Anti-Phishing Techniques: Detection Measures
As was outlined in the first part of this series, there are several methods to protect users from phishing attacks. But prevention is not enough. We need detection measures to get early warning signals when a phishing attack is being planned or is in progress. Before we get into detection measures let us look at the steps the attackers does while executing a phishing attack.
As was outlined in the first part of this series, there are several methods to protect users from phishing attacks. But prevention is not enough. We need detection measures to get early warning signals when a phishing attack is being planned or is in progress.
Before we get into detection measures let us look at the steps the attackers does while executing a phishing attack.
- Register a fake domain name [not mandatory]
- Setup a look alike webpage
- Send email to hundreds of users
We will see what we can do at each stage to actively detect the phishing attack.
Detecting registered fake domain names
The attacker needs to setup a look-alike site. First a domain name is registered. Many times attackers register a domain which sounds similar to the original. If they are targeting www.abcbank.com attackers might register www.abc-bank-1.com. In a recent phishing attack Halifax bank was targeted using a domain called www.halifaax.com. Notice the extra "a". If we are diligent enough to track registrations of new DNS domains, we have a chance of getting to know about these "similar" registrations and can initiate action before the domain name can be used for a phishing attack.
This method of detection is not fool-proof because of different reasons. First - Even though it is easy to track new registrations of GLTD-generic top-level-domain like .com and .net, it is not true for CCTLD -country specific top-level-domains like .cn(China) or .kr(Korea) where many phishing sites are registered. Second - attackers may choose not to register a domain name and operate the website using just IP address.
Detecting look alike webpages
Many times attackers design the phishing webpage such that the images are picked up from the original site rather than keeping a repository of images in their fake website. When the user loads the phishing webpage, the browser goes and picks the images from original website. The referrer URL as seens by the original website will be the URL of the fake website [www.abc-bank-1.com].
On the original website if we are analyzing the web server logs and looking for suspicious referrers we will be able to detect an phishing attack in progress.
This method of detection is also not fool-proof for different reasons. Attackers might choose to write their own HTML code and not copy the whole from the original website. Attackers might decide to store the images in their own website rather than picking it up from the original website.
Detecting emails sent to users
Once the phishing site is ready, attackers sends emails to hundreds of users, who are the potential victims. As expected, many of these emails would bounce as the TO: address is incorrect. To increase credibility of the mail attackers would keep the From: address of the mail as something like firstname.lastname@example.org. This userid will be non-existent on the abcbank.com email server. Otherwise the mails which bounce will get into the mailbox of a user, if the email@example.com is a valid email id. If this is a valid email address, attackers would keep the from address as something like firstname.lastname@example.org.
The mails with wrong To: addresses are all returned to the abcbank.com SMTP server. The SMTP server looks at the From: address email@example.com and finds it is non-existent. From: address and To: address are both wrong. This is called a double-bounce mail.
Bounced mails are common but double bounced mails are not. It is highly likely that double bounce mails are phishing mails targeting abcbank.com. If the SMTP servers can be configured to forward these double-bounce mails to an admin mailbox for real-time analysis and alerting we could detect a phishing attack in progress.
This method of detection is not foolproof as attackers could use a domain name other than the original like firstname.lastname@example.org. The bounced mail will never reach the SMTP server of the original abcbank.com and no analysis and alerting is possible.
Finally, users who receive the phishing mail can alert the organization about it. It is important for the organization to implement forums for easy reporting. It could be setting up a common mailbox like email@example.com or a toll-free-number or educating the user helpdesk about this attack. These forums should be actively published to the users via different channels. An alert user who reports early could save many others.
Detecting Man in the Middle Attacks
Another method quite popular today is real time man-in-the-middle phishing attacks. As was recently demonstrated in the attacks on Citibusiness, phishers collect user-id passwords [short-lived one time passwords] and use them in real time against the original websites. If the attacker is trying passwords of multiple victims, you will see hundreds of connections from the attacker's PC. If we are analyzing the webserver logs and checking for large number of connections from one IP it could be the attacker doing man-in-the-middle.
This method of detection is not fool-proof as attackers might use the phished informations from multiple computers rather than from a single one.
Phishing prevention measures should be complemented with detection methods. The key strategies include
- Monitor domain name registrations.
- Watermark the original web pages to identify usage in phishing sites.
- Monitor web server logs for suspicious referral entries and excessive traffic from one source IP.
- Track double-bounce mails.
- Setup forum for users to report phishing.