Date: Fri Jun 30 07:21:00 2006
From: joshuaperrymon at gmail.com (Josh L. Perrymon)
Subject: FW: Are consumers being misled by "phishing"?

> -----Original Message-----
> From: Ajay Pal Singh Atwal [mailto:ajaypal@...bec.org]
> Sent: Friday, 30 June 2006 2:46 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Are consumers being misled by "phishing"?
>
> Here is one phishing site for paypal
>
> http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html
>
> >>>
> This is not a bad job of duplication. However, pay-pal and similar sites
> are used way too much for this type of attack in my opinion. The phishing
> email would probably be sent to every email address they could harvest,
> setting off every alarm Websense has.
>
> Phishing attacks are most effective when duplicating something like OWA or
> Citrix portals, or even better, custom-built company portals facing the
> net, and only sent to a handful of addresses gathered from company X.
>
> One interesting note about the site above is that it seems to relay its
> data back to the attacker using POST instead of relying on an underlying
> mail program/script.
>
> ------ POST data from the phishing site above ---
>
> HTtp://www.yourfreespace.net/users/payal/Processing+Login.html?login=done0%3F847&password=1&email=1&altaddr=1&checkguar=1&PPIPProtPlus=PASS_encIP=62.245.23.454&enctype=blowfish&continue=ProcessingLogin&acceptlogin=pass&acceptpassword=pass&LoginAttempt=SecureLoginPass&SecurityMeasureCode=noneb2baf0b6a57d39abd6c44b48d6fe3559112c21e54b7e705ecc5116b3c7c38c37949e8aa81848934faf0821be04210e8c2ded3c4159edbee3ee1439f3892a3e9&Access=1&Submit=ProcessingLogin&cmd=_login-processing&login_cmd=_login-done&login_access=11680108541
>
> ------------------------------------------------------------------------------------------------------
>
> Protecting against this type of attack???
> I don't know of many existing content gateways / email filters that will
> stop the initial email if the attack is a one-off and sent on a small scale.
> It's just some verbiage with an <A> and a link to the attacker's IP address or
> site hosting the phishing site. A lot of times the web servers have been
> compromised and the http server is on a non-standard port, unless port 80
> wasn't used before.
>
> Then, when the user clicks on the link in the phishing email, it opens
> the browser w/o triggering any alarms. (I haven't visited any sites that
> the new M$ phishing filter picked up from its whitelists.)
>
> Enters password.. game over.
>
> The attacker now logs in using the newly harvested credentials. This also
> works with token password generators (nothing new here), given it's only a
> 60-second window to log in after acquiring the first token code.
>
> Ideas???
> -----
> End-user security awareness and training is the most important deterrent.
> Whitelisting isn't going to stop small-footprint attacks directed at a
> single company and a handful of users.
>
> Most companies believe that blocking HTML in email handicaps email's
> effectiveness. (Screw the newsletters.. put it on a website.)
>
> Users should copy links from the email into the browser but don't.
>
> Certificates will protect where tokens fail.
>
> Network Protection:
> I believe that it's possible to develop "widgets" to alert on this type of
> directed phishing attack. First you have to have the ability to monitor all
> email traffic. This shouldn't piss off legal because all users should have
> already signed off on this.
>
> The most effective would be to monitor all known public email addresses,
> including "planted" email addresses placed in forums and webpages to be
> harvested. This would provide a greater % that traffic sent to those
> addresses are directed attacks.. (Like an Email Honeypot :)
>
> (yes... need to copyright that one quick muhahah :)
>
> It should be easy to develop an analysis to pick up on standard phishing
> emails. You would look for Anchors / links with IP addresses that resolve
> outside of the "known-whitelisted" address list. This should at least
> alert and place the email in a second-level queue for analysis. You could
> also do some type of grep on the email link looking for company X verbiage.
>
> M$ Phishing filter may even be USEFUL (Almost....)
>
> So using the methods above you would have a system to alert on potential
> phishing attacks, scanning all emails or preferably only public emails,
> including "planted" ones.
>
> The widget performs analysis to determine if the email is a phishing
> attack.
>
> This process could be automated to perform the whois and so on. So now we
> should have determined the IP or block for the hosted phishing site. We
> can use something like M$ phishing filter: send it the new whitelisted IP
> address of the phishing site and the browser should block the site. If the
> widget monitors all emails coming into the company then it should have the
> ability to do some trending of who received certain emails, sorted on
> subjects for instance. Once you found the phishing email you would have a
> known list of all email addresses that received the email once the attack
> has been spotted.
>
> This could be used as additional analysis to monitor traffic after the
> attack.
>
> Just some ideas I have had. If anyone is interested in working with us on
> developing something like this get in touch with me:
>
> Josh.perrymon@...ketfocus.com
>
> CEO
>
> www.packetfocus.com
>
> www.packetfocus.blogspot.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
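The detection "widget" sketched in the message above, written out as an added example; this is not the author's code and not anything from PacketFocus. It implements the four signals the post lists: delivery to a "planted" honeytoken address, an anchor whose host is a raw IP address, sits on a non-standard port or falls outside a known-good host list, company verbiage next to such a link, and trending of recipients by subject once a lure is spotted. The defender ("Company X" at companyx.example), the known-good hosts, the honeytoken addresses and the three sample messages are all constructed for the example.

```python
"""Directed-phishing triage filter (added example, not the post author's code).
All hosts, addresses and messages below are constructed sample data."""
import email
import ipaddress
import re
from collections import defaultdict
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed defender "Company X"; the honeytoken addresses were "planted" on
# forums and never given to a real user, so any mail to them is unsolicited.
KNOWN_GOOD_HOSTS = {"companyx.example", "owa.companyx.example", "citrix.companyx.example"}
HONEYTOKEN_ADDRESSES = {"forum-bait@companyx.example", "webmaster2@companyx.example"}
COMPANY_VERBIAGE = re.compile(r"\b(company\s*x|owa|citrix|portal)\b", re.I)
FLAG_THRESHOLD = 2  # score at which a message goes to the second-level queue


class _AnchorHrefs(HTMLParser):
    """Collect http/https href values of <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value and value.lower().startswith(("http://", "https://")):
                self.hrefs.append(value)


def extract_links(html_body, text_body):
    parser = _AnchorHrefs()
    parser.feed(html_body)
    return parser.hrefs + re.findall(r"https?://[^\s<>\"']+", text_body)


def host_is_suspicious(url):
    """True for a raw-IP host, a non-standard port, or a host off the known-good list."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return True
    try:
        ipaddress.ip_address(host)
        return True  # anchor points straight at an IP address
    except ValueError:
        pass
    try:
        if parts.port not in (None, 80, 443):
            return True  # compromised host serving on an odd port
    except ValueError:
        return True  # unparsable port
    return not any(host == good or host.endswith("." + good) for good in KNOWN_GOOD_HOSTS)


def triage(raw_message):
    """Score one RFC 822 message and return the evidence with a flag decision."""
    msg = email.message_from_string(raw_message, policy=default)
    to_header = msg["To"]
    recipients = {a.addr_spec.lower() for a in to_header.addresses} if to_header else set()
    html_body, text_body = "", ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html_body += part.get_content()
        elif ctype == "text/plain":
            text_body += part.get_content()
    links = extract_links(html_body, text_body)
    bad_links = [u for u in links if host_is_suspicious(u)]
    score, reasons = 0, []
    if bad_links:
        score += 1
        reasons.append("link outside known-good hosts: " + bad_links[0])
    if recipients & HONEYTOKEN_ADDRESSES:
        score += 2  # nobody legitimate mails a planted address
        reasons.append("delivered to planted honeytoken address")
    if bad_links and COMPANY_VERBIAGE.search(html_body + " " + text_body):
        score += 1
        reasons.append("company verbiage beside off-site link")
    return {"subject": str(msg.get("Subject", "")), "recipients": recipients,
            "links": links, "score": score, "reasons": reasons,
            "flagged": score >= FLAG_THRESHOLD}


def recipients_by_subject(reports):
    """Trend flagged lures by subject so every recipient of a spotted attack is listed."""
    seen = defaultdict(set)
    for r in reports:
        if r["flagged"]:
            seen[r["subject"]] |= r["recipients"]
    return {subject: sorted(addrs) for subject, addrs in seen.items()}


# Constructed sample traffic: one directed lure, one internal notice, one newsletter.
MSG_LURE = """\
From: "IT Helpdesk" <helpdesk@companyx-support.example>
To: forum-bait@companyx.example, jdoe@companyx.example
Subject: Company X OWA password expiry
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your Company X OWA password expires today.</p>
<a href="http://203.0.113.45:8080/owa/auth/logon.aspx">Sign in to keep your mailbox</a>
</body></html>
"""
MSG_INTERNAL = """\
From: it-ops@companyx.example
To: jdoe@companyx.example
Subject: OWA maintenance window tonight

OWA will be unavailable 22:00-23:00. Status: https://owa.companyx.example/status
"""
MSG_NEWSLETTER = """\
From: digest@news.vendor.example
To: jdoe@companyx.example
Subject: Weekly security digest

This week's issue: https://news.vendor.example/issue/42
"""
SAMPLE_MESSAGES = [MSG_LURE, MSG_INTERNAL, MSG_NEWSLETTER]
```

Running `recipients_by_subject([triage(m) for m in SAMPLE_MESSAGES])` flags only the lure (off-site raw-IP link on port 8080, a honeytoken recipient, and "Company X OWA" beside the link) and returns both of its recipients under its subject; the vendor newsletter scores one point for its external link but stays below the threshold, which is the "second-level queue" distinction the post draws between a directed lure and ordinary off-site mail.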