So long, and thanks for all the phish

The Plot Sickens

You get to work on a Monday morning, you are tired because it was a really good weekend, and really good weekends create really bad Mondays. Part of your morning habits, like most of us at work, probably begins with firing up your email client and filtering through whatever unread mail has collected in your postbox over the weekend. As you scan through your waiting email the subject hits you between the eyes - and it hurts because you had a really good you-know-what: "Absa Bank: Final Verification"

This sounds serious, so you quickly scan over the message - it has all the authentic banners and links that you would expect to see from an official bank email, and they are telling you that their database has fallen over and they desperately need you to verify your account details on this handy form and submit it back to them. Don't worry though, do as they say and everything will be fine. However, don't do as they say, and you will find your account suspended. At this point you can hear your blood boiling in your ears, because it's the 4th message they have sent you this week! Every time you do as they tell you, you submit your details and their blasted database falls over again! I mean what's wrong with these guys??! They are a bank for Pete's sake! They work with people's life savings! Surely they have SOME kind of data protection in place? So you start filling out the form for the 5th and final time when it occurs to you..... "ABSA?  But I'm with Standard Bank!!"

If the above scenario has actually happened to you then I am sorry, there is probably nothing we can do to you protect you from yourself after a really good weekend. On the other hand, there is a great deal we can do to protect you from receiving these fraudulent emails in the first place. Before we tell you how and what we are doing to squash these scammers for you, I'd like to briefly explain why phishing is so hard to combat, and leave you with an idea of how expensive this kind of spam is to individuals and organisations.

The Problem

In December 2007 Gartner released a report which indicated that the global cost of phishing attacks against organisations exceeds 20 billion Rand a year. Since 2007 the sophistication of phishing attacks, combined with the global increase in phishing-related spam, means that the rate of successful incidents against individuals and organisations has likewise increased dramatically. But why is it so successful, and why is it so hard to detect?

Unlike conventional spam, phishing mail is crafted to look as authentic as possible. If you can remember when last you saw a Viagra or Cialis spam message, maybe you can also recall how saturated it was with poor spelling, or completely mangled English. Much of this mangled content is actually done deliberately in order to get the message to evade conventional spam filters. Phishing, on the other hand, has to be easy to read and has to look as though it truly did originate from your service provider. This cloned authenticity is the first lie that the scammer is employing in order to win your confidence and gain your co-operation. It is also a problem for most spam filters which use signature recognition, since the message text in some cases could be identical to the real thing, with nothing added but a fake URL for you to click on. Since many signature applications strip out randomised content (including html and links) before computing the signature, the resulting signature can be identical for a well-crafted phishing mail and the legitimate mail it is attempting to imitate.

Another mechanism that anti-spam solutions employ to detect known spam sources is the RBL (Realtime Blackhole List), which, although effective against conventional spam, is still inefficient against phishing. Why? Because phishing scammers change location frequently and on average won't use a compromised host for longer than 74 hours. This means that they are effectively operating in a time window that allows them to send a high volume of targeted attacks BEFORE their host servers are tracked down and listed by RBL providers. On our own servers, utilising our own anti-phishing solution, we have noticed that we regularly detect 0day attacks at least 1.5 to 2 days before the attacker servers start showing up on RBL lists. These 0day phishing attacks are the ones which get to your users before your conventional spam filters become effective.

The Solution

Here at SYNAQ we have recently embarked on an aggressive campaign to completely stamp out bank phishing on our managed Pinpoint Securemail servers. We have studied literally thousands of verified phishing mails, and armed with this information, we have assembled counter-phishing rules and tightened our nets. The results we have been getting are so overwhelmingly positive, that we have unanimously agreed to share our method with YOU!

It is important to understand how a phishing attack is constructed. If you can break down a phishing mail into its distinctive components, then you will find the knowledge you need to write effective anti-phishing rules. In short, know your enemy!

Know Your Enemy
Shall we begin by quickly examining the actual phishing message below?

Dear Customer,

A new phishing scam is going around and due to this, ABSA Bank has developed an Online
Security Program (SentryBay) to protect our customers from fraudulent activities and
online phishing.

You are hereby required to click on the absa website below and follow the intructions
for us to be able to activate the program in your account for safer Internet Banking.
As a result of this Security Program, we require you to bear with us online for some
minutes and follow the instructions as we will be sending you some sms for this
verification purpose and it will be required in other to finish the Security Program
Activation. http://www.absa.co.za/absacoza/

Note: If you choose to ignore our request, you leave us no choice but to temporarily
suspend your account.

Please accept our apologies for any inconvenience.

Regards,

Online Security
Absa Bank

Does the above message look familiar? The above email is a typical phishing attack, and if you could translate its message into what they are really telling you, the conversation would read like this:

We have a nasty problem with your Internet Banking!
YOU must do something to fix it, help us to help you!
If you don't do something, we will....and you WON'T like it!

The examples we will show here are a bit oversimplified, and this is not a tutorial on how to write anti-phishing rules. Rather we are hoping that you will be able to adapt our methodology to your own anti-spam servers and use the logic to construct your own effective rules - whichever anti-spam solution you are using. Accordingly, if you studied the above phishing example, you may already have noticed that you can break the entire message down into three clearly identifiable components that can be filtered for:

1) The Introduction
The opening paragraph clearly identifies the subject of this message, and it gives you at least four phrases you can filter for:

phishing scam
Online Security Program
fraudulent activities / online phishing

These phrases make up the first part of the filter you create. They carry no score of their own; instead, a new meta rule is triggered if any of these phrases scores a match. We are looking for a nibble on at least two meta rules before we catch and cook our phish! We will call this first meta rule INTRO, and it has a score value of zero.

2) The Action
Having identified the nature of his message, the scammer now wants you to take some action:

click ... website / link
follow ... instructions
activate ... program
finish ... Security / Program

Create a few rules that will catch the above phrases, and as before create a new meta rule if they get hit. This second new rule will be called ACTION, and once again it has a value of zero.

3) The Threat
This is the final part of the scammer's message, and it is here that he threatens some form of action or result if you do not comply:

suspend ... account

Create a few rules that will catch variations of the above phrase, and as before create a new meta rule if they get hit. This third new rule will be called THREAT, and once again it has a value of zero.

We now have three possible vectors the potential phishing mail can score a positive hit on, but in order to reduce the possibility of incorrectly flagging valid mail we want at LEAST two hits before we toss this mail in our phishtank. Use your imagination and be creative: you can easily come up with many other possible combination phrases for each of the three phases. Now, in order to classify this message as a possible phish candidate, we create a new meta rule that triggers if ANY TWO of the previous meta rules get a bite.

Create a fourth new meta rule called CANDIDATE, triggered if any two of the three score hits:

trigger and score CANDIDATE if:
(INTRO and ACTION) or (INTRO and THREAT) or (ACTION and THREAT)

CANDIDATE has a score of zero, we don't positively match until one last condition has been matched.

Know Your Friend
Ok, we know that even with your best efforts to write responsible rules and only shoot the bad guys, sometimes innocent and legitimate mail gets caught in the crossfire. No matter how hard you try, false positives can and sometimes do occur. When you are trying to combat phishing, which often looks exactly like the real deal, the rules you write come closer to creating false positives than rules for conventional spam, but there are some tricks you can deploy which will help you to miss when it counts.

You are going to have to check your message's Received headers for positive identification. In the following example, let's assume that the bank is called mysabank.co.za, and your anti-spam server is called my.antiphish.co.za:

Received: from mail.mysabank.co.za ([196.xx.xx.xx])
by my.antiphish.co.za with esmtp (Exim 4.94)
id 1PwqlT-00084M-H4
for you@yourdomain.co.za; Tue, 08 Mar 2011 08:51:27 +0200

The general problem with accepting email headers at face value is that most headers can be forged by attackers. This means that there is limited value in studying the mail path of a spam message, since the spammer could be lying about most of the headers you see. However, the one header he cannot spoof is the header created by your own server, as in the example above. In that Received header he could still be lying about the name of the sending server (what appears before the bracket depends on your MTA: some record the HELO string the client supplied, while Exim, as shown above, records the reverse-DNS name it resolved itself when host lookups are enabled, which is still only as trustworthy as the DNS of whoever owns that address), but he CANNOT fake the bracketed ip address, because that is the address of the TCP connection your own server accepted and logged. This is significant, because it gives you enough information to establish the authenticity of the sending server. However, be sure that you ONLY check the Received header that was added by your own server! Normally that is the topmost one; if a relay or MX sits in front of your anti-spam server, the header to trust is the one that relay wrote, since your own server's header will only ever show the relay's address.

Using this information, you will create two new rules for identification of the original server. These rules will once again have a value of zero. Create a meta rule called SERVERNAME, and it only matches if the domain of the sending server is mysabank.co.za.

SERVERNAME if supplied source domain in Received header = mysabank.co.za

Now create the second meta rule called SERVERIP, and this rule only triggers if the ip address your server recorded in that Received header matches the bank's known sending address:

SERVERIP if ip address of sender in Received header = 196.xx.xx.xx

Now we create the CANDIDATE_ID meta rule to validate the sending server. If the Received header check scores a hit on BOTH the  SERVERNAME and the SERVERIP rule, we activate the CANDIDATE_ID meta rule. All the rules created so far, have no intrinsic value. We are only using them to sculpt the profile of a phishing message, and score if ALL conditions are met.

CANDIDATE_ID   if   (SERVERNAME and SERVERIP)

Now it is time to bring all the rules together and make a final decision! If you have scored a positive hit on the composite rule CANDIDATE, and there is no match on CANDIDATE_ID (indicating this did not come from a known banking server), create the final rule PHISHTANK and score it.

PHISHTANK if  (CANDIDATE and not CANDIDATE_ID)  score 10
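The whole rule set above, from INTRO through PHISHTANK, written out in SpamAssassin's own rule syntax (the engine Phishmonger is built for). This is an added example, not SYNAQ's production rules and not code from the original post: the `__PH_` rule names, the phrase regexes, the placeholder bank domain mysabank.co.za, the placeholder address 196.xx.xx.xx and the 203.0.113.0/24 range standing in for my.antiphish.co.za are all assumptions. It also implements the "only trust your own server's Received header" caveat by letting SpamAssassin compute the trusted boundary rather than matching every Received header in the message.

```spamassassin
# Added example: bank-phishing rules in SpamAssassin syntax (not the post's own
# rules). Rule names starting with "__" have no score and are never reported;
# only the final PHISHTANK rule carries points.

# --- Trust boundary -------------------------------------------------------------
# Placeholder: replace 203.0.113.0/24 with the address(es) of your own anti-spam
# server (my.antiphish.co.za in the post). Every relay outside these networks is
# "external", and the FIRST external relay is the host your own server accepted
# a TCP connection from, i.e. the one whose ip your server logged itself.
trusted_networks  203.0.113.0/24
internal_networks 203.0.113.0/24

# --- 1) INTRO: the scammer announces the subject ---------------------------------
body  __PH_INTRO_1   /\bphishing\s+scam\b/i
body  __PH_INTRO_2   /\bonline\s+security\s+program\b/i
body  __PH_INTRO_3   /\b(?:fraudulent\s+activit(?:y|ies)|online\s+phishing)\b/i
meta  __PH_INTRO     (__PH_INTRO_1 || __PH_INTRO_2 || __PH_INTRO_3)

# --- 2) ACTION: what you are told to do --------------------------------------------
# ".{0,40}" allows a few words between the verb and its object ("click on the
# absa website below", "follow the intructions") without matching across paragraphs.
body  __PH_ACTION_1  /\bclick\b.{0,40}\b(?:website|link|below)\b/i
body  __PH_ACTION_2  /\bfollow\b.{0,20}\binstructions?\b/i
body  __PH_ACTION_3  /\bactivate\b.{0,30}\bprogram\b/i
body  __PH_ACTION_4  /\b(?:finish|complete)\b.{0,30}\b(?:security|program|verification)\b/i
meta  __PH_ACTION    (__PH_ACTION_1 || __PH_ACTION_2 || __PH_ACTION_3 || __PH_ACTION_4)

# --- 3) THREAT: what happens if you don't --------------------------------------------
# Both word orders: "suspend your account" and "your account will be suspended".
body  __PH_THREAT_1  /\b(?:suspend|suspension|block|deactivat)\w*\b.{0,40}\baccount\b/i
body  __PH_THREAT_2  /\baccount\b.{0,40}\b(?:suspend|suspension|blocked|deactivat)\w*\b/i
meta  __PH_THREAT    (__PH_THREAT_1 || __PH_THREAT_2)

# --- CANDIDATE: any two of the three phases ------------------------------------------
# In a meta expression each rule evaluates to 1 (hit) or 0, so this is
# (INTRO and ACTION) or (INTRO and THREAT) or (ACTION and THREAT).
meta  __PH_CANDIDATE ((__PH_INTRO + __PH_ACTION + __PH_THREAT) >= 2)

# --- CANDIDATE_ID: did it really come from the bank? --------------------------------
# X-Spam-Relays-External is a pseudo-header SpamAssassin builds from the Received
# headers, one "[ ip=... rdns=... helo=... by=... ]" block per relay, the first
# external relay first. "[^\]]+" keeps each match inside that first block.
# ip=   is the address your own server saw on the connection (cannot be forged)
# rdns= is the name your MTA recorded for it (forgeable only via the owner's DNS)
header __PH_SERVERNAME   X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^ ]+\.)?mysabank\.co\.za /i
header __PH_SERVERIP     X-Spam-Relays-External =~ /^[^\]]+ ip=196\.xx\.xx\.xx /
meta   __PH_CANDIDATE_ID (__PH_SERVERNAME && __PH_SERVERIP)

# --- PHISHTANK: bank-phish wording that did NOT come from the bank -----------------
meta     PHISHTANK  (__PH_CANDIDATE && !__PH_CANDIDATE_ID)
describe PHISHTANK  Bank phishing wording, not sent from the bank's own server
score    PHISHTANK  10.0
```

Drop the fragment into /etc/mail/spamassassin/ as a .cf file and check it with `spamassassin --lint` before restarting spamd; a syntax error in any rule file disables the whole file. The `body` rules run against the rendered text with html stripped, so the same regexes catch both the plain-text and html versions of a mail. Genuine mail from the bank's own MX passes through with zero points because `__PH_CANDIDATE_ID` cancels the match; mail that merely mentions the bank's name but arrives from anywhere else, including a mail from the bank's marketing contractor, scores the full 10 points, which is exactly the trade-off the post is asking you to make.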

A Helping Hand

We sincerely hope you have found our guidelines useful, and that you will be able to apply this method to your own anti-phishing solution. However we also realise that many available solutions are difficult to customise and may take a long time to develop around your own needs. In particular, as a company which specialises in combating spam, we have been painfully aware of how few solutions are tailored for the South African mail market, and that available solutions are ineffective at identifying and stopping phishing attacks targeted at South African banks.

This target area poses an enormous threat to both individuals and institutions. One successful phishing attack can lead to devastating financial loss to the victim, and the notable lack of protection spurred us to develop our own. The success of our venture exceeded even our wildest expectations, with positive identification of over 99.99% of all phishing mail reaching our Pinpoint Securemail clusters. Realising that the impact of our research is significant, we feel compelled to open up the benefits of this technology to South African companies and service providers. We have therefore taken our project a step further and will be publishing our signatures to a database that ALL South African institutions can use. We are in the process of developing this solution further, and expect that its implementation will be a landmark in stamping out bank related phishing in South Africa. We are calling this new service Phishmonger, and expect it will be ready for public registration by 1 April 2011. Phishmonger is a minor port of the open source tool Pyzor, and is designed to work with the widely recognised Spamassassin anti-spam server. This means that you would have to implement it on your existing linux servers, but if you are serious about mail you are already using linux, right?

If you deal with a large amount of email every day and would like to benefit from our service, but don't want to maintain your own linux servers, why not request a quote on our Pinpoint Securemail solution?

Our call is going out to all corporates and service providers. Join us! Let's stamp out this threat together! We have the tools, we have the determination and we have the innovation! This is our territory and their fraud is not welcome here!

SO LONG, AND THANKS FOR ALL THE PHISH!!



3 Responses to “So long, and thanks for all the phish”

  1. Y8 says:

    Well written narrative, I especially like the beginning, reminds me of when I had a real job. The nuisance of phishing is mostly taken head on by associations and organizations and very little preventive maintenance done at the judiciary or legislature level.

  2. Editor says:

    Thanks for the compliment. Just a follow up to your insight on preventative maintenance, it's true that phishing seems to be regarded as mere spam on the existing legislation level. However, the intent behind phishing is far more serious than just trying to push a few viagra or cialis pills your way. This is a serious cyber crime which should really rank a few levels above conventional fraud.

    But in enforcing a highly effective and accurate anti-phishing product for the past 6 months, SYNAQ has come to learn that the financial institutions themselves bear a large portion of the blame for the success of phishing attacks. The banks for instance, would have you believe that the end user is responsible for discerning the validity of genuine bank from fraudulent mail. However, in the past 6 months we have seen many different angles of attack from fraudsters, some of which appear to be so authentic that your average end user would have great difficulty making the right decision.

    I say this is the bank's responsibility because the bank itself is responsible for enforcing a reputation of trust and maintaining that reputation with its clientele. This means that they are responsible for ensuring the reliability of all transaction servers bearing their reputation - from the reliability and security of their internet banking, to the reputation of their email. As such, in practice, no mail should legitimately represent the bank if it does not come from a fully endorsed server which is directly under the control of the bank itself. For example, would you bank with them if they were running your critical and security sensitive transactions on a public co-located server? Then why is this acceptable for their email transactions?

    For phishing to be effectively squashed, one should not have to look any further than the originating ip address of the smtp server itself. I should be able to tell with 100% certainty that the server submitting bank email to me is a certified and well controlled banking ip. The waters only get muddied when they allow business partners, marketing companies and surveyors to email in their name from any smtp service they want to. Banks and financial institutions should, in all areas of communication, be the very embodiment of security, confidentiality and trust. Instead they permit uncertainty in an unregulated and unverified smtp free-for-all where it is difficult to tell a spammer source from the bank servers themselves. It is in this environment where phishing thrives, where you cannot verify the email against a trusted source.

    Regards

  3. Hadley says:

    Great article,

    Very interesting read. We at Blue Strata Trading have been on Pinpoint Securemail for some time now and I have to admit that the latest advancements made by SYNAQ, in stamping out phishing attacks have been impressive. So much so that I cannot recall the last time I received one of these mails.

    Well done SYNAQ!
