How does phishing/malware work?


8 replies to this topic

#1 Number_6 (Members, 78 posts)

Posted 14 May 2011 - 11:53 AM

Can someone here refer me to a good technical or semi-technical explanation of how phishing-malware attacks work? I was reading recently that some big gummint installation was hit with such an attack, and tho I understand the phishing part, I'd like to learn more about how simply going to a site can result in malware getting installed on your computer without you downloading and then installing it.

I'm not too worried about my own situation, since I use Firefox with Scriptblock and have set Firefox to deny automatic installation of downloaded software. But I'm intrigued at how this is done.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 52,077 posts, Virginia, USA)

Posted 15 May 2011 - 08:15 PM

Phishing is an Internet scam that uses spoofed email and fraudulent Web sites which appear to come from or masquerade as legitimate sources. The fake emails and web sites are designed to fool respondents into disclosing sensitive personal or financial data which can then be used by criminals for financial or identity theft. The email directs the user to visit a web site where they are asked to update personal information such as passwords, user names, and provide credit card, social security, and bank account numbers, that the legitimate organization already has. Spear Phishing is a highly targeted and coordinated phishing attack using spoofed email messages directed against employees or members within a certain company, government agency, organization, or group. These fraudulent emails and web sites, however, may also contain malicious code which can spread infection.

Phishing, sometimes referred to as brand spoofing or carding, was derived from "fishing", the idea being that bait is thrown out with the hopes that some will be tempted into biting. It is essentially an old con game updated to take advantage of new technology.

Tips on how to avoid phishing:
  • The golden rule to avoid being phished is to never ever click the links within the text of the e-mail. Always delete the e-mail immediately. Once you have deleted the e-mail then empty the trash box in your e-mail client as well. This will prevent "accidental" clicks from happening as well.
  • Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It means your information is secure during transmission.
  • If you are uncertain about the information, contact the company through an address or telephone number you know to be genuine.
  • If you unknowingly supplied personal or financial information, contact your bank and credit card company immediately.
  • Suspicious e-mail can be forwarded to uce@ftc.gov, and complaints should be filed with the state attorney general's office or through the FTC at www.ftc.gov.
  • Use an anti-phishing toolbar.
  • A rule of thumb: always look for "https" in the address bar and the yellow lock icon at the bottom of the window when entering sensitive information. If it's not SSL 128 bit encrypted do not waste your time with it.
Another quick way to test if you are bring redirected is to right click on the URL and select properties. It will tell you the true URL that you are connecting to, and it should be the same as the link that you are clicking on. Use this when you suspect fraudulent links in your emails.

Pharming is a technique used to redirect as many users as possible from the legitimate commercial websites they intended to visit and lead them to fraudulent ones. The bogus sites, to which victims are redirected without their knowledge, will likely look the same as a genuine site. However, when users enter their login name and password, the information is captured by criminals. Pharming involves Trojans, worms, or other technology that attack the browser and can spread infection. When users type in a legitimate URL address, they are redirected to the criminal's web site. Another way to accomplish this scam is to attack or "poison the DNS" (domain name system) rather than individual machines. In this case, everyone who enters a valid URL will instead automatically be taken to the scammer's site.
DNS Poisoning is a pharming threat which can cause a large group of users to be lured to bogus sites by sending fake information to a DNS (domain name system) server. The DNS translates web and e-mail addresses into numerical strings so that it essentially acts like an Internet telephone directory. If a DNS directory is "poisoned" this means it is altered to contain false information regarding which web address is associated with what numeric string. DNS cache poisoning uses a technique that tricks a DNS server into believing it has received authentic information. It involves the practice of hacking into domain name servers and replacing the numeric addresses of legitimate Web sites with the addresses of malicious sites. This type of scam typically sends users to bogus Web pages where they may be asked for personal/sensitive information or exposed to malware infection. DNS servers are constantly sending out questions asking for IP addresses and receiving answers. Since they do not actually authenticate the source of the answers there is no way for a DNS server to be sure that the answer actually came from a legitimate source. Some DNS servers do not even check that they asked a question which corresponds to an answer they received... they just believe any answer that is sent to them.
Edit: Fixed two broken links.

Edited by quietman7, 16 May 2011 - 07:15 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
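The "right click the URL and look at the true address" tip in the post above is a check that can be automated. The Python below is an added example, not code from the thread or from BleepingComputer: it pulls every anchor out of a constructed HTML message and flags links whose real host is not the host shown in the link text, links that use a bare IP address, and links that hide the real host behind a `user@` prefix. The sample message, the trusted domain `bank.example` and the decoy `evil-host.example` are all made up for the example.

```python
"""Check whether the links in an HTML e-mail really point where they appear to.
Added example, not code from the thread; the message below is constructed and
bank.example / evil-host.example are placeholder domains."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style message: one honest link, three deceptive ones.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://203.0.113.5/login">verify your account</a>.</p>
<p>Or visit <a href="http://www.bank.example.evil-host.example/">www.bank.example</a></p>
<p>Secure link: <a href="https://www.bank.example@evil-host.example/">https://www.bank.example/</a></p>
<p>Help centre: <a href="https://www.bank.example/help">https://www.bank.example/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname the browser would actually connect to; tolerates a bare 'www.x.example'."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a: str, b: str) -> bool:
    """True when one host equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html: str, trusted_domain: str) -> list[tuple[str, str]]:
    """Return (href, reason) for each link that does not honestly lead to trusted_domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        reasons = []
        if "@" in urlsplit(href).netloc:
            reasons.append("text before '@' is userinfo, the real host is " + real)
        if is_ip_literal(real):
            reasons.append("bare IP address instead of a hostname")
        if "." in text and " " not in text:  # the visible text itself looks like a URL or domain
            shown = host_of(text)
            if shown and not same_site(shown, real):
                reasons.append(f"shows {shown} but goes to {real}")
        if not reasons and not same_site(real, trusted_domain.lower()):
            reasons.append(f"leads away from {trusted_domain} to {real}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_EMAIL, "bank.example"):
        print(f"{href}\n    {why}")
```

Running it against the constructed message reports the first three links and leaves the genuine help link alone. The `www.bank.example.evil-host.example` case is the one the visual "does it look right" check misses most often: the familiar name is there, just not in the position that decides which server is contacted.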
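The last paragraph of the post describes a resolver that "just believes any answer that is sent to it". The Python below is an added example, not from the thread or from BleepingComputer, that simulates that naive cache next to one that checks each reply's transaction ID and question section against a query it actually sent, and that ignores answer records for names it did not ask about. The hostnames, addresses and replies are constructed (documentation IP ranges, placeholder domains), nothing is sent on the network, and names such as `CheckingCache` and `demo` are the example's own.

```python
"""Toy DNS resolver caches: one that believes any reply it receives, one that
checks each reply against the question it actually asked.
Added example, not from the original thread; all names, IPs and replies are
constructed (documentation ranges) and nothing touches the network."""
import random
import struct

A, IN = 1, 1  # record type A, class IN


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointers are not handled by this toy parser")
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, qname: str) -> bytes:
    # header: ID, flags (RD=1), QDCOUNT=1, other counts 0; then one question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", A, IN)


def build_response(txid: int, qname: str, answers: list[tuple[str, str]], ttl: int = 300) -> bytes:
    """Reply to `qname` carrying A records; `answers` is [(owner name, dotted IPv4)]."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1 RD=1 RA=1
    msg += encode_name(qname) + struct.pack("!HH", A, IN)
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", A, IN, ttl, len(rdata)) + rdata
    return msg


def parse_response(msg: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}


class NaiveCache:
    """The failure mode described above: every A record in any reply gets cached."""
    def __init__(self):
        self.records: dict[str, str] = {}

    def handle_reply(self, msg: bytes) -> bool:
        for owner, ip in parse_response(msg)["answers"]:
            self.records[owner] = ip
        return True


class CheckingCache:
    """Caches only replies matching a query it sent, and only records for the name it asked about."""
    def __init__(self):
        self.records: dict[str, str] = {}
        self.pending: dict[int, str] = {}  # txid -> qname still awaiting an answer

    def send_query(self, qname: str) -> bytes:
        txid = random.SystemRandom().randrange(1 << 16)  # unpredictable, so a forger has to guess it
        while txid in self.pending:
            txid = random.SystemRandom().randrange(1 << 16)
        self.pending[txid] = qname.lower()
        return build_query(txid, qname)

    def handle_reply(self, msg: bytes) -> bool:
        r = parse_response(msg)
        asked = self.pending.get(r["txid"])
        if not r["is_response"] or asked is None or r["qname"].lower() != asked:
            return False  # unsolicited, stale or mismatched reply: drop it
        del self.pending[r["txid"]]
        for owner, ip in r["answers"]:
            if owner.lower() == asked:  # ignore records the answering server had no business supplying
                self.records[owner] = ip
        return True


def demo() -> dict:
    bank, lure = "www.bank.example.", "lure.attacker.example."
    naive, checking = NaiveCache(), CheckingCache()
    # 1. Unsolicited forged reply with a guessed transaction ID (constructed attacker traffic).
    forged = build_response(0x1234, bank, [(bank, "203.0.113.66")])
    naive_took_forged = naive.handle_reply(forged)
    checking_took_forged = checking.handle_reply(forged)
    # 2. Attacker answers honestly for its own name but stuffs in a record for the bank.
    q = checking.send_query(lure)
    txid = struct.unpack_from("!H", q, 0)[0]
    checking.handle_reply(build_response(txid, lure, [(lure, "203.0.113.7"), (bank, "203.0.113.66")]))
    # 3. Genuine answer to a genuine question.
    q = checking.send_query(bank)
    txid = struct.unpack_from("!H", q, 0)[0]
    checking.handle_reply(build_response(txid, bank, [(bank, "198.51.100.10")]))
    return {"naive": naive.records, "checking": checking.records,
            "naive_took_forged": naive_took_forged, "checking_took_forged": checking_took_forged}


if __name__ == "__main__":
    print(demo())
```

After `demo()` the naive cache points www.bank.example at the attacker's address on the strength of one unsolicited packet, while the checking cache rejects the forgery and discards the smuggled record in step 2. The 16-bit transaction ID on its own is a thin defence, since an attacker who floods replies can guess it; real resolvers also randomise the UDP source port and, where the zone is signed, validate DNSSEC signatures, neither of which this toy models.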

#3 Number_6 (Topic Starter)

Posted 16 May 2011 - 07:09 AM

Thanks, Quietman. I know how the phishing part works...I guess I wasn't clear enough that I'm interested in knowing how the malware part works. I know about scripts, but I didn't know that just going to a site could result in some sort of malware being downloaded to and installed on your computer, and I wanted to know how that part was done, from a technical POV.

#4 quietman7 (Global Moderator)

Posted 16 May 2011 - 07:28 AM

Please read How Malware Spreads - How did I get infected which explains the most common ways malware is contracted and spread.

#5 Didier Stevens (BC Advisor, 2,752 posts)

Posted 16 May 2011 - 07:33 AM

I know about scripts, but I didn't know that just going to a site could result in some sort of malware being downloaded to and installed on your computer, and I wanted to know how that part was done, from a technical POV.


Here's a high-level description:

One popular method nowadays is to exploit a Flash vulnerability. It works as follows: you visit a website that hosts an html page that calls a Flash script.
This Flash script executes automatically. Normal Flash scripts can't harm your machine, but this is a special Flash script. It is a script that is written specially to trigger a bug in the Flash interpreter. This bug (the vulnerability) is triggered in such a way that the Flash script can execute instructions that it would normally not be allowed to do.
And these instructions usually infect your machine with malware.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 Number_6 (Topic Starter)

Posted 16 May 2011 - 07:43 AM

I know about scripts, but I didn't know that just going to a site could result in some sort of malware being downloaded to and installed on your computer, and I wanted to know how that part was done, from a technical POV.


Here's a high-level description:

One popular method nowadays is to exploit a Flash vulnerability. It works as follows: you visit a website that hosts an html page that calls a Flash script.
This Flash script executes automatically. Normal Flash scripts can't harm your machine, but this is a special Flash script. It is a script that is written specially to trigger a bug in the Flash interpreter. This bug (the vulnerability) is triggered in such a way that the Flash script can execute instructions that it would normally not be allowed to do.
And these instructions usually infect your machine with malware.



Ahh, excellent. Just what I was looking for. Thank you.

Please read How Malware Spreads - How did I get infected which explains the most common ways malware is contracted and spread.


Thank you, will read.

#7 Oz Steve (Members, 28 posts, Australia)

Posted 20 May 2011 - 05:54 AM

Great answer Didier, that really explains it very well.

#8 Winterland (Members, 1,008 posts, The Land of Enchantment)

Posted 20 May 2011 - 06:47 AM

Quietman, Didier ~ thank you, for the links and the information/explanations.

I'm mostly a tourist here at BC, and because I come here and read so much, I haven't really had to reach out for assistance (keep my fingers crossed and my apps updated) since both my blazin' e-machine (ha!) and my wife's laptop are all patched up, up-to-date and secure.

And, my wife thinks I'm really smart.


I don't take any of this for granted, so to you two - and the rest of the wonderful BC staff/volunteers - thank you.

Now to head on out into the wild reckless www to see what's out there.


Winterland



#9 quietman7 (Global Moderator)

Posted 20 May 2011 - 12:55 PM

You're welcome on behalf of the Bleeping Computer community.



