Transcript Phishing

Fraudulent Site Take Down Guidance
www.cuispa.org
Author:
John Brozycki, CISSP
Hudson Valley FCU
CUISPA Member Advisor
LEGAL DISCLAIMER: This document is provided for informational purposes only. CUISPA and the author
make no warranties or representations as to the accuracy or completeness of such information and CUISPA and
the author assume no liability or responsibility for errors or omissions in the content of this information. Your use
of this information is AT YOUR OWN RISK and applies to all CUISPA legal notices and terms of use.
Overview
• Responding to phishing attacks has become a routine task for many credit union IT departments. Rapidly taking down these fraudulent websites is a prudent and often necessary measure for preventing losses.
• This presentation outlines some of the processes, challenges, and techniques involved in getting a fraudulent website, impersonating your institution, taken down.
Take-down Steps:
1) PREPARATION
2) DETERMINE THE SOURCE
3) RESEARCH THE DOMAIN
4) RECON / INTELLIGENCE
5) CONTACTING 3rd PARTIES
6) WORKING WITH LAW ENFORCEMENT
Prepare Environment
• Prepare your environment in advance.
• Remember that the site may host malicious code.
• Do not use a production machine that can’t afford to be compromised. Always use a test PC that can be “sacrificed.”
• If possible, do not use your production network.
• A separate broadband connection is preferable.
• Full Internet access (no proxy server or restricted ports) is advantageous.
• Useful common Internet tools: ping, traceroute, nslookup etc.
Helpful Tools
VMware Workstation or Player
Allows you to create a test environment
without sacrificing a production PC.
Disks can be “undoable” so you can get
back to the original state without
rebuilding from scratch.
Helpful Tools
SandboxIE
A freeware utility that allows you to
launch an app, such as IE, in a controlled
area, prohibiting writes to the hard drive
and registry.
2) Determine the SOURCE
• The phishing site may be accessible via FQDN (Fully Qualified Domain Name) and/or IP address.
• Try to determine the FQDN if applicable, IP address, and path information.
2) Determine the SOURCE
• If you have the phish email, view the underlying source to determine the true link URL.
Example (FQDN):
http://www.hackedsite.com/mycreditunionexploited/
Example (IP address):
http://192.168.0.1/mycreditunionexploited
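Added example, not part of the original presentation: a Python routine for "view the underlying source to determine the true link URL". It parses a saved message without fetching anything and reports, per link, the text the member saw against the host and path it really points to. The sample message is constructed; the sender address and mycreditunion.example are assumptions, and the link targets are the example URLs above.

```python
import ipaddress
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; link targets reuse the slide's example URLs.
SAMPLE = """\
From: "My Credit Union" <service@mycreditunion.example>
Content-Type: text/html; charset="utf-8"

<a href="http://www.hackedsite.com/mycreditunionexploited/">https://www.mycreditunion.example/login</a>
<a href="http://192.168.0.1/mycreditunionexploited">Member login</a>
"""

class AnchorParser(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def true_links(raw_message):
    """Return, per link, the text the member saw and where it really points."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = AnchorParser()
    parser.feed(body.get_content() if body is not None else "")
    out = []
    for href, shown in parser.links:
        url = urlsplit(href)
        # Only compare hosts when the visible text is itself a full URL.
        shown_host = urlsplit(shown).hostname if "://" in shown else None
        out.append({"shown": shown, "host": url.hostname, "path": url.path,
                    "is_ip": is_ip(url.hostname or ""),
                    "mismatch": shown_host is not None and shown_host != url.hostname})
    return out
```

The `host`, `is_ip` and `path` fields are the FQDN, IP address and path information the previous slide asks for; `mismatch` marks links whose visible text names a different host than the real target.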
3) Researching the DOMAIN
• The domain will often be contained in the FQDN.
Example:
http://www.hackedsite.com/mycreditunionexploited
(domain is hackedsite.com)
• Use a WHOIS utility to determine information on the domain.
• WHOIS gives us:
1) Domain owner and contact information (email and hopefully a phone number)
2) Who is authoritative for DNS. May be owner, ISP, or DNS hosting service.
3) Researching the DOMAIN
• For US-based .com and common domains, start with:
www.netsol.com
click on “whois” link.
• For a more expansive search, try one of the following:
www.arin.net
www.allwhois.com (free service from MarkMonitor)
www.completewhois.com
3) Research the DOMAIN
ARIN:
• Start with the ARIN (American Registry for Internet Numbers, www.arin.net) WHOIS tool. Enter the IP address.
• If the IP is not domestic, ARIN will tell you where to look next, i.e. RIPE, APNIC, etc.
• If the IP only leads back to the site owner, use a traceroute to determine how packets get to the site. The IPs right before the site will be the ISPs and you can look them up.
3) Researching the DOMAIN
• If given an IP address only:
1. Any website that may be viewable from the IP only should be viewed on a safe test machine (ex: http://192.168.0.1)
2. PING -a 192.168.0.1
3) Research the DOMAIN
SAMPLE RESULTS FOR 10.32.15.1
BOB’S INTERNET, BOBI-IPNET (NET-10-32-15-0-1)
10.32.15.0 - 10.32.19.255
My Credit Union BOBI-MYCU-1 (NET-10-32-15-0-1)
10.32.15.0 - 10.32.15.255
# ARIN WHOIS database, last updated 2006-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
The above results tell us that “Bob’s Internet” owns the range of addresses from 10.32.15.0 through 10.32.19.255. A class “C” range (255 addresses from 10.32.15.0 through 10.32.15.255) is assigned to “My Credit Union”. In this case, you would try to contact My Credit Union, as they are responsible for the IP address. You can always contact the ISP if you can’t reach the party immediately responsible for the IP address.
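Added example, not part of the original presentation: the same reading of the WHOIS result done in Python. It pairs each owner line with the range under it, keeps the ranges that contain the IP, and orders them smallest first, so the immediately responsible party comes before the ISP. The sample text is retyped from the results above; the function names and regular expressions are assumptions that fit this summary layout only.

```python
import ipaddress
import re

# Sample results retyped from the slide (placeholder data, not a live lookup).
WHOIS_TEXT = """\
BOB'S INTERNET, BOBI-IPNET (NET-10-32-15-0-1)
10.32.15.0 - 10.32.19.255
My Credit Union BOBI-MYCU-1 (NET-10-32-15-0-1)
10.32.15.0 - 10.32.15.255
# ARIN WHOIS database, last updated 2006-01-29 19:10
"""

RANGE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s*$")
OWNER_RE = re.compile(r"^(?P<org>.+?),?\s+(?P<handle>\S+)\s+\((?P<net>NET-[\w-]+)\)\s*$")


def parse_netblocks(text):
    """Pair each 'Org HANDLE (NET-...)' line with the range on the next line."""
    blocks, pending = [], None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # skip WHOIS comment lines and blanks
        owner, rng = OWNER_RE.match(line), RANGE_RE.match(line)
        if owner:
            pending = owner.group("org")
        elif rng and pending:
            first, last = (ipaddress.ip_address(g) for g in rng.groups())
            blocks.append({"org": pending, "first": first, "last": last,
                           "size": int(last) - int(first) + 1})
            pending = None
    return blocks


def contact_order(text, ip):
    """Organisations whose range contains ip, most specific (smallest) first."""
    addr = ipaddress.ip_address(ip)
    hits = [b for b in parse_netblocks(text) if b["first"] <= addr <= b["last"]]
    return [b["org"] for b in sorted(hits, key=lambda b: b["size"])]
```

For 10.32.15.1 the order is My Credit Union, then Bob's Internet, which matches the contact order described above.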
RESEARCH COMPLETE!
We now know:
• Who owns the domain
• Contact info for domain
• The ISP (may not be hosting but is at least providing connectivity)
• DNS provider
4) RECON AND INTELLIGENCE
• Proceed with caution.
• Gathering intelligence is optional. You may not need any additional information.
• Further investigation calls upon some technical skills.
• Be cautious of the legal aspects of further investigation.
• Finger-printing tools can be deployed to determine OS, app, etc.
• Port scanners can determine if other services are running.
4) RECON AND INTELLIGENCE
Example: Information from FTP service
telnet 192.168.0.1 21
220 FTP Server ready.
214-The following commands are recognized (* =>'s unimplemented).
 USER    PASS    ACCT*   CWD     XCWD    CDUP    XCUP    SMNT*
 QUIT    REIN*   PORT    PASV    TYPE    STRU    MODE    RETR
 STOR    STOU*   APPE    ALLO*   REST    RNFR    RNTO    ABOR
 DELE    MDTM    RMD     XRMD    MKD     XMKD    PWD     XPWD
 SIZE    LIST    NLST    SITE    SYST    STAT    HELP    NOOP
214 Direct comments to root@www.<sanitized>.kr.
5) CONTACT PARTIES
• Try contacting Website owner first
• Try contacting ISP next
• If no luck and the site uses an external DNS
service then try contacting them next.
• Have documentation available and provide
it with your request.
• Request the fake site code for further
reference.
5) CONTACT PARTIES
Sample email to ISP
To whom it may concern,

URGENT REQUEST - Please read the following:

Today a number of our credit union members received a phishing e-mail soliciting their personal account information. The link referenced in the email returns to a site which is presenting itself as our Hudson Valley Federal Credit Union Web site. As such it is violating copyright laws and misrepresenting itself for the purposes of illegally collecting account information for financial gain.

The compromised server is housing the spoof content at:
http://nefariouswebsite.com/mycreditunion/banking001
IP 192.168.0.1 = www.<sanitized>.kr

Please take this site down or remove the fraudulent content and respond when these changes have been implemented. If any financial loss is incurred we will be required to actively seek redress through local and national law enforcement bodies.

I have attached a PDF capture of the spoofed site (rogue1.pdf). We would greatly appreciate it if you would email us an archive of the fake site directory.

Thank you for your prompt attention to this matter.
5) CONTACT PARTIES
• Common difficulties:
Time differences with overseas ISPs.
Language barriers.
ISP policies on take-downs
6) WORKING WITH LAW ENFORCEMENT
• Law enforcement can make requests on your behalf or call on contacts abroad (i.e. Interpol)
• Provide law enforcement with intelligence
information:
1) They track it
2) You may provide a missing piece of a
larger puzzle
3) Losses across organizations can be
aggregated
CUISPA
www.cuispa.org
Educational Programs
(512)465-9711
3500 Oakmont Blvd. Su.204
Austin, TX 78731
For comments on this presentation please send email to:
[email protected]