Tuesday, 31 March 2009

Searching for phishing - the quick win

My quick win for confirming that a person visited a phishing site is to check the Internet history of the browser(s) on the imaged workstation. I use an EnCase condition to search the URL names for the host names of known phishing sites. We have a comprehensive list going back to the start of Feb 2005.

Start by searching for the Internet history and the email on the workstation: Internet history first, then the email.

The condition code looks like this (all from a default condition):
f() Main
  if Url Name find []
  or Url Name find []

When you run this condition, it will prompt you for the sites. If you have a large list like ours, you may need to do this in batches. If this yields results, look for the email that the person received: having the email plus proof that the site was visited is what you need. To really seal the deal, make sure that you know the structure of the phishing site. A visitor only reaches the second page of the site, or posts to a URL on it, if they entered their details...

If you don't get a hit in the Internet history, it is time to pull out the full keyword search and come back in the morning.
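The same triage in Python, as an added example and not the author's EnCase condition: it runs a constructed browser-history export against a list of known phishing hosts in batches, then maps each hit onto the phishing kit's page structure so that a visit to the capture page can be told apart from a visit to the landing page. The hostnames, history records and kit layout are all hypothetical. One caveat the example builds in, which is mine rather than the post's: it matches on the parsed host rather than on a substring of the URL, so a search-engine query or redirect that merely mentions the phishing domain is not counted as a visit.

```python
"""Triage browser history against known phishing hosts (added example).

All hosts, history records and the phishing kit layout below are constructed
for illustration; they are not from any real case.
"""
from itertools import islice
from urllib.parse import urlparse

# Constructed list of known phishing hostnames (hypothetical).
PHISHING_HOSTS = {
    "secure-login.examplebank-verify.test",
    "examplebank.account-update.test",
}

# Constructed page structure of one phishing kit (hypothetical).
# The landing page collects the login; the capture page is only reached
# after the victim submits details, so a hit there is the stronger evidence.
SITE_STRUCTURE = {
    "secure-login.examplebank-verify.test": {
        "landing": {"/", "/index.php", "/login.php"},
        "capture": {"/verify.php", "/confirm.php"},
    },
}

# Constructed history export (hypothetical): (visit time, URL, page title).
HISTORY = [
    ("2009-03-30 08:12:04", "http://www.examplebank.test/home", "Example Bank"),
    # A search whose query string contains the phishing host: a substring
    # search would flag this, a host match does not.
    ("2009-03-30 09:40:51", "http://www.search.test/search?q=secure-login.examplebank-verify.test", "Search"),
    ("2009-03-30 09:41:17", "http://secure-login.examplebank-verify.test/login.php?id=123", "Example Bank - Login"),
    ("2009-03-30 09:43:02", "http://secure-login.examplebank-verify.test/verify.php", "Example Bank - Verify"),
    ("2009-03-30 10:05:55", "http://news.example.test/story", "News"),
]


def host_of(url):
    """Lowercase hostname of a URL without the port, or '' if unparseable."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def batched(items, size):
    """Yield lists of at most `size` items (the host list run in batches)."""
    it = iter(items)
    while True:
        chunk = list(islice(it, size))
        if not chunk:
            return
        yield chunk


def match_history(history, phishing_hosts, batch_size=100):
    """Return history records whose parsed host is a known phishing host."""
    hits = []
    for batch in batched(sorted(phishing_hosts), batch_size):
        wanted = set(batch)
        hits.extend(rec for rec in history if host_of(rec[1]) in wanted)
    return sorted(hits)  # chronological: timestamp is the first field


def classify_visit(url, site_structure):
    """Map a visited URL onto the kit: 'landing', 'capture' or 'unknown'."""
    parsed = urlparse(url)
    pages = site_structure.get(parsed.hostname or "")
    if pages is None:
        return "unknown"
    path = parsed.path or "/"
    if path in pages["capture"]:
        return "capture"
    if path in pages["landing"]:
        return "landing"
    return "unknown"


def triage(history, phishing_hosts, site_structure):
    """Per phishing host: first visit, deepest page reached, and all visits."""
    rank = {"unknown": 0, "landing": 1, "capture": 2}
    result = {}
    for ts, url, _title in match_history(history, phishing_hosts):
        host = host_of(url)
        level = classify_visit(url, site_structure)
        entry = result.setdefault(host, {"first_seen": ts, "deepest": "unknown", "visits": []})
        entry["visits"].append((ts, url, level))
        if rank[level] > rank[entry["deepest"]]:
            entry["deepest"] = level
    return result


if __name__ == "__main__":
    for host, info in triage(HISTORY, PHISHING_HOSTS, SITE_STRUCTURE).items():
        print(f"{host}: first seen {info['first_seen']}, deepest page: {info['deepest']}")
        for ts, url, level in info["visits"]:
            print(f"  {ts}  {level:8s}  {url}")
```

A host that is on the list but whose kit layout has not been mapped comes back as "unknown", which is the cue to go and fetch the site structure before drawing conclusions from the visit.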

Get in touch if you want screenshots of the process...

Sunday, 15 March 2009

A mini digital forensic rant

I am a great admirer of Google, but even it doesn't know everything. I am tired of working late hours and on weekends trying to conduct a forensic analysis on a workstation, needing to find out how to extract information (yes, I am a noob) and not being able to find it on the interweb.

So going forward, I'll include the basic things that I find out. They will be mostly based on FTK and EnCase, as those are the tools that are available to me.

Thursday, 12 March 2009

Phishing and Trust in a Brand.

I have had the opportunity to meet some people that have fallen victim to phishing. The experience for me was sometimes uncomfortable, difficult and an interesting exercise in marketing.

Some people take the knock on the chin, learn from the experience, and are sad but hang on to the glimmer of hope of getting their loss back. Others are aggressive and demand that the Bank make it right. I use the analogy of a set of car keys. If you leave your car keys in your car, go into the shop, and come back to find your car stolen, do you demand that the vehicle manufacturer replace your car?

The problem, I believe, is that cars have been around for a long time, at least three to four generations, and the ins and outs of car ownership, not the oily ins and outs but the day to day ones, have become a part of life's lessons. Take the internet: it has only really been in mainstream existence for, let's say, at most 20 years. This means that our parents don't really comprehend it and our grandparents probably think that it is bordering on voodoo.

How ingrained have the internet and all its ins and outs become in our lives? Not a lot. Add in the great work that marketing does: they have built trust. Huge amounts of it, so much in fact that if a customer sees their Bank's logo, that is sufficient. It is all they need to trust the site, no matter how dubious the site looks.

This trust is perfect for criminals. It is very good for the Bank in terms of customer loyalty, but it is horrendous in terms of trying to teach people about the dangers of an online life. The problem that we face is that while we tell customers to scrutinise their banking tool, the marketers are launching new products and campaigns touting the safest and most secure product offering.

Whilst, yes, the banking tool is safe and secure (think about it: no one is going to offer a solution that is not secure, the risk is just too high), where does the tool fall down? The same place that cheques, credit cards and other scams do: people. The people we are offering the service to are the weak point.

Is phishing different from card fraud, or smaller scale Ocean's 11 type scams? Nope. The problem is that when you have a tool, you need to learn how to use it. For a car, that is the driver's license. Should we be making clients get an Internet license? I can hear the marketing people choke on their creative "enhancer".

The interesting thing is that the most difficult and aggressive of the interviewees, who nearly socked me, thought that it was a brilliant idea.