Menu
homeInternet

Phishing programs. Phishing (fraudulent) programs steal your passwords. Social engineering factor

Phishing, or fraud aimed at stealing data by copying external images of popular resources, is just coming to the mobile world. In this article, we will analyze the anatomy of such attacks and find out exactly how hackers successfully encroach on the money of Android phone users.

Phishing statistics on mobile platforms.

Smartphones and tablets have burst into our lives so quickly that the behavior of characters from films five years ago already seems anachronistic. Naturally, along with useful and not so useful habits, the user also acquired new Internet enemies.

According to statistics, 85% of all mobile devices have one version of Android installed, and it is not surprising that most attacks and malware are aimed specifically at our favorite operating system. Of course, the situation is not as bad as with Windows ten years ago, but the trend is scary.

Last January, we looked at how easy it is to create a cryptolocker for Android - a program that encrypts user data. And a little later, in April 2016, Kaspersky Lab confirmed our fears: the company announced the appearance of the Fusob locker Trojan, which attacked smartphones of users from more than a hundred countries.

The variety of phishing

Mimicking malware as something useful is a fairly old trend. About ten to fifteen years ago there was a boom in the popularity of sites that were very similar to the official portals of banks or payment systems. Such phishing resources tried to steal user accounts, or even better, credit card information.

But that wave of thefts bypassed the CIS countries. We simply had nothing to take from us: Pavel Durov had not written anything yet, and plastic cards were not popular. Now, for scammers, the situation has become truly “tasty”: online shopping, mobile banking, all kinds of social networks - a lot is now available through a mobile phone connected to the Internet.

There have been no stories about phishing epidemics yet, but there are already unpleasant warning signs. Surfing the Internet from mobile devices has become much less safe: first, webmasters adapted advertising for mobile content, and then unscrupulous people caught up. Quite recently, at the beginning of December 2016, a window popped up on one popular sports resource with a proposal to “update outdated WhatsApp” - naturally, the messenger developers have nothing to do with such advertising.

Rice. 2. Viral affiliate program on a large resource

Such messages are generated on the server side and look quite clumsy. But once inside the device, an attacker can perform a more elegant and effective attack. Let's figure out how difficult it is to replace a working application with its malicious “analog” in Android.

There is still nothing more universal in the world than money, so it’s worth trying to gain access to the user’s wallet. How money is debited by sending SMS to short numbers, we have already said, today we will get to a bank card.

Almost Google Market

For phishing, you don’t need to implement the exact functionality of Google Market - it’s easier to write an application that expands its capabilities without changing the source code. Interested to know how hackers do this? Then let's go!

Choice

It would be wrong to try to fake an application that the owner of the device does not use at all. As with a normal intrusion, the fraudster must first assess the environment he has entered. The diversity of vendors producing mobile devices has led to big changes in the OS itself. And although, according to marketers, they all run on the same Android platform, the set of running applications can be completely different. Android has a built-in API for obtaining a list of running processes - this is the ACTIVITY_SERVICE system service.

ActivityManager am = (ActivityManager ) getSystemService ( Context . ACTIVITY_SERVICE ) ;

List< ActivityManager .RunningAppProcessInfo >runningAppProcessInfo = am .getRunningAppProcesses () ;

For security reasons, every year Google increasingly limits the ability of applications to interact with each other. This is not explicitly stated in the documentation, but for Android versions 4.0 and later, such a call will return a list from only one application - your own. All is not lost - Android is based on the Linux kernel, which means we have a console. You can get to it manually using the adb utility included in Android Studio.

The result of the work is expectedly similar to the output produced by the Linux command of the same name - a table with many values ​​separated by tabs.

media_rw1730 1176 7668 1876 1 20 0 0 0 fg inotify_re b75c3c46 S/system/bin/sdcard (u: 0, s: 3)

u0 _ a151798 1202 1298044 30520 0 20 0 0 0 fg SyS_epoll_ b72f9d35 S com .google .android .googlequicksearchbox : interactor (u : 3 , s : 1 )

u0 _ a351811 1202 1272580 37692 1 20 0 0 0 fg SyS_epoll_ b72f9d35 S com .android .inputmethod .latin (u : 9 , s : 1 )

u0 _ a81871 1202 1428180 77468 0 20 0 0 0 fg SyS_epoll_ b72f9d35 S com .google .android .gms .persistent (u: 168, s: 163)

Actually, this output contains information sufficient for phishing: the name of the process, its identifier, execution priority, and so on. You can launch the utility not only manually, but also from the application - to access the shell, the standard API has the Shell class.

