Columnists

< http://www.securityfocus.com/columnists/274 >

Phishing For Savvy Users By Scott Granneman Nov 01 2004 02:15PM PT The art of faking out opponents in a clever, elegant, beautiful way is one that I find fascinating, and I cherish examples of that art. When looking through history for stories illustrating the deliberate use of distractions to obfuscate an intended purpose, I often return to World War II, which offers many such tales. The story of the allies' cracking of the German Enigma machine is one that everyone in security should know about. Used by the Germans, the Enigma machine was cracked by the allies using a variety of techniques. Math played its part, but so did subterfuge. Robert Morris, former chief scientist at the NSA (and father of the Morris Worm author), explained during a talk at Blackhat Briefings that the Americans noticed that German weather ships trawling in the North Atlantic used Enigma machines to send in weather reports every day. If the Allies could acquire those machines and their keys, it would be a major help in decrypting Enigma. Consquently, the Allies sank a couple of the ships in what seemed like a normal wartime action, but in reality salvage teams immediately went to work and recovered the Enigma machines and the required keys. The Germans never suspected what the real target of the attacks was, and the Allies had another tool to use in their war. Several incidents, famous only after the war, occured during the preparations for the liberation of Europe from the fascists. The Allies wanted to confuse the Nazis so that the actual locations of the landings -- the beaches of Normandy for D-day in 1944 and Sicily in the Mediterranean in 1943 -- would be secret as long as possible, so they developed several deceptions that were purposely designed to be "accidentally" picked up by Nazi operators, including: Operation Fortitude A fake First Army Group, supposedly commanded by General George S. Patton, sent fake radio messages confirming that the Pas de Calais was going to be the epicenter of D-day. In addition, airfields were created that contained row upon row of papier-mache planes, designed to fool air surveillance. Operation Skye Radio traffic out of Scotland intentionally deceived the Germans into believing that the D-day attack was going to come out of northern Europe, in either Norway or Denmark. Operation Mincement (This one is my favorite) This brilliant plan involved dropping a dead man, wearing a life jacket and supposedly named "Major William Martin", into the ocean off the coast of Spain in April 1943. Chained to his wrist was a briefcase containing forged war plans about the upcoming invasion of Sardinia. Hitler fell for it completely, diverting Axis defenses to Sardinia and allowing the Allies much easier access to the island of Sicily, the real target. In the cases above, the good guys used subterfuge, trickery, even treachery to fool their enemies into beliving that what they were seeing and hearing was true, when it fact it was anything but. We're seeing the same sort of chicanery today on the web, except now its ordinary users who are being duped by the bad guys, and the good guys have a heck of a time making the situation any better. I'm referring to the epidemic of phishing that is currently one of the biggest problems on the net. Reaching the point of epidemic I don't know about you, but I get at least one email every few days that is supposedly from CitiBank (currently used in 54% of phishing messages), or PayPal, or eBay, or Amazon, or SunTrust Bank (who the heck are they?), or or or or or ... the list goes on and on. The emails always mention that my account needs to be updated, or my credit card has been charged for some enormous purchase that I never made and I need to correct this, or that I need to verify some information the web site has on me. Whatever. The goal is always to get me to believe that a company I use for financial transactions -- and who therefore is trusted by me -- needs information, so that I submit personal data that can be used by criminals to further their own ends. These messages can look very, very real, as the image below, taken by blogging pioneer Dave Winer shows. Yes, he uses Outlook Express for some reason, and received this in his email: click to enlarge Keep in mind that phishing is not confined to email, but is also web-based as well. In fact, those emails wouldn't work without a corresponding web site, designed also to look as realistic as possible, containing forms for suckers to fill in. But there are also various tricks that can be played on unsuspecting web users that can get them in trouble. How big is that trouble? Enormous, and growing. According to a Gartner Group study from May of this year, at least 1.8 million consumers have been tricked by phishing attacks into revealing sensitive information -- and the majority of that 1.8 million occured within the year prior to that report. In just the last six months, phishing emails have increased by 4000%. On average, a consumer loses $1200 when his bank account is taken over, and the vast majority of such takeovers are from phishing. Think about those numbers for a second. 1.8 million people affected. 4000% increase. $1200 average loss per person. This is escalating into such a problem for banks that many of them are now refusing to protect their customers and, as The Boston Herald reports, are now choosing instead to "litigate, fight and force consumers to settle for lower amounts". If you were fooled through phishing, your bank very well may refuse to reimburse you. Most consumers know that if they get screwed using a credit card, they're only liable for $50. Not so with bank accounts, evidently. Some of you might think, as I did, that FDIC protections safeguard those of us who live in the U.S., at least up to $100,000 (which is far, far more coverage that this columnist needs!). Nope. Those only apply if the bank declares bankruptcy, not if an Eastern European cracker employed by the mob tricks me into revealing my PayPal password and then cleans out my bank account. Browser Problems So phishing is a large, serious, and growing, problem. That's bad. And then within the last few weeks we received even worse news: many of our favorite (and some not-so-favorite) web browsers were vulnerable to phishing using a particularly clever attack vector: