Phishing, is not a new invasion method, but its harm is gradually expanding and has become one of the biggest harm of recent threat network security. Do you know phishing? What is the significant feature of it compared to the traditional intrusion? What are the typical phishing cases? How to prevent being pation?
The early spring of the South is always accompanied by rain, rare today is a sunny day, and Zhang Yi, a costume company, has a fishing activity in the suburbs of more than a dozen important employees. After the manager placed the fishing, the manager opened the laptop that portable and connected to the network. He wants to use this time to handle the most recent business. The secretary saw that he was inseparable from this time, and persuaded him: "Manager, today is a day of play, it is rare to relax, don't deal with the company's business today ... You are not afraid that the fishing rod is gone by the fish?" Yi smiled and laughed to the secretary, looked at the fishing rod in front of him: "All said Jiang Taogong fishing, I will hook, but if I don't know how to make a fisherman, the fish will slip away. Wait this The pen business is talking, I will not be late again. "Said that he will continue to knock on the keyboard.
The business is finally talking, and the customer transfer the goods into the bank account of Zhang Yi, and Zhang Yi smiled: "This big fish finally caught in me." Then he boarded the online bank account to view the transfer situation. When the remaining amount is displayed on the page, Zhang Yi is tight, then there is a feeling of dizziness: the original deposit in the account is free, but the page is only transferred in the page, as if it is laughing at the manager .
Zhang Yi did not think that this time, he became a fish fishing in others, and it was a big fish.
Interpretation of online fishing
Online fishing, is not a new invasion method, but its harm is gradually expanding and has become one of the most serious network threats in the near future. Phishing means that the invader is faked by the technical means of the invaded, forces some methods such as the true website and the victim of the victim, so that the victim "voluntarily" will give important information or steal important information (such as the bank account password) s method. The invader does not need to take the initiative to attack, he only needs waiting for the reaction of these fishing rods and mentioning a fish, it is as if it is "Jiang Taihuo fishing, the hook".
Seeing this, some readers may say, is this not social engineering? Both are the means of deception. Nice, there is indeed social engineering shadow in the network fishing, but it is more tended to technology than the latter, because it is not just deception, it must also be incorporated into technical components, otherwise if "angry" I can't control the "fishing rod", how can I catch fish?
Visual trap: fishing rod behind the web page
The police are analyzing the data in the laptop hard drive. Zhang Manager has lived in the hospital due to heart attacks during the report. Since the manager cannot know the time of the last login network bank, and the system has not infected any lattice procedures for any stealing account, the case has become a bit confusing. A analyst has not intended to open Foxmail inadvertently, and the last letter is the bank sent by the bank. The subject is the "Notification of XX Network Bank on Strengthening Account Security". The analyst predicts that there is a major relationship with this letter, and immediately opens reading. This is a letter from HTML web template. The content is generally upgraded to the bank to upgrade the system in order to strengthen account security. Please re-set the account password as soon as possible, and the URL link for setting the password is also given.
The behind-the-scenes black hand is here! The analyst immediately viewed the letter source code. Soon, I found out that the catty of it: "a set of" said, "said a set of", "the author of this message adopted" a set of entered "This simple fraud method, invader uses the characteristics of the URL tag in the HTML language, and writes it this:" http://www.xxbank.com.cn/account/index.asp ", due to psychological functions, the victim will click on the" http://www.xxbank.com.cn/ ACCOUNT / INDEX.ASP "URL link, however they don't know, this click actually leads them to" http://www.xxbank.com.cn/account/index.asp "this fishing rod! And this so-called change password page, of course, forgery is exactly the same as the real bank page, but its "Change Password" function is sent to the "fishing" hand of the account and password to the behind-the-scenes, then "angry" login The real online bank has changed the password set by the victim, and the lac will transfer the deposit in the bank account. In this way, even a small fish will make the "angry" to make a laughter in the dream, even if a small is too small, the number of accumulated has become quite considerable. Under the temptation of money, the "fishing worker" once again, and I don't know, he himself is also a fish fished by the money fishing rod. Key to the success of the hunt
Why is this so bad technology to have frequently? Have you encountered a similar situation in your actual life? What kind of preventive measures do you take?
Because online fishing uses people's psychological vulnerabilities, first, people will almost nervous when they receive a large business mail, many people have never doubt the authenticity of the letters, and will open the email according to the requirements of the consciousness. The specified URL is operated; after the page is open, we usually only pay attention to the page content without paying attention to the display of the browser address bar. It is this to make the "angler" have a machine.
In fact, "Fishingiers" can use IE's URL spoofing vulnerability to make yourself more like a thing, but now IE generally played patch, in which case this vulnerability will "do not play" Therefore, there is only a very small number of "fishing people" to adopt this method, and some "fish" is not even if the "comparative formal" domain name is not, but the IP address form is even directly bright, and the real address is displayed in browsing. In the address bar of the device - because they know, most people do not pay attention to the address bar of the browser unless there is an unexpected situation.
By the way, it will mention the Email, why will the Manager meet? Even if the Email's sender address is not a bank website, then idiots can see this is forged email. But the problem is here, this Email's sender address clearly writes the technical support mailbox address of the bank website! How did the "fish" do it? Very simple, some unsettled Email servers do not verify that the user information is true, so the liar sent a letter to send a letter to the sender's address with such a mail server.
