Technical Anti-Phishing Techniques

Countermeasures articles:


Overview

When you browse the Internet, you might be unaware of the possibility of attackers waiting to get hold of your information. After all, you might be thinking, “Who would want to hack my data?” But imagine that someone does try and succeeds – the result could be catastrophic. You might end up losing your money, your confidential data and, even worse, getting serious legal charges pressed against you.

Yes, we’re talking of cyber-crimes and the havoc they create. Cyber-crime is big – bigger than you can imagine. Forbes reported how consumers lost $158 million in 2015 alone to cyber-crime and forecasted the cyber-crime cost to reach a mindboggling $2 trillion by 2016.

Cyber-crime encompasses a wide range of activities and one of the most commonly employed is phishing. Phishing is a form of cyber-attack where the attacker tricks you into revealing your confidential information. One example of a modern phishing attack, known as spear phishing, is typically a well-blended mixture of social engineering and content spoofing techniques. As per Internet records, phishing was born on January 2, 1996 in a Usenet newsgroup and, within the last two decades, phishing emerged as one of the most potent and growing cyber-crime threats.

At this point, if online activities seem scary, don’t despair. With awareness and some simple countermeasures, you can thwart any phishing attack.

Anti-phishing countermeasures can be broadly categorized into non-technical and technical. Some non-technical countermeasures involve:

  • Building awareness.
  • Following security best practices while using the Internet.
  • Undergoing training.
  • Understanding legal and regulatory aspects.
  • Applying appropriate policies and procedures.

Building awareness is one factor that organizations, irrespective of sizes and geographical locations, are intensively laying stress on. With excellent anti-phishing products available in the market, creating awareness against phishing has become easy. One such product is SecurityIQ of Infosec Institute, which combines phishing simulator and computer-based security awareness training into one easy-to-use cloud-based service. The product comes with some great features to easily add learners, configure template batteries, and set up new campaigns. You can check out the trial version of the product here.

Technical countermeasures are more about securing the components that enable communication over the Internet.

Overview of Technical Countermeasures

The Internet is based on the client-server architecture. In this architecture, a web application is hosted on a web server. Think of a web application as a collection of web pages, images, media files, and other resources that you encounter while browsing. The web server is the software responsible for serving the web application resources, when requested. To access a web application, we use a browser – the client in the architecture. The client and the server communicate using a protocol called Hypertext Transfer Protocol, or simply HTTP.

Security Awareness

Technical anti-phishing countermeasures involve securing the web server, the web applications running on it, browser clients, and the HTTP communication from phishing attacks. Some widely adopted technical countermeasures are:

Secure Connections (HTTPS)

When you type a URL in your browser and press the Enter key, data gets transmitted over HTTP to the server. Similarly, on a standard web page, when you type in and submit information, say registration, login, or personal information, the information gets submitted over HTTP. This may appear innocuous until you look under the covers.

HTTP is a text-based protocol whose content representation is in human-readable format. Now, anyone with some basic HTTP knowledge and a free HTTP sniffing tool can intercept the traffic between your browser and the server. They can read what you send or receive. Imagine someone waiting to intercept your login credentials or credit card information when you submit them next. To counter such activities, we have HTTPS, the secured HTTP. In all probability, you have been using HTTPS – maybe unknowingly. Ever notice the padlock symbol on your browsers address bar with a URL beginning with https://? They signal that your browser is communicating over HTTPS.

9

HTTPS Communication in Browser

When your browser communicates over HTTPS, all information shared between the browser and the server is encrypted. Therefore, even if someone gets hold of your data in transit, deciphering it to make it readable is almost impossible.

HTTPS was quickly embraced by almost all major websites. Users started associating HTTPS websites with an increased level of assurance. On August 2014, Google even announced a minor ranking boost for HTTPS websites to promote HTTPS adoption. However, attackers were not about to be left behind. Phishing websites quickly turned to HTTPS and the number of HTTPS phishing websites boomed from 24,864 to 33,571 between 2014 and 2015.

As should be apparent, HTTPS alone doesn’t guarantee fool-proof security from phishing. An attacker can easily set up an HTTPS phishing site or host their phishing content on a compromised HTTPS site.

So, how to identify a phishing site? HTTPS websites come with a trusted digital certificate (SSL certificate) issued by a reputed Certificate Authority (CA), such as Verisign, DigiCert, and Symantec, installed on the server. When you send a request to such a site, the server sends back the certificate. Click on the information () icon on your browser to ensure that it’s indeed coming from the website that you expect and verified by a trusted CA.

