“If you’re not confused, you’re not paying attention.” — Tom Peters
Perception is not reality. Figuring out what is real can be very confusing. Phisher’s prey on confusing and scaring people enough that they can be lead to clicking on a link, entering personal information, and even calling a phone number. Initially I was going to use a riddle at the top of this post to try and confound the reader. Unfortunately, I ended up the one confused. I was unable to find the original source for the classic riddle I have heard so many times. Worse yet, there are several variations. I decided to go with the Tom Peters’ quote, create my own version of the riddle, and use the new variation in the body of the post. Now bear with me, though no bears were used in the making of this post (only a dog and some fish). We will go through the riddle to get in the proper mindset for phishing, step through a few examples, and finish strong with a little clarity.
Imagine if you will that last night, after too little sleep, and too much Red Bull, you finally crashed. When you woke up this morning, you find Cerberus before you. Unfortunately, in this case, Cerberus is not the network authentication protocol but the actual three headed hound that guards the gate to Hades. Being one who is always prepared, you fortunately went to sleep with your square headed girlfriend. The good news is, being so close to Hades (a definite hot spot) you are able to access the Internet. With a little googling, you discover a few little known facts about Cerberus.
First, each of Cerberus’ heads can speak English, along with Greek. If a talking bilingual hound is not amazing enough, one head will always tell the truth, one head will always lie, and one head may lie or tell the truth depending on its mood. Cerberus, like any other dog, enjoys playing. Still, Cerberus is a little different from other dogs. He will only play a special game fashioned after “Let’s Make a Deal.” Here are the rules. Before you, there are two doors. You may ask two questions, but you have to direct your questions to only one of Cerberus’ heads at a time. Once asking one head a question, you cannot ask the same head a second question. Of course, you have no idea which head lies, tells the truth, or does what ever it feels like.
As for what’s behind the doors? One door, once open, will immediately suck you down into Hades. The other door, when opened, teleports you to Google where there is free Red Bull, 10G Internet access, masseuses, and free lunches and dinners in the cafeteria. Do not worry, Rod Serling is not hiding anywhere. There are no “Twilight Zone” plot twists where Google turns out to be the real evil in this tale. Being a true IT professional, you burn easily, so you will want to avoid Hades. What two questions do you ask?
Confused? That is the theme of this post. Life can be very confusing. Unfortunately there are many black hatters that will take advantage of people’s confusion. In order to avoid the whole hacker verse crackers debate, I am calling evil doers black hatters. Black hatters will build on mistakes, creating some fairly sophisticated deception. For the who, what, and when on phishing, see the Anti-Phishing Work Group (APWG) July 2007 report. As for a recent personal example, last week I received some emails appearing to come from a local credit union. The first email came through with subject “Notice!”
Dear Customer,
The Hades Post Office Credit Union temporarily suspended your account. Reason: Billing failure.
To start the update process click here.
Once you have completed the update, we will send you an email notifying that your account is available again. After that you can access your account at any time.
The information provided will be treated in confidence and stored in our secure database. If you fail to provide information about your account you’ll discover that your
account has been automatically deleted from HPOCU database.Copyright © The Hades Post Office Credit Union , All Rights Reserved
I do appreciate the copyright notice at the end. It is a nice touch. Not to add to anyone’s confusion, I don’t really live in Hades. I am just protecting the credit union. Also, the original “click here” link went off to a phishing site, so I have changed that link. Also, the Goliath Corporation, while ethically challenged, was not behind the attack. For those less battle hardened, what are the give aways on this email? Here is what I noticed:
- The use of “Customer” instead of my name. This indicates they had no personal information. Maybe it was purely by luck, but this email did appear to come from a local credit union. It seems they may have known about where I lived. Or maybe this email went out to so many people, I just happened to live at the same location as the credit union. Let’s assume it was not by chance. If not, this is known as spear phishing. Spear phishing describes any highly targeted phishing attack where the black hatters gather personal or organizational informal to make the emails appear more genuine.
- The link in the email does not go to the Hades Post Office Credit Union. On the positive side, the black hackers failed to compromise the credit union web server. To add confusion to the customer, I have seen many credit unions out source their banking web site so when doing bank business, you go to a non credit union web site.
Right after the first email, a second emails came through. I am not going to reproduce it here because it seems to be from a second black hatter. It is more sloppily done. The sharks are circling. A third email arrives a little later with the subject “Urgent Notice!”
Dear Customer,
We regret to inform you that we have received numerous fraudulent emails which ask for personal account information. The emails contained links to fraudulent pages that looked legit. Please remember that we will never ask for personal account information via email or web pages.
Because of this we are launching a new security system to make accounts more secure and safe. To take advatage of our new consumer Identity Theft Protection Program we had to deactivate access to your card account.
To activate it please call us immediately at 253-397-2068
Activation is free of charge and will take place as soon as you finish the activation process.
If you think your identity has been stolen, here’s what to do now:
1) Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified, and all three credit reports will be sent to you free of charge.
2) Close accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit (PDF) when disputing new unauthorized accounts.
3) File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.
4) File your complaint with the Federal Trade Commission (FTC). The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps the FTC gather more information about identity theft and the problems victims are having.
For more information, go to: http://www.consumer.gov/idtheft/.
Please do not reply to this message. For any inquiries, contact Customer Service.
Hades Post Office Credit Union – Copyright © 2007
Now one might believe this email was legit. The calvary to the rescue. There are a few problems.
- Once more, they never identify who they are sending this email to. There is no indication the credit union knows this customer
- “advatage” is misspelled. Black hatters are getting much better at proper grammar and spelling. I would hope a credit union, after being caught up in a phishing attack on its members, would not make spelling errors on the email informing people of this fact.
- I do not have an account with the Hades Post Office Credit Union. The credit union does not know me and should not be sending me email.
- The phone number is not local to Hades. It is not even an 800 number, though there are reasons not to trust 800 numbers. The phone number does not match the numbers listed on the “contact us” page. I cannot find the number via the Internet. This looks like it could be a VoIP Phishing attack. With VoIP phishing attacks, the black hatters will pose as the bank, email people trying to get them to dial a number and then have them enter or provide personal information. In this case, customers call to get IDTheft protection and end up giving the black hatter all their personal information.
You have to give the black hatters credit. If the first email did not fool you, with “billing failure,” they are going to scare you into trying to get IDTheft protection. Going to the Hades Post Office Credit Union website revealed a notice that fraudulent emails were sent out. That notice, unlike the above email, does not provide a special contact phone number.
Now, one could look at the full header of the email and see that the email did not originate from the Hades Credit Union. For IT professionals, this is a wise course of action. Most people are not IT professionals and looking at email headers is confusing. For demonstration purposes, let me show the non IT professional a valid email header from nist.gov. IT professionals you can skip ahead.
From Patrick O’Reilly Tue Nov 13 14:44:40 2007
Return-Path:
Authentication-Results: mta207.mail.re4.yahoo.com from=nist.gov; domainkeys=neutral (no sig)
Received: from 129.6.16.226 (EHLO smtp.nist.gov) (129.6.16.226)
by mta207.mail.re4.yahoo.com with SMTP; Tue, 13 Nov 2007 14:45:46 -0800
Received: from imp.nist.gov (imp.nist.gov [129.6.16.10])
by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id lADMjAUC014099;
Tue, 13 Nov 2007 17:45:13 -0500
Received: from imp.nist.gov (localhost [127.0.0.1])
by imp.nist.gov (8.13.7/8.13.7) with SMTP id lADMieSw013254;
Tue, 13 Nov 2007 17:44:40 -0500 (EST)
Date: Tue, 13 Nov 2007 17:44:40 -0500 (EST)
Message-Id: <7.0.1.0.2.20071113172800.0277b3e0@email.nist.gov>
Errors-To: patrick.oreilly@nist.gov
Reply-To: poreilly@email.nist.gov
Originator: compsecpubs@nist.gov
Sender: compsecpubs@nist.gov
Precedence: bulk
From: “Patrick O’Reilly”To: Multiple recipients of list
Subject: NIST Announces the Release of 3 Special Publications
Notice the occurrences of nist.gov in the header. The IPs in the header could be looked up and they would belong to nist.gov. Below is the black hatters email header. Pay attention to the bold text.
From Hades Post Office Credit Union Mon Nov 12 03:54:05 2007
Return-Path:
Authentication-Results: mta327.mail.re4.yahoo.com from=hpocu.org; domainkeys=neutral (no sig)
Received: from 64.202.189.57 (HELO k2smtpout05-02.prod.mesa1.secureserver.net) (64.202.189.57)
by mta327.mail.re4.yahoo.com with SMTP; Mon, 12 Nov 2007 03:54:15 -0800
Received: (qmail 13872 invoked from network); 12 Nov 2007 11:54:05 -0000
Received: from unknown (HELO DZVS01.prod.phx1.secureserver.net) (68.178.147.168)
by k2smtpout05-02.prod.mesa1.secureserver.net (64.202.189.57) with ESMTP; 12 Nov 2007 11:54:05 -0000
Received: (qmail 24335 invoked from network); 12 Nov 2007 11:54:04 -0000
Received: from tx-65-40-99-101.sta.embarqhsd.net (HELO User) (65.40.99.101)
by digizoneusa.net with SMTP; 12 Nov 2007 11:54:04 -0000
Reply-To:
From: “Hades Post Office Credit Union”
Subject: Notice !
The email did not originate from hpocu.org. You can go to SpamCop and look up the IPs and see if the IP is a known spammer. On local spear phishing attacks, there is a good chance the IP will not be listed. Another point, each of the emails from the black hatter originated from different IPs and domains, which is another indication that even if the credit union out sourced their work, something is not right with these emails. I understand that for many people looking at full headers is not an option. If you are aware of what to look for in the body of the email, that will go a long way in helping protect you against phishing attacks. To help those not in the IT profession learn what to look for, there is Antiphishing Phil.
Carnegie Mellon University has created Anti-Phishing Phil as an “interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.” To continue to quote the site, “Our user studies have found that user education can help prevent people from falling for phishing attacks. However, it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves. Our studies demonstrate that Anti-Phishing Phil is an effective approach to user education.” I applaud Carnegie Mellon. I found Anti-Phishing Phil to be a fun way to teach users about identify phishing attempts.
In the end, security often does not have a simple solution. Once a solution is found, it seems the black hackers build upon yesterday exploits requiring security professionals to derive more complicated solutions. It is an arms race. Fortunately, some problems do have final solutions. I might not have the final answer to preventing all phishing attacks, but I do have the answer to the riddle. As with many problems, the answer can be found through first simplifying the problem. Imagine if there were are only two question-answerers: a truth-teller and a liar. The liar might even wear a black hat, but probably does not. That would make it too easy. In this problem, you must determine which is the correct door using only one question. This solution is well known: pick one of the two answerers and ask the following question, ”Which door would the OTHER answerer say leads to Google?” If the response is ”Door A” go through Door B and vice-versa.
The riddle is made more difficult because of the third head that can either lie or tell the truth. Now suppose that using only one question we can ensure that our second question will be asked of the head that tells only the truth or only lies. Then we can solve the problem just as we did above. So, we choose one head and ask the following question: “Of the other two, which one is most likely to give me a truthful answer when I ask them a question?” Now apply the lessons learned from above in case we are asking of the truth-teller or liar. Our second question we ask of whoever was NOT the answer to the first question, “Of the other two heads, what answer would the head that has to lie or tell the truth give when asked which door leads to Google?” Then you know which door leads to Google.
Let’s confirm this. We will start off by giving names to each of the heads: Adam, Bert, and Carl. Adam is the head that tells only the truth. Bert always lies. And Carl does what he feel like. First question, Q1, is “Of the other two, which one is most likely to give me a truthful answer when I ask them a question?” Second question, Q2, is “Of the other two heads, what answer would the head that has to lie or tell the truth give when asked which door leads to Google?” If the head we ask Q1 of is Carl, then he will answer Adam or Bert. The importantly point is that Q2 will not be asked of Carl. If the head we ask Q1 of is Bert, he will tell us Carl is more likely to tell the truth. Bert is a stinker. No wonder Homer is always chocking him. Again, the important point is for Q2 we choose whoever is not the answer to Q1. So, Adam will be asked Q2. If the head we ask Q1 of is Adam, he will tell us Carl is more likely to tell the truth. In which case, Q2 would be asked of Bert. In other words, our second question will end be asked of Bert or Adam. If we ask Q2 of Adam, Adam will truthfully answer what Bert would say, and point to the door to Hades. If we ask Bert, he will take Adams response and then lie by choosing the door to Hades. Whatever they response to the second question, we choose the other door.
I hope this post has helped clear up some of the confusion over phishing. At the very least, if you ever find yourself a game show contestant with Cerberus filling in for Monty Hall, you will hopefully now know how to figure out which door to choose. See you at Google.
Copyright © SpecOps 2007, All worldwide rights reserved.
