Sunday, November 02, 2008

New phishing attacks require adoption of different countermeasures

[Image: phishing warning. Source: Cyberpunk blog]
Back in the early 2000s, a phishing attack required the fraudster to clone a web site, host it on a look-alike domain and social-engineer the victim with a phishing email. Then phishers got smarter: instead of cloning the site and all of its CGI, why not put a web proxy in front of the real site and run a man-in-the-middle attack? That also turned out to be a good way to defeat multi-factor authentication, because the proxy simply relays whatever the victim types, one-time code included, to the real site in real time. This was back in 2006. Since then, most banks and financial institutions in the US have deployed strong authentication, both to mitigate phishing and to comply with the FFIEC guidance on authentication. Phishing has evolved in turn: it now exploits man-in-the-browser malware, injects code for the browser to execute, and abuses XSS vulnerabilities on the legitimate site. In the last few years phishers have also turned to botnets and crimeware kits to be even more effective; MPack, Storm, Asprox and RockPhish are just the better-known names. These are tools of the cybercrime economy, built for professional fraudsters who make millions of dollars, not for script kiddies looking for fame. Such kits and botnets cost thousands of dollars, and selling them is a business worth millions to the underground economy. What makes these botnets sophisticated is that they are stealthy against IDS and hard to take down by IP address, because they use fast-flux techniques: round-robin DNS with a very short TTL, constantly changing the IP addresses mapped to a domain. More information on fast flux and how it is used in botnets such as Asprox can be found here. Spear (targeted) phishing currently has banks as a prime target: the kits are very close to the original site and use RockPhish as the botnet. This threat is real and requires new countermeasures, which means first of all raising the bar and reducing the attack surface. For example, consider more security for the users of your web site: require them to use locked-down browsers with anti-phishing plug-ins enabled and extended validation certificate support.
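The fast-flux behavior described above (short TTL, addresses that keep rotating across unrelated networks) leaves a signature in resolver or passive-DNS data. The following is an added example, not code from the original post: it runs a simple three-part heuristic over a constructed list of DNS observations. The domains, addresses and thresholds are all made up for illustration; 10.x.y.z private addresses stand in for the scattered residential hosts a botnet would use.

```python
"""Heuristic fast-flux check over DNS answer observations.

Added example (not from the original post). The observation list is
constructed: each entry is (seconds_since_start, domain, ttl_seconds,
A-records). Domains and addresses are made up; 10.x.y.z private
addresses stand in for scattered residential hosts.
"""
import ipaddress
from collections import defaultdict

OBSERVATIONS = [
    # Flux-like: TTL of 3 minutes, a new set of unrelated addresses on
    # almost every refresh.
    (0,   "flux.example", 180, ["10.1.2.3", "10.44.9.8", "10.200.5.6"]),
    (180, "flux.example", 180, ["10.77.1.1", "10.9.9.9", "10.200.5.6"]),
    (360, "flux.example", 180, ["10.123.4.5", "10.77.1.1", "10.31.2.2"]),
    (540, "flux.example", 180, ["10.150.6.7", "10.2.8.8", "10.88.0.1"]),
    # Ordinary round-robin load balancing: short TTL, but every address
    # comes from the same /16, so it is not fast flux.
    (0,   "cdn.example", 60, ["192.0.2.10", "192.0.2.11"]),
    (60,  "cdn.example", 60, ["192.0.2.12", "192.0.2.10"]),
    (120, "cdn.example", 60, ["192.0.2.11", "192.0.2.13"]),
    # Static host: long TTL, answer never changes.
    (0,    "static.example", 86400, ["198.51.100.5"]),
    (3600, "static.example", 86400, ["198.51.100.5"]),
]


def analyse(observations, max_ttl=300, min_networks=3, min_churn=1.0):
    """Return per-domain metrics and a fast_flux verdict.

    A domain is flagged when all three hold:
      * its TTL is at or below max_ttl seconds (answers expire fast),
      * its addresses span at least min_networks distinct /16 blocks
        (hosts in unrelated networks, as infected PCs would be),
      * on average at least min_churn addresses per refresh were not in
        the previous answer (the mapping keeps rotating).
    The thresholds are illustrative, not tuned against real traffic.
    """
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in observations:
        by_domain[domain].append((ts, ttl, ips))

    report = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o[0])
        addresses, networks = set(), set()
        new_per_refresh = 0
        previous = None
        for _, _, ips in obs:
            current = set(ips)
            addresses |= current
            networks |= {
                ipaddress.ip_network(f"{ip}/16", strict=False) for ip in current
            }
            if previous is not None:
                new_per_refresh += len(current - previous)
            previous = current
        refreshes = len(obs) - 1
        churn = new_per_refresh / refreshes if refreshes else 0.0
        min_ttl = min(ttl for _, ttl, _ in obs)
        report[domain] = {
            "min_ttl": min_ttl,
            "distinct_ips": len(addresses),
            "distinct_networks": len(networks),
            "churn_per_refresh": churn,
            "fast_flux": (
                min_ttl <= max_ttl
                and len(networks) >= min_networks
                and churn >= min_churn
            ),
        }
    return report


if __name__ == "__main__":
    for domain, metrics in analyse(OBSERVATIONS).items():
        verdict = "FAST FLUX" if metrics["fast_flux"] else "ok"
        print(f"{domain:16} {verdict:10} {metrics}")
```

The network-diversity test is what separates flux from a legitimate CDN or load balancer, which also uses short TTLs but draws its answers from a few blocks it owns; a short TTL alone is not evidence of anything.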
A sandboxed browser such as those provided by Trusteer and Authentium can mitigate the risk of malware and keyloggers being downloaded into the client browser when your customers become victims of botnet attacks. On the application side, increase defenses with strong authentication and out-of-band delivery of tokens to mitigate MITM attacks: for example, one-time passwords and tokens delivered entirely over SMS or another channel separate from the browser session. Keep in mind that a real-time proxy can still relay a plain one-time code typed into the fake page before it expires, so out-of-band delivery helps most when the message also tells the user which transaction they are approving. As a bare minimum, you need to mitigate the web application vulnerabilities, such as those in the OWASP Top 10, that can be exploited to attack the browser during a phishing attack. In particular, XSS and XFS (cross-frame scripting) vulnerabilities can be exploited in phishing to deliver malware and spyware. Session management flaws such as CSRF (session riding) can also be used in phishing. Often your site has design flaws that targeted attacks can exploit through information disclosure, authorization and authentication weaknesses: for example, an attacker can try to harvest or enumerate user credentials, bank account numbers and credit card data to commit fraud through other channels. When you become the victim of a botnet attack, your ability to profile the attack and alert on the intrusion is critical to risk mitigation: an intrusion detector built into the web application, such as the one OWASP ESAPI provides, or into the web tier, such as a WAF (web application firewall), can log and monitor suspicious activity and trigger alerts on potential fraud attempts. Honeypots are also very useful for learning about botnet attacks and how to build in defenses. Threat analysis and modeling are the key to mitigation: attack trees can be used to identify possible attack scenarios, the channels being used and the vulnerabilities that can be exploited.
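The application-level intrusion detection mentioned above, and the credential harvesting it should catch, look roughly like this in practice. The following is an added example, not code from the original post and not the OWASP ESAPI intrusion detector itself: it applies two sliding-window rules to a constructed authentication log. The log format, usernames, thresholds and addresses (taken from the RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
"""Application-level intrusion detection over authentication events.

Added example (not from the original post, and not the OWASP ESAPI
intrusion detector itself). The log format and the log lines are
constructed; the addresses come from the RFC 5737 documentation ranges.
Two rules are applied over a sliding time window:
  * account enumeration: one client IP fails logins for many distinct
    usernames (a fraudster checking which harvested names exist), and
  * password guessing: one client IP fails repeatedly for one username.
Each rule fires at most once per offender so the alert list stays small.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
)

# Constructed sample log: a legitimate login, an enumeration burst from
# 198.51.100.9, a user who mistypes twice and then succeeds, and a
# guessing run against 'alice' from 192.0.2.44.
SAMPLE_LOG = """\
2008-11-02T10:00:00 ip=203.0.113.7 user=alice event=login_ok
2008-11-02T10:00:05 ip=198.51.100.9 user=bob event=login_failed
2008-11-02T10:00:06 ip=198.51.100.9 user=carol event=login_failed
2008-11-02T10:00:07 ip=198.51.100.9 user=dave event=login_failed
2008-11-02T10:00:08 ip=198.51.100.9 user=erin event=login_failed
2008-11-02T10:00:09 ip=198.51.100.9 user=frank event=login_failed
2008-11-02T10:00:30 ip=203.0.113.21 user=gina event=login_failed
2008-11-02T10:00:41 ip=203.0.113.21 user=gina event=login_failed
2008-11-02T10:00:55 ip=203.0.113.21 user=gina event=login_ok
2008-11-02T10:02:00 ip=192.0.2.44 user=alice event=login_failed
2008-11-02T10:02:03 ip=192.0.2.44 user=alice event=login_failed
2008-11-02T10:02:06 ip=192.0.2.44 user=alice event=login_failed
2008-11-02T10:02:09 ip=192.0.2.44 user=alice event=login_failed
"""


def parse(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text, window=timedelta(minutes=5),
           enum_threshold=5, guess_threshold=4):
    """Run both rules over the log and return the alerts in time order."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(deque)   # ip -> deque of (ts, user) inside window
    fired = set()                   # (rule, key) pairs already alerted
    alerts = []
    for ev in events:
        if ev["event"] != "login_failed":
            continue
        recent = failures[ev["ip"]]
        recent.append((ev["ts"], ev["user"]))
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()        # expire failures older than the window

        users = [u for _, u in recent]
        if len(set(users)) >= enum_threshold and ("enum", ev["ip"]) not in fired:
            fired.add(("enum", ev["ip"]))
            alerts.append({"type": "account_enumeration", "ip": ev["ip"],
                           "distinct_users": len(set(users)), "at": ev["ts"]})

        key = ("guess", ev["ip"], ev["user"])
        if users.count(ev["user"]) >= guess_threshold and key not in fired:
            fired.add(key)
            alerts.append({"type": "password_guessing", "ip": ev["ip"],
                           "user": ev["user"],
                           "failures": users.count(ev["user"]), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that gina's two typos never trip either rule: thresholds and window have to be set so that normal user behavior stays below them, otherwise the alerts drown in noise and nobody looks at them when the real enumeration run arrives. A botnet spreading the same run over many client IPs would defeat the per-IP keying; keying the enumeration rule on the target accounts instead is the usual next step.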
Use the attack tree as the reference for deriving the right countermeasures for the most likely attack scenarios, namely the ones a fraudster will choose because they are the path of least resistance and effort. For example, credit card and account data can be purchased from cybercriminal organizations selling their services online. If that is cheaper than breaking your authentication, it is probably what the fraudster will go after first. If your site has easily exploitable information disclosure vulnerabilities, the fraudster will probably attack your site first instead. The most important rule: never assume that adopting an anti-phishing security technology will solve your problem. Weigh the different mitigations carefully and adopt a defense-in-depth strategy. Be proactive: if you rely on law enforcement to drive your countermeasures, you are already too late, and that can be very painful in terms of financial losses. Before your site becomes a victim of fraud through phishing 2.0, do a thoughtful review of the potential threat scenarios for all your service delivery channels, for example web, ATMs, IVRs and any other channels you might have. Treat these channels as the attack surface available to a fraudster, simulate potential botnet-based and phishing attack scenarios, and validate the effectiveness of your countermeasures.
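The "path of least resistance" reasoning above can be made mechanical once the attack tree has costs on its leaves. The following is an added example, not code from the original post: it encodes the three scenarios the text mentions (buying stolen data, phishing through strong authentication, exploiting information disclosure on the site) as an AND/OR tree with constructed, purely relative effort costs, finds the cheapest path, and then shows how the ranking shifts when one countermeasure raises the cost of a step. The tree, the node names and the cost figures are all illustrative assumptions.

```python
"""Cheapest-path analysis of a fraud attack tree.

Added example (not from the original post). The tree and its costs are
constructed and illustrative: costs are relative effort units, not
dollar figures. An OR node is satisfied by any one child (the attacker
picks the cheapest); an AND node requires all of its children (costs
add up).
"""
import copy

ATTACK_TREE = {
    "name": "Commit card fraud against the bank's customers",
    "type": "OR",
    "children": [
        {"name": "Buy card and account data from an underground market",
         "cost": 3},
        {"name": "Phish customers through strong authentication",
         "type": "AND",
         "children": [
             {"name": "Run phishing campaign with a botnet-hosted kit", "cost": 3},
             {"name": "Relay one-time codes in real time via MITM proxy", "cost": 4},
         ]},
        {"name": "Harvest data through the site's own weaknesses",
         "type": "AND",
         "children": [
             {"name": "Find an information disclosure flaw", "cost": 1},
             {"name": "Enumerate accounts with the flaw", "cost": 1},
         ]},
    ],
}


def cheapest(node):
    """Return (cost, leaf_steps) of the cheapest way to achieve this node."""
    if "cost" in node:                       # leaf: a concrete attacker action
        return node["cost"], [node["name"]]
    options = [cheapest(child) for child in node["children"]]
    if node["type"] == "OR":
        return min(options, key=lambda o: o[0])
    if node["type"] == "AND":
        total = sum(cost for cost, _ in options)
        steps = [step for _, steps in options for step in steps]
        return total, steps
    raise ValueError(f"unknown node type {node['type']!r}")


def rank_scenarios(tree):
    """Cost of each top-level scenario, cheapest first."""
    ranked = [(cheapest(child)[0], child["name"]) for child in tree["children"]]
    return sorted(ranked)


def with_countermeasure(tree, leaf_name, new_cost):
    """Copy of the tree with one attacker step made more expensive."""
    tree = copy.deepcopy(tree)

    def walk(node):
        if "cost" in node:
            if node["name"] == leaf_name:
                node["cost"] = new_cost
        else:
            for child in node["children"]:
                walk(child)

    walk(tree)
    return tree


if __name__ == "__main__":
    print("Before fixes:", rank_scenarios(ATTACK_TREE))
    # Fixing the information disclosure flaw removes the cheapest path ...
    fixed = with_countermeasure(ATTACK_TREE, "Find an information disclosure flaw", 10)
    print("After fixing disclosure:", rank_scenarios(fixed))
    # ... but the next cheapest scenario never touches the site at all, so
    # strong authentication alone would not have changed this ranking.
    print("Cheapest path now:", cheapest(fixed))
```

The point of running the numbers is the one the text makes: with these costs the site's own information disclosure flaw is the cheapest route, and after it is fixed the next cheapest route is buying the data, which no anti-phishing control touches. Real cost estimates are rough, so the value is in comparing scenarios and watching how the ranking moves as controls are added, not in the absolute figures.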
