
Phishing and Pharming: Vulnerabilities and Exploitation Mechanisms

Posted in Security on November 15th, 2010 by Rachael

In this blog I will outline the vulnerabilities that phishing and pharming attack mechanisms could exploit in order to realise the threats described in my previous blog.

The first threat discussed was employees replying to phishers with personal and confidential information. To realise this threat, the employee must a) be contacted and b) reply to the phisher. Adversaries mainly use email and instant messaging to make contact with potential victims [2], and both channels have vulnerabilities that phishers can exploit. An email with a fake “From:” header can easily be produced by exploiting flaws in SMTP, the widely used mail transfer protocol, which means a phisher is able to imitate any organisation they wish [2]. Phishing-ignorant users are particularly vulnerable to social engineering, and by exploiting that vulnerability in combination with imitating an organisation, this threat can be realised [3].

The threat of employees visiting illegitimate websites in the belief that they are legitimate can be realised by exploiting vulnerabilities in HTML links [3], search engines [1], banner advertising, URL obfuscation [2], the local lookup process, domain registration and the way website names are resolved to IP addresses (DNS lookup) [2].

HTML hyperlinks can be exploited by displaying the legitimate URL while linking to the illegitimate URL [3]. Search engines can be exploited by using search engine optimisation techniques to lift the page rank. The aim is to get the page rank of the illegitimate website above that of the legitimate website, so users who search for the legitimate website will likely be directed to the illegitimate URL [1]. Banner advertisements can be exploited by creating advertisements that look like the legitimate website’s and linking them to the illegitimate website [3]. URL obfuscation exploits both users’ weak recognition of domain names and flaws in browsers.
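An added example, not code from the original post: a small detector for the HTML-link trick described above, which flags anchors whose visible text names one host while the href points at another. The sample mail body and its hosts are constructed from reserved example domains.

```python
# Added example, not from the original post: flag anchors whose visible text
# names one host while the href points at another (the HTML-link trick above).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or bare hostname (e.g. "www.bank.example").
LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/|$)", re.I)

def host_of(value: str) -> str:
    """Lower-cased host named in a URL or URL-looking text, without 'www.'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html: str):
    """(href, text) pairs whose text names a different host than the href."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.anchors
            if LOOKS_LIKE_HOST.match(text) and host_of(text) != host_of(href)]

# Constructed sample mail body; every host is a reserved example domain.
SAMPLE = """<p>Please log in at
<a href="http://login.attacker-example.net/bank">https://www.bank.example</a>
or read <a href="https://www.bank.example/help">our help page</a>.</p>"""

for href, text in mismatched_links(SAMPLE):
    print(f"text shows {text!r} but the link goes to {href!r}")
```

Only anchors whose text already looks like a URL are compared, so ordinary descriptive link text is never flagged.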

There are many vulnerabilities a pharmer can exploit in the local lookup process. One form of attack is to exploit a workstation’s reliance on the hosts file by adding extra entries that point to adversary-owned IP addresses [2]. This exploitation relies on the workstation using Microsoft Windows, and on the adversary having access to the hosts file. Pharmers with control of the local network host can also easily manipulate network settings to “point all DNS queries” to an adversary-controlled DNS server [2].

An adversary could also exploit vulnerabilities in domain registration through domain hijacking. In domain hijacking, pharmers purchase a domain name as soon as it expires and construct a replica of the original website, thus exploiting the fact that existing links still point to the domain and thereby “fooling any customers who connect to the site” [2].

Exploitation of vulnerabilities in the DNS infrastructure and poorly managed DNS servers can be accomplished using techniques such as DNS cache poisoning [3], DNS spoofing with sniffing, and the “birthday” attack [2].

DNS cache poisoning targets older DNS services that cache resolution entries for websites they have not themselves retrieved and are not actually authorised to provide [2]. The attack proceeds as follows:

1. An adversary queries the DNS server for an IP address of a host managed by an adversary-owned server.
2. Since the DNS server does not have the IP address cached, it queries the adversary-owned server for the IP address.
3. The adversary’s server replies with the IP address, as well as extra, illegitimate resolution records mapping legitimate websites to illegitimate adversary-owned websites.
4. The DNS server caches all replies, and when queried for one of the websites replicated by the adversary, the DNS server replies with the adversary’s illegitimate IP address.
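An added example, not code from the original post, that plays the four steps above through a toy resolver cache. The naive cache stores every record in the reply, which is the weakness described; the second cache applies a bailiwick check (it keeps only records inside the zone the answering server was asked about), the standard mitigation, which the post does not cover. All names and addresses are constructed reserved example values.

```python
# Added example, not from the original post: a toy resolver cache that runs the
# four poisoning steps above. The naive cache stores every record in the reply;
# the second applies a "bailiwick" check (only records inside the zone the
# answering server was asked about are kept), the standard mitigation, which the
# post does not discuss. All names and addresses are reserved example values.
def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

class ResolverCache:
    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self.entries = {}          # name -> IP address

    def ingest(self, reply: dict, queried_zone: str) -> int:
        """Step 4: cache the reply; returns how many records were accepted."""
        accepted = 0
        for name, ip in reply["answer"] + reply["additional"]:
            if self.check_bailiwick and not in_bailiwick(name, queried_zone):
                continue           # out-of-zone record: this server has no authority for it
            self.entries[name.lower()] = ip
            accepted += 1
        return accepted

    def lookup(self, name: str):
        return self.entries.get(name.lower())

# Step 3 as a constructed reply: the adversary's server answers for its own host
# and adds an extra record claiming to resolve the legitimate bank site.
ADVERSARY_REPLY = {
    "answer":     [("www.evil.example", "203.0.113.10")],
    "additional": [("www.bank.example", "203.0.113.10")],
}

def bank_ip_after_attack(check_bailiwick: bool):
    """Steps 1-2 (query for the adversary's host, forwarded to its server),
    then steps 3-4 (ingest the reply); return the cached IP for the bank."""
    cache = ResolverCache(check_bailiwick)
    cache.ingest(ADVERSARY_REPLY, queried_zone="evil.example")
    return cache.lookup("www.bank.example")

print("naive cache      :", bank_ip_after_attack(False))   # adversary's address
print("bailiwick-checked:", bank_ip_after_attack(True))    # None, nothing poisoned
```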

DNS spoofing (with sniffing) is a type of man-in-the-middle attack that exploits vulnerabilities in the UDP protocol to let a pharmer eavesdrop on requests from a user to a DNS server and return an adversary-owned IP address to the user [4]. This is achieved by sniffing network traffic for requests to DNS servers, obtaining the transaction ID from the UDP request, and responding with an adversary-owned IP address using the same ID [2].

The “birthday” attack is used when network sniffing is not feasible. It exploits a vulnerability in the commonly used DNS implementation, BIND [2]. The adversary repeatedly queries the DNS server for an IP address while at the same time sending fake replies to the DNS server using varied transaction IDs [2]. Because of the “mathematical properties of the Birthday Paradox”, the probability that the adversary guesses a transaction ID before the real authoritative server can respond to the DNS server’s request is increased. The authoritative server can also be slowed down by launching denial of service attacks against it, giving the adversary more time [2].
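An added example, not code from the original post, that puts numbers on the spoofing and “birthday” attacks just described: the odds that a fake reply carrying a guessed 16-bit transaction ID is accepted, for one outstanding query versus many outstanding queries for the same name, checked against a Monte Carlo simulation. The source-port figure goes beyond the post: it shows the later mitigation of randomising the UDP source port as well, with 64512 usable ports as an assumption.

```python
# Added example, not from the original post: the guessing odds behind the
# spoofing and "birthday" attacks above. A DNS transaction ID is 16 bits, so
# there are 65536 possibilities; a fake reply is accepted if its ID matches any
# query the resolver currently has outstanding for that name. The source-port
# figure shows the later mitigation (randomising the UDP source port as well),
# which the post does not cover; 64512 usable ports is an assumption.
import random

ID_SPACE = 1 << 16
PORT_SPACE = 65536 - 1024

def hit_probability(outstanding: int, fake_replies: int, space: int = ID_SPACE) -> float:
    """P(some fake reply matches some outstanding query) when the resolver's
    `outstanding` IDs are distinct and each fake reply guesses uniformly at
    random: 1 - (1 - m/N)^n. With m = 1 this is plain guessing against one
    request; raising m is the birthday trick described above."""
    if outstanding >= space:
        return 1.0
    return 1.0 - (1.0 - outstanding / space) ** fake_replies

def with_port_randomisation(outstanding: int, fake_replies: int) -> float:
    """Same odds when the attacker must also guess the randomised source port."""
    return hit_probability(outstanding, fake_replies, ID_SPACE * PORT_SPACE)

def simulate(outstanding: int, fake_replies: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of hit_probability: draw distinct IDs for the outstanding
    queries and random IDs for the fakes, count trials with at least one match."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pending = set(rng.sample(range(ID_SPACE), outstanding))
        if any(rng.randrange(ID_SPACE) in pending for _ in range(fake_replies)):
            hits += 1
    return hits / trials

for m, n in [(1, 1), (1, 1000), (300, 300), (1000, 1000)]:
    print(f"{m:>5} outstanding, {n:>5} fakes: ID only {hit_probability(m, n):.4f}, "
          f"ID+port {with_port_randomisation(m, n):.2e}")
print("simulated, 300 outstanding / 300 fakes:", simulate(300, 300))
```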

Malicious software can be installed on employee computers by exploiting security-ignorant employees and the attachment feature in email. It can also be installed by embedding the applications within poorly designed, and hence vulnerable, webpages [2]. The threat of phishers obtaining browser history or personal and/or company details from employees can then be realised by exploiting the now-vulnerable workstation, using the malicious software to spy on them [1].

References

[1] B. Mohamad, E.-S. Samer, and H. Ibrahim, “Phishing attacks and solutions,” in Proceedings of the 3rd International Conference on Mobile Multimedia Communications, Nafpaktos, Greece: ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2007.
[2] G. Ollmann, “The Phishing Guide,” Next Generation Security Software Ltd., Sutton, 2004.
[3] W. Knight, “Caught In The Net,” IEE Review, vol. 51, pp. 26-30, 2005.
