Anti-PhishingSecurityStrategyAngeloP.
E.
RosielloAgenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsNatureofPhishing3.
8daysAveragetimeonlineforsiteU.
S.
Countryhostingthemostphishingwebsites149Numberofbrandshijackedbyphishingcampaigns37438Numberofuniquesites23415NumberofuniquereportsFinancialServicescontinuetobethemosttargetedindustrysectorat96.
9%ofallattacksinthemonthofMay-ListofthemainhighlightsreportedforMay2007-StatisticsfromtheAntiPhishingWorkingGroup(AWPG)confirmtheglobalnatureofphishingwhoseprimarytargetarefinancialinstitutionsGrowingEffectivenessandEfficiencyofPhishingOverthelastmonthsphishingattackshavebecomemoreeffectiveandcomplextotrackandchallengeUSChina-Thetop5listofbreaches-InformationWeekResearch&Accenture–InformationSecuritySurvey2007Phishingrepresentsthethirdtypeofsuccessfulattackagainstenterprises(mainlybanks)SymantechasdetectedanumberofphishingsitesthathavebeenhostedongovernmentURLsoverrecentmonths.
InJunealone(2007),fraudulentsiteswereidentifiedonsitesrunbythegovernmentsofThailand,Indonesia,Hungary,Bangladesh,Argentina,SriLanka,theUkraine,China,Brazil,BosniaandHerzegovina,Colombia,andMalaysia.
"HostingaphishingWebpageonagovernmentsitehasanumberofadvantagesforaphisher.
GovernmentWebsitesoftenreceiveahighvolumeoftraffic,sotheirserverscanhandletheextratrafficgeneratedbyaphishingsite"writesSymantecresearcherNickSullivan.
"Thisextratrafficmightnotbenoticedimmediately,givingthephishingsitealongerlifespanbeforeitisdetectedandshutdown.
Perhapsmostimportantly,hostingaphishingsiteonanactualgovernmentURLgivesthephishingsiteasenseofauthenticitythat'shardtobeat.
"-ImprovingPhishingqualityattacks-TaxonomyofPhishingAttacksPhishingattackscanbeclassifiedaccordingtotheirnatureEmail,IMPhishingAttacksE-mailIM,IRC,etc.
-Description-Spoofede-mailaresenttoasetofvictimsaskingthem(usually)toupgradetheirpasswords,dataaccount,etc.
MSN,ICQ,AOLandotherIMchannelsareusedtoreachthevictims.
Socialengineeringtechniquesareusedtogainvictim'ssensitiveinformationCallingthevictimsonthephone,classicsocialengineeringtechniquesareusedbyphishersAnotherkindofattackisbasedontheinternetbrowservulnerabilities.
ThisapproachisusuallyadoptedtoautomaticallyinstalldialersPhone,mail,etc.
Exploitbased-ClassificationoftheAttacks-AProcessofPhishingAttacksInatypicalattack,thephishersendsalargenumberofspoofed(i.
e.
fake)e-mailstorandomInternetusersthatseemtobecomingfromalegitimateandwell-knownbusinessorganization(e.
g.
financialinstitutions,creditcardcompanies,etc)Thee-mailurgesthevictimtoupdatehispersonalinformationasaconditiontoavoidloosingaccessrightstospecificservices(e.
g.
accesstoonlinebankaccount,etc).
Byclickingonthelinkprovided,thevictimisdirectedtoaboguswebsiteimplementedbytheattackerThephishingwebsiteisstructuredasacloneoftheoriginalwebsitesothatthevictimisnotabletodistinguishitfromthatoftheservicehe/shehasaccessto.
Lotsofe-mailsaresenttoasetofrandomvictimsThevictimchangesherdataE-mailurgesthevictimtoupdateherdataviaweb(aspoofedone)Phisher!
!
!
AFRUDNewPhishersSkillsToconfusethevictim,phishersaredevisingnewtricksPhishinge-mailembedhyperlinksfromtheoriginalwebsitesothattheusersmainlysurfontherealwebserverexecutingonlyasmallnumberofconnectionstothefakewebserver.
WebsiteURLareencodedorobfuscatedtonotraisesuspicious.
IDNspoofing,forexample,usesUnicodeURLsthatrenderURLsinbrowsersinawaythattheaddresslooksliketheoriginalwebsiteaddressbutactuallylinktoafakewebsitewithadifferentaddress.
VictimsareredirectedtoaphishingwebsitebyfirstusingmalwarestoinstallamaliciousBrowserHelperObject(BHO).
BHOsareDLLsthatallowsdeveloperstocustomizeandcontrolInternetExplorerbutalsophisherstocompromiseconnections.
Thehostsfileonthevictim'smachineiscorrupted,forexampleusingamalware.
ThehostfilesmaintainslocalmappingsbetweenDNSnamesandIPaddresses.
ByinsertingafakeDNSentryintotheuser'shostsfile,itwillappearthattheirwebbrowserisconnectingtoalegitimatewebsitewheninfactitisconnectingtoaphishingwebsite.
Agenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsStrategicDefenseTechniquesAntiphisingdefensescanbeserverandclientbasedsolutionsServer-basedAnti-PhishingClient-basedBehaviourDetectionBrandMonitoringSecurityEventsE-mailAnalysisBlackListsInformationFlowSimilarityofLayoutsFocusofthispresentation!
Server-basedSolutionsServerbasedtechniquesareimplementedbyserviceproviders(e.
g.
ISP,e-commercestores,financialinstitutions,etc…)Crawlingon-linewebsitestoidentify"clones"(lookingforlegitimatebrands),whichareconsideredphishingpages.
Suspectedwebsitesareaddedtoacentralized"black-list".
Foreachcustomeraprofileisidentified(afteratrainingperiod)whichisusedtodetectanomaliesinthebehaviourofusersSecurityeventanalysisandcorrelationusingregisteredeventsprovidedbyseveralsources(OS,application,networkdevice)toidentifyanomalousactivityorforpostmortemanalysisfollowinganattackorafraudUsingmorethanoneidentificationfactoriscalledstrongauthentication.
Therearethreeuniversallyrecognizedfactorsforauthenticatingindividuals:somethingyouknow(e.
g.
password);somethingyouhave(e.
g.
hwsecuritytoken);somethingyouare(e.
g.
fingerprint)Newtechniquesofauthenticationareunderreasearch,suchasusinganimageduringtheregistrationphasewhichisshownduringeveryloginprocessBrandMonitoringBehaviourDetectionSecurityEventMonitoringStrongAuthenticationNewAuthenticationTechniquesClient-basedSolutionsClient-basedtechniquesareimplementedonusers'endpointthroughbrowserplug-insore-mailclientsE-mail-basedapproachestypicallyusefiltersandcontentanalysis.
IftrainedregularlyBayesianfiltersareactuallyquiteeffectiveininterceptingbothspammingandphishinge-mails.
BlacklistsarecollectionsofURLsidentifiedasmalicious.
Theblacklistisqueriedbythebrowserrun-timewheneverapageisloaded.
IfthecurrentlyvisitedURLisincludedintheblacklist,theuserisadvisedofthedanger,otherwisethepageisconsideredlegitimate.
InformationflowsolutionsarebasedonthepremisethatwhileausermaybeeasilyfooledbyURLobfuscationorafakedomainname,aprogramwillnot.
AntiPhishisanexampleofthistypeofdefensetechniquewhichkeepstrackofthesensitiveinformationthattheuserentersintowebforms,raisinganalertifsomethingisconsideredunsafeMostadvancedtechniquestrytodistinguishaphishingwebpagefromthelegitimateonecomparingtheirvisualsimilarity[[Wenyin,Huang,Xiaoyue,Min,Deng],[Rosiello,Kirda,Kruegel,Ferrandi]E-mailAnalysisBlack-ListsInformationFlowSimilarityofLayoutsTrendsonclient-basedMarketSolutionsInOctober2006,aMicrosoft-commissionedreportonvariousanti-phishingsolutionswasreleased.
ThetestersfoundthatMicrosoftInternetExplorer(IE)7.
0hasbetteranti-phishingtechnologythancompetingsolutions.
TheproductstestedincludedIE7.
0Beta3,EarthLinkScamBlocker,eBayToolbarwithAccountGuard,GeoTrustTrustWatch,GoogleToolbarforFirefoxwithSafeBrowsing,McAfeeSiteAdvisorPlus,NetcraftToolbar,andNetscapeBrowserwithbuilt-inantiphishingtechnologyTheMozillaFoundationcommissioneditsownstudytogaugetheeffectivenessofMozillaFirefox2.
0'santi-phishingtechnologyascomparedwithIE7.
0's.
ThisstudyfoundthatFirefox'santi-phishingtechnologywasbetterthanIE'sbyaconsiderablemarginItseemsevidentthatwecannottrustbothabovestudiesandforthisreasonweconsiderathirdindependentevaluationrealizedbytheSecurityLaboftheTechnicalUniversityofViennaInthelastmonthsthemajorbrowsers(e.
g.
IE7andMozillaFirefox)haveintegratedspecificanti-phishingfunctionalities(black-listsandstaticpageanalysis)AnalysisoftheBlack-ListsOveraperiodofthreeweekstheTechnicalUniversityofVienna(TUWIEN)hascollected10,000URLstobenchmarkMicrosoftandGoogle'sblack-lists.
Basedonthreeindicators,theresearchshowsthatGoogleperformsbetterthanMicrosoftCoverage:percentageofphishingURLsalreadyincludedinthelistQuality:percentageoflegitimateURLsincorrectlyincludedinthelistAverageResponseTime(ART):averagetimerequiredtoinsertnotinitiallyincludedURLs-KPI-2,413(67.
18%)3,241(90.
23%)BLTotal6.
4h9.
3hART2,139(59.
55%)274(7.
63%)3,157(87.
89%)84(2.
34%)BLinitallyBLdelayed3,592(100%)3,595(100%)SitesMicrosoftGoogle-ExperimentalResults-StaticPageAnalysisTUWIENhasdemonstratedthatasetofpagepropertiesactuallyallowstodifferentiatebetweenmalicious(phishing)andlegitimate(benign)onesSelectasetofpagepropertiesCollectwebpagestobeanalyzed18propertiesareconsideredmainlyextractedfromtheHTMLsourcecode(e.
g.
forms,inputfields,links,scripttags,etc.
)ExtracttheclassificationmodelInferaboutphishingAsetoflegitimateandphishingwebpagesarecollectedtoextracttheclassificationmodelTheC4.
2algorithmisexecutedtoidentifytheclassificationmodel(i.
e.
thedecion-tree)AnautomatictoolthatusestheextractedclassificationmodelcandistinguishphishingfromlegitimatewebpagesStaticPageAnalysis:ExperimentalResultsThedecision-treeisextractedusingtheWekapackage(algorithmJ48)onasetof4,829webpages-ReducedDecision-TreeextractedusingtheWekapackage-565115PhishingPages184,131LegitimatePagesClassifiedasPhishingClassifiedasLegitimate-ConfusionMatrix-Thequalifierisquitesuccessfulinidentifyingphishingpages(morethan80%arecorrectlyrecognized),raisingonlyaverysmallnumberoffalsealerts(18outof4,149pagesareincorrectlyclassifiedasphishing)StaticPageAnalysis:DemoStartingfromthetrainingdata-set,arealtimedemonstrationisprovidedInstalltheWekaPackageLoadtheinput".
arf"or".
csv"fileSelecttheJ48algorithmRuntheapplicationChecktheextractedtree-Stepstobeexecuted-InformationFlowSolutions:AntiPhish(1/2)Alimitednumberofinformationflowbasedsolutionswererealized.
TheobjectiveistoprotectusersbycheckingwheretheinformationissenttoAntiPhishisanapplicationthatisintegratedintothebrowserasanexternalplug-inAfterAntiPhishisinstalled,thebrowserpromptsarequestforanewmasterpasswordwhentheuserentersinputintoaformforthefirsttimeThemasterpasswordisusedtoencryptthesensitiveinformationbeforeitisstored(usingDES)Aftertheuserenterssensitiveinformationsuchasapassword,theAntiPhishmenuisusedtoscanthepageandtocaptureandstorethisinformationwiththedomainofthewebsite,too-Howdoesitlooklike--Generaldescription-InformationFlowSolutions:AntiPhish(2/2)TheexecutionflowchartofAntiPhishindicateshowthistoolallowtoprotectpotentialvictimsUserpresseskeyorpastestextintoformfieldCheckiftheinformationenteredisinthe"watch-list"Istheinfointhe"watch-list"DoesthedomaincorrespondThewebsiteistrusted.
ContinuenormallyUntrustedwebsite.
GenerateanalertNOYESNOYESAntiPhishdetectsthatsensitiveinformationhasbeentypedintoaformofanuntrusteddomainandcancelstheoperation.
Everytimeinformationisenteredintoaformelement(e.
g.
,textfield,textarea,etc.
),AntiPhishgoesthroughitslistofcaptured/cachedinformation.
Interactioneventstheusergenerateswithinthebrowser(keypresses,submissions,mouseclicks&focus)areinterceptedbeforeinformationcanflowtountrustedwebsite.
AntiPhishinActionWhenthevictiminsertshisusernameandpasswordtoanuntrustedwebsite,analertisraisedbeforesensitiveinformationaresenttothephisherAgenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsLayout-Similarity-basedSolutions(1/2)Layout-similarity-basedapproachesclassifyawebpageasaphishingpageifits"visual"similarityvalueisaboveapredefinedthreshold-Wenyinetal.
Approach-Thewebpageisdecomposedintosalientblocksaccordingto"visualcues".
Thevisualsimilaritybetweentwowebpagesismeasured.
Awebpageisconsideredaphishingpageifthesimilaritytothelegitimatewebpageishigherthanathreshold.
Layout-Similarity-basedSolutions(2/2)DOMAntiPhish[Rosiello,Kirda,Kruegel,Ferrandi]computesthesimilarityvalueextractingtheDOM-Treeoftheconsideredwebpages-DOMAntiPhishdescription-Whenapasswordassociatedwithacertaindomainisreusedonanotherdomainthesystemcomparesthelayoutofthecurrentpagewiththepagewherethesensitiveinformationwasoriginallyentered.
ForthecomparisontheDOM-Treeoftheoriginalwebpageandthenewonearechecked.
Ifthesystemdeterminesthatthesepageshaveasimilarappearance,aphishingattackisassumed-DOMAntiPhishFlowchart-DOMAntiPhish:DOM-TreeExtractionTheDocumentObjectModel(DOM)-Treeisaninternalrepresentationusedbybrowserstorepresentawebpage-HTMLsourcecode-ShadyGroveAeolianOvertheriverAlbert-DOM-Treerepresentation-DOMAntiPhish:SimilarityComputationDOM-TreesreducetheproblemofcomputingthelayoutsimilarityoftwowebpagestotheproblemofestablishingiftwotreesareisomorphicINPUTS:vertexv,vertexu,firstSubTreeФ,secondSubTreeФWHILEcontinue_whileexistsequivalent_subTrees_branchesDOfirstSubTree=getSubTree(u,firstSubTree);secondSubTree=getSubTree(v,secondSubTree);IFaresimilar(firstSubTree,secondSubTree)THENfloatpenalty=compute_similarity_penalty();storesubTrees(u,v,firstSubTree,secondSubTree,penalty);ENDIFENDWHILE-Templatescomputationalgorithm-Equaltemplatesextractedbythealgorithm.
Tocoverthetrees,thebestsetoftemplatesareselected(minimizingthesimilaritypenalties)-PhishingExample-DOMAntiPhish:ImplementationProcessDOMAntiPhishprototypeisimplementedasaJavascriptplug-inforMozillaFirefox2.
0whichinvokesaJavasoftwaretocomputethelayoutsimilarityDOM-TreeExtractionJavaSoftwareCallTheJavascriptplug-inforMozillaFirefox2.
0extractstheDOM-TreerepresentationofeachstoredwebpageandbrowsingoneTheJavascriptplug-inwritesdowntwotextfilesthatcontaintheextractedDOM-TreesTheJavascriptplug-ininvokestheJavasoftwareSimilarityLayoutCalculationTheJavasoftwarecalculatesthesimilarityoftheanalyzedDOM-TreeschoosingthesetoftemplateswhichminimizethesimilaritypenaltyandmaximizethecoveragePhishingReportTheJavascriptplug-inreadsthesimilarityvaluefromatextfileandreturnsthephishingreporttotheuserDOMAntiPhish:ExperimentalResultsDOMAntiPhishwastestedonasetofover200websitesprovingthatourapproachisfeasibleinpractice-Experimentalresultsdescription-Duringthesimilaritycomputationprocess,fortheisomorphicsubtreesidentificationalgorithm,weaddedapenaltyof0.
3iftwocorrespondingtagshaddifferenttypesorifatagdidnothavechildrenanditsmatchedcounterpartdid.
Iftwoattributesofmatchedtagsweredifferent,apenaltyof0.
1wasadded.
Moreover,iftheattributeshaddifferentvalues,thenapenaltyof0.
05wasadded,too.
Thepenaltyvaluesweredeterminedempiricallybyhavingasobjectivefunctiontheminimizationoffalsepositiveandnegativeresultsforlowandhighthresholdvaluesrespectively.
DOMAntiPhish:LimitationsAseverysecuritysolution,alsoDOMAntiPhishisnotperfectandwecanidentifythefollowingmainlimitations:Itcouldbepossibleforattackerstouseacombinationofimagestocreateaspoofedwebpagethatlooksvisuallysimilartoalegitimatewebpage.
Hence,theDOMofthespoofedwebpagewouldbedifferentanddetectionwouldbeevaded.
Onepossibilityofdealingwiththislimitationcouldbetotakeaconservativeapproachandtotagwebpagesasbeingsuspiciousthatcontainalargenumberofimagesorthatmainlyconsistofimages.
AnotherpossibleproblemcouldbeDOMobfuscationattemptsthatwouldmakethevisuallooksimilartothelegitimatewebpagewhileatthesametimeevadingdetection.
Ourapproachraisesthedifficultybarforcreatingphishingpages.
Furthermore,onecanalwaystakeamoreconservativeapproachbyreducingthephishingalertthreshold.
Also,ifphishersareforcedtoalterthelookandfeeloftheirphishingpages,thesepageswillbecomelessconvincingandmoresuspicioustothevictims.
-Potentialattacks--Defensivesolutions-DOMAntiPhish:DemoBrowsingsomewebpagesweshowhowDOMAntiPhishworksagainstphishingattacksInstallDOMAntiPhishplug-inLogintoatrustedwebsiteTrytologintoaphishingwebsiteCheckthephishingreport-Stepstobeexecuted-Agenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsConclusionsAsforeveryITattack,phishingcanbeprevented,detectedandmitigatedthroughserver-basedandclient-basedapproaches,supportedbyeducationandawarenessPeopleClient-basedtechniquestrytoprotectusersimplementinglocalsolutions,suchasbrowserplug-insore-mailclientsServerbasedtechniquesareappliedonserversorprovidersthatofferservicestocustomersReferencesAngeloP.
E.
Rosiello,EnginKirda,ChristopherKruegel,andFabrizioFerrandi.
"ALayout-Similarity-BasedApproachforDetectingPhishingPages".
IEEEInternationalConferenceonSecurityandPrivacyinCommunicationNetworks(SecureComm),Nice,France,September2007ChristianLudl,SeanMcAllister,EnginKirda,andChristopherKruegel.
"OntheEffectivenessofTechniquestoDetectPhishingSites".
DetectionofIntrusionsandMalwareandVulnerabilityAssessment(DIMVA)2007Conference,Lucerne,Switzerland,July2007EnginKirdaandChristopherKruegel.
"ProtectingUsersagainstPhishingAttacks".
TheComputerJournal,2006.
NeilChou,RobertLedesma,YukaTeraguchi,DanBoneh,andJohnMitchell.
"Client-sidedefenseagainstweb-basedidentitytheft".
In11thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'04),SanDiego,2005.
Anti-PhishingWorkingGroup(APWG).
APWGHomepage.
http://www.
antiphishing.
org/,2007.
InformationSecuritySurvey2007–InformationWeekResearch&AccentureGoogle.
GoogleWhitelist.
http://sb.
google.
com/safebrowsing/updateversion=goog-white-domain:1:-1,2007.
Mozilla.
Firefox2PhishingProtectionEffectivenessTesting.
http://www.
mozilla.
org/security/phishing-test.
html,2006.
Verisign.
Anti-PhishingSolution.
http://www.
verisign.
com/verisign-business-solutions/anti-phishing-solutions/,2005.
YueZhang,SergeEgelman,LorrieCranor,andJasonHong.
PhindingPhish:EvaluatingAnti-PhishingTools.
InNetworkandITSecurityConference:NDSS2007,SanDiego,California,2007.
Weka.
http://www.
cs.
waikato.
ac.
nz/ml/weka/
六一云 成立于2018年,归属于西安六一网络科技有限公司,是一家国内正规持有IDC ISP CDN IRCS电信经营许可证书的老牌商家。大陆持证公司受大陆各部门监管不好用支持退款退现,再也不怕被割韭菜了!主要业务有:国内高防云,美国高防云,美国cera大带宽,香港CTG,香港沙田CN2,海外站群服务,物理机,宿母鸡等,另外也诚招代理欢迎咨询。官网www.61cloud.net最新直销劲爆...
关于HostDare服务商在之前的文章中有介绍过几次,算是比较老牌的服务商,但是商家背景财力不是特别雄厚,算是比较小众的个人服务商。目前主流提供CKVM和QKVM套餐。前者是电信CN2 GIA,不过库存储备也不是很足,这不九月份发布新的补货库存活动,有提供九折优惠CN2 GIA,以及六五折优惠QKVM普通线路方案。这次活动截止到9月30日,不清楚商家这次库存补货多少。比如 QKVM基础的五个方案都...
RAKsmart 商家估摸着前段时间服务器囤货较多,这两个月的促销活动好像有点针对独立服务器。前面才整理到七月份的服务器活动在有一些配置上比上个月折扣力度是大很多,而且今天看到再来部分的服务器首月半价,一般这样的促销有可能是商家库存充裕。比如近期有一些服务商挖矿服务器销售不好,也都会采用这些策略,就好比电脑硬件最近也有下降。不管如何,我们选择服务器或者VPS主机要本着符合自己需求,如果业务不需要,...
www.nyzsb.com.cn为你推荐
丽水市chrome互联网周鸿祎变量itunescontentcss我研制千万亿次超级电脑支持ipad支持ipad支持ipadipadwifiipad的wifi打不开怎么办?ipadwifiipad插卡版和wifi版有什么区别,价格差的多么?
高防服务器租用qy edgecast hawkhost优惠码 linkcloud 美国主机代购 permitrootlogin godaddy支付宝 网站保姆 新站长网 52测评网 ntfs格式分区 国外视频网站有哪些 中国电信测速器 太原联通测速 丽萨 godaddy空间 阿里dns 广州主机托管 shuangcheng register.com 更多