Monday, April 10, 2017

What is Pharming ?

Pharming is a scamming technique in which attackers redirect the traffic of a legitimate website to a fraudulent website in order to spread malware or steal sensitive data from victims. A typical example of pharming: a user types in the URL bar, but gets redirected to a fraudulent website which looks identical to the Amazon website. When the user types in his credentials or banking details, the information goes directly to the attackers. Attackers often use several techniques to make this possible.

Pharming vs Phishing

In phishing, attackers typically send a victim an email or SMS containing a link, or trick the victim into clicking on a malicious link in some other way. The malicious link may point to a website which looks almost identical to some legitimate website. If the victim does not recognize the trickery and ends up giving sensitive details like credentials or banking information, the information goes directly to the attackers. In other words, in a phishing scam attackers may use an identical looking website, but the URL of the website will be different from the actual one, though a victim may not notice the difference and may fall prey.

In pharming, on the other hand, a victim types the correct URL of a legitimate website, yet he gets redirected to an identical looking fraudulent website. Attackers often use techniques like DNS Cache Poisoning or compromise the host file on a computer to make this possible.

So, in other words, phishing typically uses a bait in the form of a phony email, link or attachment to redirect a user to a fraudulent website, whereas pharming can automatically redirect a user to a fraudulent website, even though the user has typed in the correct URL in the address bar.

How is Pharming done ?

Two major techniques used by attackers in pharming are host file modification and DNS Cache Poisoning. Let’s understand in more detail how these two methods are actually used in pharming.

Pharming using host file modification

When we type a URL in the address bar of a browser, the hostname in the URL gets converted into an IP address, and the IP address is then used to access the actual website. A computer often uses a host file for this mapping: a host file is an operating system file that maps hostnames to IP addresses. Attackers often use malware to compromise the host file on a computer, so that when a user types the address of a legitimate website in the address bar of a browser, the browser gets the IP address of the fraudulent website instead and the user gets redirected to the malicious website, though he typed in the correct URL.
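A defender can audit the host file for exactly this kind of override. The following is an added example, not code from the original post: it parses a hosts-format file and reports entries that pin a watched domain (or a subdomain of it) to a fixed IP address. The sample file, the watch list and all names in it are constructed placeholders.

```python
import ipaddress

# Constructed sample host file (not from the original page). Addresses are from
# the RFC 5737 documentation ranges and the domains are placeholders.
SAMPLE_HOSTS = """\
# sample host file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example          # ad blocking entry
203.0.113.66    www.bank.example bank.example
198.51.100.7    intranet.corp.example
203.0.113.66    login.shop.example
"""

# Hypothetical watch list: names that should only ever be resolved through DNS.
WATCHED = {"bank.example", "shop.example"}


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for every mapping line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank line or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an IP address
        yield number, ip, [name.lower().rstrip(".") for name in fields[1:]]


def is_watched(name, watched):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return (line_number, hostname, ip) for each watched name pinned to an address."""
    findings = []
    for number, ip, names in parse_hosts(text):
        # Simplification: loopback and 0.0.0.0/:: entries are treated as blocking
        # entries, not redirects, and are not reported.
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if is_watched(name, watched):
                findings.append((number, name, str(ip)))
    return findings


if __name__ == "__main__":
    for number, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {name} is pinned to {ip}")
```

On a real system the text would be read from /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead of the embedded sample.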

Pharming using DNS Cache Poisoning

When we type a URL of a website in the address bar of the browser, our computer contacts the Domain Name Servers or DNS Servers to resolve the IP address of the website. Now, the Internet does not have a single DNS Server, because that would be very inefficient. Instead, our ISP runs its own DNS Servers, which cache information from other DNS Servers. Our home router has its own DNS Server, which caches information from ISP's DNS Servers. And, our computer has a local DNS cache, which stores responses of previous DNS queries made by the computer.

The function of DNS cache is to store responses of previously made DNS queries, so that next time the same DNS query is made, it doesn't have to contact the DNS Servers again. Instead, it can retrieve the IP address from its cache.

A DNS Cache is said to be poisoned when it stores a malicious entry instead of a valid one. For example, if we type, for the first time our computer will make a DNS query to the appropriate DNS Server and, once it gets a response, it will store the IP address of in its DNS Cache, with a timestamp up to which the entry remains valid. Within that time, if we type again, our computer will look at its DNS Cache for the entry.

Suppose our computer has made a DNS query and is waiting for a response from the DNS Servers. But, instead of an authentic response, it gets a response containing the IP address of the attacker's website. Its DNS Cache will then be poisoned, and from then on, whenever the computer tries to resolve the IP address of the same URL, it will end up being directed to the attacker's website.

In a similar way, the DNS Cache of any DNS Server may also get poisoned, because the ISP's DNS Server gets responses from other DNS Servers and stores those responses in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers and from them to all computers.

Attackers often use DNS Cache Poisoning for the purpose of pharming. They poison the DNS Cache to store the IP address of their malicious website, so that even though a user types in the correct URL, the browser gets the IP address of the fraudulent website and the user gets redirected to the attackers’ website.
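The cache chain described above (computer, home router, ISP) can be modelled offline to see why a poisoned entry survives a local cache flush and how long it lasts. This is an added example, not code from the original post: it models only the outcome of poisoning (a bad entry already sitting in the ISP cache), and every name, address and TTL in it is a constructed assumption.

```python
GOOD_IP = "192.0.2.10"       # constructed: the site's real address
BAD_IP = "203.0.113.66"      # constructed: address of the fraudulent site
NAME = "www.shop.example"    # constructed hostname


class Authoritative:
    """Source of truth for a zone; every answer is valid for `ttl` seconds."""

    def __init__(self, records, ttl):
        self.records, self.ttl = records, ttl

    def resolve(self, hostname, now):
        return self.records[hostname], now + self.ttl


class DnsCache:
    """A caching resolver that asks `upstream` only on a miss (toy model, no network)."""

    def __init__(self, name, upstream):
        self.name, self.upstream = name, upstream
        self.entries = {}                      # hostname -> (ip, expires_at)

    def resolve(self, hostname, now):
        cached = self.entries.get(hostname)
        if cached and now < cached[1]:
            return cached                      # still valid: upstream is never asked
        answer = self.upstream.resolve(hostname, now)
        self.entries[hostname] = answer        # keep the upstream's expiry time
        return answer

    def flush(self):
        self.entries.clear()


def poisoned_caches(caches, hostname, reference_ip, now):
    """Names of caches holding an unexpired answer that differs from a trusted reference."""
    return [c.name for c in caches
            if hostname in c.entries
            and now < c.entries[hostname][1]
            and c.entries[hostname][0] != reference_ip]


def run_scenario():
    isp = DnsCache("isp", Authoritative({NAME: GOOD_IP}, ttl=300))
    router = DnsCache("router", isp)
    host = DnsCache("host", router)
    chain = (host, router, isp)
    log = []

    def lookup(label, now):
        ip = host.resolve(NAME, now)[0]
        log.append((label, ip, poisoned_caches(chain, NAME, GOOD_IP, now)))

    # Outcome of poisoning only: the ISP cache holds a bad entry valid until t=600.
    isp.entries[NAME] = (BAD_IP, 600)
    lookup("first lookup", 10)
    host.flush()
    lookup("after flushing the computer's cache", 20)
    host.flush()
    router.flush()
    lookup("after flushing computer and router", 30)
    lookup("after the entry's validity time has passed", 600)
    return log


if __name__ == "__main__":
    for label, ip, bad in run_scenario():
        print(f"{label}: got {ip}, poisoned caches: {bad or 'none'}")
```

The first three lookups return the bad address because the ISP cache keeps re-seeding the caches below it; only once the entry expires (or the ISP cache itself is flushed) does the valid answer come back.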

How to prevent Pharming ?

We can always take a couple of steps to protect ourselves in a better way.

  • ISPs can do much to prevent pharming. They can filter out malicious redirects up to a great extent. So, use a trusted ISP. Rigorous security at the ISP level can be a good first line of defense against pharming.
  • It is always a good practice to look at the address bar of a browser and check whether there are any spelling mistakes in the URL before providing any credentials to the website.
  • Pharmers often target banking and ecommerce websites. So, before typing in any financial details, it is always a good practice to verify whether HTTPS is being used. No legitimate website will transfer any sensitive information without using HTTPS.
  • It is always a good practice to verify the digital certificate of a website when you have any doubt. You can go to browser properties menu and click on the “Certificate” tab to verify whether the website is using a secure certificate from its legitimate owner.
  • Look at the padlock in the address bar of a browser to verify whether the connection is secure. An unlocked padlock indicates an unsecured connection.
  • Use anti-malware programs from trusted sources and keep them updated regularly. Some anti-malware programs can detect pharming.
  • Keep your Operating System and browser updated with recent security patches. Attackers often exploit security vulnerabilities present in a system to infect the system. The more up to date a piece of software is, the fewer known security vulnerabilities it has.

What is Smishing ?

We often get spam SMS messages. They are not only annoying; sometimes they can be dangerous too. Attackers often harvest phone numbers of potential victims and send them malicious SMS messages, typically containing a link or a number to call back. When a user clicks on the link or calls the number provided, he falls prey to the scam. This type of scam is called smishing.

A typical example of smishing will be an SMS like this :

We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order clicking on the link

If a victim clicks on the link, he may get redirected to a malicious website spreading malware, or he may end up on a fraudulent website that looks identical to some legitimate website and compromise sensitive credentials or other personal details.

Smishing is a type of phishing scam in which attackers use SMS or Short Message Service to deceive users. Attackers often use smishing to steal sensitive information from users or to spread malware.

The term “smishing” is derived from two words, “SMS” and “phishing”. An SMS is typically used in this type of scam, hence the name.

Some real life examples of Smishing

Amazon Phishing Scam

This smishing scam appeared in January, 2017. In this scam, a victim typically gets an SMS as mentioned below:

Order Confirmation (#101-2341765-1192723)

Order total: 70$

If you did not authorize this purchase, click to Cancel and Refund.

As usual, the link points to a fraudulent website that looks almost identical to the Amazon website and asks the victim for sensitive credentials. The fake website even asks the victim to enter credit card numbers. On providing such sensitive details, the victim's Amazon account as well as financial details get compromised.

However, if you look carefully, you can notice some pointers that indicate the SMS is not legitimate.

  • It should have been written as $70 and not 70$. A legitimate communication should not have this mistake.
  • It is unlikely that Amazon will send a link using such a URL shortening service.

However, if a user gets any such unexpected text, the best way to deal with it is not to visit the provided link, but to log in to the legitimate Amazon website and verify the active orders. The user can also call Amazon customer care and clarify.

Apple Phishing Scam

This smishing scam appeared in 2016. A victim typically gets an SMS as mentioned below:

Your Apple ID has been locked for invalid details and is pending termination. Confirm your details at http://somesmishinglink Apple.

In this case also, if a victim clicks on the link, he gets redirected to a fraudulent website which looks identical to Apple’s legitimate website and asks the victim for sensitive credentials.

However, if a user gets any such SMS, the best response is not to visit the link, but to log in to the legitimate Apple website and check whether there is any such notification, or to call Apple customer care directly to verify.

Netflix Phishing Scam

This smishing scam also appeared in 2016. The scam mainly targeted Australian Netflix users.

Update your Netflix Account so you can continue enjoying your Netflix service. http://somesmishinglink

This link also points to a fraudulent website that looks identical to the legitimate Netflix website and asks for sensitive credentials. A user receiving any such SMS should verify the information by going to the legitimate Netflix website instead of clicking on the link, or call Netflix customer care and report it.

How to prevent Smishing ?

We can always take a couple of steps from our side to protect ourselves in a better way.

  • Never ever share your financial information via SMS, call or email. A bank will never ask any of its customers for that.
  • Do not follow instructions on an SMS sent by an unknown sender. Delete such SMS instantly.
  • Please be alert to the fact that an SMS claiming to be from your bank may not be genuine.
  • Do not click on any link of an SMS sent by an unknown sender.
  • If you get an unexpected SMS asking you to provide sensitive information quickly, be careful. Attackers often use social engineering to create a sense of urgency and ask for a quick response, so that victims do not get much time to think and reveal all the requested sensitive information instead.
  • It is always good to block unwanted numbers from sending texts or calls.
  • If an SMS sent by some unknown sender asks for calling a number, do not do that.
  • If anything looks suspicious, do your research before responding. Sometimes a simple Google search reveals a lot.
  • Use your common sense and caution and make sure you do not fall victim to identity theft.
  • Beware of messages that come from numbers that do not look like phone numbers, for example 5000 numbers. These messages are actually sent by email-to-text services. Attackers often use these services to mask their identity.
  • Never reply to any suspicious messages hurriedly. If your bank is to cancel your credit card, you should be able to call your bank customer care and discuss the matter with them.
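The warning signs named in this post (a currency symbol after the amount, a shortened link, urgent or threatening wording, a sender that does not look like a phone number) can be turned into a simple triage check for reported messages. This is an added example, not code from the original post: the shortener list and phrase list are small assumed samples, the sender numbers and the bit.ly link are constructed, and a hit means "look closer", not "confirmed scam".

```python
import re

# Small assumed sample of URL shortening services; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
# Assumed phrases, drawn from the wording of the sample messages in this post.
URGENCY = ("locked", "pending termination", "unless you cancel",
           "did not authorize", "update your")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
AMOUNT_THEN_SYMBOL = re.compile(r"\b\d+(?:[.,]\d+)?\s?[$€£]")   # "70$", not "$70"


def triage_sms(sender, body):
    """Return the list of warning signs that a reported message trips."""
    hits = []
    hosts = [h.lower() for h in URL_HOST.findall(body)]
    if hosts:
        hits.append("contains-link")
    if any((h[4:] if h.startswith("www.") else h) in SHORTENERS for h in hosts):
        hits.append("shortened-link")
    if AMOUNT_THEN_SYMBOL.search(body):
        hits.append("currency-symbol-after-amount")
    if any(phrase in body.lower() for phrase in URGENCY):
        hits.append("urgency-or-threat")
    # Short codes such as "5000" and alphanumeric senders are not phone numbers.
    if not sender.lstrip("+").isdigit() or len(sender.lstrip("+")) < 7:
        hits.append("sender-not-a-phone-number")
    return hits


# Constructed samples modelled on the messages quoted in this post.
SAMPLES = [
    ("5000", "Order Confirmation (#101-2341765-1192723) Order total: 70$ "
             "If you did not authorize this purchase, click http://bit.ly/EXAMPLE "
             "to Cancel and Refund."),
    ("+15555550100", "Your Apple ID has been locked for invalid details and is "
                     "pending termination. Confirm your details at "
                     "http://somesmishinglink Apple."),
    ("+15555550123", "Running late, see you at 6. Dinner is $70 for two."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body))
```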

What is Vishing ?

Vishing is the practice of using social engineering over the telephone system with the purpose of stealing sensitive financial information or other sensitive personal data from a victim. Vishing is one of the most serious threats today and is widely perpetrated by criminals.

The word “vishing” is a combination of two words, “voice” and “phishing”. In this technique, attackers use the telephone system to do phishing, hence the name.

Vishing is typically used by criminals to steal sensitive banking information like account number, PIN, password, OTP and credit card numbers or to steal other personal details of users that the attackers can exploit to perpetrate identity theft.

Attackers often use VoIP and automated systems like IVR to perpetrate vishing. They may even use techniques like War Dialing and Caller ID Spoofing to serve their purpose.

What is War Dialing ?

Attackers often use war dialing to harvest phone numbers of potential victims. It is a technique to automatically scan a list of telephone numbers in a particular region. Attackers often use dedicated software to dial all numbers in a local area one by one. As soon as they get a response from any number, they simply note it down, so that they can later use it for vishing.

What is Caller ID Spoofing ?

Attackers often use Caller ID Spoofing to deceive a victim in vishing. They mask the actual caller's telephone number, and a different, deceptive number appears on the victim's receiver.

Attackers can use a variety of methods and different technologies for that purpose. In the past, Caller ID Spoofing required advanced knowledge, but nowadays attackers often use VoIP or PRI lines to do it easily. For example, some VoIP providers give a user the option to configure the displayed number. This has lots of legitimate uses too. For example, a doctor may want to call a patient back from his home, but may not want to reveal his home phone number. But attackers often use this technique to hide their identity and impersonate others.

How does Vishing work ?

Attackers may perpetrate vishing as mentioned below.

  • Criminals first harvest phone numbers of potential victims. They may use several techniques for that purpose. They may steal phone numbers from an institution or they may use war dialing to find out valid phone numbers.
  • The criminals then start making calls to potential victims. They usually use Caller ID Spoofing to deceive the victims and hide their identity.
  • In a vishing call, the attackers may trick a user into revealing sensitive financial details. They may say the call is from a bank, that there is a problem with the user’s bank account or credit/debit card, and that the user needs to give his financial details to the caller in order to address the problem. The attackers may also use automated instructions to ask the victim to type in his credit card number, account number or PIN on the keypad. And, in some cases, the attackers ask the victim for personal details that they can later use to impersonate the victim for fraudulent purposes.

A real life example of Vishing

A widely perpetrated vishing scam is the Microsoft tech support scam. In this scam, the attackers typically call a victim posing as a member of Microsoft technical support and inform the victim that his computer is infected with malware which is generating all sorts of errors. The attackers can then ask for remote access to the victim’s computer or ask the victim to download some software or fake anti-malware programs to solve the victim’s problem. Some attackers may even deceive a victim into revealing his bank account information to make a payment. In other words, the goal of this vishing scam is to infect the victim’s computer with malware or to steal sensitive financial details from the victim.

How to prevent Vishing ?

Vishing is very difficult for legal authorities to monitor or trace. But, we can always take a couple of steps to protect ourselves up to a significant extent.

  • Never ever provide your financial details over the phone. A bank will never ask for your account number, credit card number, password or PIN over the phone.
  • If someone is asking for any OTP or One Time Password over phone, be sure it is a scam. OTPs are meant for users only and no legitimate authority will ever ask for any OTP from any user.
  • Do not reveal any personal details or personally identifiable information over phone. If you have any doubts, you can politely inform the caller that you are going to call back and then call the authentic number of the website/provider/institution to verify about the call. It is always better to be safe than sorry.
  • If you get a call informing you that one of your web accounts has a problem, please do not reveal any information immediately. You can always log in to your account by visiting the legitimate website and verify whether there is any such notification, or you can call the legitimate customer care number and clarify.
  • Get your number registered on the National Do Not Call Registry to block automated calls. It may not stop vishing, but you would get far fewer automated calls than you are used to.
  • Do not trust the caller ID of a phone call. As said above, attackers can very easily spoof that.
  • If you think you have fallen victim to vishing and your financial information is compromised, immediately call the bank and report the incident. Verify whether there is any unauthorized transaction. Also, immediately change your IPIN, password, ATM PIN or other credentials that may have been compromised.
  • It is always good to report vishing incidents to appropriate legal authority. It often helps a lot in catching the actual criminals.

So, to summarize, never ever reveal any financial information or any personally identifiable information over phone. It is always good to verify the authenticity of a call before responding. Be informed about various security threats and stay safe and stay secure.

Thursday, April 6, 2017

What is Rooting of Android devices ?

We often hear the term “rooting” of Android devices. Some people root their Android devices, and we often hear that malware roots a device and steals sensitive data. What is rooting actually ? Should we root an Android device ? Why do people root a device ? And, what are the security concerns of rooting a device ? Let’s understand that in more detail.

What is Rooting of an Android device ?

Android uses the Linux kernel. And, all Unix based operating systems have the concept of a “root” user, which has administrative privileges. By default, an Android user does not have administrative privileges on his Android device. Rooting is a technique which gives a user administrative privileges on his device.

Why do users root an Android device ?

There are several purposes for which rooting is usually done.

  • Users often root an Android device with the purpose of overcoming limitations imposed by carriers or hardware manufacturers.
  • By default a user does not have administrative privileges on his Android device and so he cannot alter system applications and settings. Rooting gives the user administrative privileges, which enables the user to alter or replace these system applications and settings.
  • Rooting enables a user to run specialized applications that require administrative privileges on the device.
  • Users can even completely remove or replace the operating system of the device after rooting.
  • Rooting enables a user to remove pre-installed applications.
  • Rooting gives the user lower-level access to the hardware of the device. For example, it enables the user to control status lights or recalibrate touch screens.
  • Users often root an Android device to get better control of the Android device. For example, the user can change themes, icons or boot animations that appear while the device is booting. He can even overclock or underclock the CPU and the GPU or automate system level processes through third-party applications.
  • After rooting, users can even install custom firmware or custom ROM to get better control on the rooted device.

How do Android applications work actually & how does rooting make a device less secure ?

Android applications are written in Java. The application code, along with other required data and resource files, is kept in an APK or Android Package that a user uses to install the application on his device.

By default, an Android device may contain several sensitive data about the user like location, contacts, messages etc. So, Android needs to make sure an unauthorized application cannot access all the sensitive data unnecessarily or for malicious purpose. To ensure that, Android takes a couple of steps.

Android is a multiuser operating system. Each application on an Android device runs as a different user. When an application is installed on a device, it is given a unique user ID along with its own set of permissions. Moreover, each process has its own VM and an application runs in isolation from other applications. In other words, every application runs its own process in its own VM as a separate user, so that it cannot access data of other applications unnecessarily. However, two applications can communicate with each other using IPC to share data between them.

By default, an Android device can have three types of users :

  • Primary User – It is the first user added to the device. This user has more privileges than other users and can manage the settings. This user cannot be removed except by factory resets and is always running even when other users are in the foreground.
  • Secondary User – These are the other users added to the device. They can be removed easily by themselves or by the primary user and cannot impact other users on the device.
  • Guest User – An Android device can also have a guest user. It is basically a temporary user, and the user along with its data is deleted immediately after its work is over. There can be only one guest user at a time.

So, how does rooting impact the security of an Android device ? Malware often uses social engineering to deceive a user into running malicious programs. When an unsuspecting user is tricked into running such a program, it gets the same privileges that the user has. If the user is an administrative user, the malware will easily get administrative privileges on the device. And, if the user is a normal non-administrative user, the malware will only get non-administrative privileges, unless it uses some other vulnerability in the system to escalate its privileges.

So, in other words, for a normal Android user, even if the device is infected by malware, the malware has limited capabilities. But, if the device is rooted and the user has administrative privileges, the malware can easily exploit that to gain system level access on the device and cause more harm. It can easily steal all the sensitive data from the device or cause monetary losses.

Moreover, rooting a device voids the warranty of an Android device. Google does not officially support a rooted device. Some Android applications even refuse to run on a rooted device. Applications often call an API called SafetyNet for that purpose. They perform this check before running on a device and refuse to run if the device is rooted. Android Pay is one such application, and there are quite a number of others. Moreover, rooting can even brick a device if not done properly.

How to secure a rooted Android device ?

One should not root an Android device. And, if a user must, it is extremely important for the user to make sure the device remains secure.

  • If you rooted an Android device and now have changed your mind, you still can unroot a device. There are quite a number of tools available for that purpose.
  • On a rooted Android device, please make sure applications are installed only from official App Store. It is always good to review the permissions requested and the reputation of the developer before installing the application. If the application is unsafe, the damages will be much more for a rooted device.
  • Use your common sense while accessing the Internet using the device. Do not click on unsafe links, do not open attachments of emails sent by unknown sender and it is better not to browse unsafe websites.
  • Please make sure you configure proper Android Firewall. It is always advisable to prevent applications from accessing the network unnecessarily. This can prevent malware from installing on the device, as well as can prevent malware from exfiltrating sensitive data.
  • Use anti-malware programs from trusted sources and make sure you update them regularly.
  • Keep the device updated with recent patches of Android and other applications. The more up to date a device is, the fewer known vulnerabilities it has.
  • Please make sure you backup your device often. This can help a lot in case the device is infected by malware like ransomware as well as when something goes wrong with the device.
  • Please be careful while accessing public WiFi. Please do not transfer any sensitive data while accessing a public WiFi and give no sensitive credentials and other information.
  • Please do not save any password of any online services or sites on the device.
  • Use Android in-built security like PINs, passwords, patterns or biometric locks. Please make sure you lock a device when it is not used.
  • There are some applications which hold lots of sensitive data. You can lock those applications separately as a second layer of security to prevent anyone from accessing the data even if he manages to unlock the device. There are quite a number of applications available for that purpose.
  • You can enable remote wipe on your Android device. This will prevent thieves from accessing the sensitive data even if they manage to steal the device.