Computer Forensics for Preventing Email Phishing

Last reviewed: July 7, 2010

It is no secret that white-collar crime has grown rapidly since the advent of the Internet. Reports state that white-collar crime costs approximately twenty times more each year than street crime. Fraud is a "generic term" that "embraces all multifarious means which human ingenuity can devise, which are resorted to by one individual, to get an advantage over another by false representations" (Singleton, Singleton, and Bologna, 2006). This may include "surprise, trick, cunning and unfair ways by which another is cheated" (Singleton, Singleton, and Bologna, 2006).

Fraud, according to the U.S. Supreme Court, involves the following elements:

(1) That the individual has made a representation in regard to a material fact;

(2) That such representation is false;

(3) That such representation was not actually believed by the defendant, on reasonable grounds, to be true;

(4) That it was made with intent that it should be acted on;

(5) That it was acted on by complainant to his damage; and

(6) That in so acting on it the complainant was ignorant of its falsity and reasonably believed it to be true. (Singleton, Singleton, and Bologna, 2006)

Email phishing is one form of fraud as described above: it involves sending emails that misrepresent their origin or purpose in order to cheat the recipient. Phishing emails have cost individuals and companies both in monetary terms and in terms of privacy violations. The work of Watson, Holz, and Mueller (2005) entitled "Know Your Enemy: Phishing" states that email phishing is

"…the practice of sending out fake emails, or spam, written to appear as if they have been sent by banks or other reputable organizations, with the intent of luring the recipient into revealing sensitive information such as usernames, passwords, account IDs, ATM PINs or credit card details. Typically, phishing attacks will direct the recipient to a web page designed to mimic a target organization's own visual identity and to harvest the user's personal information, often leaving the victim unaware of the attack." (Watson, Holz, and Mueller, 2005)

Jakobsson and Soghoian (2009), in the chapter entitled 'Social Engineering in Phishing', report that social engineering is a term "used to describe psychological tricks aimed at making victims agree to things they would not have done normally. Phishing is the theft of user credentials, such as passwords, social security numbers, PINs and answers to security questions." (Jakobsson and Soghoian, 2009) Social engineering is stated to have "become prevalent around 2003; it is a crime that is on everybody's lips." (Jakobsson and Soghoian, 2009) In fact, many online crimes rely on inducing the victim to take some action by "convincing him to do so." (Jakobsson and Soghoian, 2009)

It is necessary to understand the risks of deception faced by consumers, and this calls for a proactive approach "in which the expected vulnerabilities are minimized by the selection and deployment of appropriate e-mail and web templates, and the use of appropriate manners of interaction." (Jakobsson and Soghoian, 2009)

Those with specialist technical knowledge often fail to grasp that the average consumer cannot be protected simply through the security measures they themselves use. The average consumer, however, is much more susceptible to social engineering attacks. A study involving 2,500 subjects, reported by Fogg et al. (2001, 2003), "investigated how different elements of web sites affect people's perception of web sites." (Jakobsson and Soghoian, 2009) Findings show that "23% of individuals in the study overlooked browser-based security clues such as the address bar, the status bar, and the SSL lock icon, and 40% of subjects made the wrong security decision." (Jakobsson and Soghoian, 2009)

II. Project scope proposal

The purpose of this study is to review and examine computer forensics techniques for email phishing. Towards this end, this work will review publicly available information located online, including company reports, news reports, journal articles, and similar sources. Any information assurance risk analysis should consider legitimate, known threats that pertain to the subject organization; based on the research information gathered, the presumed process strengths and vulnerabilities of any organizational computing and networking infrastructure will be identified in depth.

III. Forensic Methodology, Requirements, Issues and Trends

According to the Frost and Sullivan work entitled "Key Challenges in Fighting Phishing and Pharming", phishers, in order to evade the text-scanning techniques that anti-phishing systems apply to websites, use Flash-based websites that hide the content inside a multimedia object (paraphrased). As well, to evade the anti-phishing filters currently in use, "phishers are using images instead of text to make it harder to detect text commonly used in phishing emails. A user facing a phishing site should be able to differentiate what text is and what an image is." (nd) Additionally reported is that "new and improved telecommunications infrastructure gives to phishers the ability to control and access in new ways with new techniques for cybercrime." (nd) Large Internet-based companies such as "AOL, MySpace, and Paypal, and retailers such as TJX Companies, have been victims and have had to spend large amounts of capital -- and jeopardized branding -- due to phishing attacks." (Frost and Sullivan, nd)

The specific incidents reported in the Frost and Sullivan report are those as follows:

1. Early phishing in AOL: Posing as an AOL staff member sending an instant message to a potential victim, phishers ask users to reveal passwords in order to "verify your account" or "confirm billing information." This way, hackers used phishing to obtain legitimate AOL accounts (1990).

2. PayPal: Users were redirected to a fake site in an attempt to collect password details (2005).

3. MySpace: A computer worm altered links to redirect visitors to specially designed websites, stealing login details (2006).

4. Banamex: Despite preventive measures against phishing attacks through the use of OTP tokens (One-Time Passwords and keys for a single use), in 2006 phishers attacked the Banamex OTP token (named NetKey), using the token-based system itself as a pretext to generate confusion among users and ask them to provide their passwords. This was not the first attack on this entity. (2006)

5. Banco Chile: A phishing email with the bank's logo: "During our regular maintenance and verification processes, we have detected an error in the information we have associated with your account." The mail content specifies some factors which could provoke the error and contains a phishing link at the bottom of the email. (2008)

6. Twitter: A phishing scam spreading quickly via direct message, "Hi, this you on here?", and providing a phishing link which can take your personal information and hijack accounts. (2009) (Frost and Sullivan, nd)

It is reported in a Symantec Blog article written by Antonio Forzieri (2008) that there are specific dilution strategies which are classified by the type of data provided to the phishing site:

(1) Random Data: a large amount of random, unformatted data is submitted. This strategy attempts to fill up the collection point, but has the drawback that fraudsters can easily identify the fake data.

(2) Properly Formatted Data: a large amount of properly formatted data is submitted. This avoids the drawback of the first dilution type while still filling up the collection point.

(3) Tag Data: here the fake data submitted is actually valid and accepted by the institution's website. Injecting this data allows financial institutions to track criminals more easily and to gain additional forensic information. (Forzieri, 2008)

Frost and Sullivan report that there are several classifications of 'phishing' which include the following types of phishing:

1. Deceptive Phishing: The most common type. It consists of a deceptive email masquerading as one from a trusted company. The recipient clicks on the link contained in the message and is unwittingly redirected to a fraudulent website.

2. Malware-Based Phishing: A variant of phishing that involves the execution of malicious software on the user's computer. The user must perform some action that allows the malware to run (open an attachment, visit a website and download a program, etc.).

3. Keyloggers / Screen loggers: Keyloggers are programs that, once installed on the computer, record keystrokes whenever a registered website is accessed. The recorded data is sent to the phisher over the Internet. Screen loggers have the same function, but capture screen images.

4. Session Hijacking: Describes the assault that occurs once the user has accessed any website registered by the software. These programs are often disguised as browser components.

5. Web Trojans: Programs that display a pop-up screen over a legitimate website's validation pages. The user may think he or she is entering details on the real website, while in reality the details are being entered into the malware.

6. System Reconfiguration Attacks: The attack takes place by changing the configuration parameters of the user's PC, i.e. modifying the domain name system settings.

7. DNS-Based Phishing ("Pharming"): This offense is based on interference in the domain name lookup process: the domain name resolution is modified so that the user is sent to a different IP address.

8. Content-Injection Phishing: The phisher introduces fraudulent content into a legitimate website.

9. Data Theft: Malicious code that collects sensitive information stored on the machines on which it is installed.

10. Man-in-the-Middle Phishing: The phisher takes a position between the user's PC and the server, filtering, reading and modifying information.

11. Hosts File Poisoning: Another option for pharming. In this case the attack is carried out by altering the local hosts file, which the machine consults before querying DNS servers.

12. Spear Phishing: One of the newest phishing strategies. It targets a specific company and uses e-mails directed at individuals at various locations. (Frost and Sullivan, nd)

It is reported that the types of websites attacked by phishers include banks and online payment services and their customers. The general method of attack is an email or instant message that persuades users to enter personal details at a fraudulent website that appears to be a legitimate one. The majority of phishing attacks use "misspelled URLs or use sub-domains" provided in emails which appear to belong to the legitimate organization. Another form of phishing, known as IDN spoofing, involves phishers using URLs and IDNs that appear identical in web browsers to those of a trusted organization; in addition, open URL redirectors are used to disguise malicious URLs behind a trusted domain. It is reported that certificates fail to address this problem since the phisher can purchase a valid certificate, which can be modified in order to spoof a real website.
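The URL tricks described in this paragraph (misspelled look-alike domains, the brand name buried in a sub-domain, IDN/punycode hosts, and open redirectors on the trusted domain) can each be turned into a mail-filter heuristic. The following is an added example, not code from the paper or from any of the reports it cites; the trusted domain, brand string and sample message are constructed, and it assumes a one-label public suffix such as .com.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed demo values: the organisation's real registrable domain and the
# brand string phishers imitate. A real deployment would load these from config.
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND_WORDS = {"examplebank"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last two labels of a host (assumes a one-label public suffix such as .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return the list of heuristics a single URL triggers (empty list = no finding)."""
    findings = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registrable_domain(host)
    # Raw IP address instead of a host name.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-host")
    # IDN spoofing: punycode label or non-ASCII characters in the host name.
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("idn-host")
    # Brand name appears in a host whose registrable domain the organisation does not own.
    if reg not in TRUSTED_DOMAINS and any(b in host for b in BRAND_WORDS):
        findings.append("brand-in-foreign-host")
    # Misspelled look-alike of the registrable domain (e.g. the digit 1 for the letter l).
    name = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.split(".")[0]
        if name != tname and edit_distance(name, tname) <= 2:
            findings.append("lookalike-domain")
    # Open redirector: a query parameter on the trusted site carrying a foreign URL.
    if reg in TRUSTED_DOMAINS:
        for key, values in parse_qs(p.query).items():
            for value in values:
                value = unquote(value)
                if re.match(r"^(https?:)?//", value):
                    target = urlparse(value if "://" in value else "http:" + value)
                    if registrable_domain(target.hostname or "") not in TRUSTED_DOMAINS:
                        findings.append("open-redirect:" + key)
    return findings


def scan_email(body):
    """Map every URL found in an email body to the heuristics it triggers."""
    return {url: check_url(url) for url in URL_RE.findall(body)}


# Constructed sample message; all hosts are documentation/reserved examples.
SAMPLE_EMAIL = """Dear customer, please verify your account:
http://examplebank.com.account-verify.net/login
https://www.examplebank.com/redirect?url=http%3A%2F%2F198.51.100.7%2Flogin
https://examp1ebank.com/secure
Regards, ExampleBank Support"""

if __name__ == "__main__":
    for url, hits in scan_email(SAMPLE_EMAIL).items():
        print(url, "->", hits or "clean")
```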

Other attacks include 'cross-site scripting', which is reported as a "type of an attack which is very difficult to spot without a specialist's knowledge; this is when phishers use errors in a trusted website's own scripts against the victim. The script directs the user to sign in at their own web page (the web address and security certificates seem to be correct), but in reality the link to the website is crafted to carry out the attack." (Frost and Sullivan, nd) Finally, another technique is pop-up windows that request the individual's credentials "on top of the legitimate website, in a way that seems that the website is requesting this sensitive information." (Frost and Sullivan, nd) This technique is reported to be used primarily against banks.

The report of Frost and Sullivan states that the challenges include:

(1) Lack of knowledge in the differentiation of threats;

(2) Perception of high prices;

(3) Lack of quantifiable ROI; and

(4) Fear of outsourcing security. (Frost and Sullivan, nd)

Frost and Sullivan report trends and technologies related to the evolution of phishing attacks in the short, medium and long term. In the short term, the increase in the "volume and degree of vulnerabilities and attacks is turning electronic security into an increasingly complex and broad issue, so the need for specialized professionals and solutions reinforcing network and electronic security is becoming clearer to companies." (Frost and Sullivan, nd)

It is reported that another strong driver of short-term growth in the Internet security market is the "pressure of regulatory acts, such as the Sarbanes-Oxley, Basel II, and compliance with payment card industry international regulations (PCI)…" (Frost and Sullivan, nd) It is additionally reported that the "enterprise scope turn virtual by incorporating mobile workers, remote sites, home-offices and even vendors and partners within the same corporate network. In this context, security solutions appear as a strategic tool for a reliable and efficient network operation." (Frost and Sullivan, nd) In the analysis of industries, it is reported that ISPs, banking and finance, and retail have been the sectors most attacked by security threats since the economic crisis started, and that by the end of the short term the advantages of services such as detect monitoring will need to be made clearer to corporations and mid-sized companies.

In regards to the medium term, stated as 2011 and 2012, and the long term, stated as 2013 and 2014, it is reported that security threats "are expected to present at an increasingly growth patterns, mainly leveraged by new and improved telecommunications infrastructure and due to new market entrants." (Frost and Sullivan, nd) In view of the long term, it is reported that changes in pricing which are "inevitable…will redefine segmentation in the long-term." (Frost and Sullivan, nd)

IV. In-depth Computer Forensics: Communication of Methods, Processes and Procedures

Frost and Sullivan report that there are several forensic applications that can be used for detecting phishing including those as follows:

(1) Detect Monitoring Service -- works through identification accuracy checking and is used for addressing phishing issues. This is a real-time monitoring service for connections received by the client's transactional sites, with the client's information "correlated with data obtained from malicious activity in the industry." (Frost and Sullivan, nd)

(2) Early Notification -- a Detect CA proprietary methodology that has the capacity to identify "specific patterns and behaviors that typically occur at the early stages of a phishing attack, providing a way to stop an attack even before it becomes a real threat." (Frost and Sullivan, nd)

(3) Malware Monitoring Services -- monitors on a daily basis hundreds of samples of new, financially motivated malware, which enables the company to proactively and quickly implement an action plan when malicious code is attacking clients. (Frost and Sullivan, nd)

(4) Phishing Alerts -- prevents, detects and recovers from phishing and malware attacks. The solution addresses the entire lifecycle of an alert, providing the right, just-in-time help when clients need it most. (Frost and Sullivan, nd)

The work of Abu-Nimeh, Nappa, Wang and Nair (2007) entitled "A Comparison of Machine Learning Techniques for Phishing Detection" reports that there are three main categories of phishing and fraud defense mechanisms:

(1) detective;

(2) preventive; and

(3) corrective. (Abu-Nimeh, Nappa, Wang and Nair, 2007)

These solutions include 'anti-phishing toolbars', which attempt to alleviate the problem of phishing. According to Abu-Nimeh, Nappa, Wang and Nair, "Although these toolbars help mitigate the problem, many research studies have demonstrated the ineffectiveness of such techniques." (2007)

Two primary problems with this solution are:

(1) quite often the spoofed link is tested without any consideration of the context in which it was presented to the user, thereby losing accuracy; and

(2) once the user enters the address of the phishing site in the browser address bar, the user is immediately exposed to any attack carried out by the site. (Abu-Nimeh, Nappa, Wang and Nair, 2007)

The phishing and fraud solutions in the three categories are listed in the table below.

Figure 1. Categories of Phishing and Fraud Solutions (table not reproduced in this extract). Source: Abu-Nimeh, Nappa, Wang and Nair (2007)

The work of Wu et al. (2006) evaluated the effectiveness of security toolbars in the prevention of phishing attacks. Experiments were performed on three security toolbars, as well as the browser's address bar and status bar. The study included 30 individuals and showed that the toolbars tested were "ineffective in preventing phishing attacks. Users were spoofed 34% of the time. 20 out of 30 users got spoofed by at least one phishing attack. 85% of the spoofed users thought that websites look legitimate or exactly the same as they visited before. 40% of the spoofed users were tricked because of poorly designed websites, especially when using improper redirections." (Abu-Nimeh, Nappa, Wang and Nair, 2007) Two primary reasons that users fell for these attacks are stated to be:

(1) users disregarded the toolbar display, as the content of the web pages looked legitimate or professional; and

(2) companies do not follow good practice in designing their websites, and the toolbar cannot help users distinguish a poorly designed website from a malicious phishing attack. (Abu-Nimeh, Nappa, Wang and Nair, 2007)

The work of Knickerbocker, Yu, and Li (2009) entitled "Humboldt: A Distributed Phishing Disruption System" states that conventional techniques "for combating phishing have focused primarily on detecting phishing web sites and preventing users from revealing their passwords to such sites." This type of protection is stated to be inherently "incomplete and does nothing to protect users that do not reveal their passwords. Combating the phishing threat requires more than simple avoidance -- it requires a more active approach to disrupting even successful phishing operations." (Knickerbocker, Yu and Li, 2009)

The anti-phishing system introduced by Knickerbocker, Yu and Li (2009) is called "Humboldt". It is similar to another system, 'BogusBiter', which "…poisons the data that phishers obtain en masse in order to actively disrupt phishing activity." (Knickerbocker, Yu and Li, 2009) Specifically, it is stated that Humboldt "…takes a different approach to injecting fraudulent submissions into the phishing site's collected data. It relies on Humboldt clients distributed over the Internet to submit poisonous data to every phishing site it targets." (Knickerbocker, Yu and Li, 2009) The following are characteristics of Humboldt:

(1) Poisonous data from Humboldt is indistinguishable from the data submitted by real phishing victims, not only in terms of the data itself, but also in the way the data is submitted;

(2) the submission of poisonous data is coordinated among Humboldt clients in order to prevent detectable behavior which would make post-processing by phishers easier, and also to avoid the risk of launching DDoS attacks against the innocent machine that hosts the phishing site; and

(3) data submission from Humboldt is automated, without requiring manual intervention from users. With enough clients, Humboldt can inject a significant amount of fake data into the phisher's database, either disrupting the phishing campaign or exposing the phishers when they try to use these fake credentials -- which are generated and recorded by Humboldt -- on the real web sites they were pretending to be. Humboldt can also cause data entries stolen from real victims to be interspersed among fake entries, protecting those phished users now that their entries are harder to pick out. (Knickerbocker, Yu and Li, 2009)
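Both Forzieri's "tag data" dilution strategy and Humboldt's recorded fake credentials rest on the same defender-side mechanism: the institution seeds the phisher's collection point with decoys that pass format checks, records what it seeded, and raises an alert when one of those decoys is later presented at the real login. The following is an added illustration of that institution-side logic, not code from the paper, from Humboldt or from Forzieri; the word lists, the campaign identifier and the credential formats are constructed for the example.

```python
import re
import secrets
import string

# Constructed word lists so the decoys look like ordinary customer credentials;
# a real deployment would model the institution's actual username/password patterns.
SURNAMES = ["smith", "garcia", "nguyen", "okafor", "muller", "rossi"]
WORDS = ["Harbor", "Maple", "Falcon", "Summer", "Ridge", "Copper"]
_rng = secrets.SystemRandom()


def luhn_check_digit(payload):
    """Luhn check digit for a digit string, so decoy account numbers pass format validation."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def is_well_formed(cred):
    """Format checks a phisher could apply to discard random (strategy 1) submissions."""
    return (re.fullmatch(r"[a-z]{3,}\d{2}", cred["username"]) is not None
            and re.fullmatch(r"[A-Z][a-z]+\d{3}[!#$%]", cred["password"]) is not None
            and len(cred["account"]) == 10 and luhn_valid(cred["account"]))


def make_tagged_credential(campaign_id, registry):
    """Create one properly formatted decoy and record it against a phishing campaign.

    The registry (username -> details) is the institution's record of what it seeded,
    so a later login attempt with these values can be attributed to that campaign.
    """
    while True:
        username = _rng.choice("abcdefghjkmnpqrstuvwxyz") + _rng.choice(SURNAMES) + f"{_rng.randrange(100):02d}"
        if username not in registry:
            break
    password = _rng.choice(WORDS) + f"{_rng.randrange(1000):03d}" + _rng.choice("!#$%")
    payload = "".join(_rng.choice(string.digits) for _ in range(9))
    account = payload + luhn_check_digit(payload)
    registry[username] = {"campaign": campaign_id, "password": password, "account": account}
    return {"username": username, "password": password, "account": account}


def classify_login(username, password, registry):
    """Return None for an ordinary login, or an alert when a seeded decoy is replayed.

    Any use of a decoy username is suspicious (only the phishing site ever saw it); a
    matching password confirms the data came straight from the harvested collection point.
    """
    entry = registry.get(username)
    if entry is None:
        return None
    return {"alert": "tagged-credential-replay",
            "campaign": entry["campaign"],
            "password_match": secrets.compare_digest(password, entry["password"])}


if __name__ == "__main__":
    seeded = {}
    decoys = [make_tagged_credential("PH-DEMO-0001", seeded) for _ in range(3)]
    print("well-formed:", all(is_well_formed(c) for c in decoys))
    print(classify_login(decoys[0]["username"], decoys[0]["password"], seeded))
```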

The requirements that must be met by an effective system such as Humboldt include:

(1) ensuring that the data it submits is indistinguishable from real phished data;

(2) ensuring that clients have incentives to join Humboldt; and

(3) not bringing disruption or harm to innocent parties, especially the web hosting company that is unknowingly hosting the phishing site and Humboldt's own clients. (Knickerbocker, Yu and Li, 2009)

Knickerbocker, Yu and Li (2009) state that Humboldt must assume that "for every piece of stolen data it collects, a phisher can check its source, its pattern of submission, or its content to determine whether the data is from Humboldt or from a real phished user. If Humboldt submissions can be easily identified based on log file information on the phishing server, then all the fraudulent submissions from Humboldt can be readily removed." (Knickerbocker, Yu and Li, 2009)

Therefore it is stated that Humboldt submissions would have to be "made from a pool of machines, not a central server"; this requires Humboldt to operate in a distributed manner, which it does through the use of "individual client machines." (Knickerbocker, Yu and Li, 2009) The phisher may then attempt to learn the individual IP addresses of Humboldt's clients, because Humboldt clients are more likely than actual phishing victims to submit data aggressively.

Humboldt addresses the phisher's ability to watch submissions from its clients in several ways. First, in today's Internet it is reported that "…many machines are behind NAT boxes, and all machines behind a NAT box will appear to be from the same IP address. If the phisher does not accept multiple visits from an IP address, when multiple victims from behind the NAT box submit to the phishing site, all of their submissions will be ignored," which benefits those users and is a loss for the phisher. Secondly, a Humboldt client may use the DHCP protocol, stated to be common on the Internet, so that each submission to a phishing site is made from a different IP address; the Humboldt client has the ability to log the IP addresses used "in the previous submissions." (Knickerbocker, Yu and Li, 2009)

Third, if the Humboldt client is behind a firewall "that is not performing NAT, the firewall can be configured to collaborate with Humboldt." (Knickerbocker, Yu and Li, 2009) The firewall can act as a NAT box for communications to phishing sites identified by Humboldt, which would achieve the same result as stated just previously; however, it is stated that "alternatively, whenever Humboldt clients communicate with phishing sites, the firewall could replace the IP of Humboldt clients with a random IP from the local domain. With this method a single Humboldt client could effectively act as multiple clients, up to the number of IP addresses in the local domain." (Knickerbocker, Yu and Li, 2009)

PaperDue. (2010). Computer Forensics for Preventing Email. PaperDue. https://www.paperdue.com/essay/computer-forensics-for-preventing-email-9855