I laughed when I saw a recent phishing email. Not so much because it was a new technique - it wasn’t. It was your old generic phishing scheme with SSL put in the middle of it: leo.ne.jp/ssl/onlinebanking.capitalone.com but it suddenly occurred to me. One thing I have heard many security people say when they are trying to explain best practices in web surfing to newbies is “look for SSL”. The term SSL means absolutely nothing to most people outside of the internet technology/security space. They may understand that “https” means it’s secure or that that “little lock thingy” in the corner makes them safe, but they don’t know why, and they probably have no clue that it’s SSL in the back end. So why do we tell them to look for it?

This all goes back to my distaste for consumer education. In this case our education is working wonderfully. The consumers are looking at that nice little “ssl” word and poof, they must be secure! They’ve never seen it before and they have no idea what it means, but they know that they’re secure now. I think it would behoove the security industry to stop chastizing people for being stupid when we are the ones who are misleading or miscommunicating to them in the first place. Besides, we need to come up with something more secure than SSL anyway.

Okay, new proposal time. Instead of inventing a new Internet (internet-s) with all it’s flaws, having to invent TCP and all the other madness all over again, what if we invent a new protocol that was still available to browsers, but lived in a far more restrictive sandbox? Why not make a new protocol that does what SSL was originally intended to do - secure people. No cross domain linking, no session riding, no anti-DNS pinning issues, no communication with browser shims or handlers, no XSS or JavaScript for that matter. Just a clean, well organized and most importantly a secured syntax that we can use for secure communication with servers. Why not? What we have now clearly isn’t working. I’m open to suggestions.

It’s true, because Firefox tells me so! I didn’t even realize it myself until my browser so nicely informed me that my post about extortion was potentially phishing for my password. And here I thought my site was working for me. All this time it was trying to steal my password! Thank god my browser is there to help me, cuz otherwise I would have… uhm… put my password in… somewhere… no, wait… maybe… uhm… on the page… uhm… I guess… hmmm… nothing here says password anywhere… maybe in that box that says comments… cuz that looks like it could steal stuff from me. I suppose you can sense my sarcasm, but really, come on. How is ha.ckers.org possibly anything like a phishing site? Click here to see what I saw this morning. As of the time of this blog post it’s still not fixed.

If there is anyone on earth who should be whitelisted, it’s this site, given the fact that there is zero chance I’d ever put a phishing site up on this website (if I wanted to be a bad guy, I sure as hell wouldn’t do it on my own site). Hell, I used to work on anti-phishing software. But this strikes me as strange. What is the vetting process involved in putting something on a suspected bad site anyway (clearly it’s not working)? From what I can tell there’s not much going on under the hood because there’s not a single thing on that page that looks anything like a phishing site.

If I had been running a big commercial site, this could have had severe impact on my ability to do business, and my reputation with my consumers. I don’t think most people realize how bad this kind of thing is. Ha.ckers.org is one of the few sites that really is not impacted at all by this sort of thing, but I know I’d feel differently if I were running an e-commerce site. Time to re-vamp the heuristics and the process boys. Color this security guy unimpressed.

Update: Apparently I am also put on the MSFT anti-phishing list as well Click here for a photo of that as well. So it looks like this isn’t heuristics based after all. Someone actually manually added me to the phishing list. Because that extortion post really looks scary. Nicely done guys.

Matt Cutts (the search engine guru at Google) just posted a few comments on this site and others that picked up the story that the redirection hole being used by phishers is now closed by adding a dialog warning you that you are being redirected (Click here for an example). That is good news because 1) clearly Google now can no longer deny it’s a hole - they themselves fixed it 2) some consumers may now be slightly safer, kinda. But as he himself said, this really isn’t a complete fix as this is only one of many known redirects in Google that have the potential of aiding phishing attacks.

There are 10 more redirects in Google that are still functional on this one URL alone. Google is riddled with these holes and they are incredibly easy to find. So while I applaud the fix, I am hardly impressed. It took over a year for this hole to get closed since I first announced it (you’ll notice the other three I mentioned in that post a year ago are still unfixed). There are at least 4 or 5 more that I’ve run across beyond that as well. It’s not even worth cataloging them at this point because there are so many left to fix.

So good job on fixing a small percent of the problem, but Google has got a very long road ahead of them before I’d trust clicking on any unscrutinized Google link I found on the web.

ThePost sent me this link to Dr. Markus Jakobsson explaining how click fraud and phishing works for Google employees. At first this talk was a complete snoozer (if you already know this stuff, it won’t be an eye opener but if you aren’t familiar with it, it’s worth listening to the first half an hour). But the second half of it is where it gets interesting.

Firstly, one thing he mentioned during the speech was that you could create a robot to spider the net looking for bad things - well it turns out there is an easier way for Google to do this - their own spyware. Since Google Web Accelerator is spyware, they can see whatever they want that the user sees - making it a canary account. The counter attack for fraudsters is to create tactics to avoid exploiting users with web accelerator and it would make sense anyway. What’s worse, having Spyware on your machine or making a bad guy a few cents by subverting your clicks - tough choice. He also says, he’s not sure if Google has a way to tell where users have been before - again, Google’s spyware is pretty convenient here too.

I thought it odd that the Google engineers didn’t understand how the browser anti-phishing stuff works (it’s sorta their job to know this stuff, isn’t it?) and Dr. Markus Jakobsson did not mention the anti phishing built into Firefox and Netscape either, but at least he did talk about some of the heuristics and laid to rest their misunderstanding of why a programmatic solution to phishing detection cannot work completely.

Frankly, I’d rather see Dr. Markus Jakobsson doing more Q&A rather than his speech because he obviously knows what he’s talking about and was much more interesting when he was just answering questions. Anyway, interesting 40 minute speech if you have the time (it’s got subtitles if you don’t want to play it out loud at work).

I’ve tried to explain how this works to a few reporters, but there are certain classes of phishers out there that seem to band together. Geographic dispersion is loose, as you might guess, but they are sort of basically chopped up into three groups of people, the Romanians/Eastern Europeans, the Chinese/Asians, and the Nigerians/North West Africans. Each have their own ways of attacking applications and phishing.

Romanians/Eastern Europeans: They tend to be the most skilled of the bunch. They think about scalability and they run their activities like a business. They use modern exploits, and tend to come up with most of the cutting edge scams. They tend to be on the bleeding edge of new issues, and tend to tie in things like malware, pharming, and server exploits. They tend to be the ones creating the phishing kits. Like the others they have strong ties to organized crime, and have actually resorted to kidnapping and (presumed) killing of at least one government official. Due to their technical nature they are highly scalable even though there are probably fewer in numbers. They require the most hardware, and are assumed to have ties with lots of botnets.

Chinese/Asians: They tend to be copy-cats. They watch what the other groups do and mimic the same tactics, only months or years later. What they lack in innovation of exploits they make up for in volume and brute force attacks. They are relative newcomers to the world of phishing in comparison but they are growing rapidly.

Nigerians/North West Africans: They tend to have the lowest sophistication of the three groups, and primarily focus on ways of coming up with new variants of 419 scams. They tend to use people instead of automation and focus only on high dollar scams. They are most likely to make contact with the victim and actually will resort to strong arm tactics if they find out where you live. Would you want this nigerian debt collector after you?

All three groups have technical requirements, and all three groups span across national boundaries. The lax laws around cybercrime and the difficultly in getting machines and operations shut down in these various countries make it particularly easy for them to operate with relative ease at the moment.

Legislation is probably one of the least sexy parts of what we all work on, but I had a thought a while back that I never managed to circle back on. I used to work for a mega-company doing anti-phishing stuff (among lots of other tasks) and one day I decided to look into anti-phishing from a legal perspective. I never followed through with it, but this is a topic that I think deserves some debate, as I haven’t seen a lot of people talking about this, or sponsoring legislation I think has a snowballs chance in hell of helping.

I was doing an interview with InformationWeek today about anti-phishing (btw, any phishers reading this, if you are interested, they would like to have an interview with you - contact me and I’ll get you in touch with them). One of the questions that was asked (and is always asked every time I talk to high level people about this) is what people can do about it. I started down the same old path I always go down, patch up, use modern browsers with anti-phishing built in, blah blah. I hated the sound of my own voice. If you were to take the average IQ of the internet population, I doubt it would be higher than 90-95 at best. There is no way people reading that article are the target segment of the Internet.

If you take that to the next logical step, the people who need this help the most are also the least likely to know how to fix those issues or keep themselves safe. Taking it the next logical step there is no way for the average consumer to protect themselves. So who is it up to? To me it seems like it should be up to the people who actually do know how to fix these issues.

I’m not one of those people who is super into having laws dictate our lives, but this seems like an interesting idea. Current anti-phishing laws only apply to countries that have extradition treaties with us, and since when do phishers care about that anyway? What if we turned the law around and pointed it at the people who actually do know how to fix these issues for consumers - the ISPs? What if we made a law that said that ISPs must make a reasonable effort to subscribe to anti-phishing lists and they must shut down access to websites that have known phishing holes in them. Failure to do so could result in fines, and further, if a consumer is actually phished, the ISP is liable.

