NoteEmailLure - W3C Web Security Context Wiki

(A sub-section of the NoteUseCases)

Email Lure

Alice is a customer of BobBank. Mallet is an attacker attempting to obtain Alice's access credential for the BobBank site by impersonating BobBank, first in email and then as a Web site.

Mallet sends Alice (and a million other users) an email that purports to come from BobBank. The email may claim a sender address that is used by BobBank (accounts@bobbank.com), an address similar to that used by BobBank (accounts@b0bbank.com) or an entirely unrelated email address (accounts@as818d2182.ru).

The email purporting to come from BobBank directs Alice to a web site that looks very similar to the authentic BobBank site. The email link may use a cousin address (http://www.b0bbank.com), a numeric address (http://10.1.1.1), a numeric address with a fake username portion (http://www.bobbank.com@10.1.1.1/). In many cases the user is shown a URL that is different to the one that is actually linked.

In some cases the Web site will be implemented as a proxy to the genuine BobBank site, in others static HTML and image file data that has been 'screen scraped' from the authentic BobBank site. The objective of this site is to persuade Alice to enter her username and password so that Mallet can record it and either use it to access the site at a later date or to sell the information for a third party to make use of in this way.

At the time Alice attempts to contact the impersonating Web site BobBank may have been alerted to the existence of the impersonating Web Site by a number of channels: A customer, spam control company or anti-phishing company may have explicitly made contact and alerted the bank, the use of the genuine sender address may have caused a 'backwash' of failed email delivery attempts, previous attempts to connect to the site as a proxy may have been detected.

Alice and BobBank both have assets at risk. Alice may lose funds from her account that are not reimbursed. BobBank may be required to reimburse Alice for funds taken from the account. In addition to direct losses due to fraud BobBank may suffer indirect losses due to increased customer service calls whether or not the attack is successful: Alice may insist on doing all her future transactions at a local branch at significantly higher cost to the bank. Alice may contact customer service to ask about the attack.

Discussion

In each case the attack has two disftinct phases: contact and capture. In the contact phase Mallet solicits interaction with a large number of potential victims using a medium that supports unsolicited interaction; email, instant messaging, telephone.

The contact message directs Alice to the capture site. While this is typically a Web site today the use of automated telephone attendant sites via VOIP is rising.