SoFunction
Updated on 2025-04-10

Phishing Revealed: Three Typical Attack Methods Used by Phishers

In most people's minds, phishing is the fake email that tricks people into handing over bank account details or identity information. However, according to a recent research report published by the Honeynet Project & Research Alliance, phishing is more complex and more dangerous than this.

In this latest research report, the alliance warns that phishers are using compromised web servers, port redirection and botnets, with a high success rate, to trick users into taking the bait. Their efforts are more meticulous and more organized than people initially thought. In many cases they coordinate operations with other phishing gangs and use multiple means at the same time.

Honeynet Project researcher Arthur Clune said of one attack in the report that the phishing website went up very fast. All of these sites are prepared in advance. The people who built this kind of website were obviously ready, because we started to see network traffic before the website was fully built. The whole process, including scanning for vulnerable web servers, is highly automated. All this shows that the attacker is serious, prepared and looking for as many vulnerable hosts as possible.

Clune said the quality of such websites, and of the emails that advertise them, is improving. These websites use more standard English and embed better quality images, making them look more like the real website from the outside. Another researcher, David Watson, said that as users become more aware of phishing and the means phishers use, attackers have to improve their approach. He said he was surprised by the number of people who fall for this attack.

Watson said that in many of the scams we investigated, we were surprised to find that users really do visit the fake phishing sites. Advice on how to use the Internet safely is obviously not getting through to end users.

This study was performed using honeypots. A so-called honeypot is a computer deliberately set up without protection measures. When it is attacked, researchers can study the attacks to better understand the strategies the attackers use. On the honeypots, the researchers clearly observed phishers successfully using three different attack methods:

Compromising the web server

The first method is to break into a server with security vulnerabilities and install malicious web content. In a typical phishing attack, the attacker proceeds as follows:

· Scan for servers with security vulnerabilities;

· Break into a vulnerable server and install a toolkit or a password-protected backdoor;

· Enter the compromised server through the encrypted backdoor;

· Download pre-built phishing website content, if the compromised server is a web server;

· Do some limited content configuration and testing of the website, possibly exposing their real IP address in the server's logs when they access the new site for the first time;

· Download mass-mailing tools and use them to advertise the fake website through spam;

· Once these steps are complete, web traffic to the phishing website begins as potential victims start visiting the fake content.
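The sequence above leaves a characteristic trace in the compromised server's own web logs: a directory nobody deployed, a handful of early hits from one address while the attacker tests the content, a quiet interval while the spam run goes out, and then a wave of distinct client addresses. The following is an added example (not part of the original article or the Honeynet report) of pulling those three signals out of Apache combined-format logs. The log lines, the `/.secure` directory name and all IP addresses are constructed for the demonstration; the one-hour quiet gap used to separate the tester from the victims is an assumed threshold that an administrator would tune.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one tester address at 02:14, then a victim wave at 09:31.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [11/Jan/2005:02:14:03 +0000] "GET /.secure/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Jan/2005:02:16:40 +0000] "GET /.secure/login.php HTTP/1.1" 200 3311 "-" "Mozilla/4.0"
198.51.100.21 - - [11/Jan/2005:03:02:11 +0000] "GET /index.html HTTP/1.1" 200 1287 "-" "Mozilla/4.0"
198.51.100.22 - - [11/Jan/2005:09:31:05 +0000] "GET /.secure/login.php HTTP/1.1" 200 3311 "-" "Mozilla/4.0"
198.51.100.23 - - [11/Jan/2005:09:31:09 +0000] "GET /.secure/login.php HTTP/1.1" 200 3311 "-" "Mozilla/4.0"
198.51.100.24 - - [11/Jan/2005:09:32:44 +0000] "POST /.secure/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.25 - - [11/Jan/2005:09:33:01 +0000] "GET /.secure/login.php HTTP/1.1" 200 3311 "-" "Mozilla/4.0"
198.51.100.26 - - [11/Jan/2005:09:33:07 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0"
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def top_dir(path: str) -> str:
    """'/.secure/login.php?x=1' -> '/.secure'; '/index.html' -> '/index.html'."""
    parts = path.split("?", 1)[0].split("/")
    return "/" + parts[1] if len(parts) > 1 and parts[1] else "/"


def unexpected_dirs(lines: List[str], known: Set[str]) -> Dict[str, datetime]:
    """Top-level paths that were actually served (2xx) but are not in the
    administrator's list of deployed content, with the time each was first seen."""
    seen: Dict[str, datetime] = {}
    for rec in filter(None, map(parse_line, lines)):
        if 200 <= rec["status"] < 300:
            d = top_dir(rec["path"])
            if d not in known and (d not in seen or rec["ts"] < seen[d]):
                seen[d] = rec["ts"]
    return seen


def summarize(lines: List[str], directory: str,
              min_gap: timedelta = timedelta(hours=1)) -> dict:
    """Split the hits on one directory at the first quiet gap of at least min_gap.
    Addresses before the gap are the attacker's own test visits (the moment the
    report says the real IP may be exposed); addresses after it are victims."""
    hits = sorted((r for r in filter(None, map(parse_line, lines))
                   if top_dir(r["path"]) == directory), key=lambda r: r["ts"])
    result = {"first_seen": hits[0]["ts"] if hits else None,
              "operator_ips": [], "wave_start": None,
              "victim_count": len({h["ip"] for h in hits})}
    split = next((i for i in range(1, len(hits))
                  if hits[i]["ts"] - hits[i - 1]["ts"] >= min_gap), None)
    if split is not None:
        result["operator_ips"] = sorted({h["ip"] for h in hits[:split]})
        result["wave_start"] = hits[split]["ts"]
        result["victim_count"] = len({h["ip"] for h in hits[split:]})
    return result


if __name__ == "__main__":
    for d, ts in unexpected_dirs(CONSTRUCTED_LOG, {"/index.html"}).items():
        print(f"undeployed content {d} first served {ts:%Y-%m-%d %H:%M}")
        print(summarize(CONSTRUCTED_LOG, d))
```

The gap heuristic is deliberately simple: it only separates a lone early visitor from a later crowd, so a site that is spammed within minutes of being uploaded will show no gap and yield an empty operator list. Treat the "operator" address as a lead for correlation with SSH or backdoor connection logs, not as proof; the report itself only says the attacker *may* expose a real address.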

The alliance said in a statement that such attacks usually take only a few hours or days from the moment the system is first connected to the Internet. The research found that attackers often attack many servers and many institutions at the same time.

Port redirection

This is the second attack method. On January 11, 2005, an attacker broke into a honeypot by exploiting a security vulnerability in its Red Hat Linux 7.3 system.

The attack was a bit unusual, the researchers said. After breaking into the server, the attacker did not upload phishing content directly. Instead, the attacker installed and configured a port redirection service on the honeypot. This service transparently rerouted HTTP requests sent to the honeypot's web server to another remote server, making it difficult to track where the content really came from.

The attacker then downloaded and installed a port redirection tool called "redir" on the honeypot, the researchers said. This tool transparently forwards TCP connections arriving at the honeypot to a remote host. The attacker configured it to redirect all traffic arriving on the honeypot's TCP port 80 to TCP port 80 of a remote web server in China.
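To make concrete what a tool like redir does, and why it frustrates tracking, here is an added example (not redir's own code and not part of the original report) of a minimal transparent TCP redirector written with the standard library, together with a stand-in "remote" web server and a client fetch so the whole chain runs on the loopback interface. The victim only ever connects to the redirector's address, and the server that actually hosts the page only ever logs the redirector as its client; the phishing content itself is a constructed placeholder.

```python
import socket
import threading
from typing import List, Tuple

PHISH_PAGE = b"<html><body>constructed stand-in for the hosted phishing page</body></html>"


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, target: Tuple[str, int]) -> None:
    """Open a fresh connection to the target and splice it to the client.
    Because the redirector opens that connection itself, the target sees the
    redirector's address as the peer, never the victim's."""
    upstream = socket.create_connection(target, timeout=5)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    upstream.close()
    client.close()


def start_redirector(target: Tuple[str, int], bind=("127.0.0.1", 0)) -> socket.socket:
    """Listen on bind (port 0 = pick a free port) and forward every TCP connection
    to target. Returns the listening socket; getsockname() gives the chosen port."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(bind)
    ls.listen(16)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=_relay, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls


def start_origin(peer_log: List[Tuple[str, int]], bind=("127.0.0.1", 0)) -> socket.socket:
    """One-shot stand-in for the remote server that really hosts the page.
    It records the peer address it saw, which is all its logs would ever show."""
    ls = socket.socket()
    ls.bind(bind)
    ls.listen(1)

    def serve() -> None:
        conn, peer = ls.accept()
        peer_log.append(peer)
        conn.recv(4096)  # swallow the request line and headers
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(PHISH_PAGE) + PHISH_PAGE)
        conn.close()
        ls.close()

    threading.Thread(target=serve, daemon=True).start()
    return ls


def fetch(addr: Tuple[str, int]) -> dict:
    """Plain HTTP/1.0 GET, returning what the victim's browser could observe."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(b"GET /login HTTP/1.0\r\nHost: bank.example\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
        raw = b"".join(chunks)
        return {"peer": s.getpeername(), "body": raw.split(b"\r\n\r\n", 1)[1]}


def demo() -> dict:
    """Origin <- redirector <- victim, all on loopback; returns both sides' view."""
    origin_peers: List[Tuple[str, int]] = []
    origin = start_origin(origin_peers)
    redirector = start_redirector(origin.getsockname())
    result = fetch(redirector.getsockname())
    result["redirector"] = redirector.getsockname()
    result["origin_saw"] = origin_peers[0]
    redirector.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Run from the compromised host's point of view, the only evidence of redirection is a process listening on port 80 that is not the web server and an outbound connection from that process to another host's port 80, so checking which process owns each listening socket, and where its established connections go, is the check an administrator would add.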

Botnets

This is the third method of phishing attack. Between September 2004 and January 2005, the German Honeynet Project deployed a series of unpatched Windows-based honeypots to observe botnet activity. During this period, more than 100 separate botnets were observed.

The researchers said that some versions of the bot software they captured could remotely start a SOCKS proxy on the compromised host.

The research report said that if the attacker controlling the botnet can activate the SOCKS proxy function on a remote compromised host, that host can be used to send large volumes of spam. If the botnet contains a large number of compromised hosts, the attacker can easily send large amounts of email from many IP addresses belonging to unaware home computer users.

It may not surprise anyone that the owners of such resource-rich botnets use them for criminal activities. Botnets are now rented out: botnet operators sell customers a list of host IP addresses and ports with SOCKS v4 proxy capability. It is well documented that botnets are sold to spammers as a tool for relaying spam.
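The SOCKS v4 capability that is being rented out is a very small protocol, which makes it practical to recognise in captured traffic. The following is an added example, not taken from the report or from any bot, that encodes and decodes the SOCKS v4 request and reply (including the SOCKS4a hostname extension) and then triages a set of constructed client/proxy payload pairs for the spam-relay pattern the paragraphs above describe: a granted CONNECT through a proxy to a mail port. All addresses and payloads are constructed; the set of "mail ports" is an assumption for the triage rule.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

SOCKS4_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
REPLY_GRANTED = 90   # "request granted"
REPLY_REJECTED = 91  # "request rejected or failed"
MAIL_PORTS = {25, 465, 587}  # assumed list of ports that indicate mail relaying


@dataclass
class Socks4Request:
    command: int
    dst_port: int
    dst_ip: IPv4Address
    user_id: bytes
    domain: Optional[str] = None  # set only for SOCKS4a requests


def build_socks4_request(command: int, dst_ip: str, dst_port: int, user_id: bytes = b"") -> bytes:
    """Client -> proxy: VN=4, CD, DSTPORT (big-endian), DSTIP, USERID, NUL."""
    return (struct.pack(">BBH", SOCKS4_VERSION, command, dst_port)
            + IPv4Address(dst_ip).packed + user_id + b"\x00")


def parse_socks4_request(data: bytes) -> Optional[Socks4Request]:
    """Decode a SOCKS4/4a request; None if the bytes are not one (or are truncated)."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION:
        return None
    command, dst_port = struct.unpack_from(">BH", data, 1)
    if command not in (CMD_CONNECT, CMD_BIND):
        return None
    dst_ip = IPv4Address(data[4:8])
    nul = data.find(b"\x00", 8)
    if nul == -1:
        return None  # USERID never terminated: truncated capture or not SOCKS4
    domain = None
    # SOCKS4a: a destination of 0.0.0.x (x != 0) means a hostname follows the USERID.
    if dst_ip.packed[:3] == b"\x00\x00\x00" and dst_ip.packed[3] != 0:
        end = data.find(b"\x00", nul + 1)
        if end == -1:
            return None
        domain = data[nul + 1:end].decode("ascii", errors="replace")
    return Socks4Request(command, dst_port, dst_ip, data[8:nul], domain)


def build_socks4_reply(granted: bool, dst_ip: str = "0.0.0.0", dst_port: int = 0) -> bytes:
    """Proxy -> client: VN=0, CD=90 (granted) or 91 (rejected), DSTPORT, DSTIP."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack(">BBH", 0, code, dst_port) + IPv4Address(dst_ip).packed


def parse_socks4_reply(data: bytes) -> Optional[bool]:
    """True if the proxy granted the request, False if it rejected it, None if not a reply."""
    if len(data) < 8 or data[0] != 0:
        return None
    return data[1] == REPLY_GRANTED


def find_open_relay_use(flows: List[Tuple[str, str, bytes, bytes]]) -> List[dict]:
    """Triage (client_ip, proxy_ip, first client payload, first proxy payload) tuples:
    report every granted SOCKS4 CONNECT whose destination is a mail port."""
    findings = []
    for client, proxy, to_proxy, from_proxy in flows:
        req = parse_socks4_request(to_proxy)
        if req is None or req.command != CMD_CONNECT:
            continue
        if parse_socks4_reply(from_proxy) and req.dst_port in MAIL_PORTS:
            findings.append({"client": client, "proxy": proxy,
                             "dst": f"{req.domain or req.dst_ip}:{req.dst_port}",
                             "user_id": req.user_id.decode("ascii", errors="replace")})
    return findings


# Constructed flows: one relay through a bot's SOCKS port to a mail server,
# one granted CONNECT to a web port, one rejected CONNECT, and one non-SOCKS flow.
CONSTRUCTED_FLOWS = [
    ("198.51.100.9", "192.0.2.44", build_socks4_request(CMD_CONNECT, "203.0.113.25", 25, b"spam"),
     build_socks4_reply(True, "203.0.113.25", 25)),
    ("198.51.100.9", "192.0.2.44", build_socks4_request(CMD_CONNECT, "203.0.113.80", 80),
     build_socks4_reply(True)),
    ("198.51.100.9", "192.0.2.45", build_socks4_request(CMD_CONNECT, "203.0.113.25", 25),
     build_socks4_reply(False)),
    ("198.51.100.9", "192.0.2.46", b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_open_relay_use(CONSTRUCTED_FLOWS):
        print(f"{f['client']} relayed mail via {f['proxy']} to {f['dst']} (userid {f['user_id']!r})")
```

The triage keys on the reply as well as the request: a bot that answers a CONNECT to port 25 with code 90 has just confirmed it is an open relay, whereas a rejected request from an external scanner is noise. On a home network the same decoder applied at the egress point will also catch the proxy being *used*, which is the behaviour that gets the user's address blocklisted.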

Bottom line

Having observed the above attack methods, the researchers concluded that phishing attacks can happen quickly. It takes only a very short time to bring a phishing website online, which makes phishing difficult to track and prevent. The report shows that many phishing attacks use several measures at once, are very complex, and often combine the methods described above.

What should IT administrators do?

Watson pointed out that hackers often scan large ranges of IP addresses to find hosts that can be attacked. This scanning is indiscriminate, and the most vulnerable servers are the ones found first. Network administrators should therefore follow security best practices: patch system vulnerabilities, use firewalls, enforce strict authentication, and block unnecessary inbound connections to their servers.

Honeynet researcher Clune agrees with this view and offers IT administrators the following suggestions:

Be vigilant. A phishing website goes from being set up to being actively used very quickly. The phishers expect each site to exist for only a short time, so they need to build many of them. Although a phishing website exists only briefly, the losses caused before it is discovered are large, especially over weekends.

Be careful about the simple things. Simple measures, such as preventing SMTP traffic and HTTP/HTTPS requests from reaching machines that do not need to accept them, make your servers less attractive to hackers, who will move on to easier targets. Forcing all SMTP traffic through your gateway, while running software that looks for spam, may completely prevent your servers from sending spam. From a reputation perspective, this is well worth doing.