Course: SE 4C03 Winter 2005

Title: Internet ID Theft

Researcher Name: Mikhail Onqa

Last Revision: March 31st, 2005

1. Introduction

Identity theft has always been an intelligent way for a criminal to operate. The Internet revolution has opened up new tools and techniques that the computer-savvy criminal exploits. Hackers, crackers, phreaks, and all the other associated lingo have been used to label these criminals. Whether they use email, a website, back-door Trojan horses, viruses, or spyware, they are exploiting those innocent enough to become their prey. A recent development has been something called “Phishing”, where criminals use emails to lure money out of bank accounts and steal identities. Originally phishing was only used to obtain user passwords, but in recent years it has mutated to include a plethora of the user’s personal and financial information. A new concept called “Identity Assurance” can thwart these criminals and limit their endeavours. This essay describes some of these methods and their solutions.

2. Current Methods

The most common method for phishing was sending an email that sounded official, from a trusted source such as a bank. The user would then have to give detailed personal and financial information to avoid either paying surcharges or some other penalty cited by the phisher. Once the data was gathered, it was either sold or traded. Recently, different scams have been used, such as advance-fee loans, bogus credit card offers, new business opportunities or franchises, charity scams, and fake check scams. For a while the fake check scam was very popular, and many people lost their money to foreign accounts. Even more recent are the charity scams associated with the tsunami relief funds.

2.1 Phishing

Since email is the most common method used, phishers exploit well-known flaws in SMTP (Simple Mail Transfer Protocol) to forge the “Mail from:” address and impersonate any organization they want. They also change the “Reply to:” address so they can collect replies from another location. Another method is to send the email in HTML format so that the email is harder to decipher, while to the user it looks just like a regular plain-text message. As well, they swap letters, such as a lower-case “l” for an upper-case “I”. They also white out words to bypass anti-spam filters. In the email, the real URL is hidden behind a fake link that is visible. Phishers use the sub-domain USERDLL.COM and don’t use standard HTTP ports, because the host is probably another infected third party unaware that their computer is being used as a front. Many times the recipient of the email clicks on the link, in which case the user is actually sent to the genuine website, but a pop-up window appears, running JavaScript for example, that looks very similar to the secure login screen. The user automatically assumes that the screen is genuine and gives the phisher what they want. Pop-ups that look like Windows Explorer but are in fact just graphics, key-loggers that record every keystroke entered, fake banner advertising, web bugs, zero-sized graphics, screen-grabbers, back-door Trojan horse programs, cross-site scripting (XSS), and the scriptable components of an already spoofed website are some of the more common methods being used. Also, the growing popularity of MSN Messenger, IRC, ICQ, and other IM services makes them an easy target for phishers to install malware such as spyware, worms, Trojans, and similar code.

2.2 How exactly is this accomplished?

The real question is how exactly these phishers accomplish this. A very effective technique is the man-in-the-middle attack vector, where a phisher intercepts communication between two parties, fooling each one into thinking that they are communicating with the other. There are many ways to do this. The first is DNS poisoning, where the program changes the addresses in the local look-up table on the PC. This table serves the same purpose as a DNS server, but for increased speed the PC stores regularly used IP addresses in a file (e.g. host.ini in Windows). Another way is by altering the browser proxy settings. Usually this needs to be done in advance, and it can be detected by the user only if he regularly checks the settings. Phishers get over this hurdle by using transparent proxies, which users cannot detect unless they utilize “content filtering”. Escape encoding is a form of URL obfuscation, basically fooling the user with an altered URL; in this instance a space is replaced by “%20” and the like. Since this is common on websites such as Hotmail, phishers use it to trick consumers. Other variations include UTF-8 encoding and multiple encoding, which have similar effects in the location bar. Cross-site scripting includes HTML embedding, script content embedding, or worse, the forced loading of external script code. Preset session attacks use the stateless HTTP and HTTPS protocols to further phisher activity and use the SessionID to authenticate with a genuine site such as a bank. Furthermore, hidden attacks, hidden frames, overriding page content, and graphical substitution are ways in which the phisher manipulates the appearance of a genuine website.
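The two tricks described in sections 2.1 and 2.2, a visible link whose text names a different host than its href, look-alike letters in the host name, and percent-encoding applied more than once, are the ones a mail filter can check mechanically. The following Python script is an added example, not part of the original essay: it repeatedly percent-decodes each link until the URL stops changing, compares the host actually linked with the host shown in the link text, and folds confusable characters onto a common skeleton so look-alike hosts are flagged. The sample HTML body, the host names and the CONFUSABLES table are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample mail body (not from the essay): a look-alike host, a double-encoded host, one honest link.
SAMPLE_HTML = (
    '<p>Log in at <a href="http://examp1e-bank.com%2F/login">http://example-bank.com/login</a>'
    ' or <a href="http://%2565vil.test/x">http://example-bank.com/x</a>'
    ' or <a href="https://example-bank.com/">https://example-bank.com/</a>.</p>')
# Characters commonly swapped for look-alikes (the essay's "l" for "I").
CONFUSABLES = {'1': 'l', 'I': 'l', '|': 'l', '0': 'o', '5': 's', '3': 'e'}

def canonical_host(url, max_rounds=5):
    """Real host after repeated percent-decoding (defeats multiple encoding); urlsplit lower-cases it."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return urlsplit(url).hostname or ''

def skeleton(host):
    return ''.join(CONFUSABLES.get(c, c).lower() for c in host)  # 'examp1e' folds to 'example'

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a> in a mail body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href', ''), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """One finding per link whose visible URL names a different host than its href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = canonical_host(href), canonical_host(text)
        if not shown or real == shown:
            continue  # visible text is not a URL, or it honestly names the real host
        kind = 'look-alike host' if skeleton(real) == skeleton(shown) else 'host mismatch'
        findings.append({'shown': shown, 'real': real, 'reason': kind, 'encoded': '%' in href})
    return findings
```

Running `suspicious_links(SAMPLE_HTML)` flags the first two links (one as a look-alike host, one as a plain host mismatch) and passes the honest third one.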

3. Current Solutions

Phishing has spawned a plethora of software applications to combat its destructive nature. They include antivirus, firewall, spyware detection and removal, anti-spam, intrusion detection, and enhanced browser tools. These are the most basic steps in ID assurance. These programs work in the following ways. They have the ability to detect and block immediate attempts to install malicious software. They accomplish this by taking control of all ports and deciding whether to allow access to a port from the outside. They also work the other way, filtering any outgoing packets from software installed on the computer. In this way these programs ensure that spyware, worms, viruses and other malware are not allowed onto the computer, which also allows the user to protect his or her personal and financial information.

3.1 New techniques to be implemented

Although these measures protect the user to some degree, there are new techniques that industry should follow or that should be part of the new suite of browsers. The first and most important aspect that should be secured is email. Digitally signing an email is a method that uses a public and private key pair to create cryptographic hashes of the email as it is generated and sent. Rendering HTML email as plain text, scanning attachments before they are opened, and using S/MIME (Secure Multipurpose Internet Mail Extensions) to check the integrity of the received email should be standard. For programs like Hotmail that currently cannot use S/MIME, the alternative PGP (Pretty Good Privacy) should be used for the time being. The Secure Sockets Layer (SSL) protocol is now the standard for security and authentication, and should be used in conjunction with PKI (Public Key Infrastructure) to enhance site integrity and confidentiality. Extending these concepts to site identity assurance tools that let users see whether the website visited is legitimate is the next step. Using real-time date/time stamps and third-party trusted databases with 128-bit encryption is another way to discourage phishers. Managed identity assurance services such as “Verified by Visa” and “MasterCard SecureCode” need to be enhanced by verification engines built into browsers that also use CVC (Content Verification Certificates) and PKI to complete the security.

Conclusion

In conclusion, the main message is to be aware, and to use all the information mentioned above to create a safe and secure way to use the Internet.
