Phishing is derived from the words “fishing” and “phreaking.” Phreaking itself derives from hacking telephone systems (“phone” + “freak”).
Types of Phishing
- Phishing (generic). Phisher takes what they can get.
- Spear phishing. A particular individual or group of individuals (e.g., employees) is targeted; the phisher may employ specific information or assume known identities to increase success.
- Whaling. Targeting high value individuals, e.g., company CEO.
- Install malicious software, spyware, etc.
  - All your files are encrypted and you are directed to pay a ransom in exchange for the decryption key
- Website substitution
  - You are directed to a site that looks legitimate and enter your credentials
- Session hijacking
  - Phisher obtains your session cookie or authorization token and can log in to the website under your identity
- Key loggers
  - Phisher is able to log what you type to gather passwords.
Western’s Information Technology Services (ITS) regularly posts examples of phishing emails at http://www.uwo.ca/its/email/spam_phishing/examples/index.html.
Western University

Dear Western University Canada Account Owner,

This message is from Western University Canada Mailbox Administrator Messaging Center to all email account owners. We are currently carrying out scheduled maintenance, upgrade of our web mail service and we are changing our mail host server, as a result your original password will be reset. We are sorry for any inconvenience caused.

To complete your Account- Western University Canada webmail email account settings, you must fill our verification form immediately and provide the information requested. To SAVE your contacts and documents in your Mailbox, you are requested to click and fill in the verification accurately.

*****************************************************************************

To Upgrade your Western University Canada Mailbox settings CLICK HERE!

Failure to do this will immediately render your email address deactivated from the Database- Webmail Western University Canada
The text says one thing, but the underlying URL is different:
This can be effective in applications (such as email clients) where it is difficult to see the underlying URL without clicking on it.
The phisher constructs a misleading URL that exploits a misunderstanding of (or lack of attention to) which part of the URL is the actual domain. The user sees goodsite.com in the URL, but goodsite.com is only a subdomain label of the evil site's domain.
Typo-Based Attacks
The phisher registers an evil URL that is similar to a real site's in order to capture traffic when a user mistypes the URL, e.g., http://www.yoptube.com, http://www.paypual.com, http://www.facebool.com, etc.
Suppose example.com contains a redirect script, redirect.jsp, that forwards the user to whatever site is passed in an argument. A phishing link can then point at the trusted example.com while actually landing the user on the phisher's site.
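As an added example (not part of the lecture notes), the three link tricks above can be turned into a simple defender-side checker for the anchors in an email body: it flags visible text whose domain differs from the real href, a trusted name that appears only as a subdomain label of some other domain, and a link whose query string carries another URL (the shape of an open-redirect link). The TRUSTED_DOMAINS allow-list and the sample message are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list of domains the organisation legitimately links to.
TRUSTED_DOMAINS = {"goodsite.com", "example.com"}
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def check_link(href, text):
    """Return the reasons an anchor looks deceptive; an empty list means clean."""
    reasons = []
    parts = urlparse(href)
    host = (parts.hostname or "").lower()
    # 1. The visible text is itself a URL/domain, but not the one the link goes to.
    m = URL_IN_TEXT.search(text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append("visible URL differs from real target")
    # 2. A trusted name is inside the host but is not its registrable domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and host != trusted and not host.endswith("." + trusted):
            reasons.append("trusted name used as a subdomain of another domain")
    # 3. A query parameter holds another absolute URL: redirect.jsp?url=http://...
    for values in parse_qs(parts.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            reasons.append("URL passed as a parameter (possible open redirect)")
            break
    return reasons

def scan_html(html):
    """Return [(href, text, reasons)] for every flagged <a> in an HTML body."""
    flagged = []
    for href, text in ANCHOR.findall(html):
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text.strip(), reasons))
    return flagged

# Constructed sample message body (not a real phishing email).
SAMPLE = (
    '<p>To upgrade your mailbox <a href="http://goodsite.com.evil.example/login">CLICK HERE!</a></p>'
    '<p>Go to <a href="http://www.paypual.example/">http://www.paypal.com</a> now.</p>'
    '<p>Help: <a href="https://example.com/redirect.jsp?url=http://evil.example/">https://example.com/help</a></p>'
    '<p>Genuine: <a href="https://www.goodsite.com/help">https://www.goodsite.com/help</a></p>'
)
```

Running scan_html(SAMPLE) flags the first three links and leaves the genuine goodsite.com link alone; a public-suffix list would be needed before trusting registrable_domain on real mail.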
A legitimate email is sent out. The phisher then re-sends a (nearly) identical email with a modified link, claiming to be a resend or update of the original email
How to Protect Against Phishing
- Education: People need to be made aware that phishing happens. Some companies will even phish their own employees to (a) see how easy it is, and (b) start a conversation.
- Skepticism: Whenever you get an email or a phone call asking for personal information, begin from a position of skepticism. Make them authenticate themselves to you.
- Pay attention: Adopt an “always-on” mentality to phishing. Don’t let your guard down ever.
- Look for the signs: Many phishing attempts are easily spotted
  - Generic greetings
  - Asking for information
  - Sense of urgency
  - Use of language
  - Poor graphics (resolution, scaling)
- Understanding Browser Warnings: User notices and understands risks of various browser indicators, e.g., missing padlock, self-signed or revoked certificate warnings, etc.
- Multi-factor authentication: Here we’re talking about multiple factors a site can use to authenticate to you (as opposed to you authenticating to them). Many banks for example ask you to select a personal image that is shown on login, acting as an “identity cue.”
See the following lecture notes on secure password generation and storage.
In Linux, user passwords are stored in the /etc/shadow file. The relevant fields are:
- Salt: A random salt value
- Hash: The hashed (or encrypted) password.
- Other stuff: Number of days since password was changed, days until it may be changed, days until it must be changed, etc.
An example entry from
Placing this in a file tocrack.txt, we can use a password cracking utility like John the Ripper to recover the password:
The cracked password will be stored in ~/.john/john.pot and can be viewed using:

john --show tocrack.txt
In this case user example is revealed to have been using the password 12345, as the output shows:

example:12345:16817:0:99999:7:::
1 password hash cracked, 0 left