I’ve already talked to large ISPs who are using OpenDNS, but that’s not cutting it. OpenDNS only applies to sites that are linked to using a hostname, and many phishing sites use only IP addresses. So yes, it would painful for ISPs. Yes, it would extra cost. Yes, it would be annoying for researchers (maybe they have to call to get sites turned back on for them). Yes, it could cause DoS for websites that are caught as false positives, or virtual hosts on the same IP. All valid points, but none of them seem worth it to spend another billion dollars this year of Internet consumer’s money to finance the phishing market. Comments?

This morning Legionnaire sent me an email to a post that I thought was worth posting in case anyone else hadn’t seen it. Google is indexing blacklists for it’s anti-phishing technology, but in doing so is stealing usernames and passwords. Bummer! As if it isn’t hard enough to get people to adopt security now people can claim that Google’s built in security is spyware too (not that web accelerator isn’t spyware, but you get my drift).

There is a picture of this issue over on Finjan’s website that shows the accidental logging of the user’s credentials. You can see how Google is doing it, and it’s kinda scary. And the worst part is there really is no good way to insure that they aren’t in there other than either not allowing anything with a username/password pair in the blacklist (which could be used against them) or by trying to strip them out (which again, could be used against them). In these cases I doubt the phishers did anything special with those sites, but that’s not to say they couldn’t. Thanks for the link Legionnaire!

Am I going to have to eat my words? I was thumbing through some AV reports over the last few days and one report stuck out at me. Granted, I don’t follow each worm (not enough hours in the day for all the things I’d like to explore) but I was surprised to see a worm that had to do with Pharming. For those of you who are unfamiliar with the term, unlike phishing, pharming takes a more proactive approach by forcing people’s DNS entries to point to a different/malicious server. Frankly, I thought it was mostly the stuff of science fiction since no one could point to a single example of any instance of pharming greater than 100 people (a single ISP that got it’s DNS compromised). Granted, the trojan doesn’t mention pharming but that is the obvious next step if it isn’t already doing it (rather than just trying to get some click-through traffic on some websites).

Trojan.Flush.K also known as Trojan.Dnschanger modifies DNS entries on your Windows box and attempts to forward you to a malicious website. The obvious synergies with phishing attacks make this particular one stand out at me. Symantec rated this one very low (probably to do both with the lack of virulence and the ease of cleaning the system), but it’s interesting to note how potentially dangerous this could be if it were more widespread and written with more malice.

Thanks to Mark for sending this over, but there is a new phishing kit that acts as a man in the middle. According to the article the phishing kit simply acts as a PHP proxy to forward any requests directly through the proxy. That way it can detect anything you are typing or defeat any systems like sitekey that require that you see the image in question.

I can’t exactly say this is a major leap forward, because I’ve seen phishing sites that have similar levels of sophistication in automatic detection of whether the username/password was correct by checking in real time. However, this does represent a new variant that could render a lot of the more snake oil security products virtually useless. The one major disadvantage with this system is that it has to reside on a host and if the same IP is used over and over and over, that could set off a lot of alarms. Interesting nonetheless.

Michael Sutton has a good writeup on the Google blacklist that he released today. He sort of went over the obvious stats, who’s getting phished the most, where the phishers are hosting, etc… So for the most part it wasn’t that interesting to me personally (but I’ve been in this business for years). However, one thing did make me think. Michael mentioned that the lack of sophistication points towards the lack of need for sophistication.

Like any stats person would do, I had to think about what that really means. Is it that they don’t require sophistication or is it that they can’t achieve it. Who is building the phishing kits that they buy? Are these people the world’s best programmers? Are they going to build something that’s in vogue for a few days (a 0day browser exploit) only to have to re-code it a few days later when the patch roles?

Just like in any business the name of the game is scalability. You have to build a scalable product for as cheaply as possible. Just because x% people have anti-phishing in their browser doesn’t mean you don’t put it up. That’s like saying if you’re McDonalds you don’t want to stay in business because a certain slice of the population cares about early heart disease. Who cares? If it makes you money that’s all that’s important. Sophistication is not a current requirement for their business model. The scary thing is that with technology that is years old they are only now encountering tools that even put a dent in their business model.

That lack of sophistication in our own tools to detect and take down phishing sites is the real issue here. We (browser companies, AV companies, ISPs) have not created enough damage to their business to force them to adopt next generation tactics. So although they may have the arms necessary to fight a nuclear war, they don’t have to, because we’re still fighting with bows and arrows. They haven’t even scratched the surface of technical sophistication in their phishing attacks. And who could blame them? There’s no cost incentive to do so. We haven’t created that incentive yet.