New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims 71
chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
How are they validating ID? (Score:2)
Re: (Score:3)
Unlike the usual IP-restricted entry
This doesn't use IP addresses to verify. Using IP addresses requires you to know the IP addresses of your intended victims, severely limiting the usefulness. This can send emails automatically and still filter out the incoming requests.
Re: (Score:2)
If they knew who was not a target victim in the first place, why send them emails too? Sounds silly to me
Re:How are they validating ID? (Score:4, Informative)
I use precisely this technique for presenting discount vouchers to people who have signed up to a restaurant mailing list, identical system but for white hat purposes:
1 - send an email to the relevant contacts, including an embedded image at domain.com/voucher.php?id=xyz where "xyz" is a unique account ID.
2 - when the recipient receives the email the voucher that is displayed has their name on it, the image is generated on-the-fly using the unique ID to get the name right.
3 - (this is the important bit) - if anyone logs into domain.com/voucher.php without passing a correct ID then they simply see a voucher marked as invalid, and a link to where they can sign up. In my case it stops non-members getting a voucher, in the spammers case it stops a non-target (including investigators) from seeing the exploit being presented to a "customer", most likely someone from a list of known phishing mugs.
Re: (Score:1)
Unless they collect their links from emails tagged as phishing...
Re: How are they validating ID? (Score:3)
Re: How are they validating ID? (Score:2)
Re: (Score:2)
When the package exploits a server, it alters pages/links to redirect each unique visitor to a dynamically generated temp folder on itself which contains the phishing code, and afterwards is deleted.
Fabulous... I just need to make my mail server, PING every URL in an e-mail before delivering the message, and if it's a phishing attempt, the user will get a 404 error instead of the phisher's intended page.
Another possibility is to rewrite every URL in every e-mail (except ones in a whitelist),
Re:How are they validating ID? (Score:5, Interesting)
So which is it? Aren't they using IP addy to verify the identity of the sucker? Or is their some other source (their unique URL that they post)?
We've started seeing some of these newfangled phishing emails over the last few days. The victim's email address is used as an identifier. It is simply appended to the URL by the mailer bot, so that the link sent to the victim will look something like this:
hxxp://compromisedsite.ru/joe33/somebank/?victim@gmail.com
That URL would lead to a script hosted on a compromised site, which looks up the email address in a whitelist before serving either a credential-collecting scam page or a bogus 404 error.
But this is all very basic stuff, and it is not hindering forensic investigators in the least. The folks investigating such scams don't just stumble upon them by accident; they rely instead on vigilant users and admins who take the time to report phishing emails. Once they get a report they already have a whitelisted URL to begin with.
Need better security (Score:3, Interesting)
It looks like banks and gov departments can no longer be trusted as normal web sites. They have to be setup to be only available through SSL and must use client certificates for authentication with some way of verifing that the server certificate matches the client certificate.
Only then could the software (possibly a custom configuration of a web browser, maybe an normal one) actually be sure of defeating a phishing attack.
Of course the main reason it'd work is that with a client certificate there's no password to "phish" for.
Something tells me that the banks are too lazy to do this; every other web site will have to be SSL before they get on the bandwaggon.
Re:Need better security (Score:4, Interesting)
They need to do like European banks and issue keypads that generate one-time codes in conjuction with the card.
Re: (Score:3)
As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions. One example uses a user ID, a password (split into two entry fields) and the site displays a picture that you chose when you first activated the "web access" .
This isn't that secure and because a lot of their site is HTTP there's a good chance that "sheep" attack will work too.
Re: (Score:2, Interesting)
US banks are so uncaring about user's security. Even in third-world countries like Indonesia, all major banks have incorporated token/OTP (or at least SMS) for all personal/business accounts.
As long as you have enough rupiah (Score:2)
Even in third-world countries like Indonesia, all major banks have incorporated token/OTP (or at least SMS) for all personal/business accounts.
But do you have cell carriers charging 0.20 USD (2000 rupiah) per received text message on entry-level plans?
Re: (Score:2)
That's because it costs money. In North America, it's all about the money - it costs more to issue everyone a challenge-response token (not OTP) than to just pay up whatever fraud happens.
And no, OTP keys are useless unless they're challenge response based. Because these same phish sites often do MITM attacks on the rea
Re: (Score:2)
This is what my bank does, actually. The challenge/response method after inserting your card into the reader and entering your PIN. Sometimes there are several challenges, based on what you're doing (multiple transactions). The response is then entered into the website to validate the payment/transfer. You can configure some recipients to not require challenge/response after you've done it the first time (utilities, cable, etc.).
