This is another of those posts to my internal corporate blog that I figured may have some use to the larger community so I’ve re-posted them here. The goal is user awareness and arming people with information as well as keeping these issues top of mind when they become more common.
If you have comments, other resources for information about these attacks, or see something in this note that doesn’t quite look right please let me know – I always appreciate feedback.
Original blog post:
Recently there has been quite a bit of press about various forms of phishing messages sent to organizations. Whether it’s a facebook email, an AT&T SMS text, or an email claiming to be a Microsoft update, the frequency is increasing. Most of the time, these have the same old clues that they are fraudulent such as poor grammar, links that claim to point to one site but point to something different, requests for sensitive information such as credit cards or login information and so forth. Unfortunately, some of these messages are becoming more advanced and multiple layers of techniques are available to attack you by sending a simple email. I want to review some of the recent techniques so you are aware of them.
SANS had a good diary entry summarizing some of these techniques – it’s worth a read if you have time. Below I’ve tried to summarize some of these forms of attack.
First, a few simple rules:
Always distrust links in email – from friends, organizations, co-workers or whatever. If an email has a link to a download – browse directly to the site and find the download, don’t click the link. If you are unsure – you can use a service like linkscanner to verify that the link is not malicious. This is the #1 thing that will protect you.
If the context of an email doesn’t seem right, or the grammar seems incorrect, be extremely suspicious. Companies put a lot of effort into making communications with their customers sound professional – phishing email messages typically do not put in so much effort.
Attachments should always be distrusted. It used to be “Attachments from unknown sources” but unfortunately its so easy to forge the sender of an email that you can’t even trust attachments from known sources. If you weren’t expecting the attachment – don’t open it without checking it out. You have a local virus scanner, you can also use services like VirusTotal to check files for malicious content.
Messages that are personally threatening should be verified with the source. If you get an email stating your Facebook account is getting disabled, that your bank has been taken over by the FDIC, that your email account is going to be disabled, etc – call the source and verify. It’s usually pretty easy to pick up the phone and find out if the message is legitimate – most of the time it is not, this is simply not how companies communicate with their customers.
Just because you use a Mac, doesn’t mean you’re safe. Many of the attacks are moving toward client side web attacks using Javascript. These attacks are OS independent and payloads are available for Mac just the same as Windows & Linux. While it may be harder to get administrative rights on your machine, that isn’t required to get access to your documents and such.
A note about your IT Department
It’s common for an attack to use the IT department as the source of the email or even a phonecall. This works because people trust their IT department, which is good. Your IT department will not do any of the following:
Send you an email, without having contacted you previously, which provides a link to download and install something. They may respond to your inquiry by providing a link, but they aren’t going to simply notify you out of the blue that you must install something.
Ask you for your password so they can make a change. They have the ability to change your password and will do so if they need access to your account. They’ll let you know they’re doing this, they don’t need your password.
Attach any executable file to an email and ask you to run it. If they want you to run something on your PC they will ask you to stop by or they will stop by your desk.
Ask you to go to an external site and enter your username and password to update information. They may send you a link to a new tool – such as http://phonebook.companyname.corp and ask you to update information there. If you are ever uncertain about the link being provided, send a note to IT and they will be happy to let you know if it’s legitimate.
What are some of the techniques you can expect to see?
The “update your PC” email:
There are a variety of messages recently which appear to come from Microsoft, your IT department, an anti-virus vendor or any other software vendor, claiming to offer an update for your computer. Typically, the approach in these messages is that you click a link which may do one of a few different things:
Download an application which are you asked to run. This application may install a malicious program on your PC.
Load a legitimate looking site which has javascript embedded to silently load malicious software on your machine.
Load a legitimate looking site which has javascript embedded to silently make a request to a site you are already authenticated against (more on this below).
The “please login to your account” email:
An easy way to capture your online banking password, your facebook password, or a variety of other accounts is to simply ask you to login to you account and provide you with a forged URL that looks like the site you are logging into. Infact, the page you login to may be an exact replica of the original site but the URL with never be identical (this is very difficult to change – but it is possible). You go to a site which asks you to login to facebook or your bank and the attacker immediately has your credentials to login.
