Phishing

Etymology

Phishing is derived from the words “fishing” and “phreaking.” Phreaking itself derives from hacking telephone systems (“phone” + “freak”).

Types of Phishing

Phishing Outcomes

Methods

Phishing Emails

Western’s Information Technology Services (ITS) regularly posts examples of phishing emails received on campus at http://www.uwo.ca/its/email/spam_phishing/examples/index.html. One such example:

Western University 
	
Dear Western University Canada Account Owner,
	
This message is from Western University Canada Mailbox Administrator Messaging 
Center to all email account owners. We are currently carrying out scheduled 
maintenance, upgrade of our web mail service and we are changing our mail host 
server, as a result your original password will be reset. We are sorry for any 
inconvenience caused.
	
To complete your Account- Western University Canada webmail email account 
settings, you must fill our verification form immediately and provide the 
information requested. To SAVE your contacts and documents in your Mailbox, 
you are requested to click and fill in the verification accurately.
 *****************************************************************************
	
To Upgrade your Western University Canada Mailbox settings CLICK HERE!
	
Failure to do this will immediately render your email address deactivated from
the Database- Webmail Western University Canada

Differing Text/URL

The visible link text says one thing, but the URL underneath it points somewhere else:

http://googsite.com

This can be effective in applications (such as email clients) where it is difficult to see the underlying URL without clicking on it.

The phisher constructs a misleading URL that exploits a misunderstanding of (or lack of attention to) which part of the URL is the actual domain. The user sees goodsite.com in the URL, but it is only a subdomain; the registered domain, and therefore the site actually visited, is the evil site.

http://www.goodsite.com.account-update.web/some/subdirectory

Typo Based Attacks

The phisher registers an evil domain that is similar to the real site's in order to capture traffic when a user mistypes the URL:

http://www.yoptube.com
http://www.paypual.com
http://www.facebool.com
etc.

Redirects

A legitimate site example.com contains a redirect script redirect.jsp that forwards the user to whatever site is passed in an argument. The link begins with the trusted domain, so the user does not notice where it ends up:

http://www.example.com/redirect.jsp?url=evil.com
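The three URL tricks above (a trusted name buried in a subdomain, a typo-squatted domain, and an open redirect) can be checked mechanically, which is what mail filters and browser warnings do. The Python below is an added example written for these notes, not code from the course or from any product. The list of known domains is a constructed sample, and the registrable-domain extraction is deliberately simplified: it takes the last two labels of the hostname, so multi-label public suffixes such as co.uk are not handled.

```python
"""Heuristic checks for the phishing URL tricks described in these notes:
a trusted name buried in a subdomain, a typo-squatted domain, and an open
redirect. Added example, not code from the notes themselves."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample list of domains the organisation's users legitimately visit.
KNOWN_DOMAINS = ["goodsite.com", "youtube.com", "paypal.com", "facebook.com", "example.com"]


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'account-update.web'.

    Simplification: multi-label public suffixes such as co.uk are not handled;
    a real implementation would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def analyse_url(url, known=KNOWN_DOMAINS):
    """Return a list of (kind, detail) findings for one URL; empty means no trick seen."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)

    for k in known:
        # Trick 1: goodsite.com appears as a sequence of labels, but the registrable
        # domain (the part that decides where the request really goes) is different.
        if f".{k}." in f".{host}." and reg != k:
            findings.append(("lookalike-subdomain",
                             f"{k} appears inside {host}, but the real domain is {reg}"))
        # Trick 2: the registrable domain is one or two edits away from a known one.
        distance = levenshtein(reg, k)
        if 0 < distance <= 2:
            findings.append(("typosquat", f"{reg} is {distance} edit(s) from {k}"))

    # Trick 3: a query parameter carries a destination on another domain, the
    # signature of an open redirect such as redirect.jsp?url=evil.com.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if "." not in value:
                continue
            target = urlsplit(value if "://" in value else "http://" + value)
            if target.hostname and registrable_domain(target.hostname) != reg:
                findings.append(("open-redirect",
                                 f"parameter {key!r} sends the user to {target.hostname}"))
    return findings


if __name__ == "__main__":
    for sample in ["http://www.goodsite.com.account-update.web/some/subdirectory",
                   "http://www.yoptube.com",
                   "http://www.example.com/redirect.jsp?url=evil.com",
                   "https://www.paypal.com/login?next=https://www.paypal.com/account"]:
        print(sample, "->", analyse_url(sample) or "no findings")
```

The lookalike check compares whole labels rather than substrings, so notgoodsite.com is not reported as containing goodsite.com, and the redirect check only fires when the parameter's destination leaves the registrable domain of the page itself, so a site redirecting to one of its own pages is left alone.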

Resend

A legitimate email is sent out. The phisher then re-sends a (nearly) identical email with a modified link, claiming to be a resend or an update of the original email.

How to Protect Against Phishing

Passwords

Password Hashing

See the following lecture notes on secure password generation and storage.

Shadow file

In Linux, user passwords are stored in the /etc/shadow file. The relevant fields are:

<username>:$<algorithm>$<salt>$<hash>:...<other stuff>...

An example entry from /etc/shadow:

example:$6$xxPGIf29$6cQxezniLN.bZ2XCBe1lLfzjv05nCMzNvCTWk2YsmctC7WHKIJdjdkiRquO4pKmcNlvrQawmLA/Gazd5wGq840:16817:0:99999:7:::

Placing this entry in a file tocrack.txt, we can use a password cracking utility like John the Ripper to recover the password:

john tocrack.txt

Cracked passwords are stored in ~/.john/john.pot and can be viewed using the --show option:

john --show tocrack.txt 

In this case the user example is revealed to have been using the password 12345:

example:12345:16817:0:99999:7:::

1 password hash cracked, 0 left
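The field layout of a shadow entry, and the check John performs for each guess (hash the candidate with the stored algorithm and salt, then compare against the stored hash), can be reproduced in a few lines. The Python below is an added example for these notes, not part of the notes or of John the Ripper. It reuses the example entry from above; the MD5 and locked entries are constructed. The candidate check relies on the standard-library crypt module, which Python 3.13 removed, so it returns None rather than a verdict where that module is missing.

```python
"""Parse /etc/shadow entries and audit them for weak hash algorithms and
guessable passwords. Added example for these notes, not part of the notes or
of John the Ripper."""
import hmac
from datetime import date, timedelta

# The example entry from the notes, plus two constructed entries for the audit.
SHADOW_LINES = [
    "example:$6$xxPGIf29$6cQxezniLN.bZ2XCBe1lLfzjv05nCMzNvCTWk2YsmctC7WHKIJdjdkiRquO4pKmcNlvrQawmLA/Gazd5wGq840:16817:0:99999:7:::",
    "legacy:$1$constsal$constructedmd5hashXXXXXXXXXX:16817:0:99999:7:::",  # constructed
    "service:*:16817:0:99999:7:::",                                         # constructed, locked
]

# Identifiers found between the first two '$' signs of the password field (crypt(5)).
ALGORITHMS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "5": "SHA-256",
              "6": "SHA-512", "7": "scrypt", "y": "yescrypt"}
WEAK_ALGORITHMS = {"MD5", "DES"}


def parse_shadow_entry(line):
    """Split one shadow line into its nine fields and decode the password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw, last_change, min_age, max_age, warn, inactive, expire, _reserved = fields
    entry = {
        "user": user,
        "password_field": pw,
        "locked": pw.startswith("!") or pw in ("*", "!!"),
        "algorithm_id": None, "algorithm": None, "salt": None, "hash": None,
        # Third field: days since 1970-01-01 on which the password was last changed.
        "last_change": date(1970, 1, 1) + timedelta(days=int(last_change)) if last_change else None,
        "max_age": int(max_age) if max_age else None,   # 99999 effectively means "never expires"
    }
    if pw.startswith("$"):
        parts = pw.split("$")                 # "$6$salt$hash" -> ["", "6", "salt", "hash"]
        entry["algorithm_id"] = parts[1]
        entry["algorithm"] = ALGORITHMS.get(parts[1], f"unknown id {parts[1]}")
        entry["salt"] = "$".join(parts[2:-1])  # yescrypt puts its parameters before the salt
        entry["hash"] = parts[-1]
    elif pw and not entry["locked"]:
        entry["algorithm"] = "DES"             # 13-character traditional crypt, 2-char salt
        entry["salt"], entry["hash"] = pw[:2], pw[2:]
    return entry


def check_candidate(entry, candidate):
    """True/False if candidate hashes to the stored value under the stored salt and
    algorithm; None when the crypt module is unavailable (removed in Python 3.13)."""
    if entry["hash"] is None:
        return False
    try:
        import crypt
    except ImportError:
        return None
    # Everything before the final '$' is the "setting" crypt needs to reproduce the hash.
    setting = entry["password_field"].rsplit("$", 1)[0] if entry["algorithm_id"] else entry["salt"]
    return hmac.compare_digest(crypt.crypt(candidate, setting) or "", entry["password_field"])


def audit(lines, common_passwords=("12345", "password", "123456")):
    """Return {user: [problems]} for entries that need attention."""
    report = {}
    for line in lines:
        entry = parse_shadow_entry(line)
        problems = []
        if entry["locked"]:
            pass                                  # no password login possible, nothing to crack
        elif entry["password_field"] == "":
            problems.append("empty password")
        else:
            if entry["algorithm"] in WEAK_ALGORITHMS:
                problems.append(f"weak hash algorithm {entry['algorithm']}")
            for guess in common_passwords:        # the same loop John runs, with a tiny wordlist
                if check_candidate(entry, guess):
                    problems.append(f"password is the common value {guess!r}")
                    break
        if problems:
            report[entry["user"]] = problems
    return report


if __name__ == "__main__":
    for user, problems in audit(SHADOW_LINES).items():
        print(user, "->", "; ".join(problems))
```

Because the salt is stored in clear next to the hash, it does not slow down a guess against one account; its purpose is to stop one precomputed table from being reused across accounts. What makes the example entry crackable is the password itself, which is why the audit tests each account against a list of common values.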