Phishing: Three typical ways phishers attack

Source: Internet
Author: User
Tags: nets

In most people's minds, phishing means fake e-mails that trick people into handing over bank account or identity information. However, phishing is more complex and more dangerous than that, according to a recent study published by the Honeynet Project & Research Alliance.

In the study, the alliance warns that phishers are using compromised web servers, port redirection, and botnets on a considerable scale to lure people into taking the bait. Their efforts are more deliberate and organized than initially imagined. In many cases they coordinate their operations with other phishing groups and use several methods at the same time.

Honeynet researcher Arthur Clune, speaking of one attack in the report, said the phishing site was built very quickly. All of these sites were prepared beforehand. The people who built this kind of site were obviously ready, because we started to see network traffic before the site was fully built. Every step, including the scanning for vulnerable web servers, was highly automated. All this suggests that the attackers are serious, well prepared, and looking for as many vulnerable hosts as possible.

Clune says the quality of such sites and of the spamming approach is improving. The websites use more standard English and embed better quality images, making them look more like the real sites. Another researcher, David Watson, said that as users became more aware of phishing and its techniques, attackers had to improve their approach. He said he was surprised by the number of such attacks.

"In many of the scams we investigated, we were surprised to find that users do visit fake phishing sites," Watson said. Guidance on how to use the Internet safely clearly has not reached all end users.

The study was conducted using honeypots. A honeypot is a computer deliberately set up without protective measures; when it is attacked, researchers can study the attacks to better understand the attackers' strategies. On the honeypots, the researchers clearly observed phishers successfully using three different attack methods:

Compromising a web server

The first approach is to compromise a server and install malicious web page content on it. In a typical phishing attack the attacker used the following steps:

• Scan for servers with security vulnerabilities;

• Compromise a vulnerable server and install a toolkit or a password-protected backdoor;

• Access the compromised server through an encrypted backdoor;

• Download pre-built phishing website content onto the compromised server;

• Do limited content configuration and website testing; on this first visit to the web server the attacker may expose their true IP address;

• Download mass-mailing tools and use them to advertise the fake website through spam e-mail;

• After the above steps, visitors begin to arrive at the phishing site and potential victims begin accessing its content.
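The fifth step above is the defender's opportunity: before the spam goes out, the only traffic to the planted directory is the phisher's own test visit. The following script is an added example (not part of the Honeynet report) that parses web server access logs in the Apache/nginx "combined" format, which is an assumption about the log layout, and separates the early, isolated visits to a newly planted path from the later spam-driven victim traffic. The log lines are constructed for illustration; the kit path `/.bank/` and the one-hour quiet gap are assumptions.

```python
"""Find the earliest visitors to a freshly planted phishing directory.

The report notes that the phisher's first test visit to the compromised
server may expose their real IP address.  This script looks for the early
cluster of requests to the kit path that is followed by a quiet gap before
the spam-driven victim traffic starts.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Apache/nginx "combined" log format (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a kit is dropped under /.bank/, tested by one host,
# and several hours later the spammed victims start arriving.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2005:02:14:01 +0000] "GET /.bank/login.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [11/Jan/2005:02:14:09 +0000] "POST /.bank/login.php HTTP/1.1" 302 0 "http://198.51.100.20/.bank/login.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.5 - - [11/Jan/2005:02:30:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Googlebot/2.1"
192.0.2.44 - - [11/Jan/2005:06:01:13 +0000] "GET /.bank/login.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.91 - - [11/Jan/2005:06:01:58 +0000] "GET /.bank/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
192.0.2.12 - - [11/Jan/2005:06:02:30 +0000] "POST /.bank/login.php HTTP/1.1" 302 0 "http://198.51.100.20/.bank/login.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def kit_visitors(text, kit_prefix):
    """Return [(ip, first_seen)] for every client that requested kit_prefix,
    ordered by the time of its first visit."""
    first_seen = OrderedDict()
    for rec in parse_log(text):
        if rec["path"].startswith(kit_prefix) and rec["ip"] not in first_seen:
            first_seen[rec["ip"]] = rec["ts"]
    return list(first_seen.items())


def suspected_operator_ips(text, kit_prefix, quiet_hours=1.0):
    """IPs that hit the kit before the victim traffic began.

    Heuristic: the operator's test visits form an isolated early cluster,
    followed by at least `quiet_hours` with no kit requests, after which the
    spam-driven victims arrive.  Returns the IPs seen before the first such
    gap, or [] if no gap exists (tester and victims cannot be separated).
    """
    hits = sorted((r["ts"], r["ip"]) for r in parse_log(text)
                  if r["path"].startswith(kit_prefix))
    early = []
    for i, (ts, ip) in enumerate(hits):
        if ip not in early:
            early.append(ip)
        if i + 1 < len(hits) and (hits[i + 1][0] - ts).total_seconds() >= quiet_hours * 3600:
            return early
    return []


if __name__ == "__main__":
    for ip, ts in kit_visitors(SAMPLE_LOG, "/.bank/"):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {ip}")
    print("suspected operator IP(s):", suspected_operator_ips(SAMPLE_LOG, "/.bank/"))
```

Treat the result as a lead, not proof: the early visitor may be a proxy or another compromised host, and if the phisher uploads and tests the kit over the same backdoor rather than over HTTP, the access log records nothing at all. Cross-check the candidate against the backdoor's connection times and the file modification times under the kit directory.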

The alliance said in its statement that the whole attack usually took only a few hours or a few days from the time the system was first connected to the Internet. The study also found that attackers often attack many servers at many different organizations at the same time.

Port redirection

This is the second method of attack. On January 11, 2005, an attacker broke into a honeypot by exploiting a security vulnerability in its Red Hat Linux 7.3 system.

This attack was a bit unusual, the researchers said. The attacker did not upload phishing content directly after breaking into the server. Instead, the attacker installed and configured a port redirection service on the honeypot. The service transparently reroutes HTTP requests sent to the honeypot's web server to another remote server, making it difficult to trace the true location of the content.

The researchers say the attacker then downloaded and installed a port redirection tool called "redir" on the honeypot. This tool transparently forwards TCP connections arriving at the honeypot to a remote host. The attacker configured it to redirect all traffic arriving on TCP port 80 of the honeypot to TCP port 80 on a remote web server in China.
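A redirector of this kind leaves two traces in the socket table of the compromised host: something other than the web server is listening on port 80, and the same process holds both accepted connections on port 80 and outbound connections to port 80 on a remote host. The following script is an added example, not part of the Honeynet report, that checks for both signatures in `ss -tlnp` (listeners) and `ss -tnp` (established connections) output. The `ss` output below is constructed; the set of expected web server process names is a site-specific assumption.

```python
"""Detect a TCP port redirector such as "redir" from a host's socket table.

Two signatures are checked:
  1. a process that is not the expected web server is listening on a web port;
  2. one process both accepts connections on a web port and has outbound
     connections to a web port on a remote host (the relay pattern).
"""
import re
from collections import defaultdict

PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')
WEB_PORTS = {80, 443}
EXPECTED_WEB_SERVERS = {"httpd", "apache2", "nginx"}   # site-specific assumption

# Constructed `ss -tlnp` output.
LISTEN_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("redir",pid=2311,fd=3))
"""

# Constructed `ss -tnp` output: a victim connects to :80, redir forwards it
# to :80 on a remote host.
ESTAB_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB 0      0      198.51.100.20:80     192.0.2.44:3412    users:(("redir",pid=2311,fd=5))
ESTAB 0      0      198.51.100.20:41022  203.0.113.99:80    users:(("redir",pid=2311,fd=6))
ESTAB 0      0      198.51.100.20:22     198.51.100.9:50122 users:(("sshd",pid=2299,fd=4))
"""


def parse_ss(text):
    """Parse `ss -tnp`/`ss -tlnp` rows into dicts; header and odd lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in {"LISTEN", "ESTAB"}:
            continue
        lhost, lport = parts[3].rsplit(":", 1)
        phost, pport = parts[4].rsplit(":", 1)
        m = PROC_RE.search(" ".join(parts[5:]))
        if not m:
            continue
        rows.append({
            "state": parts[0],
            "lhost": lhost, "lport": int(lport),
            "phost": phost, "pport": None if pport == "*" else int(pport),
            "proc": m.group(1), "pid": int(m.group(2)),
        })
    return rows


def find_redirectors(listen_text, estab_text):
    """Return a list of findings, each a dict with a "type" key."""
    findings = []
    for r in parse_ss(listen_text):
        if r["state"] == "LISTEN" and r["lport"] in WEB_PORTS \
                and r["proc"] not in EXPECTED_WEB_SERVERS:
            findings.append({"type": "unexpected_listener", "port": r["lport"],
                             "proc": r["proc"], "pid": r["pid"]})

    inbound, outbound, names = defaultdict(set), defaultdict(set), {}
    for r in parse_ss(estab_text):
        if r["state"] != "ESTAB":
            continue
        names[r["pid"]] = r["proc"]
        if r["lport"] in WEB_PORTS:            # accepted from a client
            inbound[r["pid"]].add(f'{r["phost"]}:{r["pport"]}')
        elif r["pport"] in WEB_PORTS:          # opened to an upstream
            outbound[r["pid"]].add(f'{r["phost"]}:{r["pport"]}')
    for pid in inbound.keys() & outbound.keys():
        findings.append({"type": "relay", "pid": pid, "proc": names[pid],
                         "upstreams": sorted(outbound[pid])})
    return findings


if __name__ == "__main__":
    for f in find_redirectors(LISTEN_SAMPLE, ESTAB_SAMPLE):
        print(f)
```

A legitimate reverse proxy produces the same relay pattern, so the second signature is only meaningful against an inventory of what the host is supposed to run; the upstream address is the lead worth following, since that is where the real phishing content lives.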

Botnets

This is the third method of phishing attack. Between September 2004 and January 2005, the German Honeynet Project deployed a series of unpatched Windows-based honeypots to observe botnet activity. During this period, more than 100 separate botnets were observed.

The researchers say that some versions of the bot software they captured could be instructed to remotely start a SOCKS proxy on the compromised host.

The study said that if the attacker controlling the botnet can start the SOCKS proxy on a remote compromised host, that host can be used to send large volumes of junk e-mail. If a botnet contains a large number of compromised hosts, an attacker can easily send large amounts of e-mail from a large number of IP addresses belonging to unsuspecting home computer users.

It may not be surprising that the owners of resource-rich botnets use them for criminal activity. Botnets are also rented out: the botnet operator sells customers a list of IP addresses and ports of hosts offering SOCKS v4 proxy functionality. There is ample documentation of such lists being sold to spammers as a tool for relaying junk mail.

Bottom line

Having observed these methods, the researchers concluded that phishing attacks can happen very quickly: only a very short time passes between the initial intrusion of a server and the phishing site going live on the web. This makes phishing difficult to track and prevent. The study shows that many phishing attacks are carried out in several ways at the same time, are highly organized, and often combine the methods described above.

What should IT administrators do?

Watson points out that hackers often scan large numbers of IP addresses looking for vulnerable hosts to attack. This scanning is indiscriminate, so the most vulnerable servers are found first. Network administrators should therefore follow security best practices: fix the security vulnerabilities of their systems, use a firewall and strict authentication measures, and block unnecessary connections to the server.

Honeynet researcher Clune agrees with this view and advises IT administrators as follows:

Be alert. Phishing sites go from being set up to being active very quickly. These people expect a phishing site to exist only for a short time, so many such sites have to be built. Although a phishing site is short-lived, the losses caused before it is discovered are significant, especially over weekends.

Take care of the simple things. Simply preventing SMTP from being sent directly from all your machines, and allowing only HTTP/HTTPS requests to reach the server, makes your servers less attractive to hackers, who will move on to other, more easily accessible servers. Forcing SMTP through your gateway and scanning for spam there at the same time may completely prevent your servers from sending junk e-mail. For your reputation, that is well worth doing.
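Both the botnet section above (compromised hosts relaying spam through SOCKS proxies) and Clune's advice here come down to the same measurable property: every machine except the mail gateway should have zero mail traffic to the Internet. The following script is an added example, not part of the Honeynet report, that runs that check over flow records and reports the offending hosts together with their destination fan-out, which is what distinguishes a spam relay from a single misconfigured client. The flow records, their CSV layout, the gateway address and the internal address range are all assumptions constructed for this example.

```python
"""Report internal hosts that send mail directly to the Internet instead of
through the mail gateway.  A bot-infected host relaying spam shows up here
as one source talking to many external mail servers on port 25.
"""
import csv
import io
import ipaddress
from collections import defaultdict

MAIL_PORTS = {25, 465, 587}   # SMTP, SMTPS, submission

# Constructed flow export (assumed layout: src,dst,dport,bytes).
SAMPLE_FLOWS = """\
src,dst,dport,bytes
10.0.0.5,203.0.113.5,25,48211
10.0.0.23,198.51.100.77,25,3120
10.0.0.23,198.51.100.78,25,3098
10.0.0.23,192.0.2.200,25,3110
10.0.0.41,10.0.0.5,25,9020
10.0.0.77,203.0.113.9,587,2210
10.0.0.41,203.0.113.50,443,18000
"""


def parse_flows(text):
    """Parse the CSV export into dicts with real address and integer fields."""
    return [
        {"src": ipaddress.ip_address(r["src"]),
         "dst": ipaddress.ip_address(r["dst"]),
         "dport": int(r["dport"]),
         "bytes": int(r["bytes"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def direct_mail_senders(text, gateway, internal_net):
    """Return {src_ip: {"flows": n, "distinct_dst": m, "bytes": b}} for
    internal hosts other than the gateway that opened SMTP/submission
    connections straight to hosts outside internal_net."""
    gw = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(internal_net)
    flows = defaultdict(int)
    dsts = defaultdict(set)
    total = defaultdict(int)
    for f in parse_flows(text):
        if f["dport"] not in MAIL_PORTS:
            continue
        if f["src"] not in net or f["src"] == gw:
            continue                      # external source, or the gateway itself
        if f["dst"] in net:
            continue                      # mail handed to an internal relay is fine
        key = str(f["src"])
        flows[key] += 1
        dsts[key].add(str(f["dst"]))
        total[key] += f["bytes"]
    return {ip: {"flows": flows[ip], "distinct_dst": len(dsts[ip]), "bytes": total[ip]}
            for ip in flows}


def likely_relays(report, min_distinct_dst=3):
    """Hosts fanning out to many external mail servers: the spam-relay pattern."""
    return sorted(ip for ip, s in report.items() if s["distinct_dst"] >= min_distinct_dst)


if __name__ == "__main__":
    report = direct_mail_senders(SAMPLE_FLOWS, gateway="10.0.0.5", internal_net="10.0.0.0/24")
    for ip, stats in sorted(report.items()):
        print(ip, stats)
    print("likely relays:", likely_relays(report))
```

In the constructed data, 10.0.0.23 reaches three different external mail servers in a row, which is the relay pattern the botnet section describes, while 10.0.0.77 is a single client using the submission port directly and probably just needs to be pointed at the gateway. Once the egress rule Clune recommends is in place, this report should come back empty; if it does not, the flows are the firewall bypass to investigate.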
