n this blog entry, I’ll talk about where malicious software (or malware) can find its place within the lifecycle of phishing attacks. This material accompanies a recent panel I participated in during the American Association for the Advancement of Science Annual meeting. If you attended the panel, this blog will review the points I made. If you missed the panel, then hopefully you’ll get a sense for what I covered.
Phishing: Overview and Motivation. Recall that a phishing attack is one where some illegitimate entity sends you an email posing to be a legitimate entity, like a bank or credit card company. Their goal is typically to get you to click on a link in the email, which directs you to a Web site that appears to be that of the legitimate entity. You are prompted to enter sensitive information, and from that point onward, the information is in the hands of an attacker. Not only can he or she wipe your accounts clean, but that information can then be used in perpetuity. The attacker can potentially open new credit card accounts or even set up utility bills in your name. Once your identity is stolen, it’s impossible to fully reclaim it. All you can do is mitigate the damage, and hope it doesn’t rear its ugly head too often.
Phishing is a major problem. In the first nine months of 2006, the Symantec Brightmail Antispam system blocked over two billion phishing messages; of these over two hundred thousand were unique. By all accounts the problem seems to be getting worse – as researchers develop techniques for addressing the problem, phishers are themselves adapting and developing new techniques to bypass existing security mechanisms.
Phishing and Malware. Phishing is traditionally thought of as a social threat – meaning that the attacker uses trickery and deceit to achieve his goals rather than technical prowess. At the same time, malicious software can play a role in many aspects of the phishing lifecycle.
• First, many unsolicited emails – like spam or phishing emails – are sent from computers that have been compromised by malware. These machines belong to every day computer users who are otherwise unaware that they are participating in sending massive amounts of email.
• Second, many unsolicited emails contain malicious code files as attachments. According to the tenth edition of the Symantec Internet Security Threat Report, from January through June 2006, 0.81% of spam emails contained malicious code (the tenth edition of the Symantec Internet Security Threat Report can be found here: http://www.symantec.com/enterprise/threatreport/index.jsp). However, as spam filters continue to improve and block such code, attackers will likely search for new malicious software propagation vectors.
• Third, there are many different types of malicious software that can be used to steal a person’s login credentials when they visit their Web site. For example, a browser overlay is a type of malware that puts a fake login window on top of the real login window you see on your bank’s Web site. If such a piece of malware were installed on your machine, then when you log in, it turns out that the information will simply go into the hands of an attacker. Another variation on this concept is fake browser malware – such malware would put a fake Web browser window on top of your real browser window. Again, whatever you type in will be stolen by the attacker. Yet another example is a so-called form grabber. This type of software captures any sensitive information you enter into a form on a Web site. The information is siphoned off to the attacker – perhaps by email – without you knowing it.
• Fourth, many phishing Web sites can host malicious software. The software could be your traditional malware that requires a user to be duped into downloading and installing it. However, so-called JavaScript malware is an emerging, and potentially extremely devastating threat. Recall that JavaScript is a programming language that can run in the context of your Web browser. Almost all the major Web sites these days include some JavaScript component and trying to surf the Web without allowing JavaScript code to execute on your Web browser would be a pretty hideous experience. It turns out, unfortunately, that an attacker can write JavaScript code that can attempt to scan your home network and potentially make changes to it.
JavaScript Malware. What’s scary about JavaScript Malware is that it does not require the end user to accidentally download or install malicious software. Instead that user puts himself at risk by simply viewing a Web page containing the offending code. Sometimes, all it takes is a split second.
Jeremiah Grossman, one of the top Web application security experts, helped pioneer and draw attention to threat of JavaScript malware; the slides from the talk he gave on this topic at Black Hat 2006 are available here: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf. It turns out that one can apply these exact techniques to change DNS settings on home broadband routers – thereby allowing an attacker to control what Web sites you visit. It can be extremely difficult to tell that you’ve become a victim to this attack since the change did not happen on your computer, but on a piece of external hardware.
Sid Stamm, Markus Jakobsson (both of Indiana University Department of Informatics), and I worked out some of the details of this attack (which we’ve named “Drive-by Pharming”). More information, together with a flash animation describing the threat, can be found in a previous blog posting: http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html.
This threat has the potential to infect a large number of people – but can be mitigated by changing the password on your home broadband router to something other than the default. (If you didn’t know that your router came with a password – don’t worry, you’re not alone. But before you surf the Web, I’d highly recommend that you change it.)
Overall, while phishing is traditionally thought of a “social engineering” threat and malware is traditionally thought of as a “technical” threat, there are places where the two can meet.
Here are some best practices for dealing with this broad spectrum of threats:
• First, I would encourage anyone to use a comprehensive Internet security software suite that includes Anti-Virus, Anti-Spyware, PC-level firewall, Intrusion Prevention/Detection, and Anti-Phishing as well as Anti-Spam capabilities.
• Second, you should change the default passwords on any home devices that are part of your network configuration. That includes your broadband routers or wireless access points.
• Third, I would suggest practicing Internet street smarts – try to stick to sites that you trust and encourage all who are on your network to do that same.
• Fourth, it’s usually a good idea to turn off any functionalities on your PC that you are not using. Along the same lines, do not run in “administrator” mode if you do not need to. The more functionalities you have running, the more opportunities an attacker might have to find an exploit.
While this list is far from exhaustive, I certainly believe it’s a good start. I would also encourage you to look at the materials presented by my co-panelists:
Markus Jakobsson: http://www.malware-jakobsson.info/
Aaron Emigh: http://www.malware-emigh.info/
Ari Juels: http://www.malware-juels.info/
Suzanne Wetzel: http://www.malware-wetzel.info/