There is a thread on the Webappsec mailing list regarding some statements I made about the blacklist approach to solving phishing that the browser companies are adopting. There are some things I think should be clarified for the people who are reading that list.
I respectfully disagree with the statement that there are programs that can solve phishing by authentication. I know exactly what he is talking about (DomainKeys/SPF records, etc.). The problem is that the bad guys are already adopting it. But instead of using wellsfargo.com they are using wellfs4rg0.com. People read it too quickly. Sure, it is properly authenticated to be from that user, but it doesn’t stop the user from thinking it’s from someone else. Also, you have the problem that no one can seem to settle on a standard. SPF is the easiest to use, but it’s far from secure. DomainKeys versus SenderID versus SPF, and variants of each, all make this even more complex, because you have different companies installing what they think is the best solution out there. And let’s not even go into the privatized versions of those same tools, which completely mess this up.
Then you have companies that do direct marketing on behalf of huge clients, like these mega banks we’re talking about. Now they have to adopt the same methodology. And don’t get me started on the additional cost of server hardware due to the performance hit. It’s just not that cut and dried. Calling them “good” products means that they solve the problem. I don’t think they even address the problem directly. They are only designed to detect whether the user who sent the email is the same user that is said to have sent the email. If the user is @wellfs4rg0.com, sure, it is them. How has that stopped the email from being delivered and stopped the user from clicking on it? Sure, now we have to rely on education. Read #5 about why educating users is the 5th dumbest idea in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/index.html
To answer some of the previous comments, blacklists DO work. The problem is that no one is using them (well, Netscape is, and a few very poorly used toolbars do, but that hardly makes up a majority). If you had those blacklists in every piece of email software, and content filters at the network level, and browsers, the name of the game would simply be how fast you could get the blacklist updated and sent to the clients (same as anti-virus, only the signatures are way easier to build). Also, these aren’t just blacklists pulled out of thin air. They are either detected using heuristics engines, or there is a canary (read: sacrificial user) who goes to the site, despite its perils, detects that it’s a phishing site and notifies one of the companies that deals with the blacklist. So the clock starts ticking, as far as when the blacklist can be updated, literally as soon as the first person clicks on an email (assuming that user doesn’t fall for it, and either they can tell it’s a phishing site or the application they are using detects it on their behalf). IE 7.0 has such a heuristics engine. As does WholeSecurity (now Symantec). Others are on their heels.
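To make the two points above concrete (an authentication pass is scoped to the sending domain, and the lookalike still has to be caught by a blacklist or a heuristic), here is a small triage routine. This is an added example, not code from the original post or from any of the products it names (IE 7.0, WholeSecurity, Netscape); the confusable-character table, the edit-distance threshold, the blacklist entries and the sample messages are all assumptions constructed for illustration, and real lookalike detection would also need a public-suffix list and IDN/homoglyph handling.

```python
"""Phishing-domain triage: why passing SPF/DKIM does not clear a lookalike.

Added example, not code from the original post or from any vendor it names.
The confusable table, the edit-distance threshold, the blacklist entries and
the sample messages are all assumptions constructed for illustration."""

# Assumed table of characters commonly substituted for letters in lookalike
# domains ('wellfs4rg0' folds to 'wellfsargo').
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
               "8": "b", "@": "a", "$": "s", "|": "l"}


def normalize(label: str) -> str:
    """Lower-case one DNS label and fold confusable characters to the
    letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost 1, so the transposition
    in 'wellfsargo' vs 'wellsfargo' counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(domain: str, protected, max_distance: int = 2):
    """Return (brand, reason) when `domain` imitates one of the protected
    brand domains, or None when it is the genuine domain or unrelated.
    Assumption: the registrable domain is the last two labels (no public
    suffix list, so 'co.uk'-style suffixes are not handled)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])
    for brand in protected:
        brand = brand.lower()
        if registrable == brand:
            return None  # the real thing, or a subdomain of it
        brand_label = brand.split(".")[0]
        dist = osa_distance(normalize(labels[-2]), brand_label)
        if dist <= max_distance:
            return brand, (f"{labels[-2]!r} is {dist} edit(s) from "
                           f"{brand_label!r} after confusable folding")
        if brand_label in labels[:-2]:
            return brand, f"brand name used as a subdomain of {registrable!r}"
    return None


def triage(sender_domain: str, auth_result: str, blacklist, protected):
    """Return (verdict, reason). `auth_result` is the SPF/DKIM/DomainKeys
    outcome ('pass', 'fail' or 'none'); a pass only says the message really
    came from `sender_domain`, not that `sender_domain` is who the user
    thinks it is."""
    host = sender_domain.lower().rstrip(".")
    if host in blacklist:
        return "block", "domain is on the phishing blacklist"
    hit = lookalike_of(host, protected)
    if hit is not None:
        brand, why = hit
        prefix = f"authenticated as {host} but " if auth_result == "pass" else ""
        return "quarantine", f"{prefix}it imitates {brand}: {why}"
    if auth_result == "pass":
        return "deliver", f"authenticated as {host}, no lookalike or blacklist match"
    return "deliver", f"no usable authentication for {host}, but no other signal"


# Constructed sample data: one blacklist feed entry, one protected brand,
# and five messages described only by sender domain and auth result.
BLACKLIST = {"wellsfargo-verify.example"}
PROTECTED = ["wellsfargo.com"]
SAMPLE_MAIL = [
    ("wellsfargo.com", "pass"),              # genuine
    ("wellfs4rg0.com", "pass"),              # the post's example: authenticates, still a lookalike
    ("wellsfargo.com.example.net", "pass"),  # brand name buried in a subdomain
    ("wellsfargo-verify.example", "none"),   # already on the blacklist
    ("example.org", "pass"),                 # unrelated sender
]


def run_samples():
    """Map each sample sender domain to its verdict."""
    return {dom: triage(dom, auth, BLACKLIST, PROTECTED)[0] for dom, auth in SAMPLE_MAIL}


if __name__ == "__main__":
    for dom, auth in SAMPLE_MAIL:
        verdict, why = triage(dom, auth, BLACKLIST, PROTECTED)
        print(f"{dom:28} auth={auth:<4} -> {verdict}: {why}")
```

The ordering is deliberate: the blacklist is consulted first because it is the cheapest and most certain signal, the lookalike heuristic runs regardless of the authentication result, and the authentication result is only allowed to affect the wording of the reason, never to override either of the other two. Note that wellfs4rg0.com passes authentication and is still quarantined, which is the gap the post describes.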
DoSing the lists wouldn’t work; they all go through a vetting process as to who can actually submit to them, so unless you happen to be one of these companies that regularly gets phished, you don’t even have access to write to them. It’s dirt cheap to get added ($15k is nothing to most companies), and it’s very easy to get kicked off of it as well if they detect abuse. I’ve talked with Dave Jevans about this actually, when he was first starting the Anti-Phishing Working Group.
There was also a comment about stopping the ways in which money is laundered. Shutting down every strip club and laundromat in the world (all cash companies) isn’t going to solve phishing. Yes, they do have a fairly centralized command and control structure (fairly). But as we have seen from the dozens of arrests, this hasn’t put much of a dent in stopping them. They have been very resilient, and they should be, considering how valuable an attack this really is.
As I said in my original post, browsers adapting to this by including blacklists doesn’t solve everything, and the bad guys definitely will adapt, but it does put a major hurt in the current vector of phishing via email.
Lastly, I’d appreciate any feedback on this topic: I’ve batted around the concept of attempting to write some legislation to make the ISPs liable for identity fraud via phishing unless the ISP makes reasonable attempts to protect its users (providing optional content filters using these blacklists).