New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims
chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti-malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
It looks like banks and gov departments can no longer be trusted as normal web sites. They have to be set up to be only available through SSL and must use client certificates for authentication with some way of verifying that the server certificate matches the client certificate.
Only then could the software (possibly a custom configuration of a web browser, maybe a normal one) actually be sure of defeating a phishing attack.
Of course the main reason it'd work is that with a client certificate there's no password to "phish" for.
Something tells me that the banks are too lazy to do this; every other web site will have to be SSL before they get on the bandwagon.
Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
The past tense should have been used in that sentence. Any security researcher worth their salt will *not* now move onto the next site upon getting a 404.
In a cybernetic fit of rage she pissed off to another age...
Unlike the usual IP-restricted entry
This doesn't use IP addresses to verify. Using IP addresses requires you to know the IP addresses of your intended victims, severely limiting the usefulness. This can send emails automatically and still filter out the incoming requests.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
So while it might afford some protection to the phishing site, it doesn't seem very likely that it would protect them from further scrutiny.
I think a bigger benefit for phishers is they can identify users who click on these links and focus their attention on them rather than on users who don't. Somebody dumb enough to click on these links and fill in data is obviously a more valuable target than someone who never responds.
Personally I think the best way to combat phishers would be for major mail providers to work with banks and credit institutions to poison phishing sites with bogus data and flagged cards / accounts.
Whether key or ip are used here is missing the kind of whitelisting this malware is using. When the package exploits a server, it alters pages/links to redirect each unique visitor to a dynamically generated temp folder on itself which contains the phishing code, and afterwards is deleted. The phishing code could obviously get more selective, and will contain a destination either via redirect or transmission, but returning to the same url gets you nowhere. Have the link/page exploited float around as well and you have a "dynamic" whitelist which filters favoring the browsing public, not link-minded researchers.
Where genius and insanity become confused true wisdom is found
Certificates can be stolen by spyware. As others pointed out, you need 2-factor authentication and proper prevention of MitM attacks on both the network level (SSL/TLS) and on the user's machine. You need it on the user's machine as well to prevent malware modifying the web page, hiding a malicious transaction from view, but still submitting it to the bank. In Europe a lot of countries use the chip part of the debit card with an OTP generator to generate responses to challenges sent by the bank website. This is guarded against physical theft by requiring the PIN for every transaction as well. This still leaves protection against MitM malware on the computers. Banks are currently studying how to deal with that, since it's quite a threat, given the enormous amount of Flash, Acrobat and Java zero-days hitting users in Europe. Every week we get new attacks and they are getting better and better at faking content and hiding the exploits.
I was promised a flying car. Where is my flying car?
I've seen ones years ago that were PHP scripts that had different behavior based on who was coming in. (one of the more clever ones actually took over the site's main index ... but if the visitor was from the same domain as the server, it returned a near-duplicate of the original content and not the drug ads)
The 404 aspect does give me an idea that I think could make things trickier, but I'll be damned if I'm going to give spammers any ideas for things that they're not already using. (although, I guess it's possible that what I'm thinking of is what they're actually doing, but no security person would call a whitelist ... some person who's not really familiar with the security lingo might, though)
Build it, and they will come^Hplain.
email harvesters/spammers have been using unique strings in links to verify addresses a hell of a lot longer than 7 years.. probably longer than legitimate mass marketers have been doing it to get stats on each mailing campaign.
So which is it? Aren't they using IP addy to verify the identity of the sucker? Or is there some other source (their unique URL that they post)?
We've started seeing some of these newfangled phishing emails over the last few days. The victim's email address is used as an identifier. It is simply appended to the URL by the mailer bot, so that the link sent to the victim will look something like this:
hxxp://compromisedsite.ru/joe33/somebank/?victim@gmail.com
That URL would lead to a script hosted on a compromised site, which looks up the email address in a whitelist before serving either a credential-collecting scam page or a bogus 404 error.
But this is all very basic stuff, and it is not hindering forensic investigators in the least. The folks investigating such scams don't just stumble upon them by accident; they rely instead on vigilant users and admins who take the time to report phishing emails. Once they get a report they already have a whitelisted URL to begin with.
They don't, that's the point.
I use precisely this technique for presenting discount vouchers to people who have signed up to a restaurant mailing list, identical system but for white hat purposes:
1 - send an email to the relevant contacts, including an embedded image at domain.com/voucher.php?id=xyz where "xyz" is a unique account ID.
2 - when the recipient receives the email the voucher that is displayed has their name on it, the image is generated on-the-fly using the unique ID to get the name right.
3 - (this is the important bit) - if anyone logs into domain.com/voucher.php without passing a correct ID then they simply see a voucher marked as invalid, and a link to where they can sign up. In my case it stops non-members getting a voucher, in the spammers case it stops a non-target (including investigators) from seeing the exploit being presented to a "customer", most likely someone from a list of known phishing mugs.
Please consider this account deleted, I just can't be bothered with the spam anymore.