More fraudsters are adopting new approaches in an effort to make phishing sites undetectable by common security measures such as firewalls and content filtering web proxies.
By replacing some of the textual content on the phishing page with similar-looking images, fraudsters are making it much more difficult for automated systems to detect the presence of keywords such as "PayPal" and "credit card". The following example shows a phishing page that uses this technique to make the page appear legible to a human, but not so legible to a computer:
Highlighting the text in the browser makes it apparent that some of the page is made up of images, which are easily read by a human but will be ignored by content filters that only process the text on the page:
Because the content filters may not detect this page as being a PayPal phishing scam, it could slip through undetected, allowing the fraudster to harvest the credentials of thousands of PayPal customers.
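One way a defender can catch the pattern described above, as an added example that is not Netcraft's code: parse the page, count the text a keyword filter would actually see, and flag credential forms whose surrounding labels are unlabelled images rather than words. The watchlist, thresholds and sample page are constructed for the example.

```python
from html.parser import HTMLParser

# Watchlist a text-only content filter would match on (constructed).
BRAND_KEYWORDS = ("paypal", "credit card", "password", "account")

class PageStats(HTMLParser):
    """Collect the visible text and the counts the heuristic needs."""
    def __init__(self):
        super().__init__()
        self.text = []              # visible text fragments (what a filter sees)
        self.unlabelled_images = 0  # <img> with no alt text: pixels, not words
        self.password_inputs = 0    # <input type="password">
        self._skip = 0              # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "img" and not (a.get("alt") or "").strip():
            self.unlabelled_images += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip().lower())

def assess(html):
    """Return the page's stats plus a 'suspicious' verdict."""
    p = PageStats()
    p.feed(html)
    hits = [k for k in BRAND_KEYWORDS if k in " ".join(p.text)]
    # A login form surrounded by unlabelled images, with none of the expected
    # keywords in the text, is the image-substitution pattern described above.
    suspicious = p.password_inputs > 0 and p.unlabelled_images >= 3 and not hits
    return {"keyword_hits": hits, "password_inputs": p.password_inputs,
            "unlabelled_images": p.unlabelled_images, "suspicious": suspicious}

# Constructed sample: brand name and field labels are images; only the form is text.
SAMPLE_PAGE = """<html><body>
<img src="logo.gif"><img src="hdr1.gif"><img src="hdr2.gif">
<form action="/go" method="post">
<img src="lbl_email.gif"><input name="e"><br>
<img src="lbl_pass.gif"><input type="password" name="p"><br>
<input type="submit" value="Log In"></form></body></html>"""
```

A page whose login prompt is written in text still passes the keyword filter, so the two checks complement each other rather than replacing the filter.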
Detecting "undetectable" phishing sites
The Netcraft Toolbar community is based upon a large network of human scrutinizers, each of whom is able to report suspicious sites with far more accuracy and intelligence than any computer program. Sites such as the one shown in this example are therefore quickly discovered by the Toolbar community and subsequently blocked for all other users.
Netcraft has made the list of phishing sites reported by the Toolbar community and validated by Netcraft available as a continuously updated feed for ISPs, hosting companies, enterprises and other organizations that operate mail servers, web proxies or network monitoring systems. This offers an excellent level of defence against phishing, including sites that use sneaky measures to trick their way past firewalls and web proxies.
If you would like to join the Netcraft anti-phishing community, the Toolbar can be downloaded from toolbar.netcraft.com.
Network Solutions has entered the SSL certificate market, continuing an expansion beyond its core domain name products. By becoming a certificate authority, NetSol will now compete against its former owner VeriSign, currently the largest seller of SSL certificates. VeriSign owned Network Solutions from 2000 until 2003, when it was sold to a private investment firm, Pivotal Private Equity. Network Solutions manages more than 6.5 million domain names, and recently expanded its web hosting business.
NetSol's Secure Link SSL products are being sold at netsolssl.com, with prices ranging from $99 to $159 for one-year certificates for individual domains, and $479 for a wildcard domain to secure multiple subdomains under a single domain. Network Solutions' certificates are chained to the GTE Cyber Trust Global Root Certificate, which means they inherit the trust level of the GTE root and thus will be supported by more than 99 percent of current web browsers. This approach is currently used by The Comodo Group, which also sells certificates chained from the GTE root certificate.
Botnets controlled by fraudsters are running their own DNS nameservers on compromised computers, complicating the task of shutting down malicious sites. The technique can keep phishing sites accessible longer by making the nameservers a widely distributed moving target amongst thousands of compromised machines within a bot network.
In recent days both the Internet Storm Center and DailyDave mailing list have received reports of botnets using rapidly-shifting DNS servers. The sophisticated new strategy makes it harder to target phishing sites at the nameserver level, which can be the most effective route to taking a malicious site offline. If fraudsters are able to compete effectively by deploying botnets as nameservers, additional emphasis will be placed upon the responsiveness of domain registrars.
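The moving-target behaviour described above leaves a signature in DNS data that a resolver operator can look for. The following is an added example, not code from Netcraft or the mailing lists cited: it takes constructed nameserver observations for two zones and flags the one whose NS hosts churn rapidly on short TTLs across unrelated networks. The thresholds and addresses are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class NsObservation:
    """One resolver observation of which host served as nameserver for a zone."""
    seen_at: int   # unix seconds (constructed)
    zone: str
    ns_ip: str
    ttl: int

# Thresholds are illustrative assumptions, not figures from the article.
MAX_TTL = 300          # genuine NS records are normally cached for hours
MIN_DISTINCT_IPS = 5   # served from at least this many hosts in the window
MIN_PREFIXES = 3       # ...spread across unrelated /16 networks

def prefix16(ip):
    """Crude network grouping: the first two octets of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:2])

def flux_report(observations, window=3600):
    """Score each zone's recent NS observations for fast-flux behaviour."""
    by_zone = defaultdict(list)
    for o in observations:
        by_zone[o.zone].append(o)
    report = {}
    for zone, obs in by_zone.items():
        latest = max(o.seen_at for o in obs)
        recent = [o for o in obs if latest - o.seen_at <= window]
        ips = {o.ns_ip for o in recent}
        prefixes = {prefix16(ip) for ip in ips}
        avg_ttl = sum(o.ttl for o in recent) / len(recent)
        # Many short-lived nameservers scattered across unrelated networks
        # is the moving-target pattern, not ordinary redundant DNS.
        flux = (len(ips) >= MIN_DISTINCT_IPS and len(prefixes) >= MIN_PREFIXES
                and avg_ttl <= MAX_TTL)
        report[zone] = {"distinct_ns": len(ips), "prefixes": len(prefixes),
                        "avg_ttl": avg_ttl, "fast_flux": flux}
    return report

# Constructed sample: one zone hops between six NS hosts on 60 s TTLs,
# the other keeps two nameservers in one network on a one-day TTL.
FLUX_NS = ["192.0.2.10", "198.51.100.4", "203.0.113.7",
           "198.18.1.5", "198.19.2.6", "100.64.3.8"]
SAMPLE_OBS = [NsObservation(1000 + i * 300, "example-phish.test", ip, 60)
              for i, ip in enumerate(FLUX_NS)]
SAMPLE_OBS += [NsObservation(1000, "example-bank.test", "192.0.2.53", 86400),
               NsObservation(2800, "example-bank.test", "192.0.2.54", 86400)]
```

In practice the /16 grouping would be replaced by ASN lookups, since a large CDN can legitimately answer from many prefixes.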
To combat phishing Netcraft provides a Toolbar, which operates as a neighbourhood watch system whereby the most experienced members of the community can report and block phishing sites, thereby protecting less experienced users of the Toolbar. ISPs and organizations can block phishing sites at the mail server or proxy server with the Netcraft Phishing Site Feed. The toolbar is available as a free download for users of Internet Explorer, while the phishing site feed is available as a paid-for service (contact us for details).
Bot networks aggregate computers that have been compromised allowing them to be remotely directed by the attackers. Botnets are being used for a variety of scams, including spamming, phishing, sniffing network traffic for unencrypted passwords, and click fraud targeting Google's AdSense program. A March report found that at least 1 million compromised machines are being used in botnets.
Some 5,600 phishing sites have been detected and blocked by people using the Netcraft Toolbar since the system started at the turn of the year, and the community has been widely featured in the media, from the Washington Post and Wall St. Journal through to Slashdot.
Thanks to everyone who has reported sites so far.
A new version of the toolbar is now available, with extensions including easy-to-see site risk ratings, faster browsing, and support for enterprise desktop rollouts.
In addition to blocking known phishing sites, the Netcraft Toolbar now displays a Risk Rating for all new sites it encounters. The Risk Rating - a user-friendly visual summary of the information displayed by the toolbar - evaluates new sites against characteristics of the phishing sites reported to date. Sites which are deemed safe will show a low Risk Rating, while riskier sites will show higher ratings based on a number of factors.
The above example shows a web site used to recruit people to withdraw money from compromised bank accounts. Although the site contains plausible content, the Netcraft Toolbar assigns a high Risk Rating because it is hosted under a newly registered domain, the site has never been seen in the Netcraft Web Server Survey, and the Chinanet Hebei Province network has hosted other fraud sites in the past.
The ratings will evolve and adjust automatically as phishers change their behavior, and along with pre-emptive blocking of cross site scripting, are particularly helpful to people who receive a phishing mail early on, before it has been reported by someone else in the community and blocked.
Protecting Enterprise Networks
The new version of the toolbar can now be run by ordinary Windows users without administrator or power user privileges. This new feature makes it simpler for administrators to deploy the toolbar across enterprise networks, offering real-time protection against phishing threats through automatic updates of the blocklist and Risk Ratings.
The list of sites blocked by the community and validated by Netcraft is also available as a feed suitable for proxy servers and mail servers. Please contact us for details.
Customized Branding and Navigation
Customized versions of the toolbar are available, providing banks, brokerages, credit card companies and ISPs a powerful tool to protect their customers and networks from Internet phishing scams while simultaneously building customer loyalty.
The toolbar can be branded with your logo and customized navigation links, served dynamically from the central server, giving clients the ability to update the toolbar to highlight new services, and other timely customer communication. Over and above the fraud fighting attributes of the toolbar, it is an extremely attractive branding and customer loyalty mechanism, as it keeps the clients' logo and services on screen throughout the time the customer spends using the Web.
The cost per user is very favorable when compared with traditional web advertising, while the branded toolbar maintains contact with the user throughout the time they spend using the Web. If you would like to have a version of the Netcraft Toolbar branded for your organization, please contact us for details.
Distributed denial of service (DDoS) attacks on the Final Fantasy XI virtual world have caused extended downtime within the past week, according to game publisher Square Enix. The attacks, which began April 9, raise the prospect that online games may be emerging as a new target for "DDoS blackmail" schemes.
"Recent technical difficulties with our PlayOnline server are due to a DDoS from anonymous third parties," Square Enix said in a message to users. "We have determined that this activity was undertaken with malicious intent and specifically targeted our network." The company said it has been working with law enforcement officials in the US, Japan and Europe, but has not yet isolated the source of the DDoS. "Attack methods have varied, which has caused a more time-consuming review of our network protection," Square Enix reported.
Serious vulnerabilities have been found in Concurrent Versions System, a source code maintenance system used by many open source development projects. The security holes, which could allow a remote compromise of unpatched servers, are addressed in a security update from the CVS development team.
Version 1.12.2 of CVS fixes a potentially serious buffer overflow. "An attacker could exploit these vulnerabilities to cause a Denial of Service or execute arbitrary code with the permissions of the CVS pserver or the authenticated user," warned an advisory from Gentoo Linux, posted on the BugTraq list.