Phishing Counter-Measures Unleashed
In this article I have gathered and explained, as completely as I can, the ways in which phishing can be countered. Phishing is a combined technical and psychological attack that exploits human nature to make a user reveal his or her sensitive information to the attacker. For background, see the Wikipedia article on “Phishing.” The rest of this article goes through the counter-measures one by one.
A phishing attack is a combination of technology and psychology. There are numerous ways in which people are fooled and conned into clicking on untrustworthy website links, and with the growth of the online marketing industry these attacks are on the rise. A 2007 case study showed phishers buying Google AdWords in order to install a RAT (remote access trojan) on victims’ systems; the compromised machines were then used to click on a handful of ads, from which the attackers earned money.
Different Phishing Countermeasures
Researchers have developed a mechanism in which the password you type is transparently turned into a domain-specific password before it is sent. The basic idea is to hash the password with a secret key together with the website’s domain name. Including the domain name is essential: it binds the derived password to that domain, so it is only valid there.
Even if the user reuses the same password for every login in the world, each site receives a different derived value, so an attacker who captures one gets a long, unique string that is of no use on any other domain.
It works well in theory.
Practical implementation is quite difficult.
Many banks use multiple domains and sub-domains, so the derived password differs from one to the next.
Some sites enforce password composition rules (uppercase, lowercase, symbols) that the hashed output may not satisfy.
It is a static solution: if a user travels without the laptop that holds the secret key, the mechanism no longer helps, so the device has to go everywhere with them.
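An added worked example of the hashing scheme described above, in Python; it is not code from the article. The master password is mixed with the site’s domain under a per-device secret via HMAC-SHA256, and the output is forced to satisfy the composition rules some sites impose. The device key and the bank URLs are constructed; running it also shows the sub-domain drawback, since www.bank.example and secure.bank.example yield different values.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Constructed per-device secret. The real scheme keeps this on the user's own
# machine, which is why the mechanism stops working without that machine.
DEVICE_KEY = b"example-device-secret-do-not-reuse"

ALPHABET = string.ascii_letters + string.digits
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%&*")


def site_key(url):
    """Domain the password is bound to: the URL's host, minus a leading 'www.'."""
    host = (urlsplit(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host


def derive(master_password, device_key, url, length=20):
    """Turn one memorised password into a site-specific one: HMAC-SHA256 over
    (domain, password) under the device secret, encoded as printable text."""
    if not 4 <= length <= 32:
        raise ValueError("length must be between 4 and 32")
    domain = site_key(url)
    mac = hmac.new(device_key, f"{domain}\0{master_password}".encode(), hashlib.sha256).digest()
    # byte -> character (a slight modulo bias; acceptable for a 62-symbol alphabet)
    chars = [ALPHABET[b % len(ALPHABET)] for b in mac[:length]]
    # Many sites insist on upper, lower, digit and symbol. Fix one of each at the
    # first four positions, picked from the tail bytes so output stays deterministic.
    for i, cls in enumerate(CLASSES):
        chars[i] = cls[mac[-1 - i] % len(cls)]
    return "".join(chars)


if __name__ == "__main__":
    for url in ("https://www.bank.example/login", "https://bank.example/",
                "https://secure.bank.example/login", "https://www.bank-example.example/"):
        print(f"{url:40} {derive('hunter2', DEVICE_KEY, url)}")
```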
Here is a scenario that goes back to the 1980s. Many corporate banking systems ship a back-up operating system on a portable medium such as a CD or DVD; that medium carries the bank’s own build of the operating system. That is an administrative matter, but if the bank provides any kind of mobile or desktop application for using its service, the application itself becomes a worthwhile target. All the attacker needs to do is tell the victim: “Install our latest upgraded application in order to secure your transactions.”
The best protection against this is a low-cost SSL certificate. The protocol supports certificates for both server and client (see the link given in the references). SSL has two main functions: first, to verify the real identity of the certificate holder, and second, to encrypt the data passed between client and server. When SSL is used in this way, the phisher has very little chance of catching the victim. The server’s certificate identifies the website you are visiting through your browser; the client certificate is used to verify and authenticate the user; only then does data transfer begin.
It is not end-to-end security.
It is not a bullet-proof mechanism.
Certificate management is tedious.
Malware can steal the certificate material from the client.
In the worst case, the phisher may convince the victim that “Your certificate has expired, so send it back to us for secure destruction.”
In this mechanism, random passwords are generated and stored in the browser. It has advantages over the password-hashing method above: it is more “secure” in the sense that the browser will only release the credentials to the matching URL. For instance, if I save the password for my website www.chintangurjar.com, the browser will fill in these credentials only when that exact URL appears; if anything in the URL differs, no credentials are passed. Firefox can store passwords encrypted, but this is not enabled by default, so many people never use it.
It is easy to implement.
No specialized or purchased software is needed.
It does not work fully with sub-domains. If I have a saved password for www.chintangurjar.com and I want to log in through subdomain.chintangurjar.com, the browser will not pass the credentials to that URL.
Here too, by default, the passwords are stored in plain text, so there is always the risk of theft via malware, a RAT, or other malicious activity.
This was the favorite mechanism of organizations and individuals back in the 1990s. Rather than the traditional hardware keyboard, people used a virtual keyboard that appeared on the screen.
Users and some banks assumed that attackers would not be able to capture what was typed this way. The mechanism has since been defeated: attackers now capture the screen along with the virtual keyboard.
Many organizations conduct seminars and workshops on ethical hacking and Internet security to educate their employees. This is a worthwhile step towards security awareness, though many employees may not take it seriously or follow the instructions given at the workshop or seminar; those employees remain potential targets for phishers.
Consider the methods that have been used to educate employees; the aim is to build logical awareness. First, users were told to check the English of a message. In response, the bad guys started writing professional English, producing pages more than 95% identical to the original website, and victims were exploited anyway. Next, users were taught to look for the lock symbol, so phishers forged it: they placed a lock icon as the page’s favicon, next to the URL, so that even a user who knows about SSL could be trapped. Banks then started quoting the last four digits of the customer’s card or account number in their messages; in response, attackers started quoting the first four digits, which are the same for every card a given bank issues. Users were exploited again.
Mitigations: logical awareness has to be raised. Customers have to think for themselves about whether something is legitimate or a fake. Once this awareness is established, there is no longer any need for ethical-hacking workshops or seminars.
Many organizations have built browser toolbars that apply a range of heuristics to decide whether a URL is fake. Microsoft built this feature into Internet Explorer 7. The concept is this: if the user visits a known phishing URL, the toolbar turns red; if the site is merely suspected, it turns yellow. Nowadays some websites use “extended validation,” a type of certificate that is sold to a website only after its credentials have been checked very carefully; when a browser toolbar finds such a site, it turns green.
The first method has already been broken by researchers, in a paper linked in the references. Their semi-technical approach works on the victim’s perception rather than on the software: the “picture-in-picture” attack. The phisher displays, inside the page, an image of a browser window with a green toolbar, so the user believes the site is safe and is exploited.
As the screenshot shows, the real address in the browser’s own top window is not https://www.paypal.com/uk; that address appears only in the fake login window drawn inside the page. The attacker also adds the favicon and the outside logo to “prove” legitimacy. People take it for the real page, log in, and their credentials are compromised. The second scenario, extended validation, can be broken by URL manipulation: attackers register an almost identical URL, buy their own certificate and install it on their server, so the URL of the phishing site and that of the original are almost identical, as shown below:
Phishing Site: www.chintanvvov.com
In the first URL the domain contains “wov”, and in the second the attacker has put “vvov”: “vv” looks like “w”, so the client takes it for the genuine website and logs in, and the credentials are stolen. Phishing sites of this type are called “dodgy sites.”
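A defender-side check for the look-alike trick just described, added here as example code (not from the article): it collapses confusable sequences such as “vv” into the letter they imitate, decodes punycode labels, and compares the result against a list of trusted domains. The trusted list and the sample hosts are constructed for illustration.

```python
import unicodedata

# Sequences mapped to the letter a victim reads them as. "vv" for "w" is the trick
# from the article; the second row covers Cyrillic letters whose glyphs match Latin
# ones. Both tables are illustrative, not exhaustive.
CONFUSABLES = {
    "vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x",
}


def _plain(host):
    """Lower-case host without trailing dot or leading 'www.'."""
    host = host.strip().rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host


def skeleton(host):
    """The host name as the eye sees it: punycode decoded, confusables collapsed."""
    host = _plain(host)
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                          # already Unicode, or not valid IDNA
    host = unicodedata.normalize("NFKC", host).lower()
    for seq, letter in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(seq, letter)
    return host


def classify(host, trusted):
    """'trusted' for a trusted domain or a sub-domain of one; 'lookalike' for a host
    that only matches once confusables are collapsed; otherwise 'unknown'."""
    plain = _plain(host)
    if any(plain == t or plain.endswith("." + t) for t in trusted):
        return "trusted"
    seen = skeleton(host)
    if any(seen == skeleton(t) or seen.endswith("." + skeleton(t)) for t in trusted):
        return "lookalike"
    return "unknown"


# Constructed list: the two domains named in the article plus one made up for the "vv" case.
TRUSTED = ["paypal.com", "chintangurjar.com", "westbank.example"]

if __name__ == "__main__":
    for h in ("www.paypal.com", "login.paypa1.com", "vvestbank.example",
              "p\u0430ypal.com", "paypal.com.evil.example"):
        print(f"{h:28} {classify(h, TRUSTED)}")
```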
Two-factor authentication is also known as 2FA, two-step verification, or multi-factor authentication. It requires not only a username and password, but also a second piece of information available only to the user, supplied by a physical token. Combining traditional credentials with the physical token makes it very hard for a phisher to exploit the victim.
The concept is explained in the picture below. Suppose you are accessing a VPN website. (1) The first authentication is done with traditional credentials, a username and password; this is the primary authentication. (2) The domain controller then contacts the user’s mobile phone or another device (a mobile is the one device every user has) and sends a token code or places an automated call. (3) The response is checked against the expected identity. (4) If it verifies, the user is authorized to access the VPN, as shown in the picture below.
In the UK, some banks use two-factor authentication, but not in this traditional mobile-token way. They give their customers password calculators with several functions, such as generating a real-time security code to log in to the customer’s account and to approve a transaction.
Take a real-life scenario from the UK. One of the best-known banks, Barclays, uses a small device called PINentry. Each device is registered to the unique card issued to the customer. The device looks like this:
To log in to your online Barclays account, you give basic details such as your last name and card number. Once you click “Login,” the site asks for a security code. You verify your identity by inserting your card into the PINentry and pressing “Identity.” Enter your secret PIN and the device generates a random number; type that number into the website and you are logged in. If a phisher stole this device and inserted his own card, it would flash the message shown in the picture below:
If a customer wants to make a payment, the site again asks for a security code from the device. This time the device also asks for the exact amount that you have already entered on the website; only if both figures match is the transaction allowed.
This is how two-factor authentication works. It is undoubtedly effective and secure. However, going through all these steps just to log in is tedious and time-consuming from the customer’s point of view.
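A simulation of the card-reader flow described above, added here as example code (not Barclays’ or the article’s own): the reader refuses a card it is not registered to, the card checks the PIN and counts each use, and the bank recomputes the code from the amount it actually received, so a code generated for one amount fails for another and cannot be replayed. The card IDs, keys and PIN are constructed; the HMAC-based code is an assumption, not the real device’s algorithm.

```python
import hashlib
import hmac


def _code(key, mode, amount_pence, counter):
    """Shared by card and bank: HMAC over (mode, amount, counter), cut to 8 digits."""
    mac = hmac.new(key, f"{mode}|{amount_pence}|{counter}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """Chip card: keeps the key, checks the PIN, counts uses so no code is ever reused."""
    def __init__(self, card_id, key, pin):
        self.card_id, self._key, self._pin, self.counter = card_id, key, pin, 0

    def compute(self, pin, mode, amount_pence=0):
        if pin != self._pin:
            return None
        self.counter += 1
        return self.counter, _code(self._key, mode, amount_pence, self.counter)


class Reader:
    """The hand-held device, registered to one card. mode 'identify' logs in,
    mode 'sign' approves a payment of amount_pence."""
    def __init__(self, registered_card_id):
        self.registered = registered_card_id

    def use(self, card, pin, mode, amount_pence=0):
        if card.card_id != self.registered:
            return "card not registered with this device"
        return card.compute(pin, mode, amount_pence) or "wrong PIN"


class Bank:
    """Server side: a copy of each card's key, plus the last counter accepted per card."""
    def __init__(self, keys):
        self._keys, self._last = dict(keys), {cid: 0 for cid in keys}

    def verify(self, card_id, mode, amount_pence, counter, code):
        key = self._keys.get(card_id)
        if key is None or counter <= self._last[card_id]:
            return False                    # unknown card, or a replayed code
        if not hmac.compare_digest(code, _code(key, mode, amount_pence, counter)):
            return False                    # amount differs from what the customer keyed in
        self._last[card_id] = counter
        return True


if __name__ == "__main__":   # constructed scenario
    card = Card("4000-0001", b"constructed card key", "1234")
    reader, bank = Reader("4000-0001"), Bank({"4000-0001": b"constructed card key"})
    ctr, code = reader.use(card, "1234", "sign", amount_pence=25000)   # customer keys in 250.00
    print(bank.verify("4000-0001", "sign", 99900, ctr, code))          # False: amount tampered
    print(bank.verify("4000-0001", "sign", 25000, ctr, code))          # True
```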
This mechanism is built on TPM chips (Trusted Platform Module). When two computers transact with each other regularly, a chip physically mounted on the motherboard ties them together.
As the diagram shows, the whole mechanism can be implemented on a single chip. However, it has a portability/roaming problem: roaming between devices cannot be done easily.
The chip is placed on an endpoint device and stores an RSA key. It generates an RSA key pair that is kept inside the chip and cannot be read by any software. The SRK (storage root key) is generated only when the system administrator accesses the computer. A second key, the AIK (attestation identity key), protects the chip from unauthorized access. These keys are used to create hashes: when the system wants to connect to the network or to an end device, it passes the hash, which the network or the other end device verifies; if the match fails, access is denied. This is what makes it bullet-proof against phishing.
Many researchers have proposed new authentication protocols based on encrypted key exchange, in which the session key is derived from the shared password in such a way that a phisher acting as man in the middle cannot learn it. These protocols proved awkward to implement and use, and too time-consuming.
The Future of Phishing
There is an instructive case study from the past: salesforce.com in November 2007. The attacker obtained a staff member’s password, after which customers began receiving fake bills and invoices. The lesson is that if the website or organization itself is hard to get at, the next step is to attack its suppliers.
Research by various people shows that e-mail phishing has become more skilful. Phishers are getting smarter and are using social media: they know whom to target, who the weak links are, what they lack, and how to set a trap for them. Assuming this trend, a small joke: future attackers will not call your mobile to say, “I am Mr. Xyz from this bank, kindly give me your details.” They will present themselves through e-mail forged from the real bank’s address.
Marketing websites are getting more and more people to click on their links. Suppose that among 100 advertisements, phishers plant their phishing sites to attract more and more victims. With millions and billions of Internet users on earth, you can work out for yourself the probability of users landing on dodgy websites.
It is hard, and risky, to predict the future of phishing: it is an open sky with no limits. Rather than describing future phishing in technical terms, it is always better to use non-technical (general) terms so that everyone can understand it.