# Phishing Exposed. Syngress

## Lance James, Secure Science Corporation

### Uncover Secrets from The Dark Side

FOREWORD
BY JOE STEWART
LURHQ, INC.

 Phishing Exposed

#### Author

Lance James has been heavily involved with the information security community for the past 10 years.With over a decade of experience with programming, network security, reverse engineering, cryptography design & cryptanalysis, attacking protocols and a detailed expertise in information security, Lance provides consultation to numerous businesses ranging from small start-ups, governments, both national and international, as well as
Fortune 500’s and America’s top financial institutions.
He has spent the last three years devising techniques to prevent, track, and detect phishing and online fraud. He is a lead scientist with Dachb0den Laboratories, a well-known Southern California “hacker” think-tank, creator of InvisibleNet, a prominent member of the local 2600 chapter, and the Chief Scientist with Secure Science Corporation, a security software company that is busy tracking over 53 phishing groups. As a regular speaker at numerous security conferences and being a consistent source of information by various news organizations, Lance James is recognized as a major asset in the information security community.

#### Foreword Contributor

Joe Stewart (GGIH) As Senior Security Researcher with LURHQ, Joe researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. Prior to this role, he was an Intrusion Analyst handling millions of security events for LURHQ clients while monitoring their corporate networks from the Secure Operations Center. He is a SANS Global Information Assurance Certified Incident
Handler (GCIH) and has been in the information security field for five years. He is a frequent commentator on security issues for leading media organizations such as The New
York Times, MSNBC,Washington Post, and USA Today. Additionally,
Joe has published numerous security research papers on Sobig,
Migmaf, Sinit, Phatbot and other cyber-threats and attack techniques.

#### Foreword Contributor

George Spillman currently is a Director for Acadine Informatics, president of the computer consulting group PixelBlip Digital Services and one of the principals behind ToorCon, the highly respected computer security conference that draws in and educates some of the best hackers and security experts from around the globe. As such, he travels well in hacker circles and takes great pleasure in poking and prodding the deep dark underbelly of the internet. George is a frequent guest on television news programs for his expertise and his ability to communicate complex computer security and identity theft issues to non-technical audiences. His consulting clients include representatives from both the Fortune 100 and the Fortune 100,000,000. In the past he has been lured away from consulting by large wheelbarrows of stock options to serve as Director of IT for an international
pharmaceutical R&D company, and would most likely do that again
if the wheelbarrow was included to sweeten the deal.

Introduction
Author Acknowledgements
I would like to take this page to say first and foremost, thank you to my
amazing wife.Without her strength and support I would not be where I am
today.Thanks for putting up with the @home Lance! I love you. Also, I would
like to thank my two children for being themselves.You are truly my upgrades
and even though you’re all so young, you have taught me many wonderful
lessons in life to date. I would like to dedicate this book to my entire family, the
support system I could not live without. I love you all.Thanks so much Mom
and Dad, you know why!
I would like to send shout-outs to my grandmother-in-law, you have taught
me so much more than you’ll ever know, and I don’t know if I would have
made it to the last stretch of becoming a man just right if I hadn’t met you. I
want to thank my 100 year-old Poppa for hanging in there, and teaching me
chess, gardening, and that life doesn’t have to be so complicated—at 100 you
still play a mean game of chess! I would like to thank Nana (may she rest in
peace) for everything, you have a very big place in my heart and I know you’re
watching out for me up there. I would like to thank my mother-in-law for
expecting me to go this far—and I know you know what I mean.
Above all, thank you God for blessing me every single day of my life with
the opportunities! Big-ups to you God!
I would like to thank the entire Syngress team for having the patience and
understanding of getting me through this book—you guys have been awesome
and I look forward to many other Syngress published books with you all,
specifically Jaime Quigley and Andrew Williams, thank you. Shout-outs to Dave
Stephens, Adrian Younkins (the good always die young!), Dr. Rick Foreman,
Kim, Geo, Jake, Josh, H1kari,Tim, and the whole San Diego 2600 crew!
A big thank you to the Anti-Phishing Working Group and the Digital
Phishnet members, we’ll get there, I promise.
Thanks to Joe Stewart for bailing us out at the last minute.
Anyone I may have forgot please forgive me, but that’s always a good reason
to talk to me, just to complain that I forgot!
Last, but not least, I would like to say thank you for picking up a copy of
this book, as I believe it will be an informative read, and it gave me the
opportunity to share some of the experiences I have had with the epidemic of phishing.

