Phishing and what to do about it

- by Paul Murphy -

Most phishing depends on spam to make that initial connection to the victim. Beyond that, however, phishing and spam have two interesting things in common:

  1. First, "getting away with it" depends, in both cases, on using the internet's jurisdictional and informational barriers to thwart swift retribution.

    Thus phishing spam is usually sent from a network or PC taken over without the owner's knowledge - meaning that the real criminal is long gone before the police or anyone else gets past the initial hurdles posed by the need to identify and alert the system's owners. That's fundamentally what's done with servers too, except that in this case the servers are usually easy to find and the jurisdictional barriers are international. Either way, however, the thieves are long gone before the authorities can jump through the hoops needed to get enforceable co-operation from those concerned.

  2. Secondly, success depends mainly on the victim's credulity, not the victim's choice of technology. In stark contrast to their relative immunity to viruses and worms, almost all of which depend on weaknesses in Intel's x86 CPU architecture, people who use MacOS X or other non-Intel based Unix are every bit as vulnerable to phishing exploitation as anyone in Microsoft's x86 environment.

It's these two commonalities that make using normal market behavior to fix the problem pretty easy. All that's needed to facilitate an appropriate market response to drive these people out of business is a technology allowing the recipient to know, with certainty, where any internet-transmitted material, including email, text messaging, and internet telephony, came from.

Suppose, for example, that one million people received a piece of spam designed as a phishing lure - and that half the network administrators responsible for the devices used by the email recipients responded by mailing it back to the originator at a ten-for-one rate?

Today, we can't do that simply because the ease with which email return addresses can be spoofed (falsified) can turn this into an overpowering denial of service attack on the innocent. If, however, everyone knew for sure who really sent offending e-mail, then the resulting opportunity for effective denial of service retributions on the guilty would quickly make spam, and thus phishing, an unprofitable business.

There are "innocently guilty" parties here. For example, a person whose home PC was taken over by a spam sender, or a company whose network web servers were subverted to serve a phisher, would both suffer denial of service attacks. To some extent that would be unfair, but of course their role in the original attack on the internet community is only partially accounted for by the simple bad luck of becoming someone's target; their share of the responsibility arises from their own poor technical choices and administrative practices.

In other words, there's little question such people would be hurt, but there is a good argument to be made for this being, on balance, better than the alternative in which they face no penalty for letting criminals misuse their equipment and connectivity to hurt others.

Notice, furthermore, that an instant, full-on denial of service attack on a spam sender has no lasting effects and thus can't accidentally hurt the genuinely innocent the way many of the current spam blockers do. Under this plan someone whose PC or network is taken over by spammers will be functionally denied access to the shared internet by the response - but only until the problem is cleared up and the affected system stops originating spam. In contrast, someone whose internet address is accidentally or maliciously listed by spam blocking database operators can find it virtually impossible to clear themselves without changing domain names and internet service providers.

Notice too that this is what was wrong with the recent European experiment by Lycos - in which they provided a screen saver that bombarded known spammer sites with junk to create a distributed denial of service attack and thereby ran afoul both of basic concepts of fairness and specific legislation designed to protect the innocent.

There is an easy way to ensure that all arriving internet communications carry authenticated source information: add that information when a packet destined for internet transmission arrives at the first carrier-owned router it encounters.

This approach takes advantage of the fact that the internet is a shared resource but not a free resource. For everyone with access there is somebody who pays for that access, and whether that's an individual, an employer, or a hosting company doesn't matter. Access rights are always traceable to someone who writes a check and that information can be encoded in the information packets handled by the first device owned by a transmission services supplier encountered on leaving the customer's premises.

The routers involved would have to form a self-authenticating ring, but the technology to do that - an adaptation of public key encryption to message signing - is well known and understood. Thus making it happen wouldn't be technically difficult, and the nature of the carrier's role as the packet producer's gateway to the internet means that attempts to send packets with false information already loaded will fail, while internal authentication among participating routers should make spoofing it at the penultimate point of delivery impossible.

With that in place, mail transfer agents and other communications programs could add a display field showing the authenticated source of each arriving transmission and people could take appropriate action on receipt of spam at corporate gateways or personal computers.

Notice that a program running on a recipient computer can falsify a return address and thereby trigger a denial of service attack on someone other than the real sender. In that case, however, the packets sent to achieve this will have that sender organization's return address encoded and even well co-ordinated attacks of this kind should therefore come to an administrator's attention very quickly. A criminal, furthermore, who attempts to push origination "upstream" by buying a router with the authentication capabilities and then tries to pass himself off as an originating carrier must have an account with a carrier to pull this off - meaning that the imposture will be caught almost immediately.
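As an added illustration of the edge-stamping and gateway verification described above (example code, not part of the original article): the first carrier-owned router overwrites any origin field the customer pre-loaded and tags (origin, payload) with its ring key; the recipient's gateway or MTA recomputes the tag before displaying the source. HMAC with a constructed key directory stands in for the public-key signing the article proposes; the carrier names and account identifiers are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed toy key directory for the "self-authenticating ring" of
# carrier-owned edge routers. HMAC stands in for the public-key signing
# the article describes (so, unlike a real signature, any ring member
# holding a key could also forge that carrier's tag).
CARRIER_KEYS = {
    "carrier-a": b"constructed-secret-key-for-carrier-a",
    "carrier-b": b"constructed-secret-key-for-carrier-b",
}


def _bind(origin: dict, payload: str) -> bytes:
    # Bind the origin claim to the payload so a valid tag cannot be lifted
    # from one transmission and re-attached to another.
    return json.dumps({"origin": origin, "payload": payload}, sort_keys=True).encode()


def stamp_origin(packet: dict, carrier_id: str, account_id: str) -> dict:
    """First carrier-owned router: discard whatever origin the customer
    pre-loaded and attach a tag over (origin, payload) with the ring key."""
    origin = {"carrier": carrier_id, "account": account_id}
    tag = hmac.new(CARRIER_KEYS[carrier_id], _bind(origin, packet["payload"]),
                   hashlib.sha256).hexdigest()
    return {"payload": packet["payload"], "origin": origin, "origin_tag": tag}


def verify_origin(packet: dict) -> Optional[str]:
    """Receiving gateway / MTA: return 'carrier/account' for the display
    field if the tag checks out against a known ring member, else None."""
    origin = packet.get("origin")
    tag = packet.get("origin_tag")
    if not isinstance(origin, dict) or not tag:
        return None
    key = CARRIER_KEYS.get(origin.get("carrier"))
    if key is None:  # claims a carrier that is not in the ring
        return None
    expected = hmac.new(key, _bind(origin, packet.get("payload", "")),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return f"{origin['carrier']}/{origin['account']}"


if __name__ == "__main__":
    # Constructed phishing lure whose sender pre-loaded a false origin field.
    lure = {"payload": "From: security@bank.example ...",
            "origin": {"carrier": "carrier-b", "account": "bank"}}
    stamped = stamp_origin(lure, "carrier-a", "acct-0042")  # edge router replaces it
    print(verify_origin(stamped), verify_origin(lure))  # carrier-a/acct-0042 None
```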

Most of today's phishing scams depend on spam: a technology enabling a market response to spam also responds to phishing - no spam, no email-based phishing.

Since all the technology for this, including the self-authentication needed for the routers, is well understood and available "off the shelf", the question is, why isn't anyone doing it?

The answer, oddly enough, is that it's not done, because no one does it.

That means getting it done will require either regulation by a major government such as that of the US or leadership by a major router maker - because once one starts, all the others have to follow.

But where will the impetus to action come from? It won't come from Cisco and the rest of the Microsoft community because the PC security business, now spreading rapidly to cell phones and even text pagers, is a multi-billion dollar opportunity for them. Doing what works is contra-indicated for an industry that grows through failure.

My guess, instead, is that this change will come about very quickly in response to increased caller-id spoofing and other abuses affecting IP telephony (known as VoIP).

Today users can generally trust caller id and have almost total faith that a number looked up and dialed personally will result in the intended connection. With PC-based internet telephony, however, calls in both directions fall heir to the weaknesses in PC networking. Calls coming in to VoIP users can have their calling number identification spoofed almost as easily as any other return address - and user PCs or VoIP servers equipped to originate VoIP calls can have their software modified to misroute calls to specified numbers. Either way, VoIP users simply can't trust that the call they get from, or place to, their bank isn't really connecting them to an off-shore phishing operation.

There are sample exploits for both parts of this now, but the problem hasn't yet become terribly significant because VoIP acceptance is still relatively low. As this market grows, however, the problem will force the bigger players, mainly banks and telcos, to enforce accuracy in both caller id and call routing. It seems reasonable to expect, therefore, that the VoIP technology leaders, Lucent and Avaya, will start putting sender authentication controls at the interfaces to the traditional phone systems - thereby signaling the end of both spam and phishing while giving themselves a significant, if short-term, competitive advantage in routing and related products.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry.