locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Mon, 17 Nov 2008 00:00:00 00, 712
Making Waves in the Phishers’ Safest Harbors

Rod Rasmussen and I collaborated to publish an APWG Advisory that describes how phishers use subdomain registries as safe harbors for malicious and criminal activities. A subdomain registry is a naming service that web hosting providers offer to customers: the provider allows a customer to register a subdomain under one of its own registered domains as part of a hosting service package. Customers choose a label (name) beneath the parent domain. The general structure for names of this kind is:

<customer_term>.<service_provider_domain_name>.<TLD>

For example, if the web hosting company has registered the domain freewebhosting.com, a customer could register securityskeptic.freewebhosting.com, Paypal.freewebhosting.com, BankofAmerica.freewebhosting.com...
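As an added illustration (this is not code from the advisory or from this blog), here is a small Python triage helper that applies the naming structure above: it splits a suspect hostname into the customer-chosen label and the provider's parent domain, flags brand terms in the label, and tells the analyst which party actually controls the name. The list of provider domains (apart from freewebhosting.com, which appears above) and the brand keyword list are constructed for the example.

```python
"""Triage hostnames against a list of subdomain-registry parent domains.

Added example, not code from the APWG advisory or from the page's author.
Only freewebhosting.com comes from the post; the other provider domain and
the brand keywords below are constructed for illustration.
"""
import re

# Constructed list of domains whose owners hand out third-level names to
# customers. In practice this comes from the providers you track; treat it
# as an assumption of this example.
SUBDOMAIN_REGISTRIES = {
    "freewebhosting.com",
    "example-host.net",
}

# Constructed brand keywords to look for in the customer-chosen label.
BRAND_TERMS = ("paypal", "bankofamerica", "ebay", "hsbc")


def split_hostname(hostname):
    """Return (customer_term, provider_domain_name, tld), or None when the
    hostname does not sit under a known subdomain registry.

    paypal.freewebhosting.com -> ("paypal", "freewebhosting", "com")
    Deeper names (login.paypal.freewebhosting.com) keep everything left of
    the provider domain as the customer term.
    """
    labels = hostname.strip().rstrip(".").lower().split(".")
    # Try the longest candidate parent first so a registry that is itself
    # several labels deep still wins over a shorter suffix.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in SUBDOMAIN_REGISTRIES:
            provider_labels = parent.split(".")
            return (".".join(labels[:i]),
                    ".".join(provider_labels[:-1]),
                    provider_labels[-1])
    return None  # either the provider's own apex or an unrelated domain


def brand_hits(customer_term):
    """Brand keywords present in the label once punctuation a phisher may
    insert (pay-pal, paypal_secure, bank.of.america) is stripped."""
    flat = re.sub(r"[^a-z0-9]", "", customer_term.lower())
    return [b for b in BRAND_TERMS if b in flat]


def triage(hostname):
    """Decide who controls the name and whether the label looks like brand
    abuse. Returns a dict a phishing analyst could act on."""
    parts = split_hostname(hostname)
    if parts is None:
        return {"hostname": hostname, "subdomain_registry": False,
                "contact": "registrar / registrant of the domain", "brands": []}
    customer, provider, tld = parts
    return {
        "hostname": hostname,
        "subdomain_registry": True,
        "customer_term": customer,
        "provider": f"{provider}.{tld}",
        # The hosting provider, not the registrar, can remove this name;
        # suspending the parent domain would take every customer offline.
        "contact": f"abuse desk of hosting provider {provider}.{tld}",
        "brands": brand_hits(customer),
    }


if __name__ == "__main__":
    for h in ("securityskeptic.freewebhosting.com",
              "Paypal.freewebhosting.com",
              "login.bank-of-america.freewebhosting.com",
              "www.example.org"):
        print(triage(h))
```

The distinction the `contact` field draws is the practical one: a name under a subdomain registry is not visible to the registrar's Whois as a separate registration, so a takedown request has to go to the hosting provider that issued the label, and asking the registrar to suspend the parent domain would punish every legitimate customer sharing it.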

But wait, would some of those names infringe on a brand? And couldn't someone use such a site to impersonate a brand and phish for accounts? They can indeed, and the practice is becoming widespread and difficult to contain.

Our advisory examines this unintended consequence of largely well-intentioned free web hosting providers spinning up registries of their own, and discusses measures individuals and organizations can take to make these harbors less attractive and less effective for phishers.

See Making Waves in the Phishers' Safest Harbors: Exposing the Dark Side of Subdomain Registries at APWG.COM.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID712 by Dave Piscitello  


Wed, 12 Nov 2008 00:00:00 00, 711
Phlavors of Phishing

I still recall my first visit to a Baskin Robbins Ice Cream Parlor. Some of you no doubt recall your own awe and anticipation when presented with the opportunity to choose from 31 flavors of ice cream! Fifty years later, I feel angst and trepidation when I confront the imposing number of phlavors of phishing.

Phishing is commonly associated with financial scams and identity theft. As I scanned nearly six months of mail posted to an antiphishing list, I noticed how far phishing's reach has extended. Sifting through five months' worth of posts and several weeks' worth of URLs listed at PhishTank, I found at least one phishing attack notification and multiple targets in each of the following categories:

  • Financial scams/Identity theft. The list of banks attacked illustrates that financial institutions of all sizes and kinds are in play: Abbey, Alliance, Barclays, Chase, Citigroup, Colonial, Commerce, Compass, Farmers State, Franklin, Halifax, HSBC, Home Valley, Leicester, Lloyds, NatWest, Ocean, State Farm, Synergy, UniCredit Banca di Roma, Wells Fargo,...

  • Bank scams that use fake security certificates. In attacks against Wachovia and Bank of America, phishers used bogus digital certificates to convince visitors that the site was SSL-protected.

  • Domain name authority impersonations. Phishers used anticipated correspondence (e.g., annual Whois accuracy reporting, account verification) from ICANN, eNom, Network Solutions, Netsons (reseller) to convince users to disclose login information for domain name account management.

  • Government agency impersonations. Phishers impersonated the US IRS eFile service, Her Majesty's Revenue and Customs, and the FTC to obtain Social Security numbers and other personal information.

  • Fee/Deposit scams. Phishers still lure victims with various state and national lotteries, and other 419/Nigerian scams, and now customize these with phony contests run by recognizable brands like Pepsi.

  • Banner and pay-per-click ads. Phishers replicated landing pages and altered the Google AdSense and AdWords code on these pages to divert PPC revenue from Google customers to accounts they control directly or through mules.

  • Software scams. Impersonating Microsoft, antivirus companies (AntiVir, McAfee), and open source developers (Joomla!), phishers lured victims into downloading malware instead of patches, virus definitions, and executable binaries.

  • Political contribution scams: Obama and McCain

  • eMerchants: The major eMerchants (eBay, PayPal, Amazon.com) remain prime targets for phishers, but smaller merchants (Big 5 Sporting Goods, Shopping.com) are targets now as well.

  • Online payment services: Phishers remain very interested in hijacking PayPal, MoneyBookers, and Cahoot accounts.

  • VoIP service hijacking: Vonage is a primary target; phishers entice customers into downloading malware that purports to optimize their VoIP service. Account hijacking was also popular.

  • Online pharmaceuticals. I found hundreds of domains hosting sites that sell prescription meds without prescriptions. These are inherently illegal, so phishers don't need to impersonate a pharmacy brand.

  • Airline rewards programs: AAdvantage was phished using a $50 award for completing a survey that included numerous questions seeking personal and financial information.

  • Social networks. Phishers targeted Facebook, Hi5, Classmates.com, SinglesNet.com, Habbo, and HabboTeen accounts. I could have listed a dozen more if I could read Cyrillic, Korean, Chinese, and Japanese. Compromised accounts on these sites are great resources for hosting malware and for sending spam.

  • Sharing sites. Account grabbers targeted Flickr, Myfavoritetube.net, YouTube, and Yahoo! Photos.

  • Blogs. Geocities and BlogSpot are reputed to be the hottest spots for hosting malware. The phish email notices I found corroborate this claim.

  • email accounts: Gmail, MSN, and Yahoo! email accounts are valued by phishers because they can be used to spam or to collect stolen credentials they obtain from impersonation web sites.

  • List, messenger, and contact managers. Phishers cast their nets to any account they can compromise, from the "remove my email address from your list" managers to sites such as Twitter, CheckMessenger3, MeetYourMessenger, and Messenger FX that enhance or extend the reach of instant messaging.

If I were a phishing behavior analyst, I might profile a formidable phishing "unsub" as follows. The unsub attacks any financial, merchant or social networking venue that he believes will eventually lead to money or resources. He explores any and all means available to obtain personal information and account logins. The unsub is interested in any account. He relies on the inherent laziness of Internet users who use the same names and passwords for many if not all of the web accounts they create. He is patient, willing to sort and correlate information from multiple successful attacks against an individual in order to land a whale (an individual with a fat online banking account and sloppy Internet habits), to gain administrative control over a portfolio of domain names that he can use to make money via subsequent phishing attacks, or to sell in the underground market to other unsubs. He is elusive and criminally clever.

If you don't want to be the next unsub's victim, take measures to protect all your online accounts. Don't use short, simple passwords. Don't use the same username and password for every account you create on the web. Don't publish information on social networks, blogs, and wikis that provides clues the unsub can collectively use to identify you. Imagine the kind of information you would hesitate to share with a stranger and exercise the same caution in your virtual world as you would in the real world.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID711 by Dave Piscitello  


Mon, 10 Nov 2008 00:00:00 00, 710
DNS and Fast Flux Attacks: What a difference a year makes

In January, SSAC published an advisory on fast flux attacks. A basic fast flux attack employs automated, rapid modification of the IP addresses assigned to hosts in the DNS to hide the location of web sites supporting malicious, illegal, or criminal activities. A variant, double flux, modifies not only the IP addresses, to obfuscate the location of the web sites, but also the name servers for the domains used to assign names to those web sites.

Over the past 10 months, researchers and investigators have studied fast flux attacks, and today we are better able to characterize them. For example, not all flux attacks are "fast". Flux attacks still change IP addresses, though, and commonly use hundreds of IP addresses that are traceable to compromised PCs connected to broadband access networks. Flux attack networks also commonly span many autonomous systems. These characteristics and more allow us to identify flux attacks accurately, and some outstanding research provides us with a formula that identifies these networks with an accuracy of 99%.
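To make those characteristics concrete, here is an added Python example (mine, not the published formula alluded to above, whose weights are not reproduced here) that collapses a series of DNS lookups for one domain into the indicators just described: how many distinct A records appear, how many autonomous systems they span, how often the address set and the name-server set change, and the shortest TTL seen. The lookups and the IP-to-ASN table are constructed, and the weights and threshold in flux_score() are illustrative assumptions rather than trained values.

```python
"""Score a domain's DNS behaviour for the flux characteristics listed above.

Added example; it is not the 99%-accurate formula the post alludes to.
The DNS snapshots and the IP-to-ASN table are constructed, and the weights
and threshold in flux_score() are illustrative assumptions.
"""
from collections import namedtuple

# One A/NS lookup result for the domain at time t (seconds), with the TTL seen.
Snapshot = namedtuple("Snapshot", "t a_records ns_records ttl")

# Constructed IP -> origin ASN table standing in for a BGP or whois lookup.
IP_TO_ASN = {
    "10.0.1.5": 64500, "10.0.1.9": 64500, "10.0.2.7": 64500,
    "192.0.2.10": 64501, "192.0.2.44": 64501,
    "198.51.100.3": 64502, "198.51.100.80": 64503,
    "203.0.113.12": 64504, "203.0.113.99": 64505,
}

# Constructed sample: a CDN-style name that rotates addresses on a short TTL
# but stays inside one network and keeps its name servers fixed.
BENIGN_CDN = [
    Snapshot(0, ["10.0.1.5", "10.0.1.9"], ["ns1.cdn.example"], 60),
    Snapshot(60, ["10.0.1.9", "10.0.2.7"], ["ns1.cdn.example"], 60),
    Snapshot(120, ["10.0.1.5", "10.0.2.7"], ["ns1.cdn.example"], 60),
]

# Constructed sample: a double-flux name whose addresses sit in many ASNs
# (compromised broadband hosts) and whose NS records rotate as well.
DOUBLE_FLUX = [
    Snapshot(0, ["192.0.2.10", "198.51.100.3", "203.0.113.12"], ["ns1.flux.example"], 300),
    Snapshot(300, ["192.0.2.44", "198.51.100.80", "10.0.1.5"], ["ns2.flux.example"], 300),
    Snapshot(600, ["203.0.113.99", "192.0.2.10", "198.51.100.3"], ["ns1.flux.example"], 300),
]


def flux_features(snapshots):
    """Collapse a series of lookups into the indicators from the post:
    distinct A records, distinct ASNs, how often the A and NS sets change
    between consecutive lookups, and the shortest TTL observed."""
    ips, nss = set(), set()
    a_changes = ns_changes = 0
    prev_a = prev_ns = None
    min_ttl = None
    for s in snapshots:
        cur_a, cur_ns = frozenset(s.a_records), frozenset(s.ns_records)
        ips |= cur_a
        nss |= cur_ns
        if prev_a is not None and cur_a != prev_a:
            a_changes += 1
        if prev_ns is not None and cur_ns != prev_ns:
            ns_changes += 1
        prev_a, prev_ns = cur_a, cur_ns
        min_ttl = s.ttl if min_ttl is None else min(min_ttl, s.ttl)
    asns = {IP_TO_ASN.get(ip) for ip in ips} - {None}
    return {
        "n_ips": len(ips),
        "n_asns": len(asns),
        "a_changes": a_changes,
        "ns_changes": ns_changes,
        "min_ttl": 0 if min_ttl is None else min_ttl,
    }


def flux_score(feat):
    """Illustrative linear score (assumed weights). ASN spread carries the
    most weight: a CDN also rotates many addresses on short TTLs, but inside
    a handful of networks, whereas a flux network spans many. TTL is weighted
    lightly because, as the post notes, not all flux attacks are fast."""
    score = 1.0 * feat["n_ips"] + 10.0 * feat["n_asns"]
    if feat["min_ttl"] <= 300:   # a low TTL supports, but does not prove, flux
        score += 5.0
    if feat["ns_changes"] > 0:   # rotating name servers: the double-flux signal
        score += 20.0
    return score


def classify(snapshots, threshold=40.0):
    """Return 'benign-like', 'single-flux' or 'double-flux' for the lookups."""
    feat = flux_features(snapshots)
    if flux_score(feat) < threshold:
        return "benign-like"
    return "double-flux" if feat["ns_changes"] > 0 else "single-flux"


if __name__ == "__main__":
    for name, snaps in (("cdn-style", BENIGN_CDN), ("flux", DOUBLE_FLUX)):
        feat = flux_features(snaps)
        print(name, feat, flux_score(feat), classify(snaps))
```

With this data the CDN-style name scores low despite changing its address set on every lookup, because all of its addresses come from one ASN and its name servers never move, while the flux sample scores high on ASN spread and NS rotation. In a real deployment the snapshots would come from repeated queries spaced over the TTL and the ASN lookup from a routing table or whois, and the weights would be fitted on labelled data rather than assumed as here.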

I gave a presentation on how our understanding and appreciation of flux attacks has evolved at the ICANN Cairo Meeting today. Visit again in December for ways we might reduce the threat fast flux networks pose.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID710 by Dave Piscitello  


Sat, 08 Nov 2008 00:00:00 00, 708
Is the 'net generation unfit to serve as jurors?

The most senior judge in the United Kingdom thinks so, but is it true?

According to a Telegraph.co.UK article, the Lord Chief Justice says, "it might be better to present information for young jurors on screens because that is how they were used to digesting information", suggesting that the generation of young adults who were raised with Internet access get most of their information by reading and referring to what is published on the web. He asserts that, "They are not listening. They are reading."

While it's hard to argue that young people don't read, learn, and publish via the web, I'm struggling to find the issue here. When did reading become a poorer learning skill than listening? How can you find fault with any medium that encourages children and adults to practice skills our education systems have repeatedly failed to improve? Moreover, why would anyone as learned as a chief justice conclude that if you learn mostly by reading, you don't know how to learn by listening?

The Lord Chief Justice fails to appreciate the breadth of today's Internet experience. "Print" is only one component of today's web. Yes, young adults most certainly read what is printed on the web. However, they listen a great deal more than the judge gives them credit for. The Lord Chief Justice fails to consider the emergence of the podcast and the growing popularity of this medium across all age groups.

Podcasting popularity has expanded dramatically (see image, courtesy of the Pew Internet and American Life Project)



According to Pew Internet and American Life Project, podcasting isn't simply popular for downloading music. National Public Radio is a signal example of how podcasts empower individuals to access broadcast news and editorial content at their convenience. In fact, so many publishers use this medium today that podcasts are available for nearly every subject you might find blogged or published online. Technology, comedy, religion, science, news, editorial and business are among widely available topics. Podcasts are now a common complement to the learning experience at colleges and universities and are even an acceptable submission form for course assignments.

Young adults are aggressive adopters. This is only natural given that the 18-25 age group is the first generation in which many children held a mouse before they held a pen. Podcasting and Internet immersion potentially make the web-savvy generation more informed and better qualified than any prior generation. Lord Chief Justice, I respectfully suggest you've underestimated the web-savvy generation.

(While you are mulling over podcasting, you might want to also look at how voice over IP is integrated into collaboration software...)

If you must find reason to be circumspect about web-savvy jurors, focus on the challenge young adults face as they try to distinguish fact from opinion in a medium where self-publishing is popular. Certain jurors will no doubt be influenced by biased or erroneous content. Hopefully, attorneys and prosecutors will identify and excuse these during jury selection. Be optimistic, however, that the ratio of knowledgeable to uneducated jurors will improve. Moreover, the ability of naive jurors to separate fact from fiction will improve as all jurors are afforded greater exposure to information. Stop worrying that the legal system will fail because we are not listening. Instead, leverage all Internet media to the benefit of the legal system. Educate and encourage young adults to seek out reputable sources that adhere to traditional publishing standards, peer review and emerging reputation-building systems. If we are successful, the web- and podcast-savvy generation could be the most informed and formidable jurors ever.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID708 by Dave Piscitello