91

Website Information

You can also view the certificate information on the browser. On Mozilla Firefox, perform the following steps:

  1. Click the More Information button in the information popup.
  2. Click the View Certificate button in the Page Info window that is displayed.

92

The Page Info Window

  1. Go through the certificate information that the Certificate Viewer window displays. Give careful attention to the Common Name (CN) and Organization (O) fields under both the Issued To and Issued By Issued To represents the website you requested and Issued From represents the CA that issued the certificate. Ensure that the CN under Issued To matches the hostname of the website that returned it. Additionally, check the Period of Validity section to ensure that the certificate is still valid.

93

Certificate Information in Certificate Viewer

Once satisfied with the information on the certificate, you can communicate with the website without fearing for your information getting stolen by some phishing sites.

Secure Login Features

By now, you should be aware that anything you load over HTTP can be easily intercepted and misused in transit. Therefore, it’s absolutely essential to secure logins by submitting login forms over an HTTPS connection. However, several HTTPS sites, even a few of the popular ones, provide the login form on the home page served over HTTP. An example of one such site is this.

94

Logging Form over HTTP

Although the login submission happens over HTTPS, this approach has security implications. First, there is no easy way to know that your login credentials after submission will indeed be sent over HTTPS in encrypted form. Secondly and more importantly, when the home page is getting transferred to your browser over HTTP as plain text, an attacker can inject malicious code to change the login POST URL to a phishing site. Once you unknowingly submit your login data, it reaches the phishing site instead of the original one.

Regarding this approach, the OWASP SSL Best Practices clearly states “Use TLS for All Login Pages and All Authenticated Pages”.

So, why aren’t they implementing HTTPS on the whole site? It remains a mystery. Many claim the “HTTP is faster than HTTPS” factor – it’s a myth and in many cases HTTPS scores over HTTP in terms of speed. Also, you can freely get digital certificates used in HTTPS and easily install them, thanks to some great initiatives from Let’s Encrypt.

Two-factor Authentication

Two-factor authentication, as its name suggests, provides two means of verifying users during login from separate categories of credentials. Typically, the traditional user name and password verification is combined with a code sent as an SMS or call to your phone. A combination of “what you know” (password) and “what you have” (phone).

Facebook, Google, Apple, and many others provide options for two-factor authentication. Although this feature requires an extra step when logging into your account, the practice goes a long way towards protecting your account from phishing attacks.

Certificate-based Login

Although not widespread, certificate-based login goes one step ahead to secure logins. Here, instead of your user name and password, you submit a personal digital certificate, a file with the p12 or px extension stored on your computer, while logging. The server authenticates the certificate before authorizing you to access restricted parts of the site.

Certificate-based logging is a strong phishing countermeasure. It also addresses password reuse – one of the most common authentication security threats. Internet users often use the same or similar passwords across different sites, and attackers routinely take advantage. Also, through social engineering and spear phishing, it becomes easy for attackers to guess your password. In certificate-based logging, all these threats are mitigated. Technically, you will have a PKCS #12 certificate holding an encryption key to be used in a TLS handshake with the server for authentication.

Although highly secure, certificate-based login has yet to find wide acceptance. This can be attributed to the usability factor. You have to store the certificate somewhere safe and back it up. Also, you can’t access your account on another computer unless you have the certificate with you. However, with the rise in cyber-attacks, its acceptance seems sure to catch on.

Web Browser Features and Settings

Most modern web browsers have built-in anti-phishing features and you are likely already using them. Let’s look at the anti-phishing features built into two of the most popular browsers: Mozilla Firefox and Internet Explorer (IE).

Anti-Phishing Features in Firefox

Out of the box, Firefox comes with phishing protection enabled. Firefox maintains a database of reported phishing, unwanted software, and malware sites. When you visit a site, Firefox checks the site against the database. According to Mozilla Support, Firefox downloads and updates the database every 30 minutes or so. If a match is found, Firefox prevents you from visiting the site.

To access the anti-phishing feature of Firefox, you need to perform the following steps:

  1. Click Open menu () -> Options on the Firefox main window.
  2. Click the Security tab on the Option tabbed page that appears.
  3. In the Security page that appears, ensure that the following two checkboxes are selected:
  • Block reported attack sites: Protects you from malware sites, files, and software.
  • Block reported web forgeries: Protects you through warning messages whenever phishing websites attempts to trick you into giving them your information.

