
Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars

Wesley W. Owen, spamconference@wesconsulting.com, Graduate Student, U Mass Lowell, Dept. of Computer Science
MIT Spam Conference, March 27-28 2008


Presentation Transcript


  1. Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars
     Wesley W. Owen, spamconference@wesconsulting.com
     Graduate Student, U Mass Lowell, Dept. of Computer Science
     MIT Spam Conference, March 27-28 2008

  2. Brief History
     • The first known phishing attack on a financial operator was June 2001 against E-Gold.
     • In 2004 phishing became a widespread attack and started to appear on the radar of technology crimes.
     • Between 2004 and 2005, organized crime and phishers united to launch more attacks for profit.

  3. Data gathered from http://www.antiphishing.org/phishReportsArchive.html

  4. Tests Performed
     • Test each technology against 10 real live phishing sites
       • Some URLs in blacklists
     • Test those phishing sites copied to the lab
       • Lab URLs not in blacklists
     • Create 10 phishing sites of my own in a lab
     • Viewing sites in IE7: View -> Source -> File -> Save As
     • wget -p --convert-links --user-agent="Mozilla…

  5. Limitations
     • I did not decompile any anti-phishing technologies; my results are purely from trial and error.
     • I did not test enough phishing sites to make determinations regarding which anti-phishing filter is more effective at real phishing sites. Other papers in this area have done this. See:
       • http://www.cylab.cmu.edu/files/cmucylab06018.pdf
       • http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf

  6. Anti-Phishing Technologies Examined
     • Internet Explorer 7.0
     • Netcraft’s Toolbar
     • Earthlink’s Toolbar
     • Geotrust Trustwatch
     • SpoofGuard
     • eBay’s Toolbar
     • Firefox 2

  7. Types of Anti-Phishing Technology
     • URL Blacklists
     • Content Filter
     • URL Popularity & Characteristics
     • Password recognition

  8. URL Blacklists
     Similar idea as SPAM blacklists: a database of URLs that are known phishing sites.
     Pros:
     • Low false positives
     • Easy to look up URLs (low overhead)
     • Effective once the URL is listed
     Cons:
     • “Time to list” is too large to keep phishers out of business: approx. 10 hrs as of 2/08 (phishtank.com)

  9. Content Filter
     Examines the body of each web page visited.
     Pros:
     • Detects phishing sites as soon as phishers publish them
     Cons:
     • Higher overhead than other technologies (a small price to pay for most users)
     • It is possible to learn the content rules and work around them

  10. URL Popularity & Characteristics
     URL Popularity: checks domains against Google, Alexa, etc. to see how popular the URL is. The basis is that phishing sites are not popular.
     URL Characteristics: checks characteristics of the URL such as strange port numbers, recently registered domains, IP addresses, etc.

  11. URL Popularity & Characteristics
     Pros:
     • Easy to look up URL (low overhead)
     Cons:
     • Usually requires human interpretation of the indicator and requires the operator to be aware of what phishing is.
     • Privacy concerns: each site visited must be looked up at Google, Alexa, etc.
     • May not work well for phishing sites hosted at sites like geocities, e.g. http://www.geocities.com/phisher/ebay/
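The URL-characteristic checks of slides 10 and 11, as an added Python example (not code from any of the toolbars examined). It treats a literal IP host, a non-standard port, deep subdomain nesting and a watched brand name outside the registered domain (the geocities pattern above) as indicators; the brand list and the two-label approximation of the registered domain are assumptions, and domain age is left out because it needs a WHOIS lookup.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed watch list of brands; a real toolbar would carry a much larger one.
BRANDS = ("ebay", "paypal")


def url_indicators(url: str) -> list:
    """Return the names of the suspicious characteristics found in url.

    Domain age (recently registered domains) needs a WHOIS lookup and is
    deliberately left out so the function runs offline.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    found = []

    # Literal IP address instead of a host name
    try:
        ipaddress.ip_address(host)
        found.append("ip-address-host")
    except ValueError:
        pass

    # Strange port number
    if parts.port is not None and parts.port not in (80, 443):
        found.append("unusual-port")

    # Very deep subdomain nesting
    labels = host.split(".")
    if len(labels) > 4:
        found.append("deep-subdomain")

    # Brand name outside the registered domain: the geocities pattern on
    # slide 11 (registered domain approximated as the last two labels).
    registered = ".".join(labels[-2:])
    elsewhere = ".".join(labels[:-2]) + parts.path.lower()
    for brand in BRANDS:
        if brand in elsewhere and brand not in registered:
            found.append(f"brand-{brand}-outside-registered-domain")
    return found
```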

  12. Password recognition
     Pros:
     • Easy to detect (low overhead)
     Cons:
     • Assumes users never use the same password at more than one site
     • Requires users to enter passwords to all sites ahead of time

  13. Details of IE7's Content Filter
     By using trial and error I was able to determine what IE7's content filter was looking for when detecting fake ebay.com sites:
     • 2 input tags nested in a form tag and 3 links:
       • “forgot userid” link
       • “forgot password” link
       • “keep me signed in” link
     • 1 or more of 10 links that point to ebay.com

  14. Smallest Page that trips IE7's Content Filter
         <html>
         <body>
         <form action=".">
         <input>
         <input>
         </form>
         <a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"></a>
         <a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"></a>
         <a href="http://pages.ebay.com/help/newtoebay/staying_signed_in.html"></a>
         <a href="http://pages.ebay.com/help/new/contextual/account_protection.html"></a>
         </body>
         </html>

  15. Details of Earthlink's Content Filter
     By using trial and error I was able to determine what Earthlink's content filter was looking for when detecting fake ebay.com sites:
     • 2 input tags
     • 2 or more of 14 links that point to ebay.com & 1 .js file on ebay.com

  16. Smallest Page that trips Earthlink's Content Filter
         <html>
         <body>
         <input>
         <input>
         <a href="http://pages.ebay.com/help/index.html">Help</a>
         <a href="http://pages.ebay.com/help/policies/privacy-policy.html">Privacy Policy</a>
         </body>
         </html>

  17. Page Load Attack
         <html>
         <body>
         <!-- phishing site here -->
         <?php
         while(1){
             echo " ";
             flush();
             sleep(1);
         }
         ?>
         </body>
         </html>

  18. Image Load Attack
         <html>
         <body>
         <!-- phishing site here -->
         <img src="http://1.2.3.4/image.gif">
         <img src="http://1.2.3.5/image.gif">
         <img src="http://1.2.3.6/image.gif">
         <img src="http://1.2.3.7/image.gif">
         <img src="http://1.2.3.8/image.gif">
         . . .
         </body>
         </html>

  19. JavaScript Attack
         <html>
         <head>
         <script language="JavaScript">
         function go() {
             var buf = "phishing site here";
             output.innerHTML = buf;
         }
         </script>
         </head>
         <body onLoad="go()">
         <div id="output"></div>
         </body>
         </html>
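The rule set inferred on slide 13 written out as a static HTML filter, with slide 14's minimal page and slide 19's script-built page as inputs (added example, not IE7's code; the href fragments used to recognise the three named links are an assumption). Run on raw HTML it trips on the slide-14 page but not on the JavaScript page, whose form and links only exist after the script runs, which is why a content filter has to inspect the rendered DOM rather than the downloaded source.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Distinctive parts of the three named links on slide 13 (forgot userid,
# forgot password, keep me signed in); how IE7 really matches is unknown.
NAMED_LINKS = {"UserIdRecognizerShow", "ForgotYourPasswordShow",
               "staying_signed_in.html"}

# Slide 14's minimal page and slide 19's script-built page, as constants.
SLIDE14 = ('<html><body><form action="."><input><input></form>'
           '<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"></a>'
           '<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"></a>'
           '<a href="http://pages.ebay.com/help/newtoebay/staying_signed_in.html"></a>'
           '<a href="http://pages.ebay.com/help/new/contextual/account_protection.html"></a>'
           '</body></html>')
SLIDE19 = ('<html><head><script>function go(){output.innerHTML="...";}</script>'
           '</head><body onload="go()"><div id="output"></div></body></html>')

class FormAndLinkCounter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_depth = 0        # nesting depth of open <form> tags
        self.inputs_in_form = 0    # <input> tags seen inside a form
        self.ebay_links = 0        # <a href> pointing at *.ebay.com
        self.named_hits = set()    # which of NAMED_LINKS were seen

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_depth += 1
        elif tag == "input" and self.form_depth:
            self.inputs_in_form += 1
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            host = urlsplit(href).hostname or ""
            if host == "ebay.com" or host.endswith(".ebay.com"):
                self.ebay_links += 1
                self.named_hits.update(k for k in NAMED_LINKS if k in href)

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1

def trips_filter(html_source: str) -> bool:
    p = FormAndLinkCounter()
    p.feed(html_source)
    other_ebay_links = p.ebay_links - len(p.named_hits)  # the named links also point at ebay.com
    return (p.inputs_in_form >= 2 and p.named_hits == NAMED_LINKS
            and other_ebay_links >= 1)
```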

  20. Attacks Against Anti-Phishing Filters
     * The Page Load and Image Load attacks worked some of the time against eBay’s Toolbar. I was unable to determine why it worked with some URLs but not others.

  21. Attacks against URL Blacklists
     Google’s blacklist, http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1, has similar entries that lead me to believe wildcards are not being used:
       http://home.doramail.com/w37eudhs/
       http://home.doramail.com/w823ehds/
       http://189.140.107.157/
       http://189.140.107.157/bankmain.htm/
       http://189.140.107.157/boveda/
     Similar results at http://www.phishtank.com/phish_archive.php

  22. Attacks against URL Blacklists
     Using multiple subdomains, folders, etc., phishers already create many phishing URLs. It is possible to create infinitely many URLs by:
     • Custom 404 error page (page not found)
     • Apache rewrite rule:
           RewriteEngine on
           RewriteRule ^[A-Za-z0-9]*$ phishing_page.html
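A blacklist matcher that compares on host suffix and path prefix after canonicalising the URL, as an added example that is not Google's or PhishTank's code. With the slide-21 entries loaded, every URL a custom 404 page or the rewrite rule above produces under the listed host or folder still matches; the probe URLs in the test are constructed. Entries for shared hosts like geocities should name the phisher's folder rather than the bare host, since a host-level entry would match the whole site.

```python
from urllib.parse import urlsplit, unquote


def canonical(url: str):
    """Return (host, path) with the parts phishers vary cheaply removed:
    scheme, case of the host, percent-encoding, '.' and empty path
    segments, trailing slash, query string and fragment."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    segs = [s for s in unquote(parts.path).split("/") if s not in ("", ".")]
    return host, "/" + "/".join(segs)


class Blacklist:
    """Entries are matched on host suffix and path prefix, so listing
    http://host/ or http://host/folder/ once covers every URL a custom
    404 page or rewrite rule can mint beneath it."""

    def __init__(self, entries):
        self.entries = [canonical(e) for e in entries]

    def matches(self, url: str) -> bool:
        host, path = canonical(url)
        for bl_host, bl_path in self.entries:
            host_ok = host == bl_host or host.endswith("." + bl_host)
            path_ok = (bl_path == "/" or path == bl_path
                       or path.startswith(bl_path + "/"))
            if host_ok and path_ok:
                return True
        return False


# Entries copied from slide 21.
BLACKLIST = Blacklist([
    "http://home.doramail.com/w37eudhs/",
    "http://189.140.107.157/",
])
```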

  23. Conclusions
     • The best anti-phishing filters use a layered approach (URL Blacklist + Content Filter)
     • Use multiple phishing blacklists
     • Future work:
       • Decompiling IE7 and Earthlink’s content filter to learn more about them
       • If they use static rules, enhance them to use dynamic rules that can be controlled & updated centrally, which would make it much harder for phishers to succeed
       • Address the page/image load & JavaScript attacks

  24. Questions and Comments?
