In our example of forging headers, we successfully spoofed our email address and some headers, but unfortunately this did not stop our IP address from being identified within the email. It clearly states our IP address on the line that reads Received: from hostname (xx.7.239.24). If we were to send a bulk email like this trying to phish someone, we would be considered newbies and would probably be an easy target for apprehension.
One way of hiding our IP address is to take advantage of open relay servers combined with proxy servers. An open relay servers is an SMTP mail server that allows unauthorized users to send email through it. The reason we could send spoofed email in our example is because we did it from our own MTA server. Although we are considered "authorized" to send email, the detriment is that our real IP of our own MTA will be revealed to the receiver.
Most open relays reside in corporations or systems that have a misconfigured mail server and are not aware that they are contributing to spamming and phishing. These types of mail server are prime targets for phishers and spammers, since the unsuspecting and unaware probably lack the education to keep track of the server logs. By the time they find out, many spammers have probably already exploited their system for illicit activity. Spammers and phishers could use multiple open relays simultaneously to send their bulk emails. Unfortunately that is a drawback as well, since the more one uses the open relay, the faster it ends up on a real-time black hole list (RBL; see www.email-policy.com/Spam-black-lists.htm).
The anonymous element is to locate open proxy servers that are on the Internet. An open proxy server is similar to a open relay server except it is not specifically used for email; it will also route arbitrary TCP and sometimes UDP requests. One of the more popular proxy protocols is SOCKS, an abbreviation for SOCKet Secure; it is a generic protocol for transparent proxying of TCP/IP connections. SOCKS is a more universal proxy and is in high demand by phishers and spammers because it can serve multiple necessities. There are also standard HTTP/HTTPS proxy servers and cache proxy servers such as Squid that mainly focus on HTTP and the ability to cache data so that you save bandwidth. Most phishers are specifically looking for proxies to cover their tracks in perpetrating fraud.
There are many methods of locating proxies to hide through; a quick way is Google. One of the first sites at the top of the Google search list is www.stayinvisible.com/index.pl/proxy_list (see Figure 5). Let's look at the list and try them for ourselves.
Figure 5 Available Proxy Lists
There are also many available tools that check for open proxies on the Internet at a very fast rate. YAPH -- Yet Another Proxy Hunter (http://yaph.sourceforge.net) -- is a UNIX version of a freely available proxy hunter, and there are multiple ones for Windows. One of the bulk-mailing tools, known as Send-safe, even provides a proxy hunter with its software. At this time, the software's author has trouble hosting his site anywhere due to being a suspect in the authoring of the Sobig virus (http://securityresponse.symantec.com/ email@example.com). Also, in the underground free-trade market, you can even purchase proxy and VPN services from "trusted" individuals for approximately $40 per month.
On this list are both anonymous and transparent proxies. The transparent proxies are usually HTTP proxies. Since the anonymity level can be lessened due to the fact that your browser will answer a request such as REMOTE_ADDR from the server, the transparent proxy will pass that along without a rewrite. This makes it obvious that it is not an anonymous proxy, but it can be useful for caching when bandwidth is low. On the other hand, SOCKS was designed to tunnel all TCP traffic, no matter what type. Since SOCKS does not require information from the browser, it simply treats it like an arbitrary TCP client. This method of handling the data will increase anonymity, since the Web server is viewing the SOCKS server as a client and any requests will come from the SOCKS server.
Phishers Go Wireless
With the ongoing growth of wireless networks, phishers now can anonymously mass-mail by war driving -- the act of driving around looking for available wireless networks to connect to, with a goal of sending bulk mailings through networks that are either open or vulnerable to security flaws and so accessible by unauthorized parties. More than this, war driving eliminates any signature available for tracking, since the wireless signal can be received even from 2 miles away, depending on the attacker's antenna. During the day of a phish attack, the attacker could be sitting at his home logging into the neighborhood Starbucks' wireless hotspot to send emails.
To extend the abuse of wireless networks, since T-Mobile provides the majority of wireless services to Starbucks coffee shops that require a login and password to use, phishers can start attacking the users on the network while drinking a cup of java. One technique used against hotspots was originally dubbed airsnarfing by "Beetle" and Bruce Potter of the Shmoo Group. The media later nicknamed this practice the Evil Twin attack, but unfortunately the media got to it a lot later than the actual concept was demonstrated by Shmoo. The media stated that airsnarfing was being exploited by sophisticated hackers, but actually Windows or Linux users can do this quite trivially, since setting it up is as easy as setting up a phish.
Here's quick rundown on a trivial attack for phishing wireless networks: The way T-Mobile and most other hotspots work, including those at airports, is that you're handed an IP address delivered via the DHCP server and then requested to log in to their Web-based authentication form, entering your username and password. The weakness occurs right at the beginning of the wireless session, since there is no real trust between the wireless gateway and the casual user. This weakness can be used to create a rogue access point (AP) with the same service set identifier, or SSID. When we connect to a network, the SSID is shows as the identifying name of the AP. In the case of T-Mobile's hotspots, most of the time you will see tmobile as the SSID value.
Our rogue AP is set up to compete with the hotspot and have the same name, since in most Windows wireless setups the stronger wireless signal usually wins. We will also host all the DHCP, DNS, and IP routing required on our AP, and we'll have an HTTP server with our phishing site(s) all set up. Once victims connect to you instead of T-Mobile, they will not know the difference, since we are routing the Internet and they have logged into the look-alike site. We then can poison our DNS cache to point to other fake sites set up to look like sites that we want to steal customer information from. Essentially, we control the flow of where victims go, since we control their wireless Internet connections.
This attack is possible due to the trust model, or lack thereof, between the user and the service the user is logging into. Simple login credentials don't protect against something you've never met before. The Shmoo Group has designed a HotSpot Defense Kit for MacOS and Windows XP, downloadable at http://airsnarf.shmoo.com/hotspotdk.zip.
Phishing exposed -- 10 tips in 10 minutes
Tip 1: Phishing and email basics
Tip 2: Phishing and the mail delivery process
Tip 3: Anonymous email and phishing
Tip 4: Forging headers and phishing
Tip 5: Open relays, proxy servers and phishing
Tip 6: Proxy chaining, onion routing, mixnets and phishing
Tip 7: Harvesting email addresses and phishing
Tip 8: Phishers, hackers and insiders
Tip 9: Sending spam and phishing
Tip 10: Fighting phishing with spam filters
This chapter excerpt from Phishing Exposed, Lance James, is printed with permission from Syngress Publishing, Copyright 2005. Click here for the chapter download.