List< String >stdout = Shell .SH .run ("toolbox ps -p -P -x -c" ) ;

Linux users often have to write one-line scripts, so parsing such output is not a problem for them. But OOP developers are more delicate and probably won’t want to do this.

There is already a project on GitHub that implements the necessary functionality. It was created by a certain Jared Rummler, for which we will thank him. Processing the result of toolbox execution is created in the form of a library that can be connected directly through Gradle.

All information about running processes is wrapped in an object of the AndroidAppProcess class. If you look at the source code of the library, there is nothing superfluous there - only parsing console output. Information about a specific application will have to be pulled out by direct search.

for (AndroidAppProcess pr : processes ) (

if (pr .getPackageName() .equals(ps_name) ) (

//do smth

Please note: starting with Android 7.0, Google introduced restrictions on access to information about the processes of other applications. Now it cannot be obtained even using the ps command and directly reading the /proc file system. However, most users will not switch to Android 7+ very soon - if at all.

Active applications

Successful phishing operations, as a rule, are well prepared - the scammers know how to choose the moment so that the user does not have even the slightest suspicion of fraud. Therefore, the phone should not simply ask you to enter your bank card details - this will be very suspicious. Phishing messages appear under some pretext, for example, paid pseudo-updates for 1C or fictitious banking resources at addresses similar in spelling to legal ones.

Multitasking Android can play into your hands here - a dozen applications can work simultaneously in the OS, replacing each other. An inexperienced user may not even understand (or even think about) which application he is currently working in. The output of ps provides information about which applications are currently actively interacting with the user - that is, visible to him.

u0_a65. . . bg SyS_epoll_ b7366d35 S com .localhost .app .noizybanner (u: 248, s: 84)

u0_a64. . . fg SyS_epoll_ b7366d35 S com .localhost .app .fragments (u: 7, s: 11)

This parameter is located in the 11th column - the value here can be bg (background, hidden) or fg (foreground, visible). The OS independently monitors such application states, so the developer's task is to call ps only from time to time.
Based on the library, a simple method is obtained that determines the state of the desired application.

private Boolean isProccessForeground(String ps_name)

List< AndroidAppProcess >processes = AndroidProcesses.getRunningForegroundApps(getApplicationContext());

. . .

We have the opportunity to immediately select only visible processes using the method of the same name. But it does not always work correctly and even displays applications that are currently invisible to the user. In this situation, you need to check the value of the foreground method, which will be true if any Activity is visible to the user.

for (AndroidAppProcess pr : processes )

if (pr .getPackageName () .equals (ps_name ) && (pr .foreground == true ) ) (

Log .e ( "ps " , " " + pr . getPackageName () + " foreground " + pr . foreground ) ;

return true ;

. . .

Now it is possible to find an opportune moment for an attack - calling this method will show whether the user is currently working in a specific application. As soon as the method returns true, you can launch any Activity, which will be immediately shown to the user. This is the essence of the attack - to show the user a phishing window under the guise of a notification from a trusted application.

// Check if Google Market is open

if (isProccessForeground("com.android.vending") ) (

Intent i = new Intent();

i.setClass(getApplicationContext(), FakeGUI.class);

startActivity(i);

In general, a phishing attack has already been built. To operate it, you need to set up periodic monitoring of the victim application, and also draw a GUI window for entering bank card data.

Services

Monitoring the state of the application is not difficult; you only need to restart the isProccessForeground method at certain intervals - this can be implemented in the Activity or Service component. But it won’t be possible to keep the same Activity instance running for a long time; sooner or later it will be unloaded by the system. In addition, it is too noticeable for the user.

In Android, as in “large” operating systems, there are services - components that allow you to perform some routine work invisibly for the user. Usually this is downloading data or receiving updates, but it will also work for phishing.

Services can be different: the so-called foreground service will always work in the system and will only stop when the phone is turned off. We have already discussed the operation of services in detail before, so today I will be brief. Foreground service is inherited from the Service class and must have an icon that will be present in the device notification panel.

NotificationCompat .Builder mBuilder = new NotificationCompat .Builder (this )

SetSmallIcon(R.mipmap.ic_launcher)

We must not forget that this is first and foremost our personal responsibility.