95

The Security Page

  1. Close the Options tab to save your changes.

SmartScreen Filter in IE

IE 8 introduced SmartScreen Filter, a security feature that helps detect phishing sites. When you browse a site with SmartScreen Filter on, the filter checks the site against a list of reported phishing sites. If the site you are visiting matches an entry on the list, IE displays a warning and prompts you for your feedback. Even if a site is not on the list, SmartScreen Filter analyzes it for suspicious activities and reports if it finds any.

With SmartScreen Filter, you can manually check if a site that you are visiting is suspicious. To do so, you need to perform the following steps:

  1. In IE, open the site that you want to check.
  2. Select Tools->SmartScreen Filter, and then select either Turn on SmartScreen Filter or Turn off SmartScreen Filter that appears.

96

Accessing SmartScreen Filter Status

  1. Ensure that the Turn on SmartScreen Filter radio button is selected, and then click the OK This enables SmartScreen Filter in IE.

 

97

 

 

Turing SmartScreen Filter On

  1. Select Tools->SmartScreen Filter->Check this website. In the SmartScreen Filter prompt that appears, click the OK

98

The SmartScreen Filter Prompt

  1. SmartScreen Filter goes online to check the site against its database, and reports the result. Go through the report, and click the OK button to close the SmartScreen Filter dialog box.

99

The SmartScreen Filter Report

To report a suspicious phishing site using SmartScreen Filter, you need to perform the following steps.

  1. With the suspicious site open on IE, select Tools->SmartScreen Filter->Report unsafe website. The Microsoft report a website page opens in a new IE window.
  2. Select the I think this is a phishing website checkbox, select the language used on the website, type the Captcha text, and click the Submit

81

The Microsoft Report a website Page

  1. Close the Confirmation page that confirms your submission.

82

The Confirmation Page

Email Client Configuration

When you read or send an email, you are using an email client. It’s reported that 156 million phishing emails get delivered every day, and your email client is the main line of defense against them.

Most modern email clients provide anti-phishing features. As an end user, it’s important to know about them and how to configure them to protect yourself from phishing attacks. Let’s look at how to configure the anti-phishing features of Outlook.

Configuring Outlook

Outlook comes with a Junk E-mail Filter that moves suspected emails to the Junk Email folder. Note that Outlook doesn’t stop delivery of suspected emails. But identifying suspected emails and moving them to the Junk Email folder is the next best thing you can expect from your mail client. In addition, Outlook allows you to block suspected emails. You can block emails of a particular sender and even all emails sent from a specific country or location. As an example, you can block all emails coming from Mexico. This will send emails having the email address ending in .mx to the Junk Email folder.

To configure how outlook handles junk and phishing mails, you need to perform the following steps.

  1. In Outlook, click the Junk () icon under Home, and then select Junk E-mail Options.

83

Selecting Junk E-mail Options

  1. In the Junk Email Options dialog box that appears, select the level of junk email protection you want, and check the following checkboxes:
  • Disable links and other functionality in phishing messages: Configures Outlook to disable any links and the Reply and Reply All functionality in phishing messages.
  • Warn me about suspicious domain names in e-mail addresses: Configures Outlook to issue a warning when a domain name in an email address is spoofed to give the impression of a trusted domain name.

84
 

Configuring Options for Phishing Emails            

  1. Click the Apply button to apply the configurations.

If you suspect a phishing message in your inbox that gets through the Junk E-mail Filter, you can block it manually. Right-click the message in your inbox, and then select Junk->Block Sender from the contextual menu that appears.

If you are using a different mail client, refer to its official documentation for information on security configurations.

SPAM Filters

Similar to the Junk E-mail Filter of Outlook that we discussed above, most of the popular mail clients will have some filters to block unsolicited mails from reaching your inbox. That being said, attackers are always at work to bypass these filters and eventually spam and phishing mail will somehow find a way to reach your inbox.

The statistics are scary – out of 156 million phishing emails sent, 16 million make it through filters, 8 million are opened, 800,000 are able to lure victims to click on links, and 80,000 fall for a scam every day and share their personal information.

As a countermeasure, you can use SPAM filter software specifically designed to block such emails. A SPAM filter sits between the Internet and your mail client. Emails have to pass through the filter before getting delivered to your mail client.

SPAM filters are designed to be compatible with the leading email clients and web mail service providers. A good SPAM filter is easily customizable by computer users of all levels. It allows configuring the default rule settings, as well as the creation of new rules – a feature lacking in most of the built-in filters of mail clients.

