solutionssb

Anti-PhishingSecurityStrategyAngeloP.
E.
RosielloAgenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsNatureofPhishing3.
8daysAveragetimeonlineforsiteU.
S.
Countryhostingthemostphishingwebsites149Numberofbrandshijackedbyphishingcampaigns37438Numberofuniquesites23415NumberofuniquereportsFinancialServicescontinuetobethemosttargetedindustrysectorat96.
9%ofallattacksinthemonthofMay-ListofthemainhighlightsreportedforMay2007-StatisticsfromtheAntiPhishingWorkingGroup(AWPG)confirmtheglobalnatureofphishingwhoseprimarytargetarefinancialinstitutionsGrowingEffectivenessandEfficiencyofPhishingOverthelastmonthsphishingattackshavebecomemoreeffectiveandcomplextotrackandchallengeUSChina-Thetop5listofbreaches-InformationWeekResearch&Accenture–InformationSecuritySurvey2007Phishingrepresentsthethirdtypeofsuccessfulattackagainstenterprises(mainlybanks)SymantechasdetectedanumberofphishingsitesthathavebeenhostedongovernmentURLsoverrecentmonths.
InJunealone(2007),fraudulentsiteswereidentifiedonsitesrunbythegovernmentsofThailand,Indonesia,Hungary,Bangladesh,Argentina,SriLanka,theUkraine,China,Brazil,BosniaandHerzegovina,Colombia,andMalaysia.
"HostingaphishingWebpageonagovernmentsitehasanumberofadvantagesforaphisher.
GovernmentWebsitesoftenreceiveahighvolumeoftraffic,sotheirserverscanhandletheextratrafficgeneratedbyaphishingsite"writesSymantecresearcherNickSullivan.
"Thisextratrafficmightnotbenoticedimmediately,givingthephishingsitealongerlifespanbeforeitisdetectedandshutdown.
Perhapsmostimportantly,hostingaphishingsiteonanactualgovernmentURLgivesthephishingsiteasenseofauthenticitythat'shardtobeat.
"-ImprovingPhishingqualityattacks-TaxonomyofPhishingAttacksPhishingattackscanbeclassifiedaccordingtotheirnatureEmail,IMPhishingAttacksE-mailIM,IRC,etc.
-Description-Spoofede-mailaresenttoasetofvictimsaskingthem(usually)toupgradetheirpasswords,dataaccount,etc.
MSN,ICQ,AOLandotherIMchannelsareusedtoreachthevictims.
Socialengineeringtechniquesareusedtogainvictim'ssensitiveinformationCallingthevictimsonthephone,classicsocialengineeringtechniquesareusedbyphishersAnotherkindofattackisbasedontheinternetbrowservulnerabilities.
ThisapproachisusuallyadoptedtoautomaticallyinstalldialersPhone,mail,etc.
Exploitbased-ClassificationoftheAttacks-AProcessofPhishingAttacksInatypicalattack,thephishersendsalargenumberofspoofed(i.
e.
fake)e-mailstorandomInternetusersthatseemtobecomingfromalegitimateandwell-knownbusinessorganization(e.
g.
financialinstitutions,creditcardcompanies,etc)Thee-mailurgesthevictimtoupdatehispersonalinformationasaconditiontoavoidloosingaccessrightstospecificservices(e.
g.
accesstoonlinebankaccount,etc).
Byclickingonthelinkprovided,thevictimisdirectedtoaboguswebsiteimplementedbytheattackerThephishingwebsiteisstructuredasacloneoftheoriginalwebsitesothatthevictimisnotabletodistinguishitfromthatoftheservicehe/shehasaccessto.
Lotsofe-mailsaresenttoasetofrandomvictimsThevictimchangesherdataE-mailurgesthevictimtoupdateherdataviaweb(aspoofedone)Phisher!
!
!
AFRUDNewPhishersSkillsToconfusethevictim,phishersaredevisingnewtricksPhishinge-mailembedhyperlinksfromtheoriginalwebsitesothattheusersmainlysurfontherealwebserverexecutingonlyasmallnumberofconnectionstothefakewebserver.
WebsiteURLareencodedorobfuscatedtonotraisesuspicious.
IDNspoofing,forexample,usesUnicodeURLsthatrenderURLsinbrowsersinawaythattheaddresslooksliketheoriginalwebsiteaddressbutactuallylinktoafakewebsitewithadifferentaddress.
VictimsareredirectedtoaphishingwebsitebyfirstusingmalwarestoinstallamaliciousBrowserHelperObject(BHO).
BHOsareDLLsthatallowsdeveloperstocustomizeandcontrolInternetExplorerbutalsophisherstocompromiseconnections.
Thehostsfileonthevictim'smachineiscorrupted,forexampleusingamalware.
ThehostfilesmaintainslocalmappingsbetweenDNSnamesandIPaddresses.
ByinsertingafakeDNSentryintotheuser'shostsfile,itwillappearthattheirwebbrowserisconnectingtoalegitimatewebsitewheninfactitisconnectingtoaphishingwebsite.
Agenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsStrategicDefenseTechniquesAntiphisingdefensescanbeserverandclientbasedsolutionsServer-basedAnti-PhishingClient-basedBehaviourDetectionBrandMonitoringSecurityEventsE-mailAnalysisBlackListsInformationFlowSimilarityofLayoutsFocusofthispresentation!
Server-basedSolutionsServerbasedtechniquesareimplementedbyserviceproviders(e.
g.
ISP,e-commercestores,financialinstitutions,etc…)Crawlingon-linewebsitestoidentify"clones"(lookingforlegitimatebrands),whichareconsideredphishingpages.
Suspectedwebsitesareaddedtoacentralized"black-list".
Foreachcustomeraprofileisidentified(afteratrainingperiod)whichisusedtodetectanomaliesinthebehaviourofusersSecurityeventanalysisandcorrelationusingregisteredeventsprovidedbyseveralsources(OS,application,networkdevice)toidentifyanomalousactivityorforpostmortemanalysisfollowinganattackorafraudUsingmorethanoneidentificationfactoriscalledstrongauthentication.
Therearethreeuniversallyrecognizedfactorsforauthenticatingindividuals:somethingyouknow(e.
g.
password);somethingyouhave(e.
g.
hwsecuritytoken);somethingyouare(e.
g.
fingerprint)Newtechniquesofauthenticationareunderreasearch,suchasusinganimageduringtheregistrationphasewhichisshownduringeveryloginprocessBrandMonitoringBehaviourDetectionSecurityEventMonitoringStrongAuthenticationNewAuthenticationTechniquesClient-basedSolutionsClient-basedtechniquesareimplementedonusers'endpointthroughbrowserplug-insore-mailclientsE-mail-basedapproachestypicallyusefiltersandcontentanalysis.
IftrainedregularlyBayesianfiltersareactuallyquiteeffectiveininterceptingbothspammingandphishinge-mails.
BlacklistsarecollectionsofURLsidentifiedasmalicious.
Theblacklistisqueriedbythebrowserrun-timewheneverapageisloaded.
IfthecurrentlyvisitedURLisincludedintheblacklist,theuserisadvisedofthedanger,otherwisethepageisconsideredlegitimate.
InformationflowsolutionsarebasedonthepremisethatwhileausermaybeeasilyfooledbyURLobfuscationorafakedomainname,aprogramwillnot.
AntiPhishisanexampleofthistypeofdefensetechniquewhichkeepstrackofthesensitiveinformationthattheuserentersintowebforms,raisinganalertifsomethingisconsideredunsafeMostadvancedtechniquestrytodistinguishaphishingwebpagefromthelegitimateonecomparingtheirvisualsimilarity[[Wenyin,Huang,Xiaoyue,Min,Deng],[Rosiello,Kirda,Kruegel,Ferrandi]E-mailAnalysisBlack-ListsInformationFlowSimilarityofLayoutsTrendsonclient-basedMarketSolutionsInOctober2006,aMicrosoft-commissionedreportonvariousanti-phishingsolutionswasreleased.
ThetestersfoundthatMicrosoftInternetExplorer(IE)7.
0hasbetteranti-phishingtechnologythancompetingsolutions.
TheproductstestedincludedIE7.
0Beta3,EarthLinkScamBlocker,eBayToolbarwithAccountGuard,GeoTrustTrustWatch,GoogleToolbarforFirefoxwithSafeBrowsing,McAfeeSiteAdvisorPlus,NetcraftToolbar,andNetscapeBrowserwithbuilt-inantiphishingtechnologyTheMozillaFoundationcommissioneditsownstudytogaugetheeffectivenessofMozillaFirefox2.
0'santi-phishingtechnologyascomparedwithIE7.
0's.
ThisstudyfoundthatFirefox'santi-phishingtechnologywasbetterthanIE'sbyaconsiderablemarginItseemsevidentthatwecannottrustbothabovestudiesandforthisreasonweconsiderathirdindependentevaluationrealizedbytheSecurityLaboftheTechnicalUniversityofViennaInthelastmonthsthemajorbrowsers(e.
g.
IE7andMozillaFirefox)haveintegratedspecificanti-phishingfunctionalities(black-listsandstaticpageanalysis)AnalysisoftheBlack-ListsOveraperiodofthreeweekstheTechnicalUniversityofVienna(TUWIEN)hascollected10,000URLstobenchmarkMicrosoftandGoogle'sblack-lists.
Basedonthreeindicators,theresearchshowsthatGoogleperformsbetterthanMicrosoftCoverage:percentageofphishingURLsalreadyincludedinthelistQuality:percentageoflegitimateURLsincorrectlyincludedinthelistAverageResponseTime(ART):averagetimerequiredtoinsertnotinitiallyincludedURLs-KPI-2,413(67.
18%)3,241(90.
23%)BLTotal6.
4h9.
3hART2,139(59.
55%)274(7.
63%)3,157(87.
89%)84(2.
34%)BLinitallyBLdelayed3,592(100%)3,595(100%)SitesMicrosoftGoogle-ExperimentalResults-StaticPageAnalysisTUWIENhasdemonstratedthatasetofpagepropertiesactuallyallowstodifferentiatebetweenmalicious(phishing)andlegitimate(benign)onesSelectasetofpagepropertiesCollectwebpagestobeanalyzed18propertiesareconsideredmainlyextractedfromtheHTMLsourcecode(e.
g.
forms,inputfields,links,scripttags,etc.
)ExtracttheclassificationmodelInferaboutphishingAsetoflegitimateandphishingwebpagesarecollectedtoextracttheclassificationmodelTheC4.
2algorithmisexecutedtoidentifytheclassificationmodel(i.
e.
thedecion-tree)AnautomatictoolthatusestheextractedclassificationmodelcandistinguishphishingfromlegitimatewebpagesStaticPageAnalysis:ExperimentalResultsThedecision-treeisextractedusingtheWekapackage(algorithmJ48)onasetof4,829webpages-ReducedDecision-TreeextractedusingtheWekapackage-565115PhishingPages184,131LegitimatePagesClassifiedasPhishingClassifiedasLegitimate-ConfusionMatrix-Thequalifierisquitesuccessfulinidentifyingphishingpages(morethan80%arecorrectlyrecognized),raisingonlyaverysmallnumberoffalsealerts(18outof4,149pagesareincorrectlyclassifiedasphishing)StaticPageAnalysis:DemoStartingfromthetrainingdata-set,arealtimedemonstrationisprovidedInstalltheWekaPackageLoadtheinput".
arf"or".
csv"fileSelecttheJ48algorithmRuntheapplicationChecktheextractedtree-Stepstobeexecuted-InformationFlowSolutions:AntiPhish(1/2)Alimitednumberofinformationflowbasedsolutionswererealized.
TheobjectiveistoprotectusersbycheckingwheretheinformationissenttoAntiPhishisanapplicationthatisintegratedintothebrowserasanexternalplug-inAfterAntiPhishisinstalled,thebrowserpromptsarequestforanewmasterpasswordwhentheuserentersinputintoaformforthefirsttimeThemasterpasswordisusedtoencryptthesensitiveinformationbeforeitisstored(usingDES)Aftertheuserenterssensitiveinformationsuchasapassword,theAntiPhishmenuisusedtoscanthepageandtocaptureandstorethisinformationwiththedomainofthewebsite,too-Howdoesitlooklike--Generaldescription-InformationFlowSolutions:AntiPhish(2/2)TheexecutionflowchartofAntiPhishindicateshowthistoolallowtoprotectpotentialvictimsUserpresseskeyorpastestextintoformfieldCheckiftheinformationenteredisinthe"watch-list"Istheinfointhe"watch-list"DoesthedomaincorrespondThewebsiteistrusted.
ContinuenormallyUntrustedwebsite.
GenerateanalertNOYESNOYESAntiPhishdetectsthatsensitiveinformationhasbeentypedintoaformofanuntrusteddomainandcancelstheoperation.
Everytimeinformationisenteredintoaformelement(e.
g.
,textfield,textarea,etc.
),AntiPhishgoesthroughitslistofcaptured/cachedinformation.
Interactioneventstheusergenerateswithinthebrowser(keypresses,submissions,mouseclicks&focus)areinterceptedbeforeinformationcanflowtountrustedwebsite.
AntiPhishinActionWhenthevictiminsertshisusernameandpasswordtoanuntrustedwebsite,analertisraisedbeforesensitiveinformationaresenttothephisherAgenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsLayout-Similarity-basedSolutions(1/2)Layout-similarity-basedapproachesclassifyawebpageasaphishingpageifits"visual"similarityvalueisaboveapredefinedthreshold-Wenyinetal.
Approach-Thewebpageisdecomposedintosalientblocksaccordingto"visualcues".
Thevisualsimilaritybetweentwowebpagesismeasured.
Awebpageisconsideredaphishingpageifthesimilaritytothelegitimatewebpageishigherthanathreshold.
Layout-Similarity-basedSolutions(2/2)DOMAntiPhish[Rosiello,Kirda,Kruegel,Ferrandi]computesthesimilarityvalueextractingtheDOM-Treeoftheconsideredwebpages-DOMAntiPhishdescription-Whenapasswordassociatedwithacertaindomainisreusedonanotherdomainthesystemcomparesthelayoutofthecurrentpagewiththepagewherethesensitiveinformationwasoriginallyentered.
ForthecomparisontheDOM-Treeoftheoriginalwebpageandthenewonearechecked.
Ifthesystemdeterminesthatthesepageshaveasimilarappearance,aphishingattackisassumed-DOMAntiPhishFlowchart-DOMAntiPhish:DOM-TreeExtractionTheDocumentObjectModel(DOM)-Treeisaninternalrepresentationusedbybrowserstorepresentawebpage-HTMLsourcecode-ShadyGroveAeolianOvertheriverAlbert-DOM-Treerepresentation-DOMAntiPhish:SimilarityComputationDOM-TreesreducetheproblemofcomputingthelayoutsimilarityoftwowebpagestotheproblemofestablishingiftwotreesareisomorphicINPUTS:vertexv,vertexu,firstSubTreeФ,secondSubTreeФWHILEcontinue_whileexistsequivalent_subTrees_branchesDOfirstSubTree=getSubTree(u,firstSubTree);secondSubTree=getSubTree(v,secondSubTree);IFaresimilar(firstSubTree,secondSubTree)THENfloatpenalty=compute_similarity_penalty();storesubTrees(u,v,firstSubTree,secondSubTree,penalty);ENDIFENDWHILE-Templatescomputationalgorithm-Equaltemplatesextractedbythealgorithm.
Tocoverthetrees,thebestsetoftemplatesareselected(minimizingthesimilaritypenalties)-PhishingExample-DOMAntiPhish:ImplementationProcessDOMAntiPhishprototypeisimplementedasaJavascriptplug-inforMozillaFirefox2.
0whichinvokesaJavasoftwaretocomputethelayoutsimilarityDOM-TreeExtractionJavaSoftwareCallTheJavascriptplug-inforMozillaFirefox2.
0extractstheDOM-TreerepresentationofeachstoredwebpageandbrowsingoneTheJavascriptplug-inwritesdowntwotextfilesthatcontaintheextractedDOM-TreesTheJavascriptplug-ininvokestheJavasoftwareSimilarityLayoutCalculationTheJavasoftwarecalculatesthesimilarityoftheanalyzedDOM-TreeschoosingthesetoftemplateswhichminimizethesimilaritypenaltyandmaximizethecoveragePhishingReportTheJavascriptplug-inreadsthesimilarityvaluefromatextfileandreturnsthephishingreporttotheuserDOMAntiPhish:ExperimentalResultsDOMAntiPhishwastestedonasetofover200websitesprovingthatourapproachisfeasibleinpractice-Experimentalresultsdescription-Duringthesimilaritycomputationprocess,fortheisomorphicsubtreesidentificationalgorithm,weaddedapenaltyof0.