10. Phishing from the 90s

It may seem that faxes are something outdated and forgotten in the deep 90s. But, not surprisingly, fax letters are a very popular tool for phishing. Last year there were several large phishing attacks organized in this way: scammers send an email in which, on behalf of some government agency, they ask to fax updated data, say, a completed tax return, and transfer some personal information. Many companies still have fax machines in their offices, although they almost never use them. This type of attack is unusual and even exotic in our time, so the unsuspecting recipient of the letter will not even doubt that this is a trick. Company letterhead – yes, seal and signature – yes.

When transmitting data via a fax number that no one will ever answer, on the fraudster’s side the document is scanned and forwarded in electronic form to his email. Therefore, it is extremely difficult to stop this type of deception. You can only rely on your own attentiveness.

9. .NET Keylogger

This attack is based on sending supposedly official emails from banks or other large organizations with an attached archive that contains a .NET Keylogger application. This is a simple software that records various user actions - keystrokes on the computer keyboard or mouse keys. Very convenient for stealing account data. You just tap the keys, and the program records your actions and sends them to attackers. Therefore, we remind you once again - be sure to use the most modern anti-virus software and do not forget to update it in order to prevent attackers from getting all your passwords.

8. Messages from the lawyer/lawyer

The scheme here is very simple, and there are probably no people who would not receive such letters. Let's consider a real case. A letter arrives from a respected gentleman named Eric, who represents the interests of “your” deceased relative from a very distant country, for example, from the Togolese Republic (a state in West Africa, located between Ghana and Benin). It’s scary to imagine how your relatives ended up there, but anything can happen. To confirm the legality of his information, this Mr. Eric even sends photographs of himself and his family, as well as scans of documents proving his identity and an account opened in the name of the heir.

In return, he asks to send your data, both passport and bank. All correspondence is accompanied by phrases that there is very little time left (I wonder where he is in such a hurry, his relative has already died). From the very beginning, you can already understand that this is an ordinary scammer, because, unfortunately, miracles do not exist, and free cheese is only in a mousetrap, which is what this letter is.

You can find a lot of similar stories on the Internet on specialized sites.

Enjoy reading. Be careful.

7. Ransomware

Such programs, as in the case of .NET Keylogger, are attached to phishing emails and are sent by email. The user personally installs this application under completely different pretexts invented by scammers. Ransomware locks your computer in such a way that you can only unlock it by purchasing a special key (not really), or it will erase all data on your hard drive. Since Bitcoins became especially popular among Internet users in 2014, the attackers also asked to make payments in this particular currency. After analyzing the ransomware's electronic wallets, it was discovered that they were able to collect more than $130 million from victims.

Most modern antiviruses will help cope with this disease.

6. Malicious PDFs

This attack allows the attacker to feel his complete power over the victim. Typically, malicious PDF files are sent via email and are presented as very important documents that you absolutely must read. An open PDF file injects malicious code that exploits vulnerabilities in the viewer program. To complicate the analysis, scammers use Zlib, a free cross-platform library, to compress data into multiple layers and hard-to-track variable names. The purpose of the attack can be either to seize control of the system (increasing privileges) or to disrupt its functioning (DoS attack).

5. VAT refund

Often, when returning from abroad, travelers take the opportunity to get back the money that was spent on paying taxes when purchasing a particular product (vat refund). This can be done immediately at the airport, in special organizations or banks. But few people want to spend their precious time on this. And here scammers come to the rescue and are ready to happily help you return your taxes without leaving your home. Tempting, isn't it? All you need is to indicate your personal data (passport numbers, TIN, addresses, etc.) in the response letter. As you might guess, no one will return your money, as well as the confidentiality of your data.

4. Political screensaver

These primitive, but very popular due to the political climate, phishing emails came in handy in the second half of last year. Everything is classic - a nested archive with infected files hiding under the guise of a “Glory to Ukraine” screensaver. Malware is clear, but what is phishing? In fact, this is simply a notification of the receipt of a fax, which can be viewed by clicking on the link, and, therefore, losing the confidentiality of personal data. A good price for curiosity.

3. Zeus and education

Around the end of October last year, users began receiving phishing emails from the hacked “edu” domain. Such letters contained the ZeuS Trojan in the archive with information about payments made, which in fact did not exist at all. The scammers thought that the “edu” domain, created specifically for educational institutions, simply would not seem suspicious to victims, because it was considered the most secure and prestigious. Their expectations were met. This method of spreading malware and stealing data has proven to be very effective.

2. Dropbox

The growing popularity of cloud services such as Dropbox has prompted scammers to create a new method of delivering virus software to our computers. Fraudsters send emails with an invoice from Dropbox. The link to the service is absolutely clean, only it leads to a zip file containing an SCR (infected script) type file, and not to accounts. Dropbox quickly responded and created protection for users, but hackers found a way to bypass the spam filter developed by the company. The use of Dropbox is so widespread that no one would even think of blocking this service as potentially dangerous, so it is extremely difficult to stop this type of spread of viruses and Trojans.