There are lots of SPAM filters, both free and commercial. One powerful SPAM filter distributed for free is Apache SpamAssasin. Spamihilator is another free SPAM filter for Windows. Some commercial SPAM filters that you can consider are SpamEater Pro, SPAMfighter Pro, and Spam Buster. A good comparative review of the leading commercial SPAM filters is available here.

Phishing Sites Monitoring

According to Google, as of 2016, there are 293,747 phishing sites on the Internet. Personally keeping tabs on them and any new ones is impossible. But the good news is that there are organizations monitoring phishing sites for you. There are several free tools available online that you can use to check if a site is reported as a phishing site. Two such popular tools are Google Safe Browsing and PhishTank.

Google Safe Browsing

Google Safe Browsing is an online tool that uses Google’s large-scale infrastructure to monitor sites and determine if they pose a security risk to users. Using this tool is easy. Just append the URL of the site or the page that you want to check to the end of http://www.google.com/safebrowsing/diagnostic?site=. For example, if you want to check the web page at http://cobbsrentalsnh.com/Yahoo/updateY!.html, enter the following URL on your browse:

http://www.google.com/safebrowsing/diagnostic?site=http://cobbsrentalsnh.com/Yahoo/updateY!.html

Google displays a transparency report with detailed information about the site based on their automated investigations and analysis.

85

Google Transparency Report

PhishTank

PhishTank is a collaborative platform for exchanging data and information about phishing. You can submit a suspected phishing site, track the status of your submissions, and also verify submissions of others. Yahoo! Mail, McAfee, Mozilla and Kaspersky are a few major organizations that use PhishTank to monitor phishing.

As of writing this article, PhishTank has a database of 3,949,000 suspected phishing sites, out of which 1,972,297 has been verified. From the verified lot, 30,060 are active and running.

To use PhishTank, you need to register with the site. Once registered you can log in to the site and use its features.

To check whether or not a site is reported as a phishing site, you need to perform the following steps:

  1. On the home page, type the site URL in the text box, and then click the Is it a phish?
    86
  2. PhishTank queries its database and displays the result that indicates whether or not the site is a phishing site.

87

Alternative Transaction Verification Channels

Financial institutions are the prime targets of phishing attacks. In 2015, 20.43% of phishing attacks targeted financial institutions. These attacks are specifically made to pilfer funds by gaining direct access to a victim’s banking accounts or performing online transactions by impersonating victims. Financial institutions are forced to constantly upgrade their security policies and systems to protect their customers, and one powerful phishing countermeasure is alternative transaction verification channels, also known as out-of-band verification.

Out-of-band authentication uses two separate verification channels to authenticate a user. Therefore, even if an attacker gains access to the user credentials of one channel, a transaction cannot complete without the verification of the second channel.

Recall the two-factor authentication process we learned above. It is out-of-band authentication at work. In it, a transaction is initiated via the Internet through user name and password credentials. Then the transaction is re-authenticated via a code sent to the phone – an alternative verification channel. Once the end user submits the correct code, the transaction is considered as complete.

Out-of-band verification technologies are mostly proprietary. CrontoSign Visual Transaction Signing is one such technology, where to complete a transaction, an end user receives a graphical cryptogram on the computer. The end user needs to capture the cryptogram with the registered mobile phone’s camera. Once captured, the customer is presented with critical information regarding the transaction.

References:

http://resources.infosecinstitute.com/phishing-and-social-engineering-techniques/

http://resources.infosecinstitute.com/a-brief-history-of-spear-phishing/

http://resources.infosecinstitute.com/phishing-and-social-engineering-techniques/

http://resources.infosecinstitute.com/phishing-dangerous-cyber-threat/

https://securityiq.infosecinstitute.com/

http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#14089b003bb0

https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

https://info.wombatsecurity.com/blog/latest-in-phishing-june-2015

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_TLS_for_All_Login_Pages_and_All_Authenticated_Pages

https://tools.ietf.org/html/rfc7292

http://www.symantec.com/connect/blogs/how-does-ssl-work-what-ssl-handshake

https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

http://windows.microsoft.com/en-IN/internet-explorer/use-smartscreen-filter#ie=ie-11

http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/

http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-en.aspx

 

Be Safe

Section Guide

Simanta
Sarma

View more articles from Simanta

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Simanta
Sarma

View more articles from Simanta