Fighting Phishing site at the front line - PowerPoint PPT Presentation

Title: Fighting Phishing site at the front line
Slides: 37
Provided by: fir99
Learn more at: https://www.first.org

Transcript and Presenter's Notes

1
Fighting Phishing site at the front line -- CNCERT/CC Anti-Phishing activities review
CNCERT/CC
Jun. 2005 FIRST www.cert.org.cn
2
Abstract
  • Overview of Phishing
  • Responsibility
  • Experience of CNCERT/CC
  • Review and prospect
  • Conclusion

3
Overview of Phishing
What is Phishing?
  • -- Phishing attacks use 'spoofed' e-mails and
    fake websites designed to bamboozle recipients
    into revealing confidential information with
    economic value such as credit card numbers,
    account usernames and passwords, social security
    numbers, etc.

4
Overview of Phishing
  • Phishing is Epidemic
  • --7 of 10 people who received a phishing e-mail
    were fooled by it
  • --15% were tricked into providing personal
    information

5
Overview of Phishing
  • Damage
  • --Average economic loss of $115 per adult
    duped. (E-Trust)
  • --$500 million lost due to phishing in the U.S.
    (APWG)
  • --One phishing site was visited 98 times in
    48 hours (98 different IPs)

6
Overview of Phishing
  • Statistics
  • Up to the end of 2004, CNCERT/CC received 230
    phishing reports from over 33 financial and
    security organizations worldwide.

7
Overview of Phishing
  • Statistics

8
Overview of Phishing
  • Statistics Dec. 2004-March 2005(APWG)

9
Overview of Phishing
  • Statistics in March, 2005 (APWG)
  • --Number of active phishing sites reported in
    March: 2870
  • --Average monthly growth rate in phishing sites,
    July 2004 through March 2005: 28%
  • --Number of brands hijacked by phishing campaigns
    in March: 78
  • --Number of brands comprising the top 80% of
    phishing campaigns in March: 8

10
  • Statistics in March, 2005 (APWG)
  • --Country hosting the most phishing websites in
    March: United States
  • --Contain some form of the target name in the URL: 31%
  • --No hostname, just an IP address: 48%
  • --Percentage of sites not using port 80: 3.89%
  • --Average time online for a site: 5.8 days
  • --Longest time online for a site: 31 days
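
The three URL characteristics in the APWG figures above (a bare IP address instead of a hostname, a port other than 80, and the target brand's name placed somewhere in the URL) are cheap to check mechanically. The following is an added example, not code from the presentation or from CNCERT/CC; the brand name "examplebank", its legitimate domain "examplebank.com" and the sample URLs are constructed for the demonstration. It extracts the three features from a URL and flags a URL as suspicious when the host is a raw IP, the port is non-standard for the scheme, or the brand appears in the URL while the host is not the brand's real domain (that last combination is a generalization of the "target name in URL" statistic, since a brand name legitimately appears in the brand's own URLs).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed brand and legitimate domain for this example; a CSIRT would
# load these from the list of institutions it protects.
BRANDS = ("examplebank",)
LEGIT_DOMAINS = ("examplebank.com",)
DEFAULT_PORTS = {"http": 80, "https": 443}


def url_risk_features(url, brands=BRANDS, legit_domains=LEGIT_DOMAINS):
    """Return the URL characteristics from the APWG statistics as a dict."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # 1. "No hostname, just IP address": the host parses as an IPv4/IPv6 address
    try:
        ipaddress.ip_address(host)
        ip_host = True
    except ValueError:
        ip_host = False

    # 2. "Not using port 80": an explicit port that differs from the scheme default
    try:
        port = parts.port
    except ValueError:                 # malformed port string, treat as odd
        port = -1
    nonstandard_port = port is not None and port != DEFAULT_PORTS.get(parts.scheme)

    # 3. "Target name in URL": brand string anywhere in the URL ...
    brand_in_url = any(b in url.lower() for b in brands)
    # ... while the host is not the brand's own domain or a subdomain of it
    brand_domain = any(host == d or host.endswith("." + d) for d in legit_domains)

    reasons = []
    if ip_host:
        reasons.append("host is a bare IP address")
    if nonstandard_port:
        reasons.append(f"non-standard port {port}")
    if brand_in_url and not brand_domain:
        reasons.append("brand name in URL but host is not the brand's domain")

    return {
        "host": host,
        "ip_host": ip_host,
        "nonstandard_port": nonstandard_port,
        "brand_in_url": brand_in_url,
        "brand_domain": brand_domain,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def triage(urls):
    """Return (url, reasons) for every URL that trips at least one heuristic."""
    out = []
    for u in urls:
        f = url_risk_features(u)
        if f["suspicious"]:
            out.append((u, f["reasons"]))
    return out


# Constructed sample URLs (RFC 5737 / RFC 2606 addresses and names).
SAMPLE_URLS = [
    "http://198.51.100.7/examplebank/login",
    "http://www.examplebank.com.secure-login.test:5121/",
    "https://www.examplebank.com/login",
    "http://example.test/news",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS):
        print(url, "->", "; ".join(reasons))
```

A URL reported by a bank customer can be run through triage before anyone visits it; the output is only a prioritisation hint, since 52% of sites in the same APWG month did use a hostname and most used port 80.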

11
Responsibility
  • Who has the responsibility?
  • Bank
  • -provide a secure online transaction
    environment
  • -but new phishing techniques are also developed
    quickly

12
Responsibility
  • Law enforcement
  • -Investigate and arrest the phisher
  • -most phishing incidents cross several
    countries, so the legal procedure takes a long
    time.
  • In certain regions the ISP only keeps logs
    for 30 days, and the procedure may take longer
    than that.

13
Responsibility
  • Service provider
  • -locate the host and find out the user information
  • -most of the hosts were compromised; their owners
    are also victims and cannot be forced to take down
    the phishing site.

14
Responsibility
  • Bank customer
  • -Report the phishing site, avoid the
    phishing scam
  • -They may not know how to distinguish a phishing
    site from a normal site.

15
Responsibility
  • CSIRT
  • -CSIRTs have trusted contacts across multiple regions
  • -CSIRTs have the research ability to follow
    new phishing tricks.
  • -CSIRTs provide professional consultation to the
    public

16
Responsibility
  • CSIRT
  • -Public users trust and are willing to cooperate
    with CSIRTs
  • -CSIRTs provide public awareness education

17
Responsibility
  • CSIRT is the chain that links every point in
    anti-phishing

18
Experience of CNCERT/CC
  • Phishing techniques are changing rapidly
  • - Since 2004, phishing has gone through three
    generations.

19
Experience of CNCERT/CC
  • First generation (before Oct. 2004)
  • --Fake appearance, IE redirection, address bar
    cover, pop-up login window.
  • --Purpose: to look like the normal bank site,
    so that it is hard to tell the two apart.

20
Experience of CNCERT/CC
  • Address bar block

21
Experience of CNCERT/CC
  • Pop-up log window

22
Experience of CNCERT/CC
  • unconventional Port

Pid  Process   Port   Proto  Path
436  svchost   -> 135   TCP  C:\WINNT\system32\svchost.exe
492  msdtc     -> 1025  TCP  C:\WINNT\system32\msdtc.exe
912  MSTask    -> 1026  TCP  C:\WINNT\system32\MSTask.exe
792  sqlservr  -> 1433  TCP  d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
896  r_server  -> 4899  TCP  C:\WINNT\System32\r_server.exe
964  http      -> 5121  TCP  c:\winnt\system32\http.exe
964  http      -> 5125  TCP  c:\winnt\system32\http.exe
964  http      -> 5180  TCP  c:\winnt\system32\http.exe
996  web       -> 6121  TCP  c:\winnt\system32\web.exe
996  web       -> 6125  TCP  c:\winnt\system32\web.exe
996  web       -> 6180  TCP  c:\winnt\system32\web.exe
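
The listing on this slide shows what an incident handler looks for on a compromised host: generically named web-server processes (http.exe, web.exe) dropped into system32 and listening on ports far from 80 or 443, each bound to several high ports at once. The following is an added example, not code from the presentation or from CNCERT/CC. It parses a listing in the "Pid Process Port Proto Path" format shown above (the sample input is the slide's own table, re-typed) and flags listeners with the three traits just named; the name list, port list and threshold are assumptions chosen for this demonstration, not an established signature.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input, transcribed from the slide's process/port table.
LISTING = r"""
436 svchost  -> 135  TCP C:\WINNT\system32\svchost.exe
492 msdtc    -> 1025 TCP C:\WINNT\system32\msdtc.exe
912 MSTask   -> 1026 TCP C:\WINNT\system32\MSTask.exe
792 sqlservr -> 1433 TCP d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
896 r_server -> 4899 TCP C:\WINNT\System32\r_server.exe
964 http     -> 5121 TCP c:\winnt\system32\http.exe
964 http     -> 5125 TCP c:\winnt\system32\http.exe
964 http     -> 5180 TCP c:\winnt\system32\http.exe
996 web      -> 6121 TCP c:\winnt\system32\web.exe
996 web      -> 6125 TCP c:\winnt\system32\web.exe
996 web      -> 6180 TCP c:\winnt\system32\web.exe
"""

# One row: pid, process name, "->", port, protocol, path (path may contain spaces)
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s*(\d+)\s+(TCP|UDP)\s+(.+?)$")

# Heuristic parameters (assumptions for this example)
WEB_PORTS = {80, 443, 8000, 8080, 8443}      # ports where a web server is expected
WEB_NAMES = {"http", "httpd", "web", "apache", "nginx"}
MULTI_PORT_THRESHOLD = 3                      # one pid on this many ports is notable


@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str


def parse_listing(text):
    """Parse the fport-style table into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            listeners.append(Listener(int(pid), proc, int(port), proto, path))
    return listeners


def suspicious_listeners(listeners):
    """Return (pid, port, path, reasons) for each listener that trips a heuristic."""
    ports_per_pid = Counter(l.pid for l in listeners)
    findings = []
    for l in listeners:
        name = l.process.lower()
        path = l.path.lower()
        reasons = []
        if name in WEB_NAMES and l.port not in WEB_PORTS:
            reasons.append(f"web-server process on unconventional port {l.port}")
        if name in WEB_NAMES and "\\system32\\" in path:
            reasons.append("web-server binary located in system32")
        # svchost legitimately hosts many services, so exclude it from this rule
        if ports_per_pid[l.pid] >= MULTI_PORT_THRESHOLD and name != "svchost":
            reasons.append(f"pid {l.pid} bound to {ports_per_pid[l.pid]} ports")
        if reasons:
            findings.append((l.pid, l.port, l.path, reasons))
    return findings


def suspicious_pids(listeners):
    """Distinct process ids worth pulling off the host for analysis."""
    return {pid for pid, _, _, _ in suspicious_listeners(listeners)}


if __name__ == "__main__":
    for pid, port, path, reasons in suspicious_listeners(parse_listing(LISTING)):
        print(f"pid {pid:>4} port {port:>5} {path}: {'; '.join(reasons)}")
```

On the slide's listing this singles out pids 964 and 996 and leaves svchost, msdtc, MSTask and sqlservr alone; a hit is a prompt to image the binary and check its strings and version resource, which is how the "Russian version" observation on the next slide would be made.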
23
Experience of CNCERT/CC
  • Extra info
  • --most of the phishing web servers planted in
    the compromised hosts are Russian versions.
  • --and some of the evidence is related to the
    Russian region.

24
Experience of CNCERT/CC
  • Second generation (Oct. 2004-Mar. 2005)
  • --Combined with a backdoor, key logger, or Trojan.
  • --Purpose: to hijack the user's information through
    spyware.

25
Experience of CNCERT/CC
  • The spyware detected on the phishing site
  • -JS/Stealus
  • -W32.Netsky
  • -Web/HTTP (Russian-version web server)
  • It has been used as spyware

26
Experience of CNCERT/CC
  • Third generation (Mar. 2005- )
  • --Exploit DNS cheating, botnets, and dynamic domains
  • --Purpose: to make the phishing site hard to
    detect and investigate

27
Experience of CNCERT/CC
  • Pharming, the revival of an old trick
  • uses malware/spyware to redirect users from
    real websites to fraudulent sites (typically
    DNS hijacking).

28
Experience of CNCERT/CC
  • Devious DNS tricks
  • Dynamic domain, dynamic IP
  • CNCERT/CC found many phishing sites hosted on ADSL
    users' PCs, which are live only while the user is
    online.

29
Experience of CNCERT/CC
  • Devious DNS tricks
  • AusCERT found:
  • A domain name was registered, similar to the
    bank's.
  • 5 name servers were listed in the WHOIS record.
    These changed every day or so.
  • Each of these 5 name servers resolved the fake
    bank domain to 5 other servers. These changed
    every 30 minutes or so.
  • We saw the IP of the phishing site move across 44
    different IPs in a short space of time (see below for
    IPs).
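
The AusCERT observation above (answers rotating every 30 minutes, 44 addresses in a short time) is the pattern a resolver log makes visible if someone looks for it, and the ADSL-hosted sites on the previous slide produce the same churn from the victim side. The following is an added example, not code from the presentation, CNCERT/CC or AusCERT. It builds a constructed resolver log in which a look-alike domain rotates through a pool of 44 invented addresses, five per answer, with a new answer set every 30 minutes, while the genuine domain always returns the same two addresses; it then computes per-domain churn metrics and flags a domain once it has shown at least 10 distinct addresses and at least 5 answer changes. The domain names, addresses, thresholds and the /16 prefix count are assumptions for this demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample data ------------------------------------------------
# Domain names (RFC 2606 reserved TLDs) and addresses are invented here.
FLUX_DOMAIN = "examplebank-secure.test"      # the look-alike phishing domain
GENUINE_DOMAIN = "examplebank.example"       # the bank's real domain
FLUX_POOL = [f"10.{n}.0.10" for n in range(44)]   # 44 addresses in 44 distinct /16s
GENUINE_IPS = ("192.0.2.10", "192.0.2.11")


def make_sample_log(lookups=48, interval=timedelta(minutes=30)):
    """Resolver log as (timestamp, domain, answer IPs): 48 lookups = 24 hours."""
    start = datetime(2005, 6, 1, 0, 0)
    log = []
    for k in range(lookups):
        ts = start + k * interval
        # five addresses per answer, sliding through the pool each 30 minutes
        answers = tuple(FLUX_POOL[(5 * k + i) % len(FLUX_POOL)] for i in range(5))
        log.append((ts, FLUX_DOMAIN, answers))
        log.append((ts, GENUINE_DOMAIN, GENUINE_IPS))
    return log


# --- detection ---------------------------------------------------------------
def slash16(ip):
    """Coarse network key: first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def flux_report(log, min_unique_ips=10, min_changes=5):
    """Per-domain churn metrics; 'fast_flux' is set when both thresholds are met."""
    by_domain = defaultdict(list)
    for ts, domain, answers in log:
        by_domain[domain].append((ts, frozenset(answers)))

    report = {}
    for domain, entries in by_domain.items():
        entries.sort(key=lambda e: e[0])
        unique_ips = set().union(*(answer for _, answer in entries))
        # count lookups whose answer set differs from the previous lookup's
        changes = sum(1 for (_, a), (_, b) in zip(entries, entries[1:]) if a != b)
        span_hours = (entries[-1][0] - entries[0][0]).total_seconds() / 3600
        report[domain] = {
            "lookups": len(entries),
            "unique_ips": len(unique_ips),
            "unique_prefixes": len({slash16(ip) for ip in unique_ips}),
            "answer_changes": changes,
            "span_hours": span_hours,
            "fast_flux": len(unique_ips) >= min_unique_ips and changes >= min_changes,
        }
    return report


if __name__ == "__main__":
    for domain, m in flux_report(make_sample_log()).items():
        flag = "FAST-FLUX" if m["fast_flux"] else "stable"
        print(f"{domain:28} {m['unique_ips']:3} IPs / {m['unique_prefixes']:3} prefixes, "
              f"{m['answer_changes']:3} changes in {m['span_hours']:.1f} h -> {flag}")
```

The same computation can be pointed at a passive-DNS feed or a recursive resolver's query log; a take-down request is then backed by the list of addresses and the rate at which they rotated, rather than the single IP that happened to answer when the report came in.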

30
Experience of CNCERT/CC
  • Bot-net
  • Netcraft said a botnet can be used as a nameserver
    to phish.
  • CNCERT/CC detected a botnet with 100 thousand
    bots. It is a serious situation once a botnet is
    used to phish.

31
Review and prospect
  • CNCERT/CC
  • -Public awareness education
  • -Anti-phishing consultation
  • -Anti-phishing investigation and take-down
  • -Anti-phishing technical research
  • -Participation in the APWG WG

32
Review and prospect
  • Future trend
  • -- Financial institutions will continue to be top
    targets. Phishing attacks will victimize the
    identity of small to medium size institutions.
  • -- Phishing attacks will increase in
    sophistication.
  • -- Use of Trojans, screen captures and key
    loggers will increase.
  • -- Attacks that target the DNS and router
    infrastructure will increase.

33
Review and prospect
  • Future trend
  • -- Phishing attacks will exploit global events
    such as tsunamis and holidays.
  • -- The distinction between phishing, spyware, and
    malware will blur.
  • -- The time between the discovery of an exploit
    and its use in phishing will shrink.
  • --Browser-specific phishing attacks will emerge.

34
Review and prospect
  • Establishing a procedure of cooperation with law
    enforcement is worth considering

35
Conclusion
  • -Anti-phishing is a long-term fight
  • -Anti-phishing is a good place for CSIRT practice
  • -A trust relationship is required
  • -Anti-phishing is a way to establish the trust
    relationship.

36
  • Thank you
  • E-mail: larryliu_at_cert.org.cn