In August 2004 an innovative phishing attack was launched, not against the usual targets of PayPal and large banks, but against the Kerry for President campaign. The campaign fought back against it, also in an innovative way.
As is typical of phishing attacks, the e-mail and the Web site it led to linked directly to images hosted on the Kerry campaign site, johnkerry.com. Among them was a picture of Kerry's brother Cam Kerry accompanying an appeal for a contribution.
The original phishing e-mail used a From: address at johnkerrys.com rather than johnkerry.com (note the extra "s" in the name), which probably gained the phisher nothing and, as you'll see, gave the campaign a hook for its countermeasure. I'll leave out the other technical guts of the phish; suffice it to say, as you may have already guessed, the money didn't go to the campaign.
The campaign responded quickly though. Since the phishing e-mail directly linked to the image of Cam on the Kerry Web site, site admins replaced that image with one that contained the text “WARNING! If this e-mail is from any address that includes @JohnKerrys.com it is not an official e-mail from Kerry-Edwards 2004, Inc. Do not donate using any link in this e-mail.”
This is what engineers call an "elegant" solution. A very simple change, relying on nothing more than the way HTML pages and HTML e-mail reference remote images, forced the attack to reveal itself. Users who opened the e-mail after the change saw clearly that something was wrong with it (unless they followed the common techie advice to turn off graphics in e-mail).
The site, of course, still controls its own pages and can point its own visitors at a fresh, legitimate copy of the graphic under a new name. Note that the Kerry graphic hedges its bets somewhat: it does not say that any message using the image is illegitimate, only that one from johnkerrys.com is. Ironically, this was probably an overly conservative approach by the campaign, since a phisher who simply changed the From: address would have sidestepped the warning. But the basic approach should have worked.
Fast-forward two years, and this elegant approach is still almost unheard of as a response to phishing attacks. Then I read about a use of it on Brian Krebs' Security Fix blog at the Washington Post.
Krebs describes an attack against e-gold, a perennial phishing punching bag. The company responded in the same way, changing its graphics to declare: "STOP – THIS IS A FAKE FRAUDULENT WEB SITE." Nothing ambiguous there. Anyone who still gets suckered by that site deserves what he gets.
I decided to ask PayPal, which has a near-monopoly on phishing victimhood, why it doesn't take this approach. But even before I got an answer I could see how difficult it could be.
First, there is the sheer scale and manageability of the problem. Doing this the conventional way, with static images, would require constant monitoring of phishing attacks and changing whichever images each one happens to use. At PayPal's scale, this is a serious problem.
The obvious way around this is for images not to be static but script-generated, where the script checks the address of the referring page (the Referer header the browser sends with the image request) and serves a warning graphic when that page is not one of PayPal's own. But once again the problem is scale: a response that depends on the referrer cannot be served from a shared cache, so doing it right means seriously limiting the caching of images, and that would entail an immense increase in processing load on PayPal's servers.
There is also the problem of legitimate outside linkers. PayPal expressed concern about "the thousands of very small, legitimate businesses that sign up for PayPal every day and add our logo to their sites." It's possible to imagine ways to whitelist such sites, but the process sounds complicated, expensive and failure-prone.
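To make the trade-offs above concrete, here is an added example, not code from the article or from PayPal, the Kerry campaign or e-gold, of the script-generated image idea as a small Python WSGI handler. It reads the Referer header, serves the real graphic to an allowlisted host (or a subdomain of one) and the warning graphic to everything else, including look-alike names such as johnkerrys.com, and marks every response as uncacheable so the swap takes effect immediately. The host names, file names and image bytes are constructed placeholders. One caveat the code has to face explicitly: mail clients and privacy-minded browsers frequently send no Referer at all, so the no-Referer case needs a deliberate policy, and the check can only catch the phishing Web page, not the e-mail itself.

```python
"""
Referer-gated image serving: an added illustration of the "script-generated
image" approach. All hosts, file names and image bytes are constructed
placeholders, not anything from the sites discussed in the article.
"""
from urllib.parse import urlsplit
from wsgiref.simple_server import make_server

# Hypothetical allowlist: the site itself plus any host a merchant registered.
# Subdomains of an allowed host are accepted; look-alikes such as
# johnkerrys.com or johnkerry.com.evil.example are not.
ALLOWED_HOSTS = {"johnkerry.com"}

LEGIT_IMAGE = "cam-kerry.png"
WARNING_IMAGE = "warning-not-official.png"

# Constructed placeholder bytes standing in for the real files on disk.
IMAGES = {
    LEGIT_IMAGE: b"PNG:constructed-legit-graphic",
    WARNING_IMAGE: b"PNG:constructed-WARNING-do-not-donate",
}

# The response differs per Referer, so no shared cache may reuse it. This is
# the "seriously limiting the caching of images" cost the article describes.
NO_CACHE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Vary", "Referer"),
]


def referer_host(referer):
    """Lower-cased host of a Referer URL, or None if absent or unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    except ValueError:  # e.g. a malformed IPv6 literal in the header
        return None
    return host.lower() if host else None


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True for an allowed host or any subdomain of one, exact-suffix match."""
    if host is None:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


def choose_image(referer, allowed=ALLOWED_HOSTS, missing_policy="legit"):
    """Pick which graphic to serve for a request carrying this Referer.

    Mail clients and privacy-minded browsers often send no Referer, so the
    missing-header case needs an explicit policy: "legit" avoids scaring
    ordinary visitors and webmail users, "warn" is the strict alternative.
    """
    host = referer_host(referer)
    if host is None:
        return LEGIT_IMAGE if missing_policy == "legit" else WARNING_IMAGE
    return LEGIT_IMAGE if host_allowed(host, allowed) else WARNING_IMAGE


def app(environ, start_response):
    """Minimal WSGI handler: every image request is answered via the check."""
    name = choose_image(environ.get("HTTP_REFERER"))
    body = IMAGES[name]
    headers = [("Content-Type", "image/png"), ("Content-Length", str(len(body)))]
    start_response("200 OK", headers + NO_CACHE_HEADERS)
    return [body]


if __name__ == "__main__":
    # Constructed sample of Referer values, as a server log might show them.
    for ref in ["https://www.johnkerry.com/contribute",
                "http://johnkerrys.com/donate.html",
                "http://johnkerry.com.evil.example/",
                None]:
        print(f"{ref!r:45} -> {choose_image(ref)}")
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Run it and request any path with different Referer headers (curl's `-e` option sets one) to see the two graphics come back; the allowlist is where PayPal's "thousands of very small, legitimate businesses" would have to be enrolled, which is exactly the part the company found hard to manage.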
For small sites, and even for some not-so-small ones like the Kerry campaign and e-gold, image-swapping may be a practical solution, but not for PayPal. Practical considerations mandate other solutions, none of which appears to be all that effective. This magic bullet missed the big target.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.