Symantec Blogs: Security Response

Zulfikar Ramzan | August 20th, 2009

Recently, Twitter implemented technology to help stem the threat of malicious URLs being propagated through its service. This approach seems to be a great effort on the part of Twitter to prevent attackers from tweeting malicious links.

It appears as if the tool is filtering tweets and comparing any embedded URL to its list of known malicious sites. Trying to determine whether a URL points to a malicious website in a large-scale automated fashion, especially in today’s threat landscape, is a challenging problem. From my perspective, there are a few issues that need to be worked out. Twitter is likely in the nascent stages of addressing these types of issues and we expect they will try to overcome the associated limitations.

To date we've only seen a relatively small number of attack attempts involving malicious URLs on Twitter. URL-shortening services are often at the heart of these types of attacks as bad guys try to take advantage of the system to disguise...
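
The filtering the post describes, a blocklist match on every URL embedded in a tweet, and the gap it leaves for URL shorteners, sketched here in Python as an added example. This is not Twitter's code (the post does not describe its internals); the blocklist hostnames, the list of shortener hosts and the sample tweets are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed blocklist of hostnames (hypothetical names; not Twitter's list).
BLOCKLIST = {"malware-download.example", "fake-login.example"}

# Well-known URL-shortening hosts. A short link hides its destination, so a
# host-based blocklist cannot judge it without following the redirect first.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)\"'"


def canonicalize(url: str) -> str:
    """Normalize a URL so trivial variations do not evade an exact match:
    lower-case scheme and host, drop default ports, empty paths and fragments."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    port = parts.port
    netloc = host if port in (None, 80, 443) else f"{host}:{port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def host_matches(host: str, blocked: str) -> bool:
    """True when host is the blocked name itself or one of its subdomains."""
    return host == blocked or host.endswith("." + blocked)


def classify_url(url: str) -> str:
    """Return 'blocked', 'shortened' (destination unknown) or 'allowed'."""
    host = urlsplit(canonicalize(url)).hostname or ""
    if any(host_matches(host, b) for b in BLOCKLIST):
        return "blocked"
    if host in SHORTENER_HOSTS:
        # The filter cannot see through a shortener without expanding it
        # (a network round trip per link), which is exactly how a blocked
        # destination slips past an exact match on the tweet text.
        return "shortened"
    return "allowed"


def scan_tweet(text: str) -> dict:
    """Map every URL found in a tweet to its verdict."""
    urls = [u.rstrip(TRAILING_PUNCT) for u in URL_RE.findall(text)]
    return {u: classify_url(u) for u in urls}


def tweet_allowed(text: str) -> bool:
    """A tweet is accepted only if no embedded URL is on the blocklist.
    Shortened links pass here; closing that gap means expanding them."""
    return "blocked" not in scan_tweet(text).values()
```

The `shortened` verdict is the practical caveat: a filter that only compares the literal URL in the tweet against a list has to either expand short links before judging them or treat them as unknown.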

Zulfikar Ramzan | May 22nd, 2009

While many forms of online mischief require some degree of technical sophistication on the part of the miscreant, we often see forms of attack that are quite simple. One case in point is the phishing attack. In many ways, phishing attacks are at the low end of the totem pole from a technical sophistication standpoint. In fact, ready-made phishing kits can be purchased in the underground economy (though the buyer should beware!), and many aspects of the attack can effectively be outsourced.
 
For a while, banking and other financial services sites bore the brunt of the phishers’ attention. It’s not surprising. Phishing is a financially motivated crime, so to understand the modus operandi of a phisher, all you have to do is follow the money. During the last year and a half or so we have noticed an interesting trend, in that social networking sites have become a much more popular target for phishers.
 
In some cases, social networking...

Zulfikar Ramzan | April 21st, 2008

On the eve of the much anticipated Pennsylvania Democratic Primary, we received public reports of a series of cross-site scripting vulnerabilities that affected Barack Obama's campaign Web site. We also saw reports of these vulnerabilities being disclosed publicly on the XSSed.com Web site. The corresponding code to exploit the vulnerabilities was used to redirect users to Hillary Clinton’s Web site.

Who says attackers don’t have a sense of humor? While a couple of these vulnerabilities were shored up before we could investigate them, we were able to examine some for validity.

At a high level, what appears to have happened is that an attacker took advantage of the fact that certain parts of the Obama campaign site allow users to post content, for example, in the form of community blog postings. While most users take advantage of such features to post political commentary, at least one user decided to try posting something more insidious.

Here’s how such...
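
The mechanism behind a stored cross-site scripting hole of the kind described above, shown as an added example in Python (this is not the campaign site's code, and the payload below is a constructed stand-in for a redirecting script, not the one reported on XSSed.com): a page that interpolates user-posted text verbatim next to one that escapes it first.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample submissions; the second stands in for a post that
# redirects visitors elsewhere. It is not the code reported against the site.
HARMLESS_POST = "I liked the speech on health care & jobs."
MALICIOUS_POST = ('Great speech!<script>window.location='
                  '"http://other-campaign.example/"</script>')

POST_TEMPLATE = '<div class="post"><h2>{title}</h2><p>{body}</p></div>'
LINK_TEMPLATE = '<a href="{href}">{label}</a>'


def render_post_vulnerable(title: str, body: str) -> str:
    """Interpolates user-supplied text verbatim into the page. Anything a
    user posts, including <script>, becomes part of the page for every
    reader: a stored cross-site scripting hole."""
    return POST_TEMPLATE.format(title=title, body=body)


def render_post_hardened(title: str, body: str) -> str:
    """Escapes &, <, >, " and ' before interpolation, so posted markup is
    displayed as text instead of being parsed as HTML."""
    return POST_TEMPLATE.format(title=html.escape(title, quote=True),
                                body=html.escape(body, quote=True))


def safe_href(url: str) -> str:
    """Links need more than escaping: a javascript: URL in href executes
    even when escaped. Only absolute http(s) targets are let through."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(url: str, label: str) -> str:
    """Render a user-supplied link with both the URL and the label sanitized."""
    return LINK_TEMPLATE.format(href=safe_href(url),
                                label=html.escape(label, quote=True))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(rendered: str) -> bool:
    """Rough check used only to compare the two renderers; a browser's
    parser, not a regex, is the real judge of what executes."""
    return SCRIPT_TAG.search(rendered) is not None
```

Escaping is the right fix for text placed in element content or a quoted attribute; user data that lands in a URL, a script block or a style block needs the encoder for that context, which is why `safe_href` filters the scheme rather than relying on `html.escape` alone.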

Zulfikar Ramzan | November 27th, 2007

On November 2, 2007 I had the opportunity to participate in a panel at the Federal Trade Commission on the future of online behavioral advertising. While this topic is not one that is normally associated with information protection issues, there are some interesting implications that I touched upon at the panel and that I thought I’d reiterate here.

First, let’s think about some of the overall trends related to Web advertising. To begin with, the Web has certainly exploded in popularity and people are spending more and more time each day surfing their favorite sites.

Second, online advertising has proven itself to be a viable business model for many companies. Countless Web sites display ads that are viewed by an even greater number of people.

Third, along these same lines, the online advertising supply chain is fairly complex. In the simplest incarnation, an advertiser might work with an ad network who will arrange to have the ad published through one...

Zulfikar Ramzan | August 27th, 2007

Michael Dolan, a phisher who targeted AOL over the course of five years, recently pleaded guilty to two criminal counts that the U.S. attorney's office brought against him. The first count was conspiracy to commit fraud and the second count was aggravated identity theft.

Dolan's "career" spanned from 2002 to 2006 and mostly involved getting victims to install a Trojan program that would prevent them from logging into their AOL account without providing additional sensitive information like credit card and Social Security numbers. When caught, he had private and financial information for 96 individuals.

On the one hand, I think this is a great victory for the Department of Justice. I believe that legal actions are one of the important channels we need to consider when addressing the problem of phishing. After all, phishing is ultimately a financial crime, and to the extent that we can make it more risky and less profitable, we can substantially reduce instances of phishing.

...
Zulfikar Ramzan | July 1st, 2007

The Pareto principle, sometimes known as the 80-20 rule, states that roughly 80% of the effects stem from 20% of the causes. It was named after Vilfredo Pareto, an Italian economist, who observed that 20% of Italy’s population received 80% of its income. This principle comes up in numerous other places in the social sciences and in engineering.

What does this have to do with phishing? Well, recently I looked at which legitimate brands tend to get imitated the most in phishing attacks. I went back through data gathered from June through December 2006. All in all, we found 343 brands being spoofed. Some of these were well-known banks, credit card companies, online retailers, and the like. Others were smaller players, including credit unions, local banks, and smaller retailers. Note that phishing attacks target many sectors beyond just the financial and retail sectors. I just chose to include these as an example.

It turns out that there is Pareto-like behavior among the...

Zulfikar Ramzan | June 27th, 2007

I recently looked at some data collected from the Norton Confidential server on brands spoofed in phishing attacks from June through December of 2006. In total, we saw phishing attacks on 343 different brands. Looking further into the data, I wanted to get a sense of which types of brands are consistently targeted by phishers.

I found that there were 57 “core” brands that were consistently spoofed in each month from June through December. These core brands were determined by identifying seven lists of brands, one for each month in our data collection (June through December), each list naming the brands for which a new Web site spoofing that brand was reported that month. The core brands, then, made up the intersection of these lists.

There is a distinction between core brands and the most frequently spoofed brands. The former are brands that are consistently spoofed each month. The latter are brands that are the most frequently spoofed overall, measured by the number of Web sites that imitate these brands.

At first...
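
The two measurements described in the July 1st entry above (how few brands account for most of the spoofing sites) and in this entry (core brands as the intersection of the monthly lists, versus the most frequently spoofed brands), worked through in Python as an added example. This is not Symantec's analysis code and the data is not the Norton Confidential data: the brand names and per-month counts below are constructed so that the two lists visibly differ.

```python
from collections import Counter

# Constructed counts of newly reported spoofing sites per brand and month,
# a stand-in for the June-December 2006 data. Brand names are hypothetical.
MONTHS = ("Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
NEW_SITES = {
    "Jun": {"BigBank": 80, "CardCo": 14, "MegaShop": 5, "WebMail": 2, "CityBank": 1, "LocalCU": 2, "RegionalCU": 1},
    "Jul": {"BigBank": 85, "CardCo": 14, "MegaShop": 5, "WebMail": 3, "CityBank": 1, "SmallShop": 3, "RegionalCU": 1},
    "Aug": {"BigBank": 85, "CardCo": 14, "MegaShop": 6, "WebMail": 3, "CityBank": 1, "LocalCU": 2, "RegionalCU": 1},
    "Sep": {"BigBank": 85, "CardCo": 14, "MegaShop": 6, "WebMail": 3, "CityBank": 1, "SmallShop": 3},
    "Oct": {"BigBank": 85, "CardCo": 14, "MegaShop": 6, "WebMail": 3, "CityBank": 1, "LocalCU": 2, "RegionalCU": 1},
    "Nov": {"BigBank": 90, "CardCo": 15, "MegaShop": 6, "WebMail": 3, "CityBank": 1, "BurstRetail": 120, "RegionalCU": 1},
    "Dec": {"BigBank": 90, "CardCo": 15, "MegaShop": 6, "WebMail": 3, "CityBank": 1, "BurstRetail": 130, "RegionalCU": 1, "TownBank": 1},
}


def brand_totals(data: dict) -> Counter:
    """Total number of spoofing sites per brand across all months."""
    totals = Counter()
    for counts in data.values():
        totals.update(counts)
    return totals


def ranked_brands(data: dict) -> list:
    """Brands from most to least spoofed overall (ties broken by name)."""
    totals = brand_totals(data)
    return sorted(totals, key=lambda b: (-totals[b], b))


def brands_for_share(data: dict, effect_share: float = 0.8) -> tuple:
    """How many of the most-spoofed brands account for effect_share of all
    sites, together with that count as a fraction of all brands. Roughly
    (k, 0.2) for effect_share=0.8 is the Pareto-like pattern."""
    totals = brand_totals(data)
    target = effect_share * sum(totals.values())
    running = k = 0
    for brand in ranked_brands(data):
        running += totals[brand]
        k += 1
        if running >= target:
            break
    return k, k / len(totals)


def core_brands(data: dict) -> set:
    """Brands with a new spoofing site reported in every month: the
    intersection of the monthly lists."""
    return set.intersection(*(set(data[m]) for m in MONTHS))


def most_spoofed(data: dict, n: int) -> list:
    """The n brands with the most spoofing sites overall."""
    return ranked_brands(data)[:n]
```

On this data two brands (20% of the ten) account for over 80% of the sites, `BurstRetail` is among the five most spoofed brands without being a core brand (it only appears in November and December), and `CityBank` is a core brand that never makes the top five; that is the distinction the entry draws.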

Zulfikar Ramzan | May 31st, 2007

Recently, Mikko Hypponen proposed the idea of a .bank top-level domain extension as a way to combat phishing attacks (see 21 Solutions to Save the World: Masters of Their Domain). The proposal garnered some significant interest, including two Slashdot threads: A Foolproof Way To End Bank Account Phishing? and F-Secure Responds To Criticism of .bank. Since phishing is a topic that I spend a considerable amount of time thinking about, I thought I’d spend some time considering the benefits and drawbacks of Mikko’s proposal.

First, let me summarize my understanding of the proposal. The idea would be to have a top-level domain along the lines of .bank (in addition to top-level domains like .com, .net, .gov,...

Zulfikar Ramzan | May 16th, 2007

A while back, I blogged about the role of two-factor authentication tokens in protecting against phishing scams. Since then, the issue has come up again and has recently attracted more attention, so I thought I’d spend some time here revisiting it.

First, let’s recall what two-factor authentication means. There are three mechanisms we can use to prove to someone else that we are who we say we are:
(1) something we have - a driver’s license, access card, or key
(2) something we are - a biometric like a fingerprint
(3) something we know - a password, or other common information about ourselves (like a social security number, mailing address, or our mother’s maiden name.)

Two-factor authentication simply refers to the idea of authenticating yourself using two of the above. Note that having two different passwords is not...
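
A login that really does combine "something we know" with "something we have", written in Python as an added example (not code from this blog or from any token vendor): the server keeps a salted password hash and a copy of the token's secret, and the token's code is an HMAC-based one-time password as specified in RFC 4226, which is how counter-based hardware tokens work. The user record, the look-ahead window of five and the iteration count are choices made for the example.

```python
import hashlib
import hmac
import os
import struct

# Secret from the RFC 4226 test vectors, used here so the codes are checkable.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the value a hardware token
    displays for a given counter. The token holds the secret; the server
    holds a copy plus the last counter it accepted."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class UserRecord:
    """Server-side state for one user: a salted password hash (something the
    user knows) and the token secret plus counter (something the user has)."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server expects

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, self._hash(password, self.salt))


def verify_login(user: UserRecord, password: str, otp: str, lookahead: int = 5) -> bool:
    """Both factors must check out. The token may be a few presses ahead of
    the server, so a small window of counters is tried; on success the
    server moves past the used counter so the same code cannot be replayed.
    Nothing is advanced on failure, so a wrong password cannot burn codes."""
    password_ok = user.password_ok(password)
    matched = None
    for c in range(user.counter, user.counter + lookahead + 1):
        if hmac.compare_digest(hotp(user.token_secret, c), otp):
            matched = c
            break
    if not (password_ok and matched is not None):
        return False
    user.counter = matched + 1
    return True
```

Two passwords would both be checked by `password_ok`, i.e. both would be "something we know"; the second factor here is different in kind because the code depends on a secret that never leaves the token. The window and counter advance are what stop a captured code from being replayed later; they do not stop a phisher who relays the password and a fresh code to the real site while the code is still valid.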

Zulfikar Ramzan | March 26th, 2007

In a previous blog entry, I talked about the concept of a "drive-by pharming" attack. The concept received significant traction, and in this blog entry, I wanted to follow up on some of the commentary.

Recall that in a drive-by pharming attack, the attacker sets up a Web page that, simply when viewed, attempts to connect to the victim’s home broadband router and change its DNS settings. If successful, future DNS requests made by the victim will be resolved by the attacker’s DNS server. As a result, the attacker controls the victim’s Internet connection, which allows the attacker to choose which sites the victim sees when he or she surfs the Web. The victim is now susceptible to phishing, identity theft, and a whole host of other security issues.

Wired versus wireless
A number of people incorrectly thought...
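
The router side of the attack described above, as an added example in Python that is not taken from this blog or from any router's firmware: a DNS-settings handler that obeys any request carrying the admin credentials, beside one that rejects requests a page on another site could have caused the victim's browser to send. The router address, the factory-default `admin`/`admin` credentials, the request and state classes and the session/CSRF scheme are all assumptions made for the example.

```python
import base64
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed router details: its LAN address and the factory-default
# credentials that drive-by pharming counts on never having been changed.
ROUTER_ORIGIN = "http://192.168.1.1"
ADMIN_USER, ADMIN_PASSWORD = "admin", "admin"


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    cookies: dict = field(default_factory=dict)


@dataclass
class RouterState:
    dns_servers: list
    sessions: dict = field(default_factory=dict)  # session id -> CSRF token


def basic_auth_header(user: str, pw: str) -> str:
    """Build the HTTP Basic Authorization header a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def basic_auth_ok(req: Request) -> bool:
    """Check the Authorization header against the admin credentials."""
    header = req.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
            and hmac.compare_digest(pw.encode(), ADMIN_PASSWORD.encode()))


def set_dns_vulnerable(state: RouterState, req: Request) -> int:
    """Firmware that obeys any request carrying valid credentials, whoever
    caused the browser to send it. A page on the attacker's site can make
    the victim's browser issue this very request with the default password;
    that is the drive-by pharming attack."""
    if not basic_auth_ok(req):
        return 401
    state.dns_servers = [req.form.get("dns1", "")]
    return 200


def login(state: RouterState, req: Request):
    """Hardened flow, step 1: credentials buy a session cookie and a CSRF
    token that only pages served by the router itself can read."""
    if not basic_auth_ok(req):
        return None
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    state.sessions[sid] = token
    return sid, token


def same_origin(req: Request) -> bool:
    """Browsers send Origin (or Referer) naming the page that made the
    request; compare scheme and host exactly, not as a string prefix."""
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN


def set_dns_hardened(state: RouterState, req: Request) -> int:
    """Hardened flow, step 2: refuse anything a foreign page could produce."""
    if req.method != "POST":
        return 405
    if not same_origin(req):
        return 403
    token = state.sessions.get(req.cookies.get("session"))
    if token is None or not hmac.compare_digest(token, req.form.get("csrf", "")):
        return 403
    try:
        dns = str(ipaddress.ip_address(req.form.get("dns1", "")))
    except ValueError:
        return 400
    state.dns_servers = [dns]
    return 200
```

The CSRF token is the check that matters: the same-origin policy keeps the attacker's page from reading it out of the router's own pages, so a request it triggers cannot carry it. The Origin/Referer comparison is a second line that some proxies and browser settings strip, which is why it is not used alone. None of this helps while the admin password is still the factory default and the firmware accepts it on every request.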

Zulfikar Ramzan | February 21st, 2007

In this blog entry, I’ll talk about where malicious software (or malware) can find its place within the lifecycle of phishing attacks. This material accompanies a recent panel I participated in during the American Association for the Advancement of Science Annual meeting. If you attended the panel, this blog will review the points I made. If you missed the panel, then hopefully you’ll get a sense for what I covered.

Phishing: Overview and Motivation. Recall that a phishing attack is one where some illegitimate entity sends you an email posing as a legitimate entity, like a bank or credit card company. Their goal is typically to get you to click on a link in the email, which directs you to a Web site that appears to be that of the legitimate entity. You are prompted to enter sensitive information, and from that point onward, the information is in the hands of an attacker. Not only can he or she wipe your accounts clean, but that...

Zulfikar Ramzan | February 6th, 2007

Castlecops, a volunteer-run organization that has made tremendous waves in fighting phishing, announced a sweepstakes to celebrate their five-year anniversary. A number of security vendors, including Symantec, have contributed prizes to the contest. In addition, Castlecops receives a list of verified phishing sites from Symantec through the Phish Report Network.

For those who don’t know, Castlecops runs the Phish Incident Reporting and Termination (PIRT) task force. If you find a genuine phishing site and report it to them, Castlecops does the leg work to help take the site down before it does additional damage. In addition, they collect information to work with law enforcement. If the phisher has stored stolen credentials (e.g., passwords, credit card numbers, bank account numbers, social security numbers, etc.) directly on the Web server that he or she compromised,...

Zulfikar Ramzan | January 4th, 2007

Back in July, I wrote a blog entry about examples we had seen of phishing Web sites that worked entirely using Macromedia Flash. What makes these sites scary is that they cannot be analyzed in the same way as traditional HTML- or JavaScript-based phishing pages.

When we first mentioned these attacks, the observations didn’t receive much external attention. Perhaps this was due to other, more pressing, issues related to the growth of phishing or, more likely, perhaps folks were in the post-Independence Day doldrums. Now, there has been a resurgence of interest in this topic as seen in some recent articles. With this resurgence, I thought it would make sense to point readers back to my original article on the subject of...

Zulfikar Ramzan | December 26th, 2006

Now that we’re near the end of the year, I thought I’d spend some time looking back at the phishing threat and reviewing some of the noteworthy trends. There are three high-level aspects that I’d like to touch upon:
1) The overall increase in phishing activity
2) New phishing attack vectors
3) New antiphishing techniques

Overall activity

First, phishing activity has steadily increased during the course of 2006. We’ve seen increases in both the number of phishing Web sites that go up as well as the number of unique phishing emails being sent out. Most targets are in financial services, but phishers have expanded their scope to include retailers, social networking sites, service providers, government sites, and even certificate authorities.

In addition, we’re seeing semblances of “corporate” behavior in phishing attack patterns. For example, phishers seem to be working normal business workdays and, therefore, are less active during...

Zulfikar Ramzan | December 22nd, 2006

As part of the look at phishing statistics that I’ve blogged about recently, we analyzed the industry segmentation of the brands spoofed in a phishing attack. We divided the spoofed brands into the following categories:
• Financial - sites associated with online banking, brokerage, lending, and similar financial services or sites that directly support such a brand
• Service provider - sites that provide some common Internet-related services, including one or more of the following: Internet access, email accounts, or information portals
• General retail - sites that are associated with the sale of merchandise online
• Computer hardware - sites that are associated almost exclusively with the sale of computer hardware and peripherals
• Government - sites whose common URL ends in the .gov extension
• Social networking - sites whose exclusive purpose is to facilitate connection, collaboration, and communication among members,...