Wednesday, August 27, 2014

Phishing for Men (and Women)

Those that know me well know there are three things I put most of my energy into: my faith, my family, and security. When something comes along that involves two of those interests, so much the better.

For the last year and a half, I have been involved in an organization known as HackFormers. HackFormers was founded by several Austinites who shared two passions: a passion for hacking (in the sense of finding, fixing, and defending against security flaws), and a passion for Jesus Christ. Its vision is to teach security principles, and then to show faith principles that go hand-in-hand with security. I gave a presentation at the August chapter meeting. It is in that context that I write today.

In security, occasionally you see blatantly obvious signs of compromise. It's hard to overlook a ransomware attack in which a computer's contents is encrypted with a bright red warning screen stating it will be erased if you do not pay a fee. Far more common, however, is the point-of-sale compromise that does not come to light until weeks if not months after the attack took place, or the successful phish that you never realize you fell for. Cyber crime has a couple of common drivers, but the most common is money. It's a business, a business in which the masterminds profit by not being caught. If your computer has been conscripted into a botnet, the bot controller wants to retain control of your computer. If an attacker has infiltrated point of sale devices for a business, they can collect ever more financial data by not being detected. So it is in their best interest to look as normal, as legitimate, or as invisible as possible. Cryptolocker and related ransom attacks aside, most attacks are detected because someone was looking in the right place, at the right time, with the right degree of skepticism or intuition.

So too is it with our spiritual walk. There are times when it takes a literal act of God to get our attention, but more often than not He speaks in a quiet voice. In 1 Kings 19, Elijah watched powerful forces of nature - a windstorm, an earthquake, a fire - but discovered God was not speaking to him through those impressive displays. Instead, the Lord spoke through a gentle breeze - in a voice that Elijah only heard because he was intently listening for it.

Several weeks ago as I was driving through Austin I thought I saw a friend on the other side of the median, at the scene of a minor traffic accident. There are a hundred excuses I could think of for not stopping. It was on the other side of a divided highway; I had just begun a 5-hour drive to East Texas with my kids and had dinner plans with my grandmother; the van was full so we could not have aided in any useful way; it looked like a minor accident and a police officer was already on the scene helping out; and for that matter I was not certain it was my friend in the first place (I got only a brief glance at the scene). The farther I drove down the highway, the easier it was to justify not stopping.

As it turned out though, it was the person I thought it was. The accident was minor and no one was injured, but her vehicle was out of commission for a couple of weeks. In truth there really wasn't anything I could have done in a practical sense, but I could have been a friend during a stressful event, if only I had listened to the voice that said "wait."

The musical band Casting Crowns recorded a song a few years ago called "Slow Fade" that seems to fit:

It's a slow fade when you give yourself away
It's a slow fade when black and white have turned to gray
Thoughts invade, choices are made, a price will be paid
When you give yourself away
People never crumble in a day
Daddies never crumble in a day
Families never crumble in a day

I doubt anyone woke up this morning and decided "I want to put myself into financial ruin today." Maybe it starts with Thursday night poker with the guys, or extending credit a little further than planned, or maybe a weekend in Vegas where things get out of hand. Maybe a dearth of business leads to missed mortgage payments; too ashamed to ask for help, you start looking for less legitimate ways to make a few bucks. A year later, you are facing 15 years for bank robbery. But it doesn't happen overnight.

I doubt anyone woke up this morning and decided "I want to wreck my family today." Maybe it starts with seemingly harmless flirting in the office, or adjusting a bike route to correspond with the jogging route of an attractive neighbor. Perhaps (an insidious risk in our line of work) it starts with stumbling into porn sites while digging around the rotten underbelly of the Internet. Three years later, your children wonder why daddy (or mommy) has a new address. But it didn’t happen overnight.

At the risk of offending some, I’ll offer another point. No one ever woke up one morning and decided “I am going to throw my life away today and leave my loved ones to pick up the pieces.” It might start with a small voice saying your life has no worth, a period of sadness that seems to not have an end, or an illness that won’t let up. Depression sinks its cruel claws in and gradually blinds you to reasons to live. Ten years later we watch in shock as a beloved comedian and actor is buried. But it didn’t happen overnight.

And that’s the point: it didn’t happen overnight, and it (usually) didn’t happen due to a blatantly obvious invitation to do something irreversible. Opportunities to compromise our character, as well as opportunities to be the hands and feet of Christ, are often subtle. We must be alert to recognize them.

Traditional viruses, worms and trojans sought to compromise the computer. Around a decade ago though a new trend emerged, known as phishing, which seeks to compromise the human. Phishing is an attempt to get a victim to reveal sensitive information that the attacker can use for profit: usernames and passwords, credit card numbers, bank account numbers, social security numbers – anything that can be used to either impersonate or defraud the victim.

Casting the Bait

The first step in a phishing campaign is to cast some bait. Sometimes that bait may be targeted at an individual, but more often than not it is cast far and wide with the goal of catching anyone that happens to take the bait.

Importantly, phishing generally tries to abuse your trust in something legitimately trustworthy (or at least something that you would be wise to pay attention to). The phisher might mimic your bank, or your grandmother, or the IRS or FBI. Whatever the cover, the phisher imitates something you would be expected to trust - and then abuses that trust for illicit gain.

A few months ago I received an email purporting to be from USAA, stating that I had a new message waiting for me in the secure message center. I and others in my family do in fact have business with USAA, so it is not unexpected to receive correspondence from them - and so this particular phishing attempt was of interest to me. The format of the email even closely resembled the way USAA formatted such messages several years ago (though they have since changed the format to be harder to replicate without knowing some additional things about the member). So I did what any researcher worth his salt would do: I took the bait, and used the experience to write up a story on phishing.

The phish message clearly looks nothing like current legitimate messages – but it’s similar if not identical to the format USAA used a few years ago. A member not paying attention might accept it as real. Outdated formatting aside, there are a few clues that this is not legitimate.

The email address – in this case the fraudulent domain was obvious, but other clients may not display the full address by default, and it is quite easy to spoof an address. It is in essence a postal envelope, with no guarantee that the sender wrote their actual address in the return field.

The URL – the links go to www3usaa instead of www.usaa; this one was relatively easy to detect, but the phisher could have chosen a character that more closely resembled a "dot." In fact, with multilingual domain name support beginning about 10 years ago, an attack known as an "IDN Homograph Attack" using visually identical characters from another character set, you could not tell by looking that it was a fraudulent link. Or the attacker could have used Javascript to change the displayed text of the link. I've demonstrated disguised links on my blog - it's easy to make a link look like something other than what it is.

Setting the hook

Now it gets harder to tell that this is fraudulent. The premise was that USAA had sent an email to me via the secure message center on their web site. Had that been the case, I would have had to log in first before seeing the message. But aside from that, the approach is very believable.

The login screen is disturbingly convincing because it is an exact replica (or was as of the time that I received the email), even loading images and formatting scripts from the genuine site. Only the submit handler is changed. There is no visual clue that this is a phish.

Ah, another clue: I have two-factor authentication enabled. I should have been sent a code to my phone, instead of entering an unchanging PIN. But most members probably do not – and this is precisely what they would see. And surprise, I can get here without entering my real password or account.

Upon "logging in" I am asked to provide a few "security questions, " and to provide my email address and email password for good measure. I am finally deposited onto the logout page at the authentic USAA web site. If I did not know better, I might assume I had successfully added a layer of security to my bank account and then logged out, when in fact I have just given an attacker everything they need to defraud me.

The moral? Scammers are very good at mimicking the genuine article. If you don't pay attention to red flags at the beginning, there may be no more warnings that you are falling into a trap.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen