myhack58 | Anonymous | MYHACK58:62200610053
Published Jun 28, 2006 - 12:00 a.m.

Three typical attack methods used by phishers


Most people think of phishing as fake e-mail that tricks people into providing bank account or identity information. However, a study recently published by the Honeynet Project & Research Alliance shows that phishing is more complex, and more frightening, than that.

In this latest study, the Alliance warns that phishers are using malicious web servers, port redirection, and botnets with a fairly high success rate to lure users into taking the bait. Their efforts are more thorough and better organized than people initially imagined. In many cases they coordinate their work with other phishing groups and use several techniques at the same time.

Honeynet researcher Arthur Clune, commenting on one attack described in the report, said that such phishing sites are set up very quickly. All of these sites are prepared in advance. Whoever set up this site had clearly prepared it beforehand, because we began to see network traffic before the site was fully built. The whole process, including scanning for vulnerable web servers and other activities, is highly automated. All of this indicates that the attackers are serious, well prepared, and looking for as many vulnerable hosts as possible.

Clune said that the quality of these websites and of the spamming practices is improving. The sites use more standard English and embed better-quality images, which makes them look more like real websites. Another researcher, David Watson, said that as users become more aware of phishing and its techniques, attackers have to improve their methods. He said that the number of people taken in by these attacks surprised him.

Watson said: in many of the fraud incidents we investigated, we were surprised to find that users actually did visit those fake phishing sites. Guidance on how to use the Internet safely is apparently not reaching end users.

This study used honeypots. A honeypot is a computer deliberately left unprotected. When it is attacked, researchers can study the attacks to better understand the strategies the attackers use. In the honeypots, the researchers clearly observed phishers successfully using three different attack methods:

Compromised web servers

The first method is to compromise servers that have security vulnerabilities and install malicious web content. In a typical phishing attack, the attacker proceeds as follows:

• Scan for servers with security vulnerabilities;

• Compromise a vulnerable server and install a tool or a password-protected backdoor;

• Access the compromised server through the encrypted backdoor;

• Download a pre-built phishing site, if the compromised server is a web server;

• Perform limited content configuration and site testing (the first visit to the web server at this point may expose their real IP address);

• Download mass-mailing tools and use them to advertise the fake website through junk e-mail;

• After these steps, traffic begins to arrive at the phishing site and potential victims begin accessing its content.

The Alliance said in a statement that, from the moment a system is first connected to the Internet, this kind of attack usually takes only a few hours or a few days. The study found that attackers often launch attacks against many servers and many organizations at the same time.

Port redirection

This is the second attack method. Reportedly, on January 11, 2005, an attacker successfully broke into a honeypot by exploiting security vulnerabilities in a Redhat Linux 7.3 system.

The researchers said this attack was somewhat unusual. After compromising the server, the attacker did not upload phishing content directly. Instead, the attacker installed and configured a port redirection service on the honeypot. This service was designed to transparently re-route HTTP requests sent to the honeypot's web server to another remote server, which makes it very difficult to trace where the content actually originates.

The researchers say the attacker downloaded and installed a port redirection tool named "redir" on the honeypot server. This tool is designed to transparently forward TCP connections arriving at the honeypot server to a remote host. The attacker configured it so that all traffic entering the honeypot server on TCP port 80 was redirected to TCP port 80 on a remote web server in China.
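From the defender's side, a redirector like this shows up in flow data as inbound port 80 connections that are each shadowed by an outbound port 80 connection to one fixed remote host. The following is an added example, not part of the original report; the flow records, addresses, time window and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (documentation address ranges, not from the report):
# (epoch seconds, source ip, source port, destination ip, destination port)
FLOWS = [
    (1000.00, "198.51.100.7", 40112, "192.0.2.10", 80),
    (1000.02, "192.0.2.10", 51500, "203.0.113.80", 80),
    (1003.50, "198.51.100.9", 40300, "192.0.2.10", 80),
    (1003.51, "192.0.2.10", 51501, "203.0.113.80", 80),
    (1010.00, "198.51.100.7", 40113, "192.0.2.10", 80),
    (1010.03, "192.0.2.10", 51502, "203.0.113.80", 80),
    (1020.00, "192.0.2.10", 51600, "198.51.100.200", 80),  # unrelated outbound fetch
    (1100.00, "198.51.100.12", 40500, "192.0.2.11", 80),   # normal server: inbound only
]

def find_relays(flows, port=80, window=0.5, min_pairs=3):
    """Return {server_ip: remote_ip} for hosts whose inbound connections on
    `port` are each followed within `window` seconds by an outbound
    connection to the same remote host on `port`."""
    inbound = defaultdict(list)   # server -> timestamps of inbound connections
    outbound = defaultdict(list)  # server -> (timestamp, remote ip) of outbound ones
    for ts, src, _sport, dst, dport in flows:
        if dport != port:
            continue
        inbound[dst].append(ts)
        outbound[src].append((ts, dst))
    relays = {}
    for server, times in inbound.items():
        paired = defaultdict(int)  # remote ip -> inbound connections it shadows
        for t_in in times:
            remotes = {r for t_out, r in outbound.get(server, [])
                       if 0 <= t_out - t_in <= window}
            for remote in remotes:
                paired[remote] += 1
        for remote, n in paired.items():
            # Most inbound connections must be mirrored, not a one-off coincidence.
            if n >= min_pairs and n >= 0.8 * len(times):
                relays[server] = remote
    return relays

if __name__ == "__main__":
    print(find_relays(FLOWS))
```

A web server that serves its own content has no reason to open a matching outbound connection for every request it receives, so any hit is worth checking against the host's process and listener list.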

Botnets

This is the third phishing attack method. Between September 2004 and January 2005, the German Honeynet Project deployed a series of honeypots running unpatched Windows operating systems in order to observe botnet activity. During this period, 100 separate instances of botnet activity were recorded.

The researchers said that some versions of the bot software they captured are able to remotely start a SOCKS proxy on a compromised server.

The study argues that if an attacker with access to a botnet can start a SOCKS proxy on a remote compromised server, that server can be used to send large volumes of junk e-mail. If a botnet contains a large number of compromised hosts, the attacker can very easily send mass e-mail from a large number of IP addresses belonging to unsuspecting home computer users.

It may come as no surprise that resource-rich botnet owners use their botnets for criminal activity. Botnets are now rented out. Botnet operators sell customers lists of SOCKS v4 server IP addresses and ports. There are many documented cases of botnets being sold to spammers as tools for relaying spam.

Bottom line

From their analysis of these attack methods, the researchers concluded that phishing attacks can occur quickly. Only a very short time passes between the initial compromise of a server and the phishing site going live on the network. This makes phishing difficult to track and prevent. The study shows that many phishing attacks involve several techniques, are organized in complex ways, and often combine the methods described above.

What should IT administrators do?

Watson pointed out that hackers often scan large numbers of IP addresses looking for vulnerable hosts to attack. This scanning is indiscriminate. The most vulnerable servers will be the first ones hackers find. Network administrators should therefore follow security best practices: fix system security vulnerabilities, use firewalls and strict authentication measures, or block unnecessary inbound connections to servers.

Honeynet researcher Clune disagrees with this, and makes the following recommendations for IT administrators:

Be vigilant. Phishing sites go from setup to active operation very quickly. The people behind them expect a phishing site to exist for only a short time, so they need to set up many such sites. Although phishing sites are short-lived, the losses caused before they are discovered are large, especially on weekends.

Be careful about the simple things, too. Simple measures, such as blocking direct Simple Mail Transfer Protocol traffic for all your machines and blocking inbound HTTP/HTTPS requests to servers, make your servers harder for hackers to exploit, so that they turn to other servers that are easier to use. Enforcing Simple Mail Transfer Protocol through your gateways, while running software that detects spam, might completely prevent your servers from sending spam e-mail. From a reputation standpoint, this is a good approach.
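One way to check that Simple Mail Transfer Protocol really is being forced through the gateway is to look in firewall logs for internal hosts that contact external mail servers directly. The following is an added example, not part of the original article; the log format, internal range and gateway address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
MAIL_GATEWAYS = {ipaddress.ip_address("10.0.0.25")}  # assumed sanctioned relay

# Constructed firewall log lines (not from the article).
LOG = """\
ACCEPT src=10.0.0.25 dst=198.51.100.5 proto=tcp dport=25
ACCEPT src=10.0.4.17 dst=198.51.100.5 proto=tcp dport=25
ACCEPT src=10.0.4.17 dst=203.0.113.9 proto=tcp dport=25
ACCEPT src=10.0.4.17 dst=203.0.113.44 proto=tcp dport=25
ACCEPT src=10.0.7.3 dst=10.0.0.25 proto=tcp dport=25
ACCEPT src=10.0.7.3 dst=192.0.2.80 proto=tcp dport=443
malformed line without fields
"""

def direct_smtp_senders(log_text, smtp_ports=(25,)):
    """Map each non-gateway internal host to the set of external servers it
    contacted directly on an SMTP port."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # skip lines that are not well-formed connection records
        if fields.get("proto") != "tcp" or dport not in smtp_ports:
            continue
        # Mail handed to the gateway (internal destination) is the intended path.
        if src in INTERNAL and src not in MAIL_GATEWAYS and dst not in INTERNAL:
            hits[str(src)].add(str(dst))
    return dict(hits)

if __name__ == "__main__":
    for host, servers in direct_smtp_senders(LOG).items():
        print(f"{host} sent mail directly to {len(servers)} external servers")
```

A workstation or web server that fans out to many distinct external mail servers matches the spam-relay behaviour described above; once the gateway rule is enforced, the same lines should appear as blocked rather than accepted.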