
1 www.cuispa.org
Fraudulent Site Take Down Guidance
Author: John Brozycki, CISSP, Hudson Valley FCU, CUISPA Member Advisor
LEGAL DISCLAIMER: This document is provided for informational purposes only. CUISPA and the author make no warranties or representations as to the accuracy or completeness of such information, and CUISPA and the author assume no liability or responsibility for errors or omissions in the content of this information. Your use of this information is AT YOUR OWN RISK and applies to all CUISPA legal notices and terms of use.

2 Overview
Responding to phishing attacks has become a routine task for many credit union IT departments. Rapidly taking down these fraudulent websites is a prudent and often necessary measure for preventing losses. This presentation outlines some of the processes, challenges, and techniques involved in getting a fraudulent website that impersonates your institution taken down.

3 Take-down Steps:
1) PREPARATION
2) DETERMINE THE SOURCE
3) RESEARCH THE DOMAIN
4) RECON / INTELLIGENCE
5) CONTACTING 3rd PARTIES
6) WORKING WITH LAW ENFORCEMENT

4 Prepare Environment
Prepare your environment in advance. Remember that the site may host malicious code.
Do not use a production machine that can’t afford to be compromised. Always use a test PC that can be “sacrificed.”
If possible, do not use your production network. A separate broadband connection is preferable.
Full Internet access (no proxy server or restricted ports) is advantageous.
Useful common Internet tools: ping, traceroute, nslookup, etc.

5 Helpful Tools
VMware Workstation or Player: Allows you to create a test environment without sacrificing a production PC. Disks can be “undoable” so you can get back to the original state without rebuilding from scratch.

6 Helpful Tools
SandboxIE: A freeware utility that allows you to launch an app, such as IE, in a controlled area, prohibiting writes to the hard drive and registry.

7 2) Determine the SOURCE
The phishing site may be accessible via FQDN (Fully Qualified Domain Name) and/or IP address. Try to determine the FQDN (if applicable), the IP address, and the path information.

8 2) Determine the SOURCE
If you have the phish email, view the underlying source to determine the true link URL.
Example (FQDN): http://www.hackedsite.com/mycreditunionexploited/
Example (IP address): http://192.168.0.1/mycreditunionexploited

9 3) Researching the DOMAIN
The domain is often contained in the FQDN. Example: http://www.hackedsite.com/mycreditunionexploited (domain is hackedsite.com)
Use a WHOIS utility to determine information on the domain. WHOIS gives us:
1) Domain owner and contact information (email and hopefully a phone number)
2) Who is authoritative for DNS. May be the owner, the ISP, or a DNS hosting service.
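The link-decomposition step from the two slides above, as an added example that is not part of the original presentation: it takes the true link pulled from the e-mail source, decides whether the host is an FQDN or a bare IP, and returns the piece to feed into WHOIS (the domain for an FQDN, the address itself for an IP) together with port and path. The sample links are constructed from the slide's placeholders; the registrable-domain rule (last two labels) is a simplifying assumption that misfires on country-code second-level domains such as .co.uk.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample links, modelled on the two forms shown in the slides
# (an FQDN-based link and an IP-only link). Not indicators from any real incident.
SAMPLE_LINKS = [
    "http://www.hackedsite.com/mycreditunionexploited/",
    "http://192.168.0.1/mycreditunionexploited",
    "http://10.32.15.1:8080/login/index.php?acct=1",
]

def analyse_link(url):
    """Split a phish link into the pieces the take-down research needs."""
    # Links pasted from an e-mail often lack a scheme; urlsplit needs one
    # to recognise the host part at all.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)          # bare IP: research the address (ARIN etc.)
        kind, domain = "ip", None
    except ValueError:                      # FQDN: research the registrable domain
        kind = "fqdn"
        labels = host.split(".")
        # Assumption: last two labels form the registrable domain. Good enough for
        # .com/.net/.org; a public-suffix list is needed for e.g. example.co.uk.
        domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return {
        "kind": kind,
        "host": host,
        "domain": domain,
        "whois_target": domain if kind == "fqdn" else host,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path or "/",
    }

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyse_link(link))
```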

10 3) Researching the DOMAIN
For US-based .com and common domains, start with www.netsol.com and click on the “whois” link.
For a more expansive search, try one of the following:
www.arin.net
www.allwhois.com (free service from MarkMonitor)
www.completewhois.com

11 3) Research the DOMAIN
ARIN: Start with the ARIN (American Registry for Internet Numbers, www.arin.net) WHOIS tool. Enter the IP address. If the IP is not domestic, ARIN will tell you where to look next, i.e.: RIPE, APNIC, etc.
If the IP only leads back to the site owner, use a traceroute to determine how packets get to the site. The IPs right before the site will be the ISP’s, and you can look them up.

12 3) Researching the DOMAIN
If given an IP address only:
1) Any website that may be viewable from the IP only should be viewed on a safe test machine (ex: http://192.168.0.1)
2) ping -a 192.168.0.1 (the -a option of the Windows ping command resolves the address to a hostname)

13 3) Research the DOMAIN
SAMPLE RESULTS FOR 10.32.15.1
BOB’S INTERNET, BOBI-IPNET (NET-10-32-15-0-1) 10.32.15.0 - 10.32.19.255
My Credit Union BOBI-MYCU-1 (NET-10-32-15-0-1) 10.32.15.0 - 10.32.15.255
# ARIN WHOIS database, last updated 2006-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
The above results tell us that “Bob’s Internet” owns the range of addresses from 10.32.15.0 through 10.32.19.255. A class “C” range (255 addresses from 10.32.15.0 through 10.32.15.255) is assigned to “My Credit Union”. In this case, you would try to contact My Credit Union, as they are responsible for the IP address. You can always contact the ISP if you can’t reach the party immediately responsible for the IP address.
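The reasoning on this slide, as an added example that is not part of the original presentation: parse ARIN-style range lines, keep the ones that contain the address, and order them from the most specific assignment (the party directly responsible) to the broadest allocation (the ISP to fall back to). The sample output is constructed from the slide's placeholder entries; sizes are counted inclusively, so the /24 assignment comes out as 256 addresses.

```python
import ipaddress
import re

# Constructed sample, following the ARIN-style output reproduced on the slide
# (not a real lookup). ARIN prints the broader allocation first, then the
# more specific assignment.
SAMPLE_WHOIS = """\
BOB'S INTERNET, BOBI-IPNET (NET-10-32-15-0-1) 10.32.15.0 - 10.32.19.255
My Credit Union BOBI-MYCU-1 (NET-10-32-15-0-1) 10.32.15.0 - 10.32.15.255
# ARIN WHOIS database, last updated 2006-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
"""

# "<org and net name> (<NET handle>) <start> - <end>"
RANGE_RE = re.compile(
    r"^(?P<org>.+?)\s+\((?P<handle>NET-[^)]+)\)\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)\s*-\s*(?P<end>\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_ranges(text):
    """Return (org, handle, start, end) for each network line; comments are skipped."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = RANGE_RE.match(line)
        if m:
            found.append((m["org"], m["handle"],
                          ipaddress.IPv4Address(m["start"]),
                          ipaddress.IPv4Address(m["end"])))
    return found

def contact_order(text, ip):
    """Orgs whose range contains ip, most specific (smallest range) first.
    Entry 0 is the party directly responsible for the address; later entries
    are the upstream providers to try if the first one cannot be reached."""
    addr = ipaddress.IPv4Address(ip)
    hits = [(int(end) - int(start) + 1, org, str(start), str(end))
            for org, _handle, start, end in parse_ranges(text)
            if start <= addr <= end]
    hits.sort()
    return [(org, f"{start} - {end}", size) for size, org, start, end in hits]

if __name__ == "__main__":
    for org, rng, size in contact_order(SAMPLE_WHOIS, "10.32.15.1"):
        print(f"{org:35} {rng:30} {size} addresses")
```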

14 We now know:
Who owns the domain
Contact info for the domain
The ISP (may not be hosting but is at least providing connectivity)
DNS provider
RESEARCH COMPLETE!

15 4) RECON AND INTELLIGENCE
Proceed with caution.
Gathering intelligence is optional. You may not need any additional information.
Further investigation calls upon some technical skills.
Be cautious of the legal aspects of further investigation.
Finger-printing tools can be deployed to determine OS, app, etc.
Port scanners can determine if other services are running.

16 4) RECON AND INTELLIGENCE
Example: Information from FTP service
telnet 192.168.0.1 21
220 FTP Server ready.
214-The following commands are recognized (* =>'s unimplemented).
USER PASS ACCT* CWD XCWD CDUP XCUP SMNT* QUIT REIN* PORT PASV TYPE STRU MODE RETR STOR STOU* APPE ALLO* REST RNFR RNTO ABOR DELE MDTM RMD XRMD MKD XMKD PWD XPWD SIZE LIST NLST SITE SYST STAT HELP NOOP
214 Direct comments to root@www..kr.

17 5) CONTACT PARTIES
Try contacting the website owner first.
Try contacting the ISP next.
If no luck and the site uses an external DNS service, then try contacting them next.
Have documentation available and provide it with your request.
Request the fake site code for further reference.

18 5) CONTACT PARTIES
Sample email to ISP

To whom it may concern,

URGENT REQUEST - Please read the following:

Today a number of our credit union members received a phishing e-mail soliciting their personal account information. The link referenced in the e-mail returns to a site which is presenting itself as our Hudson Valley Federal Credit Union Web site. As such it is violating copyright laws and misrepresenting itself for the purposes of illegally collecting account information for financial gain.

The compromised server is housing the spoof content at:
http://nefariouswebsite.com/mycreditunion/banking001
IP 192.168.0.1 = www..kr

Please take this site down or remove the fraudulent content and respond when these changes have been implemented. If any financial loss is incurred we will be required to actively seek redress through local and national law enforcement bodies.

I have attached a PDF capture of the spoofed site (rogue1.pdf). We would greatly appreciate it if you would email us an archive of the fake site directory.

Thank you for your prompt attention to this matter.

19 5) CONTACT PARTIES
Common difficulties:
Time differences with overseas ISPs.
Language barriers.
ISP policies on take-downs.

20 6) WORKING WITH LAW ENFORCEMENT
Law enforcement can make requests on your behalf or call on contacts abroad (i.e.: Interpol).
Provide law enforcement with intelligence information:
1) They track it
2) You may provide a missing piece of a larger puzzle
3) Losses across organizations can be aggregated

21 CUISPA Educational Programs
(512) 465-9711
3500 Oakmont Blvd. Su. 204, Austin, TX 78731
For comments on this presentation please send email to: Inquire@cuispa.org