Foreword
In March 2003 one of our secure operations centers received a phishing e-mail
that started a chain of events that ends with this page you are reading now.
Phishing was almost unknown at the time; in fact, before that time it was generally
used only in reference to stealing AOL users’ credentials.Tracing that email
back to the source machine led us to the discovery that the recently
released Sobig virus was facilitating the anonymity of the phishing e-mail we
received; a proxy server made it impossible for us to trace the e-mail back any
further and find the culprit.These proxy servers made it possible for spammers
and phishers to begin a deluge of mail that hasn’t stopped increasing to this day.
At the time, no one had made the connection between viruses and spam;
viruses were just a nuisance propagated primarily by attention-seeking, smart,
antisocial kids.We hoped that publishing a paper on how Sobig was connected
to spam (and the phishing e-mail we received) would inspire law enforcement
officials to track down the responsible party and introduce the person to some
jail time. Instead, Sobig paved the way for what was to come: a plethora of
criminal operations that has created an amazing amount of “background noise”
on the Internet in terms of time and bandwidth wasted. Moreover, the author
of Sobig is still at large, and as far as we know, is still running a spamming operation,
even though the flood of Sobig variants stopped in late 2003.What’s
worse, however, is with each malicious creation, the noise level grows.The
problem becomes worse, and other would-be criminals learn from those operations
that went before them, adapting and then improving their methods.

Over the past two years, phishing has skyrocketed to staggering proportions.
Each technical defensive measure deployed by the network security community
and the financial organizations has been met with only an escalation in the
complexity and cleverness of the phisher’s methods. Even though phishing is
nearly a household word these days, most of the general net population doesn’t
understand exactly how phishers ply their trade so successfully with hardly any
risk of being caught. And if complexity weren’t bad enough, the different
phishing groups display a diverse range of techniques they use.Therefore,
learning the specialized tactics of one phishing group isn’t necessarily going to
bring you any closer to understanding the next one.What is needed is a comprehensive
study of the ways phishers operate—that is what I believe we now
have with this book.
I’ve dealt with law enforcement officials working on the phishing problem,
as well as individuals in the private industry, and I can say unequivocally that I
have never met anyone so “clued” on the problem as Lance James. I can’t think
of a better qualified person to write this book, and I’m happy that Syngress also
saw the need for such a tome. People who are tasked with handling the
phishing problem either in their institutions or in terms of law enforcement
should have a copy of this book on their shelves and should read it religiously.
Phishing isn’t going to be solved by technical measures alone—at some point
it has to become too risky for all but the most hardened criminals to operate in
this space.And the only way that realistically will happen is when there are arrests
occurring regularly all around the globe. I’ve often said that fighting Internet
crime effectively requires a global task force of highly clued people who have a
deep understanding of the technical issues involved as well as the authority to
kick in doors and seize servers when necessary. Law enforcement is coming up to
speed, but it is a slow, painful process to watch, especially as we see the Internet
sink further and further into a quagmire of crime committed by those who
would make a quick buck at the expense of everyone else. Hopefully, this book
will help speed up the process of providing a “clue” to those people who need it
and help stop the epidemic of phishing and identity theft that threatens to undermine
the trust the public has left in doing business online.
—Joe Stewart
Senior Security Researcher, LURHQ Corporation

