Phishing

Etymology

Phishing is derived from the words “fishing” and “phreaking.” Phreaking itself derives from hacking telephone systems (“phone” + “freak”).

Types of Phishing

  • Phishing
    • Phishing (generic). The phisher takes whatever they can get.
    • Spear phishing. A particular individual or group of individuals (e.g., employees) is targeted; the attacker may use specific information or assume a known identity to increase the chance of success.
    • Whaling. Targeting high-value individuals, e.g., a company CEO.

Phishing Outcomes

  • Malware
    • Install malicious software, spyware, etc.
  • Ransomware
    • All your files are encrypted and you are directed to pay a ransom in exchange for the decryption key
  • Website substitution
    • You are directed to a site that looks legitimate and enter your credentials there
  • Session hijacking
    • Phisher obtains your session cookie or authorization token and can log in to the website under your identity
  • Key loggers
    • Phisher is able to log what you type to gather passwords.

Methods

Phishing Emails

Western’s Information Technology Services (ITS) regularly posts examples of phishing emails at http://www.uwo.ca/its/email/spam_phishing/examples/index.html. One such example:

Western University

Dear Western University Canada Account Owner,

This message is from Western University Canada Mailbox Administrator Messaging
Center to all email account owners. We are currently carrying out scheduled
maintenance, upgrade of our web mail service and we are changing our mail host
server, as a result your original password will be reset. We are sorry for any
inconvenience caused.

To complete your Account- Western University Canada webmail email account
settings, you must fill our verification form immediately and provide the
information requested. To SAVE your contacts and documents in your Mailbox,
you are requested to click and fill in the verification accurately.
*****************************************************************************

To Upgrade your Western University Canada Mailbox settings CLICK HERE!

Failure to do this will immediately render your email address deactivated from
the Database- Webmail Western University Canada

Differing Text/URL

The link text says one thing, but the underlying URL (the link’s actual target) is different, e.g.:

http://googsite.com

This can be effective in applications (such as email clients) where it is difficult to see the underlying URL without clicking on it.

The phisher constructs a misleading URL that exploits misunderstanding of (or lack of attention to) the actual domain. The user sees goodsite.com in the URL, but it is only a subdomain; the site actually belongs to the attacker’s domain (account-update.web in the example below).

http://www.goodsite.com.account-update.web/some/subdirectory

Typo Based Attacks

The phisher registers an evil URL that is similar to a real site’s, capturing traffic when a user mistypes the URL.

http://www.yoptube.com
http://www.paypual.com
http://www.facebool.com
etc.

Redirects

Legitimate site example.com contains a redirect script, redirect.jsp, that forwards the user to whatever site is passed in an argument:

http://www.example.com/redirect.jsp?url=evil.com
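The four URL tricks above (link text that does not match its target, a trusted name buried in a subdomain, typo-squatted domains and open redirects) can all be checked mechanically before a link is followed. The function below is an added example, not part of the original notes: the TRUSTED allow-list is a constructed sample, and registered_domain() is a deliberate simplification that treats the last two labels as the owner’s domain (it ignores multi-label suffixes such as co.uk).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list of domains the reader treats as legitimate (sample values).
TRUSTED = {"goodsite.com", "youtube.com", "paypal.com", "facebook.com", "example.com"}

def registered_domain(host):
    """Last two labels of a hostname: the part that names the real owner.
    Assumption/simplification: multi-label suffixes such as co.uk are not handled."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; a typo-squat is usually one keystroke from the real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(text):
    """Hostname from a URL or bare domain in link text; '' if it is not one."""
    text = text.strip()
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|\?|$)", text, re.I):
        return ""
    return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()

def inspect_link(href, visible_text=""):
    """Return the phishing indicators found for one link (empty list if none)."""
    findings, host = [], host_of(href)
    reg = registered_domain(host)
    for t in sorted(TRUSTED):
        # trusted name used as a subdomain of somebody else's registered domain
        if reg != t and (host.startswith(t + ".") or "." + t + "." in host):
            findings.append(f"{t} is only a subdomain of {reg}")
        # typo-squat: one edit away from a trusted domain
        if reg != t and edit_distance(reg, t) == 1:
            findings.append(f"{reg} is one keystroke from {t}")
    # open redirect: a query parameter that itself carries another site
    for key, values in parse_qs(urlsplit(href).query).items():
        for v in values:
            target = host_of(v)
            if target and registered_domain(target) != reg:
                findings.append(f"{key}= redirects to {registered_domain(target)}")
    # visible link text names one domain while the target is another
    shown = host_of(visible_text)
    if shown and registered_domain(shown) != reg:
        findings.append(f"text shows {registered_domain(shown)}, target is {reg}")
    return findings
```

Running inspect_link() over the URLs quoted in this section flags each of them for the reason the notes give, while http://www.example.com/account (no redirect parameter) produces no findings.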

Resend

A legitimate email is sent out. The phisher then re-sends a (nearly) identical email with a modified link, claiming to be a resend or update of the original email.

How to Protect Against Phishing

  • Education: People need to be made aware that phishing happens. Some companies will even phish their own employees to (a) see how easy it is, and (b) start a conversation.
  • Skepticism: Whenever you get an email or a phone call asking for personal information, begin from a position of skepticism. Make them authenticate themselves to you.
  • Pay attention: Adopt an “always-on” mentality towards phishing. Never let your guard down.
  • Look for the signs: Many phishing attempts are easily spotted:
    • Generic greetings
    • Asking for information
    • Sense of urgency
    • Use of language
    • Poor graphics (resolution, scaling)
  • Understanding Browser Warnings: The user notices and understands the risks signalled by various browser indicators, e.g., a missing padlock, self-signed or revoked certificate warnings, etc.
  • Multi-factor authentication: Here we’re talking about multiple factors a site can use to authenticate itself to you (as opposed to you authenticating to it). Many banks, for example, ask you to select a personal image that is shown on login, acting as an “identity cue.”

Passwords

Password Hashing

See the lecture notes on secure password generation and storage.

Shadow file

On Linux, user password hashes are stored in the /etc/shadow file. The relevant fields are:

<username>:$<algorithm>$<salt>$<hash>:...<other stuff>...
  • Algorithm: The identifier of the hashing algorithm used.
  • Salt: A random salt value.
  • Hash: The hashed (or encrypted) password.
  • Other stuff: Number of days since the password was changed, days until it may be changed, days until it must be changed, etc.

An example entry from /etc/shadow:

example:$6$xxPGIf29$6cQxezniLN.bZ2XCBe1lLfzjv05nCMzNvCTWk2YsmctC7WHKIJdjdkiRquO4pKmcNlvrQawmLA/Gazd5wGq840:16817:0:99999:7:::
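The parser below is an added example (not part of the notes) that splits the entry quoted above into its named fields. The algorithm-identifier table and the interpretation of the date fields as day counts since 1970-01-01 follow the crypt(3) and shadow(5) conventions; the audit_entry() checks are this example’s own choice of what a defender would flag.

```python
from datetime import date, timedelta

# crypt(3) hash-type identifiers that appear between the first two '$' signs.
ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt", "2b": "bcrypt"}
EPOCH = date(1970, 1, 1)  # shadow date fields are day counts from here

def parse_shadow_line(line):
    """Split one /etc/shadow record into named fields (see shadow(5))."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has 9 colon-separated fields")
    user, pw, changed, minage, maxage, warn, inactive, expire, _reserved = fields
    entry = {"user": user, "algorithm": None, "salt": None, "hash": None,
             "locked": pw.startswith(("!", "*")), "no_password": pw == ""}
    if pw.startswith("$"):
        # "$<id>$<salt>$<hash>"; an optional "$rounds=N$" may sit before the salt
        parts = pw.split("$")[1:]
        entry["algorithm"] = ALGORITHMS.get(parts[0], "unknown id " + parts[0])
        entry["salt"], entry["hash"] = parts[-2], parts[-1]
    elif pw and not entry["locked"]:
        entry["algorithm"] = "DES"  # legacy 13-character crypt hash, no '$' prefix
    to_date = lambda f: EPOCH + timedelta(days=int(f)) if f else None
    to_int = lambda f: int(f) if f else None
    entry.update(changed=to_date(changed), min_days=to_int(minage), max_days=to_int(maxage),
                 warn_days=to_int(warn), inactive_days=to_int(inactive), expires=to_date(expire))
    return entry

def audit_entry(entry):
    """Return the policy findings a defender would raise for this record."""
    findings = []
    if entry["no_password"]:
        findings.append("empty password field")
    if entry["algorithm"] in ("DES", "MD5"):
        findings.append(f"weak hash algorithm {entry['algorithm']}")
    if entry["max_days"] in (None, 99999):
        findings.append("password never expires")
    return findings

# The entry quoted in the notes above.
SAMPLE = ("example:$6$xxPGIf29$6cQxezniLN.bZ2XCBe1lLfzjv05nCMzNvCTWk2YsmctC7WHKIJdjdkiRquO4pKmcNlvrQawmLA/Gazd5wGq840"
          ":16817:0:99999:7:::")

if __name__ == "__main__":
    e = parse_shadow_line(SAMPLE)
    print(e["user"], e["algorithm"], e["salt"], e["changed"], audit_entry(e))
```

For the quoted entry this reports a SHA-512 hash with salt xxPGIf29, a last change on 2016-01-17 (day 16817) and a maximum age of 99999 days, i.e. a password that never expires.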

Placing this in a file tocrack.txt, we can use a password-cracking utility like John the Ripper to recover the password:

john tocrack.txt

The cracked passwords are stored in ~/.john/john.pot and can be viewed using the --show option:

john --show tocrack.txt

In this case, user example is revealed to have been using the password 12345:

example:12345:16817:0:99999:7:::

1 password hash cracked, 0 left