3iftwocorrespondingtagshaddifferenttypesorifatagdidnothavechildrenanditsmatchedcounterpartdid.
Iftwoattributesofmatchedtagsweredifferent,apenaltyof0.
1wasadded.
Moreover,iftheattributeshaddifferentvalues,thenapenaltyof0.
05wasadded,too.
Thepenaltyvaluesweredeterminedempiricallybyhavingasobjectivefunctiontheminimizationoffalsepositiveandnegativeresultsforlowandhighthresholdvaluesrespectively.
DOMAntiPhish:LimitationsAseverysecuritysolution,alsoDOMAntiPhishisnotperfectandwecanidentifythefollowingmainlimitations:Itcouldbepossibleforattackerstouseacombinationofimagestocreateaspoofedwebpagethatlooksvisuallysimilartoalegitimatewebpage.
Hence,theDOMofthespoofedwebpagewouldbedifferentanddetectionwouldbeevaded.
Onepossibilityofdealingwiththislimitationcouldbetotakeaconservativeapproachandtotagwebpagesasbeingsuspiciousthatcontainalargenumberofimagesorthatmainlyconsistofimages.
AnotherpossibleproblemcouldbeDOMobfuscationattemptsthatwouldmakethevisuallooksimilartothelegitimatewebpagewhileatthesametimeevadingdetection.
Ourapproachraisesthedifficultybarforcreatingphishingpages.
Furthermore,onecanalwaystakeamoreconservativeapproachbyreducingthephishingalertthreshold.
Also,ifphishersareforcedtoalterthelookandfeeloftheirphishingpages,thesepageswillbecomelessconvincingandmoresuspicioustothevictims.
-Potentialattacks--Defensivesolutions-DOMAntiPhish:DemoBrowsingsomewebpagesweshowhowDOMAntiPhishworksagainstphishingattacksInstallDOMAntiPhishplug-inLogintoatrustedwebsiteTrytologintoaphishingwebsiteCheckthephishingreport-Stepstobeexecuted-Agenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsConclusionsAsforeveryITattack,phishingcanbeprevented,detectedandmitigatedthroughserver-basedandclient-basedapproaches,supportedbyeducationandawarenessPeopleClient-basedtechniquestrytoprotectusersimplementinglocalsolutions,suchasbrowserplug-insore-mailclientsServerbasedtechniquesareappliedonserversorprovidersthatofferservicestocustomersReferencesAngeloP.
E.
Rosiello,EnginKirda,ChristopherKruegel,andFabrizioFerrandi.
"ALayout-Similarity-BasedApproachforDetectingPhishingPages".
IEEEInternationalConferenceonSecurityandPrivacyinCommunicationNetworks(SecureComm),Nice,France,September2007ChristianLudl,SeanMcAllister,EnginKirda,andChristopherKruegel.
"OntheEffectivenessofTechniquestoDetectPhishingSites".
DetectionofIntrusionsandMalwareandVulnerabilityAssessment(DIMVA)2007Conference,Lucerne,Switzerland,July2007EnginKirdaandChristopherKruegel.
"ProtectingUsersagainstPhishingAttacks".
TheComputerJournal,2006.
NeilChou,RobertLedesma,YukaTeraguchi,DanBoneh,andJohnMitchell.
"Client-sidedefenseagainstweb-basedidentitytheft".
In11thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'04),SanDiego,2005.
Anti-PhishingWorkingGroup(APWG).
APWGHomepage.
http://www.
antiphishing.
org/,2007.
InformationSecuritySurvey2007–InformationWeekResearch&AccentureGoogle.
GoogleWhitelist.
http://sb.
google.
com/safebrowsing/updateversion=goog-white-domain:1:-1,2007.
Mozilla.
Firefox2PhishingProtectionEffectivenessTesting.
http://www.
mozilla.
org/security/phishing-test.
html,2006.
Verisign.
Anti-PhishingSolution.
http://www.
verisign.
com/verisign-business-solutions/anti-phishing-solutions/,2005.
YueZhang,SergeEgelman,LorrieCranor,andJasonHong.
PhindingPhish:EvaluatingAnti-PhishingTools.
InNetworkandITSecurityConference:NDSS2007,SanDiego,California,2007.
Weka.
http://www.
cs.
waikato.
ac.
nz/ml/weka/