1. He-Who-Must-Not-Be-Named or Dyre Malware

The most popular phishing emails of 2014 seemed quite harmless at first glance. Such letters came with links to third-party file storage facilities. The content was simple - a link to the account. Only by downloading it to his computer, the user launched the Dyre program into the system, a remote access Trojan that was aimed at obtaining banking information and personal data of the user. Dyre's spread was so widespread that the Internet Security Response Team had to work diligently to get rid of the virus and help users avoid falling for it.

Bonus

Fraudsters are finding more and more sophisticated ways to use phishing. This case was not included in the Top 10 of 2014, but it was striking in its simplicity and treachery. The goal of the attack was to gain control of the email account.

0. Letters from a popular community with a personal message

All the stories in the article are real, and this one happened directly to one of our colleagues. Here's what she said:

“You receive an email notification from a well-known website about a new message. Personally, I received such a letter from a site masquerading as Habrahabr. It says that such and such a community user left me a message, which can be read by following the link. Absolutely standard procedure. When you click on the link, a window similar to those that appear when logging into a site through social networks appears, and you are asked to allow access to your email inbox. Since everything looks standard, the hand itself reaches for the word “Allow”. But you need to restrain your impulses - losing your email box in our time is a real tragedy. Immediately after this incident, I changed my password just in case.”

Remember that email protection requires some precautions. Be careful and vigilant! Use

Phishing (fraudulent) programs steal your passwords
01:37
Phishing (fraudulent) programs steal your passwords
07:37
Lately, there has been an increase in cases of passwords being stolen from system users. This is due to the spread of false programs: “uCoz - Administrator”, “Ucoz Agent”, perhaps some other similar ones. The appearance of their interfaces can be seen in the pictures in this message.
As you can easily see, the windows of these “programs” ask you to enter a password, a secret answer. I am forced to remind you once again that you should not enter such data anywhere. Today there are no programs, utilities, addons, etc. that we have released, or real products from third-party developers. And even when they do, they will certainly not ask for all of your possible passwords, and they will most definitely never ask for your secret answer.
Before installing, let alone entering any password data in a particular program, you need to make sure of its sources. As a precaution, you should find information about the product on the company’s official website, and, of course, such a site will not be located on third-party domains, such as http://uagent.nm.ru/, http://nucoz.tk/, etc. P. The file must also be downloaded from the official website, and not from file exchangers or third-party servers.
This logic, of course, applies not only to programs related to yukoz, but also to any others. Most often, this is how passwords for accessing email services, online games, and payment systems are stolen.
We, in turn, are fighting against such phenomena, but only you can really protect yourself. I also recommend reading the material about phishing, if you have not done so before, and other materials on security issues.
If your password has been stolen, you should contact our complaint handling service.
Select the topic “Password theft” in the feedback form. Before you write, you should calm down internally. Remind yourself that it was you who lost your password in one way or another, and neither the system nor the person who will read it is to blame for this, which means you need to discard unnecessary emotions. Be patient, the proceedings will take some time, and essentially state your problem. Don’t forget to indicate which account you are talking about, and any evidence that comes to your mind that you are the owner of the account. Most likely, you will be asked a number of questions that will need to be answered.

Phishing is a very common threat. An email with a link to a malicious site or malicious attachment will not surprise anyone, and the development of ransomware has only added fuel to the fire.

Technical anti-phishing measures, such as filtering and analyzing email/web traffic, limiting the software environment, prohibiting the launch of attachments, are very effective, but they cannot counter new threats and, more importantly, cannot counter the human stupidity of curiosity and laziness. There have been cases when a user, being unable to open/run malicious content at his workplace, sent it to his home computer and launched it, with all the consequences...

Therefore, no matter how thorough a technical protection system we build, we should not forget about the main link in the entire chain - the user, and his training.

Periodic briefings and newsletters are an important component of staff training, but, as practice shows, their effectiveness is much lower than training employees from their own mistakes.

What the system will do:

  1. Send phishing emails to users;
  2. When clicking on the link in the body of the letter, notify the user about his error - direct him to a website with a training page;
  3. Keep statistics on inattentive users.

Mailing of letters

The user's greeting name is taken from their mailbox name. The letter is purposefully made in such a way that the user has the opportunity to consider it suspicious. After several training sessions, the complexity of the letters can be increased.

A link leading to a phishing site like http://phishingsite-327.com/p/ [email protected] varies depending on the username. In this way, we transmit user information to the site and can conduct reporting.

Creating a tutorial page

Our task is not to accuse the user of violating, but to explain to him what the threat of phishing attacks is, show him where he made mistakes and give simple guidance for action in the future. Therefore, the information page contains a detailed analysis of its actions:


The training page is hosted on the organization's Web server and includes PHP code for maintaining statistics.


On the organization's local DNS servers, we set up a CNAME record for our web server so that the link looks more like a malicious one, for example: http://phishingsite-327.com/

If we want to control the fact that a malicious link is opened from non-workplaces (for example, when an employee forwards a letter to his personal email), then we will have to use a real address on the Internet. Or monitor the fact that a letter is sent to an external address through available security and administration tools.

Over time, we analyze the report with the list of users who followed the phishing link. In our case, the PHP script saves information about the time, email address and IP address of the node from which the site was accessed into a csv file.

The report helps assess the level of staff training and identify weak links. And when conducting periodic checks (monthly/quarterly), you can:

  1. Construct a staff preparedness curve for phishing attacks and use it as one of the quantitative indicators of infrastructure security;
  2. Identify users who regularly make the same mistakes in order to apply other educational measures to them.

Implementation experience

  • IT personnel training
    Before sending out the mailing, IT personnel should be warned and explained how to respond to user requests about a strange letter. But before that, you should test them yourself. In case of inattention of IT personnel, you should not limit yourself to recommendations, since in the future such negligence can be extremely disastrous for the infrastructure.
  • Preparation of the manual
    The organization's management should be notified about the planned testing. Or even formalize the testing as an internal act. The user, depending on his position and personal qualities, upon realizing that he has violated information security requirements, that he “was misled,” can react very unpredictably. Arguments in favor of the information security service in the form of documents and management support will not be superfluous.
  • Target selection
    When sent mass mail to all employees, word of mouth will significantly spoil the objectivity of the final assessment. It is better to carry out testing in parts, not forgetting to change the text of the letter.
For the first time, the results of the training can be quite surprising and even upsetting, because they provide more objective information about the preparedness of the personnel than the signatures in the briefing logs.
The effectiveness of such a measure is very high and conducting training on a regular basis can significantly increase the preparedness and vigilance of personnel.

Alexey Komarov

The threats that emerged with the advent of phishing required the implementation of adequate protection measures. This article will discuss both already widespread methods of countering phishing and new effective methods. This division is very arbitrary: we will classify as traditional methods well-known (including to the attackers themselves) methods of countering phishing and analyze their effectiveness in the first part of this article. According to the APWG report, 47,324 phishing sites were identified during the first half of 2008. The same report also shows the average losses of users and companies as a result of a phishing site - they amount to at least $300 per hour. Simple multiplications allow us to conclude that this type of black business is highly profitable.

Modern phishing

The word "phishing" is derived from the English words password - password and ёshing - fishing, fishing. The purpose of this type of Internet fraud is to deceive the user into a fake site in order to subsequently steal his personal information or, for example, infect the computer of the user redirected to the fake site with a Trojan. An infected computer can be actively used in botnet networks to send spam, organize DDOS attacks, and also to collect user data and send it to an attacker. The range of applications of information “extracted” from the user is quite wide.

Phishing mechanisms

The main vector of a phishing attack is aimed at the weakest link of any modern security system - the person. The bank client does not always know exactly which address is correct: mybank.account. com or account.mybank. com? Attackers can also exploit the fact that in some fonts, lowercase i and uppercase L look the same (I = l). Such methods allow you to deceive a person using a link in an email that looks like a real one, and even hovering the mouse over such a link (in order to see the real address) does not help. Attackers also have other means in their arsenal: from banal substitution of a real address in the local IP address database with a fake one (in Windows XP, for example, for this you just need to edit the hosts file) to pharming. Another type of fraud is replacing a Web page locally, “on the fly.” A special Trojan that has infected a user’s computer can add additional fields to the site displayed by the browser that are not on the original page. For example, a credit card number. Of course, to successfully carry out such an attack, you need to know the bank or payment system used by the victim. This is why thematic databases of email addresses are very popular and are a liquid commodity on the black market. Unwilling to incur additional costs, phishers simply direct their attacks to the most popular services - auctions, payment systems, large banks - in the hope that the random recipient of the spam email has an account there. Unfortunately, the hopes of attackers are often justified.

