0

Phishing: An Interesting Twist On A Common Scam

Written By: Darren Miller

You may reprint or publish this article free of charge as
long as the bylines are included.

Original URL (The Web version of the article)

————

href=”http://www.defendingthenet.com/newsletters/Phishing-A
nInterestingTwistToACommonScam.htm” target=_blank>
Phishing: An Interesting Twist On A Common Scam

Title

—–

Phishing: An Interesting Twist On A Common Scam

After Two Security Assessments I Must Be Secure, Right?

———————————————–

Imagine you are the CIO of a national financial institution
and you’ve recently deployed a state of the art online
transaction service for your customers. To make sure your
company’s network perimeter is secure, you executed two
external security assessments and penetration tests. When
the final report came in, your company was given a clean
bill of health. At first, you felt relieved, and confident
in your security measures. Shortly thereafter, your relief
turned to concern. “Is it really possible that we are
completely secure?” Given you’re skepticism, you decide to
get one more opinion.

The day of the penetration test report delivery is now at
hand. Based on the previous assessments, you expect to
receive nothing but positive information……

The Results Were Less Than Pleasing

————————————–

During this penetration test, there were several interesting
findings, but we are going to focus on one that would knock
the wind out of anyone responsible for the security of
online systems. Particularly if you are in the business of
money.

Most people are familiar with the term “Phishing”.
Dictionary.com defines the word Phishing as “the practice of
luring unsuspecting Internet users to a fake Web site by
using authentic-looking email with the real organization’s
logo, in an attempt to steal passwords, financial or
personal information, or introduce a virus attack; the
creation of a Web site replica for fooling unsuspecting
Internet users into submitting personal or financial
information or passwords”. Although SPAM / unsolicited
e-mail and direct web server compromise are the most common
methods of Phishing. There are other ways to accomplish this
fraudulent activity.

Internet Router Compromise Makes For A Bad Day
In this case, the Internet router was compromised by using a
well-known CISCO vulnerability. Once this was accomplished,
the sky was the limit as far as what could be done to impact
the organization. Even though the company’s web server was
secure, and the Firewall that was protecting the web server
was configured adequately, what took place next made these
defense systems irrelevant.

Instead of setting up a duplicate login site on an external
system, then sending out SPAM in order to entice a customer
to give up their user ID, password, and account numbers,
another approach, a much more nefarious approach was taken.

Phishing For Personal Or Financial Information

———————————————-

You remember that router that was compromised? For proof of
concept purposes, the router configuration was altered to
forward all Internet traffic bound for the legitimate web
server, to another web server where user ID, password, and
account information could be collected. The first time this
information was entered, the customer would receive an
ambiguous error. The second time the page loaded, the fake
web server redirected the customer to the real site. When
the user re-entered the requested information, everything
worked just fine.

No one, not the customer, nor the company had any idea that
something nefarious was going on. No bells or whistle went
off, no one questioned the error. Why would they, they could
have put the wrong password in, or it was likely a typical
error on a web page that everyone deals with from time to
time.

At this point, you can let your imagination take over. The
attacker may not move forward and use the information
collected right away. It could be days or weeks before it is
used. Any trace of what actually took place to collect the
information would most likely be history.

What Do You Really Get Out Of Security Assessments

—————-

I can’t tell you how many times I’ve been presented with
security assessment reports that are pretty much information
output from an off-the-shelf or open source automated
security analyzer. Although an attacker may use the same or
similar tools during an attack, they do not solely rely on
this information to reach their goal. An effective
penetration test or security assessment must be performed by
someone who understands not only “security vulnerabilities”
and how to run off-the-shelf tools. The person executing the
assessment must do so armed with the tools and experience
that meets or exceeds those a potential attacker would have.

Conclusion

———-

Whether you are a small, medium, are large company, you must
be very careful about who you decide is most qualified to
perform a review of your company’s security defense systems,
or security profile. Just because an organization presents
you with credentials, such as consultants with their
CISSP….., it does not mean these people have any
real-world experience. All the certifications in the world
cannot assure you the results you receive from engaging in a
security assessment are thorough / complete. Getting a
second opinion is appropriate given what may be at stake. If
you were not feeling well, and knew that something was wrong
with you, would you settle for just one Doctor’s opinion?

Quite frankly, I’ve never met a hacker (I know I will get
slammed for using this term, I always do), that has a
certification stating that they know what they are doing.
They know what they are doing because they’ve done it, over
and over again, and have a complete understanding of network
systems and software. On top of that, the one thing they
have that no class or certification can teach you is,
imagination.

About the Author

About The Author
—————-
Darren Miller is an Information Security Consultant with
over sixteen years experience. He has written many
technology & security articles, some of which have been
published in nationally circulated magazines & periodicals. If you would like to know
more about computer security please visitus at
http://www.defendingthenet.com.

Previous post:

Next post: