I was Phished !

Recently I was a victim of a spear phishing attack, I use the term victim very lightly as nothing untoward actually happened to me. Yes, my account was compromised and, yes, one of my 130 passwords was harvested. 

The fact I was phished has surprised a number of people, why? 

Well I am a security architect and I advocate general system security and application security whenever I get a chance. I am in my final stages of GCHQ accreditation via a Oxford University's master programme for system security, and I am doing pretty good in this programme.

The phish attack was not particularly impressive, they cloned www.daft.ie [1], the cloned site is now offline. It was the timing of the attack that caught me out. Typically daft.ie is a site to view property for sale or rent among other property related activities. You pay to advertise on this site and its generally free for others to view rentals or properties for sale i.e. I suspect daft generate decent revenue[2].  

I rarely use this site for rental purposes, in the last decade I have used daft.ie only a handful of times to rent a family property. Daft.ie a very good site and has excellent traffic. During the periods of having an active property for rent, I would frequently login and check any activity for the rental property e.g. how many views and any messages. Typically my frequent activity would last no longer than two weeks, by frequent I would guess on average 3 times daily. Once the property is let, I would have no need to login, however I do view houses for sale regularly, wishing I could purchase a nice large house! I was targeted because I had an active advert and would have a high volume of email responses looking to view the property, within 48 hours I had organised 12 viewings for the property.

Having informed daft.ie of something untoward, I had a conversation with daft.ie support, they listened to my thoughts. I informed daft.ie support I had a software security background. What surprised me, in general the narrative from daft.ie support was in general this is your fault, I gave out my credentials to a malicious site and there is nothing daft.ie can do. Yes indeed I did hand out my credentials. This I did not dispute, I challenged the narrative “nothing daft.ie can do” to prevent phishing attacks. Well, I disagree, this prompted me to write this post.

So, what could daft.ie have done to mitigate this and help users?

I like daft.ie, its a good site and has always served me well. However, as daft.ie has a paid service and generates decent revenue[2], there is a responsibility to help mitigate phish attacks in my view. There still appears to be a disconnect between sites, users and security. When you drive a car the average drivers have no idea how the engine works, it just works, we need to get security into the same realm. Simply saying “nothing daft.ie can do” is just wrong in my view. Following outlines some items daft.ie could do to mitigate this phish attack.

Email notification

My email address was changed from its original registered email to the email address dduffy1@homemail.com. Daft did not issue a notification to original email address. At least I would have been informed, daft say they can't do this due to the volume of email this would generate. Hmm, very hard to accept this, I do not know the figures, but I would not expect this change of email address to be in the millions. Daft say individuals may no longer have access to the register email address. This changes nothing in my view, I am simply asking for an email notification.

Interestingly homemail.com is no longer valid, it was previously sponsored by CNN in the late 90's. So I wonder was the email address dduffy1@homemail.com actually verified by daft.ie? I do not know as daft.ie do not provide an activity feed on their site e.g. when important activity takes place, email registered & verified, password changed, when logged in, current active sessions etc.

Two Factor implementation

daft.ie have no options for two factor authentication, or at least two step authentication via OTP (one time passcode) e.g. google authenticator or via SMS OTP code (I am aware NIST has recently indicated SMS’s backbone SS7 is not considered secure[3]), its still in use by Apple and Amazon among others, it is still a very handy method for OTP. If daft had offered this as an option my credentials would not have been compromised. I implement two factor on any site that offers it. If implemented in a clever way this can be unobtrusive e.g. at the discretion of the user, store a persistent cookie to trust this browser and therefore never request an OTP again for this browser. According to daft.ie this is being considered, it is pretty easy to implement should take no longer than about 5 days development, I know because I wrote one previously. daft.ie did not provide details as to when this would be available.

Mobile Number

daft.ie could have requested mobile numbers and issued notifications to the user over SMS. Mobiles are not a requirement on daft.ie, but they could easily implement this feature using Twillio or Nexmo to issue SMS. Why not make mobiles a requirement or at least an option if individuals are placing adverts? Even if you want charge 1 more euro.

Geographical IP address Monitoring

I have an active rental advert for a property and login on average four times daily from an Irish generated IP address with CIDR 51.37.1.1/16. I don't know the exact malicious IP address used to login to my account as daft don't make this available to me. But I suspect it was not Irish and not within my IP range. Therefore use this information and flag this activity as unusual. Either notify the user via email or mobile or review internally. 

So, I disagree with nothing can be done, lots can be done if you wish to invest time. And above is about 10 minutes of thought, give me a few days to understand more about the business and activity and I would come up with several more ideas.

HTTP Headers

This prompted to look at www.daft.ie HTTP Headers, daft.ie can certainly do better here with very little effort, nothing to do with phishing.

Following are generally basic enough headers 

  • Strict-Transport-Security - this header is not implemented, no real reason why this would not be enabled.

  • X-Frame-Options - this header is not implemented, again no reason, unless daft.ie facilitate framing.

  • X-XSS-Protection - this header is not implemented, might be a bit harsh here, as most browsers enable this by default. 

  • X-Content-Type-Options - this header is not implemented, again no reason why this would not be enabled.

  • Content-Security-Policy - this header is not implemented, an excellent new header facilitating whitelisting resources. Though can be hard to implement if you have a lot of inline JavaScript, but daft.ie don’t, they have some inline JS for marketing and tracking reasons. So should be relatively easy to implement

Advanced Headers

  • Public-Key-Pins[4] - this header is not implemented. A nice new header to prevent rogue TLS certificates.

References

[1] Cloned Daft Site, which is now offline daft.ie.my-daft60.xyz/2/login/

[2] "Decent Revenue”, checked 20th August 2017. I have no idea how much revenue, according to their site they have 76,561 properties on line

[3] NIST & SS7

[4] Public Key Pinning