the tabs that many of us have come to know, love, and depend upon. Secunia issued a security report detailing how most major web browsers with the tabbed browsing feature were vulnerable to two different vulnerabilities. First, the browsers. Recognize any you use? Mozilla 1.7.3 Mozilla Firefox 0.10.1 Camino 0.8 Opera 7.54 Konqueror 3.2.2-6 Netscape 7.2 Avant Browser 9.02 build 101 and 10.0 build 029 Maxthon (MyIE2) 1.1.039 That list contains several that I use on a daily basis: Firefox, Opera, Konqueror, even Mozilla. In many cases, these are the very latest versions of these browsers (not counting nightly builds, of course). A cross-section of browser rendering engines -- Gecko, KHTML, Trident, Presto, and more -- is represented. The major operating systems, Linux, Mac OS X, and Windows, are represented as well. Microsoft's Internet Explorer -- at least an un-enhanced IE, since Avant and Maxthon are just feature-laden shells wrapped around IE's Trident rendering engine -- is unaffected, but only because IE by itself is so lacking in modern features that it doesn't even support tabs (hey, maybe that's why Microsoft hasn't ever included support for tabs in IE -- 'cause they're concerned about security!). Now, the vulnerabilities. One of them is pretty clever, and one of them, I think, is a bit overstated, but I'll explain that in a second. You have a couple of different web sites open in a couple of tabs. You open another tab and head over to a trusted web site, like PayPal's. You're on the PayPal site, when suddenly a dialog box opens, apparently from PayPal, and asks you to enter your password and your credit card info, "for verification purposes". You do so and keep using the PayPal site, never realizing that it was not the PayPal tab that spawned that dialog box, but a web site on a different, inactive tab. To see what I'm talking about, open the demo site at Secunia with an affected browser and follow the instructions. Very clever. There are two problems here. First, the browser doesn't easily keep the user informed as to which tab is responsible for the dialog box. That's an easy fix. Second, the browser shouldn't allow inactive tabs to spawn dialog boxes in the first place. Another easy fix. But still -- not good. Clearly, none of the organizations creating these browsers ever envisioned such an attack. Of course, this attack will only work if you're already on a shady web site to begin with, and if that site knows you've gone to a site that it knows you trust, like PayPal. As Secunia itself points out, for this sneaky stunt to work it would "normally require that a user is tricked into opening a link from a malicious web site to a trusted web site in a new tab". Clearly, the likelihood of that string of events is pretty small. But it's still clever, and it would undoubtedly get a lot of folks in trouble if they somehow had both the "bad" and the "good" sites open at the same time in separate tabs. The second vulnerability strikes me as even less likely, but perhaps I'm wrong. Let's say you have a couple of different web sites open in a couple of tabs. You open another tab and head over to a trusted web site, like PayPal's. You type in your username and password, but nothing shows up. You type it again. Still nothing. Assuming that PayPal's site is temporarily borked, you close the tab and continue on your merry way. Little do you know that everything you typed actually went into a form on a site found on one of your other tabs. If you want to see this in action, Secunia has a demo site up for this one as well. Now, this one seems quite unlikely to me, even more so that the first. Secunia justifies the seriousness of the hole by claiming that it "is escalated a bit by the fact that most people do not look at the monitor while typing data into a form field", which doesn't jibe with what I do or what I see. In my experience, most folks -- not all, but most -- look at form fields while they're typing, so I think that they would immediately notice when text isn't appearing. Further, it doesn't matter if the text you're trying to type is actually entered into a form field in another tab -- you'd have to actually go back to that tab, not notice that your PayPal password was sitting there in a field, and then go ahead and press Submit and send that data to the bad guys. I find this scenario even less likely than the one in the first vulnerability, but maybe I'm nuts. So here we have problems in some very popular tabbed browsers. Secunia's advice is logical: either disable JavaScript (which will cause problems using a vast number of web sites, so it's not likely), or avoid opening a trusted web site in a tab when other tabs already contain untrusted web sites. OK. Not bad advice. So if you want to use PayPal or eBay or your bank, open up a new Firefox window first. No problem. A fix, of course, would be better. In the usual open source tradition of fixing flaws quickly, Konqueror released a version of the browser that was patched against the vulnerabilities, and Firefox promised that it would be secured by the time 1.0 is released, sometime in the new few weeks. On the other hand, Netscape, now owned by AOL, and Avant never bothered to respond to Secunia when it contacted them. Guess I know which browsers to avoid. I'm not trying to discredit Secunia or these vulnerabilities. They are definitely problems that need to be fixed. It's just that there's a big difference between the almost torturous series of steps required to exploit users with these vulnerabilities as compared to the recent IE exploit that involved simply visiting your bank's web site. However, there are other phishing vulnerabilities out there, involving Google, for instance, that are far easier to fall for. Undoubtedly there are many, many others, involving weaknesses in the web sites and in the web browsers we all use every day, that will be discovered. We need to be aware of these openings because they remind us that phishing is not just a matter of receiving an email that's a doppelganger for a real one from a company we do business with, but also that phishing is increasingly going to use the vector of the browser itself as an opening for exploitation. And that, as security pros undoubtedly know in their bones, is going to be an even bigger problem than duplicitous emails. Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.