Traditional methods of countering phishing attacks

Unique website design The essence of this method is this: a client, for example, of a bank, when concluding an agreement, selects one of the proposed images. In the future, when entering the bank’s website, this image will be shown to him. If the user does not see it or sees something else, he must leave the fake site and immediately report it to the security service. It is assumed that attackers who were not present when the contract was signed will a priori not be able to guess the correct image and deceive the client. However, in practice this method does not stand up to criticism. Firstly, in order to show the user his picture, he must first be identified, for example, by the login that he entered on the first page of the bank’s website. It is not difficult for an attacker to prepare a fake website to find out this information, and for the user to emulate a communication error. Now all you have to do is go to the real server, enter the stolen login and peek at the correct image.

Another option is to give the client a fake warning about the expiration of their image and ask them to choose a new one...

One-time passwords

Classic passwords are reusable: the user enters the same password every time they go through the authentication procedure, sometimes without changing it for years. Once intercepted by an attacker, this password can be used repeatedly without the owner's knowledge.

Unlike the classic one, a one-time password is used only once, that is, with each request for access, the user enters a new password. For this purpose, in particular, special plastic cards with a protective layer are used. Each time the bank client erases another strip and enters the required one-time password. In total, about 100 passwords can be placed on a standard size card, which, with intensive use of telebanking services, requires regular replacement of the medium. More convenient, but also expensive, are special devices - one-time password generators. Basically, two types of generation are distinguished: by time, when the current one-time password is displayed on the screen and changes periodically (for example, once every two minutes); by event, when a new value is generated each time the user presses a device button.

While more secure than classic password authentication, this method nevertheless leaves the attacker certain chances of success. For example, authentication using one-time passwords is not secure against man-in-the-middle attacks. Its essence is to “intervene” in the information exchange between the user and the server, when the attacker “introduces himself” to the user as the server, and vice versa. All information from the user is transferred to the server, including the one-time password he entered, but on behalf of the attacker. The server, having received the correct password, allows access to sensitive information. Without arousing suspicion, an attacker can allow the user to work, for example, with his account, sending him all the information from the server and back, but when the user ends his work session, do not break the connection with the server, but carry out the necessary transactions supposedly on behalf of the user.

To avoid wasting time waiting for a user session to end, an attacker can simply fake a communication error and prevent a legitimate user from accessing their account. Depending on the generation method used, the intercepted one-time password will be valid either for a short time or only for the first communication session, but in any case, this gives the attacker the opportunity to successfully steal the user's data or money.

In practice, authentication using one-time passwords itself is rarely used; to increase security, establishing a secure connection before authentication is used, for example, using the SSL protocol.

One-way authentication

Using the SSL (Secure Sockets Layer) secure connection protocol ensures secure data exchange between the Web server and users. Despite the fact that the protocol allows you to authenticate not only the server, but also the user, in practice only one-way authentication is most often used. To establish an SSL connection, the server must have a digital certificate used for authentication. A certificate is usually issued and certified by a trusted third party, which is a certification authority (CA) or certification authority (in Western terminology). The role of the CA is to confirm the authenticity of Web sites of various companies, allowing users, by “trusting” one single certification authority, to automatically be able to verify the authenticity of those sites whose owners accessed the same CA.

The list of trusted certification authorities is usually stored in the operating system registry or browser settings. It is these lists that are subject to attack by an attacker. Indeed, by issuing a certificate from a fake certification authority to a phishing site and adding this CA to the trusted ones, you can successfully carry out an attack without arousing any suspicion from the user.

Of course, this method will require more actions from the phisher and, accordingly, costs, but users, unfortunately, often help steal their data themselves, not wanting to understand the intricacies and features of using digital certificates. Due to habit or incompetence, we often click the “Yes” button without paying much attention to the browser messages about the lack of trust in the organization that issued the certificate.

By the way, some SSL traffic control tools use a very similar method. The fact is that recently cases have become more frequent when sites infected with Trojan programs and the Trojans themselves use the SSL protocol in order to bypass gateway traffic filtering systems - after all, neither the anti-virus engine nor the data leakage protection system can check encrypted information condition. Wedging in the exchange between the Web server and the user's computer allows such solutions to replace the Web server's certificate with one issued, for example, by a corporate CA and, without visible changes in the user's experience, scan the user's traffic when using the SSL protocol.

URL filtering

In a corporate environment, site filtering is used to limit misuse of the Internet by employees and as protection against phishing attacks. In many anti-virus protection tools, this method of combating fake sites is generally the only one.