Sorry for using the wrong terms. THIS is the method that US banks should be usi
Re:Need better security (Score:4, Informative)
As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions.
Here in the UK HSBC, Barclays and others issue OTP calculators to all their Internet banking customers.
Re: (Score:2)
Yes, same here in Switzerland at UBS. I have a SmartCard and a reader, and I have a PIN, and then there's some sort of challenge/response magic going on.
There was an article in the newspaper recently, and they compared the various authentication-mechanisms used for Swiss bank accounts, unsurprisingly, the outcome was that UBS had the most secure as well as the most user-unfriendly authentication process.
I guess online banking is where I'll always prefer security over ease-of-use.
Re: (Score:2)
Same thing with PostFinance in Switzerland.
Not terribly user-unfriendly, IMHO.
Re: (Score:1)
Not terribly user-unfriendly, IMHO.
No, not terribly user-unfriendly, I agree... then again, you may not be the best example of an average user, having listed PGP and S/MIME keys on your website :)
Re: (Score:2)
No, not terribly user-unfriendly, I agree... then again, you may not be the best example of an average user, having listed PGP and S/MIME keys on your website :)
Hah! Indeed. :)
I wish they'd allow smartcard/token authentication instead of the calculator though, as that'd likely be a bit faster. Oh well.
Re:Need better security (Score:5, Interesting)
Not at all. BankID, the dominant form of bank-authenthication in Norway issues OTP-calculators to everyone, including average private people with a perfectly ordinary account.
As an alternative, they have a solution where the SIM-card in your mobile-phone is used by an app to authenthicate you.
In both cases the same thing is true: logging in to your bank requires knowledge of your passphrase -- but *also* physical possession of a object - so a phisher would need to get both somehow, in order to be able to impresonate you.
It might not make phishing impossible, but it does make it a lot more difficult.
Re: (Score:2)
I have bank accounts with the Co-op, Nationwide and RBS and 3 provide OTP calculators.
Re: (Score:2)
All the dutch banks use SSL and OTP for consumer accounts.
Re: (Score:3)
Re: (Score:1)
As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions.
Most, if not all, banks in Sweden have keypads that generate one-time codes - for "normal" end-users, not just business users. This has ben the case for years. Some have different methods for logging in vs signing transactions. Some require an ATM/VISA/etc card with a chip on it.
Re: (Score:2)
Re: (Score:2)
For example, my bank allows two methods, ChipTAN and mTAN. These are fairly usual in Germany.
ChipTAN uses the user's bank card and a card reader. The reader is synchronized with the bank so that when combined with the correct
Re: (Score:1)
Re: (Score:2)
And gaining a user's ONE TIME password/pin gains them what?
Re: (Score:2)
The point of the keypads is that it verifies you're in posession of the card. You need the card, the reader and your PIN to generate the response code the website is looking for. When validating transactions, you need all of that plus a challenge code that the banking website provides.
So it's more than those keychain dongles that have changing codes on them...
Re: (Score:2)
Re: (Score:2)
It wouldn't. But a challenge/response system where you must have the card, reader, PIN and one-time code to log in and then, again, the card, reader, PIN, challenge from the website and the appropriate response code to make the transfer, would make life very hard for the phisher. The "identify" and "sign" functions are different actions, so you'd have to fool the user into signing the transaction.
Social engineering over the phone posing as bank representatives would probably be more effective than automatin
Re: (Score:1)
Would it be worth the expense?
what's the average cost/account holder of breaches? Is it really more than the $15 or so / year my Scottish spends on keypads?
Re: (Score:2)
I have no idea. I'd imagine that it would be worth it overall, though.
Quick Google search found card fraud costs $86M per year [techtarget.com].
Although...
One-time code devices and associated smart cards would likely s
Re: (Score:1)
According to the first paragraph in my link there's 26,000,000 mobile bank users in the US (I'm using this, the lowest possible valid number of account holders for this, as fewer people for same fraud means more fraud/person). I got this number by assuming 200,000,000 total account holders (108,000,000 x 2 approximated, as 108,000,000 was 46%, and currently 13% use mobile banking). If we take the US total fraud (approx .5 of 7.6 billion) and the 26 million numbers, we get about $136 per a mobile account hol
Re: (Score:1)
It'd be interesting to see:
1) how much dollar savings/account holder was saved in europe and asia (couldn't deduce it at a glance), and what the actual cost of those pads are (my friend pays $15 (10 pounds) for one, and has lost it more than once. Also, the ability to not bank if she leaves her purse at a friends for a day or two is an additional annoyance).
If fraud is costing the average account holder less than $20/year, I don't like the idea of giving the banks another way to charge fees...
