SANS ISC: InfoSec Handlers Diary Blog

Phollow the Phlopping Phish

Published: 2006-02-13
Last Updated: 2006-02-14 17:26:07 UTC
by Tom Liston (Version: 1)
Disclaimer: Normally I hold forth in a series of diary entries titled "Follow the Bouncing Malware," but today, we're going to take a walk down a different path: we're going to phollow a phish and see where it takes us.  Along the way, while we won't be getting down and dirty with bits and bytes, we will talk a little about scams, social engineering, and some of the plain old dumb things that companies do to make livin' la vida loca off of a phishin' net all too easy.

Strap in, boys and girls... it's gonna be a bumpy ride.

You grab a line, and I'll grab a pole...

"It just isn't fair," thought Joe Sixpack as he sat grumbling at his desk.  His boss and the Director of IT had just spent the last 40 minutes chewing him out over something that wasn't even his fault.  He needed more space on his computer for his MP3s, and those stupid .DLL files had been taking up so much room...  How was he supposed to know they were important?

He was in the middle of a particularly good daydream involving the boss, a cattle prod, the hot little receptionist from accounting, and a Labrador retriever, when he was distracted by his freshly re-installed computer's brainlessly chipper pronouncement: "You've got mail!"

Now Joe Sixpack was no dummy.  He knew all about those online scams that tried to trick you into giving out your personal information... what were they called... "phoning"... "pharting"... "phishing"... That was it: phishing!

He was going to be really, really careful.

The email looked to be authentic... it had the Mountain America logo, and it certainly sounded authentic, especially when it warned him that his credit card would be "disabled" if he didn't do what it asked.  Those bankers... Type-A personalities, all of them.  He couldn't let his credit card be disabled!  He had just gotten his cable bill set up to be paid through his Visa!

Joe pulled out his wallet and looked carefully at his Mountain America Visa card, and it did indeed have the correct numbers, just like those shown in the email.  He was pretty certain that the only way anyone could know that his card had those numbers on it was if they were Mountain America, but he decided that he had still better be careful.  What was it that his boss had said earlier?... Something about Joe being so stupid that if he saw a sign saying "wet floor," he would.  Well, he wasn't stupid, and he would prove it.

Looking at the email, he saw that there was a link in it.  He thought back to the in-service that the Director of IT had held a few months back.  It was a particularly memorable experience for Joe, because he managed to sit right next to the hot little receptionist from accounting, and he was able to spend most of the boring talk peeking down her blouse.  While he remembered little of the actual meeting (beyond the receptionist's taste in lacy undergarments) Joe thought he recalled something about links in email being bad.  Yes... yes... that was it.  You were never supposed to click on a link in an email... clicking on link was a bad thing but the exact reason it was bad was somehow all mixed up inside Joe's brain with hazy visions of something hot-pink from Victoria's Secret.

In any case, he wouldn't click on the link... he would re-type the address of the website.

As he typed in the address, Joe thought that it seemed a bit odd.  He thought that he remembered that the correct address for the Mountain America website was different.  But he also remembered a few months back, in the midst of a similar "I'm not stupid" episode following a similar butt-chewing from the IT Director, he had tried to prove that the real Credit Union site was bogus because it contained links to another site with a funny name.  The IT Director had patiently explained that while it wasn't a good thing, sometimes banks and credit unions used other "special purpose" sites for...well... special purposes.  He explained that those sites could cause people to be confused, just as Joe had been, and because of that, it wasn't a good idea.  He had also shown Joe how to confirm that the site did indeed belong to the bank.

Because, on that occasion, the IT Director wasn't competing with cleavage and lace for his attention, Joe actually remembered exactly what he had said and done.  Keeping that in mind, and after carefully typing the website address, Joe checked out the page that appeared before him:

Sure enough, there at the bottom of the screen, he saw what the IT Director had clicked on:  the little lock.  Joe clicked, and was presented with a new window that explained that the site was indeed legit... someone called Equifax (that was trusted by his browser) vouched for them.

"Cool," thought Joe, "I'm really getting the hang of this whole Internet thing!"  And, just to prove that he was... what was it his son always said?... oh yeah..."leet,"...he clicked on another button on the window.  This brought up an entirely new window, filled with mind-numbing gobbledygook.

Joe puzzled over this window for a few moments, trying to make sense of it.   It appeared to have something to do with proving that this website was really owned by his credit union, but most of it seemed to be written in a foreign language.  He looked it over a few more times and was just about to close the window when he noticed what looked to be a website address on one of the lines.  The address pointed to something called "," and although he didn't know if it was important or not, he typed it into his browser's address bar to see what he could find.

Wow... he really was "leet."  It appeared that he had found even further confirmation that this website was legit, this time from a company called "ChoicePoint."  Right there, it said that the website address was part of Mountain America of Salt Lake City, UT.

Joe knew that the headquarters of his credit union was indeed located in Salt Lake City... it said so on every quarterly statement that he received.

If his credit union thought that it was important that he registered for this Verified by Visa program, then hey, he'd do it.  He was humming to himself and thinking happily of the hot little receptionist from accounting as he typed in his Visa card's number...

...and we'll go phishin' in the crawphish hole...

So, what did Joe do wrong?  Well... for once: nothing.

He went above and beyond what we could possibly expect an end user to do.  And yet he still got phished.

He didn't follow a link.  He checked the certificate.  He even went so far as to double-check the certificate issuer's facts.

Joe was let down by the very infrastructure that was supposed to be there to protect him.

What happened?

I talked earlier today to a representative of Equifax/GeoTrust, and asked a simple question:  how do you confirm that someone really is who they claim to be when issuing an SSL certificate?  I got a response that sounded really quite good.  There was official documentation required: copies of business licenses, articles of incorporation, etc...  There was official confirmation required: checks made with the Secretary of State's Office in the state of incorporation, a requirement that the business be in good standing, etc...  

And still, some scummy phisher got an SSL certificate that appears to link him back to the actual credit union.

I asked about the ChoicePoint information and whether it was used as verification and was surprised to learn that ChoicePoint wasn't a "source" of data for the transaction, but rather was a "recipient" of data from Equifax/GeoTrust.  According to Equifax/GeoTrust, "as part of the provisioning process with QuickSSL, your business will be registered with ChoicePoint, the nation's leading provider of identification and credential verification services."

What more could any burgeoning identity thief ask for?

What is going on here?  How can this be happening?  Internet e-commerce is founded on SSL, and SSL is founded on the trust that the companies handing out SSL certificates are doing their homework and are verifying that the companies sitting behind their certs are who they say they are.  Bear in mind what a certificate actually asserts: that the CA bound a key to the name in the certificate, and that whatever checks the CA ran on the applicant passed.  If a phisher registers a plausible-looking domain and the CA's checks don't catch it, the little lock and the issuer window tell the user nothing about whether that domain belongs to the bank.

To paraphrase one of my favorite movie lines: "What we have here is a failure to authenticate..."

Finally, banks and credit unions that send out email with clickable links teach their customers incredibly dangerous habits.  Financial institutions that use multiple domain names are setting their customers up for disaster.  And, of course, any financial institution that isn't checking its referrer logs for odd and unknown sites is a time bomb waiting to explode: a phishing page that hot-links the bank's logo, or bounces its victims to the real login page once it has their card number, shows up in the bank's own logs as a Referer from a host nobody has ever heard of.
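Here is what that last check looks like in practice, as an added example for this diary (it is not code from SANS ISC, Mountain America, or any other institution named above): a short Python script that parses combined-format access log lines and reports every Referer host that is not the institution's own.  The domain set `example-cu.org` and the log lines are constructed for illustration.  Hostnames are matched on label boundaries, so `verify.example-cu.org.evil.test` is flagged rather than accepted as "ours", and the user-info trick `https://online.example-cu.org@evil.test/` is resolved to `evil.test` before matching.

```python
"""Flag Referer hosts in a web server's access log that are not the
institution's own.

Added example for this diary entry; not code from SANS ISC or from any
credit union.  The domain set and the log lines below are constructed.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the institution serves everything from these domains (and
# their subdomains).  Placeholder value, not a real institution's list.
OWN_DOMAINS = {"example-cu.org"}

# Apache/nginx "combined" log format; the Referer is the first quoted field
# after the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample.  A phishing page on evil.test hot-links the real logo,
# so the credit union's own server records the phisher's host as the Referer
# (lines 2, 3 and 6).  Line 5 is a webmail host: a customer clicking a link
# in an email, which is the habit the diary warns about.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Feb/2006:10:01:02 -0700] "GET /login.aspx HTTP/1.1" 200 5123 "https://online.example-cu.org/home" "Mozilla/4.0"
203.0.113.6 - - [13/Feb/2006:10:02:15 -0700] "GET /images/logo.gif HTTP/1.1" 200 1044 "https://verify.example-cu.org.evil.test/visa" "Mozilla/4.0"
198.51.100.9 - - [13/Feb/2006:10:03:44 -0700] "GET /images/logo.gif HTTP/1.1" 200 1044 "https://verify.example-cu.org.evil.test/visa" "Mozilla/4.0"
203.0.113.7 - - [13/Feb/2006:10:04:01 -0700] "GET /styles/site.css HTTP/1.1" 200 802 "-" "Mozilla/4.0"
203.0.113.8 - - [13/Feb/2006:10:05:30 -0700] "GET /login.aspx HTTP/1.1" 200 5123 "http://mail.example.test/inbox" "Mozilla/4.0"
203.0.113.9 - - [13/Feb/2006:10:06:12 -0700] "GET /images/logo.gif HTTP/1.1" 200 1044 "https://online.example-cu.org@evil.test/visa" "Mozilla/4.0"
"""


def referer_host(referer: str) -> Optional[str]:
    """Lowercased hostname of a Referer value, or None if absent or unparseable.

    urlsplit() strips any user-info, so "https://bank@evil.test/" yields
    "evil.test", not "bank".  Scheme-less values have no netloc and are
    skipped here; count them separately if you see many.
    """
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_own_host(host: str, own_domains=OWN_DOMAINS) -> bool:
    """True if host equals, or is a subdomain of, one of our own domains.

    The suffix test is anchored on a dot so that "example-cu.org.evil.test"
    does not match "example-cu.org".
    """
    return any(host == d or host.endswith("." + d) for d in own_domains)


def foreign_referers(lines, own_domains=OWN_DOMAINS):
    """Return [((host, request_path), hits), ...] for every non-own Referer,
    most frequent first."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; in production, count these too
        host = referer_host(m.group("referer"))
        if host is None or is_own_host(host, own_domains):
            continue
        req = m.group("req").split(" ")
        path = req[1] if len(req) > 1 else m.group("req")
        counts[(host, path)] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (host, path), hits in foreign_referers(SAMPLE_LOG.splitlines()):
        print(f"{hits:4d}  {host:40s} -> {path}")
```

Run it against the sample and the two hot-linked `/images/logo.gif` hits from `verify.example-cu.org.evil.test` come out on top; in a real deployment, feed it the day's log and treat any new host that keeps pulling your logo or landing on your login page as a phishing site to take down.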

Come on folks.  It's hard enough to keep the end users from shooting themselves in the foot... don't give them a loaded gun.
