(A sub-section of the NoteUseCases)

(Adapted from previous use cases: NoteEmailLure)

Lure-Impersonation attacks

Alice is a customer of BobBank. Malcolm is an attacker attempting to obtain Alice's access credential for the BobBank site by luring Alice to a site that impersonates BobBank's online banking services. In each case the attack has two distinct phases: contact (luring) and site impersonation (currently used primarily for password capture). In the lure phase Malcolm solicits interaction with victims using a medium that supports unsolicited interaction: email, instant messaging, or telephone. Most site-impersonation attacks today are used by Malcolm to capture passwords---however, many other uses of this attack are possible (see below).

Lure Channels

Channels through which Malcolm can lure Alice to the impersonated site include:

Email

Malcolm sends Alice an email that purports to come from BobBank. The email may claim a sender address that is used by BobBank (accounts@bobbank.com), an address similar to that used by BobBank (accounts@b0bbank.com), or an entirely unrelated email address (accounts@as818d2182.ru). This email may be customized with information that Malcolm has painstakingly collected about Alice's account, or it may be one of millions of indiscriminately targeted emails.

Web Links

Malcolm may lure Alice to an impostor site by posting a link from another site that Alice may trust. For example, Malcolm may post on a blog or social networking site that he is infuriated that BobBank will be introducing a $20/month fee for bill payment in the next 24 hours, and encourage everyone to log in to BobBank (https://BobBank-BillPay.com/) to cancel their bill payment if they don't want to be subject to the fee.

Phone

Malcolm may call Alice and inform her that she needs to log in to her bank. He may then convince her that she needs to use a special alternate address for her bank. For example, he may claim that she needs to use a special high-security login page, or that her bank's primary web server is down that day.

Implementation of the Impersonation Site

(Stuart wonders whether this section contains more information than necessary.)

The impostor site may use a cousin address (http://www.b0bbank.com), a numeric address (http://10.1.1.1), or a numeric address with a fake username portion (http://www.bobbank.com@10.1.1.1/), where everything before the '@' is interpreted by the browser as a username and the actual host is 10.1.1.1. Alternatively, it may use the correct address but over an insecure protocol. In many cases the user is shown a URL that is different from the one that is actually linked.

In some cases the Web site will be implemented as a proxy to the genuine BobBank site; in others it will consist of static HTML and image files that have been 'screen scraped' from the authentic BobBank site. The objective of this site is to persuade Alice to enter her username and password so that Malcolm can record them and either use them to access the site at a later date or sell the information to a third party who will do so.
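As an added, defensive example that is not part of the original use case, the following Python triages a link against the URL tricks listed in this section and in the lure channels above (cousin names, numeric hosts, a fake username portion, insecure scheme, and a displayed URL that differs from the linked one). The BobBank host allow-list and the notion of separate "display text" are assumptions made for the example.

```python
"""Link triage for the lure/impersonation URL patterns described above (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of BobBank's genuine hosts (an assumption for this example).
TRUSTED_HOSTS = {"bobbank.com", "www.bobbank.com"}

# Digit-for-letter substitutions commonly used to build cousin names (b0bbank).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _is_ip(host):
    """True when the host part is a bare numeric address such as 10.1.1.1."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_lookalike(host, trusted_hosts):
    """True when the host embeds a trusted brand label once confusables and hyphens are removed."""
    brands = {t.split(".")[-2] for t in trusted_hosts if "." in t}
    normalised = host.translate(CONFUSABLES).replace("-", "")
    return any(b in normalised for b in brands)


def _hostname_of(text):
    """Hostname from a URL or bare host shown to the user, or None if the text is not URL-like."""
    host = urlsplit(text if "://" in text else "//" + text).hostname
    return host if host and "." in host else None


def analyze_link(href, display_text=None, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings for a link; an empty list means nothing suspicious was seen."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # http://www.bobbank.com@10.1.1.1/ : 'www.bobbank.com' is a username, the host follows '@'.
        findings.append("userinfo-in-url")
    if _is_ip(host):
        findings.append("numeric-host")
    elif host not in trusted_hosts:
        findings.append("lookalike-host" if _is_lookalike(host, trusted_hosts) else "unknown-host")
    if parts.scheme != "https":
        findings.append("insecure-scheme")
    if display_text:
        shown = _hostname_of(display_text)
        if shown and shown != host:
            findings.append("display-mismatch")
    return findings
```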

Beyond password capture---other consequences of site-impersonation

If Malcolm can lure Alice to the impersonated BobBank site, this may enable other attacks beyond those possible from stealing Alice's password. If Malcolm is unable to steal Alice's password (she uses a challenge-response token), Malcolm may still be able to take over Alice's banking session to transfer funds or use bill payment to send himself a check. Malcolm may also exploit Alice's trust in a site that she thinks is her bank's to bootstrap other attacks: he may replace the address to which deposits should be sent with his own address; he may ask Alice other personal authentication questions (social security number, high school, etc.); he may observe Alice providing wire transfer instructions and modify the amounts.

Symptoms

At the time Alice attempts to contact the impersonating Web site, BobBank may already have been alerted to its existence through a number of channels: a customer, spam control company, or anti-phishing company may have explicitly contacted the bank; use of the genuine sender address may have caused a 'backwash' of failed email delivery attempts (bounces); or previous attempts by the impostor site to connect to the genuine site as a proxy may have been detected.

Stakeholders and Consequences

Alice and BobBank both have assets at risk. Alice may lose funds from her account that are not reimbursed. BobBank may be required to reimburse Alice for funds taken from the account. In addition to direct losses due to fraud, BobBank may suffer indirect losses due to increased customer service calls whether or not the attack is successful: Alice may insist on doing all her future transactions at a local branch, at significantly higher cost to the bank, or may contact customer service to ask about the attack.

Related attacks

In this use case, the lure directs Alice to a web site that impersonates an organization with which she does business. An alternative attack would lure Alice to an automated telephone attendant site.