June 20, 2003
Id: fraud-anatomy.tex,v 1.3 2003/06/20 19:06:39 cmcurtin Exp
This article is available in PDF.
Here we discuss the fraud in detail, showing how it was constructed, how it was stopped, and what consumers can do to protect themselves against these kinds of attacks.
Criminals have long preyed upon the expectations of users who can be fooled into doing things they shouldn't. The fact that this can now be done online--where fooling someone around the world is just as easy as fooling someone across town--should come as a surprise to no one.
Here we consider a recent scheme directed at eBay users, in an effort to collect their usernames, passwords, and credit card numbers.
The scheme involved sending email to eBay users, telling them that there was a problem with their credit card, and asking them to visit the eBay site, helpfully providing a link. While appearing to be from eBay, the email was actually from a cable modem user in Canada. Following the link in the email would not take the user to the actual eBay site, but an imposter.
Two critical pieces of information were targeted in this scheme: the authentication credentials (i.e., username and password) and the user's credit card information. Figure 1 shows the critical steps of the scheme from beginning to end.
Each of the thirteen steps identified here supports one of three goals needed for the thief to achieve his objective. Those goals are creation of the fraudulent eBay site, directing users to the fraudulent site, and then operating the fraudulent site such that users never suspect what has happened.
Creation of the fraudulent site is obviously necessary for this scheme so that users will be inclined to enter sensitive authentication and financial information.
Instructing the eBay site to send a copy of the source is as simple as having the attacker point his browser to http://www.ebay.com/.
The attacker now has the source code needed to replicate the "look and feel" of the eBay site on any server of his choosing. With some minor modifications to the code, the results of forms can be sent to new programs that reside on the attacker's computer, instead of the legitimate form processing software on the real eBay web site.
Unbeknownst to eBay, however, the attacker has not been simply displaying the data he has downloaded. He has created a new site of his own, using the HTML and images from eBay, with modifications to ensure that the data submitted by the user will be collected by the attacker's site instead of submitted to the legitimate eBay web site.
Once the site is finished, it is put online, where it will await users who submit their information to it.
With the exception of the truncated copyright notice, there seems to be very little indication of anything being amiss. Indeed, to non-experts, the reason given for having deleted the credit card information might even sound plausible.
Careful examination of the email's HTML source will show the actual link. Figure 3 shows the HTML source of the paragraph and the link itself.
The URI is very carefully constructed to appear to be legitimate but to redirect to the fraudulent Web site. Here we break the URI into its parts.
At this point, the user believes that he is following a legitimate link to the eBay web site. What the user sees instead is the illegitimate copy of the eBay web site created in steps one through four.
Note that no matter what the user enters, the fraudulent site will behave as if the username and password were entered correctly. This reinforces the idea to the user that the site is the correct one: when the user enters the right authentication credentials, the site accepts them, and only the user and eBay's server should know what those credentials are.
Note that because the site is not using cryptographic methods for authentication or session confidentiality, the credit card is also exposed to eavesdroppers.
At the end of the session, the user believes that he has updated his eBay account, and the attacker has collected the username, password, and credit card information of eBay users who fell for the scam.
Two collaborators (or one person doing two things) worked to launch the scheme: the sender of the fraudulent email and the operator of the fraudulent web site.
First, we wanted to identify the fraudulent web site, since it was still active and capable of collecting sensitive information. As was identified above (in step 8), the web site to which clients were directed was www.john33.netfirms.com. Theoretically, WHOIS records should help us to contact the right folks. However, since registration of domain names is open to anyone, the perpetrators of fraud frequently submit fraudulent contact information to these records.  Additionally, some otherwise legitimate domains populate the WHOIS records with bogus data to avoid being targeted by spammers.
NetFirms is a fairly well-known hosting service, so the likelihood that their WHOIS records were incorrect wasn't especially high.
Since registration of Internet numbers is much more tightly controlled, WHOIS records for network numbers are much better maintained and less likely to contain bogus information. So even though checking the WHOIS record for NetFirms would probably get us the information we needed in this case, we opted to match the IP address to the network contact, as it is more general, and will work even if the fraudulent web site were hiding on a network whose administrators were harder to contact.
Using command-line utilities like host or nslookup2 would reveal the IP address as [220.127.116.11].
Using the command-line utility whois3, we were able to identify TELUS Communications as the network administrator. A phone call placed to TELUS got us connected to some helpful folks there who gave us the telephone number for their security and abuse contact.
A gentleman who answered the phone asked us to email details, along with a forwarded copy of the message showing the link to the fraudulent site to the abuse contact, and to send him a copy as well. He then promised to call over to the security group to be sure that someone would look at it quickly.
Our next step was to identify the source of the email. By reading the mail headers [1,2] (shown in Figure 4), we can see that the source is u201n212.hfx.eastlink.ca [18.104.22.168]. A telephone call to Eastlink (in Halifax, Nova Scotia) alerts Eastlink to the problem. The helpful folks there ask for a copy of the message to be sent to their abuse contact.
Had this message originated from overseas, finding a reasonable point of contact might have been more difficult. In this particular case, it appears to be a high-speed cable modem Internet connection sent into someone's home.
Technically, the telephone call was unnecessary, but I placed it because I wanted to alert them to what was probably an ongoing incident of international wire fraud, and probably a lot of other things. It's a much bigger mess than, say, sending spam, and I wanted to be sure that it didn't sit in a queue for hours or days before someone was aware of the situation. That might be the kind of thing to which an administrator would want (after verification) to respond immediately.
Since this was potentially very large fraud involving many victims, crossing state and national boundaries, this is no doubt of interest to law enforcement officials. As I am a member of InfraGard, I decided to report the matter through InfraGard.4
Finally, since eBay impersonated, it would likely want to be made aware of the incident in an effort to keep its users' accounts safe, perhaps locking out any that might appear to be involved in fraudulent activity.
It is noteworthy that the user who originally got the fraudulent email tried to find a way to report the incident to eBay, but was unable to find anyplace to report this kind of activity. Ultimately, we reported to firstname.lastname@example.org, and watched to see whether a bounce came in. One never did, but as of this writing--five days after the incident--we have yet to receive as much as an acknowledgment from eBay.
There are some lessons here for end-users of systems that can help them to avoid falling victim to online fraud.
Fraud often depends upon someone making a quick decision, before having time to consider possible ramifications. Consider the original text of the fraudulent email: "This is the quickest way of getting information to us."
If, as had been stated in the email, the account data had been deleted, the critical data would be safe, and the worst case scenario would be that the user would not get something for which he won a bid.
If it seems strange to be asked for some kind of information in a strange sequence of events, or at a strange time, beware. If you made a credit card purchase, it would be either accepted or rejected quite soon--usually immediately.
If the vendor has a mechanism for entering sensitive information, follow it. Beware of the dangers that could come from the appearance of deep linking.
If it doesn't make sense for a vendor to ask for your credit card number, don't be afraid to question it. If the explanation sounds fishy, don't be afraid to question it. Remember that when you're doing the buying, you're the boss.
When you're connecting to a site that involves any kind of financial transaction, the connection should be "secured." In the browser, a small padlock will appear, and it will be locked. That tells you that the connection is encrypted, but it does not verify with whom you are speaking.
Clicking on the lock will open a new dialog and present you with the option of viewing the certificate in use. Look at it and be sure that the URI is exactly what you think it is.
In this particular case, the fraudulent site made no serious attempt to impersonate a secured eBay server, so the lock never closed.
As the Internet becomes more of a normal part of every day life and commerce, it will become more frequently used as the means by which thieves attempt to perpetrate their deeds. Users need to be aware of the dangers, understanding the limits on how well they can be protected by others, and the need to defend themselves.
There is good news in this regard, however. The simple fact that I was able to pick up a telephone and talk to someone at a Federal law enforcement agency is a tremendous step forward from where we were even five years ago.
Companies that do business online, particularly with consumers, need to understand that they will be frequent targets for this kind of activity. (In the week following this incident, I was advised of two separate incidents of almost identical nature, targeted at Best Buy customers.) Such companies need to be sure that they are encouraging good security practice, such that an attacker cannot send something that is usual to receive that fools the user into doing something bad.
Successful security will require that we work together thoughtfully to identify and to stop fraud and other electronic crimes. It won't be quick and it won't be easy, but it can be done, reasonably and effectively.
Matt Curtin, CISSP is the founder of Interhack Corporation, a professional services firm with information assurance, forensic computing, and information systems practices. His work includes published research in secure systems development, dozens of technical reports, and several books on online privacy and computer security. His information security work is cited by University courses worldwide and NIST. He has given expert testimony given in civil litigation dealing with Internet privacy and computer systems, work which recently led to clearer definition of "protected content" under the Electronic Communications Privacy Act of 1986 (ECPA) by the U.S. Court of Appeals for the First Circuit.
This document was generated using the LaTeX2HTML translator Version 2002-2-1 (1.70)
Copyright © 1993, 1994, 1995, 1996,
Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999, Ross Moore, Mathematics Department, Macquarie University, Sydney.
The command line arguments were:
latex2html -split 0 -no_navigation -show_section_numbers fraud-anatomy
The translation was initiated by Matt Curtin on 2003-06-20