The phishing attack on the mobile end and how to prevent it

Source: Internet
Author: User
Tags: ssl certificate

Phishing is, in essence, a social-engineering attack that fools the user: the attacker imitates a website the user trusts in order to steal confidential information such as passwords or credit card numbers. Typically the attacker sends the user a link to a near-perfect imitation of the site by e-mail or instant messaging; the user cannot tell it apart from the genuine site, and the attacker collects whatever confidential data the user types in.

Analysis of the attack points of mobile phishing

Because phishing attacks are nothing new, I will only talk about the mobile side.

On mobile this is easier to pull off, because the mobile side has the following characteristics:

Mobile UI: only one application occupies the whole screen at a time, so you can only see one application, and the screen is small and shows a limited amount of information; in a browser, for example, the full URL is usually not visible. This gives phishing attacks a lot of room.

Platform security design: each application is sandboxed and one application cannot read another application's data. Applications are mostly installed from legitimate sources; iOS devices, for example, install through the App Store, and each program carries a signature that guarantees it has not been tampered with. Mobile applications also have permission systems to configure, which further improves security.

Paid apps and piracy: some mobile apps cost money, so there is naturally a demand for pirated copies. The platforms have made some security provisions, but they are not perfect: users can jailbreak or root their devices, and that gives malicious software an opening.

Below we analyse user actions on the mobile side, focusing on the moments when control switches from one place to another (because that is where the attacks happen).

On a mobile device there are basically four kinds of control switch:

From one app to another, which is what we call app-to-app invocation.
From an app to a web page, usually an embedded WebView or the browser.
From a web page to an app, which requires the browser to support custom URL schemes such as skype:// rather than plain HTTP.
From one web page to another, which is the same as on the desktop web.

Basically the attacker's play is always to find one of these switching points and make trouble there, and the scenario has to be one the user is very familiar with (so that the user relaxes his vigilance).

Looking at the characteristics of mobile apps, we can see that when control switches, the following things happen:

Switching to another app may require the user to log in (if the login session has expired).
Paying requires the user to enter payment information (credit card details, payment password).

So what do users frequently do in mobile apps?

Social sharing: sharing to Weibo, sharing to WeChat, and so on. When sharing, you may be asked to enter a username and password.

In-app purchases: broadly there are two kinds of app, free and paid. Most users download the free ones, and then prompts such as "unlock more levels", "remove ads" and "buy items" get the user to enter payment information. Apple's payment flow also has the user enter the Apple ID password.

Clicking links: sometimes we receive a text message, a QR code, or a WeChat or Weibo message that asks us to click a link. That link either opens a web page, launches an app, or jumps to the app market to download an app (if it is not installed).

A good phishing attack therefore starts from these places and then builds a high-fidelity UI and interaction flow that is identical to the user's everyday operation, so that the user notices nothing. Broadly, a phishing attack takes one of two forms:

Direct attack: you have downloaded a malicious app, or opened a malicious fake app.
Man-in-the-middle attack: both ends of the user's control switch are legitimate applications, but the process in between is not.

Attack methods

Here are some common ways to attack:

Invoking one application from another

Direct attack

When you click a social-sharing button or a Pay button, you are taken to a page that asks you to enter confidential information (a password or payment details), and only then is the real app invoked.

A malicious app may lull you into relaxing your vigilance: when you install it, you find that it requests no permissions at all (on Android), not even Internet access. That is because an Android app can reach the network through other components; for example, a malicious app can create a MediaPlayer object, have it fetch a URL, and use that to send out the stolen information.

Getting a malicious app onto your phone is not hard; the usual social engineering applies. Pirated software, pornography, someone posing as customer service and the like exploit human weakness to make you install from an untrusted market. iOS apps can also be installed without the App Store (the itms-services protocol lets an app be installed directly on an iOS device from the Safari browser).

Also, people like a bargain, so they buy cheap phones from places such as Taobao. Today's high-quality counterfeit phones and refurbished second-hand phones cannot be told apart from genuine ones by the average person, or even by security experts, and there is a high likelihood that they carry hidden malicious programs. Do not assume that formatting the phone fixes this. This morning (April 14, 2015) CCTV2's "First Time" programme reported such a case; you can look it up, and there is related news elsewhere. (Be equally careful when selling your old phone: your data is on it, and old phones have become a grey industry.)

In addition, Apple's apps go through a review process that is a mystery to the public but which, I think, includes a security review. Even so, the review may have loopholes to exploit. For example, an app behaves perfectly normally during review, but once real users run it, it downloads its own configuration from a website and changes its behaviour. More directly, the external web pages an app loads during review may be completely different from the ones it loads for users, and Apple has no way to audit the external sites an app will access.

Man-in-the-Middle attack

We know that one app invokes another mostly through URL schemes, a kind of protocol, and such a protocol is very simple to audit, so anything malicious in it is easy to spot. However, if an app has not registered its own URL scheme, or is not installed, and instead another, malicious app has registered that scheme, then the malicious app is the one that gets launched. (This is what I meant in my Weibo post: if the user has not installed the Taobao client, what WeChat launches as "Taobao" could be another, malicious app; a lot of people did not understand it.) Under iOS, the shared keychain mechanism is the right way for two apps to communicate.

Of course, if two applications register the same scheme, iOS and Android give the user a choice (note: iOS may jump straight to one of the apps, and the rule differs between versions and is ambiguous enough to be treated as random). A malicious app will, from the start, try to make itself look more like the genuine app than the genuine app does.

On Android this can be nastier. The malicious app needs only two permissions: one to start in the background when the system boots, and one to read the task list (both are common permissions). With those, when you switch between two apps, the malicious program can watch the task list, jump in front of the legitimate app the instant it appears, collect the user's input, and quietly exit. The program only has to react within about 10ms (ideally about 5ms), which the human eye cannot see at all. (On iOS, a jailbroken iPhone can be attacked this way; for a non-jailbroken iPhone no way has been found yet.)

Embedding the web in an application

This path is easier to attack. Many applications now embed the web, and you have no idea which site is open, because in these embedded WebViews you cannot even see the address. On both iOS and Android the WebView can execute arbitrary JavaScript, and even where a URL is displayed it may be obfuscated or truncated so that you do not see the whole of it, and you are easily fooled. Sites that use HTTPS with an SSL certificate (especially an EV certificate) can show a green indicator in the address bar to confirm you are on the correct site, but not every browser does this; iPhone Safari has no such hint, so you should use Chrome.

Even if you open the correct URL, you may still be hit by a man-in-the-middle. In particular, if the site uses plaintext HTTP and you like to hop onto free WiFi, it is easy for someone on the path to alter the web page the server returns to you, for example by modifying the login form or payment form that the page submits (think of the ads that Chinese network operators inject into ordinary web pages).

On DNS hijacking, some people think they will never encounter it because it is a network-wide problem; that is wrong. Again, if you like a freebie and connect to password-less WiFi, you do not know which DNS server that network hands you: you type www.taobao.com, but the site that opens is not Taobao at all but a phishing site. Will you notice? Basically impossible. That is why security-sensitive sites all use HTTPS; but iPhone Safari still does not warn you when a site's SSL certificate is invalid (in fact many mobile browsers lack this warning; only Chrome has it).
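As an added example (not code from the original post), here is a small Python check that models what a suspicious user, or a WebView wrapper, would look at in the three situations above: a URL whose real host is not the brand the user thinks they see (the user@host trick and Unicode look-alike letters), a login page delivered over plaintext HTTP, and a form whose action a man in the middle has rewritten. Every URL and HTML snippet is constructed for illustration, and taobao.com is used only as the brand the user expects. DNS hijacking is not something this check can catch: the hostname is correct and only the address behind it is wrong, which is exactly why the post says HTTPS and certificate validation are the only real defence.

```python
"""Audit a login page the way a suspicious user (or a WebView wrapper) would.

Added example for this post, not code from the original article. It models
three of the problems described above: a URL whose real host is not the
brand the user sees, a page served over plaintext HTTP, and a login form
whose action a man in the middle has rewritten. Every URL and HTML snippet
here is constructed for illustration; taobao.com is only the brand the
user expects to be talking to.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def true_host(url: str) -> str:
    """Return the host the URL really connects to, in ASCII.

    urlsplit() discards the 'user@' part, so
    https://www.taobao.com@evil.example/ connects to evil.example.
    Internationalised hosts are converted to punycode (xn--...), so a
    Cyrillic look-alike letter cannot pass for the brand.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host.encode("idna").decode("ascii")


def belongs_to(host: str, brand_domain: str) -> bool:
    """True only when host is brand_domain or a subdomain of it.

    www.taobao.com.evil.example and taobao-login.example both fail: the
    brand name appears, but not as the registrable domain.
    """
    return host == brand_domain or host.endswith("." + brand_domain)


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url: str, html: str, brand_domain: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    scheme = urlsplit(page_url).scheme
    host = true_host(page_url)
    if scheme != "https":
        findings.append("page loaded over %s: anyone on the path can rewrite it" % scheme)
    if not belongs_to(host, brand_domain):
        findings.append("URL really points at %s, not %s" % (host, brand_domain))
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        # A relative action such as /member/login resolves against the page URL.
        target = urljoin(page_url, action)
        target_scheme = urlsplit(target).scheme
        target_host = true_host(target)
        if target_scheme != "https" or not belongs_to(target_host, brand_domain):
            findings.append("login form posts to %s over %s" % (target_host, target_scheme))
    return findings


# Constructed samples: a genuine page, and the same page after an injector on
# free WiFi has pointed the password form at a collector it controls.
GENUINE_URL = "https://login.taobao.com/member/login.jhtml"
GENUINE_HTML = '<form method="post" action="/member/login"><input name="pw" type="password"></form>'
TAMPERED_HTML = '<form method="post" action="http://collector.example/grab"><input name="pw" type="password"></form>'
LOOKALIKE_URL = "https://www.t\u0430obao.com/member/login"  # Cyrillic 'a' (U+0430) replaces Latin 'a'
USERINFO_URL = "https://www.taobao.com@evil.example/member/login"


if __name__ == "__main__":
    cases = [
        (GENUINE_URL, GENUINE_HTML),
        ("http://login.taobao.com/member/login.jhtml", TAMPERED_HTML),
        (LOOKALIKE_URL, GENUINE_HTML),
        (USERINFO_URL, GENUINE_HTML),
    ]
    for url, html in cases:
        print(url)
        for finding in audit_login_page(url, html, "taobao.com") or ["no findings"]:
            print("   ", finding)
```

The genuine page yields no findings; the plaintext page with the rewritten form yields two (transport and form destination), and both deceptive URLs are reported under their real host, with the relative form action following the page to the wrong host as well. On a phone, where the address bar is short or absent, the point is that the host must be taken from the URL the WebView actually loaded, not from what the screen shows.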

I do not want to say too much about attack methods. There are many advanced and underhanded ones; some I do not know in detail, and the ones I do know I will not describe, otherwise it amounts to teaching people to commit crimes.

Invoking an app from the web works the same way as one app waking up another, so I will not repeat it.

How to guard against phishing attacks

First of all, we need to understand that defending against phishing is very difficult. In general it has to be tackled on four fronts: legislation, user training, public awareness, and technical protection measures.

Education

One strategy against phishing is to train people to recognise phishing and teach them how to respond to it. Many problems can be avoided simply by changing browsing habits. As people become more aware of the social-engineering techniques phishers use, traditional phishing techniques may become obsolete.

Be careful with links others send you, especially links that ask you to enter confidential information.

Buy phones from legitimate outlets and do not be tempted by bargains. An old phone should be "physically wiped" before it is sold.

Do not jailbreak or root your phone.

Do not download software from untrusted sources.

Be careful with free WiFi.

When entering confidential data, check the page carefully first.

Rely on several separate security systems. For example, do not depend solely on Alipay for online payment; use a credit card where possible (and do not set a PIN on it), so that if you are phished, the bank provides a safety buffer and can reject a transaction it does not recognise.

Phones are used more and more, so I strongly recommend using the more secure iPhone; be sure to turn on "Find My iPhone" and set a passcode. A lost iPhone then cannot be used by anyone else, even after reflashing (from iOS 7).

For key sites, turn on two-step verification, so that even if your username and password are stolen, the one-time code on your phone still stands as a login checkpoint.

Technical measures

Using SSL certificates to guarantee that the browser is talking to the real site is now widespread and, in theory, sound. Modern browsers show a lock next to the URL, and for an EV certificate the address bar turns green (easily distinguishable).

Firefox also has a Petname plugin that lets you attach labels to your websites; when you open a phishing site the label does not appear, which tells you something is wrong.

Regarding SSL certificate authorities: manage the root certificates your browser trusts, and remove the ones you do not need.

Another popular anti-phishing measure is to keep a list of known phishing sites that is updated continuously, such as PhishTank and the Anti-Phishing Alliance of China.

Incremental login. Bank of America uses this: you upload a picture you recognise, and when you open the login page and type your username, the picture you chose is displayed. If it is missing or wrong, you are on a phishing site.

Two-step verification: log in with the user's password plus a one-time code generated on the phone (many sites use Google Authenticator for this, which is much like the dynamic passwords used for corporate VPNs).

The above are defences for the PC web; on mobile they are still not good enough, and mobile security needs more work.

Security risk control

What is called risk control is, put plainly, setting money aside to compensate users who have been defrauded. Believe me, basically every company does this: no matter how good your security, you cannot guarantee absolute safety; you can only reduce the number of users defrauded or the probability of it. So almost every company has a fund earmarked for compensation.

In Western countries the user experience is good. Let me tell a story. I have a sister in England. One day she went to an ATM to withdraw money, took the cash and forgot to take her card, and the person behind her used it to withdraw money. She reported it to the police, and after they had taken the report she called the bank's customer service to explain the situation, intending to freeze the card; instead, the bank paid back all her losses. Barclays can be so generous because it has a risk-control fund for exactly this kind of thing.

In China, banks and some big companies also have such risk-control funds, but to get paid at all (and never in full) you have to complain very persistently. To get everything back, I reckon you have to be a real troublemaker; otherwise they bully you, for no reason.

About WeChat and Taobao

Who blocked whom first between WeChat and Taobao, I do not care; the commercial interests behind it, I do not care about; whether WeChat supports selling things, I do not care about. What I care about is the "cold winter" article on the security problem of Taobao phishing within WeChat.

Technically, I think neither WeChat nor Taobao can solve this unilaterally; the security experts on both sides need to discuss it (if necessary, I can help arrange it). Here I offer a possible, very immature scheme as a starting point (I am not considering the commercial competition between you; I look at it only from the user's perspective, customer first):

From the business side, Taobao could have an official mall within WeChat, and Taobao merchants would need WeChat certification before they could share product or shop links. For this, I think integrating WeChat service accounts with the Taobao merchant back-end can be done.

Then merchants and buyers could share goods only through the WeChat official mall or the merchant's service account, and the shared product information could take a relatively distinctive form (such as an unforgeable official certification label). The user's payment could go through WeChat's built-in payment or a built-in Alipay (launching a separate app is not a good way to do this; the two sides should talk server to server).

Then WeChat and Taobao should both publicise to society which goods on WeChat are legitimate and which are phishing, and educate users in safer use of their phones.

P.S. I say this, but personally I understand that WeChat, in order to give users a good experience, does not want to become a place where marketing goods are everywhere. So personally I hope WeChat does not turn into a business marketing channel. I also know how much Alibaba values the mobile side, so although the above scheme is better for both user experience and security, given current commercial interests it seems basically impossible to achieve. But I am only a catalyst here.

Faced with security and users, you two, China's largest Internet companies, should set a good example. You are not short of money; you should take on more social responsibility and really do something for users, rather than thinking about traffic entrances, blocking each other, blaming each other, and counting how many users you can keep for yourselves. That is damn low and completely beneath your position. So, from the user's point of view, I hope WeChat and Taobao can stand with the user and work together to truly serve users better.
