Saturday, October 10, 2009

Level of (im)maturity in prevention

A few days ago I received an email (which did not arrive as spam) that caught my attention, so I wanted to know where it came from. Here you can see a screenshot of the email.

It is a fake message sent intentionally to my address. The first things that came to mind on seeing it were, on the one hand, the memory of the old "xploits", which I had mistakenly assumed had disappeared, simply because it is easy to underestimate them given how crude their attempts to deceive users are; and, on the other, the questions: are they still effective today? What is users' level of prevention against this kind of deception?

The point is that I also wanted to know where it came from, and so I arrived at a website that offers the "service" of sending this kind of deception, with several alternatives as to the strategies used. And of course... in fact the "xploits" never ceased to exist; they only changed their name, since this is nothing other than phishing.

However, before going into some of the site's features in more detail, I would like to share some of the arguments the author expresses directly in the "terms of use". The first thing we read is the welcome...

"Interested in discovering the passwords of friends, boyfriends/girlfriends, bosses, enemies, or whoever you want? You know that by obtaining your victim's password you could get many things, such as personal data, access data to personal sites and plenty of information."

This type of activity is punishable in most countries, since mail is private... condoning the crime? Besides... someone wants to access my email account :)

It continues with some funny and curious things that I will share... "All the information provided here is for educational and/or scientific use."

"Scientific use"?... no words...

"Our software is not designed to be used for malevolent purposes; the product is intended for responsible adults, and no person under the age of 18 may use our programs."

However, on accessing the site no warning is displayed stating that only those over 18 may enter...

"Spyware programs were created as a solution for remote monitoring and surveillance of computers."

From the perspective in which information security discusses these aspects, this is nothing but a privacy violation dressed up in other clothes. There are less intrusive and aggressive alternatives for parents who want to "monitor" certain activities of their children without reaching an abusive state. In this regard, I consider that the best solution is useless if it is not accompanied by education about the dangers that exist online. The answer is not spying on our children...

Leaving aside the superficial aspects of the deception mechanism, the domain is hosted at Hosting Solutions International Inc, located in the U.S., under the IP address 69.64.58.50. At least three domains point to this address and all redirect to the same page.

When you access this "service", you find a menu from which the deception maneuvers are managed, allowing fake messages to be sent impersonating the main (real) webmail services and two of the most popular social networks. You can even customize the messages.

The procedure, after selecting the service whose appearance will be used to provide a convincing level of confidence, is simply a matter of choosing one option among several. As an example, here is a snapshot of a Gmail account bombarded with an example of each.

All of them contain, in the body of the message, links that point to a fake page, in this case of Gmail, which requests an authentication process that is part of the deception. The page is a clone of the real one, and what it seeks is to steal the user's authentication data for the webmail service. But, in light of this, the question is... how do you realize that it is false?

Mainly, by checking where the links found in the message redirect. Simply hovering the mouse over the link shows the actual address in the browser's status bar.

Likewise, we must check the URL. In this case, the fake address begins with http://login.live.1d8gfh35f9h6438d2g6.tumsg.com/accounts/ServiceLogin.php?service...

while the real one begins with
https://www.google.com/accounts/ServiceLogin?service...

Besides being completely different, the fake one lacks the secure protocol (https) characteristic of all sites that require authentication via the web. While this particular aspect does not guarantee full security, it is a good habit to check for its presence.

However, suppose the attack is directed at a Hotmail user. The real address in this case is:

http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1255052408&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2fdefault.aspx&lc=3082&id=64855&mkt=en-

In this case we are not dealing with "https", and the fake address is very similar to the real one, so it is likely that a user who does not know much about the subject would fall into the trap without much effort. But one wonders... how many users verify the address?
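The two manual checks described above (where does the link really go, and is the login form served over https) can be written down as a small filter. The following is an added example, not code from the original post, that takes the fake Gmail link quoted above and the two legitimate login URLs and reports which indicators fire. The list of brand words and the two-label notion of a "registrable domain" are assumptions made for the example; a real deployment would use the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed sample: the fake Gmail link quoted in the post and the
# legitimate Google and Hotmail login URLs it is compared against.
FAKE_GMAIL = ("http://login.live.1d8gfh35f9h6438d2g6.tumsg.com"
              "/accounts/ServiceLogin.php?service=mail")
REAL_GMAIL = "https://www.google.com/accounts/ServiceLogin?service=mail"
REAL_HOTMAIL = "http://login.live.com/login.srf?wa=wsignin1.0"

# Brand words a user would recognise in the legitimate hosts. This set is
# an assumption made for the example, not something the post defines.
BRAND_LABELS = {"google", "gmail", "live", "hotmail", "msn"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'tumsg.com'.

    Assumption: a two-label registrable domain. Use the Public Suffix
    List in practice so that hosts like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_login_url(url: str, expected_host: str) -> list:
    """Return the reasons a login URL looks suspicious relative to the
    host the user believes they are signing in to.

    An empty list means no indicator fired; it is not proof of legitimacy.
    """
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    expected = registrable_domain(expected_host)
    actual = registrable_domain(host)

    # 1. The hover check from the post: does the link go where the
    #    message claims it goes?
    if actual != expected:
        findings.append(
            f"host {host!r} belongs to {actual!r}, not {expected!r}")

    # 2. A brand name buried in a subdomain of an unrelated domain,
    #    as in login.live.<random>.tumsg.com
    subdomain_labels = host.split(".")[:-2]
    if actual != expected and any(
            label in BRAND_LABELS for label in subdomain_labels):
        findings.append(
            "brand name used as a subdomain of an unrelated domain")

    # 3. The https check from the post: a real login form should be
    #    served over TLS.
    if parts.scheme != "https":
        findings.append("login page not served over https")

    return findings


if __name__ == "__main__":
    for label, url, expected in (("fake Gmail", FAKE_GMAIL, "www.google.com"),
                                 ("real Gmail", REAL_GMAIL, "www.google.com"),
                                 ("real Hotmail", REAL_HOTMAIL, "login.live.com")):
        print(label, check_login_url(url, expected) or "no indicators")
```

Run against the three URLs, the fake Gmail link trips all three indicators, the real Gmail link trips none, and the real Hotmail link trips only the https check, which is exactly the post's caveat: the absence of https is a useful habit to check but cannot be the sole criterion, so the host comparison has to carry the decision.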

Now, let us try to find some answers to the questions raised above (are they effective today? What is users' level of prevention against this type of deception?).

To obtain the answer, the test that was done consisted basically of sending emails with fake messages using the "services" offered by this website, obviously under a strict ethical sense, since the intention is only investigative. Moreover, unless a minimum fee of USD 15 is paid, there is no access to the passwords.

This makes evident the business that lies behind this deception system. At the same time, its creators have built a large database which so far has over 95,000 records, where each of those records is a victim.

For our purposes, which are to obtain a statistic of the level of maturity in terms of users' sense of prevention, we do not need to know the passwords, only how many users trusted the fake message.

The sample consisted of 100 addresses, to which the same message that had arrived in my inbox was sent. From one day to the next, i.e. within 24 hours of sending the hundred emails, these were the results:

Sent: 100
Users who fell into the trap: 12

As we see, a little over 10% of the users who received this email opened the message and, not only that, also trusted it and unknowingly handed over the access credentials for their email accounts.

Accordingly, trivial attacks of this kind are more common than people think and have a worrisome level of effectiveness. More worrying still, in a way, is that the level of maturity in terms of prevention is still low, and that if these figures are scaled by the number of emails of this kind that any spammer can send per day, the final toll is very high.

Related information
State of security according to Microsoft
Phishing and "stories" at Christmas
Phishing for American Express and tips

Jorge Mieres
