Pages

Wednesday, May 05, 2010

Credentials Verification- Security Emails Phishing and Trust Manipulation

Phishing attacks based on trust exploitation are on rise. Banks are facing tremendous complexities and security issues due to these type of attacks. The primary focus of this sort of attack is to trick user’s sense of understanding and
segregating the trust to perform operations of attacker's choice. The case studies discussed in this article sheds light on phishing attacks that exploit users' trust with the third-party. Credit card forgeries are quite common considering the bank phishing frauds. The primary artifact of the attackers is to play with the user trust and to manipulate user thinking process by raising a complexity through spams. The user inability to distinguish between the trusted website and attacker controlled website, which is a replica of the original website, results in forged transactions.

Recently HSBC, Paypal security phishing emails are used to steal the credentials of users. The phished email carry online form as an attachment which looks similar to the original HSBC bank forms for updating the credentials of the user.

Case 1 - Paypal Verification Credentials Theft

The email is sent by phisher on the behalf of Paypal verification group for re-verifying your credentials. The email looks like as



During analysis the attachment is downloaded in a restrictive environment to scrutinize against malware, infection handlers etc.



Luckily the form page does not contain malware but the form is posted to a attacker controlled domain (http://probe.201w.com/verification.php) for verification as:



On further analyzing the domain, we came across the fact that some of the users have fallen into this trap as:



The users inability to distinguish between the trust boundaries lead to compromises and information stealing.

Case 2: HSBC Verification Credentials Stealing



We performed simple analysis in controlled environment. The form looked like as



The form itself does not contain any sort of malware but the form is posted to the malicious domain (http://www.thebluzmen.com/verify.php) for verification as




A normal user should be aware of the artifacts used by the phishers to betray the trust.

0 comments: