April 24, 2006

disparity between the stupid and the clever


all of us know very well about phishing attacks, right? i just felt like listing out how clever these attacks can get and, as the title suggests, how stupid people can behave when a phishing attack is launched on them. when you combine these two factors, *bam*, you've got a multi-million dollar industry.

so first, let's take a look at how stupid people can get:

a security professor at a reputed university conducted this little experiment to see how easy it is to swindle people out of their passwords. he wanted to test the extent to which people would trust emails that came from familiar/trusted sources. so he collected a list of friends of a bunch of students from the popular 'facebook', and sent a mail to each student. this email looked as if it was forwarded by a friend of the target student and it read, "hey, check out this cool link!!" (as you all know, this is the very first sign of something fishy) followed by a link forwarded to the sender by someone else (possibly unrecognized by the target - remember this part as it plays an important role in a variant of the experiment, which is described later here).

(a little digression at this point)
a dumb idiot would directly click on the link, while we clever and alert computer literates would first place our mouse pointer over the link, take a peek at the destination, and only then click on the link, right? by doing this, most of us get the "oh so wonderful" feeling that we're being very cautious and that no one can hoodwink us, right? you couldn't be more wrong. 'cross site scripting' (XSS) attacks only need the user to roll the mouse over a malicious link posted on a 'good' site and the user's cookies get hijacked. usually, the 'good' site is a bulletin board or an online discussion forum, where anyone can post anything. just imagine you're part of one of these discussion forums. you see a post from a member with an interesting title. you click the title to open the article (remember, the title points to a page on the forum/bulletin board itself and so doesn't raise any questions in your head). when the page opens, there's a huuuuuuuuge picture link that spans the entire width and height of your screen, so your mouse is automatically on that link and your cookie's stolen!!
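the forum scenario above, as an added example that is not part of the original post: a page that pastes a poster's raw markup straight into the page lets a mouse-over handler through, while a page that renders only an escaped title plus an allowlisted http(s) link leaves nothing for the handler to live in. the forum address and the function names are made up.

```javascript
// Added example (not from the original post). A forum page rendering a
// user-posted link: first the way that lets a mouse-over handler through,
// then with escaping and an href scheme allowlist. Names are assumed.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the poster's raw HTML is pasted into the page, so any
// attribute they wrote (onmouseover, onclick, ...) becomes live script
// that runs in every reader's session on this site.
function renderPostUnsafe(postHtml) {
  return '<div class="post">' + postHtml + '</div>';
}

// Hardened: the forum accepts only a title and a URL, never markup. The URL
// must parse and be http(s), and both values are escaped into fixed text
// and attribute slots, so no handler attribute can be smuggled in.
function renderPostSafe(title, href) {
  let url;
  try { url = new URL(href); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return '<div class="post"><a href="' + escapeHtml(url.href) + '">' +
         escapeHtml(title) + '</a></div>';
}

// Constructed sample post: a full-screen image link carrying a mouse-over
// handler, the trick described above (alert(1) stands in for the script).
const maliciousPost =
  '<a href="http://forum.example/thread/42" onmouseover="alert(1)">' +
  '<img src="http://forum.example/big.png" width="100%" height="100%"></a>';

// True when the markup still contains a quoted on*= handler attribute.
function hasLiveHandler(html) {
  return /\son[a-z]+\s*=\s*["']/i.test(html);
}
```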

(back to the experiment)
alright then, so the emails were sent out, people started clicking on the link, and a page opened up that said "you need to login using your university id and password". apparently, this website was created in such a way that the passwords of the people who tried to login were not stored anywhere (good professor, but who knows?). instead, it just counted the number of login attempts that were made. (it just struck me that a few people could have entered meaningless ids and passwords, but i'm sure that would have formed only a small percentage of the results, which follow.) so what would be your guess at the percentage of students that fell for this well-known trick? well, the count was a whopping 71%.

"hmm . . . well that's expected. it probably looked like a legit university page, with the university logo and everything," you say? that's because i haven't yet mentioned the most important part of the experiment - the address bar of the website read something like *stealyourpassword.com*. (i'm sooooooo tempted to use upper case letters here)

that's right!! and 71 bloody percent of the students gave away their passwords. i leave the conclusion to you people.

that's not all. there was a variant of the experiment with a different set of targets (obviously). in this variant, the email sent to each student had a deliberate, glaring giveaway. remember i mentioned that the link was present as part of a mail forwarded to the sender by someone else? so now, the email received by the target said that the sender had received that email from the target in the first place. now tell me, how many people do you think would go and directly click on the link, which in fact was below the from, to, subject, sent, etc. fields of the forwarded mail?? 48%. period.

i have reason to believe these students were actually computer science students. worse, they were all taking that professor's security class. i earnestly pray that's a distortion of the truth and that these students were not very familiar with security issues. in any case, no wonder the phishing industry is a multi-million dollar industry.

now, let's see how clever phishing attacks can get:

as we all know, the basic version is an email purportedly from our bank or paypal.com or whatever, asking us to login to a page that's a twin of the real bank or paypal.com homepage. once we're past the login page (even when we *clever observers* provide non-existent username and passwords just to check it out!!), we're asked for all the booty - our full name, address, credit card number, date of expiration, mother's maiden name, etc. (if you ask me, these guys are a bit too ambitious, don't you think? they want *everything*)

so we *acute observers* see through this prank by looking at the address bar, which is generally very close to the actual site's address but off by a character, or with a numeric '0' in place of the letter 'o', etc.: minor details which can (and do) easily go unnoticed. in fact, some phishing sites show only an ip address and don't have a readable name at all, which in my opinion should act to the attacker's disadvantage (which apparently doesn't seem to be the case!!)

so here comes the second version of the attack where the address bar looks perfectly legitimate. how is this done? though the actual address bar of the browser contains the illegitimate site's address, it is hidden behind an image which shows a valid address. wouldn't you fall for that? agreed you know that no legitimate site would ask you for all the booty on one single page. but what if the attacker behaved in a slightly less greedy fashion, and is only interested in getting your password? once you supply your password, the attacker's program redirects you to the actual legitimate site and logs you in with your credentials, leaving no trace of what transpired.

some of you *astute* observers probably have a huuuuuuuge grin on your face right now, and are probably saying to yourself "i wouldn't have fallen for that. i know that these illegit sites don't show a 'lock' in the bottom right part of the browser window. yaaaaaaaaay" (lock shown in the following picture). again, you couldn't be more wrong. the attacker can put all the locks and keys he wants. he can even buy a bloody ssl certificate for a measly amount of money.

[picture: the browser's 'lock' icon]

and here's the third version - the worst of them all. you buy a wireless router off ebay for your home wi-fi connection and happily use it to perform all your online banking transactions. while wi-fi connections can themselves be easily intercepted by even a novice hacker, that's not the point here. assuming that there is no eavesdropper around listening on your wi-fi network, would you feel safe? of course you would. that's exactly how the attacker wants you to feel, while he has happily obtained your bank's password. "whooooooaaaaa!! how the hell did that happen?," you ask? all he has to do is create a bunch of sites that are replicas of all the major banking sites. (if you use a lesser known bank, then you're probably lucky and won't be affected.) then he buys a wireless router, flashes it so that the routing table now points to his version when you type www.<mybank>.com in your browser, and puts it up for sale on ebay for half the price. this is the router that's sitting in your house right now, and directing you to his site each time you login to your bank. ha ha gotcha!!

so as you can see, you really don't need people to be stupid to wipe their accounts clean. but, stupidity is definitely a desirable and a favorable characteristic as far as the attacker is concerned.

i consider myself to be one of you 'observers'. and i admit that i would fall for the second version.

gets you thinking, huh?

it is claimed that there are 5 different gangs in the world that mastermind all phishing attacks. if any of you knows where they hire their programmers from, please let them know that i'm interested.

-w

7 Comments:

Anonymous Anonymous said...

Hi.
This is the first time i've come across your blog.
Your blog perfectly balances equal amounts of fiction and science.

May 03, 2006 3:22 AM  
Blogger -w said...

This comment has been removed by a blog administrator.

May 04, 2006 2:15 PM  
Blogger -w said...

This is the first time I've received an anonymous comment. Your comment balances equal amounts of excitement and mystery in my head (even if you're possibly just a program whose job is to post random comments on random blogs)

Thank You(?)

May 05, 2006 11:49 AM  
Anonymous Anonymous said...

Hi.
This is just to confirm that it (the anonymous comment) is not a program and also no mystery. I'm a programmer myself. Should I think of your remark as a sarcastic one (as it seems at first sight) or just a witty comment?

May 10, 2006 7:37 AM  
Anonymous Anonymous said...

Hi.
This is just to confirm that it (the anonymous comment) is not a program and also no mystery. I'm an amateur programmer.
Should I think of your remark as a sarcastic one (as it seems at first sight) or just a witty comment?

May 10, 2006 7:48 AM  
Blogger Chaitan Bandela said...

Maybe your article is a little bit alarming. But considering the widespread issues with phishing attacks, it's probably a good idea.

But I just wanted to make clear a few of the comments you made.

1. It's true an attacker can hijack cookies simply when the users hover their mouse over a malicious link posted on a 'good' site. But only cookies for that website.
- So first of all, if you received this link in an email, then your email client can disable javascript (and still display HTML emails just fine).
- If you are on a discussion board, then it's a bad site if it is not protecting its users and the average user doesn't have to worry about losing anything critical by compromising their account to such an incompetent site.

2. ssl certificates not only serve secure transmission purposes but also authentication. if you click on the 'lock' and examine the certificate, you can know if the website is who it claims to be. but that said, XSS exploits can still happen on secure 'good' sites.

2.5 yes, it is cheap to get an ssl certificate and have that lock show up on the status bar of a malicious website. but it is impossible to beat authentication. the certificate will not say that the website is a 'good' one when it is not.

3. dns hijacking (ebay wireless modem) is the most difficult to figure out for the average user. but this problem is easily solved if the user takes the extra step of examining the ssl certificate when they are on the bank's website, before they proceed.

my advice to folks. avoid using any links for 'interesting articles'. go to google or the referred website and search for the same. even if you want to live on the edge and be careless most of the time, be careful when banking and simply examine ssl certificates before typing in your credentials. ssl certificates are impossible to duplicate as of today.

May 10, 2006 10:56 AM  
Blogger -w said...

chaitan,

this is what scares me the most: till date, i've never clicked on and verified any 'lock'. i'm worried about those millions of non tech-savvy people who don't even know that this lock exists or what it signifies. i guess i need to stop worrying about others and start worrying about myself and start looking at these certificates from now onwards.

sara,

i wonder how many people fell for the blatantly obvious trick present on the link you posted. but i'm sure that it isn't none.

anonymous,

your first comment did have me guessing at whether you're lifeless (because the comment was short and vague) or real (because you didn't leave a 'check out my blog' kinda thing, which is generally what these silly bots do). so anyway, now that you've confirmed your nature, i'm really glad you found this blog worth returning to!! you may rest assured now that there's no sarcasm (at least, not anymore :))

love you all,
-w

May 14, 2006 1:15 AM  
