail. For information on our privacy policy or how to contact us, please visit our web site at http://capitalone.bfi0.com/ [bfi0.com]

    If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.

  • Drive-by-downloads (Score:3, Interesting)

    by Itninja ( 937614 ) on Wednesday June 28, 2006 @12:18PM (#15621768) Homepage
    So this may help one realize that they are not on the actual Paypal/Citibank/Ebay site, and they can leave before they enter their personal information. But many phishing sites have already done their damage by that time, via a drive-by download that installs all forms of malware and spyware in just a few seconds.
  • Good interview, bringing up sound points on the vulnerability of users to electronic attacks. Social Engineering (aka BSing the operator) has been around forever as a valuable tool in any attacker's arsenal.

    The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (proprietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?

    Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.
  • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Wednesday June 28, 2006 @12:20PM (#15621798) Journal
    Over the past 3 or so weeks I have noticed that the number of phishing emails coming to my slashdot email account that are not caught by the spam filter have increased about 300%.

    Is google getting worse or are they getting better?
  • Bad analogy (Score:3, Interesting)

    by KerberosKing ( 801657 ) on Wednesday June 28, 2006 @12:25PM (#15621835)
    The thought that an average user will personalize their web interface like they personalize their cell phone doesn't fly with me. If that were true, we would see copies of Tweak UI on a lot more wintel boxes. Everyday people would be replacing the explorer shell with LightStep. I don't see that happening. About the most personalization I have seen is people putting up a picture of their girlfriend or baby up as desktop wallpaper. Geeks use custom tools, but most geeks are savvy enough about phishing to not fall for it.
  • Re:Unpredictable (Score:2, Interesting)

    by curecollector ( 957211 ) on Wednesday June 28, 2006 @12:38PM (#15621947)
    Some sites have started to adopt a similar approach, albeit not to such an extent. Bank of America, for example, asks for your login on their front page, which then forwards you to a separate page, displaying a user-selected icon (chosen from maybe 20 choices, if memory serves), and then asking for your password. Still, it's not perfect as your account number/login is typically your ATM/debit card number...
  • by Tackhead ( 54550 ) on Wednesday June 28, 2006 @12:41PM (#15621974)
    > legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the URL and domain. > bfi0.com Turns out it's legit and Capital One uses Bigfoot as their mail server.

    And this, kids, is why you should never outsource your email.

    In some small way, I may have helped. Back in the dark ages, my broker did this -- outsourced some of their customer communications to the m0.net (Digital Impact) mainsleaze spamhaus. I wrote 'em a very sharply worded letter to the effect that if they couldn't run something as simple as a mail server, why should I have any faith that they were any more capable of running the web servers that handled my trading requests.

    (And what is it with the meta-rule, which seems to be that any domain ending in 0.com or 0.net, is a mainsleaze spammer. m0.net, bfi0.com, and I'm sure there are more out there...)

    The letter also included some of the other spew (honest-to-God spam, as opposed to ostensibly solicited customer communications from an organization with which I had an ongoing business relationship) I'd gotten through m0.net, and explained that as a result, I'd pre-emptively marked all mail originating from that domain as "spam", and that my broker was lucky that I periodically checked my filtered spam to see if any false positives had leaked through.

    I wasn't the only customer to flame them, because a year or so later, I noticed that my broker was able to email me again, and that they were doing so from a mail server in a netblock owned by them, and with proper DNS registration.

    Now that Capital One is in the process of digesting North Fork Bancorp, perhaps both COF and NFB executives could do with a little similar education. My broker got a polite snail-mail flame because it was 1999 and they had an excuse for not knowing any better. There's no excuse in 2006.

  • by guruevi ( 827432 ) on Wednesday June 28, 2006 @01:04PM (#15622166)
    How about using the same technique SSH uses: If you come on a site that has the same IP but with a different key or the same key with a different IP: BIG WARNING THAT THIS SITE OR THE COMMUNICATIONS IS POSSIBLY COMPROMISED and provide a link to customer support in case that happens. SSL Certificates just check whether your communication is securely established and I won't examine that certificate every time I connect. When you want to do Internet banking or something similar, your bank should give you a key on a read-only USB disk or something and the possibility to boot a Damn Small Linux from that disk. My bank did that for a while, but I guess they fell back on just providing the key probably because of the support issues with DSL and xDSL, USB Modems, Winmodems and other crap like getting the VPN through the users' firewall and you had a browser but couldn't go anywhere but the bank's sites. But I have another bank account that just requires a username and password and you're not even on the secure part by then. How dumb is that? I avoid using my Internet banking just for that. The people at the branch sometimes ask why I don't do those simple things (like transferring money) through their site. I am running only Mac and Linux but still I don't want anyone connecting because they keylogged my password - some users might have troubles putting a good password in the first place (insert oblig. spaceballs password quote here). My webmail is more secure than their site (RSA SecurID key required for that), so they could at least do SOME effort like giving me something similar to SecurID for their site.
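The SSH-style rule from the comment above (same name and address but a different key, or the same key from a different address, raises a warning), written out as an added trust-on-first-use check; this is example code, not anything from the article or any browser. The pin store layout, the status names and the certificate bytes in the usage are constructed assumptions.

```python
import hashlib
import json

def fingerprint(cert_der):
    # SHA-256 over the certificate bytes, the way SSH fingerprints a host key.
    return hashlib.sha256(cert_der).hexdigest()

def check_site(store, host, ip, cert_der):
    """Trust-on-first-use check modelled on SSH's known_hosts.

    store maps host -> {"ip": ..., "fp": ...}. The first visit pins what was
    seen; later visits return "ok", "key-changed" (same name, different key)
    or "ip-changed" (same key presented from a different address)."""
    fp = fingerprint(cert_der)
    seen = store.get(host)
    if seen is None:
        store[host] = {"ip": ip, "fp": fp}
        return "first-seen"
    if seen["fp"] != fp:
        return "key-changed"
    if seen["ip"] != ip:
        return "ip-changed"
    return "ok"

# What the browser would show for each non-"ok" status (constructed wording).
WARNINGS = {
    "first-seen": "First visit to this site: its key has been recorded.",
    "key-changed": "BIG WARNING: this site's key has changed since your last visit.",
    "ip-changed": "WARNING: this site's key is now being presented from a new address.",
}

def save_store(store, path):
    with open(path, "w") as f:
        json.dump(store, f)

def load_store(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}
```

A legitimate certificate renewal or a site served from several addresses trips the same warning, which is the support cost the comment mentions and the reason browsers rely on CA signatures instead of pure trust-on-first-use.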
  • by johnkoer ( 163434 ) <johnkoer&yahoo,com> on Wednesday June 28, 2006 @01:15PM (#15622266) Homepage Journal
    Did you configure it?

    I didn't see it the first time I reset firefox. I played with some of the settings, restarted Firefox again and it was working.

    But after getting it working, it is a pretty neat addin.
  • by spamstopper ( 978854 ) on Wednesday June 28, 2006 @01:19PM (#15622300)
    Unless this is a highly targeted and customised phishing attack. Collaborative filtering like cloudmark [cloudmark.com] works amazingly well. You can stop a phishing attack spread within a few minutes. Here is more info on collaborative filtering [stason.org] or google for it.
  • Why no S/MIME? (Score:3, Interesting)

    by metamatic ( 202216 ) on Wednesday June 28, 2006 @01:49PM (#15622572) Homepage Journal
    What I want to know is why none of these dumbass banks use S/MIME to sign the e-mail they send out.

    Mozilla Thunderbird does S/MIME. Mac OS X Mail does S/MIME. Lotus Notes does S/MIME. Even Microsoft Exchange does S/MIME.

    Sure, it wouldn't solve the problem, but it would at least give clueful users a dead easy way to see if the e-mail was really likely to be from their bank.

    While we're on the subject, when is Gmail going to support S/MIME?
  • by Jester99 ( 23135 ) on Wednesday June 28, 2006 @01:53PM (#15622615) Homepage
    Maybe somebody could explain to me why this wouldn't work. It's trivially simple to implement.

    When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?

    Then every email they send to you, they include that string in the subject line.

    e.g., if my reverse-auth string was "turkey", the email subject would say "Important message for user Jester99 from CapitalOne -- auth: turkey"

    Then I know it's not a phish, because for phishers to have that word, they'd already have CapitalOne's database and I'd already be screwed. (And the odds of them accurately guessing your string are rather small, if you pick anything reasonably ambiguous and not "password") All you have to do is simply not click links that don't have the proper auth word in the subject.

  • Re:Unpredictable (Score:3, Interesting)

    by tylernt ( 581794 ) on Wednesday June 28, 2006 @02:24PM (#15622875)
    > displaying a user-selected icon
    Heck, why not allow a user to upload their own image (perhaps even a photo of themselves). If you store the image on the legitimate website's server, even a phisher exploiting a UI, browser, or cookie vulnerability wouldn't fool the user.
  • Re:Half-azzed study (Score:3, Interesting)

    by Zardus ( 464755 ) <yans@yancomm.net> on Wednesday June 28, 2006 @04:59PM (#15623951) Homepage Journal
    Well, it'd be a setup like this: you get an email sending you to http://bonkofamerica.com/ [bonkofamerica.com] (notice bonk instead of bank) telling you to login quick to fix something or other. You go there, enter your user ID, select the state that you got your account in, and click login.

    BoA's servers haven't been touched yet, just the phisher's. Once the phisher receives this info, they make a query to BoA's servers and input the info that you've given them (the username and state). BoA sees that you're logging in from a new IP and sends a question along to the phisher. The phisher then displays that question in the page that they send to the user. To the user, it just seems like his bank took longer to display the security question than they normally do. The user puts in the answer and sends it (unknowingly, of course) to the phisher, and the phisher sends it to BoA. BoA sends back the image, which the phisher sends to the user.

    All the user sees is: Login Page -> Question Page -> Image Page. Perfectly ordinary, if slightly longer loading times. And since the phisher is the only one ever talking to BoA, there is only one security question ever asked. As far as BoA is concerned, the phisher is a perfectly normal user authenticating properly.

    The few things that can stop this are:

    - the user paying attention to the domain name
    - the security cert not being signed by a root cert authority and the user paying attention to the warning that pops up
    - some anti-phishing plugin (like the one discussed here or many others available)

    Of course, I'm sure some string of vulnerabilities can disable all these protections. Not to mention plain incompetence on the part of the banks. It could be my memory playing tricks on me, but I think I've seen banks forget to update their certs for a day or two after they expire. At that point, you just use the phone bank until they get their act together I guess.
  • by asuffield ( 111848 ) <asuffield@suffields.me.uk> on Wednesday June 28, 2006 @05:02PM (#15623974)
    > Become rich and hire the mob to find these people and break some knees?

    By and large, these people are the mob. Russian organised crime is into spam and phishing in a big way, and several of the other groups are getting in on the action. And it's no easier to shut them down today than it was a hundred years ago. They're using bribery, blackmail, pressure on the government from their semi-legitimate sides, and all the other usual tricks. When some of them finally do get arrested, they're always sacrificial pawns; another bunch of people is immediately set up to replace them.

    There are a few people out there doing this stuff on their own, but to make money from phishing you need a way to convert a long list of credit card numbers into money - it's far better suited to organised crime than to rogue asshats.
  • by Aerion ( 705544 ) on Wednesday June 28, 2006 @08:38PM (#15625122)
    Bank of America did this for a while. The first line of any e-mail they sent to you was "Authorization Phrase: %s", where %s was the phrase that the user entered on the website when entering their e-mail address.

    Suddenly, they stopped doing this around March 2005. I haven't a clue why.
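The mail-side check behind Jester99's "reverse-authentication string" in the subject line and the "Authorization Phrase:" first body line Aerion describes, as one added example; this is not code from either poster or from any bank. The registered phrases, the sender domains, the two line formats and the sample messages are constructed assumptions.

```python
import hmac
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: phrases this user registered with each institution,
# keyed by the domain the institution mails from.
SAMPLE_PHRASES = {"capitalone.com": "turkey", "bankofamerica.com": "blue heron"}
SUBJECT_RE = re.compile(r"--\s*auth:\s*(.+?)\s*$")           # Jester99's subject form
BODY_RE = re.compile(r"^Authorization Phrase:\s*(.+?)\s*$")  # Aerion's first-line form

def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def extract_phrase(msg):
    # Subject line first, then the first line of the plain-text body.
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    if m:
        return m.group(1)
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().lstrip().splitlines() if body is not None else []
    m = BODY_RE.match(lines[0]) if lines else None
    return m.group(1) if m else None

def classify(raw, phrases):
    # "verified" only when the mail carries the phrase registered for its
    # claimed sender; a spoofed From header alone never gets there.
    msg = message_from_string(raw, policy=policy.default)
    expected = phrases.get(sender_domain(msg))
    if expected is None:
        return "unknown-sender"
    got = extract_phrase(msg)
    if got is None:
        return "missing"
    return "verified" if hmac.compare_digest(got, expected) else "wrong"

def make_mail(sender, subject, body):
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"

# Constructed sample messages; the third only spoofs the From header.
SAMPLE_GOOD = make_mail("Capital One <alerts@capitalone.com>",
                        "Important message for user Jester99 from CapitalOne -- auth: turkey",
                        "Your statement is ready.")
SAMPLE_BODY = make_mail("Bank of America <alerts@bankofamerica.com>", "Your statement",
                        "Authorization Phrase: blue heron\nYour statement is ready.")
SAMPLE_PHISH = make_mail("Capital One <alerts@capitalone.com>",
                         "Urgent: verify your account", "Click here now.")
```

The phrase travels in clear text in every message, so, as Jester99 notes, anyone who can read the user's mail or the bank's database already has it; the check defends only against senders who have neither.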