The “your account will be closed” email:
This approach prey’s on someones fear that a bad thing will happen. You get an email saying something like “Your facebook account will be closed immediately if you do not respond” or “Your bank balance is overdrawn and you need to login and correct this immedately” or “You are in violation of XYZ law if you do not update your information”. These threats could be true, but typically serious problems with your important accounts aren’t communicated through email messages like this. You will generally get repeated notifications and a bank would probably give you a call. When in doubt – make a phonecall or send an email to the organization the email appears to come from. Don’t click the links in the email, reach out to them directly and find out what is going on – it’s much safer.
The “check out this site” email:
This is one of the oldest tricks in the book. A forged email which may or may not appear to come from someone you know contains a link to a site. The text of the email tells you that you should take a look at the site. You click the link and you are owned, it only takes a second. If a friend tells you they are going to send you something it’s one thing, if they send you something out of the blue – be suspicious of it. I have never had anyone get upset when I’ve sent them a response back asking “Did you send this to me? What is it?”.
And what type of things can someone do to me when I click one of these links?
The silent attack – cross site request forgery:
This is a particularly nasty one and difficult to detect. It can apply to any of the above types of email messages and only requires a click to execute. When you visit facebook, or maybe your online banking site after already logging in, do you have to re-authenticate? If you don’t, that’s likely because you have a cookie stored which gives you access to that site. Using Javascript, it’s possible for an attacker to use your browser to make a request to a site you are already authenticated to in the background, without your knowledge. There have been cases of bank transfers, password changes, or information gathering being done using this technique. CSRF is the new to you, but not so new hotness in serious client side attacks – it’s been a known risk since 1988 but not well published.
For a technical rundown of CSRF check out this OWASP page.
Here is a good FAQ with info about CSRF
Installation of a Trojan, rootkit, or other malicious software
Typically if you are being asked to run an application, the goal is to get some malicious code installed on your PC. This is the threat your virus scanner is designed to protect against but they aren’t perfect. Running an application you get in email is extremely dangerous. Even if it came from a friend, they very likely have no idea if it’s malicious or not. You should only run software that has been downloaded from the originators website.
As mentioned above, attachments may be tested using Virustotal to see if other anti-virus products flag them as malicious. Usually at least one vendor will detect something that is malicious – it may just not be the vendor you are using on your desktop.
Web site forgery for credential or information gathering.
In this attack a web site is forged to look like a legitimate site. You are asked to enter your username and password to login (which will probably either always work or never work – no matter if it’s right or wrong) or you may be asked to enter your personal information. Credit card information is becoming less common simply because people get nervous about that, but they don’t think twice about trying to login to facebook or myspace. Once that username and password is obtained, the attacker can try to re-use it to login to your banking sites, or any other site you use. Because many people re-use passwords this attack commonly works very well.
This has become so common that sites such as facebook have pages showing users how to detect a forged facebook site – it’s worth checking out.
Can’t I protect myself with some program?
There are a variety of technical methods which protect against the various attacks used by phishing messages. Here’s a quick rundown of the available options:
Virus Scanner: this is required and generally protects against malicious programs. Newer anti-virus products are also offering some phishing detection & browser protection.
Browser plug-ins: For Firefox, tools such as ‘No-Script’ prevent the execution of javascript from untrusted sites. These tools are very successful in limiting the success of many of the browser-based attacks which rely on calling javascript from an external site. They are a little inconvenient at first but once they understand what sites you frequently visit they become mostly transparent. Internet Explorer 8 has its own filters and Safari users can use “SafariBlock” to get functionality similar to No-Script.
DNS Services: Some DNS services such as OpenDNS actually protect users by not allowing malicious domains to resolve properly. This worked tremendously well during the Conficker breakout earlier this year because OpenDNS was able to disable access to the URL’s used by the virus to download instructions – it was also able to notify users who were infected because it could detect the malicious DNS requests.
For the Marketing Folks
SANS has put together a great summary of the steps marketers can take to make sure their organization and brand are not abused to send phishing messages. Much of the reason people fall for phishing attacks is because they can’t easily verify that the message is a fraud – make it easy for them.