Saturday, November 03, 2007

PhishTank Annual Report

The PhishTank annual report for October 2006 – September 2007 is now published. The PhishTank Annual Report is an analysis of data about verified phishing Web sites submitted to PhishTank.

The PhishTank annual report presents some interesting statistics such as:
  1. Most Spoofed Brands
  2. Top U.S. Network Providers Hosting Phishes
  3. Top 25 Worldwide Network Providers Hosting Phishes
  4. Top Phish-Hosting IPs & Domains
  5. Phishes by Country

You can download the report here.

Thursday, September 20, 2007

Find Phish using Google search

This morning Roshen pointed out a blog post on using Google search to detect phishing sites. You can read the blog post here. It basically illustrates the use of Google's 'inurl:' and 'intitle:' search operators to get a list of phishing sites.

Quite interesting!

In case you are not familiar with Google's advanced search operators, visit this link which provides detailed information.

Tuesday, July 24, 2007

When Phishers Attack

What should be done when attacked by phishers? Many organizations face this question every day. With phishing attacks rising both in numbers as well as sophistication, organizations need to keep an action plan ready for responding to such attacks. While working with my customers I came across a number of countermeasures taken to respond to phishing attacks. Here are a few things which I think can be useful to all:
  1. Bring down the phishing site - Immediately after the phishing attempt is reported, the necessary steps should be taken to bring down the phishing site. This can be done by directly contacting the ISP hosting the phishing site. There are also some companies which do this task, such as Fraudwatch International. But in my experience I have found that contacting the ISP directly is much faster in bringing down the phishing site.
  2. Preserve evidence - Preserve all evidence related to the phishing attack. This may include taking screenshots of all pages of the phishing site and storing the source code of the phishing page. If the phishing attack was perpetrated by sending unsolicited e-mails to customers, a copy of such an e-mail along with its full headers should be preserved. Additionally, the web server logs should also be preserved.
  3. Feed dummy data to the phishing site - A list of dummy user ids and passwords should be kept ready for feeding into the phishing site. The purpose of this activity is to identify the location of the phisher: every later login attempt that uses one of these dummy user ids is logged, since only the phisher can have obtained them.
  4. Analyze the web server logs - If referer logging is enabled on the web server then the logs should be analyzed. As indicated in my last post here, web server logs can help in pinpointing the exact location of the phisher.
  5. Report to relevant authorities - Though it may not help much, a complaint may still be lodged with the relevant authorities for legal purposes. The evidence preserved earlier will be helpful here.
  6. Post-phishing analysis of online transactions - In some cases the transactions carried out during the phishing attack can be analyzed to detect suspicious transactions. What to analyze depends upon the type of application which was targeted. For example, if it is an internet banking application then a few things which can be examined are: the addition of a specific third-party account by more than one user (all credit transactions to such third-party accounts should be scrutinized, and the users should be contacted to confirm that they themselves added the third party to their user name); and demand draft requests where the user has asked for the draft to be dispatched to an address other than the address registered with the bank.
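As an added example (not from the original post), here is how the canary-credential check from step 3 and the transaction review from step 6 could be automated over application records. All record layouts, field names and values below are constructed assumptions for illustration, not the format of any real banking system.

```python
from collections import defaultdict

# All records below are constructed sample data; the layouts are assumptions,
# not the format of any real banking application.

# Step 3: dummy credentials that were fed into the phishing site. Any login
# with one of these ids means the phisher is trying the harvested data.
CANARY_IDS = {"dummy01", "dummy02"}

LOGIN_EVENTS = [            # (login_id, client_ip)
    ("cust1001", "203.0.113.21"),
    ("dummy02", "192.0.2.99"),
    ("cust1002", "203.0.113.22"),
]

# Step 6: third-party (beneficiary) accounts added during the attack window.
BENEFICIARY_ADDS = [        # (user_id, beneficiary_account)
    ("cust1001", "ACC-7781"),
    ("cust1002", "ACC-7781"),
    ("cust1003", "ACC-5530"),
    ("cust1004", "ACC-7781"),
]

CREDITS = [                 # (from_user, to_account, amount)
    ("cust1001", "ACC-7781", 45000),
    ("cust1003", "ACC-5530", 1200),
    ("cust1002", "ACC-7781", 30000),
]

REGISTERED_ADDRESS = {"cust1001": "12 MG Road, Pune", "cust1005": "4 Park St, Kolkata"}
DRAFT_REQUESTS = [          # (user_id, dispatch_address)
    ("cust1001", "12 MG Road, Pune"),
    ("cust1005", "PO Box 77, Elsewhere"),
]


def canary_logins(events, canary_ids):
    """Logins that used a dummy id: their source IPs point at the phisher."""
    return [(uid, ip) for uid, ip in events if uid in canary_ids]


def shared_beneficiaries(adds, min_users=2):
    """Beneficiary accounts added by more than one user during the window."""
    users_by_account = defaultdict(set)
    for uid, acct in adds:
        users_by_account[acct].add(uid)
    return {acct: users for acct, users in users_by_account.items()
            if len(users) >= min_users}


def credits_to_accounts(credits, accounts):
    """Credit transactions to the suspicious accounts, for scrutiny."""
    return [c for c in credits if c[1] in accounts]


def drafts_to_unregistered_address(requests, registered):
    """Demand drafts to be dispatched anywhere but the user's registered address."""
    return [(uid, addr) for uid, addr in requests if addr != registered.get(uid)]


def post_phishing_review():
    """Run all checks over the sample data and return one report dictionary."""
    shared = shared_beneficiaries(BENEFICIARY_ADDS)
    return {
        "canary_logins": canary_logins(LOGIN_EVENTS, CANARY_IDS),
        "shared_beneficiaries": shared,
        "credits_to_review": credits_to_accounts(CREDITS, shared),
        "drafts_to_review": drafts_to_unregistered_address(DRAFT_REQUESTS, REGISTERED_ADDRESS),
    }


if __name__ == "__main__":
    for check, hits in post_phishing_review().items():
        print(check, "->", hits)
```

Each hit is a lead for manual follow-up (contacting the user, scrutinizing the credit), not an automatic verdict.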

Thursday, March 01, 2007

Mining Web Server logs

Hi all, after a long break, I am finally back with some spicy news from the world of anti-phishing. This time it is the result of an actual phishing incident analysis, which was quite interesting, and the results can be quite useful for others too. Here are the details:

Recently the Internet Banking application of one of our customers was subjected to a phishing attack. Here is a short step-by-step description of the analysis carried out using the referrer logs of their web server to identify the location of the phisher:

  1. Once the phishing site was detected, the web server access logs of the last four days were taken for analysis.
  2. From this log, all the requests which had links to the phishing site in the referrer field were separated. It was thought that this filtered log may provide critical information, i.e. the IP addresses of the victims of the phishing site. This is because all the users who submitted their login id & password to the phishing site were redirected to the original internet banking application and hence had the phishing site link in the referrer field.
  3. From the detailed audit trails stored by the Internet Banking application, the login ids generally used from the IP addresses identified earlier were listed. (As a best practice, the internet banking application was storing the IP address with each login.)
  4. Now a monitoring procedure was initiated to see whether an access attempt is made using these login ids from an IP address different from those identified earlier. Since these login ids are compromised and will be available to the phishers, any attempt to log in from an IP address which is different from the usual one becomes suspicious.
  5. During monitoring the bank found that a number of login attempts were made from an IP address in the UK using the accounts which were compromised. All logins using these accounts in the past were from IP addresses in India only.
  6. The bank is now planning to initiate legal action. They may also have to contact the ISP in the UK to determine the exact user of the suspicious IP address.

During all this the customers were safe, as logins to these accounts were disabled as soon as they were identified.
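The four analysis steps above, as an added example that is not part of the original post: the log lines, audit trail, login events and the phishing host 198.51.100.7 are all constructed for illustration, and the audit-trail layout (login id, client IP) is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical phishing host, constructed for this example.
PHISHING_HOST = "198.51.100.7"

# Constructed access-log lines of the bank's web server (Apache combined
# format). Victims who submitted credentials to the phishing site were
# redirected to the real login page with the phishing site as referrer.
ACCESS_LOG = """\
203.0.113.21 - - [27/Feb/2007:09:12:01 +0530] "GET /ib/login.jsp HTTP/1.1" 200 4120 "http://198.51.100.7/ib/verify.php" "Mozilla/4.0"
203.0.113.22 - - [27/Feb/2007:09:15:33 +0530] "GET /ib/login.jsp HTTP/1.1" 200 4120 "http://198.51.100.7/ib/verify.php" "Mozilla/4.0"
203.0.113.23 - - [27/Feb/2007:09:20:10 +0530] "GET /ib/login.jsp HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
"""

# Constructed application audit trail: (login_id, client_ip) of past logins.
AUDIT_TRAIL = [
    ("cust1001", "203.0.113.21"),
    ("cust1002", "203.0.113.22"),
    ("cust1002", "203.0.113.22"),
    ("cust1003", "203.0.113.23"),
    ("cust1004", "203.0.113.50"),
]

# Constructed later login events that the monitoring step examines.
NEW_LOGINS = [
    ("cust1001", "203.0.113.21"),   # usual address, nothing to report
    ("cust1002", "192.0.2.99"),     # compromised id from a new address
    ("cust1004", "192.0.2.99"),     # id was never exposed, ignored
    ("cust1001", "192.0.2.99"),     # compromised id from a new address
]


def referrer_of(line):
    """Referrer is the second quoted field of a combined-format log line."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    return quoted[1] if len(quoted) > 1 else "-"


def victim_ips(access_log, phishing_host):
    """Step 2: client IPs whose requests carried the phishing site as referrer."""
    ips = set()
    for line in access_log.splitlines():
        if line.strip() and urlsplit(referrer_of(line)).hostname == phishing_host:
            ips.add(line.split(" ", 1)[0])
    return ips


def compromised_logins(audit_trail, ips):
    """Step 3: login ids used from victim IPs, each with its usual addresses."""
    usual = defaultdict(set)
    for login_id, ip in audit_trail:
        usual[login_id].add(ip)
    return {lid: addrs for lid, addrs in usual.items() if addrs & ips}


def monitor(events, compromised):
    """Step 4: flag logins of compromised ids from addresses never seen before."""
    return [(lid, ip) for lid, ip in events
            if lid in compromised and ip not in compromised[lid]]


def run_analysis():
    ips = victim_ips(ACCESS_LOG, PHISHING_HOST)
    compromised = compromised_logins(AUDIT_TRAIL, ips)
    return ips, compromised, monitor(NEW_LOGINS, compromised)


if __name__ == "__main__":
    ips, compromised, alerts = run_analysis()
    print("victim IPs:", sorted(ips))
    print("compromised ids:", sorted(compromised))
    for lid, ip in alerts:
        print(f"ALERT: {lid} logged in from unfamiliar address {ip}")
```

In practice the compromised ids would be disabled as soon as step 3 identifies them, as the bank did, so the alerts in step 4 record attempts rather than successful logins.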

Tuesday, October 10, 2006

PhishTank - Another effort towards anti-phishing

The people behind OpenDNS have recently launched a site called PhishTank. On this site users can report phishing attacks, similar to APWG or CastleCops. Once a Phish is reported, users can verify and give votes to confirm the Phish. You need to register yourself to add or verify a phish. PhishTank also provides an API for developers and researchers to integrate anti-phishing data into their applications. This feature is currently provided at no charge.

Apart from data on phishing, I found some interesting statistics on the site such as 'Top 10 Phish Submitters' and 'Top 10 Phish Verifiers'. Maybe they will launch a competition soon :).

Monday, September 11, 2006

Yahoo's Attempt at Anti-Phishing

Yahoo recently launched Sign-In Seal in an attempt to thwart phishing attacks. The concept is similar to the SiteKey used by Bank of America some time back. A Sign-In Seal is a secret message or an image selected by the user that Yahoo will display on the user's computer every time the user visits Yahoo from the same machine. This enables users to make sure that they are on a genuine Yahoo site. The images below show how Yahoo Sign-In Seal can be used.


Friday, August 25, 2006

"MarkAlert" for Domain Monitoring

Domaintools, a website providing registry and whois services, launched an interesting service called MarkAlert. MarkAlert is a free service and can be used for domain monitoring. In the context of phishing, domain monitoring involves tracking domain registrations to identify any suspicious domains that sound similar to, or use the same name or trademark as, the organization which is being targeted.

Here is how the service works. When you register for this service you select the keywords that you want monitored. Once that is done, any domain registration which contains that keyword will generate an alert, and an email will be sent to the user who registered for this service for further action. Currently DomainTools can monitor domain registrations in the following top level domains or TLDs: .com, .net, .org, .info, .biz, .us.

A sample email from MarkAlert, monitoring the keyword "Kotak", is shown in the figure below.

Saturday, August 19, 2006

Toolbars galore - Which one to choose? Part 2

Here is part two of the Anti-Phishing toolbar evaluation results. In addition to the five toolbars selected in my earlier evaluation, this time I also included Google Toolbar. However, in this evaluation I focused on only one parameter, and that is accuracy in detecting phishing sites. I basically tried to evaluate the comprehensiveness of the blacklist database of these tools and the speed with which the blacklist gets updated.

I picked up a set of 11 reported phishing sites from multiple sources such as Millermiles, Castlecops and a few that I received in my mail box :). Since time is of the essence in protection against phishing attacks, only the phishing sites reported during the last few days were picked up for evaluation. The image below shows the results along with the URLs which were used during testing.

From the results it is clear that Netcraft and Google toolbars are the most accurate Anti-Phishing toolbars as of now. However this feature of Google toolbar is only available for Firefox.

For the first time I also saw Microsoft Phishing Filter in action and it is quite good. It detected 7 phishing sites and in fact it even detected one site which was missed by the Netcraft and Google toolbars.

For all other toolbars it is a mixed result. In my next evaluation I am thinking of including some commercial Anti-Phishing toolbars and I would also focus on any smart features built into the toolbars which would enable them to detect suspicious sites based on URL and content of web page.

Wednesday, August 09, 2006

Tools wishlist for an Anti-Phisher

At times you may be required to carry out an analysis of a phishing attack, especially if you are working as a security admin. So I thought I'll list down tools which may be useful in carrying out a detailed analysis of a phishing attack. Listed below are a few tools and what they can be used for:

1. Type - Web Proxy Tool

Available Tools - Paros, WebScarab, Achilles

Description - A web proxy tool can be used to analyze the content and behaviour of a phishing website. Basically these tools allow you to trap and view HTTP/HTTPS data. Hence the HTTP data sent by a phishing website, in web server responses and client requests, can be effectively analyzed as well as recorded for future reference. You can download Paros here.

2. Type - Whois Analysis Tool

Available Tools - SamSpade, www.domaintools.com

Description - A whois query can be used to extract detailed information about a phishing website such as geographical location, IP address, registrar etc. This information can be used to follow up further action against the phishing site. The online whois query facility provided by the DomainTools website is very informative.

3. Type - Email Header Analysis Tool

Available Tools - eMailTrackerPro

Description - Email header analysis can be helpful in locating the source of a phishing email. Email headers can be analyzed even without any tool, but a manual analysis is time consuming and can be difficult if the mail has been routed through a number of mail servers. An analysis of email headers using a tool is easier and faster. You can try the online demo of eMailTrackerPro here and learn more about analyzing email headers here.

4. Type - Web Server Log Analysis Tool

Available Tools - AWStats, SawMill

Description - A web server log analysis tool helps in processing and analyzing web server 'access' logs. Often phishing sites pick up content from the actual website, hence the web server logs may contain traces of a phisher. A web server log analysis tool can help in analysing the 'referer' entries in access logs to identify a phisher. You can read more on referer analysis in my previous post here.

So go ahead, arm yourself with all these tools and land up a big fish. And drop me a line if you come across some better tools.

Saturday, July 29, 2006

Top 5 Tips to avoid getting Phished

A number of technical solutions are currently being researched and explored to combat phishing. Still, user awareness remains a top priority, as even with technical controls phishing will thrive if users are not alert and aware of the threats. So I thought I would just list down a few tips which I feel are very important for any user to know and follow to avoid getting phished. Here are the rules to be followed:
  1. Do not respond to emails received on behalf of any bank or any other organization with which you do online transactions. Read them if you want to, but never click on any of the links in emails or submit information in forms embedded within emails. To carry out any transaction, always log on to the website directly by typing the complete URL in a browser.
  2. Since phone phishing is also on the rise, always be alert while revealing information over the phone. It is better if you do not entertain any calls made to you asking for personal information; instead, for all queries or services you should directly call up the organization on a known valid contact number.
  3. Always keep the operating system and web browser of your system updated with all security patches. Microsoft Windows provides the automatic update feature, which is quite efficient and should be enabled. Otherwise visit http://windowsupdate.microsoft.com/ to manually install security patches.
  4. Use a good Anti-Phishing browser toolbar. Netcraft toolbar is my favorite and you can download it free from http://toolbar.netcraft.com/. You can see a review of a few toolbars here.
  5. Also use good Anti-Virus and Anti-Spyware software. Configure it for automatic updates and check the update status periodically. And yes, use a licensed copy; it does not cost much for home users.

Friday, July 21, 2006

Toolbars galore - Which one to choose?

Of late anti-phishing toolbars have been catching my attention. These small utilities can be quite useful in protecting a user from a known phishing attack. But with so many different anti-phishing toolbars being launched, I thought of evaluating a few. I picked up five popular anti-phishing toolbars for evaluation, namely Anti-phishing Toolbar from Netcraft, Phishing Filter from Microsoft, Scamblocker from Earthlink, Trustwatch from Geotrust and Anti-fraud Toolbar from Cloudmark. These toolbars were evaluated against a set of parameters which is shown in the image below (click on the image to enlarge).


Looking at the evaluation results it is not difficult to see which tool has won first place. Netcraft Anti-phishing toolbar is definitely the most impressive and accurate in detecting phishing sites, followed closely by Geotrust’s Trustwatch. I used the following two recently found phishing URLs to test the toolbars’ accuracy in detecting a known phishing attack:

http://www.yourfreespace.net/users/payal/webscr_cmd=_login-run.html
http://adsl-71-132-90-121.dsl.sntc01.pacbell.net:81/update/

Netcraft's alerting mechanism is also good, as it displays a message popup, as against other tools that rely on a visual icon on the toolbar which users may fail to see if they are not alert. The message popup thrown by the Netcraft toolbar is shown below.

Netcraft also provides the most detailed analysis of the website along with a risk rank calculated based on a number of parameters. The help information available to the users is also quite detailed.

One interesting feature that I found in Trustwatch toolbar is the ‘Personal security ID’ which is aimed to prevent toolbar spoofing by displaying a user selected image or text on the toolbar. The text 'ABHISHEK' in the image below is the 'Personal Security ID' that I set during installation.

Microsoft Phishing Filter is right now in the beta stage and has a lot of catching up to do. Cloudmark and Earthlink failed to detect the phishing sites and their features currently are not very useful. So after all this evaluation my pick is the Netcraft Anti-phishing toolbar.

Monday, July 10, 2006

Phone phishing, now playing at Paypal

Ezhil Arasan tipped us to a more sophisticated phone phishing attack at Paypal reported by Register. An email requests users to re-validate their user account by calling a phone number, instead of visiting a website.

Unlike the earlier phone phish at Santa Barbara Bank and Trust, this one verifies the account details the victim has been lured into giving before hanging up.

We'd like to hear what new defenses are coming up to combat phone phishing. Will someone offer an "Immediate take down" of the phone recording? :)

Friday, July 07, 2006

Castlecops List of Top 20 Phished Brands

This morning Jose pointed out the list of Top 20 Phished Brands released by Castlecops. This list is for the month of May 2006 and includes brands which have traditionally been targets of phishing such as Paypal, eBay, Bank of America, Barclays and Wells Fargo.

You can see the complete list of Top 20 phished brands here. It also indicates an approximate count of attacks against each brand. Interesting to see all these statistics.

Tuesday, July 04, 2006

Revisiting 'Referer' Analysis

In the last post on 'referer' analysis, we discussed how ‘referers’ in the web server access logs can be analyzed to detect a phishing attack. But a manual analysis of web server logs can be difficult and time consuming. However, there are a number of tools which can be used for effective and fast analysis of web server logs.

One such versatile tool is SAWMILL. Once the web server access logs have been processed using SAWMILL, a list of referer entries can be generated, which would appear as shown in the figure below (click to enlarge).


The ‘referers’ can then be analyzed for suspicious entries such as the presence of an IP address or the organization's name. See the previous post here to understand what makes a referer suspicious. If a suspicious referer is found then that link can be followed and further analyzed. Of course, to be effective in detecting a phishing attack the log analysis process has to be a regular activity.

Immediate Site Take Down at Fraud Watch

Bhaven pointed us to Fraud Watch International's "Immediate Site Take Down" service. For $200, this Australian company guarantees to take down a phishing site within 24 hours. I wish they gave more details about what exactly they do. I haven't seen a similar claim before for $200.

There's a very active list of phishing alerts on the company's site. The alerts, like this one for Wachovia Bank, give screen shots of the phishing email and/or website. An RSS feed is also available.

I liked the simple, straight forward tutorial on the different ways phishers fool users. That too includes screen shots of some of the attacks.

For our readers from the wrong side, check out if your name appears in their scam operatives list ;-)
Thursday, June 22, 2006

Referer Analysis - Mining for a Phisher’s Traces

Web server logs can provide valuable information to detect a phishing attack, especially the referer entries. But before we dive into the details, and for those who are not familiar with web server logs, here is a brief introduction to referer.

A referer is the URL of the previous web page from which a link was followed. Similarly, when an image is being picked up from within an HTML page, the referer is the URL of the page within which the image is being requested. The referer log is generally used to identify from which websites users are arriving at the website whose logs are being monitored.

This is how a referer appears in an Apache log (the referer field is the last quoted string):

127.0.0.1 - "GET /bank/demo/bank/images/line2.gif HTTP/1.1" 200 "http://localhost/bank/demo/bank/demo.html"

You can read more details on referer logs here.

Having understood the referer logs, let us see how they can be used to detect a phisher. An analysis of phishing sites has revealed that they very often link content such as images or text from the actual web site instead of embedding it within the fake website. When the fake website page loads in the user’s browser, the images are fetched from the original server. This leaves information about the phishing website on the actual web server, in the form of referer entries in the web server logs. If the web server logs are analyzed for suspicious referer entries then we may detect a phisher. Given below are two examples of what can be a suspicious referer entry:

Presence of numeric IP addresses – In the past many phishing web sites have been hosted at a URL identified by an IP address instead of a domain name. If the phishing site does not have a domain name, then the referer entries will contain the numeric IP address of the fake website.

Presence of organization name – Also, many phishing websites use a URL which contains the name of the targeted organization. For example, if ABC Bank is the victim of a phishing attack then the phisher’s URL may look like: http://sorstyle.com/ABC.com/us/cgi-bin/index.php. So if the request is coming from such a website, then the referer entries will have the name of the organization.

If referer entries are analyzed regularly for presence of numeric IP addresses or name of the organization, then a phishing attack may be detected.
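The two heuristics above, as an added example that is not part of the original post: it flags referers whose host is a numeric IP address or whose URL carries the organization's name while the host is not the organization's own. The log lines, the own-domain abcbank.example and the keyword "abc" are constructed assumptions; the parser also accepts the shortened log line shown earlier in this post.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
# The sorstyle.com URL is the example phisher URL from the post above.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jun/2006:10:01:12 +0530] "GET /images/logo.gif HTTP/1.1" 200 2311 "http://www.abcbank.example/login.html" "Mozilla/5.0"
203.0.113.11 - - [22/Jun/2006:10:02:40 +0530] "GET /images/logo.gif HTTP/1.1" 200 2311 "http://198.51.100.7/abc/login.php" "Mozilla/5.0"
203.0.113.12 - - [22/Jun/2006:10:03:05 +0530] "GET /images/line2.gif HTTP/1.1" 200 412 "http://sorstyle.com/ABC.com/us/cgi-bin/index.php" "Mozilla/5.0"
203.0.113.13 - - [22/Jun/2006:10:04:19 +0530] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [22/Jun/2006:10:05:44 +0530] "GET /images/logo.gif HTTP/1.1" 200 2311 "http://news.example.org/abcbank-review" "Mozilla/5.0"
"""

OWN_HOSTS = {"www.abcbank.example", "abcbank.example"}   # assumed own domain
ORG_KEYWORDS = ("abc",)                                  # assumed brand keyword


def parse_line(line):
    """Return (client_ip, request, referer) from an access-log line.
    The referer is taken as the second quoted field, which holds for the
    combined format and for the shortened line shown in the post."""
    client_ip = line.split(" ", 1)[0]
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    request = quoted[0] if quoted else ""
    referer = quoted[1] if len(quoted) > 1 else "-"
    return client_ip, request, referer


def is_numeric_host(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_referer(referer, own_hosts=OWN_HOSTS, keywords=ORG_KEYWORDS):
    """Return a reason string if the referer looks suspicious, else None."""
    if referer in ("", "-"):
        return None
    host = (urlsplit(referer).hostname or "").lower()
    if host in own_hosts:
        return None                      # our own pages loading our own images
    if is_numeric_host(host):
        return "numeric IP address as host"
    if any(k in referer.lower() for k in keywords):
        return "organization name in a third-party URL"
    return None


def suspicious_referers(log_text):
    """Map each suspicious referer URL to its reason and the client IPs seen."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, _request, referer = parse_line(line)
        reason = classify_referer(referer)
        if reason:
            entry = findings.setdefault(referer, {"reason": reason, "clients": set()})
            entry["clients"].add(client_ip)
    return findings


if __name__ == "__main__":
    for url, info in suspicious_referers(SAMPLE_LOG).items():
        print(f"{info['reason']}: {url} (clients: {sorted(info['clients'])})")
```

The keyword check deliberately over-matches (the news.example.org line is flagged too), so each hit is a lead to follow up by hand, as the post recommends, rather than a verdict.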

Look out for the next post on referrer analysis where we use a log analysis tool to identify suspicious referrer entries.

Wednesday, June 21, 2006

Phishing via Cross Site Scripting at Paypal

Netcraft reports a very convincing phishing attack on Paypal, exploiting a Cross Site Scripting vulnerability on the Paypal site.

The phishers exploit an XSS vulnerability on the original Paypal site. After users are induced to visit the original site, they are automatically redirected to the phisher's site. Netcraft has step-by-step screen shots of the attack.

Paypal has fixed the vulnerability.

This seems to be the first appearance of phishing tied to XSS. Expect to see more of this in the coming months!

Tuesday, June 20, 2006

Phishregistry - free service to monitor your site

Heard via the Bankers Online Anti-phishing blog, that CipherTrust is offering a free service called PhishRegistry to monitor if your website is being duplicated.

According to the site:

"PhishRegistry.org monitors the content of your Website and alerts you when attempts to duplicate it have been detected. By registering your site on Phishregistry.org, you are able to receive notifications of online fraud attempts, and increase your Website’s visibility with CipherTrust and our anti-fraud partners."

The site asks you for the URLs to your home page, the login page and your logo.

The service was launched in March 2006, but I couldn't find more technical details of how the service works.

Scamsters attack ISACA

Recently phishers targeted ISACA, the organization behind the coveted CISA certification. A website with the name www.cisaca.org was created and tricked users into buying study material or registering for the CISA exam. The phishers may be after the credit card numbers of the users.

A quick check with Netcraft toolbar revealed the location as China. The domain name of the website is quite interesting; the use of words such as isaca, cisa, ca can be misleading to an unsuspecting user.

Another thing to note in this attack is the shift in focus from banking or financial institutions to other organizations which can be equally vulnerable. Organizations such as ISACA are attractive targets, as they will have users in multiple countries. Users accessing these websites may also be a little less alert than when they are accessing something more sensitive, say Internet Banking. These factors may increase the overall chances of a successful phishing attack.

We may see more such attacks where non financial organizations are targeted in the future.