Re: (Score:2)
The keypads are a small part, though, as I mentioned. Every point of sale would have to get a new reader to validate smart-cards and the PIN. I get funny looks in Europe when I use my US cards that have to be swiped. How quaint...
I've never bought anything online with my European cards, though, so I have no idea how that's implemented. I can't imagine every retailer is using a challenge/response system like the bank websites are... If it's just a matter of entering card information like we do in the US, the
Re: (Score:2)
What banking website are you using that doesn't use SSL/TLS? I think what you're suggesting is that instead of websites using a simple username and password (something you know), they should move to having user certificates for each client (something you have). The problem with that is you still have a single factor authentication, which is no more secure.
Bullshit. A good single factor is a lot more secure than a shitty single factor.
With passwords, you're still transmitting the secret token, which is what makes phishing work in the first place. With a client cert, you explicitly do not send your secret key. The phisher can't use that to impersonate you.
Certificates can be stolen (Score:3)
Re: (Score:3)
If World of freaking Warcraft can issue OTP devices to their players, big banks should be more than capable of providing the same. Even if it's just a smart-phone app (far less secure than a physical device, but more secure than nothing)
Re: (Score:2)
Re: (Score:2)
It looks like banks and gov departments can no longer be trusted as normal web sites.
While this statement may be true, I don't understand how you arrive at that this conclusion from TFA. This is a classic phishing attempt, as in go to a random website that is NOT the bank or gov web site.
It is the same as someone calling you up, claiming to be from the bank, and asking for account info. And then you saying the Bank's phone number can't be trusted.
Slightly redundant conclusion. (Score:3)
Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
The past tense should have been used in that sentence. Any security researcher worth their salt will *not* now move onto the next site upon getting a 404.
Re:Slightly redundant conclusion. (Score:5, Insightful)
A good security researcher would hopefully just paste in the link with one of the unique IDs that it came with in the honeypots/reports. Not exactly an insurmountable obstacle, this.
Re: (Score:2)
What if it expires after the first time it is used?
Re: (Score:2)
2. Associate an IP address (or ISP-specific range) with the mail address, for example by having malicious code in place in a website where the mail address is entered.
3. Store the IP/mail address combo in a database and use it to verify that the person visiting is likely to be the person the mail was supposed to reach.
4. ????
5. Profit
Sure, it's relatively much work but it's also relatively hard to get into.
Re: (Score:2)
Problem -- This is something you would like to avoid doing in general, because you don't want to let the spammer know that the email was sent to a mailbox that is read. With these, you can't avoid it, alas.
On the other hand, just the fact of obfuscation of this sort can be taken as evidence that the sender of the email has something to hide. Are there any non-phishy reasons for an email sender to do this? I can think of some plausible legitimate reasons that someone might think it was a good idea ... but
New? This is very old method. (Score:1)
I think I saw this 7 years ago...
pretty obvious thing to do!
Re: (Score:3)
email harvesters/spammers have been using unique strings in links to verify addresses a hell of a lot longer than 7 years.. probably longer than legitimate mass marketers have been doing it to get stats on each mailing campaign.
Does this really work though? (Score:5, Interesting)
So while it might afford some protection to the phishing site, it doesn't seem very likely that it would protect them from further scrutiny.
I think a bigger benefit for phishers is they can identify users who click on these links they can focus their attention on them rather than on users who don't. Somebody dumb enough to click on these links and fill in data is obviously a more valuable target than someone who never responds.
Personally I think the best way to combat phishers would be for major mail providers to work with banks and credit institutions to poison phishing sites with bogus data and flagged cards / accounts.
How is this new? (Score:3)
I've seen ones years ago that were PHP scripts that had different behavior based on who was coming in. (one of the more clever ones actually took over the site's main index ... but if the visitor was from the same domain as the server, it returned a near-duplicate of the original content and not the drug ads)
The 404 aspect does give me an idea that I think could make things trickier, but I'll be damned if I'm going to give spammers any ideas for things that they're not already using. (although, I guess it's possible that what I'm thinking of is what they're actually doing, but no security person would call a whitelist ... some person who's not really familiar with the security lingo might, though)
Re: (Score:2)
No ... because that would be obvious to what they're doing ...
The 404 makes someone think that it's already been cleaned up and already been dealt with.
New? (Score:1)
Not Impressed (Score:2)
Lets say url crafted is: http://www.example.com/some-spam-page.php?email=joe@example.com&id=f5b8fb60c6116331da07c65b96a8a1d1 [example.com]
<?php
$md5_check = md5($_GET['email'].'SomeSuperAwesomelyRandomSeedHere');
if($md5_check!=$_GET['id']){
header("Location:
die();
}
?>
Well that took me 30 seconds to come up with.