Fighting against Phishing?
February 23rd, 2008 by Jordan Del-Grande

Lately I have had discussions with members of my team about the increase in phishing attacks. In addition, when chatting with clients and reading bank web sites, I see advertisements for secure code, improved security through two-factor authentication, sophisticated fraud detection systems, early-warning phishing scam alerts, and so on. I always find it funny when companies advertise security, because they use buzzwords like the above that could just as well be read as: “so you also do insecure coding?”, “and sometimes you worsen your security with other products?”, “and there are unsophisticated fraud detection systems, but you have the other kind?”, or “the other guys bought the late-warning detection system but you didn’t?”…
Anyway, most of the controls listed above are attempts to mitigate the phishing that has been increasing at an impressive rate over the last several years. In an attempt to protect the end user, the banks are spending a lot of money on these controls to finally stop phishing and, if you believe the advertising spin, to cease fraudulent Internet activity altogether. The question I am asking today is: well, does it?
In short, the above controls will mitigate phishing attacks as we define them today. The unfortunate truth for end users and banks alike is that the attack itself will morph into something new to bypass the current controls, and the “phishing” definition will then need to be updated by the security terminology police, or a new word coined for the new subset of phishing.
You may be asking yourself, “hold on, they have two-factor authentication, that definitely stops phishing attacks, doesn’t it?”
The classic response I give most clients is yes and no. Yes, it may stop the majority of phishing attacks today, but tomorrow brings a brand new day and no, it may not stop them then (in the example below, tomorrow is actually today… think about it).
You see, an attack is not static, and the above controls assume that phishing will remain the same and that once these controls are in place everything should be OK… right? Well, at least that is what the people implementing or selling these systems tell their upper management and/or clients until the project wraps up. By then it will be time to work on the next big idea, as the old anti-phishing project just isn’t cutting it. And once again they can say: not our fault, those hackers are really, really intelligent.
I guess people who work in the anti-phishing industry might be upset by the above statements, but to be honest it is the same kind of statement I could make about any other “anti” security industry, such as the anti-virus industry. That is: a malicious person or organisation (or an anti-virus company) releases a virus -> businesses and end users are frightened and buy anti-virus software to stop it -> the anti-virus company builds and distributes protection -> businesses and end users feel safe and keep renewing the contract -> the anti-virus company and the malicious party both make money.
OK, maybe you think I am being too cynical and a bit harsh with my words, and that phishing is different… Well then, how about I finish with an example…
MPack is a nice/nasty (depending on your viewpoint) exploit kit: a web application installed on a compromised or attacker-owned server that fingerprints the browsers of visiting clients and serves exploits for the vulnerabilities it finds, so vulnerable clients that talk to that server end up infected. For our purposes the client is you (your PC), and the servers are your favourite bank and, to go along with the phishing theme as promised, a phishing site impersonating that bank which hosts the kit (see below).
Banking Site <—–> Phishing Site
|——————-You——————-|
So here is the scenario… You get an email saying your bank is upgrading its Internet banking site and you need to log in immediately for security reasons. The email is actually spam from an organised crime group. You click the link, which takes you to the phishing site hosting an MPack kit. Either your patches are not up to date or the MPack server has a 0-day exploit, and your machine is compromised. Malware is then downloaded to your computer without your knowledge. Note: in the classic phishing attack your username and password are stolen when you submit them to the phishing site. In this attack that step is not even necessary (do you see the phishing attack morphing?).
On a completely different day (or any time after your machine has been owned), you decide to do some Internet banking and log in to your favourite banking site. The malware now resident on your computer (which has been happily logging everything you do, as well as acting as a part-time warez server and/or pr0n site) notices the bank URL in your browser. A program is launched (again without your knowledge) that sits inside your browser, i.e. inside the authenticated session, after TLS has already been terminated, so SSL certificates, cookies and the like do nothing to protect you. You happily type in your username and password, because you are a security-savvy individual who can see the padlock on the screen, and enter the site.
Note: this is where the malware becomes especially important in the attack. Instead of you seeing what the bank is actually displaying, the malware intercepts the response and displays what the attacker wants you to see. Hence it is up to the imagination of the malware's programmer which attack she would like to deploy. Here we will use one simple example in which you lose all the money in your account.
Note: the malware in your browser is analogous to a brain suffering from schizophrenia: the person has a distorted view of reality.
You now browse to the account transfers section to transfer funds from your account to your local gas company. The malware still shows you the gas company's details on screen, but in the request it actually sends to the bank it has replaced them with a mule account. You click transfer and are then asked either to click a number of images or to enter the PIN from the new and “secure” SMS service on your phone. You click the right combination of images or enter the PIN and click pay. The malware happily forwards these values, and since the code only proves that you are present, not which transaction you intended, the bank sends the money to the mule account.
Note: if the SMS contained the destination account number (or part thereof) you would have a channel the malware on your PC cannot rewrite, and if you were really paying attention and compared it against the payee you intended, rather than against the screen, you might catch that something is wrong. What the malware can do is keep the screen consistent, showing the gas company's account where the bank is actually being told the mule's, so nothing on the PC prompts you to look closely. Either way, it depends on the bank's implementation of two-factor authentication: whether the code merely confirms that you are there, or is bound to the specific transaction the bank received.
Hopefully enough said.
Happy Banking!