Search engine with romance: love hate
Due to the rapid development of the Internet, the information volume explosion with the popularity of the Internet, we can get more and more ways to get information, but finding specific information data has begun difficult, and people need one for this person. A tool that can be managed to manage and provide a simply search function as much as possible, and the search engine is born. At the same time, the representative of search engines makes Google's focus of viruses and invaders have become the focus of viruses and invaders. This time, it is still a disaster that Google. It used to "provide" a "search invasion" in "Search": Intruders, the invader can find that there is a computer where there is a Unicode vulnerability by querying some specific characters on Google. Being out of Google - as long as "/scripts/..%5C../scripts/..%5c../winnt/system32/cmd.exe \c dir" can find a lot of contrabing "Directory of" strings IP address, click in, you will find that you have invaded the computer with Unicode vulnerability ... Now, although this method has basically failed, the security issues brought by Google are more worthy of everyone's attention. In the face of powerful Google, "Fishingiers" is not satisfied with the Web page fishing, they also look at Google's desktop search tool Desktop Search, this tool exists with a vulnerability of information leaks, invaders can deceive Desktop through script SEARCH provides user information, the most common is to leak disk data. With this vulnerability, "Fishingiers" can counter-related letters and establish a deceptive e-commerce website, so that users have mistakenly believe that the big company is sent to her letter. Some "fishing people" use fake password verification to steal user information, others deceive users to click on some commodity information and are planted in the wood horse. Cross-station fishing: nightmare
The forged page deception mentioned earlier is "Yisher" using false letters and people seek convenient psychology, directly click on the malicious link given by the letter to meet the purpose of fishing, now with the renewal of the media and the improvement of user vigilance, this The success rate of a means gradually decreased. So the liar of the affection begins to make a new fog: they also use some means to deceive the user to the business website, but in fact, this user is accessible to the real business site. Is it "angry" to change evil? The answer is negative, this real business site will still bring users to the "fishing worker" malicious page - scammers use a technology called "cross-station attack", insert a malicious link on the real website, the user even It is difficult to think that the real site will also hide the murder. This means known as "cocktail fishing" makes the credibility of the business website greatly reduced.
What is "cross-station attack"? The industry is defined as follows: "Cross-station attack refers to data with malicious destination in the HTML code in the remote web page, so that the user thinks that the page is trustworthy, but when the browser downloads the page, embedding it The script will be interpreted. "
There are two ways of cross-station attacks, and there are two ways: one, because the HTML language allows the use of scripts to make simple interaction, the intruder is inserted into a malicious HTML code in a page through technical means - such as record forums save User information (cookie), because cookies have saved complete usernames and password materials, users will suffer security losses. Let us give an example to explain this situation: For example, a regular forum is often going, you certainly don't doubt this forum has problems, but some bored users may release posts with malicious scripts in this forum. When you browse this post, it is possible to attack.
"Fishing" naturally does not ask the user's cookie information, how many business sites now allow users to save cookies? So they can only let users send themselves, this has the second simpler cross-site attack method: "Fishing" uses a special cross-site attack script code to make the page to pop up a design The page dialog that is not there, it requires the user to enter a password or bring the user to the forged site. Because these dialogs are visible in the normal website, they will naturally not doubt its legitimacy, but it is this psychological spoiler that leads to another trust crisis. This method persecuted more than just users, but also innocent business sites, because cross-station attacks are not intrusion server, but don't know what happened at all, until users find them. They found their reputation by these scammers.
Dangerous Hosts file
Readers who know more about the network generally know that there is a hosts file in Windows system directory, which is mapped to the IP address and URL. Everyone knows that the DNS server must be resolved into an IP address via the DNS server when visiting the website, so that the browser can know where to connect to the website we want. In Windows's processing logic, it always looks for this domain name and IP's correspondence in the HOSTS file. If the corresponding relationship exists, Windows directly connects the IP address described in the HOSTS table, only when it is not found. The DNS server sends a request for the domain name. This logical relationship is certainly convenient in some extent, because the Hosts table has high priority than any DNS server, but terrible is due to the characteristics of the Hosts table, we may A "fish" again became a fishing.
The principle of the HOSTS table is to change the mapping between domain names and IP, we can change, "fish" can change. By using download vulnerabilities such as MIME, EML, even simple web scripts, the scammers can add any map relationship they want in the HOSTS table, because Hosts hide too deep, general users will pay little attention to this file Change, this gives "angry" drill a space, although the Hosts table establishes a mapping relationship for domain name and IP address, but it does not judge the accuracy of this mapping relationship! So "Fishing" to access the user's network domain domain name and their forged website IP address, and the user is an entered domain name, even if the countless anti-virus monitor is installed, it cannot reverse the spoofing site. Wiguan - Who makes Hosts's priority?
Hosts table mapping principle
System upgrade patch: bait for liar
I believe that every Windows user will take a vulnerability from time to time and then an additional patch is hate, and because the vulnerability is harmful, the general users will pay attention to the new Windows upgrade patch, and the liar is also No exception, but they intend to borrow the vulnerability patch invading the user machine. The liar is forged a "good", "a patch developed for a serious security vulnerability" actively sent to the user, but the attachment is a Trojan. Generally, users are rare to meet this kind of meeting, naturally do not work, run this "patch." The liar is also savvy, they will make the interface that appear after running is exactly the same as the true patches, but what is the last installed user machine? Don't tell me.
In addition to these technical means, there are many ways to access social engineering. If you use QQ defrauding trust, send counterfeit winning information, buy empty sales, empty extravagance, etc., the liar is in mind, and it is to invade you. Interests!
Cross-station attack example
Stay away from fishing: a heavy problem
