6/16/2006

What can be done about phishing

Yesterday I was upset about everyone's attitude toward phishing, the same attitude everyone has toward scams and spam and fake banks, etc. Two main reasons for this are that the problem is too big and that those who fall for it are gullible people whom everyone else deems stupid and unworthy of consideration. Yes, I know it sounds harsh, but that's the way most people think.
They have the right to think any way they want, but from a practical point of view, don't the service providers want the gullible people as customers? Gullible people make a great market; they support the shopping TV channels. Who wouldn't want to sell to them?
But this is a blog about phishing and other things around the Internet; gullible people and the marketplace are a theme for another post.
What I want to write about today is ways to reduce phishing, ways that can be implemented by the service providers, whoever they are. None of these recommendations is technically impossible or complicated. In fact some of them are out there right now; someone is using them already.
Here they are:

First of all we have to understand how phishing works. The phisher goes to the original login page and saves a copy, then uploads the copy to a server somewhere else. The original page takes the username and password, checks them against a database and grants or denies access. The phisher changes this: the copy stores the username and password and, in most cases, sends the user on to a page where his or her personal information has to be "verified for security reasons". That is where you have to enter your address, credit card number, PINs, etc. Then it forwards you to the original home page, an error page ("try again in a couple of minutes"), or any other page he can think of. It doesn't matter; by that time your personal information is already compromised.
I'd like to start from the email, but a lot of that material is in another article about spam and I don't want to duplicate it. So I'm going to start from the phishing page.
The first problem here is that the page looks like the original one; in fact most of the components of the page are the originals.
A web page is basically a file of instructions for building the page: what text is included, how it should be organized, formatting information, etc. It doesn't include the images; it only says which images are required, where to put them on the page and the link where each image is stored. Your browser then asks that server for the image. In fact there's an option in your web browser to prevent this; it was included many years ago for people on slow dial-up access so they could see the content of the page without downloading all the images.
The phisher can download all the images and set up a server just like the original; it's easier now that any browser can save a full web page in one command. Before that you'd have to save them one by one. But they don't, and I think the reason is that it's a lot easier to keep the links and let the original server do the job. Having the images stored on their own servers wouldn't make them easier to find, and the images are no more incriminating than the page itself, so I have to assume the main reason is that they're lazy.
On the other hand, we have the original server. It's serving the images for the offending site for free, hosting them and paying for the bandwidth every time a mark falls into the trap. It doesn't make sense to me.
Why aren't they doing something about it? Here's a list of simple, even silly, things that can be done.

- Don't serve images if they're referred from another server. Even though the session itself is from your browser to the server, your browser tells the server where the link comes from; this is something the phisher can avoid, but it still helps. A lot of sites are doing this; it's a simple solution. I'm not saying you can do it just by checking a flag in a configuration file; someone has to work it out. But it's worth it.

- Serve the images but with a twist. When you ask a web server for an image, it sends you the file. The URL you see is basically a directory path, just like the ones you use on your own machine. The server goes through the path, finds the file you want and sends it. An alternative is an image-serving script, an active page that checks which file you're asking for and serves it. The difference is that this script can check the referrer and decide whether to serve the file, refuse it, or serve a different one. That last option is a very good one: instead of the original logo, they can serve an image that is obviously fake. Better yet, an image with text saying "you're about to log in to a fake server". Eventually the phishers will copy all the images and serve them from their own sites, but it will make things harder for them: they'll need more time and more resources, it will give the hosts a good way to detect phishing pages automatically, and at the very least it will reduce the problem. Yahoo is doing even more: they change the images of their webmail login page. And not only the images; they're changing its look frequently. If you're a frequent user, you've probably gotten used to it by now. The idea (I guess) is that if the user sees an old page he'll suspect that something's wrong and won't log in.

- Even while they're not doing that, with the referrer log they can identify without a shadow of a doubt any phishing page as it's being accessed. The second someone opens that page and requests the image file, the server is able to tell that the request was referred from a site other than the original. Maybe they're not logging that, but I'm sure they can; any web server has a logging service. The logs surely are, or would be, huge, but they don't have to read them line by line. A computer can do that, and even if they have to dedicate a computer to just that, all day every day, it's worth it. All they need is to compile a list of the sites, other than their own servers, from which their images are referenced. And that's it; they'd have the most efficient early warning system ever. Every page I've seen lately is using the original image files, every single one. The phishers are literally ringing a bell every time they set up a page. However, the service providers are sitting there waiting for you to report a phishing page. And in return you get a nice preformatted thank-you message with tips to recognize phishing pages and protect yourself. What for? You're reporting the page; you don't need that. "Common sense is the least common of the senses"; I don't know if it makes any sense in English, but never was that phrase more appropriate.

- In addition to the image problem, most of these services use links to other services: Doubleclick, Omniture, BBBOnline, Verisign, etc. Each one has a specific purpose. Doubleclick manages targeted advertising, BBBOnline and Verisign certify the site, Omniture runs statistical analysis. I'm writing a complete article about Omniture; don't miss it. They can apply the same criteria if some elements are referenced from that page. But they could also certify that you're connected to the right server.
The verification that Verisign or BBBOnline do is useless for the end user: the seal at the bottom of the page has an ID code assigned to the original site, and you can use it anywhere you want. In fact you can try these:

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=WWW.AMERICARX.COM&lang=en

http://www.bbbonline.org/cks.asp?id=20111061155818568


You can try them from here, copy and paste them into your browser, or make your own page with the link. Either way they won't certify that the site from which you're clicking is the real one. They certify the (internal) security, business standards, etc. of the site whose ID you're asking about. Why aren't they certifying the site from which you're clicking? Why aren't they selling that service? As a user I'd like to have that service; the other certification is fine too, but I want one that helps me know I'm on the right site. And I know it can be fooled; I wouldn't sell it as a 100% safe method because I know it's not, but at least it could tell you with 100% certainty when you are not on the right site.

- Research each phishing case more. I don't think they're doing it. At most they're requesting the closure of the offending site, and I don't think they're doing that either. I closed more sites last week than they have ever. Closing the site itself is good but not enough; each phisher opens many of them at the same time and doesn't expect them to live for long. If they do, great, but just a couple of days is more than good enough. People who fall for this do it almost immediately: they get the message, they click, they log in, it's done. Even one day is good enough, half a day or less too. Heck, I bet the phisher is happy if he gets one good hit. But they're doing a lot better than that; if you've read the previous article you may have seen that I found one page less than a day old with close to 10 good logins. Today I've just found another, half a day old and almost 10 good logins. By the time the page is closed, most likely the phisher has already harvested it. Add to that all the pages that have been running for weeks or months; the phisher can keep sending messages linking to them forever. And the worst part is that even if the page is closed fast, most of them are not storing the information on the same server. I want to explain this in detail because it seems simple but it's not. The page itself is weak: the phisher knows that it will (most likely) be closed and that it won't last long. He has two choices: check it often enough to make it worthwhile before it's closed, or store the data somewhere else. The second option has many advantages. He can stay away from the page for a long period of time without risking his position, the information is safe even while the page is being closed, all his pages report to only one site and, best of all, he knows that nobody cares: the host of the page will shut it down, erase all the content and move on. After that, there's no link between the phishing message, the phishing page and the site holding the database.
I'm seeing this setup often lately; pages holding a local file with the logins are uncommon now. Getting the database down would make all the pages linked to it worthless, and we're talking about almost all of them linked to a relatively small number of servers. And, again, I know it takes time and resources to do it. But I think I could do it by myself if I wanted to, and once you get to the server it should be easy to take measures to close it, block it, take legal action, anything. It's worth it; it's something the service providers owe their customers.
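The referrer check for an image-serving script and the access-log scan described in the two list items above, written up as one added example (not code from the original post). It assumes the real site is www.example-bank.test, that the server writes NCSA combined-format access logs, and that a warning image exists at an assumed path; the log lines are constructed samples.

```python
# Added example for this post, not code from the original page: a referer check
# for an image-serving script plus a scan of the server's access log, both built
# on one helper. Assumed site, paths and log lines are constructed for illustration.
import re
from urllib.parse import urlparse

OWN_HOSTS = {"www.example-bank.test", "example-bank.test"}  # assumption
WARNING_IMAGE = "/img/warning-fake-login.png"                # assumed substitute
IMAGE_RE = re.compile(r"\.(gif|png|jpe?g)$", re.IGNORECASE)
# client ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
                    r'"(?P<referer>[^"]*)" "[^"]*"$')


def referer_host(referer):
    """Lowercase host from a Referer value; None when absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    return urlparse(referer).hostname  # urlparse already lowercases the host


def choose_image(path, referer):
    """What the image-serving script should return. A missing referer is served
    normally (browsers and proxies often strip it); a foreign one gets the warning."""
    host = referer_host(referer)
    if host is None or host in OWN_HOSTS:
        return path
    return WARNING_IMAGE


def foreign_image_referers(log_lines):
    """Early-warning scan: {foreign_host: hits} for image requests whose Referer
    points somewhere other than our own site. Non-image requests are ignored."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not IMAGE_RE.search(m.group("path")):
            continue
        host = referer_host(m.group("referer"))
        if host is None or host in OWN_HOSTS:
            continue
        hits[host] = hits.get(host, 0) + 1
    return hits


SAMPLE_LOG = [  # constructed sample lines using documentation IP ranges and .test/.example names
    '203.0.113.5 - - [16/Jun/2006:10:01:02 -0400] "GET /img/logo.gif HTTP/1.1" 200 4321 "https://www.example-bank.test/login" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jun/2006:10:01:07 -0400] "GET /img/logo.gif HTTP/1.1" 200 4321 "http://secure-login.example.net/bank/index.php" "Mozilla/5.0"',
    '198.51.100.2 - - [16/Jun/2006:10:02:11 -0400] "GET /img/header.png HTTP/1.1" 200 9876 "http://secure-login.example.net/bank/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2006:10:03:00 -0400] "GET /login HTTP/1.1" 200 1234 "http://another-site.example.org/" "Mozilla/5.0"',
    '192.0.2.4 - - [16/Jun/2006:10:04:30 -0400] "GET /img/logo.gif HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]
```

Running `foreign_image_referers(SAMPLE_LOG)` on the constructed lines reports only secure-login.example.net, with two hotlinked image requests; the same-site, missing-referer and non-image lines are all filtered out.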

I have more complicated suggestions, not impossible but more difficult to implement. I think I can do them, which is why I know they can be done, but the complexity is such that some are impossible to replicate with the resources phishers use to host their pages, and some would put a good part of them out of business.
Like dynamically generated images. How about the logo with the date and time on it? The image can be generated dynamically, but if you only have access to a web server, even one with scripting capabilities, it's close to impossible to copy. The phisher would have to move to more complex setups that would be easier to find and shut down; worse for him, they'd give more evidence to track him by.

And best of all, they can hire me. After all, among all those who are talking and talking and talking about phishing, I'm the one who can show results... just a thought.
