Friday, May 27, 2005

Security Briefing #4

Phishing Gets Sophisticated

First, a cautionary tale:

Chris Prosise, a security consultant and VP at Foundstone, shared a recent case history.

He told the story of an attorney who'd been defrauded $50,000 from her online bank account. It seems she logged into her account one day last summer and discovered that $20,000 had recently been transferred out of the account without her approval. She immediately called the bank and alerted them to what she believed was a security problem at their end. The bank changed her password and login and told her the new password and login over the phone. The bank also called in Prosise's company to do an immediate security audit to find out if the problem was at their end -- or if the woman had unwittingly given others access to her account. The woman logged into her bank account, using the new password and login and was reasonably satisfied the problem was behind her.

But when she logged into her account again later that day, she discovered that another $30,000 was missing.

So how did this happen? How did the intruders get her brand new password and login so quickly? Was her phone tapped? Was there an insider at the bank aiding the criminals?

A few background details:
--She was using a home computer, connected via dialup to the Internet
--She had never logged into her online bank from anywhere but her home computer
--She did not own a laptop computer and had never used any wireless networks
--She said she had never responded to any bank or eBay phishing emails
--She said she was very careful with her password and login and had never shared them with anybody or stored them on her computer
--She was using a firewall and anti-virus software.

Since this message has 'phishing' in the title, you may have guessed that that's what happened -- she gave away the information as a result of a phishing request.

If that was your guess -- you're right. But she didn't respond to the type of email we talked about in our last message. Instead, she followed what looked like a legitimate link to a legitimate website that she regularly visited.

The phishing she was hit with represents a new type of attack, one that's targeted at a specific audience. She was a real estate attorney. The site she visited was a professional real estate site aimed at real estate attorneys. The message looked like so many of the other messages the site sends out regularly to alert users of new content. She followed the link in the message, just as she had many times before. The regular site (actually a hacker's duplicate of the site) opened when she clicked the link in the email message. She read the page and thought nothing more of it.

What she didn't know (aside from the fact that this was a duplicate of the legitimate site) was that when she loaded the page, that page installed trojan software on her computer. (Yes, websites CAN install software on your computer.) This trojan software included a keylogger and an itty-bitty email program. A keylogger is a program which records keystrokes and mouse clicks. When she logged into her online bank, the keylogger recorded the password and login and emailed them to a recipient in Romania. Once she logged out, the Romanian logged in and transferred money to his account.

Note: even though the bank was using secure web pages (https://) the keylogger got around that and was able to record the information. So, don't think that using a secure site means you are secure.

So how can we protect ourselves from such attacks?
  1. Use a firewall and anti-virus software and keep them up to date. (It's possible that neither would have stopped this attack, though, since most AV software doesn't detect trojans and the installation program could've slipped by the firewall.)
  2. Keep Windows and Internet Explorer up to date and patched at all times. (Yes, Mac users, these kinds of attacks have so far only been detected on Windows machines. But most security analysts agree that as Macs gain popularity, they too may become targeted.)
  3. Don't use Internet Explorer. (My next Security Briefing installment will try to convince you to follow this advice.)
  4. Never follow links in email messages, even if you trust the source. An alternative would be to have your email software NOT display HTML messages. The message this woman received (as well as all those eBay and bank phishing messages) uses HTML because with HTML you can do things like disguise web addresses. I'm hesitant to recommend this because so many legitimate organizations are now sending email in HTML, and disabling this feature would make those messages very hard to read.

Another Note: Some of you may be wondering if the keylogger could've snagged the password and login had she cut and pasted her password into the login page instead of just typing them in. The answer is, 'yes, probably.' Most keyloggers can also catch data that's cut and pasted.
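Point 4 above says HTML mail lets a sender disguise web addresses: the text you see in the link can name the real site while the link itself points somewhere else. The checker below is an added example, not part of this briefing or of any mail program; it parses an HTML message, pairs each link with its visible text, and reports any link whose visible text names a different host than the one the link actually goes to. The sample message and every domain in it are constructed placeholders.

```python
"""Flag links in an HTML e-mail whose visible text disguises where they go.

Added example, not code from the original briefing. The sample message below
is constructed for illustration; the domains in it are placeholders, not real
sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a host or URL in the visible link text,
# e.g. "www.example-realty.test" or "https://www.example-realty.test/news".
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it has none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_disguised_links(html: str):
    """Return (visible_text, href) pairs for links whose visible text names a
    host other than the one the href actually points to.

    Links whose visible text contains nothing host-like ("click here") are not
    reported: nothing about them is disguised, though the briefing's general
    advice not to follow links in e-mail still applies to them.
    """
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        match = _HOST_RE.search(text)
        if not match:
            continue
        shown_host = match.group(1).lower()
        real_host = _host_of(href)
        if real_host and shown_host != real_host:
            suspicious.append((text, href))
    return suspicious


# Constructed sample: a "new content" alert like the one in the briefing.
# The first link's text matches its target; the second shows the legitimate
# host but points to a look-alike domain; the third is plain "click here".
SAMPLE_EMAIL = """
<html><body>
<p>New articles this week on <a href="https://www.example-realty.test/news">
www.example-realty.test</a>.</p>
<p>Read the full update at
<a href="http://www.example-realty.test.attacker-placeholder.test/login">
https://www.example-realty.test/update</a></p>
<p><a href="https://www.example-realty.test/unsubscribe">click here</a> to unsubscribe.</p>
</body></html>
"""

if __name__ == "__main__":
    for text, href in find_disguised_links(SAMPLE_EMAIL):
        print(f"DISGUISED: shows {text!r} but points to {href}")
```

Run on the sample, it reports only the second link, whose visible text reads as the real site's address while the href goes to a look-alike host. A mail client that displayed the raw href next to the visible text would make the same mismatch obvious to the reader, which is the practical point behind disabling HTML display.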

Next Security Briefing: Why You Should Not Use Internet Explorer.