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvii
Chapter 1 Banking On Phishing . . . . . . . . . . . . . . . . . . . .1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Spam Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Spam Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Classification Techniques . . . . . . . . . . . . . . . . . . . . . . . . .7
Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Cyber-Crime Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
What Is Phishing? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
What’s Not a Phish . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Phishing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
E-Mail Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . .17
Fraud, Forensics, and the Law . . . . . . . . . . . . . . . . . . . . . . .24
Phishing and the Law . . . . . . . . . . . . . . . . . . . . . . . . . .24
Spam, Spyware, and the Law . . . . . . . . . . . . . . . . . . . . .25
Promising Antiphishing Legislation . . . . . . . . . . . . . . . .28
Technical Ramifications . . . . . . . . . . . . . . . . . . . . . .29
Legal Ramifications . . . . . . . . . . . . . . . . . . . . . . . . .29
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .34
Chapter 2 Go Phish! . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
The Impersonation Attack . . . . . . . . . . . . . . . . . . . . . . . . . .40
The Mirror . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Setting Up the Phishing Server . . . . . . . . . . . . . . . . . . .45
Setting Up the Blind Drop . . . . . . . . . . . . . . . . . . . . . .49
Preparing the Phishing E-Mail . . . . . . . . . . . . . . . . . . . .53
Preparing the Con . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
The Forwarding Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
E-Mail Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
The Phishing Server and the Blind Drop . . . . . . . . . . . .64
Preparing the Con . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
The Popup Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Setting Up the Phishing Server . . . . . . . . . . . . . . . . . . .70
E-Mail Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Preparing the Con . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .83
Chapter 3 E-Mail: The Weapon of Mass Delivery . . . . .85
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
E-Mail Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
E-Mail Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Mail Delivery Process . . . . . . . . . . . . . . . . . . . . . . . .91
Anonymous E-Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Forging Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Open Relays and Proxy Servers . . . . . . . . . . . . . . . .100
Proxy Chaining, Onion Routing, and Mixnets . . . . .103
Harvesting E-mail Addresses . . . . . . . . . . . . . . . . . . . . . . .108
Harvesting Tools,Targets, and Techniques . . . . . . . . .108
Hackers and Insiders . . . . . . . . . . . . . . . . . . . . . . . .119
Sending Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
The Tools of the Trade . . . . . . . . . . . . . . . . . . . . . .120
The Anti-Antispam . . . . . . . . . . . . . . . . . . . . . . . . .124
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .133
Chapter 4 Crossing the Phishing Line . . . . . . . . . . . . .137
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Quick Overview of the Web . . . . . . . . . . . . . . . . . . . .138
Dynamic HTML . . . . . . . . . . . . . . . . . . . . . . . . . .139
HyperText Transfer Protocol . . . . . . . . . . . . . . . . . . . .139
Request, and They Shall Respond . . . . . . . . . . . . . .140
HTTP Message Header Fields . . . . . . . . . . . . . . . . .141
Status Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Misplaced Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Target: Redirects . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Target: Reflective Queries . . . . . . . . . . . . . . . . . . . .189
Target: Reflective Error Pages . . . . . . . . . . . . . . . . .204
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .213
Chapter 5 The Dark Side of the Web . . . . . . . . . . . . . .215
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
What Is Dynamic HTML, Really? . . . . . . . . . . . . . . . . . . .216
When Features Become Flaws . . . . . . . . . . . . . . . . . . . . . .218
Careful with That Link, Eugene . . . . . . . . . . . . . . . . . .223
Evasive Tactics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Patching Flat Tires . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Protect Yourself Against Fraud! . . . . . . . . . . . . . . . .234
Mixed Nuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
The Code of Many Colors . . . . . . . . . . . . . . . . . . .254
A Web Site Full of Secrets . . . . . . . . . . . . . . . . . . . . . . . . .260
Cross-Site Request Forgery . . . . . . . . . . . . . . . . . . . . .261
Session Riding . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Blind Faith . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Browser Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Attacking Yahoo! Domain Keys . . . . . . . . . . . . . . . .294
The Evolution of the Phisher . . . . . . . . . . . . . . . . . . . . . .301
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .306
Chapter 6 Malware, Money Movers, and Ma Bell
Mayhem! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Mule Driving and Money Laundering . . . . . . . . . . . . . . . .310
How Phishers Set Up Shop . . . . . . . . . . . . . . . . . . . . .311
The Process of Receiving the Money . . . . . . . . . . . . . .312
Western Union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Mule Liability and Position . . . . . . . . . . . . . . . . . . . . .314
U.S. Operations and Credit Cards . . . . . . . . . . . . . .315
Phishers Phone Home . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Defining Telecommunications Today . . . . . . . . . . . . . . .315
SIP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
SIP Communication . . . . . . . . . . . . . . . . . . . . . . . .318
Caller ID Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . .319
SBC Network Takeover . . . . . . . . . . . . . . . . . . . . .321
Anonymous Telephony . . . . . . . . . . . . . . . . . . . . . . . .324
Phreakin’ Phishers! . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Slithering Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Malware in 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Early 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Mid-2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
End of 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Trojans of 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Malware in 2005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Malware Distribution Process . . . . . . . . . . . . . . . . .329
Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Blind Drops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
The Phuture of Phishing . . . . . . . . . . . . . . . . . . . . . . . . . .342
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .345
Chapter 7 So Long, and Thanks for All the Phish! . . .347
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Looking Back . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Legal Eagle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Interagency Guidelines . . . . . . . . . . . . . . . . . . . . . . . .352
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
What About Spam? . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Antiphishing Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Stats to the Future . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
Tracksploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Stealing Their Network . . . . . . . . . . . . . . . . . . . . . . . .373
Send Me Phish! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .380
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

Screenshot

Purchase Now !
Just with Paypal

Product details
  Price 2.00 USD 416 p 8,480 KB PDF format 159749030X 2005 by Syngress Publishing, Inc
●▬▬▬▬▬❂❂❂▬▬▬▬▬●
●▬▬❂❂▬▬●
●▬❂▬●

═════ ═════