How safe are you online?

These days we hear a lot about security on the World Wide Web. The most frequent security warnings tell us to take care where we enter our personal information, because of phishing sites. In case you don’t know about them, phishing (pronounced “fishing”) websites are sites that look exactly like legitimate sites belonging to well-known companies such as PayPal, Moneybookers or Facebook. They have an ordinary login form, just like the legitimate sites do, but they record your username and password. After these are stored in the phishing site’s database, the site bounces you back to the real site so you don’t suspect anything. Thousands of people have been phishing victims, so this is a major problem: people who simply use sites like PayPal or Facebook, not even aware that phishing exists, will fall for the trick.

So, let’s get straight to the point. You may have heard that the best protection against phishing is to look at the address bar: if the address does not belong to the website you expect, do not enter anything. That method should always work. For example, someone could register a site such as id123456.com and then set up the server to handle a subdomain such as facebook.com.photo, so the whole URL would be www.facebook.com.photo.id123456.com. This may look legitimate, but it isn’t: if you look carefully at the URL, you will see that the domain is really id123456.com and not facebook.com (which is just two nested subdomains of it).
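As an added example (not code from the original post), here is a small Python check for the nested-subdomain trick just described: it pulls the host out of a URL and reports the registrable domain, which is what the address bar really points to. The sample URLs are constructed, and the last-two-labels rule is an assumption that ignores suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (no real site): one genuine, two lookalikes.
SAMPLE_URLS = [
    "https://www.facebook.com/login",
    "http://www.facebook.com.photo.id123456.com/login",
    "http://id123456.com/facebook.com",
]

def registered_domain(url: str) -> str:
    """Return the registrable domain of a URL's host: its last two labels.

    Assumption: a plain two-label suffix like example.com. Country-code
    suffixes (example.co.uk) would need a public-suffix list, left out here.
    """
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def looks_like_lookalike(url: str, expected_domain: str) -> bool:
    """True when the brand name appears somewhere in the URL but the registered
    domain is something else: exactly the pattern the post warns about."""
    if registered_domain(url) == expected_domain.lower():
        return False
    return expected_domain.lower() in url.lower()

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}: domain={registered_domain(u)} "
              f"lookalike={looks_like_lookalike(u, 'facebook.com')}")
```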

The real problem is Windows XP. If you are now asking what XP has to do with the Internet, you have a point. The problem lies in XP’s hosts file. The hosts file maps domain names to IP addresses. For example, the IP address of one of Google’s servers is 74.125.39.147. In normal circumstances, your browser would ask XP to connect through your router or modem; the router would look up the DNS records for Google.com and return the desired IP address to XP, which would forward it to your browser. But if the hosts file maps Google.com to a different IP address, things change. Windows searches the hosts file first and finds Google.com mapped to, let’s say, 123.12.123. Windows returns that IP address to the underlying API and the browser connects to 123.12.123 instead of Google’s server.

Not much of a problem until you think of phishing. For a programmer it is too easy to create an application and distribute it to many people, who would open it. He could write a simple application that alters the hosts file on Windows and then distribute it as, for example, a download manager. A user would install the so-called “Download Manager” and then, on seeing that it doesn’t work, uninstall it. But the harm is done and the hosts file has been altered.

A malicious programmer could write anything there, for example a mapping of Facebook.com to the malicious phishing site’s address. That is, it’s too easy to redirect traffic from a legitimate site to a phishing one and then capture users’ data. And an average user wouldn’t suspect a thing, because the address bar would say facebook.com while the underlying IP address is completely different.

However, there is a minor problem: the HTTP Host header. Since one server (one IP address) may host multiple sites, the browser must tell the server which site it is requesting, and that is the content of the Host header. So when connecting to the malicious IP, the browser asks for the website address it wants. Since the browser thinks it’s connecting to facebook.com, it puts facebook.com in the Host header of the HTTP request. Since the server can’t have facebook.com as its address, because that name is already registered, it refuses the request and serves the web server’s default page.

A workaround for this problem is quite simple, so it’s still easy to phish other people without them suspecting a thing. So, if you’re using XP, someone may be looking at your username and password right now. If you want to check your hosts file, follow these fairly easy steps:

  1. Open up your Windows folder. Most likely it’s C:\WINDOWS, but it may vary.
  2. If you get a warning, click Show the contents of this folder.
  3. Open the folder system32, then drivers and then etc.
  4. In the etc folder, there should be a file named hosts (with no file extension). Double-click it, choose Select a program from the list and click OK.
  5. A list of programs should pop up. Choose Notepad and click OK.
  6. You should see the file opened in Notepad. It should look like this:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost

    You can safely ignore the lines beginning with #, i.e. comments and examples; the lines of interest are the ones that start with an IP address followed by at least one whitespace character and ending in a website address (a domain). You should have only one such line: 127.0.0.1 mapped to localhost. This is normal and allows you to connect to your own computer using localhost rather than 127.0.0.1.
    If you have anything else in the list, or see an IP address mapped to a legitimate site, immediately delete the line, change that password and, if you are using the same password on other sites, change those too.
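As an added example that is not part of the original post, the following Python script automates the check from step 6 onward: it parses text in the hosts format shown above (comments, IP in the first column, names after it) and reports every mapping other than the expected 127.0.0.1 localhost line, marking redirects of well-known sites separately. The sample file contents and the WATCHED_DOMAINS set are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the Windows hosts format shown above: header comments,
# the normal localhost line, an inline comment, and two suspicious mappings.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
192.168.1.20 nas.home        # a LAN box the user added deliberately
203.0.113.45 facebook.com www.facebook.com
203.0.113.45 paypal.com
"""

# Assumed set of sites worth watching; adjust to the accounts you care about.
WATCHED_DOMAINS = {"facebook.com", "paypal.com", "google.com"}

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) per entry, following the format the file header
    describes: IP in the first column, then names, optional '#' comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank, or no hostname: maps nothing
        try:
            ipaddress.ip_address(fields[0])   # first column must be an address
        except ValueError:
            continue
        entries.append((fields[0], [h.lower().rstrip(".") for h in fields[1:]]))
    return entries

def audit_hosts(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (verdict, ip, hostname) for every mapping other than the default
    '127.0.0.1 localhost'. Verdict is 'hijack' when a watched domain (or a
    subdomain of it) points anywhere but loopback, otherwise 'extra'."""
    findings = []
    for ip, names in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if loopback and name == "localhost":
                continue                      # the one line the post expects
            hit = any(name == d or name.endswith("." + d) for d in watched)
            findings.append(("hijack" if hit and not loopback else "extra", ip, name))
    return findings

if __name__ == "__main__":
    for verdict, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict.upper():6} {name} -> {ip}")
```

To audit a real XP machine, read C:\WINDOWS\system32\drivers\etc\hosts and pass its text to audit_hosts; a 'hijack' verdict is the case the steps above say to delete and change passwords for.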

I have tested it in XP, and it works alright: I can map facebook.com to one of Google’s servers and it works fine. I also tested it by trying to modify it through C++, C#, Visual Basic and Visual Basic.NET programs, and Windows XP (even with Service Pack 3) does nothing to suppress it. Neither do Avira, ESET Smart Security and AVG.

Such a file exists in both Windows Vista and Windows 7, but with restricted permissions, which is a little bit better. I don’t have a copy of those operating systems at home, but I bet there is a workaround for this, as there is for every single security barrier on Windows anyway.

So by this point you are asking why Microsoft created such a security hole, and such a problem for people around the world using Windows XP. Well, the answer lies in the very deep roots of Windows XP: it is based on Windows NT and copies all of its APIs (Application Programming Interfaces), introducing only minor updates and security adjustments. The Windows kernel and API, including the network connection system, haven’t changed since Windows NT. The hosts file was made back then, at a time when the World Wide Web was an innocent place with no phishing or hacking attempts, an early W3. But now things have changed and Windows still uses the same outdated API.

However, when you take a look at free operating systems, there are no such exploits. Everything is built on a modern kernel and APIs. The fundamentals are different and leave no room for such attempts. Everything is clearer and better organised. However, Windows and Microsoft have been, and will be for quite a long time, giants in the software industry, and the majority of applications will be built for the Windows architecture. That’s the reality we must face.

We hope that Microsoft will redesign Windows’ fundamentals and write it in a completely different manner. That would make Windows an operating system that is both easy to use and safe. But even then, Linux is free and open-source and Windows is quite expensive; we must not forget that.

Until that moment, we have to be really sure about our security. There is a method that will never fail: use HTTPS (a secure protocol). If you fail to find a secure protocol or secure connection option on the site you are visiting (unless it’s a smaller site such as a forum), there is a high chance that you’re facing a phishing site. All world-renowned websites have a security certificate, which can be seen as a padlock in the corner of the screen. At this point in time, no phisher can mimic security certificates or the HTTPS protocol. But if you are visiting a less-known website (various forums, blogs etc.) which cannot have a certificate or HTTPS, you can never be sure. Besides security certificates and the secure protocol, the major methods are checking the hosts file and checking the URL.

In conclusion, the Internet is not safe and we must be aware of that. Take care with suspicious emails, sites and messages, and immediately report them to the real, legitimate sites through their Phishing Report or Contact form. We must be very careful about our security; nowadays identity theft is a frequent problem, and not one to underestimate.