
An academic research on phishing environments, techniques, and countermeasures

4.3.3 System penetration techniques

System penetration techniques are used to exploit system resources to facilitate the initialization of phishing attacks (Emigh, 2005; Jakobsson and Myers, 2006). These techniques are generally used along with other types of cyber-attacks and are not limited to phishing. We identified two main system penetration techniques: Fast-Flux and Cross Site Scripting.

Fast Flux (FF). FF is not a direct attack, but rather a DNS-related technique that protects phishing sites from being taken down by hiding the machine that hosts the phishing website. DNS-based phishing refers to any form of phishing that tries to spoof the process of finding the real domain name (Jakobsson and Myers, 2006; McGrath et al., 2009; Moore and Clayton, 2007; Zhou et al., 2008), which includes hosts file poisoning and polluting the user’s DNS cache with a spoofed location. In FF networks, instead of revealing the address of the machine hosting a phishing site, front-end proxy hosts are used to relay requests to another server, which is the real host of the phishing site (Hsu et al., 2010). As such, several compromised front-end hosts (bots) are needed. In addition, the phishing domain name is mapped to the front-end proxies. To make the process more ambiguous, FF networks perform domain name resolution over a short duration (see Appendix D). This is important in order to avoid the attack being traced back to the hosting machine.

Content Injection via Cross Site Scripting (XSS) and Request Forgery (CSRF). XSS can be initialized using different techniques. For instance, the attacker may inject malicious code into a benign website by loading it onto a valid server as part of a client review or a web-based email. Alternatively, the code may be injected into a URL and sent to the user in an email (see Appendix E). When the user taps the URL, the content will be transmitted to the benign server and then returned as part of a request for user credentials (Ramzan, 2010). CSRF is yet another type of injection attack that can be initiated as part of phishing campaigns. The attacker sends emails to victims to lure them into visiting a web page that is under the attacker's control (Blatz, 2007; Nagar and Suman, 2016). The attacker hides several executable elements in the page (e.g., JavaScript blocks) which will make a request to the target application. When the victim is logged in to the application at that time, the session token is automatically appended to the request. The application will then automatically perform whatever action the attacker requested.
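The fast-flux behaviour described above (short-lived resolutions and a changing set of front-end proxies behind one domain name) can be checked for in repeated DNS answers. The following is an added example, not part of the original article: the thresholds, function names, and sample observations are assumptions constructed for illustration, and the /16 grouping applies to IPv4 answers only.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for illustration; tune against your own passive-DNS data.
MAX_TTL = 300        # seconds: fast-flux records expire quickly
MIN_UNIQUE_IPS = 5   # distinct front-end addresses seen across lookups
MIN_NETWORKS = 3     # distinct /16 networks: bots are scattered across providers

def flux_features(observations):
    """observations: iterable of (domain, ttl_seconds, [A-record IPs]), one per lookup."""
    per_domain = defaultdict(lambda: {"ttls": [], "ips": set(), "lookups": 0})
    for domain, ttl, ips in observations:
        d = per_domain[domain.lower().rstrip(".")]
        d["ttls"].append(ttl)
        d["ips"].update(ips)
        d["lookups"] += 1
    features = {}
    for domain, d in per_domain.items():
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in d["ips"]}
        features[domain] = {
            "max_ttl": max(d["ttls"]),
            "unique_ips": len(d["ips"]),
            "networks": len(nets),
            "lookups": d["lookups"],
        }
    return features

def suspected_fast_flux(observations):
    """Return domains whose answers look like a rotating proxy pool."""
    flagged = []
    for domain, f in flux_features(observations).items():
        if f["lookups"] < 2:
            continue  # a single answer says nothing about rotation
        if (f["max_ttl"] <= MAX_TTL and f["unique_ips"] >= MIN_UNIQUE_IPS
                and f["networks"] >= MIN_NETWORKS):
            flagged.append(domain)
    return sorted(flagged)

# Constructed sample data (documentation address ranges, reserved domain names).
SAMPLE = [
    ("flux.example", 120, ["192.0.2.10", "198.51.100.7"]),
    ("flux.example", 120, ["203.0.113.5", "198.51.100.90"]),
    ("flux.example", 60, ["192.0.2.77", "203.0.113.200"]),
    ("stable.example", 3600, ["192.0.2.1"]),
    ("stable.example", 3600, ["192.0.2.1"]),
    ("shortttl.example", 60, ["198.51.100.1", "198.51.100.2"]),
    ("shortttl.example", 60, ["198.51.100.1", "198.51.100.2"]),
]
```

A short TTL alone is not enough to flag a domain, since load-balanced legitimate services also use short TTLs; the heuristic requires address churn across several networks as well.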

